Beard: Created page with "

 enable - enter privilege exec mode enable password - set password enable secret - same but encrypted copy run start - copy running-config to startup-config copy flash:/f..."

2016-02-29T21:12:05Z

Created page with "<pre> enable - enter privilege exec mode enable password - set password enable secret - same but encrypted copy run start - copy running-config to startup-config copy flash:/f..."

New page

<pre>
enable - enter privilege exec mode
enable password - set password
enable secret - same but encrypted
copy run start - copy running-config to startup-config
copy flash:/file run - copy file from flash to running-config
copy run tftp:<addr> - copy to another host

erase start - erase startup-config
reload - reboot router
exit - exit mode
end - back to main mode

sh run - show running-config
sh start - show startup-config
sh v - show version
sh hosts
sh ip int br - show ip interface brief
sh ip protocols
sh ip route
sh ip rip database
sh ip http server status
sh ip ospf <option> - see OSPF section
sh port-security <option> - see Switches section
sh cdp <option> - see CDP section
sh controllers <interface> - troubleshoot controllers
sh access-lists

conf t - configure terminal
int <int> <int#> - interface config mode
description <description>
no shut - bring up
shut - bring down
no ip add - remove ip address
no ip nat - remove nat config
ip add <address> <mask> - ip address
ip n i - nat inside
ip n o - nat outside
ip subnet-zero - allow use of full ip range (dont use with legacy equipment)
clock rate # - set clock rate for interface
cdp enable
duplex <option> - options are: auto, half, full
ip access-group <1-99> <in/out> - control acl on interface
int <int> <int#>.<vlan#> - configure sub-interface. interface can contain multiple vlans (ie f 0/0.1, f 0/0.10, f 0/0.20)
interface with vlans should only be brought up (ie int f 0/0 -> no shut -> int f 0/0.10 -> <configurations, etc.>)
description <description>
encap dot1q <#> <option> - <#> = the vlan number which will be encapsulated by the sub-interface (ie 10 for f 0/0.10). <option> = "native" for management vlan.
ip add <address> <mask> - ip address. MUST DO ENCAP FIRST
ip access-group <acl-name or acl#> <in/out> - allow traffic in or out
router rip
net <address> - enable rip on all addresses that fall within range of address given.
passive-interface f 0/0 - do not advertise on interface
version <#> - use rip version 1 or 2
redistribute <protocol> - use one protocol to redistribute another
no auto-summary - allows discontiguous networks if using rip 2 (all routers configured)
timers basic <update> <invalid> <holddown> <flush> - set timers (holddown should be [max hops in network]*[update])
redistribute static - allows static default routes to propagate through rip
ip r a.a.a.a b.b.b.b c.c.c.c d - static route
a - destination (other router [direct] or network)
b - destination prefix mask (classful!!)
c - forwarding router address (next hop)
d - administrative distance. lower distance used first. rip routes have 120 by default. static have 1 or 0.
must add every network
ip default-network <address> - advertise as default network
line con 0 - config console 0
logging synchronous - cleaner output
password <password> - set password
login - set login to ask for password
exec-timeout 5 0 - automatically logout after 5 min
line aux 0 - config aux 0
line vty 0 4 - config connections 0 through 4
password <password> - set password
login - set login to ask for password
transport <input/output> <protocol> - set the protocol. protocols: all, none, ssh, telnet
no ip domain-lookup - eliminate annoying domain lookup
banner motd # <message> # - use any symbol like a # to mark the beginning & ending of message. message can be multiple lines.
banner login # <message> #
ip host <hostname> <address> - match host name with ip address
ip domain-name <domain-name> - set domain name
username <username> pass <password> - create a user with a password
ip name-server <address> - define dns server
ip http server - start http server
boot system <device> - specify boot device for next boot
config-register 0x2102 - set register to 0x2102
0x2102 - normal boot
0x2142 - do not load config file (password recovery)
0x2101 - load rommon
cdp run - enable cdp

ROMMON:
ctrl+break - hold during boot to load rommon
dir flash - show contents of flash
boot <device>:<file> - boot from specific file
confreg 0x2102 - set config register to 0x2102
0x2102 - normal boot
0x2142 - do not load config file (password recovery)
reset - reboot
tftpdnld - download ios (must set environment variables first)
tftp uses udp port 69
set - finalizes all variables after they have been defined
environment variables:
IP-ADDRESS
IP-SUBNET-MASK
DEFAULT-GATEWAY
TFTP-SERVER
TFTP-FILE

CDP:
cisco discovery protocol
cdp run
debug cdp packets - recieve cdp info
undebug all - undo debug mode
config-if
cdp enable

sh cdp int - cdp interfaces
sh cdp neighbors detail
sh cdp traffic - monitor cdp

OSPF:
router ospf <pid> - pid arbitrarily assigned. interfaces do not share a pid.
net <addr> <wildcard addr> <area> <area-id>
log-adjacency-changes - logs when neighbor goes up or down
area <area-id> auth mess - use authentication
default-information originate - inject default rout into area
passiv-int <int> <int#>
config-if
ip ospf hello-interval <seconds> - 5 is a good #
ip ospf dead-interval <seconds> - always 4x hello interval
ip ospf <pid> area <area-id>
bandwidth <#> - not clock rate. factored into cost.
ip ospf mess <key-id> md5 <password> - key-id (start at 1) arbitrary
ip ospf priority <0-255> - used for elections to become designated router. default: 1. set 0 to never win. set 255 to always win. central router should win

OSPFv3:
ipv6 router ospf <pid>
config-if
ip ospf <pid> area <area-id>

sh ip ospf int
sh ip ospf neighbors
sh ip ospf route
sh ip ospf topology
sh ip ospf statistics

EIGRP:
router eigrp <as> - as = autonomous system number
net <addr>
no auto - no auto-summary for discontiguous networks
passive <int> - specify interface to not use eigrp on
redist <option> - redistribute another protocol. most commonly use "static" to redist default route specified by the "ip route" command.

FRAME RELAY:
ip cef
config-if
bandwidth 128000
encap frame-relay
no dce-terminal-timing-enable
frame-relay intf-type dce
frame-relay route 301 int s 0/1 103
[incomplete]

SWITCHES:
usually have separate vlan for trunk line to router. ie vlan1 -> vlan10,20,30
sh vlan
sh ip int vlan <#>
sh power inline
sh vtp stat
sh ip int port-channel
sh standby
sh etherchannel summary

config-if
switchport mode trunk - config for non-access port (to a router or switch). might produce error. just do dot1q first, then do mode trunk again.
sw trunk encap dot1q - encapsulates 8021q. use on each vlan interface. required before sw mode trunk on trunk interface.
sw trunk encap dot1q native - use on point-to-point vlan to the router
sw mode trunk - configure interface as trunk interface (ie between switches)
sw mode access - config for access ports (to hosts)
sw mode dynamic - automatically config port(s). this is the default.
sw access vlan <#> - set port(s) to vlan
sw port-security - enable port security
sw port-security mac-address <option> - set mac address security. use "no" to undo
<mac> - allow this mac address
sticky - remember mac address and only allow that one
sw port-security maximum <#> - max number of mac addresses to remember. default 1.
sw port-security violation <option> - set violation action
shutdown - shutdown port
restrict - alert admin
protect - protect mode
speed <speed> - set speed. can be 10, 100, 1000, auto (depending on interface). default: auto
duplex <mode> - either full, half, or auto. non-auto requires speed to be set non-auto. (default: auto).
no switchport - disables access layer on interface. use on ports attached to routers

spanning-tree vlan <#> priority <p#> - lowest = root switch, ie vlan 1 should be lower. default priority 32768. increments of 4096.
int f 0/1
int range f 0/1 - 5
ip default-gateway <addr> - address of attached router (vlan 1). if using hot standby, use the standby address
int vlan <#> - create/configure vlan.
ip routing - enable layer 3 routing. must use 'no switchport' on each interface to make layer 3.

EXAMPLE (TRUNK PORT TO ROUTER):
ip default-gateway 10.1.1.1
int f 0/24
sw mode trunk
int vlan 1
ip add 10.1.1.2 255.255.255.252
no shut

EXAMPLE (ACCESS PORTS):
int vlan 10
int range f 0/1 - 20
sw access vlan 10
sw mode access

HOT STANDBY:
int vlan <#>
standby <group#> ip <addr> - dedicate an address within each subnet to be the standby. configure standby ip address for each vlan on a distribution switch.
standby <group#> priority <#> - make priority same for all if not sure
standby <group#> preempt - tells it to choose the most available standby.
conf t
vlan <#> - updates vlan.dat file.

DHCP FORWARDING:
int vlan <#>
ip helper-address <addr> - use address of the dhcp server

TRUNKING:
no switchport - disables access layer on interface. use on ports attached to routers
ip routing - enable layer 3 routing

line vty 0 15

clear mac - clear mac address table
clear man d - clear only dynamic

sh port-security - show port security statistics
sh port-security address - show port security table
sh port-security int <int> <int#> - show port security for interface
sh vlan br
sh vtp status
sh mac - mac address table

return to default:
must delete files vlan.dat and startup-config on flash
sh flash - see files on flash
sw delete vlan.dat
erase startup-config

VOICE/VOIP:
Router:
config
int lo 0
ip add <address> <mask>
no shut
exit

telephony-service setup - goes through wizard. (dhcp: no, voicemail: no, DID: no, CME address: router loopback, num of phones: 2, multi-line: no, skinny port: default, 1st extension: 301)
no telephony-service - resets tele config

tele-service can also be put on a stubby server on the voice vlan. configure the "server" Fa interface as an address on the voice subnet, and do: sw access vlan <Voice-vlan#> on the switch port.

Switch:
config
int vlan 6
ip add <addr> <mask>
ip helper <DHCPserver addr>

int range f 0/23 - 24
sw access vlan 3 - must be different from voice vlan on phone ports!!!
sw voice vlan 6

DHCP server:
dhcp server needs to be set up with option 150, which serves the address for the TFTP server (usually same as call manager).

VTP:
DSW config
vtp domain <VTPdomain>
vtp mode server
vtp password <pass> - must be same on all servers/clients

ASW config
vtp domain <VTPdomain>
vtp mode client
vtp password <pass> - must be same on all servers/clients

CHANNEL-GROUP:
int range f 0/1 - 2
channel-group 1 mode desirable
int port-channel 1
sw trunk encap dot
sw mode trunk
shut - may need to "flap" interface
no shut

ASA:
int vlan 1
nameif <arbitrary name of int> (ie inside)
ip add x.x.x.x x.x.x.x
no shut

int e 0/0
sw mode access
sw access vlan 1
no shut

http server enable
http <net-address> <mask> <arbitrary name of int> (ie inside)

ACL:
sh access-lists
access-list <1-99,100-199> <permit/deny> <protocol> host (<source address> <wildcard mask>) host (<destination address> <wildcard mask>) eq <port> - make acl rule
acl list has an implicit deny all at the end
list in order from allow to deny. ie first rules given are higher priority.
1-99 - standard acl #
100-199 - extended acl #
protocol - tcp, udp, ip, icmp
host - use if specifying single host
address - network address
wildcard mask - bits which will be wildcard in network address, ie 0.0.3.255
any - replace anything to include all possibilities
eq <port> - specify port/protocol
access-list <1-99,100-199> remark <comment> - leave comment for acl rule

config-if
ip access-group <1-99,100-199> <in/out> - control acl on interface

EXAMPLES:
access-list 100 deny tcp any any eq telnet - deny telnet

SSH:
hostname <hostname>
ip domain-name <domain-name>
username <username> priv 15 secret <password> - priv 15 is the highest

crypto key gen rsa - when prompted, use 768 or higher for ssh v2 compatibility
ip ssh version 2 - use version 2
line vty 0 4
trans input ssh
password <password> - the vty password is used to login
login local - allow vty to use local users

ip ssh auth <0-5> - number of authentication retries
ip ssh time <1-120> - ssh timeout in seconds

ssh -l <username> <host> - ssh into another host

TELNET:
ctrl+shift+6, then x - suspend telnet session (while in telnet)
sh sessions - show current sessions
resume <#> - resume telnet session #

</pre>

Cisco IOS - Revision history

Beard: Created page with "
enable - enter privilege exec mode enable password - set password enable secret - same but encrypted copy run start - copy running-config to startup-config copy flash:/f..."