Cisco IOS
From TheBeard Science Project Wiki
enable - enter privilege exec mode
enable password - set password
enable secret - same but encrypted
copy run start - copy running-config to startup-config
copy flash:/file run - copy file from flash to running-config
copy run tftp:<addr> - copy to another host
erase start - erase startup-config
reload - reboot router
exit - exit mode
end - back to main mode
sh run - show running-config
sh start - show startup-config
sh v - show version
sh hosts
sh ip int br - show ip interface brief
sh ip protocols
sh ip route
sh ip rip database
sh ip http server status
sh ip ospf <option> - see OSPF section
sh port-security <option> - see Switches section
sh cdp <option> - see CDP section
sh controllers <interface> - troubleshoot controllers
sh access-lists
conf t - configure terminal
int <int> <int#> - interface config mode
  description <description>
  no shut - bring up
  shut - bring down
  no ip add - remove ip address
  no ip nat - remove nat config
  ip add <address> <mask> - ip address
  ip n i - nat inside
  ip n o - nat outside
  ip subnet-zero - allow use of full ip range (don't use with legacy equipment)
  clock rate # - set clock rate for interface
  cdp enable
  duplex <option> - options are: auto, half, full
  ip access-group <1-99> <in/out> - control acl on interface
int <int> <int#>.<vlan#> - configure sub-interface. an interface can carry multiple vlans (ie f 0/0.1, f 0/0.10, f 0/0.20). only the physical interface is brought up; the sub-interfaces are then configured under it (ie int f 0/0 -> no shut -> int f 0/0.10 -> <configurations, etc.>)
  description <description>
  encap dot1q <#> <option> - <#> = the vlan number which will be encapsulated by the sub-interface (ie 10 for f 0/0.10). <option> = "native" for management vlan.
  ip add <address> <mask> - ip address. MUST DO ENCAP FIRST
  ip access-group <acl-name or acl#> <in/out> - allow traffic in or out
router rip
  net <address> - enable rip on all addresses that fall within range of address given.
  passive-interface f 0/0 - do not advertise on interface
  version <#> - use rip version 1 or 2
  redistribute <protocol> - use one protocol to redistribute another
  no auto-summary - allows discontiguous networks if using rip 2 (all routers configured)
  timers basic <update> <invalid> <holddown> <flush> - set timers (holddown should be [max hops in network]*[update])
  redistribute static - allows static default routes to propagate through rip
ip r a.a.a.a b.b.b.b c.c.c.c d - static route
  a - destination (other router [direct] or network)
  b - destination prefix mask (classful!!)
  c - forwarding router address (next hop)
  d - administrative distance. lower distance used first. rip routes have 120 by default. static have 1 or 0. must add every network
ip default-network <address> - advertise as default network
line con 0 - config console 0
  logging synchronous - cleaner output
  password <password> - set password
  login - set login to ask for password
  exec-timeout 5 0 - automatically logout after 5 min
line aux 0 - config aux 0
line vty 0 4 - config connections 0 through 4
  password <password> - set password
  login - set login to ask for password
  transport <input/output> <protocol> - set the protocol. protocols: all, none, ssh, telnet
no ip domain-lookup - eliminate annoying domain lookup
banner motd # <message> # - use any symbol like a # to mark the beginning & ending of message. message can be multiple lines.
banner login # <message> #
ip host <hostname> <address> - match host name with ip address
ip domain-name <domain-name> - set domain name
username <username> pass <password> - create a user with a password
ip name-server <address> - define dns server
ip http server - start http server
boot system <device> - specify boot device for next boot
config-register 0x2102 - set register to 0x2102
  0x2102 - normal boot
  0x2142 - do not load config file (password recovery)
  0x2101 - load rommon
cdp run - enable cdp

ROMMON:
ctrl+break - hold during boot to load rommon
dir flash - show contents of flash
boot <device>:<file> - boot from specific file
confreg 0x2102 - set config register to 0x2102
  0x2102 - normal boot
  0x2142 - do not load config file (password recovery)
reset - reboot
tftpdnld - download ios (must set environment variables first)
  tftp uses udp port 69
set - finalizes all variables after they have been defined
environment variables: IP-ADDRESS, IP-SUBNET-MASK, DEFAULT-GATEWAY, TFTP-SERVER, TFTP-FILE

CDP: cisco discovery protocol
cdp run
debug cdp packets - receive cdp info
undebug all - undo debug mode
config-if
  cdp enable
sh cdp int - cdp interfaces
sh cdp neighbors detail
sh cdp traffic - monitor cdp

OSPF:
router ospf <pid> - pid arbitrarily assigned. interfaces do not share a pid.
  net <addr> <wildcard addr> area <area-id>
  log-adjacency-changes - logs when neighbor goes up or down
  area <area-id> auth mess - use authentication
  default-information originate - inject default route into area
  passive-int <int> <int#>
config-if
  ip ospf hello-interval <seconds> - 5 is a good #
  ip ospf dead-interval <seconds> - always 4x hello interval
  ip ospf <pid> area <area-id>
  bandwidth <#> - not clock rate. factored into cost.
  ip ospf mess <key-id> md5 <password> - key-id (start at 1) arbitrary
  ip ospf priority <0-255> - used for elections to become designated router. default: 1. set 0 to never win. set 255 to always win.
    central router should win

OSPFv3:
ipv6 router ospf <pid>
config-if
  ip ospf <pid> area <area-id>
sh ip ospf int
sh ip ospf neighbors
sh ip ospf route
sh ip ospf topology
sh ip ospf statistics

EIGRP:
router eigrp <as> - as = autonomous system number
  net <addr>
  no auto - no auto-summary for discontiguous networks
  passive <int> - specify interface to not use eigrp on
  redist <option> - redistribute another protocol. most commonly use "static" to redist default route specified by the "ip route" command.

FRAME RELAY:
ip cef
config-if
  bandwidth 128000
  encap frame-relay
  no dce-terminal-timing-enable
  frame-relay intf-type dce
  frame-relay route 301 int s 0/1 103
[incomplete]

SWITCHES:
usually have separate vlan for trunk line to router. ie vlan1 -> vlan10,20,30
sh vlan
sh ip int vlan <#>
sh power inline
sh vtp stat
sh ip int port-channel
sh standby
sh etherchannel summary
config-if
  switchport mode trunk - config for non-access port (to a router or switch). might produce error. just do dot1q first, then do mode trunk again.
  sw trunk encap dot1q - encapsulates 802.1q. use on each vlan interface. required before sw mode trunk on trunk interface.
  sw trunk encap dot1q native - use on point-to-point vlan to the router
  sw mode trunk - configure interface as trunk interface (ie between switches)
  sw mode access - config for access ports (to hosts)
  sw mode dynamic - automatically config port(s). this is the default.
  sw access vlan <#> - set port(s) to vlan
  sw port-security - enable port security
  sw port-security mac-address <option> - set mac address security. use "no" to undo
    <mac> - allow this mac address
    sticky - remember mac address and only allow that one
  sw port-security maximum <#> - max number of mac addresses to remember. default 1.
  sw port-security violation <option> - set violation action
    shutdown - shutdown port
    restrict - alert admin
    protect - protect mode
  speed <speed> - set speed. can be 10, 100, 1000, auto (depending on interface).
    default: auto
  duplex <mode> - either full, half, or auto. non-auto requires speed to be set non-auto. (default: auto).
  no switchport - disables access layer on interface. use on ports attached to routers
spanning-tree vlan <#> priority <p#> - lowest = root switch, ie vlan 1 should be lower. default priority 32768. increments of 4096.
int f 0/1
int range f 0/1 - 5
ip default-gateway <addr> - address of attached router (vlan 1). if using hot standby, use the standby address
int vlan <#> - create/configure vlan.
ip routing - enable layer 3 routing. must use 'no switchport' on each interface to make layer 3.

EXAMPLE (TRUNK PORT TO ROUTER):
ip default-gateway 10.1.1.1
int f 0/24
  sw mode trunk
int vlan 1
  ip add 10.1.1.2 255.255.255.252
  no shut

EXAMPLE (ACCESS PORTS):
int vlan 10
int range f 0/1 - 20
  sw access vlan 10
  sw mode access

HOT STANDBY:
int vlan <#>
  standby <group#> ip <addr> - dedicate an address within each subnet to be the standby. configure standby ip address for each vlan on a distribution switch.
  standby <group#> priority <#> - make priority same for all if not sure
  standby <group#> preempt - tells it to choose the most available standby.
conf t
  vlan <#> - updates vlan.dat file.

DHCP FORWARDING:
int vlan <#>
  ip helper-address <addr> - use address of the dhcp server

TRUNKING:
no switchport - disables access layer on interface. use on ports attached to routers
ip routing - enable layer 3 routing
line vty 0 15
clear mac - clear mac address table
clear man d - clear only dynamic
sh port-security - show port security statistics
sh port-security address - show port security table
sh port-security int <int> <int#> - show port security for interface
sh vlan br
sh vtp status
sh mac - mac address table
return to default: must delete files vlan.dat and startup-config on flash
  sh flash - see files on flash
  sw delete vlan.dat
  erase startup-config

VOICE/VOIP:
Router:
config
int lo 0
  ip add <address> <mask>
  no shut
  exit
telephony-service setup - goes through wizard.
  (dhcp: no, voicemail: no, DID: no, CME address: router loopback, num of phones: 2, multi-line: no, skinny port: default, 1st extension: 301)
no telephony-service - resets tele config
tele-service can also be put on a stubby server on the voice vlan. configure the "server" Fa interface as an address on the voice subnet, and do: sw access vlan <Voice-vlan#> on the switch port.
Switch:
config
int vlan 6
  ip add <addr> <mask>
  ip helper <DHCPserver addr>
int range f 0/23 - 24
  sw access vlan 3 - must be different from voice vlan on phone ports!!!
  sw voice vlan 6
DHCP server:
dhcp server needs to be set up with option 150, which serves the address for the TFTP server (usually same as call manager).

VTP:
DSW config
  vtp domain <VTPdomain>
  vtp mode server
  vtp password <pass> - must be same on all servers/clients
ASW config
  vtp domain <VTPdomain>
  vtp mode client
  vtp password <pass> - must be same on all servers/clients

CHANNEL-GROUP:
int range f 0/1 - 2
  channel-group 1 mode desirable
int port-channel 1
  sw trunk encap dot
  sw mode trunk
  shut - may need to "flap" interface
  no shut

ASA:
int vlan 1
  nameif <arbitrary name of int> (ie inside)
  ip add x.x.x.x x.x.x.x
  no shut
int e 0/0
  sw mode access
  sw access vlan 1
  no shut
http server enable
http <net-address> <mask> <arbitrary name of int> (ie inside)

ACL:
sh access-lists
access-list <1-99,100-199> <permit/deny> <protocol> host (<source address> <wildcard mask>) host (<destination address> <wildcard mask>) eq <port> - make acl rule
  an acl has an implicit deny all at the end
  list in order from allow to deny. rules are checked top-down and the first matching rule wins.
  1-99 - standard acl #
  100-199 - extended acl #
  protocol - tcp, udp, ip, icmp
  host - use if specifying single host
  address - network address
  wildcard mask - bits which will be wildcard in network address, ie 0.0.3.255
  any - replace anything to include all possibilities
  eq <port> - specify port/protocol
access-list <1-99,100-199> remark <comment> - leave comment for acl rule
config-if
  ip access-group <1-99,100-199> <in/out> - control acl on interface
EXAMPLES:
access-list 100 deny tcp any any eq telnet - deny telnet

SSH:
hostname <hostname>
ip domain-name <domain-name>
username <username> priv 15 secret <password> - priv 15 is the highest
crypto key gen rsa - when prompted, use 768 or higher for ssh v2 compatibility
ip ssh version 2 - use version 2
line vty 0 4
  trans input ssh
  password <password> - the vty password is used to login
  login local - allow vty to use local users
ip ssh auth <0-5> - number of authentication retries
ip ssh time <1-120> - ssh timeout in seconds
ssh -l <username> <host> - ssh into another host

TELNET:
ctrl+shift+6, then x - suspend telnet session (while in telnet)
sh sessions - show current sessions
resume <#> - resume telnet session #
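The ACL rules in the ACL section above (wildcard masks, standard vs extended numbers, first match wins, implicit deny at the end), as an added worked example that is not part of the wiki: a small Python evaluator for a constructed rule set that includes the wiki's own deny-telnet line. The sample addresses, the short port-name table and the function names are my own choices.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}
ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard matches everything
SAMPLE_ACL = [  # constructed; the telnet rule is the wiki's own example
    "access-list 100 deny tcp any any eq telnet",
    "access-list 100 permit tcp 10.1.0.0 0.0.3.255 host 10.1.1.1 eq ssh",
    "access-list 100 permit icmp any any",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (spec, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acl(lines):
    """Return rules as (acl number, permit?, protocol, src spec, dst spec, port)."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        num, permit = int(t[1]), t[2] == "permit"
        if 1 <= num <= 99:  # standard ACL: source address only, any protocol/dst
            src, _ = parse_addr(t[3:])
            rules.append((num, permit, "ip", src, ANY, None))
        else:               # extended ACL: protocol, source, destination, [eq port]
            src, rest = parse_addr(t[4:])
            dst, rest = parse_addr(rest)
            port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            rules.append((num, permit, t[3], src, dst, port))
    return rules

def matches(spec, ip):
    addr, wild = spec  # a 1 bit in the wildcard mask means "don't care"
    return (addr ^ _ip(ip)) & (0xFFFFFFFF ^ wild) == 0

def evaluate(rules, acl, proto, src, dst, dport=None):
    for num, permit, rproto, rsrc, rdst, rport in rules:  # first match wins
        if num != acl or rproto not in ("ip", proto):
            continue
        if matches(rsrc, src) and matches(rdst, dst) and rport in (None, dport):
            return "permit" if permit else "deny"
    return "deny"  # no match: the implicit deny all at the end of every ACL
```

Note that 10.1.4.5 falls outside 10.1.0.0 0.0.3.255 (which covers 10.1.0.0 to 10.1.3.255), so its ssh attempt falls through every rule to the implicit deny.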
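The enable secret, line vty (transport, exec-timeout, login local) and port-security settings covered above, as an added example that is not from the wiki: a Python check that reads saved 'sh run' text and flags the weak settings the cheat sheet warns about. The config text is a constructed sample and the set of checks is my own selection.

```python
SAMPLE_RUN = """\
enable password cisco123
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
!
line vty 0 4
 transport input all
!
line vty 5 15
 exec-timeout 0 0
 transport input ssh
 login local
"""  # constructed sample of 'sh run' output, not from a real device
def sections(config):
    out = []  # list of (header line, [indented child lines])
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry nothing
        if raw.startswith(" ") and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out

def audit(config):
    """Return findings for the weak settings the cheat sheet warns about."""
    secs = sections(config)
    findings = []
    if any(h.startswith("enable password") for h, _ in secs) and \
            not any(h.startswith("enable secret") for h, _ in secs):
        findings.append("global: enable password set but no enable secret")
    for head, body in secs:
        if head.startswith("line vty"):
            to = next((c.split()[1:3] for c in body if c.startswith("exec-timeout")), None)
            if to is None or to == ["0", "0"]:
                findings.append(f"{head}: exec-timeout not set, or 0 0 (never times out)")
            tr = next((c.split()[2:] for c in body if c.startswith("transport input")), [])
            if tr != ["ssh"]:
                findings.append(f"{head}: transport input not restricted to ssh")
            if "login local" not in body:
                findings.append(f"{head}: no login local (line password or no auth)")
        if head.startswith("interface") and "switchport mode access" in body:
            if "switchport port-security" not in body:
                findings.append(f"{head}: access port without port-security")
    return findings
```

Run it on the output of `copy run tftp:<addr>` or a pasted `sh run`; the sample yields one global finding, one for FastEthernet0/2, three for line vty 0 4 and one for line vty 5 15.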