Configuration Checklists
Configure logon security no user nameConfigure logon security with user names
Select/Restrict Telnet/SSHHide password from show running-configuration
Setting bannersSwitch configuration
Switch securitySwitch security Lock Down
Create vlanSet administrative trunking mode
ACL standardACL standard named
ACL extendedRouter Config
PPP PAP ConfigurationPPP Chap Configuration
Router on a Stick ROSL3 Switch
Static RoutesRIP V2
Learn from DHCPDHCP Server
Multilink PPPGRE Tunnel
PPPoEHSRP
SNMPSLA
SPANQOS
OSPFEIGRP
Remote ConnectionsName Resolution
NATIPV6
TriviaLogging
NTPCDP - LLDP
Passwords / bannersReset Password
Boot FieldMake Backup copy of config
Automate Backup/restoreBoot system commands
Replace running config w/o reloadAutomate FTP
SCP copyLicensing
Port Security FactoidMisc
Table of Eightsblank























































Trivia

  • host tracert uses icmp, cisco uses UDP header
  • tracert sends packets with TTL=1, TTL=2, TTL=2, TTL=...
  • pathping is another Windows OS tracert like command
  • extended ping on IOS is just ping (then it asks questions)
  • show running-config interface g0/1
  • Most specific (longest prefix) of the Overlapping routes is used to route
  • subnet of a single classful network that use multiple different masks = VLSM
  • Outbound ACL does not filter routing. ping, and traceroute
  • disable access list prior to making changes i.e. S1(config-if)# no ip access-group 1
  • Router Self Ping to Serial Interface will be fowrared out serial interface
    Router Self Ping to Ethernet Interface will not foward frame, but it will process incomming ACL logic

    R2# setup (CLI for auto setup by prompt)


    Menu























































    Configure logon security no user name

  • sw1>enable
  • sw1# configure terminal
  • sw1(config)# enable secret letmein
  • sw1(config)# hostname bob
  • bob(config)# line console 0
  • bob(config-line)# password hope
  • bob(config-line)# login
  • bob(config-line)# exec-timeout 0 0
  • bob(config-line)# logging synchronous
  • bob(config-line)# exit
  • bob(config)# line vty 0 15
  • bob(config-line)# password love
  • bob(config-line)# login
  • bob(config-line)# end
  • bob#


  • Menu























































    Configure logon security with user names

  • bob>enable
  • bob# configure terminal
  • bob(config)# line vty 0 15
  • bob(config-line)# login local
  • bob(config-line)# exit
  • bob(config-line)# username johnt password letmein
  • bob(config-line)# username lynn password 666
  • bob(config-line)# ip domain-name ccaac.com
  • bob(config-line)# crypto key generate rsa
  • bob(config-line)# ip ssh version 2
  • bob(config-line)# end (or ^z)
  • bob# (show ip ssh shows server)
  • bob# (show ssh shows connections)


  • Menu























































    Select/Restrict Telnet/SSH

  • bob(config)# line vty 0 15
  • bob(config-line)# transport input { all | none | telnet | ssh }


  • Menu























































    Hide password from show running-configuration

  • bob# configure terminal
  • bob(config)# service password-encrytion hides passwords from the show running-config (7)
  • bob(config)# end (or ^z)

  • bob# configure terminal
  • bob(config)# enable password Mother hides passwords from the show running-config (7)
  • bob(config)# end (or ^z)

  • bob# configure terminal
  • bob(config)# enable secret Fred hides passwords from the show running-config (5)
  • bob(config)# end (or ^z)

  • bob>enable
  • bob# configure terminal
  • bob(config)# line vty 0 15
  • bob(config-line)# login local
  • bob(config-line)# exit
  • bob(config-line)# username johnt secret letmein (5)

  • enable password fred (0)
    enable secret barney (5)
    service password-encryption (7)
    enable algorthm-type sha-256 secret barney (8)
    enable algorthm-type scrypt secret barney (9)


    Menu























































    Setting banners

  • bob>enable
  • bob# configure terminal
  • bob(config)# banner # (MOTD) switch down #
  • bob(config)# banner login # (login) hello user #
  • bob(config)# banner exec # (exec) keys are in the top drawer #

  • bob(config)# terminal history size 55 Sets for this user the # of entries for history buffer
  • bob# show terminal history


  • Menu























































    Switch configuration

  • S1(config)# ip default-gateway 192.168.1.45
  • S1(config)# interface vlan 1
  • S1(config-if)# ip address 192.168.1.86 255.255.255.0
  • S1(config-if)# ip address dhcp
  • S1(config-if)# no shutdown

  • S1(config)# interface range 2 25
  • S1(config-if-range)# description end_users_connect_here
  • S1(config-if-range)# duplex full
  • S1(config-if-range)# speed 100 - configuring duplex AND speed disables auto-negotiation


  • Menu























































    Switch security

  • S1# interface fa0/0
  • S1(config-if)# switchport mode access
  • S1(config-if)# switchport port-security
  • S1(config-if)# switchport port-security mac-address ab11.1212.34de
  • S1(config-if)# switchport port-security mac-address sticky
  • S1(config-if)# switchport port-security maximum 8
  • S1(config-if)# switchport port-security violation {protect | restrict | shutdown}


  • Menu























































    Switch security Lock Down

  • S1(config)# interface fa0/0
  • S1(config-if)# shutdown disabled
  • S1(config-if)# switchport mode access no trunking
  • S1(config-if)# switchport access vlan 99 assigned to unused vlan
  • S1(config-if)# switchport trunk native vlan 33 Set default native vlan to default to unused vlan


  • Menu























































    Create vlan

  • S1(config)# vlan 2
  • S1(config-vlan)# vlan 22 (This will be a voice vlan)
  • S1(config-vlan)# name John-vlan
  • S1(config-vlan)# exit
  • S1(config)# interface range fastethernet 0/13 14
  • S1(config-if)# switchport access vlan 2 (if vlan not created, it will create it)
  • S1(config-if)# switchport voice vlan 22 (Voice)
  • S1(config-if)# switchport mode access
  • S1(config-if)# end
  • 1, 1002-1005 are reserved
    1006 - 4094 are extended and not used by VTP and not saved in database


    Menu























































    Set administrative trunking mode

  • S1(config)# interface fastethernet 1/1
  • S1(config-if)# switchport mode dynamic desirable (could have been auto)
  • S1(config-if)# ^z
  • S1# show interfaces fastethernet 1/1 switchport

  • S1# show interfaces trunking
  • S1(config-if)# switchport trunk allowed {add | all | except | remove} [vlan-list]

  • S1(config-if)# switchport trunk encapsulation {dot1q | isl | negotiate}
  • vlan std range 1 1005 (can config from VTP server)
  • vlan range 1 - 4094
  • vtp mode transparent OR vtp mode off (this will disable Vlan Trunking Protocol)
    Only server, client or transparent are the possible modes of VTP

  • S1(config-if)# switchport trunk allowed remove 3 (will remove interface from trunking mode)


  • Menu























































    ACL standard

  • S1(config)# access-list {1-99 | 1300-1999} {permit | deny} [host] source-IP [WC] [log]
  • S1(config)# access-list 1 remark text
  • S1(config)# access-list 1 permit any
  • S1(config)# interface serial 0/0/0
  • S1(config-if)# ip access-group 1 {in | out}
  • S1(config-if)# no access-group 1 {in | out}

  • show ip access-lists [# | name]
    show access-lists [# | name]
    show ip interface s0/0/0
    Place as close to the destination as possible
    *note* access-class is used ONLY in line vtty mode to filter telnet/ssh access


    Menu























































    ACL standard named

  • S1(config)# access-list {extended | standard} {name | #}
  • S1(config-ext-nacl)# permit any
  • S1(config-ext-nacl)# no 20
  • S1(config-ext-nacl)# 5 deny 10.10.10.10
  • S1(config-ext-nacl)# do show ip access-lists paul
  • S1(config-ext-nacl)# interface serial1
  • S1(config-if)# ip access-group 1 {in | out}
  • S1(config-if)# no ip access-group 1


  • Menu























































    Router Config

  • S1(config)# interface serial 0/0/0
  • S1(config-if)# description my_favorite_router
  • S1(config-if)# ip address 192.168.1.1 255.255.255.0
  • S1(config-if)# no shutdown
  • S1(config-if)# duplex {full | half | auto}
  • S1(config-if)# speed {10 | 100 | 1000}
  • S1(config-if)# clock rate 128000 (bps DCE cable only and is required!)
  • S1(config-if)# bandwidth 1544 (kps optional for OSPF calculations)

  • # show interfaces [type number]
    # show ip interface brief
    # show protocols [type number]
    # show controllers [type number]


    Menu























































    Router on a Stick ROS

  • S1(config)# interface gigabitethernet 0/0.20
  • S1(config-if)# encapulation dot1q 20 [native]
  • S1(config-if)# ip address 192.168.1.1 255.255.255.0
  • S1(config-if)# ip helper-address 192.168.1.55


  • Menu























































    L3 Switch

  • sdm prefer lanbase-routing
  • reload
  • ip routing
  • interface vlan [vlan]
  • ip address 192.168.20.1 255.255.255.0
  • no shutdown

  • Routed Port

  • interface g0/0
  • no switchport
  • ip address 192.168.30.1 255.255.255.0

  • show interfaces status - will show routed instead of vlan #
  • Etherchannel

  • interface g0/0/13
  • no switchport
  • no ip address
  • channel-group 12 mode on

  • interface g0/1/13
  • no switchport
  • no ip address
  • channel-group 12 mode on

  • interface Port-channel12
  • no switchport
  • ip address 192.168.40.1 255.255.255.0


  • Menu























































    Static Routes

  • ip route 172.16.2.0 255.255.255.0 172.16.4.2 {permanent}
  • ip route 172.16.3.0 255.255.255.0 s0/0/1 {permanent}
  • ip route 0.0.0.0 0.0.0.0 s0/0/1 (default Route)
  • ip route 172.16.2.0 255.255.255.0 172.16.4.2 130 (sets admin distance to 130!)
  • show ip route {connected | static | rip} | ip-address
    show ip route
    sho vlans
    show arp
    show ip arp
    clear ip arp [ip-address]


    Menu























































    RIP V2

  • router rip
  • version 2
  • network 10.0.0.0 (classful network)
  • no auto-summary
  • maximun-paths 3
  • default-information originate (advertise default route)
  • Must have a default route i.e. ip route 0.0.0.0 0.0.0.0 S0/1
    Inbound 'EXTENDED' ACL should have the following to make sure that routing protocol packets are permitted 224.0.0.9
  • permit udp any any eq 520
  • passive-interface G0/1
  • Could have used passive-interface default followed by no passive-ineteface S0/0/1 commands
    show ip route [rip]
    show ip protocols
    show ip rip database


    Menu























































    DHCP Server

  • R2(config)# interface fa0/0 (set ip helper on other router)
  • R2(config-if)# ip helper-address 172.16.1.1 (set ip helper on other router)
  • R1(config)# ip dchp pool testpool (set pool info)
  • R1(dhcp-config)# network 10.10.10.0 255.255.255.0
  • R1(dhcp-config)# network 192.168.1.0 255.255.255.0 secondary
  • R1(dhcp-config)# dns-server 8.8.8.8
  • R1(dhcp-config)# domain-name testing.com
  • R1(dhcp-config)# dns-server addr1 addr2 addrx
  • R1(dhcp-config)# lease 0 12 0 (Defaults to 1 day lease if not set 1 0 0)
  • R1(dhcp-config)# next-server 192.168.1.221 (TFTP for VOIP)
  • R1(config)# ip dhcp excluded-address 192.168.1.1
  • R1(config)# ip dhcp excluded-address 10.10.10.1 [first] [last]

  • *NOTE* Default lease is one day

    Menu























































    Remote Connections

  • telnet 10.1.1.1
  • ssl -l username host


  • Menu























































    Name Resolution

  • ip name-server dns1 dns2 (Global Conf)
  • ip domain-lookup (Global Conf) Defaulted


  • Menu























































    Table of Eights

    \/\/ \/\/\/ \/ \/
    816243240485664
    72808896104112120128
    136144152160168176184192
    200208216224232240248256

    PrefixMask# Subnets
    1 - 9 - 17 - 25128128
    2 - 10 - 18 - 2619264
    3 - 11 - 19 - 2722432
    4 - 12 - 20 - 2824016
    5 - 13 - 21 - 292488
    6 - 14 - 22 - 302524
    7 - 15 - 23 - 312542

    ClassRange#
    A10.*1
    B172.16.* - 172.31.*16
    C192.168.*256



    Menu























































    NAT

  • S1(config-if)# ip nat {inside | outside}
  • S1(config)# ip nat inside source {list {access-list-number | access-list name} [interface type number | pool pool-name} {overload]
  • S1(config)# ip nat pool name start-ip end-ip [netmask netmask | prefix-length prefix-length
  • S1(config)# ip nat inside source inside-local inside-global
  • sho ip nat statistics
    show ip nat translations [verbose]
    clear ip nat translation {* | inside global-ip local-ip] [outside local-ip global-ip]}
    clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip global-ip]
    debug ip nat

  • S1(config)# access-list 1 permit 10.10.10.0 0.0.0.255 (access list of local hosts to nat)
  • S1(config)# ip nat pool CS1 200.1.1.225 200.1.1.226 netmask 255.255.255.254(Public IPs to use)
  • S1(config)# interface S0/0/0 (Set interface)
  • S1(config-if)# ip nat out (Outgoing interface)
  • S1(config)# interface fa0/5 (Set interface)
  • S1(config-if)# ip nat in (Inside interface)
  • S1(config)# ip nat inside source static 10.10.10.14 200.1.1.228 (Activate Static mapping)
  • S1(config)# ip nat inside source list 1 pool CS1 overload(Activate NAT with overload *PAT*)


  • Menu























































    IPV6

  • R1(config)# ipv6 unicast-routing (enable IPV6 on router)
  • R1(config)# interface serial 0/0/1
  • R1(config-if)# ipv6 address 200:db8:1111:1::1/64
  • R1(config-if)# ipv6 address 200:db8:1111:1::1/64 [eui-64]
  • R1(config-if)# ipv6 address 2ipv6-address/prefix-length [anycast]
  • R1(config-if)# ipv6 enable
  • R1(config-if)# ipv6 address dhcp
  • R1(config-if)# ipv6 address fe80::12:1 link-local (Overwrites auto eui-64 link-local entry for interface)
  • show ipv6 route [connected] [local]
    show ipv6 interface [type number]
    show ipv6 interface brief [type number]

  • R2(config)# ipv6 unicast-routing (enable IPV6 on router)
  • R2(config)# interface serial 0/0/1
  • R2(config-if)# ipv6 address 2001:C15C:0:1::2/64
  • R2(config-if)# no shutdown
  • R2(config-if)# interface fastethernet 0/0
  • R2(config-if)# ipv6 address 2001:C15C:0:3::/64 eui-64
  • R2(config-if)# no shutdown

  • FD[Global_Id,Subnet,Interface_Id] (FC00::/7)Local (Unicast)
    FE80::[Interface_ID]Link Local (Unicast)
    FF02::[1(all),2(router),(5,6)OSPF,9(RIP),A(eIGRP),1:2(dhcp)]Multicast
    FF02::1:FF[last 6 of unicast Addr]Solicited mode multicast
    ::Unknown
    ::1Loopback


    Menu























































    Logging

  • logging console
  • logging monitor
  • logging buffered
  • logging host [ip | hostname}
  • logging console {level-name | level #}
  • logging monitor {level-name | level #}
  • logging buffered {level-name | level #}
  • logging trap {level-name | level #} ** to syslog **
  • service timestamp
  • service sequence-numbers
  • show logging
    terminal {no} monitoring
    {no} debug {various}
    keyword#Desc
    Alert0Immediate Action Req
    Emergancy1System Unuasable
    Critical2Critical Higest of 3
    Error3Error Event Middle of 3
    Warning4Warning event lowest of 3
    Notification5Normal More importand
    Informational6Normal Less important
    Debug7Requested by user Debug


    Menu























































    NTP

  • clock timezone NAME +-number
  • clock sumertime NAME recuring
  • ntp server address | hostname
  • ntp master STRATUM#
  • ntp source name/number ** interface **
  • interface loopback NUMBER
  • show clock
    show ntp associations
    show ntp status
    show interfaces loopback #


    Menu























































    CDP - LLDP

  • cdp run
  • R2(config-if)# cdp enable
  • lldp run
  • R2(config-if)# lldp transmit
  • R2(config-if)# lldp recieve
  • show {cdp | lldp} neighbors {type number}
    show {cdp | lldp} neighbors detail
    show {cdp | lldp} entry {name}
    show {cdp | lldp} interface {type number}
    show {cdp | lldp} traffic


    Menu























































    Passwords / banners

    enable secret PW (level MD5)
    service password-encryption (level MD7)
    enable algorithm-type sha-256 secret PW (Level 8 - SHA-256)
    enable algorithm-type scrypt secret PW (Level 9 - SHA-256)
    crypto key generate rsa modulus {512|768|1024}


    Console and Telnet
  • MOD Banner
  • Login Banner
  • Login#
  • Exec Banner

  • SSH
  • Login Banner
  • Login#
  • MOD Banner
  • Exec Banner

  • SSHv1
  • Login#
  • MOD Banner
  • Exec Banner


  • Menu























































    Reset Password

    Power off
    Remove Flash
    Power on
    confreg 0x2142
    power off
    Install Flash
    Power on
    from enable: copy startup-config running-config
    enable secret cisco
    config-reg 0x2102
    copy running-config startup-config


    Menu























































    Boot Field

    x2102 = default value
    config-register 0x2100 - Load ROMMON
    boot field values
    0 - ROMMON OS
    1 - Load 1st IOS in Flash
    2-f - Try each boot system command in startup-conf
    if none work, load 1st IOS from Flash
    If all fail, load ROMMON

    If 3rd digit is a 4 (not a 2)
    ignore the start-up config and not execute any boot systm commands
    Example is x2142


    Menu























































    Make Backup copy of config

    copy running-config tfrp
    copy tftp startup-config
    reload


    Menu























































    Automate Backup/restore

    R1# archive
    R1 (config-archive)# path ftp://wendell:odom@192.168.1.170/
    R1 (config-archive)# time-period 1440
    R1 (config-archive)# write-memory
    R1# archive config (does the magic!)
    R1# show archive

    to erase use the "erase nvram"
    older ones: write erase and erase startup-config

    Also see Config replace Command

    R1# configure restore (Restores last archive w/o reboot - may be a misprint!)


    Menu























































    Boot system commands

    boot system {file-uri|filename}
    boot system flash [flash-fs:] [filename]
    boot system [tfpt|ftp] filename ip-address


    Menu























































    Replace running config w/o reload

    R2# configure replace filesystem:name
    R2# configure replace ftp://wendle:odem@192.168.1.170/oct-24


    Menu























































    Automate FTP Copy

    ip ftp username NAME
    ip ftp password pass
    copy ftp://192.168.1.170/FILENAME
    -- This eliminates the need for the username and password in the copy command
    Otherwise: copy ftp://wendle:odem@192.168.1.170/FILENAME



    Menu























































    SCP copy

    Give SSH user direct access to privileged mode by adding a parameters to the username command
    R1(config)# line vty 1 4
    R1(config)# username fred privilege-level 15 password barney

    Enable scp server with the ip scp server enable global command
    R1(config)# ip scp server enable (Enable SCP server)

    Then use SCP (from a client) to transfer files:
    c:> scp c2900-universalk9-mz.SPA.155-2-T1.bin windell@192.168.1.9:flash0:c2900-universalk9-mz.SPA.155-2-T1.bin




    Menu























































    Licensing

    Cisco ONE licensing
    PAK - Product Authorization Key
    UDI - Unique device Identifier
    PID - Product ID
    Feature Sets
    CLM Cisco License Manager (Software)
    IOS feature set
    universal image

    From Cisco Product License Registration Portal, input UDI
    Enter PAK (from reseller)
    Download for get from email the license key file (download)
    Copy license key file to router via USB or network server
    issue: license install URL
    Reload router

    show license
    show license feature (brief) this is where you find items that you can install as right to use w/o PAK
    show license udi
    show version
    dir FILESYSTEM (usbflash1:)
    license install URL

    Right to use (w/o PAK)
    license boot module (with reload)
    -- license boot module c2900 technology-package securityk9
    reload
    (60 days then converts to lifetime)


    Menu























































    Port Security Factoid

    Once port security has been configured
    MAC addresses are static. Even if learned.
    show mac address-table secure
    show mac address-table static

    To save 'sticky' learned mac addresses in config,
    use copy running-config startup-config


    Menu























































    Misc

    R2# setup - EXEC command for prompt config

    R2# dir FILESYSTEM
    R2# dir FILESYSTEM:directory

    R2# show flash
    R2# verify /md5 filesystem:name [MD5:hash}
    Remember the ip-helper-address interface subcommand on Routers that service clients that need access to a non-local dhcp server
    show arp
    show ip arp
    show ip dhcp binding
    show ip dhcp pool name
    show ip dhcp server statistics
    show ip dhcp conflict
    clear ip dhcp conflict
    --ROUTER--
    sho interfaces
    show ip interface brief
    show protocols
    show running-config
    --SWITCH--
    show interfaces status
    show vlan
    show interfaces switchport
    --OS--
    ipconfig, ifconfig
    netstat -rn
    arp -a
    ---MISC---
    no ip directed-broadcast (int sub command) prevents encapulation into ethernet broadcast frame (loc 13005)
    - access-class is used to apply an ACL to a "line" (vty, aux, etc).
    Example (permit any ip address to telnet/ssh into the router):
  • access-list 10 permit ip any
  • line vty 0 4
  • access-class 10 in

  • - access-group is used to apply an ACL to an "interface"
    Example (deny all ip traffic ingress to interface gi1/1):
  • access-list 11 deny ip any
  • interface gi1/1
  • access-group 11 in


  • Menu























































    Learn from DHCP

  • S1# configure terminal
  • S1(config)# interface gigibitethernet0/1
  • S1(config-if)# ip address dhcp


  • Menu























































    ACL Extended

  • S1(config)# access-list {100-199 | 2000-2699} {permit | deny} protocol source WC dest WC [log | log-input]
  • S1(config)# access-list {100-199 | 2000-2699} {permit | deny} {tcp | udp} source WC operator port dest WC operator port established [log]
  • S1(config-if)# ip access-group 100 {in | out}
  • S1(config-if)# no ip access-group 100
  • Plase close to the source
    Operators are eq, ne, lt, gt, and range # to #
    Protocols are osfp, eigrp, icmp, tcp, udp

    PortProtocolApplicationKeyword
    20TCPFTP dataftp-data
    21TCPFTP controlftp
    22TCPSSH---
    23TCPTelnettelent
    25TCPSMTP---
    53UDP;TCPDNSdomain
    67UDPDHCP Server---
    68UDPDHCP Client---
    69UDPTFTPtftp
    80TCPHTTP (WWW)www
    110TCPPOP3pop3
    161UDPSNMPsnmp
    179TCPEBGP---
    443TCPSSL---
    514UDPSyslog---
    520UDPRIP---
    16,384 - 32,767UDPRTP (voice, video)---


    Menu























































    PPP PAP Configuration

  • hostname R1
  • username R2 password pass2

  • interface serial 0/0/0
  • ip address 192.168.2.1 255.255.255.0
  • encapsulation ppp
  • ppp authentication pap [chap]
  • ppp pap sent-username R1 password pass1


  • Menu























































    PPP Chap Configuration

  • hostname R1
  • username R2 password mypass

  • interface serial 0/0/0
  • ip address 192.168.2.1 255.255.255.0
  • encapsulation ppp
  • ppp authentication chap [pap]


  • Menu























































    Multilink PPP

  • interface multilink 1
  • encapsulation ppp
  • ppp multilink
  • ip address 192.168.5.1 255.255.255.0
  • ppp multilink group 1

  • interface s0/0/0
  • encapsulation ppp
  • ppp multilink
  • no ip address
  • ppp multilink group 1
  • ! authentication goes here!

  • Same group number on neighbor router (underlined)


  • Menu























































    GRE Tunnel

  • interface s0/0/1
  • ip address 2.2.2.2 255.255.255.0 (public)

  • interface tunnel1
  • ipaddress 10.1.3.2 255.255.255.0 (private)
  • tunnel mode gre [ip | ipv6 | multipoint]
  • tunnel source [s0/0/1 | IP]
  • tunnel destination [1.1.1.1 | Hostname] (public)

  • router osfp 1
  • network 10.0.0.0 0.255.255.255 area 0



  • Menu























































    PPPoE

  • interface dialer 2
  • ip address negotiated
  • mtu 1492
  • encapsulation ppp
  • ppp chap hostname Fred
  • ppp chap password Barney
  • dialer pool 1

  • interface g0/1
  • no ip address
  • ppoe-client dial-pool-number 1 (Automatically adds ppoe enable shown below)
  • ppoe enable
  • mac-address 0200.0000.0011 [not required]
  • no shutdown


  • Menu























































    HSRP

    Has Tracking which will reduce priority every failure
  • FHRP - First Hop Routing Protocol
  • HSRP - Hot Stand-by Routing Protocol (Cisco)
  • VRRP - Virtual Router Redundancy Protocol (RFC 5798)
  • GLBP - Gateway Load Balancing Protocol (Cisco active/active per host)

  • interface g0/0
  • ip address 10.1.1.9 255.255.255.0
  • standby version 2
  • standby 1 ip 10.1.1.1
  • standby 1 prority 110 (default 100 highest is chosen)
  • standby 1 preempt
  • standby 1 name HRSP-Group_one

  • version 1 uses 224.0.0.2 (255 groups), Ver2 uses 224.0.0.102(4095 groups)
    UDP 1985


    Menu























































    SNMP

    snmp v1

  • snmp-server community Sim-RO ro
  • snmp-server community Sim-RW rw
  • snmp-server host 10.10.10.100 traps trap-RO
  • snmp v2c

  • ip access-list standart ACL_PROTECTSNMP
  • - permit host 10.1.3.3
  • snmp-server community secretROpw RO ACL_PROTECTSNMP
  • snmp-server community secretRWpw RW ACL_PROTECTSNMP
  • snmp-server loaction Corpus
  • snmp-server contact John T
  • snmp-server host 10.1.3.3 version 2c secretTRAPpw
  • snmp-server host 10.1.3.4 informs version 2c secretTRAPpw
  • snmp-server enable traps (snmp linkup linkdown)

  • snmp v3

  • (snmp-server group Gname v3 [noauth|auth|priv] write viewname access [ipv6] aclname)
  • snmp-server group BookGroup v3 auth write v1derault
  • (snmp-server user USR GROUP v3 [noauth|auth|priv] [md5|sha] PSW priv [DES|3DES|AES] key)
  • * note that AES keylength key *
  • snmp-server user Yoda BookGroup v3 auth md5 madeuppassword
  • snmp-server host 10.1.3.3 version 3 auth Yoda
  • ** disable by remove all snmp config with NO, and reload switch/router **


  • Menu























































    SLA

  • ip sla 1
  • - icmp-echo 100.100.100.2 source-ip 10.10.10.100
  • - frequency 5
  • ip sla schedule 1 start-time now life forever
  • ** sho ip sla [configuration|statistics|summary]


  • Menu























































    SPAN

  • (monitor session NUM source interface TYPE NUM [rx|tx|both])
  • (monitor session NUM source vlan VID [rx|tx|both])
  • monitor session 1 source interface GigabitEthernet0/1
  • (monitor session 1 destination interface TYPE NUM)
  • monitor session 1 destination interface fastEthernet0/11
  • ** show monitor (session|detail)


  • Menu























































    OSPF

    ipv4 OSPF

  • Router(config)#router opsf 10
  • Router(config-router)#network 10.10.0.0 0.0.255.255 area 0
  • Router(config-router)#router-id 1.1.1.1
  • Router(config)#interface loopback 0
  • Router(config-if)#ip address 192.168.250.250 255.255.255.0
  • Router(config)#interface serial 0/0
  • Router(config-if)#ip ospf priority 100
  • Router(config-if)#bandwidth 256
  • Router(config-if)#ip ospf hello-interval timer 15
  • Router(config-if)#ip ospf dead-interval 60
  • ipv6 OSPF

  • Router(config)#ipv6 unicast-routing
  • Router(config)#router ipv6 opsf 10
  • Router(config-router)#router-id 1.1.1.1
  • Router(config)#interface loopback 0
  • Router(config-if)#ip address 192.168.250.250 255.255.255.0
  • Router(config)#interface serial 0/0
  • Router(config-if)#ipv6 ospf priority 100
  • Router(config-if)#bandwidth 256
  • Router(config-if)#ipv6 ospf hello-interval timer 15
  • Router(config-if)#ipv6 ospf dead-interval 60
  • Router(config-if)# ipv6 enable
  • Router(config-if)#ipv6 address 2001:abab::/64 eui-64
  • Router(config-if)#ipv6 ospf 10 area 2


  • Menu























































    EIGRP

    ipv4 EIGRP

  • router eigrp 1
  • eigrp router-id
  • network 10.0.0.0
  • network 10.1.3.0 0.0.0.255
  • maximun-paths MAX
  • variance MULTIPLIER
  • [no] auto-summary
  • passive-interface TYPE NUM
  • no passive-interface TYPE NUM
  • passive-interface default


  • interface s0/0/0
  • bandwidth 1400
  • delay TENSOFMICROSECONDS *default of 100
  • ip hello-interval eigrp AS TIMERVALUE
  • ipv6 EIGRP

    Passive interface means no neighbors, but still advertises routes
  • ipv6 unicast-routing

  • interface Loopback0
  • no ip address
  • ipv6 address 200:100::/64 eui-64
  • ipv6 enable
  • ipv6 eigrp 1

  • interface Serial0/0
  • no ip address
  • ipv6 address FE80::1 link-local
  • ipv6 address 2010:100::1/64
  • ipv6 enable
  • ipv6 eigrp 1
  • clock rate 2000000

  • ipv6 rputer eigrp 1
  • eigrp router-id 2.2.2.2
  • no shutdown


  • Menu























































    QOS

    DSCP - Differentiated Service Code Point

    EF - Expidited Fowrarding DEC46
    AF - Assured Forwarding AFXY (12 values)
    41
    (34)
    42
    (36)
    43
    (38)
    31
    (26)
    32
    (28)
    33
    (30)
    21
    (18)
    22
    (20)
    23
    (22)
    11
    (10)
    12
    (12)
    13
    (14)
    CS - Class selector
  • 0-7 - 0, 8, 16, 24,..,56)
  • First 3 bites of IPP (IP Precedent)
  • Scheduling

    Round Robin (+ weighted)
    LLQ (Low Latency Queuing) it can cause queue starvation
    BW = 30-320kbps, 150ms delay (one way), 30ms jitter, <1% loss
    Class Based Weighted Fair Queuing (CBWFQ)
    Tail Drop (Max and Min thresholds)

    NBAR - Network Based Application Recoginition

    Helps with setting QOS via ACL

    Packet

    IP TOS field (8 bits)
    RFC 791 - IPP (3 bits with 5 unused)
    RFC 2476 - DSCP (6 bits) + RFC 3168 (2 bits) ENC Expliicit Congestion Notification)

    Frame

    COS - Class of Service is in the 802.1Q (3 bits) Priority Code Point (PCP)


    Menu