@TakingItCasual
Last active September 2, 2022 11:07
A cheat sheet for commands related to Cisco switches and routers.

Terminology

  • Placeholders are indicated between less-than and greater-than symbols (e.g. <subnet mask>).
  • Optional arguments are indicated between square brackets (e.g. [<upper range>]).
  • Option sets where one option is required are indicated between curly brackets (e.g. {permit | deny}). Options are separated by the pipe symbol (|). Optional arguments can also be made an option set by including the pipe symbol.
  • If long command sections are repeated across different commands, they'll be substituted with parentheses (e.g. (source address)), with the actual argument(s) being defined earlier.
  • Some commands require confirmation. "Confirm" means press enter when asked for confirmation.

Connecting to a switch/router's CLI with an end device

  • Connect a console cable from a computer's RS-232 port to the console port of the switch/router.
  • Enter the computer's desktop, go to terminal, and click OK.

Navigating access levels

  • User EXEC (UE) ⇌ Privileged EXEC (PE) ⇌ Global Configuration (GC) ⇌ ...
  • Access levels can be told apart by their input prompts:
    • UE: hostname>
    • PE: hostname#
    • GC: hostname(config)#
  • Type enable to go up from UE to PE (think of PE as having administrator privileges).
  • Type conf t to go up from PE to GC (GC can configure much more than PE, hence the name).
  • Typing exit goes down the chain (GC to PE, PE to UE, etc.). Typing end goes down directly to PE.

The basics

  • To show the currently active configuration file, from PE type show running-config. Spam spacebar until it reaches the end. show startup-config shows the configuration that the device will power on with.
  • To save configuration changes, from PE type copy running-config startup-config. Confirm.
  • Typing ? shows all available commands for the access level that you're on.
    • Typing <anything>? will show all available commands that start with <anything>.
    • Typing <command> ? will show available/required arguments for <command> (notice the space).
  • The up and down keys can be used to navigate through previously input commands.
  • The tab key can be used for autocompletion.

Resetting a switch/router

  • From PE, type erase startup-config to reset the startup configuration. Confirm.
    • For switches, also type delete vlan.dat to clear VLAN configurations. Confirm x2.
  • From PE, type reload to restart the device (upon restarting it will be reset).
    • Do not save, as the current running-config would then still be in effect after the reload.
  • If, on startup, you see the message "Would you like to enter the initial configuration dialog? [yes/no]", type no.
    • If you then see the message "Would you like to terminate autoinstall? [yes]", type yes.

Setting up and securing a switch/router

  • From GC, type hostname <name> to give the device a new name.
  • From GC, type line con 0 to create a password for UE:
    • Type password <password> (e.g. "cisco").
    • Type login to specify that the password configured on the line(s) must be used for logging in.
    • Type exec-timeout <minutes> [<seconds>] to set an automatic inactivity disconnection timer.
    • Type logging synchronous to prevent the logs from cutting you off and making you retype commands.
    • Repeat for subsequent lines in the configuration file (e.g. line vty 0 15 and line aux 0).
  • To create a password for PE, from GC type enable [algorithm-type scrypt] secret <password> (e.g. "class").
    • [algorithm-type scrypt] makes the password much more secure, but is only available on newer devices.
  • From GC, type service password-encryption to encrypt the UE password(s).
    • The PE password is encrypted by default.
  • To create a message to be shown during UE login, from GC type banner motd "<message>" (e.g. "Unauthorized access prohibited!"). (Anything can be used as delimiters, not just quotation marks.)
  • From GC, type no ip domain-lookup so the device doesn't misinterpret a typo as a domain.
    • You can cancel a domain lookup with Ctrl+Shift+6.

Securing a switch/router: in-band management

  • From GC, type ip domain-name <domain> (e.g. "xamk.fi").
  • From GC, type crypto key generate rsa to create an RSA key.
    • Type 1024 to set the modulus bit length to 1024.
  • From GC, type username <name> [algorithm-type scrypt] secret <password> (e.g. "ssh_user" and "cisco").
    • [algorithm-type scrypt] makes the password much more secure, but is only available on newer devices.
  • From GC, type line vty 0 15 to edit all vty lines simultaneously:
    • Type transport input ssh to restrict the management connection type to SSH.
    • Type login local to require login with a local username (a password configured on the line itself is then ignored).
  • From GC, type ip ssh version 2 (this must be done AFTER creating the RSA key).
  • To test the connection, do the following:
    • Open a command prompt (not the terminal) from any PC connected to the device.
    • Type ssh -l <name> <ip> (e.g. "ssh_user" and "192.168.1.2").
    • Enter the password (e.g. "cisco").
  • You should now have in-band management, removing the need to use the console cable.
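To check a saved running-config against the settings from the two "Securing a switch/router" sections above, here is an added Python audit script (not part of the original gist). The config text it reads is constructed for illustration, and the checks cover only the commands this cheat sheet lists.

```python
"""Audit a Cisco IOS running-config for the hardening commands listed above.
Added example (not from the original gist); SAMPLE_CONFIG is constructed."""

SAMPLE_CONFIG = """\
hostname S1
no service password-encryption
enable secret 5 $1$constructed-hash
no ip domain-lookup
ip domain-name example.invalid
username ssh_user secret 9 $9$constructed-hash
line con 0
 password cisco
 login
 exec-timeout 5 0
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 password cisco
 login
 transport input telnet ssh
"""

def line_sections(config: str) -> dict:
    """Return {'line con 0': [sub-commands], ...} for every 'line ...' block."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # back at the global config level
    return sections

def audit(config: str) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    glob = [l for l in config.splitlines() if not l.startswith(" ")]
    # Global-config checks from the cheat sheet (exact IOS spellings)
    if "service password-encryption" not in glob:
        findings.append("global: service password-encryption missing (line passwords stay in clear text)")
    if not any(l.startswith("enable secret") for l in glob):
        findings.append("global: enable secret missing (PE has no hashed password)")
    if "ip ssh version 2" not in glob:
        findings.append("global: ip ssh version 2 missing")
    if "no ip domain-lookup" not in glob:
        findings.append("global: no ip domain-lookup missing")
    # Per-line checks for con/aux/vty lines
    for name, cmds in line_sections(config).items():
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: exec-timeout missing (idle sessions never disconnect)")
        if name.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{name}: transport input not restricted to ssh")
            if "login local" not in cmds:
                findings.append(f"{name}: login local missing")
        elif "login" not in cmds and "login local" not in cmds:
            findings.append(f"{name}: login missing (line password not enforced)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) to audit a real device.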

Setting an IP address

  • Router (each physical interface in use needs an IP address).
    • From GC, type int <interface> (e.g. "F0/5", "G0/1", "S0/0/0", etc.)
      • Type ip address <ip> <subnet mask>.
      • Type no shutdown to enable the interface.
  • Switch (each VLAN in use can have an IP address).
    • From GC, type int <vlan> (e.g. "vlan1").
      • Type ip address <ip> <subnet mask>.
      • Type no shutdown to enable the interface.
    • From GC, type ip default-gateway <ip> to set the switch's default gateway.
  • From PE, type show ip int brief to give details on each VLAN and interface.
  • A range of interfaces can also be specified, if multiple interfaces need the same configuration.
    • For example, for a range of "F0/1" to "F0/4" and "F0/7" to "F0/10", type int range F0/1-4, F0/7-10.

Setting up a VLAN

  • From GC, type vlan <number> (e.g. "99") to create the VLAN.
    • Type name <name> (e.g. "Management") to assign a name to the VLAN.
  • From GC, type int <vlan> (e.g. "vlan99") to create the VLAN's interface (if the VLAN needs an IP, see above).
  • From GC, type int <interface> (e.g. "F0/5") to add an interface to a VLAN (a range can also be specified).
    • If a single VLAN is behind an interface (e.g. a workstation), do the following:
      • Type switchport mode access.
      • Type switchport access vlan <number>.
      • Type spanning-tree portfast to have the interface bypass straight to the forwarding state.
        • Type spanning-tree bpduguard enable for the interface to shut down if BPDUs (switch traffic) are detected.
      • Type switchport port-security to block CAM table overflow attacks.
        • Type switchport port-security maximum <number> to specify the maximum number of MAC addresses allowed behind the interface (by default only one is allowed).
        • Type switchport port-security mac-address sticky to have the interface memorize the MAC(s) it sees.
    • If multiple VLANs are behind an interface (e.g. another switch), do the following:
      • Type switchport mode trunk.
      • Type switchport nonegotiate to disable DTP (auto trunking), requiring trunks to be manually configured.
      • Type switchport trunk native vlan <number> to set the trunk's default VLAN (usually "1").
      • Type switchport trunk allowed vlan <numbers> to restrict VLANs allowed over the trunk (e.g. "1,10,20,99").
  • From PE, type show vlan brief to show what interfaces belong to what VLANs.
  • For configuring router-on-a-stick on a router, from GC type int <interface> (e.g. "G0/0").
    • Type no shutdown to enable the interface.
    • Type int <subinterface> (e.g. "G0/0.10" for VLAN 10 on port G0/0) to configure a subinterface for a VLAN.
      • Type encapsulation dot1q <vlan number> (e.g. "10").
      • Type ip address <ip> <subnet mask>.

Setting up EtherChannel on a switch

  • From GC, type int range <range> (e.g. "f0/1-4") to create an EtherChannel group.
    • Type channel-group <number> mode <mode> to set the channel (number must match on either switch).
      • For PAgP, the modes are desirable for requesting connections and auto for waiting for connections.
      • For LACP, the modes are active for requesting connections and passive for waiting for connections.
    • VLAN trunking can then be set up on the interfaces.
  • From GC, type int port-channel <number> to modify the channel (can be used instead of the interface range).

Setting up DHCP on a router

  • From GC, type service dhcp to enable the DHCP service.
  • From GC, type ip dhcp excluded-address <ip> to exclude an address from your created pool(s).
    • A range can be specified by appending a second IP address.
  • From GC, type ip dhcp pool <pool name> (e.g. "R1_LAN").
    • Type network <ip> <subnet mask> to create a pool from all host addresses in the network.
    • Type default-router <ip> to include a default gateway in offers to hosts.
    • Type dns-server <ip> to include a DNS server in offers to hosts.
  • To have a router relay DHCP frames, from GC type int <interface> for the client-facing interface(s).
    • Type ip helper-address <dhcp server ip> to have the router forward DHCP frames.

Setting up HSRP on a router

  • From GC, type int <interface> to set up HSRP on a router interface.
    • Type standby version 2 to set the HSRP version to 2.
    • Type standby <group number> ip <ip> to set the virtual IP.
    • Type standby <group number> priority <number> to set the priority.
    • Type standby <group number> preempt to tell the router to preempt when possible.
    • Type standby <group number> track <interface> to track an interface.

Setting up PPP on a router

  • For point-to-point connections (e.g. serial), do the following:
    • From GC, type int <interface> to set up PPP on a router interface.
      • Type encapsulation ppp to set PPP as the encapsulation method.
      • Type ppp authentication chap to set CHAP as the authentication method.
    • From GC, type username <neighbor router's hostname> password <password> to set the CHAP password.
  • For Ethernet connections, do the following to configure a PPPoE client:
    • From GC, type interface dialer <number> (e.g. "1").
      • Type encapsulation ppp.
      • Type ip address negotiated for the router to get its IP address(es) from a PPPoE server.
      • Type mtu <bytes> (usually "1492").
      • Type dialer pool <pool number> (e.g. "1").
      • Type ppp authentication chap callin.
      • Type ppp chap hostname <router hostname>.
      • Type ppp chap password <password> (password must match password set by the PPPoE server).
    • From GC, type int <interface> for the interface to use PPPoE.
      • Type no ip address (the IP is provided by the PPPoE server).
      • Type pppoe enable group global.
      • Type ip tcp adjust-mss <number> (usually "1452", related to the configured MTU).
      • Type pppoe-client dial-pool-number <pool number> (e.g. "1").
      • Type no shutdown.

Setting up Syslog on a switch/router

  • From GC, type logging host <ip> to set a Syslog server (e.g. a computer with Syslog software).
  • From GC, type logging trap <level 0-7> (e.g. "6") to set the minimum severity for Syslog logging.
  • From GC, type logging source-interface <interface> (e.g. "s0/0/0", "loopback0", etc.) to set the IP address that the Syslog server will see as the source for Syslog messages from that device. This is usually a loopback interface.
  • From GC, type logging on to enable logging to the Syslog server(s).

Setting up (dynamic) routing on a router

Dynamic routing with RIP

  • From GC, type router rip to enter the router RIP config.
    • Type version 2 to set the RIP version to 2.
      • Type no auto-summary to enable the advertising of classless networks.
    • Type network <ip> to advertise a directly connected network (repeat for all directly connected networks).
    • Type passive-interface <interface> to disable routing updates through an interface (e.g. if there's only hosts).

Dynamic routing with EIGRP

  • From GC, type router eigrp <as id> (e.g. "1") to enter the router EIGRP config (AS ID must match across routers).
    • Type no auto-summary to enable the advertising of classless networks.
    • Type network <ip> <wildcard mask> to advertise a directly connected network.
    • Type passive-interface <interface> to disable routing updates through an interface.
  • From GC, type key chain <name> (e.g. "eigrp-keys") to create a key chain for authentication.
    • Type key <number> (e.g. "1").
      • Type key-string <password> (e.g. "cisco").
  • From GC, enter the interface config for the interface(s) to enable the MD5 authentication.
    • Type ip authentication mode eigrp <as id> md5.
    • Type ip authentication key-chain eigrp <as id> <key chain name>.

Dynamic routing with OSPF

  • From GC, type router ospf <process id> (e.g. "1") to enter the router OSPF config.
    • Type router-id <router id> (e.g. "1.1.1.1") to set the router ID (highest becomes DR).
    • Type network <ip> <wildcard mask> area <area number> to advertise a directly connected network.
    • Type passive-interface <interface> to disable routing updates through an interface.
    • Type area <area number> range <ip> <subnet mask> to set a summary route for an area.
  • From GC, enter the interface config for the interface(s) to set an MD5 authentication password.
    • Type ip ospf authentication message-digest.
    • Type ip ospf message-digest-key <number> md5 <password> (e.g. "1", "cisco").

Static and default routes

  • From GC, type ip route <ip> <subnet mask> <next-hop ip or exit interface> to set a static route.
  • From an interface config, type ip summary-address <ip> <subnet mask> to set a static summary address.
  • From GC, type ip route 0.0.0.0 0.0.0.0 <next-hop ip or exit interface> to set a default route.
    • Under the RIP/OSPF routing config, type default-information originate to advertise the default route.
    • Under the EIGRP routing config, type redistribute static to advertise the default route.

Setting up an ACL on a router

  • (source address): {<source ip> <wildcard mask> | any | host <source ip>}.
  • (destination address): {<destination ip> <wildcard mask> | any | host <destination ip>}.
  • From GC, type ip access-list standard <name | number 1-99> to configure a standard named/numbered ACL.
    • Type {permit | deny} (source address) to permit/deny IP/network traffic.
    • Type remark <comment> to document the purpose of following ACEs.
    • Alternatively to first doing ip access-list standard ..., each ACE command can be prepended with access-list <number 1-99> (numbered ACLs only).
  • From GC, type ip access-list extended <name | number 100-199> to configure an extended named/numbered ACL.
    • Type {permit | deny} <protocol> (source address) (destination address) [eq <destination port>] to permit/deny IP/network traffic. Setting the protocol to "ip" will cause the ACE to apply to all traffic.
    • Type remark <comment> to document the purpose of following ACEs.
    • Alternatively to first doing ip access-list extended ..., each ACE command can be prepended with access-list <number 100-199> (numbered ACLs only).
  • From GC, type int <interface> to apply an ACL on an interface:
    • Type ip access-group <acl name/number> out to enforce the ACL for traffic outbound from the router.
    • Type ip access-group <acl name/number> in to enforce the ACL for traffic inbound to the router.
  • From GC, type line vty 0 15 to apply an ACL on all VTY lines (e.g. for SSH):
    • Type ip access-class <acl name/number> in to enforce the ACL for traffic inbound to the vty lines.
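As an added Python example (not from the gist) of how the ACE grammar above is matched, here is a small evaluator: it converts a subnet mask into the wildcard mask that ACEs (and the EIGRP/OSPF network statements earlier) expect, parses standard and extended ACEs in both the numbered and named forms, and applies first-match ordering with the implicit deny at the end. The ACL and the packets tested against it are constructed.

```python
"""Evaluate packets against Cisco-style standard/extended ACEs.
Added example (not from the original gist); MGMT_ACL is constructed."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' = every address bit ignored

def wildcard_from_mask(subnet_mask: str) -> str:
    """Subnet mask -> wildcard mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(subnet_mask))))

def addr_matches(ip: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore that bit, 0 = the bit must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_address(tokens: list) -> tuple:
    """Consume one (source/destination address) group: any | host <ip> | <ip> <wildcard>."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))

def parse_ace(line: str) -> dict:
    """Parse 'access-list N {permit|deny} ...' or the named form '{permit|deny} ...'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop 'access-list <number>'
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):  # extended ACE
        proto = tokens.pop(0)
        src = parse_address(tokens)
        dst = parse_address(tokens)
        port = int(tokens[1]) if len(tokens) >= 2 and tokens[0] == "eq" else None
    else:  # standard ACE: source address only, applies to all IP traffic
        proto, src, dst, port = "ip", parse_address(tokens), ANY, None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl: list, proto: str, src: str, dst: str, dport=None) -> str:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not addr_matches(src, *ace["src"]) or not addr_matches(dst, *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"

# Constructed extended ACL: SSH to the management host only from the LAN,
# no other SSH, everything else allowed.
MGMT_ACL = [
    "access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 192.168.99.2 eq 22",
    "access-list 110 deny tcp any any eq 22",
    "access-list 110 permit ip any any",
]

if __name__ == "__main__":
    print(evaluate(MGMT_ACL, "tcp", "10.0.0.5", "192.168.99.2", 22))  # deny
```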

Setting up ZPF on a router

  • From GC, type zone security <zone name> to create a zone.
  • From GC, type class-map type inspect {match-any | match-all} <class name> to create a class to match traffic.
    • Type match access-group {[name] <acl name> | <acl number>} to match traffic based on an ACL.
      • Some devices require the [name] when adding a named ACL.
    • Type match protocol <protocol> (e.g. "https", "ssh", etc.) to match traffic based on a protocol.
    • Type match class-map <class name> to match traffic based on another class (classes can be nested).
  • From GC, type policy-map type inspect <policy name> to create a policy for how to apply a class.
    • Type class type inspect <class name> to use a class for the policy.
      • Type {inspect | drop | pass} [log] to specify what action to take for traffic matched to the class.
  • From GC, type zone-pair security <pair name> source <zone name> destination <zone name> to create a zone pair for applying a policy (different policies may be needed for each direction).
    • Type service-policy type inspect <policy name> to filter traffic based on a policy.
  • To apply a zone to an interface (and the network behind it), from GC type int <interface>.
    • Type zone-member security <zone name> to apply the zone.

Setting up a Site-to-Site IPsec VPN on a router

  • From GC, type crypto isakmp policy <priority number> (e.g. "10", lower is preferred) to configure phase 1 policy. The policy must be identical on both routers.
    • Type hash <hash algorithm> (e.g. "sha").
    • Type authentication pre-share to specify that authentication will use a key set on both routers.
    • Type group <dh group number> (e.g. "14", higher is more secure).
    • Type lifetime <seconds> (e.g. "3600").
    • Type encryption <encryption algorithm> (e.g. "aes 256").
  • From GC, type crypto isakmp key <key> address <ip of remote router> (e.g. "cisco123", "10.2.2.1") to set the pre-shared key used for phase 1 authentication between the routers. The key must be identical on both routers.
  • From GC, type crypto ipsec transform-set <set name> <encryption algorithm> <hash algorithm> (e.g. "R1-R2", "esp-aes 256", "esp-sha-hmac") to set the algorithms for phase 2. The same command must be used on both routers.
  • An extended ACL must be configured, which permits traffic from the local network to the remote one.
    • The ACLs should be mirrored on either router to prevent networking issues.
  • From GC, type crypto map <map name> <policy priority number> ipsec-isakmp (e.g. "R1-R2-MAP", "10") to configure the phase 2 map. The map must be identical on both routers (aside from the peer and ACL).
    • Type set peer <ip of remote router> (e.g. "10.2.2.1").
    • Type match address <acl name/number> to bind an ACL to the map.
    • Type set transform-set <set name> (e.g. "R1-R2") to bind a transform set to the map.
    • Type set pfs <dh group> (e.g. "group14").
    • Type set security-association lifetime seconds <seconds> (e.g. "900").
  • From GC, type int <interface> (e.g. "S0/0/0") to apply the map to an interface.
    • Type crypto map <map name> (e.g. "R1-R2-MAP").
  • Once traffic passes from one side specified in the ACLs to the other, the security association will be established.

Setting up PAT on a router

  • Create a numbered ACL to describe the inner network (e.g. "1", "192.168.1.0", "0.0.0.255").
  • From GC, type ip nat pool <pat name> <outer ip> <outer ip> netmask <outer subnet mask>.
  • From GC, type ip nat inside source list <acl number> pool <pat name> overload.
  • To set an inside interface for the PAT, from GC type int <interface>.
    • Type ip nat inside.
  • To set an outside interface for the PAT, from GC type int <interface>.
    • Type ip nat outside.

Setting up NTP on a switch/router

  • From GC, type ntp authentication-key <key number> md5 <password> (e.g. "1", "NTPpassword").
  • From GC, type ntp trusted-key <key number> (e.g. "1").
  • From GC, type ntp authenticate to enable the authentication.
  • To configure the device as an NTP master:
    • From GC, type ntp master <stratum number> (e.g. "3").
  • To configure the device as an NTP client:
    • From GC, type ntp server <ntp master ip> to set what device to use as a master.
    • From GC, type ntp update-calendar for the client to also use NTP to update its calendar.
