Terminology
- Placeholders are indicated between less-than and greater-than symbols (e.g. <subnet mask>).
- Optional arguments are indicated between square brackets (e.g. [<upper range>]).
- Option sets where one option is required are indicated between curly brackets (e.g. {permit | deny}). Options are separated by the pipe symbol (|). Optional arguments can also be made an option set by including the pipe symbol (e.g. [a | b]).
- If long command sections are repeated across different commands, they are substituted with parentheses (e.g. (source address)), with the actual argument(s) being defined earlier.
- Some commands require confirmation. "Confirm" means press Enter when asked for confirmation.
Connecting to a switch/router's CLI with an end device
- Connect a console cable from a computer's RS-232 (serial) port to the console port of the switch/router.
- On the computer, open the terminal program on that serial port and click OK. Cisco console ports default to 9600 baud, 8 data bits, no parity, 1 stop bit and no flow control.
Navigating access levels
- User EXEC (UE) ⇌ Privileged EXEC (PE) ⇌ Global Configuration (GC) ⇌ ...
- Access levels can be told apart by their input prompts:
  UE: hostname>
  PE: hostname#
  GC: hostname(config)#
- Type enable to go up from UE to PE (think of PE as having administrator privileges).
- Type conf t (short for configure terminal) to go up from PE to GC (GC can configure much more than PE, hence the name).
- Typing exit goes down one level (GC to PE, PE to UE, etc.). Typing end goes down directly to PE from any configuration level.
The basics
- To show the currently active configuration, from PE type show running-config. Press the spacebar to page through the output (or type terminal length 0 first to disable paging). show startup-config shows the configuration that the device will power on with.
- To save configuration changes, from PE type copy running-config startup-config. Confirm. Unsaved changes are lost on reload.
- Typing ? shows all available commands for the access level that you're on.
- Typing <anything>? will show all available commands that start with <anything>.
- Typing <command> ? will show the available/required arguments for <command> (notice the space).
- The up and down keys can be used to navigate through previously input commands.
- The tab key can be used for autocompletion.
Resetting a switch/router
- From PE, type erase startup-config to reset the startup configuration. Confirm.
- For switches, also type delete vlan.dat to clear VLAN configurations (they are stored in flash, not in startup-config). Confirm x2.
- From PE, type reload to restart the device (upon restarting it will be reset). Do not save when prompted, as the current running-config would then be written to startup-config and still be in effect after the reload.
- If, on startup, you see the message "Would you like to enter the initial configuration dialog? [yes/no]", type no.
- If you then see the message "Would you like to terminate autoinstall? [yes]", type yes.
Setting up and securing a switch/router
- From GC, type hostname <name> to give the device a new name.
- From GC, type line con 0 to create a password for UE on the console line:
  - Type password <password> (e.g. "cisco"; use something stronger in practice).
  - Type login to specify that the password configured on the line(s) must be used for logging in. Without login, the password is set but never asked for.
  - Type exec-timeout <minutes> [<seconds>] to set an automatic inactivity disconnection timer.
  - Type logging synchronous to prevent log messages from cutting you off and making you retype commands.
  - Repeat for the other lines in the configuration file (e.g. line vty 0 15 and line aux 0).
- To create a password for PE, from GC type enable [algorithm-type scrypt] secret <password> (e.g. "class"). [algorithm-type scrypt] stores the password as a salted scrypt hash (type 9) instead of the default MD5 hash (type 5), which is much more secure, but is only available on newer IOS versions (15.3 and later). Never use enable password instead of enable secret: it stores the password in clear text, or at best with the reversible type 7 encoding.
- From GC, type service password-encryption to obscure the UE (line) password(s) in the configuration. This is only the type 7 encoding, which is trivially reversible; it protects against shoulder-surfing, not against anyone who can read the configuration file. The PE secret is already hashed and is not affected.
- To create a message to be shown before login, from GC type banner motd "<message>" (e.g. "Unauthorized access prohibited!"). Any character can be used as the delimiter, not just the quotation mark, as long as it does not occur inside the message.
- From GC, type no ip domain-lookup so the device doesn't misinterpret a typo as a hostname and try to resolve it. A lookup already in progress can be cancelled with Ctrl+Shift+6.
Securing a switch/router: in-band management
- From GC, type ip domain-name <domain> (e.g. "xamk.fi"). The hostname and domain name are used to name the RSA key pair, so set both before generating it.
- From GC, type crypto key generate rsa to create an RSA key pair. When prompted for the modulus bit length, type 2048 (1024 is often shown in course material, but is too weak for anything beyond a lab). SSH version 2 requires a modulus of at least 768 bits. The modulus can also be given directly: crypto key generate rsa modulus 2048.
- From GC, type username <name> [algorithm-type scrypt] secret <password> (e.g. "ssh_user" and "cisco"). [algorithm-type scrypt] makes the password much more secure, but is only available on newer devices.
- From GC, type line vty 0 15 to edit all vty lines simultaneously:
  - Type transport input ssh to restrict the management connection type to SSH. Telnet sends everything, including passwords, in clear text and must not be allowed.
  - Type login local to authenticate against the local username database (if a password is configured on the lines, it is ignored).
- From GC, type ip ssh version 2 (this must be done AFTER creating the RSA key). SSH version 1 has known weaknesses and should not be left enabled.
- To test the connection, do the following:
  - Open a command prompt (not the console terminal) from any PC connected to the device.
  - Type ssh -l <name> <ip> (e.g. "ssh_user" and "192.168.1.2").
  - Enter the password (e.g. "cisco").
- You should now have in-band management, removing the need to use the console cable. Verify with show ip ssh (version and settings) and show ssh (active sessions).
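The two sections above are one procedure in practice: a baseline that a device should have before it is connected to anything. The following is an added example, not configuration from the original notes; the hostname SW1, the domain example.com, VLAN 99 as management VLAN, the addresses and all secrets are assumptions and must be replaced. It also adds the SSH timeout/retry limits, a privilege-15 user and disabling the AUX line, which the notes do not mention.

```cisco
! Added example (not from the original page): baseline hardening of switch
! SW1 in the assumed domain example.com, managed over VLAN 99 at
! 192.168.99.2/24. Every secret and address here is a placeholder.
enable
configure terminal
hostname SW1
ip domain-name example.com
no ip domain-lookup
! Type 9 (scrypt) hashes; on old IOS drop "algorithm-type scrypt" (type 5 MD5).
enable algorithm-type scrypt secret Str0ng-Enable-Secret!
username admin privilege 15 algorithm-type scrypt secret Str0ng-Admin-Secret!
! Type 7 encoding for line passwords: hides them from shoulder-surfers only.
service password-encryption
banner motd #Unauthorized access prohibited. All activity is logged.#
! Console: local line password, disconnect after 5 minutes idle.
line console 0
 password C0nsole-Pass
 login
 exec-timeout 5 0
 logging synchronous
! AUX port is not used: no EXEC at all, and a 1-second timeout as a backstop.
line aux 0
 no exec
 exec-timeout 0 1
! Management VLAN and SVI so the switch is reachable in-band.
vlan 99
 name Management
interface vlan 99
 ip address 192.168.99.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.99.1
! RSA key pair (named SW1.example.com), 2048 bits, then SSHv2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! VTY: SSH only, local user database, idle timeout. Telnet is never enabled.
line vty 0 15
 transport input ssh
 login local
 exec-timeout 5 0
 logging synchronous
end
copy running-config startup-config
```

From a PC in VLAN 99, ssh -l admin 192.168.99.2 should prompt for the admin secret; show ip ssh on the switch should report version 2.0 with the 2048-bit key.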
Setting an IP address
- Router (each physical interface in use needs an IP address):
  - From GC, type int <interface> (e.g. "F0/5", "G0/1", "S0/0/0", etc.).
  - Type ip address <ip> <subnet mask>.
  - Type no shutdown to enable the interface (router interfaces are shut down by default).
- Switch (each VLAN in use can have an IP address, on its switch virtual interface):
  - From GC, type int <vlan> (e.g. "vlan1"; for management, prefer a dedicated VLAN such as vlan99 over the default VLAN 1).
  - Type ip address <ip> <subnet mask>.
  - Type no shutdown to enable the interface.
  - From GC, type ip default-gateway <ip> to set the switch's default gateway (needed to manage the switch from other subnets).
- From PE, type show ip int brief to give details on each VLAN and interface.
- A range of interfaces can also be specified, if multiple interfaces need the same configuration. For example, for a range of "F0/1" to "F0/4" and "F0/7" to "F0/10", type int range F0/1-4, F0/7-10.
Setting up a VLAN
- From GC, type vlan <number> (e.g. "99") to create the VLAN.
  - Type name <name> (e.g. "Management") to assign a name to the VLAN.
- From GC, type int <vlan> (e.g. "vlan99") to create the VLAN's interface (if the VLAN needs an IP, see above).
- From GC, type int <interface> (e.g. "F0/5") to add an interface to a VLAN (a range can also be specified).
  - If a single VLAN is behind an interface (e.g. a workstation), do the following:
    - Type switchport mode access.
    - Type switchport access vlan <number>.
    - Type spanning-tree portfast to have the interface go straight to the forwarding state.
    - Type spanning-tree bpduguard enable for the interface to be shut down (err-disabled) if a BPDU is received, i.e. if a switch is plugged in where only a host should be.
    - Type switchport port-security to block CAM table overflow attacks (the port must be a static access or trunk port, not dynamic).
      - Type switchport port-security maximum <number> to specify the maximum number of MAC addresses allowed behind the interface (by default only one is allowed).
      - Type switchport port-security mac-address sticky to have the interface memorize the MAC(s) it sees and write them to the running-config.
      - By default a violation err-disables the interface; switchport port-security violation {shutdown | restrict | protect} changes this.
  - If multiple VLANs are behind an interface (e.g. another switch), do the following:
    - Type switchport mode trunk.
    - Type switchport nonegotiate to disable DTP (auto trunking), requiring trunks to be manually configured. This also stops a host on an access port from negotiating itself a trunk.
    - Type switchport trunk native vlan <number> to set the trunk's native (untagged) VLAN. The default is 1; use an otherwise unused VLAN instead, so that double-tagging VLAN hopping has no target, and set the same native VLAN on both ends of the trunk.
    - Type switchport trunk allowed vlan <numbers> to restrict the VLANs allowed over the trunk (e.g. "1,10,20,99").
- From PE, type show vlan brief to show what interfaces belong to what VLANs.
- For configuring router-on-a-stick on a router, from GC type int <interface> (e.g. "G0/0"):
  - Type no shutdown to enable the (physical) interface.
  - Type int <subinterface> (e.g. "G0/0.10" for VLAN 10 on port G0/0) to configure a subinterface for a VLAN.
    - Type encapsulation dot1q <vlan number> (e.g. "10"). Append native on the subinterface that handles the trunk's native VLAN, if any.
    - Type ip address <ip> <subnet mask>.
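The IP-addressing and VLAN steps above combine into one switch and one router configuration. The following is an added example, not configuration from the original notes; the VLAN numbers, the interface layout (hosts on F0/1-4, a server on F0/5, trunk on G0/1), the addresses and the unused VLAN 999 chosen as native VLAN are assumptions. Parking unused ports in an unused VLAN and shutting them down is an addition the notes do not cover.

```cisco
! Added example (not from the original page): switch SW1 with user VLAN 10,
! server VLAN 20 and management VLAN 99, trunked to router R1 on G0/1.
! Interface numbers, VLAN numbers and addresses are assumptions.
vlan 10
 name Users
vlan 20
 name Servers
vlan 99
 name Management
vlan 999
 name NativeUnused
! Access ports: one host each, PortFast + BPDU Guard, port security with
! the default violation action (err-disable); sticky learns the first MAC.
interface range f0/1-4
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
interface f0/5
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security mac-address sticky
! Trunk to R1: no DTP, an unused native VLAN (no double-tagging target),
! and only the VLANs that need to cross. VLAN 1 is not carried at all.
interface g0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
! Management SVI in VLAN 99; gateway is R1's VLAN 99 subinterface.
interface vlan 99
 ip address 192.168.99.2 255.255.255.0
 no shutdown
ip default-gateway 192.168.99.1
! Unused ports: unused VLAN and administratively down.
interface range f0/6-24
 switchport mode access
 switchport access vlan 999
 shutdown
! --- Router R1: router-on-a-stick on G0/0, cabled to SW1 G0/1 ---
interface g0/0
 no shutdown
interface g0/0.10
 encapsulation dot1q 10
 ip address 192.168.10.1 255.255.255.0
interface g0/0.20
 encapsulation dot1q 20
 ip address 192.168.20.1 255.255.255.0
interface g0/0.99
 encapsulation dot1q 99
 ip address 192.168.99.1 255.255.255.0
! Native VLAN 999 carries nothing, so it gets no subinterface on R1.
```

show vlan brief on SW1 should list F0/1-4 under VLAN 10, F0/5 under VLAN 20 and F0/6-24 under VLAN 999 (the trunk G0/1 does not appear in that output); show interfaces trunk should show native VLAN 999 and allowed VLANs 10,20,99 on G0/1.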
Setting up EtherChannel on a switch
- From GC, type int range <range> (e.g. "f0/1-4") to select the member interfaces of an EtherChannel group. All members must have identical settings (speed, duplex, switchport mode, allowed VLANs).
  - Type channel-group <number> mode <mode> to create the channel. The number is only locally significant (it does not have to match on the other switch, though keeping it the same is good practice), but the protocol must match:
    - For PAgP, the modes are desirable for actively requesting a channel and auto for waiting for a request.
    - For LACP, the modes are active for actively requesting a channel and passive for waiting for a request.
    - Two ends that both only wait (auto/auto or passive/passive) never form a channel; at least one side must be desirable or active.
  - VLAN trunking can then be set up on the interfaces.
- From GC, type int port-channel <number> to modify the channel as a whole (can be used instead of the interface range; settings applied here are pushed to the member interfaces).
- From PE, type show etherchannel summary to verify the bundle.
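A two-switch LACP bundle carrying a trunk, as an added example that is not part of the original notes. The switch names, member interfaces F0/1-2, VLAN numbers and native VLAN 999 are assumptions.

```cisco
! Added example (not from the original page): two-link LACP bundle between
! SW1 and SW2 on F0/1-2, carrying VLANs 10, 20 and 99 as a trunk.
! Switch names and VLAN numbers are assumptions.
! --- SW1: LACP active (initiates negotiation) ---
interface range f0/1-2
 shutdown
 channel-group 1 mode active
 no shutdown
! Trunk settings on the port-channel are pushed to both members.
interface port-channel 1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
! --- SW2: passive is enough because SW1 is active (passive + passive
! would never bundle). The channel-group number is locally significant;
! it is 1 here as well only for readability. ---
interface range f0/1-2
 shutdown
 channel-group 1 mode passive
 no shutdown
interface port-channel 1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
! From PE on either switch, "show etherchannel summary" should show
! Po1(SU) with both members flagged (P), i.e. bundled in the port-channel.
```

The shutdown / no shutdown around channel-group avoids the members coming up one at a time with inconsistent settings while the bundle is being formed.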
Setting up DHCP on a router
- From GC, type service dhcp to enable the DHCP service (it is enabled by default).
- From GC, type ip dhcp excluded-address <ip> [<last ip>] to exclude an address, or the range from the first to the second address, from your created pool(s). Do this before defining the pool, so that the router's own address and statically addressed servers are never handed out.
- From GC, type ip dhcp pool <pool name> (e.g. "R1_LAN"):
  - Type network <ip> <subnet mask> to create a pool from all host addresses in the network.
  - Type default-router <ip> to include a default gateway in offers to hosts.
  - Type dns-server <ip> to include a DNS server in offers to hosts.
- To have a router relay DHCP broadcasts to a server on another subnet, from GC type int <interface> for the client-facing interface(s):
  - Type ip helper-address <dhcp server ip> to have the router forward the DHCP broadcasts as unicast to the server.
- From PE, type show ip dhcp binding to see the leases that have been handed out.
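A DHCP server serving its own LAN and a relayed remote LAN, as an added example that is not from the original notes. The router names, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the link address 10.0.0.1 and the DNS server address are assumptions; the pool options domain-name and lease are additions to the commands the notes list.

```cisco
! Added example (not from the original page): R1 serves DHCP for its own
! LAN 192.168.10.0/24 and for 192.168.20.0/24 behind R2, which relays
! requests to R1 at 10.0.0.1. Names and addresses are assumptions.
! --- R1 (DHCP server) ---
service dhcp
! Reserve gateways, servers and a static block BEFORE defining the pools.
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp excluded-address 192.168.20.1 192.168.20.20
ip dhcp pool LAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.5
 domain-name example.com
 lease 0 8
! Pool for the relayed subnet. The server picks it by the relay's own
! address (R2's 192.168.20.1), so default-router must be R2's address.
ip dhcp pool LAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 192.168.10.5
 lease 0 8
! --- R2 (DHCP relay): only on the client-facing interface ---
interface g0/1
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.1
 no shutdown
! Relayed requests reach R1 as unicast from 192.168.20.1 to 10.0.0.1 on
! UDP 67. "show ip dhcp binding" on R1 lists leases from both pools.
```

lease 0 8 means a lease of 0 days and 8 hours; a shorter lease than the default (1 day) is useful where hosts come and go, since exhausted pools are a common cause of "no address" complaints.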
Setting up HSRP on a router
- From GC, type int <interface> to set up HSRP on a router interface (the interface keeps its own real IP address):
  - Type standby version 2 to set the HSRP version to 2 (must match on all routers in the group).
  - Type standby <group number> ip <ip> to set the virtual IP, which the hosts use as their default gateway.
  - Type standby <group number> priority <number> to set the priority (default 100; the highest becomes active, and on a tie the highest interface IP address wins).
  - Type standby <group number> preempt to tell the router to take over as active as soon as it has the highest priority (without this, a router that comes back up stays standby until the active one fails).
  - Type standby <group number> track <interface> [<decrement>] to lower the priority (by 10 unless a decrement is given) while the tracked interface is down, e.g. the uplink to the WAN.
- From PE, type show standby to see the group state.
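The HSRP steps for a two-router pair, as an added example that is not from the original notes. R1/R2, group 10, the 192.168.10.0/24 subnet, the virtual address .254 and the tracked interface S0/0/0 are assumptions. The standby authentication line is an addition: without it, any host on the segment can send hellos with priority 255 and take over the gateway role.

```cisco
! Added example (not from the original page): R1 and R2 share gateway
! 192.168.10.254 for the LAN. R1 is preferred and yields the active role
! when its WAN uplink S0/0/0 drops. Addresses and the key are assumptions.
! --- R1 (preferred active) ---
interface g0/0
 ip address 192.168.10.1 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.254
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string Hsrp-Group10-Key
 ! Decrement 20: 110 - 20 = 90 < R2's 100, so R2 becomes active while
 ! S0/0/0 is down; preempt lets R1 take the role back when it returns.
 ! With the default decrement of 10, 110 - 10 = 100 would only tie R2.
 standby 10 track serial0/0/0 20
 no shutdown
! --- R2 (standby, explicit default priority 100) ---
interface g0/0
 ip address 192.168.10.2 255.255.255.0
 standby version 2
 standby 10 ip 192.168.10.254
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string Hsrp-Group10-Key
 no shutdown
! Hosts use 192.168.10.254 as default gateway. "show standby brief" on R1
! shows group 10 Active with R2 as Standby; shut S0/0/0 on R1 to see the
! priority drop to 90 and the roles swap.
```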
Setting up PPP on a router
- For point-to-point connections (e.g. serial), do the following on both routers:
  - From GC, type int <interface> to set up PPP on a router interface.
    - Type encapsulation ppp to set PPP as the encapsulation method (both ends of the link must use the same encapsulation).
    - Type ppp authentication chap to set CHAP as the authentication method. CHAP never sends the password over the link, only an MD5 response to a challenge; avoid PAP, which sends it in clear text.
  - From GC, type username <neighbor router's hostname> password <password> to set the CHAP password. The username must be the other router's hostname, and the password must be identical on both routers.
- For Ethernet connections, do the following to configure a PPPoE client:
  - From GC, type interface dialer <number> (e.g. "1"):
    - Type encapsulation ppp.
    - Type ip address negotiated for the router to get its IP address from the PPPoE server.
    - Type mtu <bytes> (usually "1492": the Ethernet MTU of 1500 minus the 8 bytes of PPPoE and PPP headers).
    - Type dialer pool <pool number> (e.g. "1").
    - Type ppp authentication chap callin (only incoming calls are authenticated, i.e. the router authenticates itself to the ISP but does not demand that the ISP authenticate to it).
    - Type ppp chap hostname <router hostname>.
    - Type ppp chap password <password> (must match the password the PPPoE server has for that hostname).
  - From GC, type int <interface> for the physical interface that carries PPPoE:
    - Type no ip address (the IP is provided by the PPPoE server to the dialer interface).
    - Type pppoe enable group global.
    - Type ip tcp adjust-mss <number> (usually "1452": the 1492 MTU minus 40 bytes of IP and TCP headers, so TCP segments never need fragmentation). It is also commonly placed on the dialer interface.
    - Type pppoe-client dial-pool-number <pool number> (e.g. "1", linking the interface to the dialer pool).
    - Type no shutdown.
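Both PPP cases from the steps above, as an added example that is not configuration from the original notes: CHAP on a serial link between R1 and R2, and a PPPoE client on R1's G0/1. Hostnames, interfaces, addresses, the ISP-issued hostname cust1234 and all passwords are assumptions. The MSS clamp is placed on the dialer interface here, where the negotiated address lives; the default route through the dialer is an addition to the notes' steps.

```cisco
! Added example (not from the original page): CHAP on the serial link
! between R1 and R2, and a PPPoE client on R1's G0/1 towards an ISP.
! Hostnames, interfaces, addresses and passwords are assumptions.
! --- R1: serial link to R2 ---
hostname R1
! username = the NEIGHBOUR's hostname; the password is identical on both ends.
username R2 password S3r1al-Chap-Key
interface serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
! --- R2: the mirror image ---
hostname R2
username R1 password S3r1al-Chap-Key
interface serial0/0/0
 ip address 10.0.0.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
! --- R1: PPPoE client (hostname and password are issued by the ISP) ---
interface dialer 1
 encapsulation ppp
 ip address negotiated
 mtu 1492
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname cust1234
 ppp chap password Isp-Issued-Secret
 ! 1492 - 20 (IP) - 20 (TCP) = 1452, so TCP payloads always fit the MTU.
 ip tcp adjust-mss 1452
interface g0/1
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no shutdown
! Default route out through the dialer. "show pppoe session" shows the
! session state and "show ip interface brief" the address on Dialer1.
ip route 0.0.0.0 0.0.0.0 dialer 1
```

On the serial link, a mismatched password shows up as the line protocol staying down after encapsulation ppp; debug ppp authentication on either side reports the CHAP failure.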
Setting up Syslog on a switch/router
- From GC, type logging host <ip> to set a Syslog server (e.g. a computer with Syslog software). Messages are sent over UDP port 514 by default, unencrypted and unauthenticated, so keep the Syslog server on the management network.
- From GC, type logging trap <level 0-7> (e.g. "6", informational) to set the lowest severity that is sent to the server; level 6 sends everything except debugging (7).
- From GC, type logging source-interface <interface> (e.g. "s0/0/0", "loopback0", etc.) to set the IP address that the Syslog server will see as the source for Syslog messages from that device. This is usually a loopback interface, which stays up regardless of which physical link is in use.
- From GC, type logging on to enable logging to the Syslog server(s) (enabled by default).
- From GC, type service timestamps log datetime msec so that messages carry an accurate timestamp; this is only meaningful if the clock is set, preferably with NTP (see below).
Setting up (dynamic) routing on a router
Dynamic routing with RIP
- From GC, type router rip to enter the router RIP config.
  - Type version 2 to set the RIP version to 2 (RIPv1 is classful and supports no authentication).
  - Type no auto-summary to stop summarization to classful boundaries, so that subnets are advertised as they are.
  - Type network <ip> to advertise a directly connected network and run RIP on its interfaces (repeat for all directly connected networks; the address is the classful network address).
  - Type passive-interface <interface> to stop sending routing updates through an interface (e.g. if there are only hosts behind it).
Dynamic routing with EIGRP
- From GC, type router eigrp <as id> (e.g. "1") to enter the router EIGRP config (the AS ID must match across routers).
  - Type no auto-summary to stop summarization to classful boundaries.
  - Type network <ip> <wildcard mask> to advertise a directly connected network.
  - Type passive-interface <interface> to stop sending routing updates through an interface.
- From GC, type key chain <name> (e.g. "eigrp-keys") to create a key chain for authentication.
  - Type key <number> (e.g. "1").
    - Type key-string <password> (e.g. "cisco"). The key number and key string must match on the neighbours.
- From GC, enter the interface config for the interface(s) on which to enable MD5 authentication:
  - Type ip authentication mode eigrp <as id> md5.
  - Type ip authentication key-chain eigrp <as id> <key chain name> (note: it is the AS ID, not the key number, that follows eigrp).
Dynamic routing with OSPF
- From GC, type router ospf <process id> (e.g. "1") to enter the router OSPF config (the process ID is only locally significant).
  - Type router-id <router id> (e.g. "1.1.1.1") to set the router ID. On a multi-access segment the DR is elected by the highest interface priority, with the highest router ID as the tie-breaker.
  - Type network <ip> <wildcard mask> area <area number> to advertise a directly connected network.
  - Type passive-interface <interface> to stop sending hellos and updates through an interface.
  - Type area <area number> range <ip> <subnet mask> to set a summary route for an area (on an area border router).
- From GC, enter the interface config for the interface(s) to set an MD5 authentication password:
  - Type ip ospf authentication message-digest.
  - Type ip ospf message-digest-key <number> md5 <password> (e.g. "1", "cisco"). The key number and password must match on the neighbours.
Static and default routes
- From GC, type ip route <ip> <subnet mask> <next-hop ip or exit interface> to set a static route.
- From an interface config, type ip summary-address eigrp <as id> <ip> <subnet mask> (EIGRP) or ip summary-address rip <ip> <subnet mask> (RIP) to advertise a summary route out of that interface.
- From GC, type ip route 0.0.0.0 0.0.0.0 <next-hop ip or exit interface> to set a default route.
  - Under the RIP/OSPF routing config, type default-information originate to advertise the default route.
  - Under the EIGRP routing config, type redistribute static to advertise the default route (and any other static routes).
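The OSPF and EIGRP authentication steps above on one two-router topology, as an added example that is not from the original notes: R1 is the edge router holding the default route, R2 an internal router, and the 10.0.0.0/30 link between them is authenticated. The router names, addresses, router IDs, the ISP next hop 203.0.113.1 and the keys are assumptions.

```cisco
! Added example (not from the original page): R1 (edge, default route to
! the ISP) and R2 run OSPF area 0 over 10.0.0.0/30 with MD5 authentication;
! LAN interfaces are passive so no hellos leak to hosts. Addresses assumed.
! --- R1 ---
interface g0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 Ospf-Link-Key
 no shutdown
ip route 0.0.0.0 0.0.0.0 203.0.113.1
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
 passive-interface g0/0
 default-information originate
! --- R2 ---
interface g0/0
 ip address 192.168.20.1 255.255.255.0
 no shutdown
interface serial0/0/0
 ip address 10.0.0.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 Ospf-Link-Key
 no shutdown
router ospf 1
 router-id 2.2.2.2
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.20.0 0.0.0.255 area 0
 passive-interface g0/0
! "show ip ospf neighbor" on R2 should list 1.1.1.1 in state FULL, and
! "show ip route" an O*E2 0.0.0.0/0 via 10.0.0.1. A key mismatch prevents
! the adjacency from forming at all, which is the intended failure mode.
! --- The same link if EIGRP AS 1 were used instead (both routers) ---
key chain EIGRP-KEYS
 key 1
  key-string Eigrp-Link-Key
interface serial0/0/0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
router eigrp 1
 no auto-summary
 network 10.0.0.0 0.0.0.3
 passive-interface g0/0
! R1 only: hand the static default route to EIGRP neighbours.
 redistribute static
```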
Setting up an ACL on a router
(source address): {<source ip> <wildcard mask> | any | host <source ip>}
(destination address): {<destination ip> <wildcard mask> | any | host <destination ip>}
- ACEs are evaluated top to bottom and the first match wins; every ACL ends with an implicit deny of everything not explicitly permitted. Standard ACLs (which only look at the source) are placed close to the destination, extended ACLs close to the source.
- From GC, type ip access-list standard <name | number 1-99> to configure a standard named/numbered ACL (numbers 1300-1999 are also standard):
  - Type {permit | deny} (source address) to permit/deny traffic by source IP/network.
  - Type remark <comment> to document the purpose of the following ACEs.
  - Alternatively to first doing ip access-list standard ..., each ACE command can be prepended with access-list <number 1-99> (numbered ACLs only).
- From GC, type ip access-list extended <name | number 100-199> to configure an extended named/numbered ACL (numbers 2000-2699 are also extended):
  - Type {permit | deny} <protocol> (source address) (destination address) [eq <destination port>] to permit/deny traffic. Setting the protocol to "ip" will cause the ACE to apply to all traffic; tcp, udp and icmp match only that protocol, and eq <port> is only valid with tcp or udp.
  - Type remark <comment> to document the purpose of the following ACEs.
  - Alternatively to first doing ip access-list extended ..., each ACE command can be prepended with access-list <number 100-199> (numbered ACLs only).
- From GC, type int <interface> to apply an ACL on an interface (one ACL per interface per direction):
  - Type ip access-group <acl name/number> out to enforce the ACL for traffic leaving the router through that interface.
  - Type ip access-group <acl name/number> in to enforce the ACL for traffic entering the router through that interface.
- From GC, type line vty 0 15 to apply an ACL on all VTY lines (e.g. to restrict who may SSH in):
  - Type access-class <acl name/number> in to enforce the ACL for connections inbound to the vty lines (note: the command is access-class, without the ip prefix used by access-group). Use a standard ACL that permits only the management hosts.
- From PE, type show access-lists to see the ACEs and their match counters.
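The ACL steps on one router, as an added example that is not from the original notes: a standard ACL restricting SSH to the management subnet, and an extended ACL applied inbound on a user LAN. R1, the 192.168.10.0/24, 192.168.20.0/24 and 192.168.99.0/24 subnets, the DNS server 192.168.20.5 and the ACL names are assumptions; the established keyword and the log keyword are additions to the notes' syntax.

```cisco
! Added example (not from the original page): R1 with users on G0/0
! (192.168.10.0/24), servers on G0/1 (192.168.20.0/24) and management in
! 192.168.99.0/24. Names and addresses are assumptions.
! 1) Standard ACL: only the management subnet may open SSH to the router.
ip access-list standard MGMT-SSH
 remark Admin hosts only; everything else hits the implicit deny
 permit 192.168.99.0 0.0.0.255
line vty 0 15
 access-class MGMT-SSH in
 transport input ssh
 login local
! 2) Extended ACL inbound on the user LAN (close to the source): users may
!    reach web and DNS on the server VLAN and anything on the Internet, but
!    nothing else on the server VLAN. First match wins, so order matters.
ip access-list extended LAN-IN
 remark Replies to connections the users opened (cheap, most traffic)
 permit tcp 192.168.10.0 0.0.0.255 any established
 remark Web and DNS to the server VLAN
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 80
 permit udp 192.168.10.0 0.0.0.255 host 192.168.20.5 eq 53
 remark Block the rest of the server VLAN and log it for detection
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 remark Everything else (Internet) is allowed; without this line the
 remark implicit "deny ip any any" at the end would drop it
 permit ip 192.168.10.0 0.0.0.255 any
interface g0/0
 ip access-group LAN-IN in
! 3) The same standard ACL in old-style numbered syntax.
access-list 10 remark Same rule as MGMT-SSH
access-list 10 permit 192.168.99.0 0.0.0.255
! "show access-lists" shows per-ACE match counters; a growing count on the
! "deny ... log" line is a cheap indicator of scanning from the user VLAN.
```

Note that the order of the two permit lines for ports 443 and 80 does not matter (they are disjoint), but moving the final permit ip ... any above the deny line would silently open the whole server VLAN: with first-match semantics, a broad permit placed early wins over every later deny.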
Setting up ZPF on a router
- From GC, type zone security <zone name> to create a zone (e.g. "INSIDE", "OUTSIDE"). Once an interface is a member of a zone, traffic between it and interfaces in other zones is dropped unless a zone-pair with a policy allows it; traffic between interfaces in the same zone, and traffic to or from the router itself (the built-in self zone), is allowed by default.
- From GC, type class-map type inspect {match-any | match-all} <class name> to create a class to match traffic:
  - Type match access-group {name <acl name> | <acl number>} to match traffic based on an ACL. Some devices require the name keyword when adding a named ACL.
  - Type match protocol <protocol> (e.g. "https", "ssh", etc.) to match traffic based on a protocol.
  - Type match class-map <class name> to match traffic based on another class (classes can be nested).
- From GC, type policy-map type inspect <policy name> to create a policy for how to apply a class:
  - Type class type inspect <class name> to use a class for the policy.
    - Type {inspect | drop | pass} [log] to specify what action to take for traffic matched to the class. inspect allows the traffic and statefully allows the return traffic; pass allows it one way only, so the reverse direction needs its own policy; traffic that matches no class falls into class-default, which drops by default.
- From GC, type zone-pair security <pair name> source <zone name> destination <zone name> to create a zone pair for applying a policy (a pair is one-directional; inspect on the INSIDE-to-OUTSIDE pair is what lets replies back in without a second pair):
  - Type service-policy type inspect <policy name> to filter traffic based on a policy.
- To apply a zone to an interface (and the network behind it), from GC type int <interface>:
  - Type zone-member security <zone name> to apply the zone.
- From PE, type show policy-map type inspect zone-pair to see the sessions and counters.
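A two-zone firewall built from the steps above, as an added example that is not from the original notes. The zone names, the 192.168.10.0/24 inside network, the interfaces G0/0 (inside) and G0/1 (outside) and the allowed protocol list are assumptions; drop log on class-default is an addition the notes do not mention.

```cisco
! Added example (not from the original page): two-zone firewall on R1.
! INSIDE (G0/0, 192.168.10.0/24) may initiate web, DNS, SSH and ICMP to
! OUTSIDE (G0/1); replies are allowed statefully by "inspect"; nothing may
! be initiated from OUTSIDE. Names and addresses are assumptions.
zone security INSIDE
zone security OUTSIDE
! Which traffic: the inside source network AND one of the permitted protocols.
ip access-list extended INSIDE-NET
 permit ip 192.168.10.0 0.0.0.255 any
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol http
 match protocol https
 match protocol dns
 match protocol ssh
 match protocol icmp
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-NET
 match class-map INSIDE-PROTOCOLS
! What to do: inspect = stateful allow. Everything else lands in
! class-default, which drops; "log" there gives visibility into it.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
! Direction: only the INSIDE->OUTSIDE pair gets a policy. No pair exists
! for OUTSIDE->INSIDE, so new connections from outside are dropped.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
interface g0/0
 zone-member security INSIDE
interface g0/1
 zone-member security OUTSIDE
! Traffic to the router itself (self zone) is still allowed by default, so
! management access is restricted separately with access-class on the VTYs.
! Verify with "show policy-map type inspect zone-pair IN-OUT sessions".
```

Test from an inside host: an HTTPS connection outward succeeds and its reply is accepted, while an inbound SSH attempt from the outside to the inside host is dropped; an outbound SMTP connection (not in the protocol list) hits class-default and produces a log line.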
Setting up a Site-to-Site IPsec VPN on a router
- From GC, type crypto isakmp policy <priority number> (e.g. "10", lower is preferred) to configure the phase 1 (IKE) policy. The two routers must share at least one matching policy:
  - Type hash <hash algorithm> (e.g. "sha"; note that plain sha is SHA-1, and sha256 is available on newer IOS versions and should be preferred).
  - Type authentication pre-share to specify that authentication will use a key set on both routers.
  - Type group <dh group number> (e.g. "14", i.e. 2048-bit; higher is more secure, and groups 1, 2 and 5 should no longer be used).
  - Type lifetime <seconds> (e.g. "3600").
  - Type encryption <encryption algorithm> (e.g. "aes 256").
- From GC, type crypto isakmp key <key> address <ip of remote router> (e.g. "cisco123", "10.2.2.1") to set the pre-shared key used for phase 1 authentication between the routers. The key must be identical on both routers. Use a long random key: a guessable pre-shared key can be brute-forced, especially if IKE aggressive mode is in use.
- From GC, type crypto ipsec transform-set <set name> <encryption algorithm> <hash algorithm> (e.g. "R1-R2", "esp-aes 256", "esp-sha-hmac") to set the algorithms for phase 2. The same command must be used on both routers.
- An extended ACL must be configured which permits the traffic to be protected ("interesting traffic"), from the local network to the remote one. The ACLs must be mirror images on the two routers, otherwise one side proposes a security association that the other rejects.
- From GC, type crypto map <map name> <sequence number> ipsec-isakmp (e.g. "R1-R2-MAP", "10") to configure the phase 2 map. The map must be equivalent on both routers (aside from the peer and the ACL):
  - Type set peer <ip of remote router> (e.g. "10.2.2.1").
  - Type match address <acl name/number> to bind the ACL to the map.
  - Type set transform-set <set name> (e.g. "R1-R2") to bind a transform set to the map.
  - Type set pfs <dh group> (e.g. "group14") so that every phase 2 key is derived from a fresh Diffie-Hellman exchange.
  - Type set security-association lifetime seconds <seconds> (e.g. "900").
- From GC, type int <interface> (e.g. "S0/0/0") to apply the map to the outside interface:
  - Type crypto map <map name> (e.g. "R1-R2-MAP").
- Once traffic passes from one side specified in the ACLs to the other, the security association will be established. Verify with show crypto isakmp sa (phase 1) and show crypto ipsec sa (phase 2, with packet counters).
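Both ends of a site-to-site tunnel built from the steps above, as an added example that is not from the original notes. R1/R2, the outside addresses 203.0.113.1 and 198.51.100.1, the LANs 192.168.10.0/24 and 192.168.20.0/24, the map and set names and the key are assumptions. It uses SHA-256 (hash sha256, esp-sha256-hmac), which exists on IOS 15.x but not on every older device; on those, fall back to the notes' sha and esp-sha-hmac.

```cisco
! Added example (not from the original page): site-to-site tunnel between
! R1 (outside 203.0.113.1, LAN 192.168.10.0/24) and R2 (outside
! 198.51.100.1, LAN 192.168.20.0/24). Addresses, names and the key are
! assumptions; use a long random PSK in practice.
! --- R1 ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key Long-Random-Psk-Change-Me address 198.51.100.1
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha256-hmac
! Interesting traffic: local LAN to remote LAN only.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map R1-R2-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 match address VPN-TRAFFIC
 set transform-set R1-R2
 set pfs group14
 set security-association lifetime seconds 900
interface serial0/0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map R1-R2-MAP
 no shutdown
! --- R2: identical apart from the peer, its own addresses and the
! mirrored ACL ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key Long-Random-Psk-Change-Me address 203.0.113.1
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha256-hmac
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map R1-R2-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 match address VPN-TRAFFIC
 set transform-set R1-R2
 set pfs group14
 set security-association lifetime seconds 900
interface serial0/0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map R1-R2-MAP
 no shutdown
! If NAT/PAT is also configured on these routers, the LAN-to-LAN traffic
! must be denied first in the NAT ACL; NAT runs before the crypto map on
! the way out, and translated packets no longer match VPN-TRAFFIC.
! After the first ping from 192.168.10.x to 192.168.20.x, "show crypto
! isakmp sa" shows QM_IDLE and "show crypto ipsec sa" counts packets.
```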
Setting up PAT on a router
- Create a standard numbered ACL that describes the inside network(s) (e.g. "1", "192.168.1.0", "0.0.0.255"). Only traffic permitted by this ACL is translated; anything else is routed out untranslated with its private source address.
- From GC, type ip nat pool <pool name> <outer ip> <outer ip> netmask <outer subnet mask> (the same address twice gives a one-address pool).
- From GC, type ip nat inside source list <acl number> pool <pool name> overload. The overload keyword is what turns NAT into PAT: many inside hosts share the address, distinguished by port. Alternatively, to use the outside interface's own address, type ip nat inside source list <acl number> interface <outside interface> overload and skip the pool.
- To set an inside interface for the PAT, from GC type int <interface>:
  - Type ip nat inside.
- To set an outside interface for the PAT, from GC type int <interface>:
  - Type ip nat outside.
- From PE, type show ip nat translations to see the active translations.
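The PAT steps on one router with two inside networks, as an added example that is not from the original notes. R1, the inside subnets 192.168.10.0/24 and 192.168.20.0/24, the outside address 203.0.113.1 on S0/0/0 and the pool name are assumptions; the interface-overload variant is shown commented out as the alternative to the pool.

```cisco
! Added example (not from the original page): R1 translates the inside
! networks 192.168.10.0/24 and 192.168.20.0/24 to its single outside
! address 203.0.113.1 on S0/0/0. Addresses and names are assumptions.
! Only inside hosts matched by ACL 1 are translated; keep it to the
! inside networks so nothing else is silently sent out untranslated.
access-list 1 remark Inside networks eligible for PAT
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
! Variant A: explicit one-address pool, as in the course notes.
ip nat pool PAT-POOL 203.0.113.1 203.0.113.1 netmask 255.255.255.0
ip nat inside source list 1 pool PAT-POOL overload
! Variant B (use INSTEAD of A): overload the outside interface's address,
! which keeps working if the ISP assigns that address dynamically.
! ip nat inside source list 1 interface serial0/0/0 overload
interface g0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no shutdown
interface g0/1
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 no shutdown
interface serial0/0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 no shutdown
! "show ip nat translations" lists inside local:port -> inside global:port
! per flow; "show ip nat statistics" shows hits and the NAT interfaces.
```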
Setting up NTP on a switch/router
- From GC, type ntp authentication-key <key number> md5 <password> (e.g. "1", "NTPpassword"). The key number and password must match on the master and its clients.
- From GC, type ntp trusted-key <key number> (e.g. "1") to mark the key as one the device accepts.
- From GC, type ntp authenticate to enable the authentication.
- To configure the device as an NTP master:
  - From GC, type ntp master <stratum number> (e.g. "3"). A lower stratum is more authoritative; choose one higher than that of any real time source the device itself synchronizes to.
- To configure the device as an NTP client:
  - From GC, type ntp server <ntp master ip> key <key number> to set what device to use as a master. Without key <key number> the client does not authenticate that server, even if ntp authenticate is set.
  - From GC, type ntp update-calendar for the client to also use NTP to update its hardware clock (calendar).
- From PE, type show ntp status and show ntp associations to verify synchronization. Synchronized clocks are what make Syslog timestamps from different devices comparable during an incident.
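The NTP steps above and the Syslog steps from the earlier section belong together: timestamped logs are only useful if every device agrees on the time. The following is an added example that is not from the original notes; R1 as master, R2 as client, the loopback addresses, the Syslog server 192.168.99.10, the timezone and the key are assumptions. The clock timezone, logging buffered and service timestamps lines are additions to the commands the notes list.

```cisco
! Added example (not from the original page): R1 is the authenticated NTP
! master for the site, R2 synchronizes to it, and both send logs to a
! Syslog server at 192.168.99.10 from a stable loopback address.
! Addresses, names, timezone and the key are assumptions.
! --- R1: NTP master (stratum 3) with authentication key 1 ---
clock timezone EET 2
ntp authentication-key 1 md5 Ntp-Shared-Key
ntp trusted-key 1
ntp authenticate
ntp master 3
interface loopback 0
 ip address 10.255.0.1 255.255.255.255
! --- R1 and R2 alike: Syslog, informational and above, ms timestamps ---
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
logging host 192.168.99.10
logging trap informational
logging source-interface loopback 0
logging on
! --- R2: NTP client; "key 1" is what makes this server authenticated ---
clock timezone EET 2
interface loopback 0
 ip address 10.255.0.2 255.255.255.255
ntp authentication-key 1 md5 Ntp-Shared-Key
ntp trusted-key 1
ntp authenticate
ntp server 10.255.0.1 key 1
ntp update-calendar
! A client that omits "key 1" still synchronizes, just unauthenticated, so
! a spoofed NTP source could skew its clock and with it every log timestamp.
! Verify: "show ntp status" (synchronized, stratum 4 on R2),
! "show ntp associations detail" (authenticated), "show logging" (trap
! level and the Syslog host).
```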