Skip to content

Instantly share code, notes, and snippets.

@chmutoff
Last active Mar 23, 2022
Embed
What would you like to do?
Cisco CCNA (200-125) command summary

Cisco CCNA (200-125) command summary

Working with configuration

Show configuration

show running-config
show stored-config

Save configuration

copy run start
copy running-config flash

copy to ram(running-config) will perfom a MERGE operation!!! Use the replace instead.
configure replace

Safe way of doing changes

reload in X will reboot the device in X minutes
... do the changes ...
reload cancel cancel the scheduled reboot

Reset default settings

Restore interface to default settings
default intefrace fa0/1

Restore switch to default settings

write erase
show flash:
delete flash:vlan.dat
reload

The perfect initial config for a cisco device

The commands to perform this steps should be memorized

  1. Hostname
  2. MOTD banner
  3. Console config
    • No timeout
    • Logging sync
    • Request password
  4. No domain lookup
  5. Set domain name
  6. Encrypt passwords in config
  7. Set secret for privileged mode
  8. VTY config
    • Login local
    • Timeout in 30 minutes
    • Set access through SSH only
  9. Add user with secret
  10. Create RSA key
  11. Setup management IP on VLAN
    • Set IP
    • Enable interface
  12. Copy config to startup
conf t
	hostname blabla
	no ip domain-lookup
	ip domain-name somedomain.com
	crypto key generate rsa
	banner motd #Unauthorized access to this device is prohibited!# ! appears before login
	enable secret XXXX ! good encryption, `password` is old
	service password ecnryption ! encrypts clear text password
!
	line 0
		exec-timeout 30
		password cisco 
		login
		exit
!	
	username bla secret blabla
	line vty 0 4
		exec-timeout 30
		transport input ssh
		login local
!	
	interface vlan 1
		ip address x.x.x.x y.y.y.y
		no shutdown

Serial interface

DCE config:
show controllers s1/0 shows if cable is DTE or DCE
clock rate 1000000 set clock rate in bits per second
bandwidth 1000 set bandwith in kbits per second, used by routing algs

DTP - Dynamic Trunking Protocol

Configuration

interface g0/0	
	switchport mode dynamic auto
	switchport mode dynamic desirable
	switchport mode trunk ! DTP will send messages on this port
	switchport nonegotiate ! DISABLE
	no switchport nonegotiate ! ENABLE

Verification

sh dtp interface g0/0

CDP Cisco discovery protocol

Configuration

cdp run 	   ! enable globally
no cdp run     ! disable globally
cdp enable 	   ! on inteface
cdp timer x    ! timer for CDP advertisements
cdp holdtime x ! timer for CDP holdtime

Verification

show cdp
show cdp neigbors
show cdp neigbors detail
show cdp traffic shows CDP stats
show cdp interface

LLDP

Configuration

lldp run
lldp holdtime
lldp timer
lldp reint
interface g0/0
	no lldp transmit
	no lldp receive

Verification

show lldp
show lldp interface

VTP

  • Vlan Trunking Protocol is NOT a trunking protocol!
  • Version 1, 2, 3

Configuration

vtp version 2
vpt domain test

vtp mode transparent disable VTP

Verification

show vtp status
show vtp password
show vtp counters

VLANs on routers

Configuration

interface g0/0.51
	encapsulation dot1Q 51 [native]
	ip address x.x.x.x

VLANs on switches

  • Vlans 1002 - 1005 reserved

Configuration

switchport trunk encapsulation dot1q
switchport mode trunk
switchport mode access
switchport voice vlan 10
switchport acces vlan 11
switchport native vlan 12

Verification

show vlan shows only access
show vlan brief
show interfaces trunk shows trunk port vlans
show interfaces switchport shows information about interface
show interface g0/0 switchport vlan port information

DHCP

Configuration

ip dhcp excluded-address 10.1.51.1 10.1.51.19
ip dhcp excluded-address 10.1.51.100 10.1.51.255
ip dhcp excluded-address 10.1.52.1 10.1.52.19
ip dhcp excluded-address 10.1.52.100 10.1.52.255
ip dhcp pool VLAN51
    network 10.1.51.0 255.255.255.0
    default-router 10.1.51.1
    dns-server 4.2.2.2 8.8.8.8
ip dhcp pool VLAN52
    network 10.1.52.0 255.255.255.0
    default-router 10.1.52.1
    dns-server 4.2.2.2 8.8.8.8

Verification

show ip dhcp binding
show ip dhcp conflict
show ip dhcp pool
show ip dhcp server statistics

RIP

Configuration

router rip
version 2
network x.x.x.x
no auto-summary
default-information originate ! default route
  • 1st way to exclude interface
    passive interface fa0/0

  • 2nd way to exclide interface

passive-interface default  ! do not advertice on any interface
no passive interface fa0/1 ! add interface to advertise

Verification

show ip protocols

ACCESS LISTS

Configuration

access-list 100 blabla Standard access list
ip access-list standard INTERNET_FILTER extended access list
ip access-list resequence name 10 10 change sentence sequence inside of a list

Apply access list to interface

interfacfe g0/1
ip access-group blabla in

Apply access list to ssh/telnet line

line vty 0 4
access-class FILTER_TELNET in

Verification

show access-list
show ip access-lists

NAT

Configuration

  1. Choose the direction
interface eth0/0
ip nat outside
interface eth0/1
ip nat inside
  1. Create access list to match natted addresses
ip access-list standard NATTED
permit 10.0.0.0 0.0.0.255
  1. Create a NAT pool
ip nat pool OUTSIDE 170.168.2.3 170.168.2.254 netmask 255.255.255.0
  1. Apply NAT
ip nat inside source list NATTED interface eth0/0 overload 	! masquerading
ip nat inside source static 10.1.1.1 170.46.2.2 			! static nat
ip nat inside source list NATTED pool OUTSIDE overload 		! one to many natting

Verification

show ip nat translations
show ip nat statistics
clear ip nat translation *

RADIUS and TACACS

Configuration

aaa new-model
radius-server host x.x.x.x key secretKey ! or tacacs-server
! or
radius server RADIUS ! or tacacs server
	address ipv4 x.x.x.x
	key secretKey
!
aaa group server radius RadiusServerGROUP ! or ... server tacacs+ ...
	server x.x.x.x                        ! or server name RADIUS,  whatever was defined before
!
aaa authentication login default group RadiusServerGROUP local

SNMP

Configure v2c

snmp-server community SecretCommunity 1 default is ro, is possible to add an acces list
snmp-server location LOCATION
snmp-server contact SOMEBODY

Configure v3 SNMP Object Explorer to view MIB family name

snmp-server view VIEWNAME ifIndex included
snmp-server group GROUPNAME v3 priv read VIEWNAME ! priv = auth + priv (encryption)
snmp-server user USER GROUPNAME v3 auth sha PASSWORD priv des56 ENCRYPTIONKEY ! also can use access list

Configure trap server

snmp-server host x.x.x.x traps

Verification

show snmp
show snmp community

IPv6

ipv6 unicast-routing globally
ipv6 enable on interface

STP

Configuration

spanning-tree mode rapid-pvst
spanning-tree vlan 1 root [primary|secondary]
spanning-tree portfast default !enable portfast on all access ports
spanning-tree bpduguard default !enable bpduguard on all access ports

Configuration on interface

spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree vlan X priority Y
spanning-tree link-type point-to-point
spanning-tree cost X ! change interface cost

Verification

show spanning-tree
show spanning-tree detail
show spanning-tree summary
clear spanning-tree detected protocols [interface intId]

Bonding (Link aggregation)

Configuration

interface gig0/1
channel-group X mode [...] ! the enabled protocol depends on the selected mode
exit
interface port-channel X
! ... configure as normal interface

Verification

show etherchannel port-channel
show etherchannel summary

EIGRP

Configuration

router eigrp 90          ! specify AS number
network x.x.x.x y.y.y.y  ! network and wilcard
no auto-summary
redistribute static      ! advertise default route
variance 3
maximum-paths 10
interface gi0/0
ip summary-address eigrp 90 x.x.x.x y.y.y.y   ! summarization on interface
ip hello-interval eigrp 90 1                  ! send hello every 1s
ip hold-time eigrp 90 3                       ! consider me dead in 3s
ip bandwidth-percent 90 40                    ! allow eigrp use up to 40% of bandwith

IPv6 configuration

ipv6 unicast-routing
ipv6 router eigrp X  ! AS number
router-id 1.1.1.1
no shutdown
!
interface g0/0
ivp6 eigrp X   ! AS number

Verification

show ip eigrp neighbors
show ip eigrp topology
show ip eigrp topology all-links
show ip eigrp interfaces
show ip eigrp interfaces detail g0/0
show ip route eigrp

OSPF

Configuration

router ospf 1 ! ospf process ID
	router-id 1.1.1.1
	network x.x.x.x y.y.y.y area Z
	area 1 stub
	maximum-paths X                        ! change maximum paths to load balance
	auto-cost reference-bandwidth 10000    ! adjust ospf to work on 10G
	area X range x.x.x.x y.y.y.y advertise ! add summarization
	default-information originate          ! generate default information posible to add 'always'
	!
    ! Passive and active interfaces
    !
    passive-interface g0/1    ! make only this interface passive
	passive-interface default ! make all the interfaces passive
	no passive-interface g0/0 ! make the desiredinterface not passive
interface g0/4
    ip ospf priority X             ! preference for being DR
    ip ospf cost X                 ! prefer one path over another
    ip ospf hello-interval X       ! this will adjust dead timer automatically
    ip ospf dead-interval Y
    ip ospf network point-to-point
    ip ospf mtu-ignore             ! ignore mtu errors

IPv6 on interface

interface g0/5
ipv6 ospf 1 area 0

Verification

show ip ospf
show ip ospf int brief
show ip ospf int f0/0
show ip ospf neighbors
show ip ospf database

IP SLA

Configuration

ip sla 1
	icmp-echo x.x.x.x
	frequency 10
    exit
ip sla schedule 1 life forever start-time now

Verification

show ip sla configuration
show ip sla statistics

SPAN

Configuration

monitor session 1 source interface f0/1
monitor session 1 destination interface f0/2

Verification

show monitor

POINT to POINT connections

! global config router A
username RouterB password cisco # password must match for CHAP
!
int s1/0
	encapsulation ppp
	ppp authentication pap ! or chap
	ppp pap sent-username RouterA password cisco ! PAP only
	ppp compress stacker
	ppp compress predictor
!
! global config router B
username RouterA password cisco # password must match for CHAP
!
int s1/0
	encapsulation ppp
	ppp authentication pap ! or chap
	ppp pap sent-username RouterB password cisco ! PAP only

PPP MULTILINK

Configuration

interface Multilink 1
	ip address x.x.x.x y.y.y.y
	encapsulation ppp
	ppp multilink
	ppp multilink group 1
!
interface s1/0
	ppp multilink group 1
	no ip address
	encapsulation ppp

Verification

shos ppp multilink

PPPoE

int dialer 1
	mtu 1492
	encapsulation ppp
	ip address negotiated
	ppp chap hostname CBTNuggets
	ppp chap password IsQuiteFun
	dialer pool 1
!
int fa0/1
	pppoe enable
	pppoe-client dial-pool-number 1
!
ip route 0.0.0.0 0.0.0.0 Dialer 1

GRE

Configuration

int Tunnel 1
	ip address x.x.x.x y.y.y.y
	tunnel mode gre ip
	tunnel source z.z.z.z
	tunnel destination w.w.w.w

BGP

Configuration

router bgp X ! AS Number
	neighbor z.z.z.z remote-as XXXX
	network x.x.x.x y.y.y.y

Verification

show ip bgp
show ip bgp summary
show ip bgp neighbors

HSRP

  • There are 2 version, v1 and v2.
  • Works with groups.
  • Active/Standby status.
  • Ties = highest IP and Highes priority (0-255) wins
  • Hello timer 3s
  • Hold timer 10s
  • Supports authentication: txt or md5
  • Multicast communication
  • In datacenter with VPC (virtual port channel) the standby router also process traffic. It becomes some kind of active-active
V1 V2
256 groups 4096 groups
second timers ms timers
0000.0c07.acXX 0000.0c9f.fXXX
224.0.0.2 224.0.0.102

Configuration

int fa0/0
	standby version 2     ! default is v1
	standby 1 ip x.x.x.x
	standby 1 priority 100
	standby 1 preempt
	standby 1 timers 5 15 ! hello and hold timers

Verification

show standby

SYSLOG

Log display configuration

service timestamps log datetime
service sequence-numbers

Logging onfiguration

logging x.x.x.x
logging trap 4  ! 4 or waring. Control the messages sent to syslog
logging source-interface g0/0
!
logging console
logging buffered

Verification

show logging

Other usfeull commands

CTRL + SHIFT + 6, X cancel traceroute or name resolution (like Ctrl + C in Linux)

ip host XX y.y.y.y host to ip asignment
ip name-server x.x.x.x act as dns client
ip dns server enable dns server
config-register 0x2102 router should attempt to load a Cisco IOS software image from Flash memory and load the startup configuration with a console speed of 9600 baud
show controllers utilization display bandwidth utilization onthe switch or specific ports show users show vty users
show mac address-table
show ip interface brief
show port-security
clear line vty x
terminal ip netmask-format bit-count
service compress-config compress config file
terminal monitor shows debug output on vty

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment