Basics

sh run
sh int trunk
sh ip int brief
sh eth sum
sh vlan brief
sh ip ospf neighbor
sh ip protocols (check areas and router id)
sh ip eigrp topology
sh cdp neighbors
sh controllers serial 0

enable password cisco
service password-encryption
enable secret ccna
create multiple users:
username ccna secret cisco
username ccnp secret CISCO
login local


Setup console pw
line console 0
password ccna
service password-encryption
login


telnet
int g0/0
ip add 192.168.1.1 255.255.255.0
no shut
username cisco secret CCNA
line vty 0 15
login local
transport input telnet
exec-timeout 5


SSH
int g0/0
ip add 192.168.1.1 255.255.255.0
no shut
username cisco secret CCNA
ip domain-name cisco.com
crypto key generate rsa (1024)
line vty 0 15
login local
transport input ssh
exec-timeout 5
exit
ip ssh version 2
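
Added example, not part of the original notes: a small Python check that scans a command list for the weak management-access settings that appear in the console, telnet and SSH notes above. The sample text, the audit() function and the 2048-bit threshold are assumptions made for this sketch.

```python
import re

# Constructed command list assembled from the console, telnet and SSH notes above.
SAMPLE_CONFIG = """\
enable password cisco
enable secret ccna
username cisco secret CCNA
ip domain-name cisco.com
crypto key generate rsa modulus 1024
line console 0
 password ccna
 login
line vty 0 15
 login local
 transport input telnet
 exec-timeout 5
"""

def audit(config):
    """Return (line_number, finding) pairs for weak management-access settings."""
    findings = []
    lines = [l.strip().lower() for l in config.splitlines()]
    for n, line in enumerate(lines, 1):
        rsa = re.match(r"crypto key generate rsa\b.*?(\d+)", line)
        if line.startswith("enable password"):
            findings.append((n, "enable password is plaintext or reversible type 7; keep only enable secret"))
        elif re.match(r"password \S+", line):
            findings.append((n, "line password is plaintext or reversible type 7; use login local with username ... secret"))
        elif line.startswith("transport input") and {"telnet", "all"} & set(line.split()[2:]):
            findings.append((n, "telnet permitted: logins cross the network unencrypted"))
        elif rsa and int(rsa.group(1)) < 2048:
            findings.append((n, "RSA modulus below 2048 bits"))
    # SSH without an explicit version pin (hypothetical rule for this sketch)
    ssh_on = any(l.startswith("transport input") and "ssh" in l.split() for l in lines)
    if ssh_on and "ip ssh version 2" not in lines:
        findings.append((None, "SSH enabled without 'ip ssh version 2': SSHv1 may still be accepted"))
    return findings

if __name__ == "__main__":
    for n, msg in audit(SAMPLE_CONFIG):
        print(n, msg)
```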



messages:
username ccna secret Cisco
username ccnp secret Cisco
line console 0
login local
banner motd * Welcome to LAB *
banner login * auth users only *

Serial
int serial0
no shut
clock rate 64000

(DCE applies clock signal)

Interface f0/1
ip address 10.10.10.2 255.255.255.0
no shutdown

give switch vlan:
interface vlan1
ip address 10.10.10.10 255.255.255.0
no shutdown

give switch default gateway: ip default-gateway 10.10.10.2

check interface config (full duplex, speed, ..): sh interface f0/1

Manually adjust speed / duplex mode
interface f0/2
speed 100
duplex full

CDP:
show cdp neighbors
shutdown cdp for interface:
interface f0/1
no cdp enable
Flush CDP Cache:
no cdp run
cdp run

Routing

Static routing
ip route 10.10.0.0 255.255.255.0 10.0.0.2
Troubleshoot: sh ip route, ping, tracert
LB static route:
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 10.0.0.3

Dynamic Routing rip:
router rip
version 2
network 10.0.0.0
no auto-summary

Troubleshoot: debug ip rip, undebug all, sh ip route, sh ip rip database

OSPF
configure loopbacks:
interface loopback0
ip address 192.168.0.1 255.255.255.255

Configure ospf
router ospf 1
auto-cost reference-bandwidth 100000
network 10.0.0.0 0.255.255.255 area 0
network 192.168.0.0 0.0.0.255 area 0

Troubleshoot:
sh ip protocols (check if loopback is used for router id)
sh ip ospf neighbor (check for adjacencies)
sh ip route
sh ip ospf interface f0/0

OSPF Costs:
sh ip route
adjust for a path:
int f1/1
ip ospf cost 1500

Default route injection
router ospf 1
passive-interface f1/1
network 203.0.113.0 0.0.0.255 area 0
sh ip route
configure default static route to isp: ip route 0.0.0.0 0.0.0.0 203.0.113.2
router ospf 1
default-information originate

Multi area OSPF
router ospf 1
network 10.0.0.0 0.255.255.255 area 1
network 192.168.0.0 0.0.0.255 area 1 xxx
copy run start
reload

Designated router and BDR
int loopback0
ip address 192.168.0.6 255.255.255.255

OSPF
router ospf 1
network 172.16.0.0 0.0.0.255 area 0
network 192.168.0.0 0.0.0.255 area 0
auto-cost reference-bandwidth 100000

sh ip ospf interface f0/0

interface f0/0
ip ospf priority 100
end
Clear ip ospf process
verify dr is correct
sh ip ospf interface f0/0 (look for Designated Router ID:)

Simple config
en

conf t

hostname R1

int f0/0

ip add 192.168.12.1 255.255.255.0

no sh

int f0/1

ip add 192.168.14.1 255.255.255.0

no sh

int f1/0

ip add 192.168.1.1 255.255.255.0

no sh

router ospf 1

int f0/0

ip ospf 1 area 0

int f0/1

ip ospf 1 area 0

int f1/0

ip ospf 1 area 0

_________

en

conf t

hostname R2

int f0/0

ip add 192.168.12.2 255.255.255.0

no sh

int f0/1

ip add 192.168.23.1 255.255.255.0

no sh

router ospf 1

int f0/0

ip ospf 1 area 0

int f0/1

ip ospf 1 area 0

_________

en

conf t

hostname R3

int f0/0

ip add 192.168.23.2 255.255.255.0

no sh

int f0/1

ip add 192.168.34.1 255.255.255.0

no sh

int f1/0

ip add 192.168.2.1 255.255.255.0

no sh

router ospf 1

int f0/0

ip ospf 1 area 0

int f0/1

ip ospf 1 area 0

int f1/0

ip ospf 1 area 0

__________

en

conf t

hostname R4

int f0/0

ip add 192.168.34.2 255.255.255.0

no sh

int f0/1

ip add 192.168.14.2 255.255.255.0

no sh

router ospf 1

int f0/0

ip ospf 1 area 0

int f0/1

ip ospf 1 area 0




STP

Configure STP
show current spanning tree:
show spanning-tree summary (also to check blocking ports)
show spanning-tree vlan 10

Configure Rapid PVST+ (to reduce convergence time)
spanning-tree mode rapid-pvst

configure primary stp on root switch connected to active router.
CD1: spanning-tree vlan 10 root primary
CD2: spanning-tree vlan 10 root secondary

Verify Priorities are correct:
CD1: show spanning-tree vlan 10
CD2: show spanning-tree vlan 10
Acc: show spanning-tree vlan 10

Enable PortFast and BPDU guard
Acc: interface f0/1
spanning-tree portfast
spanning-tree bpduguard enable

Root & backup root bridge protection (configure on all ports to other switches)
CD1: interface f0/21
CD1: spanning-tree guard root
CD2: interface f0/21
CD2: spanning-tree guard root

STP Troubleshooting

Get Diagram of network
Check which router is active (show standby on top routers)
Switch connected to active will become primary stp
Check all interface configs, trunks if they are correct.
Do ping and tracerts from bottom to top.
Check interface configs, vlans, trunk ports
sh ip int brief
sh running config
Verify stp config spanning tree core/distri are root stp: Access sw: show spanning-tree vlan 10
If you see a wrong root check priorities (sh run | include priority)

Simpler troubleshooting:
show standby (check active mac address)
show spanning-tree vlan 10 (check who is root)
Clear arp cache on pc: arp -d and ping virtual ip of hsrp
show mac address-table on access switch and check on which link it comes in.
We can go hop by hop using show mac address-table to verify the tracking

VTP, Trunk and access

Show vlan brief

Show int gig 0/1 switchport

Configure links between switches and trunks

Int g0/1

Switchport mode trunk

Switch trunk native vlan 199

Configure link with encap dot1q

Int g0/1

Switch trunk encap dot1q

Switchport mode trunk

Switch trunk native vlan 199

Configure access ports

Int f0/1

Switchport mode access

Switchport access vlan 10

Configure VTP server for domain petit

Vtp domain Petit

Vtp mode server

Setup VTP client for domain petit

Vtp mode client

Vtp domain Petit

Setup VTP transparent

Vtp mode transparent

Create vlans

Vlan 10

Name sales

Vlan 199

Name Native

Check: show vlan brief

Inter vlan routing (router on a stick)

Configure subinterface on router

Int f0/1

No ip address

No shutdown

Int f0/1.10

Encapsulation dot1q 10

Ip address 10.10.10.1 255.255.255.0

Switch end:

Int f1/1

Switch trunk encap dot1q

Switchport mode trunk

Layer 3 routing on switch

Enable ip routing: ip routing

Configure vlans:

int vlan 10

Ip address 10.10.10.1 255.255.255.0

DHCP

Put int as dhcp client

Int f0/1
Ip address dhcp
No shutdown
Show ips
Sh ip int brief
Sh dhcp lease

Setup DHCP server

ip dhcp excluded-address 10.10.10.1 10.10.10.10
Ip dhcp pool petit
Default-router 10.10.10.1
Dns-server 10.10.20.10
Network 10.10.10.0 255.255.255.0
Sh ip dhcp binding

External dhcp server

Int f0/1
Ip helper-address 10.10.20.1

Eth Channel

int range f0/23 - 24
channel-group 1 mode active
exit
interface port-channel 1
description Link to CD1
switchport mode trunk
switchport trunk native vlan 199

CD1:
int range f0/23 - 24
channel-group 1 mode active
exit
interface port-channel 1
Description Link to Acc
switchport mode trunk
switchport trunk native vlan 199
Verify: show etherchannel summary

L3 ETH Channel:
ip routing

int range g0/1-2

no switchport

channel-group 1 mode on

int po1

ip add 23.0.0.1 255.255.255.0
https://www.youtube.com/watch?v=0FwjDV9UJBw&list=PLxbwE86jKRgMQ4HTuaJ7yQgA2BoNwY9ct&index=51

Port Security

sh ip int brief (disable unused ports)
int range f0/3 - 24
shutdown

int f0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 0000.1111.1111
show port-security address

ACLS

Numbered acl (deny from 10.0.2.0 and permit from 10.0.1.0)
access-list 1 deny 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
int f0/0
ip access-group 1 out

numbered acl
access-list 100 permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
access-list 100 deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
access-list 100 permit ip any any

int f1/0
ip access-group 100 in

named acl
ip access-list extended F1/0_in
permit tcp host 10.0.1.10 host 10.0.0.2 eq telnet
deny tcp 10.0.1.0 0.0.0.255 host 10.0.0.2 eq telnet
permit icmp host 10.0.1.11 host 10.0.0.2 echo
deny icmp 10.0.1.0 0.0.0.255 host 10.0.0.2 echo
permit ip any any
int f1/0
ip access-group F1/0_in in
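
Added example, not part of the original notes: a Python model of how the named ACL F1/0_in above is evaluated (wildcard-mask match, first match wins, implicit deny at the end). The entries are copied from the notes; the function names and test packets are constructed for this sketch.

```python
import ipaddress

# Entries of F1/0_in: (action, proto, src, src_wildcard, dst, dst_wildcard, match)
# "match" is the TCP destination port or the ICMP type name; None means any.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_F1_0_IN = [
    ("permit", "tcp",  "10.0.1.10", "0.0.0.0",   "10.0.0.2", "0.0.0.0", 23),
    ("deny",   "tcp",  "10.0.1.0",  "0.0.0.255", "10.0.0.2", "0.0.0.0", 23),
    ("permit", "icmp", "10.0.1.11", "0.0.0.0",   "10.0.0.2", "0.0.0.0", "echo"),
    ("deny",   "icmp", "10.0.1.0",  "0.0.0.255", "10.0.0.2", "0.0.0.0", "echo"),
    ("permit", "ip",   *ANY, *ANY, None),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst, detail=None):
    """Return (action, entry_number) of the first matching entry, top down."""
    for n, (action, a_proto, s, sw, d, dw, match) in enumerate(acl, 1):
        if a_proto != "ip" and a_proto != proto:
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if match is not None and match != detail:
            continue
        return action, n
    return "deny", None  # implicit deny that ends every ACL

# Constructed test packets: (proto, src, dst, port or ICMP type)
SAMPLES = [
    ("tcp", "10.0.1.10", "10.0.0.2", 23),
    ("tcp", "10.0.1.20", "10.0.0.2", 23),
    ("icmp", "10.0.1.11", "10.0.0.2", "echo"),
    ("icmp", "10.0.1.20", "10.0.0.2", "echo"),
    ("tcp", "10.0.1.20", "10.0.0.2", 80),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(ACL_F1_0_IN, *pkt))
```

Swapping the first two entries makes the subnet deny match 10.0.1.10 before its host permit is reached, which is why the specific permit has to sit above the broader deny.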

NAT

Static nat
int f0/0
ip nat outside

int f0/1
ip nat inside

ip nat inside source static 10.0.1.10 203.0.113.3

Dynamic nat
int f0/0
ip nat outside

int f1/0
ip nat inside

ip nat pool petit 203.0.113.4 203.0.113.12 netmask 255.255.255.240

access-list 1 permit 10.0.2.0 0.0.0.255

ip nat inside source list 1 pool petit

PAT

int f0/0
shutdown
No ip address
ip address dhcp

int f0/0
no shut
sh ip int brief

int f0/0
ip nat outside

int f1/0
ip nat inside

access-list 1 permit 10.0.2.0 0.0.0.255

ip nat inside source list 1 interface f0/0 overload

IPv6

config unicast IPv6
int f0/1
ipv6 address 2001:db8::1/64
no shut
exit
int f0/0
ipv6 address 2001:db8:0:1::1/64

R2:
int f0/0
ipv6 address 2001:db8:0:1::2/64
no sh
exit
int f0/1
ipv6 address 2001:db8:0:2::2/64

R3:
int f0/0
ipv6 address 2001:db8:0:2::1/64
no shut
exit
int f0/1
ipv6 address 2001:db8:0:3::1/64
no shut

configure global unicast EUI-64 on pc
int f0/0
ipv6 address 2001:db8::/64 eui-64
no shut
int f0/0
ipv6 address 2001:db8:0:3::/64 eui-64
no shut

configure link local on R1, R2,R3
int f0/0
ipv6 address fe80::1 link-local
exit
int f0/1
ipv6 address fe80::1 link-local
R2
int f0/0
ipv6 address fe80::2 link-local
exit
int f0/1
ipv6 address fe80::2 link-local

R3:
int f0/0
ipv6 address fe80::3 link-local
exit
int f0/1
ipv6 address fe80::3 link-local

verify global unicast and link local addressed: sh ipv6 int brief

Show neighbors: show ipv6 neighbors

Static ipv6 routing
sh ipv6 protocols
show run | include ipv6 route
ipv6 route ::/0 2001:db8::1
ipv6 route ::/0 2001:db8:0:3::1
ipv6 route 2001:db8::/64 2001:db8:0:1::1
allow unicast routing: ipv6 unicast-routing
ipv6 route 2001:db8:0:2::/64 2001:db8:0:1::2
ipv6 route 2001:db8:0:3::/64 2001:db8:0:1::2

R2:
ipv6 route 2001:db8::/64 2001:db8:0:1::1
ipv6 route 2001:db8:0:3::/64 2001:db8:0:2::2

R3
ipv6 route 2001:db8::/64 2001:db8:0:2::2
ipv6 route 2001:db8:0:1::/64 2001:db8:0:2::2
sh ipv6 route

VTI

R1:
crypto isakmp policy 10
encryption aes 256
authentication pre-share
hash sha256
group 5
lifetime 86400
exit

crypto isakmp key ccie*123 address 2.2.2.2
crypto ipsec transform-set TSET1 esp-aes 256 esp-sha256-hmac
mode tunnel
exit

crypto ipsec profile VTI1
set transform-set TSET1
set pfs group5
crypto isakmp policy 10
group 5
exit

int tunnel 1
tunnel source 1.1.1.1 (wanip)
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI1

ip unnumbered f0/0

exit

R2:
crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 5
crypto isakmp key ccie*123 address 1.1.1.1
!
!
crypto ipsec transform-set TSET1 esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile VTI1
set transform-set TSET1
set pfs group5
!
!


Interface Tunnel1
ip unnumbered FastEthernet2/0
tunnel source 2.2.2.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile VTI1
!
interface fastethernet0/0
ip address 1.1.1.1 255.255.255.0
duplex full
!


check status:
do sh cry isakmp sa
do sh int des
sh crypto isakmp sa
sh crypto ipsec sa

route:
R2: ip route 192.168.1.0 255.255.255.0 tun1
R1: ip route 192.168.1.0 255.255.255.0 tun1


