Troubleshooting
sh run
sh ip int brief
sh vla brief
sh int trunk
sh int g0/0.13
sh cdp neighbors
sh cdp neighbors detail
sh cdp entry R1
sh lldp
sh lldp neighbors
sh lldp neighbors detail
sh controllers s2/0 (DCE - DTE)
sh mac address-table
sh ip route
sh acc
sh clock
sh clock detail
sh ntp associations
sh ip nat translations
sh ipv6 int br
sh ipv6 route
sh int g0/2 sw (for DTP for example)
sh vtp status
sh spanning-tree sum (check mode & protections & vlans)
sh spanning-tree (lowest bridge id is root)
Designated ports: int from root switch or from root path
Root ports: int going to root switch
Alt / Block: highest costs
sh eth sum
sh int f0/4 (duplex and speed check)
sh ipv6 ospf neighb
sh ipv6 route
sh standby (higher prio wins)
terminal no monitor (stop spamming)
Router on a stick
en
conf t
int g0/0
no shut
int g0/0.13
encap dot1q 13
ip add 10.0.0.1 255.255.255.0
Trunk
sh int trunk
int g0/1
switchport mode trunk
switchport trunk nonegotiate
switchport trunk allowed vlan 5,6,7,8
CDP
cdp run
int range f0/3-4 (access ports)
cdp enable (default)
no cdp enable
LLDP
no cdp run
lldp run
sh lldp
sh lldp neighbors
int f0/1 (prevent LLDP updates on access port)
no lldp receive
no lldp transmit
Loopback
int l0
ip add 1.1.1.1 255.255.255.255
no shut
Port security
sh mac address-table
sh port-security
int f0/2
switchport mode access
switchport port-security (only on access port)
switchport port-security maximum 1
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security mac-address 002.16E2.2193
Static route
sh ip route
ip route 192.168.2.0 255.255.255.0 10.0.0.2
ip route 192.168.2.0 255.255.255.0 g0/0
ip route 10.0.0.0 255.255.255.0 192.168.0.3 121 (backup route - floating)
RIP
router rip
network 192.168.1.0
network 10.0.0.0 (classful so auto summarized in version 1)
RIPv2
router rip
version 2
no auto-summary
network 10.0.0.0
network 192.168.1.0
passive-interface g0/2 (access facing)
Standard ACLs
access-list 1 permit 192.168.1.0 0.0.0.255
do sh acc
int f0/0
ip access-group 1 out
access-list 1 deny host 192.168.2.14
access-list 1 permit any
do sh acc
int f0/0
ip access-group 1 out
Extended ACLs
access-list 100 permit ip host 192.168.1.11 host 192.168.3.100
access-list 100 deny ip any host 192.168.3.100
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.101
access-list 100 deny ip any host 192.168.3.101
access-list 100 permit ip any any
int s2/0
ip access-group 100 out
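How ACL 100 above is evaluated, as an added example that is not part of the original notes: entries are checked top to bottom, the first match decides, and anything unmatched hits the implicit deny. The function names (parse_acl, evaluate) are hypothetical, and the parser only handles the `permit|deny ip` forms used on this page.

```python
import ipaddress

# ACL 100 exactly as listed above (the page's own entries).
ACL_100 = """\
access-list 100 permit ip host 192.168.1.11 host 192.168.3.100
access-list 100 deny ip any host 192.168.3.100
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.101
access-list 100 deny ip any host 192.168.3.101
access-list 100 permit ip any any
"""

def _take_addr(tokens):
    """Consume one address spec; return (base, wildcard) as integers."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wild = tokens.pop(0)
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(wild))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, rest = tokens[2], tokens[4:]  # tokens[3] is the protocol (ip)
        src = _take_addr(rest)
        dst = _take_addr(rest)
        rules.append((action, src, dst, line.strip()))
    return rules

def _matches(addr, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

def evaluate(rules, src, dst):
    """Return (action, matching line); first match wins, else implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, rsrc, rdst, line in rules:
        if _matches(s, rsrc) and _matches(d, rdst):
            return action, line
    return "deny", "implicit deny"

RULES = parse_acl(ACL_100)
```

Moving `permit ip any any` to the top of the list makes every later deny unreachable, which is why the order of the entries matters.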
Named ACLs
ip access-list standard 2to1
deny 192.168.2.0 0.0.0.255
permit any
int f0/0
ip access-group 2to1 out
ip access-list standard 1to2
deny 192.168.1.0 0.0.0.255
permit any
int f0/0
ip access-group 1to2 out
NTP
show clock
sh clock detail
sh ntp associations
clock timezone JST 9
clock set 12:00:00 Aug 21 2019
ntp master (set as master not server)
ntp authenticate
ntp authentication-key 1 md5 cisco1
set ntp client
clock timezone JST 9
ntp authenticate
ntp authentication-key 1 md5 cisco1
ntp trusted-key 1
ntp server 192.168.12.1 key 1
DHCP
ip dhcp pool 10pool
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 10.0.0.1
exit
ip dhcp excluded-address 10.0.0.1 10.0.0.10
int g0/1 (relay)
ip helper-address 192.168.12.1
DNS
on switch
ip default-gateway 192.168.1.1
ip name-server 20.0.0.100
Static NAT
int g0/0
ip nat inside
int s0/0
ip nat outside
ip nat inside source static 192.168.1.11 1.2.3.11
Dynamic NAT
sh ip nat translations
int g0/0
ip nat inside
int s0/3/0
ip nat outside
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool pool1 1.2.3.10 1.2.3.20 netmask 255.255.255.0
ip nat inside source list 1 pool pool1
PAT (port address translation)
int g0/0
ip nat inside
int s0/3/0
ip nat outside
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface s0/3/0 overload
syslog
service timestamps log datetime msec
Password recovery
reboot switch and in boot go to rommon
confreg 0x2142
reset
en
copy start run
conf t
enable secret ccna
int g0/0
no shut
exit
config-register 0x2102
wr
ping 192.168.1.100
copy startup-config tftp
server: 192.168.1.100
sh version (check version and image file)
copy tftp flash (server 192.168.1.100, then paste filename)
delete flash:oldfilename
show flash
reload
IPV6
ipv6 unicast-routing
int g0/0
ipv6 add 2001:db8:123:123::1/64
no shut
int g0/0
no shut
ipv6 add auto
do sh ipv6 int br
IPV6 static routes
ipv6 route 2001:db8:2:2::/64 2001:DB8:123:123:2D0:FFFF:FE69:3801
DTP
sh int g0/2 sw
int g0/2
switchport nonegotiate
int g0/1
switchport mode trunk
switchport nonegotiate
int range f0/1-2
switchport mode access
switchport access vlan 13
switchport nonegotiate
VTP
sh vtp status
vtp mode server
vtp domain CCNA
vtp version 2
VTP Middleman:
vtp mode transparent
vtp domain CCNA
vtp version 2
Client:
vtp mode client
vtp domain CCNA
vtp version 2
STP
sh spanning-tree sum (check mode & protections & vlans)
sh spanning-tree (lowest bridge id is root)
Designated ports: int from root switch or from root path
Root ports: int going to root switch
Alt / Block: highest costs
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root primary
spanning-tree vlan 10 root secondary
spanning-tree portfast default (enable portfast on all acc ports)
int f0/1
spanning-tree portfast
spanning-tree bpduguard enable
Etherchannel
All ports must have same config (duplex, speed, native & allowed vlan, switchport mode)
sh eth sum
Layer 2 Eth Channel PAGP
int range f0/1 - 4
channel-group 1 mode desirable
int po1
switchport trunk encapsulation dot1q
switchport mode trunk
Layer 2 Eth Channel LACP
int range f0/1-4
channel-group 2 mode active
switchport trunk encap dot1q
switchport mode trunk
Layer 3 routing (static eth channel)
ip routing
int range g0/1-2
no switchport
channel-group 1 mode on
int po1
ip add 23.0.0.1 255.255.255.0
inter vlan routing (svi)
sh vlan brief
ip routing
int vlan 10
ip address 10.0.1.1 255.255.255.0
no shut
int vlan 20
ip add 10.0.2.1 255.255.255.0
no shut
inter vlan Roas
sh ip int brief
sh vlan brief
switch:
int g0/1
switchport mode trunk
R:
int g0/0
no shut
int g0/0.30
encap dot1q 30
ip add 10.0.3.1 255.255.255.0
int g0/0.40
encap dot1q 40
ip add 10.0.4.1 255.255.255.0
OSPF
sh ip ospf neighbor
sh ip prot
sh ip route
int l0
ip add 1.1.1.1 255.255.255.255
router ospf 1
network 12.0.0.0 0.0.0.255 area 0
network 1.1.1.1 0.0.0.0 area 0
passive-interface l0
auto-cost reference-bandwidth 100000
modify cost on int (ip ospf cost 10000)
OSPF Multi Area
int l0
ip add 1.1.1.1 255.255.255.255
router ospf 1
network 10.12.0.0 0.0.0.255 area 1
passive-interface l0
auto-cost reference-bandwidth 100000
border router
router ospf 1
net 10.12.0.0 0.0.0.255 area 1
net 10.23.0.0 0.0.0.255 area 0
area 0 range 10.0.0.0 255.0.0.0 (summary route sent to area)
passive-interface l0
auto-cost reference-bandwidth 10000
OSPFv3
sh ipv6 ospf neighb
sh ipv6 route
int l0
ip add 1.1.1.1 255.255.255.255
ipv6 router ospf 1
int g0/0
ipv6 ospf 1 area 1
default route
ipv6 route ::/0 2001:db8:01:01::2
ipv6 router ospf 1
default-information originate
EIGRP
sh ip eigrp neigh
sh ip prot
sh ip int brief
int l0
ip add 1.1.1.1 255.255.255.255
router eigrp 100
network 10.12.0.0 0.0.255.255
network 1.1.1.1 0.0.0.0
passive-interface l0
no auto-summary
int f1/0
ip summary-address eigrp 100 10.0.0.0 255.0.0.0
EIGRP IPV6
int l0
ip add 1.1.1.1 255.255.255.255
ipv6 router eigrp 100
no shut
passive-interface g0/2
int g0/0
ipv6 eigrp 100
HSRP
sh standby (higher prio wins)
(preempt is active after reboot)
terminal no monitor (stop spamming)
sh standby g0/1
int g0/1
standby 10 ip 10.10.10.1
standby 10 priority 110
standby 10 preempt
HSRP V2
int g0/1
standby 10 ip 10.10.10.1
standby version 2
PPP with PAP
L2 over wan
do sh ip int br
sh int s0/0
username Packet password Tracert
int s0/0
encap ppp
ppp authentication pap
ppp pap sent-username Cisco password CCNA
shut
no shut
PPP with CHAP
sh int s0/0 (check encap, hdlc and up / up down state)
username SPR2 password CCNA
int s0/0
shut
encap ppp
ppp auth chap
no shut
ip route 0.0.0.0 0.0.0.0 200.0.0.1 (to your wan)
PPPoE
username Packet password Tracer
int dialer 1
mtu 1492
encap ppp
ip add negotiated
ppp auth pap
ppp pap sent-username Cisco password CCNA
dialer pool 1
do sh run int dialer 1
int g0/0
pppoe-client dial-pool-number 1
no shut
sh ip int brief (dialer1 check)
PPPoE CHAP instead of pap
username SPR2 password CCNA
int dialer 1
mtu 1492
encap ppp
ip add negotiated
ppp authentication chap
dialer pool 1
int g0/0
pppoe-client dial-pool-number 1
sh ip int brief
sh int dialer 1
MultiLink PPP
sh ppp all
sh ppp multilink
username Packet password Tracer
interface multilink 1
ppp multilink group 1
ppp authentication pap
ppp pap sent-username cisco password CCNA
ip address 100.0.0.2 255.255.255.252
do sh run int multi 1
int s1/0
encap ppp
ppp multilink group 1
no shut
int s1/1
encap ppp
ppp multi group 1
no shut
Site to Site VPN
1) draw necessary topology
2) configure ip addresses to the routers interfaces and pcs
3) configure ospf and test communication
router ospf 11
router-id 2.1.2.1
network 192.168.10.0 0.0.0.255 area 0
network 20.20.20.0 0.0.0.3 area 0
4) configure ipsec vpn
4.1) enable security technology package
license boot module c2900 technology-package securityk9
sh version (check for security and package)
4.2) configure extended acl permitting the target on each router
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
4.3) configure the ike phase 1 isakmp policy on each router
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
exit
crypto isakmp key password4544646 address 30.30.30.2 (wan other side)
do wr
other side
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
exit
crypto isakmp key password4544646 address 20.20.20.2 (wan other side; key must match on both routers)
do wr
4.4) configure the ike phase 2 ipsec policy on each router
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description THIS VPN CONNECTS SITE B
set peer 30.30.30.2
set transform-set VPN-SET
match address 130
exit
Other side:
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description THIS VPN CONNECTS TO SITE A
set peer 20.20.20.2
set transform-set VPN-SET
match address 130
exit
4.5) configure the crypto map on the outgoing interface
int serial0/3/0
crypto map VPN-MAP
do wr
sh crypto ipsec sa
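A consistency check for the two ends of the tunnel configured in steps 4.2 to 4.4, as an added example that is not part of the original notes: it compares the pre-shared key, the peer addresses and the crypto ACLs of both routers. The two configs are constructed samples, the key EXAMPLE-PSK is a placeholder, the mirrored ACL on site B is an assumption, and the function names (facts, check_pair) are hypothetical.

```python
import re

# Constructed sample configs modelled on steps 4.2-4.4. WAN addresses and LAN
# prefixes are the page's; the key is a placeholder, site B's ACL is assumed.
SITE_A = """
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto isakmp key EXAMPLE-PSK address 30.30.30.2
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 30.30.30.2
 match address 130
"""
SITE_B = """
access-list 130 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto isakmp key EXAMPLE-PSK address 20.20.20.2
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 20.20.20.2
 match address 130
"""

def facts(cfg):
    """Pull the PSK, its peer, the crypto-map peer and the crypto ACL."""
    key, key_peer = re.search(
        r"crypto isakmp key (\S+) (?:address )?(\S+)", cfg).groups()
    map_peer = re.search(r"set peer (\S+)", cfg).group(1)
    acl_id = re.search(r"match address (\S+)", cfg).group(1)
    src, swc, dst, dwc = re.search(
        rf"access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    return {"key": key, "key_peer": key_peer, "map_peer": map_peer,
            "acl": ((src, swc), (dst, dwc))}

def check_pair(cfg_a, wan_a, cfg_b, wan_b):
    """Return the mismatches that would stop the tunnel from forming."""
    a, b = facts(cfg_a), facts(cfg_b)
    problems = []
    if a["key"] != b["key"]:
        problems.append("pre-shared keys differ")
    for name, f, remote in (("A", a, wan_b), ("B", b, wan_a)):
        if f["key_peer"] != remote or f["map_peer"] != remote:
            problems.append(f"site {name} peer does not point at the remote WAN address")
    # Each side's crypto ACL must be the other's with source and destination swapped.
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

An empty list from `check_pair(SITE_A, "20.20.20.2", SITE_B, "30.30.30.2")` means the two ends agree; `sh crypto ipsec sa` then confirms that packets are actually being encrypted.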
BGP
router bgp 65001
neighbor 10.10.10.2 remote-as 65001
network 192.168.0.0 mask 255.255.255.0
Advanced BGP
router bgp 65000
network 192.168.0.0 mask 255.255.255.0
redistribute ospf 1