Command Description

(config)# interface g1/0 Enter their interface config mode

(config-if)# description Link to Somehost Human readable link description

(config-if)# ip address 10.23.42.5 255.255.0.0 Add IPv4 address to interface.

(config-if)# mac address 1234.5678.90AB Overwrite MAC address.

(config-if)# no mac address Remove MAC overwrite.

(config-if)# ipv6 address 2001:41d0:8:e115::ccc/64 Add IPv6 address to interface.

(config-if)# ipv6 address 2001:41d0:8:e115::/64 eui- Add IPv6 address based on MAC to
64 interface.

(config-if)# ip address dhcp Get IPv4 address via dhcp.

Get IPv6 address [and default route] via

(config-if)# ipv6 address autoconfig [default]
autoconfig

Set hostname transmitted as dhcp client to

(config-if)# ip dhcp client client-id asccii SW2
SW2

(config)# interface g1/0 - 2 Configure both interfaces at once.

En- or Disable interface. Often shutdown is

(config-if)# [no] shutdown
the default.

(config)# ip default-gateway 10.23.42.1 Set 10.23.42.1 as the default gateway

(config)# ip route 10.20.30.0 255.255.255.0

Add static route via next hop or interface
{1.2.3.4,e0/0} [ad]
 Command Description

(config)# ipv6 route 2001:41d0:8:e115::/64 [g1/1] Next hop is required for Ethernet interface
[next hop] in IPv6

(config)# ip host the-space.agency 178.32.222.21 Create a static host entry on this device.

(config)# ipv6 unicast-routing Globally enable ipv6 routing.

Troubleshoot basic Networking

Command Description

# show interfaces [if-name] Show interfaces mac, bandwidth, mtu, packet stats...

# show ip[v6] route [static] Show routes and how they were learned.

# show ip[v6] interface [if-name] Show interfaces ip/arp/icmp/nd... configuration

# show ip[v6] interface brief [if-name] Only show ip, status and operational status

# show protocols [if-name] Much like show ip int brief, w/ cidr, w/o ok/method

# show mac address-table Show the mac address table of a switch.

# clear mac address-table [dynamic] Clear the dynamically learned mac address table entries.

# show arp Show {ip,ipx,appletalk}-mac bindings

# show ip arp [{ip, mac, if-name}] Show ip-mac bindings

# clear [ip] arp 192.168.1.1 Remove arp entry for ip

Show debug messages when receiving/sending arp

# debug arp
packets
 Command Description

# undebug all Disable all previously enabled debugs

# show ipv6 neighbors Show neighbor discovery table cache

# ping 1.2.3.4 [source g1/1]

# traceroute 1.2.3.4 [source g1/1]

# show control-plane host open-ports netstat -tulpn on this cisco device, basically

Troubleshoot networks with SPAN

Command Description

(config)# monitor session 23 source interface g1/1 {rx,tx,both} Define SPAN #23 input as g1/1

(config)# monitor session 23 destination interface g1/2 Define SPAN #23 output as g1/2

# show monitor Show all configured SPANs

Port Security

Command Description

(config-if)# switchport mode {access, trunk}

(config-if)# [no] switchport port-security En/Disable port-security

(config-if)# switchport port-security maximum 1 Number of allowed MACs.

(config-if)# switchport port-security mac-address

Manually allow a MAC on this port.
1234.5678.9abc
 Command Description

(config-if)# switchport port-security mac-address Allow learning of connected macs until

sticky mac reached.

(config-if)# switchport port-security violation Shutdown port when other device gets
shutdown connected.

(config-if)# shutdown (config-if)# no shutdown Reenable if after port-security violation.

Reenable if automatically after problem is

(config)# errdisable recovery cause psecure-violation
fixed.

Recheck every 42 seconds. (min 30, default

(config)# errdisable recovery interval 42
300)

Port-security violation terms

Term Definition

protect Drops packets, no alert

restrict Drops packets, increments security-violation count

shutdown Shuts down the port (default)

Troubleshooting Port Security

Command Description

# show port-security [interface g1/1] port status, violation mode, max/total MACs,...

# show port-security address Secure MACs on ports.

# show errdisable recovery Check if autorecovery is enabled. Disabled by default.

Configure vlans

Note: Even when a switch port is changed from access to trunk, its access vlan is maintained in the config.
When automatic trunk negotiation fails (e.g. because I unplug a link between to switches and put it into
my laptop) the configured access vlan becomes active once again and I might be able to reach network
parts I'm not supposed to. Always disable DTP / trunk auto negotiation.

Layer2 Switch Vlan Config

Command Description

[delete vlan or] create vlan and enter config-vlan

(config)# [no] vlan 23
mode

(config-vlan)# name TelephoneSanitizer Name this vlan TelephoneSanitizer

(config)# int g1/1

(config-if)# switchport mode access Make frames out this port untagged

(config-if)# switchport access vlan 23

(config)# int g1/2

(config-if)# switchport mode trunk Make frames out this port tagged by default

(config-if)# switchport trunk encapsulation

Sometimes the default is ciscos old isl.
dot1q

(config-if)# switchport trunk native vlan 256 Except for vlan 256, which is still untagged.

(config-if)# switchport nonegotiate Disable DTP

Layer3 Switch Vlan Config

 Command Description

(config)# interface vlan 23 enter interface config mode

(config-if)# ip address 1.2.3.4 255.255.255.0 set device ip in vlan 23

(config-if)# no shutdown virtual interfaces are disabled by default

(config-if)# int g

(config)# no vlan 23 delete vlan 23

Router (on a Stick) Vlan Config

Command Description

(config)# interface g1/1.10 Create subinterface g1/1.10 on g1/1

enable ieee 802.1Q vlan tagging with vlan 10 on the

(config-subif)# encapsulation dot1q 10
subinterface

(config-subif)# ip address 10.0.10.1

255.255.255.0

# show vlans Show vlans and their trunk interfaces

Troubleshoot Vlans on a switch

Command Description

# show vlan [{id 23, name TelephoneSanitizer}] [brief] Show vlan settings for all switch ports

# show interfaces g1/1 switchport Verify mode and vlan of g1/1

 Command Description

# show interfaces g1/1 trunk Show trunk settings and state

# show run interface vlan 1 Quick way to search the running config.

# show interface status Show trunk mode / access vlan

# show dtp interface g1/1 Show current DTP mode for g1/1

VTP

Command Description

(config)# vtp mode [server, client, transparent]

(config)# vtp domain

(config)# vtp password

(config)# vtp pruning

Troubleshoot VTP

Command Description

show vtp status show vtp domain, pruning, mode and more

show vtp password

STP

Spaning Tree Protocol (802.1D) blocks ports with redundant links to prevent layer 2 loops and broadcast
storms.
 Command Description

(config)# spanning-tree vlan 1 root {primary, Make this device the primary/secondary root
secondary} bridge.

(config)# spanning-tree portfast bpduguard Enable bpdu guard for all portfast enable
default interfaces

(config)# spanning-tree portfast default Enable portfast for all non-trunk interfaces

(config-if)# spanning-tree bpduguard enable Enable gpduguard on this interface

(config-if)# spanning-tree portfast Enable portfast on this interface

(config-if)# spanning-tree guard root Enable root guard on this interface

Troubleshoot STP

Command Description

# show spanning-tree [vlan 1] Who's the root and how do I get there?

# show spanning-tree summary Is global portfast/bpduguard configured?

# show running-config interface g1/1 Is portfast/bpduguard configured on this interface?

# show spanning-tree interface g1/1 portfast Is portfast active on this interface?

RSTP

Rapid Spanning Tree Protocol (802.1w) reduces convergence time after a topology change compares to
STP.
 Command Description

(config)# spanning-tree mode rapid-pvst Change spanning-tree mode to RSTP

Etherchannel (Link Aggregation)

How to set LACP? TODO: Look at modes again

Command Description

(config)# interface range g1/1 - 2 configure g1/1 and g1/2 at the same time

(config-if-range)# channel-group 1 mode {auto, Add both interfaces to etherchannel 1

desirable} (PAgP)

(config-if-range)# channel-group 1 mode {active, Add both interfaces to etherchannel 1

passive} (LACP)

Add both interfaces to etherchannel 1

(config-if-range)# channel-group 1 mode on
(Static)

Configure virtual interface for

(config)# interface port-channel 1
etherchannel 1

(config-if)# switchport mode trunk Put etherchannel 1 in trunk mode

Add tagged vlans 10,20,30 on

(config-if)# switchport trunk allowed vlan 10,20,30
ethercahnnel 1

Troubleshoot Etherchannel (Link Aggregation)

Command Description

# show interface port-channel 1 Has the combined bandwidth and members as extra info.

# show etherchannel summary Show etherchannel protocols and members as a list

 Command Description

# show etherchannel port-channel 1 Show per member state and stats

Configure a Serial

Layer 1 link speed is dictated by a CSU/DSU, in a lab without an external CSU/DSU a DTE (Data Terminal
Equipment) cable and DCE (Data Communications Equipment) cable are used.

Command Description

(config)# interface serial 1/0 Configure interface serial 1/0

(config-if)# clock rate 128000 Set clock rate on DCE router side to 128 kbps

(config)# show controllers serial 1/0 Verify clock rate for serial interface 1/0

ACLs

#1-#99, #1300-#1999: Standard IPv4 ACL

#100-#199, #2000-#2699: Extended IPv4 ACL

Default mask for standard ACLs: 0.0.0.0

Command Description

(config)# access-list 23 permit 1.2.3.4 Create ACL #23 or append a rule to ACL #23,
[0.0.255.255] allow 1.2.x.x

(config)# no access-list 23 Delete entire ACL #23

(config)# ip[v6] access-list resequence local_only Renumber ACL Rules, put first on #5,
5 10 increment by 10.

Create ACL and/or enter config mode for ACL

(config)# ip access-list {standard, extended} 23
#23
 Command Description

(config)# ip access-list {standard, extended} Create ACL and/or enter config mode for ACL
local_only 'local_only'

(config-std-nac1)# permit 10.20.30.0 0.0.0.255 Append rule to standard ACL 'local_only'

(config-std-nac1)# 5 permit 10.20.30.0 0.0.0.255 Append rule to ACL at sequence number 5.

(config-std-nac1)# no <sequence#> Remove rule with sequence# from ACL

(config-ext-nac1)# deny tcp any any

(config-ext-nac1)# permit udp host 10.20.30.40

any lt 1024

(config-ext-nac1)# permit udp host 10.20.30.40

any eq dns

(config-ext-nac1)# deny udp host 10.20.30.40

any

(config-ext-nac1)# permit ip any any

Interface ACLs

Command Description

(config)# inter g1/1 Enter if-config mode for g1/1

(config-if)# ip access-group 23 out Apply ACL #23 to outgoing packets, not send by the router

(config-if)# ip access-group 42 in Apply ACL #42 to incoming packets

(config-if)# ip access-group Overwrite the used ACL, only one ACL per if + proto +
local_only in direction!
 Command Description

(config-if)# ipv6 traffic-filter 23

The v6 syntax of course differs...
out

# show ip interface g1/1 | incl Show ACLs on g1/1 (When none set shows not set for v4 and
access list nothing for v6)

Troubleshooting ACLs

Command Description

# show [ip[v6]] access-lists Show all configured ACLs

# show access-list 10 Display all rules in ACL #10 and how often they matched.

NAT

Local addresses are any address as it appears inside the network. Global addresses are any address as it
appears outside the network.

Term Definition

inside local IP address assigned to a host inside the network, non-routable

inside global IP address assigned by Network Information Center or ISP, routable

outside local IP address of a remote host as it appears inside the network, non-routable

outside global IP address of a remote host assigned by the host owner, routable

Command Description

(config)# int g1/1 Enter if-config mode for g1/1

 Command Description

(config-if)# ip address 1.2.3.4

configure 1.2.3.4/28 on g1/1
255.255.255.240

Packets going out, need to change their src, incoming

(config-if)# ip nat outside
their dest ip.

(config)# int g1/2 Enter if-config mode for g1/2

(config-if)# ip address 10.10.23.1

configure 10.10.23.1/24 on g1/2
255.255.255.0

Packets going out, need to change their dest, incoming

(config-if)# ip nat inside
their src ip.

SNAT

Command Description

(config)# ip nat inside source static 10.10.23.2 SNAT - statically map an internal ip 1:1 to an
1.2.3.5 external ip.

DNAT

Command Description

(config)# access-list 42 permit 10.10.23.0 0.0.0.255 Create an ACL identifying 10.10.23/24

(config)# ip nat pool POOL 1.2.3.5 1.2.3.10 netmask

Create an IP Address Pool for NATing
255.255.255.240

DNAT IPs matching ACL #42 1:1 with IPs from

(config)# ip nat inside source list 42 pool POOL
nat pool 'POOL'.

Note the missing overload.

PAT

The overload keyword means, that one or a couple of external IPs are to be used for multiple internal IPs.
Higher level information like connection port numbers are used to identify the correct internal
destination for incoming packets. Cisco calls this PAT, while this is what your average joes home router
would call NAT.

Command Description

(config)# access-list 10 permit 10.10.0.0

Create an ACL identifying 10.10/16
0.0.255.255

(config)# ip nat inside source list 10 interface g1/1 PAT IPs matching ACL #10 many:1 with g1/1s
overload public IP

Troubleshooting NAT

Command Description

# show ip nat translations Show nat table entries if any

Show translations are actually used and interfaces are marked in/out
# show ip nat statistics
correctly.

# clear ip nat translation

Clear dynamic translations. Doesn't mess with SNAT!
{ip, *}

# debug ip nat [detailed]

Is the ACL correct? Is there a route to the address? Note: NAT Table entries are kept for 24h after the last
use by default.

DHCP Server

Command Description

(config)# ip dhcp excluded-address 10.30.4.1

Don't distribute these IPs in leases
10.30.4.100
 Command Description

(config)# ip dhcp pool PCs Creat and/or enter dhcp config for pool 'PCs'

(dhcp-config)# network 10.30.4.0 /24 define pool addresses

define default-gateway to be distributed in the

(dhcp-config)# default-router 10.2.1.1
leases

(dhcp-config)# dns-server 10.30.4.1

(dhcp-config)# domain-name acme.com

(dhcp-config)# lease lease validity time

Enter interface config mode on client facing

(config)# int g1/1
interface

(config-if)# ip helper-address 192.168.1.1 Relay DHCP Requests to this host

Troubleshooting DHCP

Command Description

# debug ip dhcp server packet

# show dhcp lease Show dhcp lease information

# show ip dhcp pool Show pool size and addresses in use

# show ip dhcp binding Show which mac got which ip

# sh run | section dhcp See if ip dhcp exclude-address / pool stuff is wrong.

# sh run int g1/1 See if ip helper-address is wrong.

HSRP

Command Description

(config-if)# standby [group-number] ip Join HSRP Group

(config-if)# standby [group-number]

(optional) Set prio of this router.
priority

(config-if)# standby [group-number] (optional) Preempt other routers when this router
preempt becomes active

(config-if)# standby {1,2} (optional) Set HSRP Version

Troubleshooting HSRP

Command Description

# show standby HSRP Groups, their VIPs, state, active router, standby router, preemption.

SLAs

Command Description

Create ip sla test #23 and enter its config

(config)# ip sla 23
mode.

(config-ip-sla)# icmp-echo 1.2.3.4 Define icmp-echo test.

(config-ip-sla)# frequency 42 frequency in seconds.

(config)# ip sla schedule 23 life {forever, seconds} start- Start test #23 now and until manually
time now stopped.

Troubleshooting SLAs
 Command Description

# show ip sla configuration Show all configured ip sla configs

# show ip sla statistics Show sla results

Device Management

Command Description

(config)# hostname R1 Set hostname to R1

(config)# enable password Set enable passwort.

(config)# enable secret Same, but with hashing.

(config)# service password-

Very weak encryption of passwords passwords.
encryption

Copy something from flash to tftp. Wizard asks for details.

# copy flash0: tftp:
Works both ways.

# write # copy running-config startup-config

# write erase # erase startup-config

# reload restart the device and load the startup-config

# copy running-config tftp: copy running-config to an tftp server. (interactive)

# copy running-config Merge source config into the running config.

# setup initial configuration dialog

 Command Description

ios, bootloader and hardware infos, uptime, configuration

# show version
register

# show {running,startup}-config

Firmware Management

Note: flash: is the main flash memory on all iOS devices

Command Description

(config)# boot system flash:filename.bin Boot filename.bin from flash memory.

(config)# boot system

Boot filename.bin from tftp.
tftp://10.20.30.40/filename.bin

(config)# boot system rom Boot ROM monitor as a backup.

Set the 16bit Configuration Register value used

(config)# config-register 0x2342
after reboot.

# show file systems Lists available file systems

# show flash0: List fs content and free space.

License Management

Command Description

# license save flash:licenses.lic Save a copy of all licenses.

# license install flash0:license.xml Install a license.

 Command Description

(config)# license boot module technology-package active a evaluation right-to-use license.

Reboot to activate the package and right to

# reload
use license.

(config)# license boot module technology-package

deactive a technology-package.
disable

# reload Reboot without that technology-package.

# license clear Remove license from the license storage.

(config)# no license boot module technology- Remove the no longer needed line from the
package disable config.

I don't even know why this is needed. Fu

# reload
cisco.

# show license active licenses

technology packe and feature licenses

# show license feature
supported.

product id and serial number needed to

# show license udi
order licenses

Reset Password

Command Description

> confreq Show the configuration register in rom monitor

 Command Description

Set the configuration register in rom monitor to not load startup-

> confreq 0x2142
conf

> reset Reboot in rom monitor

# copy startup running

(config)# enable secret foobar Overwrite forgotten password

(config)# config-register
Do load startup-config after boot again.
0x2102

# save

Telnet / Console

Command Description

(config)# banner login "Insert snarky

Make sure to include legal terms to sound smart.
banner."

(config)# banner motd "Insert snarky

Set Login Banner.
banner."

(config)# line vty 0 4 Enter config mode for vty 0 to 4 (up to 15 allowed).

(config)# line console 0 Enter config mode for the console port

(config-line)# login Require login on telnet/console connection.

(config-line)# password Enable Telnet and set vty login password.

(config-line)# access-class 10 in Set ACL to limit inbound IPs allowed to access vty
 Command Description

Overwrite the used ACL, only one ACL per vty +

(config-line)# access-class 42 in
direction!

(config-line)# exec-timeout 10 Autologout after 10 Minutes

Require login on telnet/console connection via local

(config-line)# login local
users.

(config)# username h.acker secret

Create local user with encrypted password.
C1sco123

SSH

Command Description

(config)# hostname Foobar Required to generate SSH keys.

(config)# ip domain-name example.com Required to generate SSH keys.

(config)# crypto key generate rsa modulus Generate keys like it's 1995! Potentially takes
2048 forever.

(config)# ip ssh version 2 Force SSHv2

(config-line)# transport input ssh Force ssh, disable telnet.

# show ip ssh SSH version, timeout time, auth retries..

# show ssh List of active connections

Clock
 Command Description

# show clock Show time and date

(config)# clock set 23:50:42 10 Jan 2017 Update clock

(config)# clock timezone EST 0 Update timezone to EST

(config)# ntp server 10.20.30.40 Configure upstream ntp server.

(config)# ntp master [stratum] Enable ntp server.

# show ntp associations ntp connections.

# show ntp status synchronized?, statum, ...

Disable unused services

Command Description

# show control-plane host open-ports Show open ports

(config)# no ip http server Stop the http server (but not https).

(config)# no cdp enable Stop CDP

# auto secure

Radius

Command Description

(config)# username password Local backup user.

 Command Description

(config)# aaa new-model Enable aaa services.

(config)# radius server Add and define Radius conf.

(config-radius-server)# address ipv4 [auth-port ] Use this hostname/ip of server.

(config-radius-server)# key Radius PSK

(config)# aaa group server radius Create authentication group.

(config-sg-radius)# server name Using the radius config.

(config)# aaa authentication login group local Allow that group and local users in.

TACACS+

Command Description

(config)# username password Local backup user.

(config)# aaa new-model Enable aaa services.

(config)# tacacs server Add and define TACACS conf.

(config-server-tacacs)# address ipv4

(config-server-tacacs)# [port ]

(config-server-tacacs)# key

(config)# aaa group server tacacs+ Multiple possible.

(config-sg-tacacs+)# server name

 Command Description

(config)# aaa authentication login group local Allow that group and local users in.

Syslog

Command Description

# logging 10.20.30.40 Log to this syslog server (name or ip)

# logging trap informational Only log messages with min. informational sev.

service sequence-number | Needed for seqence number in syslog messages service time stamps log
[datetime, log] | Needed for date and time in syslog messages

Command Description

# show logging syslog status, local logging buffer

SNMP

Command Description

(config)# snmp-server contact [email protected] Contact email

(config)# snmp-server location RZ-Hamburg Where is the device

(config)# snmp-server community [ro, rw] Add community

(config)# snmp-server host 10.20.30.40 SNMP notifications recipient

Command Description

# show snmp community

# show snmp location

 Command Description

# show snmp contact

# show snmp host

CDP - Cisco Discovery Protocol

Command Description

# [no] cdp run Enables cdp globaly and on all interfaces (default)

# (config-if)# [no] cdp enable Enable cdp on an interface

# show cdp neighbors [detail] List connected cisco devices (name, local/remote port, [ip] ..)

# show cdp entry *

LLDP - Link Layer Discovery Protocol

Command Description

# [no] lldp run Enables lldp globaly and on all interfaces

(config-if)# [no] lldp transmit Enable lldp packet transmission on interface

(config-if)# [no] lddp receive Enable lldp packet reception on interace

PPP

Command Description

(config)# username fnord password pass Create users for pap auth.
 Command Description

(config)# inteface S0/0/0

(config-if)# clock rate 125000 Baud rate. Only on DCE cable!

Logical speed used for routing cost calc,

(config-if)# bandwidth 125
RSVP...

(config-if)# encapsulation ppp Default is HDLC

(config-if)# ppp authentication pap Require remote to authenticate via pap

(config-if)# ppp pap sent-username fnord password

Authenticate to remote pap
pass

Required for CHAP, used as chap client

(config)# hostname routy1
username

(config)# username routy2 password foobar Create users for chap auth for routy2

(config)# inteface S0/0/0

(config-if)# no ppp authentication pap Remove in favor of chap

(config-if)# no ppp pap sent-username fnord

Remove in favor of chap
password pass

(config-if)# ppp authentication chap Require remote to authenticate via chap

Note: When routy1 connects to routy2 it looks in it's local user database for a user named routy2 and
uses that users password. This means the passwords have to be the same on both sides and the
usernames must be the other sides hostname.

Troubleshooting PPP
 Command Description

# show controllers S0/0/0 interface, connected type of cable, clock rate

# show interfaces encapsulation, logical bandwidth

# show ppp all session state, auth type, peer ip and name

# debug ppp authentication

MLP

Command Description

(config)# interface Multilink23 Create and configure virtual if

(config-if)# ip address 10.20.30.40 255.255.255.0

(config-if)# ppp multilink Enable mlp

(conifg-if)# ppp multilink group 23 Make phys ifs with mlp #23 join.

(config)# interface s0/0/0 Configure phys ifs

(config-if)# no ip address Remove ip addrs.

(config-if)# encapsulation ppp

(config-if)# ppp multilink

(config-if)# ppp multilink group 23 Join mlp group #23.

Troubleshooting MLP
 Command Description

show ppp multilink Physical IFs,

PPPoE

Command Description

(config)# interface Dialer23 Create and configure virtual dialer interface.

(config-if)# ip address negotiated Get IP via PPP/IPCP

(config-if)# encapsulation ppp

(config-if)# dialer pool 23 The dialer interface is a member of one dialer pool...

(config)# interface s0/0/0

(config-if)# no ip address

(config-if)# pppoe-client dial-pool-number ... the pool is a group of one or more physical
23 interfaces.

Troubleshooting PPPoE

Command Description

# show ip interface brief is the dialer if up? Does the dialer have an IP via IPCP?

# show pppoe session Are PPPoE sessions established? Which ports.

GRE

Note: We can run OSPF and other routing protocols through this gre tunnel, as gre supports multicast.
 Command Description

(config)# interface tunnel23

(config-if)# ip address 192.168.1.1 255.255.255.0 transit net

(config-if)# tunnel source 10.20.30.40 local, can be linklocal

(config-if)# tunnel destination 6.5.4.3 remote, can be linklocal

tunnel mode gre ip ip mtu

Troubleshooting GRE

Command Description

# show ip interface brief tunnel23 Line hould be up, given a route to the destination.

# show inteface tunnel23 Tunnel source, dest, protocol

# show ip route Should include the transit net as directly connected.

RIPv2

Command Description

(config)# router rip Enable RIP and enter it's config mode

(config-router)# version 2 Set RIPv2, which is Classless

(config-router)# network 192.168.0.0 Advertise connected networks which are within .

(config-router)# network 0.0.0.0 Advertise all connected networks.

(config-router)# timers basic

 Command Description

Don't summarize a smaller subnet route in a bigger

(config-router)# no auto-summary
one.

(config-router)# passive-interface g1/1 Don't send RIP updates out this interface

(config-router)# passive-interface default Don't send RIP updates on any if by default

(config-router)# no passive-interface g1/2 Overwrite passive-interface default

(config-router)# default information

Advertise the default route.
originate

(config-if)# no ip rip advertise 123

Troubleshooting RIPv2

Command Description

# show ip[v6] protocols Show rip timers, interfaces, networks,

# show ip rip database Routes learned by rip, used to combile the routing table

# show ip route Show learned routes

# clear ip route * Get rid of all routes

EIGRP

Note: The network command enables any interface with an ip in that net to send and receive EIGRP
updates. Also it enables routes to this nets to start beeing advertised.
Command Description

# show run &#124 section eigrp Show EIGRP settings.

# show interfaces g1/1 Show configured/default bandwith and delay.

(config-if)# bandwidth Overwrite bandwidth used for eigrp metric.

(config-if)# delay Overwrite deplay used for eigrp metric.

(config)# router eigrp 23 Add and conf EIGRP AS#23

(config-router)# network 10.20.30.0

Announce routes to 10.20.30.0/24
0.0.0.255

(config-router)# no shutdown On some iOS versions it's off by default.

(config-router)# [no] eigrp router-id Defaults to highest loopback ip

(config-router)# [no] passive-interface g1/2 Disable EIGRP here. Ignore incoming pkgs.

(config-router)# [no] passive-interface

Disable EIGRP on all ifs by default.
default

Default 4, must match, number of loadbalanced

(config-router)# maximum-paths
paths.

(config-router)# variance 4 Default 1, Max 4:1 variance for unequal lb.

Don't summarize a smaller subnet route in a big

(config-router)# no auto-summary
one.

# show ip[v6] eigrp neighbors Neighbor addr, if, hold time, uptime, queued pkgs

# show ip[v6] eigrp interfaces [if-name] If, Number of peers, pending routes, queued pkgs
 Command Description

# show ip[v6] route [eigrp] Routes starting with D were learned via EIGRP

# show ip[v6] eigrp topology [all-links] Topology table, as#, router-id

EIGRP with ipv6

Command Description

(config)# ipv6 unicast-routing Enable v6 routing on the router

(config)# ipv6 router eigrp 23 Configure eigrp as #23

(config-rtr)# no shutdown Enable this eigrp routing process.

(config-if)# [no] ipv6 eigrp 23 Enable eigrp with ipv6 for as #23 on this if.

OSPF

cost = reference bandwidth / interface bandwidth

The default reference bandwith is 100Mbps. Everything faster has a cost of 1.

Command Description

(config)# router ospf 1 1 is the pid, not the area.

Defaults to highest IPv4 on lo, then

(config-router)# router-id 1.2.3.4
other ifs.

enable interfaces for ospf with

(config-router)# network 10.20.30.0 0.0.0.255 area 0
matching IPs

(config-router)# (no) passive-interface g1/1 Stop in- and egress ospf hello packets.
 Command Description

(config-router)# passive-interface default Mark all ifs passive by default.

Advertise default routes into a normal

(config-router)# default-information originate (always)
area

(config-router)# auto-cost reference-bandwidth <refbw

Change reference bandwidth speed
in Mb/s>

(config-if)# ip ospf cost 23 Overwrite interface cost to 23

(config-if)# bandwidth <bw in kb/s> Change interface bandwidth

Router Types

Term Definition

Internal Router All OSPF interfaces in one area

Backbone Router Has one or more OSPF interfaces in the backbone

Has at least one interface in the backbone area and at least

Area Boundary Router (ABR)
one in another area

Autonomous System Boundary Injects routes into OSPF via redistribution from other
Router (ASBR) routing protocols

OSPF with ipv6 (OSPFv3)

Command Description

(config)# ipv6 unicast-routing

(config)# ipv6 router ospf

 Command Description

(config-router)# router-id Required if we don't have any v4 addrs configured.

(config-if)# ipv6 ospf area Required for OSPFv3.

The networks command does not exist, non mentioned commands are the same.

Troubleshooting OSPF

Command Description

# show run | sect ospf

# show ip(v6) protocols Other protocols with lower AD?

# show ipv6 ospf reference bandwidth, router id, networks, interface per area

# show ip(v6) ospf neighbor neighbor IDs, IPs and via interface.

# show ip(v6) ospf neighbor detail dr, bdr, timers, ...

# show interface brief admin down? link?

# show ip(v6) ospf interface brief ospf enabled interfaces

# show ip(v6) ospf interface g1/1 ospf related infos for g1/1, passive?

# show ip(v6) route (ospf) ospf routes are marked O, show route ad and cost

BGP

Note: In other routing protocols the network statement is used to determin the interfaces over which the
protocol should talk to its neighbors. In BGP it indicates only which routes should be advertised to the
BGP neighbors. The network needs to match an exact route in the routing table or it will still not be
announced.
 Command Description

(config)# router bgp Create routing process.

(config)# neighbor remote-as BGP does not auto discover neighbors.

(config)# network [mask ] Advertise this network.

Command Description

# show run | sect bgp

# show ip bgp summary neighbors IPs, ASs and session states, bgp version

# show ip bgp neighbors [peer-ip] tcp sessions and timers, bgp parameters

# show ip bgp routing infos received from all peers

CLI

Default Behavior

Here I'll collect crazy default behaviors and how to fix them, I guess..

Command Description

(config)# no ip domain-lookup Don't try to telnet unknown single word commands

Modes

Mode Prompt enter

User > N/A

Exec # > enable

 Mode Prompt enter

Config (config)# # configure terminal

Interface (config-if)# (config)# interface g1/0

Line (config-line)# (config)# line vty 0 4

DHCP (dhcp-config)# (config)# ip dhcp pool Foobar

Filters

Name Function

include hostname find a line including 'hostname'

section interface find a section including 'interface'

begin interface Show remaining config starting with the first line containing 'interface'

exclude ! exclude all line containing ! (comments)

Navigation

Sequence Function

Ctrl-Shfit-6 Kill many commands

Ctrl-Shift-6 x Move telnet session to background

Esc-B Ctrl-Left arrow

Esc-F Ctrl-Right arrow

 Sequence Function

Ctrl-R Redraw the current line

Ctrl-U Erase line

Ctrl-W Delete the word left of the cursor

Ctrl-C
Drop back to Exec, does not kill processes..

Ctrl-A Move Cursor to the beginning of the line

Ctrl-E Move Cursor to the end of the line

Tab Autocompletion

? Help, can be entered mostly everywhere

Packet Types

Ethernet Frame

Field Field Length Description

Preamble 8 bytes Alternating 1s and 0s used to synchronize

Destination MAC (DA) 6 bytes MAC of recipient

Source MAC (SA) 6 bytes MAC of sender

Optional vlan tag. Starts with 0x8100 to mark 802.1Q

802.1Q tag (optional) 4 bytes
mode in type location.

Type or Length 2 bytes Layer three type OR length if smaler then 1536 bytes.

46 - 1500
Data Payload
bytes
 Field Field Length Description

Frame check sequence

4 bytes 32 bit CRC Checksum
(FCS)

IPv4 Header

Field Field Length Description

Version 4 bits IP Version, always four

Internet Header Length (IHL) 4 bits Length of the header

Service Type 8 bits Desired QOS information (DSCP and ECN)

Total Length 2 bytes Packet length, including this header

Identification 2 bytes A unique ID

Flag 3 bits fragmentation behaviour

Fragment Offset 13 bits

TTL 1 byte TTL, decreased by every router by one.

Protocol 1 byte Layer four type

Header Checksum 2 bytes

Options (optional) 16 bytes

Padding max. 31 bits Pad to the nearest 32 bit boundary

TCP Segment
 Field
Field Description
Length

Source Port 2 bytes

Destination Port 2 bytes

Squence Number 4 bytes Unique Number for this Segment

Acknowledgement Next expected sequence number, acknowledge all prior

4 bytes
Number Segments.

Header size in multiples of 4 bytes, sometimes also

Header Lenght 4 bits
called Data Offset.

Reserved 3 bits N/A

Control Flags like SYN, ACK, FIN, RST and Flags for
Flags 9 bits
congestion control.

Window size 2 bytes bytes sender is currently willing to receive

Checksum 2 bytes Header Checksum

Points to the last 'urgent' byte in the Segment, used

Urgent Pointer 2 bytes
when URG flag is set.

0 - 320
Options The Size is determined by Header length. TODO:
bits

Data variable

UDP Segment
 Field Field Length Description

Source Port 2 bytes

Destination Port 2 bytes

Length 2 bytes Length of the whole Segment

Checksum (optional) 2 bytes Checksum of the whole Segment

Data variable

To Sort and Misc

Command Description

# telnet 1.2.3.4 23
Telnet to 1.2.3.4 using port 23

# disconnect Disconnect background telnet session

# ssh -l h.acker 1.2.3.4 SSH to 1.2.3.4 using h.acker user

(config-if)# duplex {full, auto} Set duplex mode or set it to autonegotiation.

(config-if)# speed {100, auto} Set speed or set it to autonegotiation.