Cisco Notes...
I'm going back and reviewing the CCNA 1-4 material (don't want no rust setting in). Keeping notes as a quick reference point for future reviews. Tried not to use shortcuts on commands as I've been advised the CCNA certification doesn't allow you to.
Example: configure terminal = good. config t = not.
In your real world, shortcut all you want.
Very Basic Router Config
ROUTER#configure terminal
ROUTER(config)#hostname Dude
Dude(config)#enable password cisco
Dude(config)#enable secret class
//when both are set, enable secret wins and is stored hashed; enable password stays in the config in clear text (type 7 at best), so on real gear set only enable secret
Dude(config)#line vty 0 4 //to allow telneting
Dude(config-line)#password cisco
Dude(config-line)#login
Dude(config-line)#exit
//telnet carries this password across the wire in clear text; on real gear use transport input ssh on the vty lines
NAT & PAT
For below examples:
ISP Router
network: 200.2.2.16/30
serial: 200.2.2.17/30 ; Loopback 0: 172.16.1.1/32
Dude Router
networks: 199.99.9.32/27 (public) ; 10.10.10.0/24 (private)
serial: 200.2.2.18/30 ; Fast Ethernet: on 10.10.10.0/24
Create a static route on the ISP for Dude's public block (199.99.9.32/27), pointing at Dude's serial address, using the ip route command
ISP(config)#ip route 199.99.9.32 255.255.255.224 200.2.2.18
Default route to forward any unknown destination traffic from the Dude router to ISP
Dude(config)#ip route 0.0.0.0 0.0.0.0 200.2.2.17
Define pool of public addresses using the ip nat pool command. Allows the use of addresses .40-.62
Dude(config)#ip nat pool public_access 199.99.9.40 199.99.9.62 netmask 255.255.255.224
Define the access list that matches the inside private addresses using the access-list command (note the wildcard mask, not a subnet mask)
Dude(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Define the NAT translation using ip nat inside source command
Dude(config)#ip nat inside source list 1 pool public_access
To define PAT translation instead, add overload (this replaces the line above; you configure one or the other)
Dude(config)#ip nat inside source list 1 pool public_access overload
Creating a static NAT address
Dude(config)#ip nat inside source static 10.10.10.10 199.99.9.33
Apply NAT to inside and outside
Dude(config)#interface fastethernet 0/0
Dude(config-if)#ip nat inside
Dude(config-if)#interface serial 0/0
Dude(config-if)#ip nat outside
Commands to verify
show ip route
show ip nat translations
show ip nat statistics
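As an added example that is not from the notes or from IOS, the Python below models what the commands above do to the source of a packet leaving Dude's serial interface: the wildcard-mask ACL match, the one-to-one pool (23 addresses, .40 to .62, after which packets are dropped), the overload/PAT behaviour of rewriting source ports behind one public address, and the static entry that always wins. The addresses are the ones used in the notes; the class name, the `(action, ip, port)` result shape and the PAT port fallback range are my assumptions and simplifications.

```python
"""Added example, not from the notes or IOS: a model of what the NAT/PAT
commands above do to the source of a packet leaving Dude's serial interface.
  - access-list 1 (10.10.10.0 wildcard 0.0.0.255) selects inside hosts,
  - the dynamic pool 199.99.9.40-.62 is one-to-one and holds only 23 hosts,
  - 'overload' (PAT) shares one public address by rewriting source ports,
  - a static entry always wins for its host.
Addresses are the ones in the notes; port handling is a simplification."""
import ipaddress


def acl_permits(addr, network, wildcard):
    """Cisco standard ACL match: a wildcard bit of 0 must match, 1 is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


class InsideSourceNat:
    """ip nat inside source list <acl> pool <pool> [overload], plus static entries."""

    def __init__(self, acl, pool_start, pool_end, statics=None, overload=False):
        self.acl_network, self.acl_wildcard = acl
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.statics = dict(statics or {})
        self.overload = overload
        self.dynamic = {}   # inside ip -> public ip                 (one-to-one NAT)
        self.pat = {}       # (inside ip, port) -> (public ip, port)  (PAT)

    def translate(self, inside_ip, inside_port):
        """Return (action, ip, port) as seen on the outside interface."""
        if not acl_permits(inside_ip, self.acl_network, self.acl_wildcard):
            return ("untranslated", inside_ip, inside_port)   # ACL miss: forwarded as-is
        if inside_ip in self.statics:
            return ("static", self.statics[inside_ip], inside_port)
        if self.overload:
            return self._pat(inside_ip, inside_port)
        if inside_ip not in self.dynamic:
            in_use = set(self.dynamic.values())
            free = [ip for ip in self.pool if ip not in in_use]
            if not free:
                return ("dropped", None, None)   # pool exhausted: IOS counts a miss and drops
            self.dynamic[inside_ip] = free[0]
        return ("dynamic", self.dynamic[inside_ip], inside_port)

    def _pat(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.pat:
            public_ip = self.pool[0]   # overload works through the first address until its ports run out
            used = {p for ip, p in self.pat.values() if ip == public_ip}
            # IOS keeps the original source port when it is free; the fallback
            # range here (1024 upward) is a simplification of the real allocator.
            port = inside_port if inside_port not in used else next(
                p for p in range(1024, 65536) if p not in used)
            self.pat[key] = (public_ip, port)
        return ("pat",) + self.pat[key]


if __name__ == "__main__":
    acl1 = ("10.10.10.0", "0.0.0.255")
    nat = InsideSourceNat(acl1, "199.99.9.40", "199.99.9.62",
                          statics={"10.10.10.10": "199.99.9.33"})
    for host in range(11, 36):                     # 25 hosts against a 23-address pool
        print(host, nat.translate(f"10.10.10.{host}", 80))
    pat = InsideSourceNat(acl1, "199.99.9.40", "199.99.9.62", overload=True)
    print(pat.translate("10.10.10.11", 5000), pat.translate("10.10.10.12", 5000))
```

Running it shows the point the overload keyword exists for: without it the 24th inside host gets no translation at all, with it every host shares 199.99.9.40 and only colliding source ports get rewritten.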
DHCP
Exclude addresses from your pool for routers, servers, switches and such. This excludes .1-.10
Dude(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
Create DHCP address pool
Dude(config)#ip dhcp pool dude_lan
Dude(dhcp-config)#network 192.168.1.0 255.255.255.0
Dude(dhcp-config)#default-router 192.168.1.1
Dude(dhcp-config)#dns-server 192.168.1.2
If the DHCP server is on another network (for example 192.168.2.1), use the ip helper-address command on the interface facing the clients. It is needed because routers do not forward broadcasts: the router turns the client's broadcast DHCP request into a unicast packet to the specified server. By default ip helper-address also relays a few other UDP services (TFTP, DNS, TIME, NetBIOS, TACACS); ip forward-protocol udp controls that list.
Dude(config)#interface fastethernet 0/0
Dude(config-if)#ip helper-address 192.168.2.1
VLANs
Setting up VLAN 1
SwitchDude(config)#interface vlan 1
SwitchDude(config-if)#ip address 192.168.1.2 255.255.255.0
SwitchDude(config-if)#no shutdown
Setting default gateway for switch and default management VLAN
SwitchDude(config)#ip default-gateway 192.168.1.1
Verify LAN settings
show interface VLAN 1
Create and name some VLANs
SwitchDude#vlan database //yes, NOT done from config mode on these older switches
SwitchDude(vlan)#vlan 20 name Accounting
SwitchDude(vlan)#vlan 30 name Marketing
//on current IOS the vlan database mode is gone; the same thing is done from global config:
//SwitchDude(config)#vlan 20
//SwitchDude(config-vlan)#name Accounting
Add ports to your VLANs
SwitchDude(config)#interface fastethernet 0/2
SwitchDude(config-if)#switchport mode access
SwitchDude(config-if)#switchport access vlan 20
SwitchDude(config-if)#interface fastethernet 0/8
SwitchDude(config-if)#switchport mode access
SwitchDude(config-if)#switchport access vlan 30
Commands to view VLANs
show vlan
show vlan id 20
show vlan id 30
Remove a host from a VLAN, or delete an entire VLAN, by putting the word no in front
//Remove host
SwitchDude(config)#interface fastethernet 0/2
SwitchDude(config-if)#no switchport mode access
SwitchDude(config-if)#no switchport access vlan 20 //puts the port back in VLAN 1
//Delete VLAN
SwitchDude#vlan database
SwitchDude(vlan)#no vlan 20 //ports still assigned to VLAN 20 go inactive rather than back to VLAN 1, so move them first
Trunking with 802.1Q
Switch_1 and Switch_2 connected on Fa0/1
//set the encapsulation before changing the mode: on switches that support both ISL and dot1q
//the mode trunk command is rejected while the encapsulation is still "auto".
//2950/2960-class switches only speak dot1q and don't have the encapsulation command at all.
Switch_1(config)#interface fastethernet 0/1
Switch_1(config-if)#switchport trunk encapsulation dot1q
Switch_1(config-if)#switchport mode trunk
Switch_2(config)#interface fastethernet 0/1
Switch_2(config-if)#switchport trunk encapsulation dot1q
Switch_2(config-if)#switchport mode trunk
Command to view
show interface fastethernet 0/1 switchport
Configuring VTP client and server
//by default Catalyst switches are configured as VTP servers
//but in case it's been turned off...
Switch_1#vlan database
Switch_1(vlan)#vtp server
//set the same vtp domain group1 on the server as well
//client
Switch_2#vlan database
Switch_2(vlan)#vtp client
Switch_2(vlan)#vtp domain group1 //group1 or any name of your choosing
//all switches must be in the same domain name
//caveat: a switch in server mode with a higher configuration revision number overwrites the VLAN
//database of the whole domain the moment it is plugged in. Set a vtp password and, unless you
//really need VTP, run the switches in vtp transparent mode.
Creating sub-interfaces on the router for inter-VLAN communication (router on a stick). Note: the router needs an interface that supports 802.1Q subinterfaces (Fast Ethernet or better).
//set up trunking on the switch port facing the router
SwitchDude(config)#interface fastethernet 0/1
SwitchDude(config-if)#switchport trunk encapsulation dot1q
SwitchDude(config-if)#switchport mode trunk
//one subinterface per VLAN on the router
Router(config)#interface fastethernet 0/0
Router(config-if)#no shutdown
Router(config-if)#interface fastethernet 0/0.1
Router(config-subif)#encapsulation dot1q 1 native //VLAN 1 is the trunk's native VLAN and arrives untagged, so it needs the native keyword
Router(config-subif)#ip address 192.168.1.1 255.255.255.0
Router(config-subif)#exit
Router(config)#interface fastethernet 0/0.2
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.2.1 255.255.255.0
Router(config-subif)#exit
Router(config)#interface fastethernet 0/0.3
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.3.1 255.255.255.0
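What the trunking commands and the encapsulation dot1q subinterfaces above are actually matching on is a 4-byte tag in the Ethernet frame. The Python below is an added example (not from the notes, Cisco or any library): it inserts and parses an 802.1Q tag and shows why the native VLAN is special, since frames on the native VLAN cross the trunk untagged and are assigned to the native VLAN by the receiving port. The frame bytes are constructed test data; the function names are mine.

```python
"""Added example (not from the notes): 802.1Q tagging as it appears on a trunk.
A tag (TPID 0x8100 + 16-bit TCI) is inserted after the 12-byte MAC header;
frames on the trunk's native VLAN (VLAN 1 by default on Cisco) are sent
untagged, which is why the VLAN 1 subinterface needs the 'native' keyword.
All frames below are constructed test data."""
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 1


def tag_frame(frame, vid, pcp=0, native_vlan=NATIVE_VLAN):
    """Return the frame as a trunk port would transmit it for VLAN `vid`.
    Native-VLAN frames leave untagged; everything else gets a tag."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if vid == native_vlan:
        return bytes(frame)
    tci = ((pcp & 0x7) << 13) | vid          # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return (vid or None, ethertype, payload). vid None means untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, ethertype, frame[14:]


def classify_on_trunk(frame, native_vlan=NATIVE_VLAN):
    """VLAN the receiving trunk port assigns the frame to: an untagged frame
    lands in the native VLAN, a tagged one in the VLAN named by its tag."""
    vid, _, _ = parse_frame(frame)
    return native_vlan if vid is None else vid


# constructed untagged IPv4 frame: broadcast dst, made-up src, ethertype 0x0800, dummy payload
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0011223344aa")
            + b"\x08\x00" + b"payload")

if __name__ == "__main__":
    for vid in (1, 10, 20):
        on_wire = tag_frame(UNTAGGED, vid)
        print(vid, on_wire[12:18].hex(), parse_frame(on_wire)[0], classify_on_trunk(on_wire))
```

The output for VID 1 shows no tag at all, which is the operational trap: a router subinterface configured with plain `encapsulation dot1q 1` waits for tagged VLAN 1 frames that the switch never sends.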
Switch Port Security
Commands to see and clear the MAC address table. Use ? for more options.
show mac-address-table
clear mac-address-table
//newer IOS spells these show mac address-table / clear mac address-table
Static MAC addresses. Remove it with a no in front.
SwitchDude(config)#mac-address-table static <mac address here> vlan 1 interface fastethernet 0/2
Making the switchport accept only one device using port security command
SwitchDude(config)#interface fastethernet 0/2
SwitchDude(config-if)#switchport mode access //port-security is rejected on a dynamic (default) port, so set access mode first
SwitchDude(config-if)#switchport port-security
SwitchDude(config-if)#switchport port-security mac-address sticky //learns the first MAC seen and writes it into the running config; copy run start or it is gone on reload
Using the maximum MAC count to only allow that MAC address to use the port
SwitchDude(config)#interface fastethernet 0/2
SwitchDude(config-if)#switchport port-security maximum 1 //1 is the default, so this only makes the intent explicit
Shutting down the port if a security violation is detected
SwitchDude(config)#interface fastethernet 0/2
SwitchDude(config-if)#switchport port-security violation shutdown
//note on the above. I'm following the cisco lab book on this one,
//and as you're probably aware, their lab book is completely fallible.
//it might be switchport port-security, not switchport-security
//I have a note a couple of pages later saying:
//"add switchport <space> in front of port-security"
//which makes sense. most entries seem to reinforce "switchport port-security"
//shutdown is also the default violation mode: the port goes err-disabled and stays down until you do shutdown / no shutdown on it (or errdisable recovery is configured)
Clearing the dynamic MAC address table does not release addresses from port security: sticky addresses live in the running config, not in the dynamic table. Use clear port-security sticky interface fastethernet 0/2 (or clear port-security dynamic / all) for that.
clear mac-address-table dynamic
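The settings in these notes (enable password next to enable secret and a shared telnet password on the vty lines in the Very Basic Router Config, access ports with and without port-security in this section) are exactly the things worth checking for before a box leaves the lab. The Python below is an added example, not from the notes or from Cisco: it splits an IOS running-config into blocks and flags those settings. Both config texts are constructed, the enable secret strings are placeholders rather than real hashes, and the function names and the assumption that the default vty transport allows telnet are mine.

```python
"""Added example (not from the notes): audit an IOS running-config for the
weak settings configured elsewhere on this page. Config text is constructed;
the enable secret / username hashes are placeholders, not real hashes."""

WEAK_CONFIG = """\
hostname Dude
enable password cisco
enable secret 5 $1$placeholder$notarealhash000000000
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/8
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
line vty 0 4
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname Dude
service password-encryption
enable secret 5 $1$placeholder$notarealhash000000000
username admin secret 5 $1$placeholder$notarealhash000000001
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport port-security
!
line vty 0 4
 login local
 transport input ssh
"""


def parse_blocks(config_text):
    """Split an IOS config into (header, [indented child lines]) pairs.
    Global one-liners become blocks with an empty child list."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    blocks = parse_blocks(config_text)
    globals_ = [h for h, children in blocks if not children]
    findings = []
    if any(h.startswith("enable password ") for h in globals_):
        findings.append("global: enable password is set; it is stored in clear text "
                        "(or reversible type 7), only enable secret is hashed")
    if "service password-encryption" not in globals_:
        findings.append("global: service password-encryption missing; line passwords "
                        "are stored in clear text")
    for header, children in blocks:
        if header.startswith("line vty"):
            if not any(c.startswith("transport input ssh") for c in children):
                findings.append(f"{header}: telnet not excluded (no 'transport input ssh'); "
                                "assumes the default transport input allows telnet")
            if any(c.startswith("password ") for c in children) and not any(
                    c == "login local" or c.startswith("login authentication") for c in children):
                findings.append(f"{header}: shared line password, no per-user accounts")
        if (header.startswith("interface ") and "switchport mode access" in children
                and "switchport port-security" not in children):
            findings.append(f"{header}: access port without switchport port-security")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["clean"])
```

Feed it `show running-config` output saved to a file and it reports the same things a reviewer would circle on paper; the trunk port is deliberately not flagged because port-security only applies to access ports.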
Cisco Router and Switch Password Recovery
My boss had given me a stack of Cisco routers and switches which had been removed from the network; the configs needed erasing and the usernames/passwords were not known. Here's my password recovery documentation for future reference.
* For Cisco Catalyst 2900/3500/3550 XL Switches *
Unplug the switch
Hold down the Mode button while reconnecting the power
Keep holding down the Mode button until the LED above port 1x goes out, then release the button
Enter the flash_init command
switch: flash_init
Enter the load_helper command
switch: load_helper
List the contents of flash (don't forget the colon after flash!)
switch: dir flash:
Rename the config.text file (the configuration file).
switch: rename flash:config.text flash:config.old
Now boot the switch
switch: boot
The switch will now boot up with its default (blank) configuration.
In my case, I deleted config.text because these switches had a buyer and obviously we would not want our configurations left on the switches. But I renamed the file here to complete the password recovery process (below).
To complete password recovery...
After the switch has rebooted, enter enable mode, rename the config.old back to .text
switch# rename flash:config.old flash:config.text
Copy the file into memory
switch# copy flash:config.text system:running-config
Since you're already in enable mode, there is no need to enter a password. You can now change the password.
Enter
switch#configure terminal
switch(config)#no enable secret //in case there was a secret password
switch(config)#enable password cisco //the "cisco" could be any password of your choice
//enable password is stored in clear text; on a switch you are keeping, use enable secret <password> instead
switch(config)#exit
Save configuration
switch#copy run start
* For Cisco 2600 Routers *
Password recovery is all about bit 6 of the configuration register (value 0x0040). If it's clear, the router loads the startup config from NVRAM when booting up; if it's set, it ignores NVRAM. So the trick is to change the configuration register to set bit 6. Most likely it's 0x2102 right now (show version prints the current value on its last line). This is also why console access means full control of the box: on platforms that support it, no service password-recovery blocks this procedure, at the price that a lost password can then only be dealt with by wiping the config.
Turn on the router and send a break (Ctrl+Break in most terminal programs) within the first 60 seconds of boot. This interrupts start-up and drops the router into rommon (ROM monitor mode).
Change the configuration register by entering
rommon 1>confreg 0x2142
Bit 6 is now set. Now reboot the router
rommon 2>reset
It will now reboot and ignore the config in NVRAM. Answer no to the initial configuration dialog, then
enter privileged mode
Router>enable
If you wanted to erase the config in NVRAM, you'd do it here: the running config is empty, so copying it into startup overwrites the old one (erase startup-config does the same job)
Router#copy run start
Else reinstate the config from NVRAM by copying the startup config into the running config
Router#copy start run
After this merge every interface is administratively shut down, so go into each one you need and issue no shutdown. Notice you're in privileged mode without having entered any password. You can now change the forgotten passwords with the enable password and enable secret commands (prefer enable secret, which is stored hashed).
Last, but not least, change back the configuration register
Router#configure terminal
Router(config)#config-register 0x2102
Router(config)#exit
Router#copy run start
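To make the register values in the recovery procedure above less of a magic number, here is an added example (not from the notes or Cisco) that decodes the fields the procedure depends on and computes the two values you type, first in rommon and then in config mode. The bit layout (bits 0-3 boot field, bit 6 ignore NVRAM, bit 8 break disabled) is the documented one; the function names and the text of the boot-field descriptions are mine, and bits not listed are left undecoded.

```python
"""Added example (not from the notes): decode and flip the configuration
register bits used in password recovery. Documented layout: bits 0-3 boot
field, bit 6 (0x0040) ignore NVRAM contents, bit 8 (0x0100) break disabled
after boot. Other bits are left undecoded."""

BOOT_FIELD = 0x000F
IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100


def decode(confreg):
    """Return the fields a password-recovery procedure cares about."""
    boot = confreg & BOOT_FIELD
    if boot == 0x0:
        boot_desc = "stay in ROM monitor"
    elif boot == 0x1:
        boot_desc = "boot first image in flash / boot helper (platform-dependent)"
    else:
        boot_desc = "boot per 'boot system' commands, default first flash image"
    return {
        "boot_field": boot,
        "boot": boot_desc,
        "ignore_nvram": bool(confreg & IGNORE_NVRAM),
        "break_disabled": bool(confreg & BREAK_DISABLED),
    }


def with_ignore_nvram(confreg, ignore):
    """Return confreg with bit 6 set (ignore NVRAM) or cleared (load NVRAM)."""
    return (confreg | IGNORE_NVRAM) if ignore else (confreg & ~IGNORE_NVRAM & 0xFFFF)


def recovery_steps(current):
    """Values for 'confreg' in rommon and for 'config-register' afterwards."""
    return {"rommon_confreg": with_ignore_nvram(current, True),
            "restore": with_ignore_nvram(current, False)}


if __name__ == "__main__":
    for value in (0x2102, 0x2142):
        print(hex(value), decode(value))
    print({k: hex(v) for k, v in recovery_steps(0x2102).items()})
```

The check worth keeping from this: if show version on a production router reports 0x2142, someone forgot the last step and the box will come up with an empty configuration on its next reload.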