CISCO Guide - metrafonic/Cisco-Cheatsheet GitHub Wiki


title: CISCO Guide
author: Mathias Hedberg - Ving 68

Welcome!

Welcome to the Cisco-Cheatsheet wiki!

Documents covering the basics can be found in the sidebar to the right. Commands are tested with the CISCO Catalyst 2960.

Getting Started

View the Basic Configuration w Auth

Disclaimer

This wiki is not guaranteed to be correct, use at your own risk.

1. Basic Configuration

Initial Commands

Commands to be run right after a fresh boot with no configuration.

Clear old config (this erases the startup-config in NVRAM; reload afterwards so the running-config is discarded as well):

# write erase

Change Hostname:

> enable
# configure terminal
(config)# hostname [newhostname]
(config)# exit

Set IP address & enable interface:

(config)# interface g0/0
(config-if)# ip address [ip-address] [subnet]
(config-if)# no shutdown

Check interfaces

# show ip interface brief

Disable DNS lookup:

(config)# no ip domain-lookup

Save config (copy is an exec-mode command, so leave configuration mode first; newer IOS also accepts it from config mode with a leading do):

# copy running-config startup-config

2. Authentication

Enable Secret:

The user will be prompted to enter this password when entering enable mode

(config)# enable secret [newsecret]

Set the login method for the vty (telnet/SSH) and console lines:

VTY:

> enable
# configure terminal

Allow 16 simultaneous sessions (lines 0 to 15):

(config)# line vty 0 15
(config-line)# login local

Alternatively, one shared line password (not recommended: it is not tied to a user, cannot be audited per person, and is stored reversibly in the config):

(config-line)# password [newpass]
(config-line)# login
(config-line)# exit

Console port:

> enable
# configure terminal
(config)# line con 0
(config-line)# login local
(config-line)# exit

Add the local user. Do this in the same session: login local refuses every login until at least one username exists, so a line with login local and no users locks you out:

(config)# username admin secret [newpasswd]
(config)# exit

Save Config:

# copy running-config startup-config
# show startup-config

3. Configure a static route

Remember that routing has to work in both directions. Even when your gateway router already reaches a remote router, the remote router still needs a route back to the client's subnet via your access router; otherwise the replies are dropped.

Recursive (next-hop address; the router resolves the next hop through its own table):

(config)# ip route [network] [subnet mask] [next-hop ip]

Directly connected (exit interface; suitable for point-to-point links, since on a broadcast interface the router would have to ARP for every destination):

(config)# ip route [network] [subnet mask] [exit interface]

Set a default route

(config)# ip route 0.0.0.0 0.0.0.0 [gateway router]

Check route

# show ip route
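The two-way requirement above is easy to get wrong and hard to see from one router's show ip route. The following Python script is an added example, not part of this wiki: it models a constructed two-router lab (router names, addresses and the use of the ipaddress module are assumptions), resolves a destination by longest-prefix match over connected networks and static routes, and then traces the path in both directions, so a missing return route shows up as None.

```python
import ipaddress

# Constructed two-router lab (assumption, not from the wiki):
# R1 is the access router with the client LAN, R2 the remote router with the server LAN.
# Each entry lists interface addresses and static routes as (prefix, next hop).
ROUTERS = {
    "R1": {"interfaces": ["192.168.1.1/24", "10.0.0.1/30"],
           "static": [("192.168.2.0/24", "10.0.0.2")]},
    "R2": {"interfaces": ["192.168.2.1/24", "10.0.0.2/30"],
           "static": []},                 # no route back to 192.168.1.0/24 yet
}


def connected(router):
    """Networks the router is directly attached to, derived from its interface addresses."""
    return [ipaddress.ip_interface(a).network for a in ROUTERS[router]["interfaces"]]


def owner_of(address):
    """Which router holds this interface address (used to follow a next hop)."""
    ip = ipaddress.ip_address(address)
    for name, r in ROUTERS.items():
        if any(ipaddress.ip_interface(a).ip == ip for a in r["interfaces"]):
            return name
    return None


def lookup(router, dst):
    """Longest-prefix match over connected networks and static routes.
    Returns 'connected', a next-hop address, or None when there is no route."""
    ip = ipaddress.ip_address(dst)
    candidates = [(n, "connected") for n in connected(router)]
    candidates += [(ipaddress.ip_network(p), nh) for p, nh in ROUTERS[router]["static"]]
    best = None
    for net, nh in candidates:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def trace(start, dst, max_hops=8):
    """Follow the tables hop by hop; the list of routers on the path, or None if it dead-ends."""
    if start is None:
        return None
    path, current = [start], start
    for _ in range(max_hops):
        nh = lookup(current, dst)
        if nh is None:
            return None
        if nh == "connected":
            return path
        current = owner_of(nh)
        if current is None:               # next hop is not a router we know about
            return None
        path.append(current)
    return None                           # hop limit hit: a routing loop


def gateway_of(host):
    """Router whose connected network contains the host."""
    ip = ipaddress.ip_address(host)
    for name in ROUTERS:
        if any(ip in n for n in connected(name)):
            return name
    return None


def round_trip(client, server):
    """Both directions must resolve; a one-way path means replies are dropped."""
    forward = trace(gateway_of(client), server)
    back = trace(gateway_of(server), client)
    return forward, back


if __name__ == "__main__":
    print(round_trip("192.168.1.10", "192.168.2.10"))          # forward ok, no return path
    ROUTERS["R2"]["static"].append(("0.0.0.0/0", "10.0.0.1"))  # default route back via R1
    print(round_trip("192.168.1.10", "192.168.2.10"))
```

Adding the default route on R2 is the fix the text describes: a single 0.0.0.0/0 towards the access router covers every internal subnet behind it, and the longest-prefix lookup still prefers the more specific connected routes.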

4. EIGRP and OSPF

EIGRP:

EIGRP Usage

Download EIGRP Example

In the example above, four routers are connected via switches and two end devices are added. Instead of writing static routes on every router, we run EIGRP. Router 10 advertises its directly connected networks to its neighbours, and the routers build a topology table from what they exchange. The networks to advertise must be listed manually; the rest is automatic.

Enable EIGRP

# configure terminal
(config)# router eigrp [autonomous-system-number]
(config-router)# router-id [ipv4-address]  //Not required

Enable for adjacent subnets

Replace the network ID with the subnets the router is directly connected to; there will often be more than one. The wildcard mask is the inverse of the subnet mask. If it is omitted, IOS uses the classful mask (/8, /16 or /24 depending on the first octet), which can enable EIGRP on more interfaces than intended:

(config-router)# network [network] [wildcard mask]

To find the wildcard, subtract the subnet mask from 255.255.255.255 octet by octet (255.255.255.0 gives 0.0.0.255).

Example:

In the example above, router 10 would have the following:

# configure terminal
(config)# router eigrp 10
(config-router)# network 192.168.1.0 0.0.0.255
(config-router)# network 192.168.2.0 0.0.0.255

As neighbours come up, a console message reports each new adjacency.
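Wildcard masks and the classful default are where most EIGRP mistakes happen. The Python below is an added example, not from this wiki (the interface addresses are constructed): it computes the wildcard from a subnet mask, generates the network statements for a router from its interface addresses, shows what a statement without a wildcard really covers, and lists which interfaces a given statement enables EIGRP on, which is the set to compare against your passive-interface list.

```python
import ipaddress


def wildcard(mask):
    """Wildcard (inverse) mask: 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def eigrp_network_statements(interface_addrs):
    """One 'network <net> <wildcard>' line per connected subnet, from the router's
    interface addresses written as address/prefixlen."""
    lines = []
    for a in interface_addrs:
        net = ipaddress.ip_interface(a).network
        lines.append(f"network {net.network_address} {net.hostmask}")
    return lines


def classful_network(address):
    """What 'network <address>' advertises when no wildcard is given: the classful network."""
    first = int(address.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{address}/{plen}", strict=False)


def interfaces_matched(network, wildcard_mask, interface_addrs):
    """Interfaces covered by 'network <network> <wildcard>'. EIGRP sends hellos and
    accepts neighbours on every one of them unless the interface is made passive."""
    net = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard_mask)) & 0xFFFFFFFF   # bits that must match
    return [a for a in interface_addrs
            if int(ipaddress.ip_interface(a).ip) & care == net & care]


if __name__ == "__main__":
    # Constructed router 10 from the example above, plus a WAN /30 (assumption).
    addrs = ["192.168.1.1/24", "192.168.2.1/24", "10.0.0.1/30"]
    for line in eigrp_network_statements(addrs):
        print(line)
    print(classful_network("10.0.0.0"))                          # 10.0.0.0/8
    # A classful statement silently covers every interface in that class:
    print(interfaces_matched("10.0.0.0", "0.255.255.255", addrs))
```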

Verify EIGRP Routing

View Neighbors

# show ip eigrp neighbors

View ip EIGRP routing table

# show ip route eigrp

View EIGRP topology table

# show ip eigrp topology

Verify EIGRP routing parameters

# show ip protocols

Modifying Bandwidth

The bandwidth value feeds the EIGRP metric calculation; it does not change the physical line rate. Changing it on one link and watching the routing table is a quick way to check that your setup reacts as expected.

(config)# interface [interface]
(config-if)# bandwidth [Kbit/sec]

Configure passive interfaces

Use this on client-facing interfaces. The router stops sending EIGRP hellos there and will not form an adjacency on that segment, so a host plugged into it cannot pose as an EIGRP neighbour and inject or hijack routes. The interface's subnet is still advertised.

(config)# router eigrp [used AS number]
(config-router)# passive-interface [interface]

Remove EIGRP

(config)# no router eigrp [autonomous-system-number]

OSPF:

Guide can be found here: https://www.petri.com/how-to-configure-ospf-in-cisco-ios

5. DHCP Configuration

Everything DHCP: server, debugging and ip helper (relay).

DHCP Server

Creating the pool

(config)# ip dhcp pool [nameofpool]
(dhcp-config)# network [network] [subnet mask]

Note that the server chooses the pool by the subnet the request came from: the address of the receiving interface for directly connected clients, or the relay's giaddr for relayed ones. If no pool's network contains that address, no lease is offered.

(dhcp-config)# default-router [default router]
(dhcp-config)# dns-server [default dns]
(dhcp-config)# domain-name [example.com]
(dhcp-config)# lease [days]
(dhcp-config)# exit

Excluding Addresses

Addresses in this range (typically the gateway and servers) are never handed out. It is a global command, not part of the pool:

(config)# ip dhcp excluded-address [start reserved ip] [end reserved ip]

Debugging

View DHCP address leases

# show ip dhcp binding

View DHCP pool statistics

# show ip dhcp server statistics

View DHCP pool settings

# show ip dhcp pool

IP relaying of DHCP (IPHELPER)

Challenge: I have not managed to figure out how this can be done to request an IP over multiple routers. As of right now I am only able to do this on a router that is connected to both subnets directly. In the topology above, we have one DHCP server in the middle, three relays and three clients, though only two of the relay servers work correctly.

Enable IPHELPER on router

The command goes on the interface facing the clients (where their broadcasts arrive), not on the interface facing the server:

# conf t
(config)# int [client-facing interface]
(config-if)# ip helper-address [dhcp server address]

Check IPHELPER configuration

# show ip int [interface]
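The following Python model is an added example, not from this wiki (pools, exclusions and addresses are constructed). It ties the two notes above together: the relay stamps giaddr with its client-facing address, any router in between simply forwards the resulting unicast, and the server selects the pool by that giaddr rather than by the interface it received the packet on. Under that model a relay several hops from the server works as long as the server can route back to the relay's address.

```python
import ipaddress

# Constructed server configuration mirroring the IOS commands above (assumption):
# two pools, the first ten addresses of each excluded for the gateway and servers.
POOLS = {
    "LAN1": {"network": "192.168.1.0/24", "default_router": "192.168.1.1"},
    "LAN2": {"network": "192.168.2.0/24", "default_router": "192.168.2.1"},
}
EXCLUDED = [("192.168.1.1", "192.168.1.10"), ("192.168.2.1", "192.168.2.10")]
LEASES = {}      # ip -> client id, the equivalent of 'show ip dhcp binding'


def is_excluded(ip):
    a = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi) for lo, hi in EXCLUDED)


def relay(discover, client_facing_ip, helper_address):
    """What 'ip helper-address' does on the interface that receives the broadcast:
    stamp giaddr with that interface's own address (only if it is still 0.0.0.0, so
    later hops leave it alone) and unicast the packet to the server."""
    fwd = dict(discover)
    if fwd["giaddr"] == "0.0.0.0":
        fwd["giaddr"] = client_facing_ip
    fwd["dst"] = helper_address
    return fwd


def select_pool(discover, receiving_if_ip):
    """The server picks the pool whose network contains giaddr; for a directly
    connected client (giaddr 0.0.0.0) it uses the receiving interface's address."""
    key = discover["giaddr"] if discover["giaddr"] != "0.0.0.0" else receiving_if_ip
    a = ipaddress.ip_address(key)
    for name, pool in POOLS.items():
        if a in ipaddress.ip_network(pool["network"]):
            return name
    return None


def allocate(discover, receiving_if_ip):
    """Offer the first free, non-excluded host address from the selected pool,
    or None (the DISCOVER is silently ignored) if no pool matches."""
    name = select_pool(discover, receiving_if_ip)
    if name is None:
        return None
    pool = POOLS[name]
    for host in ipaddress.ip_network(pool["network"]).hosts():
        ip = str(host)
        if is_excluded(ip) or ip in LEASES:
            continue
        LEASES[ip] = discover["client_id"]
        return {"pool": name, "ip": ip, "router": pool["default_router"],
                "giaddr": discover["giaddr"]}
    return None


if __name__ == "__main__":
    # Client on the server's own LAN: no relay involved.
    local = {"client_id": "pc-a", "giaddr": "0.0.0.0", "dst": "255.255.255.255"}
    print(allocate(local, "192.168.1.1"))
    # Client behind a relay: the relay's client-facing address selects LAN2 even
    # though the server receives the packet on its 10.0.0.1 WAN interface.
    remote = relay({"client_id": "pc-b", "giaddr": "0.0.0.0", "dst": "255.255.255.255"},
                   "192.168.2.1", "10.0.0.1")
    print(allocate(remote, "10.0.0.1"))
    # Relay interface in a subnet with no pool: nothing is offered.
    orphan = relay({"client_id": "pc-c", "giaddr": "0.0.0.0", "dst": "255.255.255.255"},
                   "172.16.5.1", "10.0.0.1")
    print(allocate(orphan, "10.0.0.1"))
```

The third case is the usual reason a relay "does not work": the relay's client-facing subnet has no matching pool on the server, so the server drops the request without any message. Check that the giaddr subnet appears in show ip dhcp pool before suspecting the relay path itself.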

6. IPv6 Configuration

Enabling IPv6

Initialize IPv6

# conf t
(config)# ipv6 unicast-routing

Configure an address on an interface

(config)# interface [interface]
(config-if)# ipv6 address [ipv6 prefix]/[prefix length] eui-64
(config-if)# ipv6 address [link-local] link-local //not required
(config-if)# no shutdown
(config-if)# exit

Note: the prefix is the network part of the address, so its host bits are zero (it usually ends in ::). The eui-64 keyword fills in the remaining 64 bits from the interface's MAC address, which also means the address reveals that MAC to anyone who sees it. Example:

(config-if)# ipv6 address 2001:DB8:ACAD:A::/64 eui-64
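To see what eui-64 actually puts into the address, and why it leaks hardware identity, this added Python example (not from the wiki; the MAC is constructed) derives the interface identifier from a MAC the way the router does and recovers the MAC from the resulting address.

```python
import ipaddress


def eui64_address(prefix, mac):
    """Address that 'ipv6 address <prefix>/64 eui-64' derives from the interface MAC:
    split the MAC in two, insert FF:FE in the middle, flip the universal/local bit
    (0x02) of the first octet, and append the result to the 64-bit prefix.
    Accepts Cisco dotted (001a.2b3c.4d5e), colon or dash notation."""
    hexdigits = "".join(c for c in mac if c.isalnum())
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    octets[0] ^= 0x02
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_eui64(address):
    """Reverse the derivation. Anyone who sees the address learns the MAC: the vendor,
    often the device model, and a stable identifier that follows the host across prefixes."""
    low = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = list(low.to_bytes(8, "big"))
    if b[3:5] != [0xFF, 0xFE]:
        return None                                  # not an EUI-64 interface ID
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    # Constructed MAC in Cisco dotted notation (assumption).
    addr = eui64_address("2001:DB8:ACAD:A::/64", "001a.2b3c.4d5e")
    print(addr)                        # 2001:db8:acad:a:21a:2bff:fe3c:4d5e
    print(mac_from_eui64(addr))        # 00:1a:2b:3c:4d:5e
```

If exposing the MAC is a concern, give the interface a manually chosen interface identifier instead of eui-64; the static form of the command above already supports that.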

IPv6 Routing:

Static Route

(config)# ipv6 route [ipv6 prefix]/[prefix length] [next hop ipv6 address]

Default IPv6 static route (a bare exit interface works on point-to-point links; on Ethernet give a next-hop address as above):

(config)# ipv6 route ::/0 [interface]

EIGRP Dynamic Routing

Enable ipv6 routing:

(config)# ipv6 unicast-routing

Start the EIGRP process:

(config)# ipv6 router eigrp [AS-number]

EIGRP for IPv6 needs a 32-bit router ID written like an IPv4 address; it is required when the router has no IPv4 address to take it from.

(config-rtr)# eigrp router-id [32 bit ip id] //e.g. 1.1.1.1

Enable the process (on some IOS versions it starts in the shutdown state):

(config-rtr)# no shutdown

Unlike EIGRP for IPv4 there are no network statements; participation is enabled per interface with the ipv6 eigrp [AS-number] interface command.

7. NAT Protocol Mapping

In progress

8. Password Recovery

In progress

9. Telnet and SSH Configuration:

For remote management of routers and switches. Telnet sends the login and every command in cleartext; use it only in an isolated lab and prefer SSH.

Adding telnet access

Configure an admin user with privilege level 15 and a hashed secret (never a literal like "cisco", which is the first guess any scanner makes):

(config)# username admin privilege 15 secret [strong secret]

Enable remote login on the vty lines; the second number is the last line, so 0 4 gives five simultaneous sessions:

(config)# line vty 0 [last line]
(config-line)# login local
(config-line)# end

Enable SSH

SSH needs a non-default hostname and a domain name, because the RSA key pair is named after them:

(config)# ip domain-name [domain.no]

Generate the key pair (when prompted for the modulus choose at least 2048 bits; the small defaults of older IOS are too short):

(config)# crypto key generate rsa

Set the clock if a time-sync error appears (exec mode):

# clock set 13:00:00 2 JUL 2015

Force SSH version 2 (version 1 has known weaknesses):

(config)# ip ssh version 2

Finally, restrict the vty lines so that only SSH is accepted (the transport input line-configuration command); otherwise telnet stays open alongside SSH.

Connect from client.
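A quick way to catch the weak settings this section warns against is to audit the running-config text. This added Python script is not from the wiki; the two configuration excerpts are constructed and the check list is the editor's. It flags enable password instead of enable secret, usernames with password instead of secret, a missing ip ssh version 2, vty lines without login local, and vty lines that still accept telnet.

```python
import re

# Constructed excerpts of 'show running-config' (not captured from a real device).
WEAK_CONFIG = """\
hostname R1
enable password cisco
username admin privilege 15 password 0 cisco
ip domain-name lab.example
line con 0
 login local
line vty 0 4
 password letmein
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$abcd$constructedhashvalue000000
username admin privilege 15 secret 5 $1$abcd$constructedhashvalue000000
ip domain-name lab.example
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def line_sections(config):
    """Group the indented body under each 'line ...' stanza: {'vty 0 4': [...]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit(config):
    """Return a list of findings for the remote-access settings covered on this page."""
    findings = []
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password: reversible; use 'enable secret'")
    for m in re.finditer(r"^username (\S+) .*\bpassword\b", config, re.M):
        findings.append(f"username {m.group(1)}: 'password' keyword; use 'secret'")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 missing: SSHv1 may be negotiated")
    for name, body in line_sections(config).items():
        if not name.startswith("vty"):
            continue
        if "login local" not in body:
            findings.append(f"line {name}: no 'login local' (shared line password or no login)")
        # No 'transport input' at all is treated as a finding too: on many IOS
        # images the default still allows telnet.
        transports = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not transports or any(t != ["ssh"] for t in transports):
            findings.append(f"line {name}: telnet accepted; set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("WEAK:", f)
    print("hardened findings:", audit(HARDENED_CONFIG))   # []
```

Run it against a saved copy of show running-config; the checks are deliberately strict, so a missing transport input line counts as a finding rather than relying on the platform default.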

10. Config Backup & Restore

TFTP has no authentication or encryption, and the running-config contains the enable secret and user hashes, so do this only over a trusted management network.

Backup to tftp

# copy running-config tftp:

Restore from tftp:

# copy tftp: running-config

Copy IOS

# show flash:     (note down the IOS filename)
# copy flash: tftp:

11. Pseudo-wire via L2TPv3

L2TPv3 –Layer 2 Tunneling Protocol Version 3 is an IETF standard related to L2TP that can be used as an alternative protocol to Multiprotocol Label Switching (MPLS) for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, L2TPv3 provides a ‘pseudo-wire’ service, but scaled to fit carrier requirements.

Pseudowire

Pseudo-wire – a pseudo-wire (or pseudowire) is an emulation of a point-to-point connection over a packet-switching network. The service being carried over the "wire" may be Asynchronous Transfer Mode (ATM), Frame Relay, Ethernet or Time-division multiplexing (TDM), while the packet network may be Multi-protocol label switching (MPLS), Internet Protocol (IPv4 or IPv6), or Layer 2 Tunneling Protocol Version 3 (L2TPv3).

Create the tunnel:

Many variations exist, this one is taken from: http://packetpushers.net/extending-layer-2-across-layer-3-with-l2tpv3-pseudo-wires/

Create a L2TPv3 class:

This must be done on both routers. The password only authenticates the tunnel control messages between the two endpoints; L2TPv3 itself does not encrypt the tunnelled frames, so anything sent this way across an untrusted network is readable on the wire:

l2tp-class networkstV3class
authentication
password L2TPv3

Create pseudo-wire

Apply the class to a pseudo-wire class, which defines the local source interface for the L2TPv3 tunnel. This needs to be done on both routers:

pseudowire-class NETWORKPW
encapsulation l2tpv3
protocol l2tpv3 networkstV3class
ip local interface [int or vlan]

Apply pseudo-wire and connect:

We activate the pseudowire on the LAN-facing interface to be tunnelled and set the IP of the router to connect to. The VC ID (1 here) must match on both ends, and the interface carries no IP address of its own:

interface [pseudowire int]
description LAN Facing
no ip address
duplex auto
speed auto
xconnect [other router ip address] 1 encapsulation l2tpv3 pw-class NETWORKPW

Verify connection:

Useful for debugging

sh l2tun tunnel all

12. Router on a stick:

Useful when we need more interfaces on a router than it has. A switch is connected to one router interface, and the switch port on that link is set to trunk mode, so it carries the traffic of all VLANs with an 802.1Q tag on each frame. The remaining switch interfaces are access ports, each assigned a VLAN ID. The router has a subinterface per VLAN ID, and the tag is its only way to tell the VLANs apart.

Router on a stick

Common practice:

It can be useful to assign VLAN x to subinterface f0/0.x on the router. For example, int f0/1.400 is connected to VLAN 400.

On the switch, int f1/x gives access to VLAN x00. For example, f1/4 connects to VLAN 400.

Switch configuration:

The switch will be set up with one trunk port and a couple of access ports. Note that more than one interface can be set as trunk for daisy-chaining.

Setup trunk and mgmnt

We begin by selecting an interface to be used as trunk:

(config)# int [trunk int]
(config-if)# switchport mode trunk

(Optional): Limit which VLANs the trunk carries and set the native VLAN, the one untagged frames are placed in. Use a dedicated, otherwise unused VLAN as native rather than the default VLAN 1, and set the same native VLAN on both ends of the trunk. Note, no spaces between the IDs:

(config-if)# switchport trunk allowed vlan [ID],[ID],...
(config-if)# switchport trunk native vlan [ID]

(Optional): Give the switch an IP address on a VLAN, useful for management (SSH rather than telnet), and a default gateway. On a layer 2 switch such as the 2960 the gateway is set with ip default-gateway, not with a static route:

(config)# int vlan [ID]
(config-if)# ip address [ip] [subnet]
(config-if)# exit
(config)# ip default-gateway [gw router ip]

Setup access ports

We can define a range of interfaces as seen below. The switchport host macro sets the port to access mode, enables spanning-tree portfast (the port goes straight to forwarding; STP itself stays on) and disables EtherChannel negotiation on it:

(config)# int range f1/[first] - [last]
(config-if-range)# switchport host
(config-if-range)# switchport access vlan [ID]

Repeat commands for other vlans

Shutdown remaining interfaces

Shut down the unused interfaces so that an accidental or unauthorised connection gets no link; it also keeps debugging simpler.

(config)# int range f1/[first] - [last]
(config-if-range)# shutdown

Dont forget to save the configuration.

Router configuration

On the router we must define subinterfaces so that we can route between the VLANs, and ultimately the ports on the switch. Be sure to follow the convention shown earlier in #common-practice.

Define subinterface

We must now define a subinterface for each VLAN, on the trunk interface. First prepare the trunk interface itself; it carries no address of its own:

(config)# int [trunk int]
(config-if)# no ip address
(config-if)# no shutdown

Setup subinterface and assign VLAN (for example int f0/0.100):

(config)# int [trunk interface].[VLAN-ID]
(config-subif)# encapsulation dot1Q [VLAN-ID]
(config-subif)# ip address [dhcp]|[ip and subnet]
(config-subif)# no shutdown
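Because the switch and router sides are configured separately, the allowed-VLAN list, the native VLAN and the set of subinterfaces drift apart easily. This added Python example (not from the wiki; the VLAN plan, addresses and interface names are constructed) generates both sides from one VLAN table following the convention above and cross-checks them for the three usual mismatches.

```python
import ipaddress

# Constructed VLAN plan following the page's convention (assumption, not from the wiki):
# VLAN x00 lives on switch port f1/x and router subinterface f0/0.x00.
VLANS = {100: "192.168.100.1/24", 200: "192.168.200.1/24", 400: "192.168.40.1/24"}
NATIVE_VLAN = 999          # a dedicated, otherwise unused VLAN instead of the default VLAN 1


def switch_config(vlans, native, trunk_if="f1/24"):
    """Trunk port plus one access port per VLAN, as in the switch section above."""
    allowed = ",".join(str(v) for v in sorted(set(vlans) | {native}))
    lines = [f"interface {trunk_if}", " switchport mode trunk",
             f" switchport trunk allowed vlan {allowed}",
             f" switchport trunk native vlan {native}"]
    for vid in sorted(vlans):
        if vid % 100:
            raise ValueError(f"VLAN {vid} does not fit the f1/<VLAN/100> convention")
        lines += [f"interface f1/{vid // 100}", " switchport host",
                  f" switchport access vlan {vid}"]
    return lines


def router_config(vlans, native, trunk_if="f0/0"):
    """Physical trunk interface without an address, one dot1Q subinterface per VLAN."""
    lines = [f"interface {trunk_if}", " no ip address", " no shutdown"]
    for vid, addr in sorted(vlans.items()):
        i = ipaddress.ip_interface(addr)
        tag = f" encapsulation dot1Q {vid}" + (" native" if vid == native else "")
        lines += [f"interface {trunk_if}.{vid}", tag,
                  f" ip address {i.ip} {i.netmask}", " no shutdown"]
    return lines


def check(switch_lines, router_lines):
    """Cross-check both ends of the trunk. A VLAN carried on the trunk without a
    subinterface has no gateway; a subinterface for a VLAN the trunk filters out is
    a black hole; and VLAN 1 as native means untagged frames land on the default VLAN."""
    allowed, native = set(), None
    for l in switch_lines:
        words = l.split()
        if words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            allowed = {int(v) for v in words[4].split(",")}
        elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
            native = int(words[4])
    subifs = {int(l.split()[2]) for l in router_lines
              if l.strip().startswith("encapsulation dot1Q")}
    issues = []
    for v in sorted(allowed - subifs - {native}):
        issues.append(f"VLAN {v} allowed on the trunk but has no router subinterface")
    for v in sorted(subifs - allowed):
        issues.append(f"VLAN {v} has a subinterface but is not allowed on the trunk")
    if native in (None, 1):
        issues.append("native VLAN left at the default (VLAN 1)")
    return issues


if __name__ == "__main__":
    sw, rt = switch_config(VLANS, NATIVE_VLAN), router_config(VLANS, NATIVE_VLAN)
    print("\n".join(sw + [""] + rt))
    print(check(sw, rt))                                           # []
    # Forgot VLAN 400 on the trunk and kept VLAN 1 as native:
    print(check(switch_config({100: VLANS[100], 200: VLANS[200]}, 1), rt))
```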

13. Mobile IP

Home agent:

Requires an external OSPF network that the home agent is part of. Will not work if the home agent and a mobile router are connected to the same subnet.

  1. Initializes mobility and a virtual loopback address
  2. Sets up OSPF
    • OSPF 1, area 0
    • Advertises the connected subnets and the mobile network containing the TKN routers. This means that all data to the mobile routers will go via the home agent.
  3. Sets up the default gateway
    • All IPs and subnets to 192.168.7.1
  4. Sets up mobility
    • Role as home agent
    • Defines the mobile subnet
    • Assigns routers to the mobile subnet
    • Sets up authentication for all routers, same SPI and key "100" (example values: MD5 with a trivial key only demonstrates the mechanism, use a long random key outside the lab)
interface Loopback0
 ip address 192.168.0.65 255.255.255.255
!
router mobile
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute mobile subnets
 network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.7.1
!
ip mobile home-agent
ip mobile virtual-network 192.168.0.0 255.255.255.128
ip mobile host 192.168.0.1 192.168.0.63 virtual-network 192.168.0.0 255.255.255.128
ip mobile mobile-networks 192.168.0.1 192.168.0.63
 register
ip mobile secure host 192.168.0.1 192.168.0.63 spi 100 key ascii 100 algorithm md5 mode prefix-suffix

Mobile router:

This is the most basic configuration. It is also possible to use multiple carriers like ICE.net, though this requires setting up tunnelling, and in cases with more than one carrier VLANs must be used.

interface Loopback0
 ip address 192.168.0.x 255.255.255.255
!
interface FastEthernet0/0
 ip address dhcp
 ip mobile router-service roam
 ip mobile router-service collocated registration retry 10
 ip mobile router-service collocated
 no routing dynamic
!
router mobile
!
ip mobile secure home-agent 192.168.0.65 spi 100 key ascii 100 algorithm md5 mode prefix-suffix
ip mobile router
 address 192.168.0.x 255.255.255.128
 home-agent 192.168.0.65
 mobile-network FastEthernet0/1
 register lifetime 100
 reverse-tunnel
!

END