Cisco Example Configs
Table of Contents
basic rtr
no service timestamps log datetime msec (without timestamps the log/debug output is hard to correlate with anything else)
no service timestamps debug datetime msec
no service password-encryption (leaves line, vty and 'password 0' user passwords in cleartext in the config; the type 7 encoding that 'service password-encryption' applies is trivially reversible, so use 'secret' for anything that matters)
!
hostname R2-Central (set hostname)
!
!
!
enable secret 5 $1$MPbO$c5sbahDFMUwu.v1DoHklW1 (pw to get into enable mode; type 5 is a salted MD5 hash, on IOS that supports it prefer 'enable algorithm-type scrypt secret' / type 9)
!
!
!
!
username blah password 0 blahpw (username and pw for login; 'password 0' is stored in cleartext - use 'username blah secret blahpw' instead)
username blah2 password 0 blah2pw (username and pw for login; same problem)
!
!
!
!
!
ip name-server 192.168.254.254 (dns svr)
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.255.254 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
description Da Description for fa0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.10.10.2 255.255.255.252
!
interface Serial0/0/1
no ip address
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.3
!
!
!
ip dhcp excluded-address 172.16.2.0 172.16.2.254
!
ip dhcp pool Central
network 172.16.0.0 255.255.0.0
default-router 172.16.255.254
dns-server 192.168.254.254
!
no cdp run
!
no ip domain-lookup (disable dns lookups)
!
banner motd ^C
*****************************************************************
This is the lab router blah1.
Authorized access only.
*****************************************************************
^C
!
!
!
!
line con 0 (console port; nothing under it, so the console needs no authentication at all - add 'login local' here too)
line vty 0 4 (virtual terminal - telnet/ssh...)
login local (username and pw - defined with the username command)
! (can also be 'login' = line password only, or 'no login' = no auth; there is no 'transport input ssh' under the vty lines, so cleartext telnet is still accepted)
!
!
end
basic switch
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DaSwitch
!
enable secret 5 abcdefghabcdefgh (placeholder, not a real hash; when both are set the secret is the one checked)
enable password abcdefgh (cleartext, since password-encryption is off, and pointless once an enable secret exists - remove it)
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
mls qos map cos-dscp 0 8 16 24 34 46 48 56
mls qos
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
description connection to rtr
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface FastEthernet0/2
description data
switchport access vlan 3
switchport mode access
mls qos trust cos
spanning-tree portfast
!
...
!
interface Vlan1
no ip address
shutdown
!
interface Vlan3
description Data
ip address 10.1.1.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.1
ip classless
ip http server (cleartext web management; use 'no ip http server' and, if the web UI is needed, 'ip http secure-server' only)
!
snmp-server community public RW (a well-known default string with read-write = full config read/write over SNMPv1/v2c from anyone who can reach UDP/161; change the string, make it RO, bind it to an ACL, or move to SNMPv3 with auth/priv)
snmp-server community private RO (also a well-known default string)
snmp-server location HERE
snmp-server contact J Smith
!
control-plane
!
!
line con 0
line vty 0 4
password abcdefgh (shared line password, cleartext here; prefer 'login local' with per-user secrets)
login
line vty 5 15
password abcdefgh
login
(no 'transport input ssh' on either range, so both accept telnet)
!
end
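The switch config above carries most of the classic IOS weak settings in one place (password encryption off, a cleartext enable password, default SNMP strings with RW, the cleartext web UI, telnet on the vty lines). The script below is an added example, not from these notes: it parses an IOS-style config into top-level commands and their indented children and flags those settings, then shows that the hardened version of the same device comes back clean. Both config texts are constructed for the example; the checks are the ones spelled out in the annotations above.

```python
"""Scan an IOS-style running-config for the weak settings shown in the example
above. Added example, not from the page; both sample config texts are constructed."""
import re
from typing import List, Tuple

# Constructed sample: the relevant lines of the 'basic switch' config above,
# with the children of each 'line' block indented the way IOS prints them.
WEAK_CONFIG = """\
hostname DaSwitch
no service password-encryption
enable secret 5 abcdefghabcdefgh
enable password abcdefgh
username blah password 0 blahpw
ip http server
snmp-server community public RW
snmp-server community private RO
line con 0
line vty 0 4
 password abcdefgh
 login
line vty 5 15
 password abcdefgh
 login
end
"""

# The same device after the fixes suggested in the annotations (constructed).
HARDENED_CONFIG = """\
hostname DaSwitch
service password-encryption
enable secret 5 abcdefghabcdefgh
username blah secret 5 abcdefghabcdefgh
no ip http server
ip http secure-server
snmp-server group NETMON v3 priv
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (top-level command, indented child lines) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t" and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for parent, children in parse_sections(config):
        if parent == "no service password-encryption":
            findings.append("password encryption off: line and enable passwords sit in cleartext")
        elif parent.startswith("enable password "):
            findings.append("enable password set: reversible, and ignored once enable secret exists")
        elif (m := re.match(r"username (\S+) password (0|7) ", parent)):
            findings.append(f"user {m.group(1)}: reversible password, use 'username ... secret'")
        elif (m := re.match(r"snmp-server community (\S+) (RO|RW)\b", parent, re.I)):
            comm, mode = m.group(1), m.group(2).upper()
            if comm.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"snmp community '{comm}': well-known default string")
            if mode == "RW":
                findings.append(f"snmp community '{comm}': read-write = full config access over v1/v2c")
        elif parent == "ip http server":
            findings.append("ip http server: cleartext web UI enabled")
        elif parent.startswith("line vty"):
            transports = [c.split() for c in children if c.startswith("transport input")]
            # No 'transport input' at all means the IOS default, which includes telnet.
            if not transports or any("telnet" in t or "all" in t for t in transports):
                findings.append(f"{parent}: telnet allowed (no 'transport input ssh')")
            if "login local" not in children and not any(
                c.startswith("login authentication") for c in children
            ):
                findings.append(f"{parent}: no per-user login (shared line password or no auth)")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against a real `show running-config` capture the same way; the parser only relies on IOS indenting sub-commands with a leading space, which it does for line, interface and router blocks.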
MLPPP WAN
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
interface Multilink1
ip address x.x.x.x y.y.y.y
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/0/0:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Serial0/1/1:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
Unicast RPF
(needs CEF - 'ip cef' - because the check is made against the FIB)
interface FastEthernet 0/0
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]
show cef interface FastEthernet 0/0 (confirms uRPF is enabled on the interface)
show ip verify statistics (per-interface drop counters)
- rx is strict: the packet's source address must be reachable via the interface it arrived on, so it only works where routing is symmetric (edge/customer-facing links)
- any is loose: the source only needs a route in the FIB via any interface, which catches unrouted/bogon space but not spoofing of routable addresses
- allow-default lets a default route satisfy the check; with loose mode that makes the check nearly useless, since everything is "reachable" via default
- allow-self-ping lets the router ping its own interface through uRPF; shouldn't be used, a DoS attack can occur
- list is an access-list consulted when the check fails: a permit forwards the packet anyway (useful for logging exceptions), a deny drops it
Serial
clock rate <rate> (sets the clock on the DCE side of the connection; only needed on back-to-back lab cables, a real provider circuit supplies the clock)
- DCE - Data Communication Equipment - the telecom provider's side (e.g. provides clock)
- DTE - Data Terminal Equipment - the customer side
L2 WAN
HDLC
interface s0/1
encapsulation hdlc
---
sh interface serial <serialInterfaceID>
Integrated CSU/DSU Interfaces
http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a0080093c56.shtml#tconfigcommands
interface serial 0
service-module t1 clock source {line | internal}
service-module t1 data-coding {normal | inverted}
service-module t1 timeslots {all | <range>} [speed 56 | 64]
timeslots can be given as lists and ranges, e.g. 1-4, 6, 7-10
service-module t1 framing {sf | esf}
service-module t1 lbo {none | -7.5db | -15db} (line buildout/signal strength)
service-module t1 linecode {b8zs | ami}
service-module t1 remote-alarm-enable (enable yellow alarms sent/received)
service-module t1 remote-loopback (go into loopback when the loopback command is received from the far end)
clear service-module [serial 0|1] (hardware reset)
debug service-module (print alarms)
show service-module [serial 0|1] [performance-statistics]
performance-statistics are 15-minute interval stats
test service-module [serial 0|1] (CSU/DSU self test)
interface serial 0
loopback dte
loopback line
[no] loopback remote [2047 | 511 | stress-pattern {1-4}] (56k)
[no] loopback remote {full | payload | smart-jack} [qrw | 1in8 | 3in24 | 1in2 | 1in5 | 1in1 | 0in1 | user-pattern value] (t1)
P2P T1
controller T1 0/0
framing esf (sf | esf; must match the provider)
linecode b8zs (ami | b8zs; must match the provider)
channel-group 0 timeslots 1-24 speed 64 (speed 64 | 56)
clock source {line | internal} (line = take the clock from the provider)
no shutdown
interface Serial0/0:0 (the :0 is the channel-group number)
ip address 192.168.1.2 255.255.255.0
encapsulation hdlc (hdlc | ppp | frame-relay)
no shutdown
Routing Commands
router ospf 1
log-adjacency-changes
redistribute static (statics enter OSPF as external routes; add 'subnets' or non-classful ones are skipped)
redistribute connected
network 10.0.0.0 0.255.255.255 area 0
!
router rip
version 2
network 192.168.1.0
neighbor XXX.XXX.XXX.XXX (if you have an NBMA connection - RIP unicasts its updates to the neighbor instead of relying on multicast)
passive-interface Fa0/0 (if you want to listen but not advertise - stops RIP updates leaving a user-facing interface)
!
ip classless
ip route 192.168.0.0 255.255.255.0 192.168.10.2 (static)
ACLs
implicit deny at the end of every ACL: a packet that matches no line is dropped
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip access-group 10 in
!
interface FastEthernet0/1
ip address 192.168.11.1 255.255.255.0
ip access-group 110 out
!
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 110 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www
(as written both lists contain only deny lines, so with the implicit deny they drop everything; add a permit line for the traffic that should pass)
standard
Matches on source address only, so place it as close to the destination as possible.
The wildcard mask is the inverse of a subnet mask: 0 bits must match, 1 bits are don't-care (0.0.0.255 = the /24, 0.0.0.0 = one host).
access-list <1-99> permit|deny <srcipaddr> <wildcardmask>
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark <text>
named standard ACL, applied outbound on fa0/0:
ip access-list standard NO_ACCESS
deny host 192.168.11.10
permit 192.168.11.0 0.0.0.255
interface fa0/0
ip access-group NO_ACCESS out
extended
Matches on source and destination (plus protocol and port), so place it as close to the source as possible.
access-list <100-199> permit|deny ip|tcp|udp|icmp <srcipaddr> <wildcardmask> <destipaddr> <wildcardmask> [eq|gt|lt|neq|range <port#>] [established]
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
established applies only to TCP. It matches segments with the ACK or RST bit set, i.e. the return traffic of sessions opened from the permitted side. It is not stateful: a crafted packet from outside with ACK set passes too, so it stops new connections, not scans or spoofed responses.
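To see the standard/extended rules, wildcard masks, first-match ordering, the implicit deny and the limits of 'established' in action, the following added example (not from these notes) parses a small list of numbered ACL lines and evaluates packets against them. ACL_LINES is constructed: it reuses the two entries above and adds a permit line and an 'established' line so that the fall-through behaviour is visible. Only 'eq' port matching is modelled; 'gt', 'lt', 'range' and logging are left out.

```python
"""Evaluate IOS numbered ACLs (standard and extended) against sample packets.
Added example, not from the page; ACL_LINES is a constructed list reusing the
entries shown above plus a permit line and an 'established' line."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY = ("0.0.0.0", "255.255.255.255")          # 'any' = all bits don't-care
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "domain": 53, "ftp": 21}

ACL_LINES = [
    "access-list 10 remark block the 192.168.1.0/24 subnet, allow the rest",
    "access-list 10 deny 192.168.1.0 0.0.0.255",
    "access-list 10 permit any",
    "access-list 110 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www",
    "access-list 110 permit tcp any any established",
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any",
]


@dataclass
class Entry:
    action: str                   # permit | deny
    proto: str                    # ip (standard ACLs) | tcp | udp | icmp
    src: Tuple[str, str]          # (address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int] = None   # only 'eq' is modelled here
    established: bool = False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks invert a netmask: 0 = bit must match, 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host X' or 'X WILDCARD' at tokens[i]; a bare address means one host."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


def parse_acl(lines: Sequence[str], number: int) -> List[Entry]:
    """Collect the entries of one numbered ACL in order (order matters: first match wins)."""
    entries: List[Entry] = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number) or t[2] == "remark":
            continue
        if 1 <= number <= 99:                    # standard ACL: source only
            src, _ = _addr(t, 3)
            entries.append(Entry(t[2], "ip", src, ANY))
            continue
        src, i = _addr(t, 4)                     # extended: proto src dst [eq port] [established]
        dst, i = _addr(t, i)
        e = Entry(t[2], t[3], src, dst)
        while i < len(t):
            if t[i] == "eq":
                e.dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
                i += 2
            elif t[i] == "established":
                e.established = True
                i += 1
            else:
                i += 1
        entries.append(e)
    return entries


def evaluate(entries: Sequence[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None, flags: Sequence[str] = ()) -> str:
    """Walk the list top-down; no match means the implicit 'deny any' at the end."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.established and not ({"ACK", "RST"} & set(flags)):
            continue
        return e.action
    return "deny"


if __name__ == "__main__":
    acl110 = parse_acl(ACL_LINES, 110)
    # A bare ACK from outside slips past 'established'; a SYN does not.
    print(evaluate(acl110, "tcp", "10.9.9.9", "192.168.1.1", 22, flags=("ACK",)))
    print(evaluate(acl110, "tcp", "10.9.9.9", "192.168.1.1", 22, flags=("SYN",)))
```

The non-contiguous wildcard case (e.g. 0.0.254.255 matching only even third octets) works the same way as a contiguous one, which is why the bitwise form is used rather than converting to a prefix length.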
dynamic (lock-and-key)
Users that want to traverse the router are blocked until they telnet to the router and authenticate; the autocommand then opens a temporary entry for their source host
username <username> password 0 <pw> (cleartext here; use 'secret')
access-list 101 permit tcp any host 10.2.2.2 eq telnet (lets users reach the router's vty to authenticate)
access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 (absolute timeout in minutes; the entry is created when the user authenticates)
interface serial 0/0/1
ip access-group 101 in
line vty 0 4
login local
autocommand access-enable host timeout <minutes> (idle timeout; 'host' limits the opened entry to the authenticating source address instead of the whole dynamic source range)
reflexive
Allows outbound traffic and limits inbound traffic to responses to sessions that originated inside the router. A temporary inbound entry is created from the outbound session's addresses and ports and removed when the session ends or times out, so unlike 'established' it does not pass an arbitrary packet with ACK set.
ip access-list extended OUTBOUNDFILTERS
permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC
ip access-list extended INBOUNDFILTERS
evaluate TCPTRAFFIC
interface s0/1/0
ip access-group OUTBOUNDFILTERS out
ip access-group INBOUNDFILTERS in
(INBOUNDFILTERS still ends with the implicit deny, so anything else that must come in - routing, VPN, ICMP unreachables - needs its own permit line)
time based
Allows for access control based on time of day.
time-range EVERYOTHERDAY
periodic Monday Wednesday Friday 8:00 to 17:00
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
(outside the time range the line is inactive: the packet does not match it and falls through to the next line, or to the implicit deny - so here telnet is dropped outside Mon/Wed/Fri 08:00-17:00. The router's clock has to be right for this to mean anything, so set NTP)
interface s0/0/0
ip access-group 101 out
Cisco Switchport Security
switchport mode access (port security needs a static access or trunk port, not a dynamic one)
switchport port-security (turns it on; default maximum 1 MAC, default violation mode shutdown)
switchport port-security maximum <n>
switchport port-security mac-address <mac> | sticky (static MAC, or learn the first ones seen and keep them in the config)
switchport port-security violation protect (drop frames from unknown MACs silently - no log, no counter, so you never find out)
switchport port-security violation restrict (drop and log - syslog/SNMP trap, violation counter increments)
switchport port-security violation shutdown (port goes err-disabled and logs; recover with shutdown / no shutdown, or 'errdisable recovery cause psecure-violation')
Setting up vty with ssh or telnet
hostname <name> (a hostname and a domain name are needed before the key can be generated)
ip domain-name <domainname.com>
crypto key generate rsa modulus 2048 (smaller moduli are weak; 2048 is the floor)
ip ssh version 2 (v1 has known weaknesses; force v2)
line vty 0 15
login local (ssh needs per-user auth - login local or AAA)
transport input ssh (allow only ssh; 'transport input telnet' or 'transport input all' lets cleartext telnet in)
Domain/DNS lookup commands
ip domain-lookup (enables DNS resolution; 'no ip domain-lookup' also stops the router trying to resolve mistyped commands as hostnames)
ip name-server <ipaddr>
ip domain list <domainname.com> (list of domains to append)
ip domain name mydomain.com (default domain - domain list overrides)
ip ospf name-lookup (looks up DNS names for use in OSPF show EXEC commands)
Command line history commands
terminal history [size number-of-lines] (enable and set number of lines)
history [size number-of-lines] (enable command history function)
show history (show list of commands)
<up arrow>/<down arrow>
GRE tunnels
interface tunnel1
ip address 192.168.35.6 255.255.255.252
tunnel source 172.25.1.5
tunnel destination 172.26.1.6
(GRE adds no encryption or authentication - anything sensitive goes through IPsec ('tunnel protection') or not over bare GRE. The route to the far end's tunnel destination must not itself point into the tunnel, or the tunnel flaps with recursive routing)
IP DHCP
ip dhcp pool <name>
network 172.22.1.0 255.255.255.0
default-router 172.22.1.1
domain-name <domainname>
dns-server <dns server> <dns server2>
lease <days> <hours> <minutes>
ip dhcp excluded-address <beginning ip addr> <end ip addr> (global, not per pool; keep the gateway and servers out of the pool)
the pool is chosen by matching its network against the IP address of the interface the request arrived on (or the relay's giaddr when it came through a helper)
ip helper-address <ipaddress> (interface-level command: relays the client's broadcast DHCP request to the server as unicast)
NAT
many-to-many (with overload = PAT)
- access-list 10 permit 192.168.0.0 0.0.0.255 (1st many: the inside hosts that may be translated)
- ip nat pool <poolname> <startipRange> <endipRange> netmask <netmask> (2nd many: the public addresses)
ip nat pool pool10 200.0.0.20 200.0.0.30 netmask 255.255.255.0
- ip nat inside source list 10 pool <poolname> overload (overload = PAT: many inside hosts share each pool address and are told apart by the translated source port, so a pool address is not used up by a single host)
- int fa0/0
ip nat inside
- int fa0/1
ip nat outside (the second interface has to be the outside one, not inside again, or nothing is translated)
IPv6
ipv6 unicast-routing (enables ipv6 routing)
interface <interface>
ipv6 address autoconfig (SLAAC: builds a global address from the prefix in router advertisements; the link-local FE80::/10 address - the 169.254-like one - is created as soon as ipv6 is enabled on the interface)
ipv6 address FEC0:E14:9::A000:1/100 (static address; FEC0::/10 site-local is deprecated, use a global prefix or a ULA from FC00::/7)
ipv6 rip RIP_PROC enable
ipv6 ospf <procid> area <areaid>
sh ipv6 route
6to4 tunnelling (encapsulates ipv6 in ipv4, IP protocol 41)
EUI-64
Config 64-bit network
ipv6 address FEC0:DB8:2222:2272::/64 eui-64
Host addr = 48-bit MAC addr with 0xFFFE inserted in the middle, after the first 24 bits (the OUI)
0090:27FF:FE17:FC0F
Remember to invert the universal/local bit (7th bit from the left of the 1st octet, i.e. XOR the first byte with 0x02)
0290:27FF:FE17:FC0F
(the MAC is recoverable from any EUI-64 address, so a host can be tracked across prefixes; that is why hosts prefer randomized or temporary interface IDs)
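The EUI-64 steps above (split the MAC, insert FF:FE, flip the U/L bit, prepend the /64) and the tracking caveat are carried through in this added example, which is not part of the notes. It builds the interface ID and full address for the MAC and prefix used above, and also does the reverse, recovering the MAC from an address, which is the reason EUI-64 IDs are a privacy problem. Names and the MAC input formats accepted are this example's own.

```python
"""Build and reverse modified-EUI-64 interface IDs. Added example, not from the
page; the MAC and prefix in the usage below are the ones the notes use."""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """OUI (24 bits) | FF FE | NIC (24 bits), with the universal/local bit flipped.
    Accepts 0090.2717.fc0f, 00:90:27:17:fc:0f or 00-90-27-17-fc-0f."""
    hexdigits = "".join(c for c in mac if c.isalnum())
    if len(hexdigits) != 12:
        raise ValueError("MAC must be 48 bits, e.g. 0090.2717.fc0f")
    raw = bytes.fromhex(hexdigits)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02                 # U/L bit: 7th bit from the left of the first octet
    return bytes(iid)


def format_iid(iid: bytes) -> str:
    """Render the 64-bit ID the way the notes show it: four upper-case hextets."""
    return ":".join(iid[i:i + 2].hex().upper() for i in range(0, 8, 2))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID, as 'ipv6 address <prefix>/64 eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the ID is not EUI-64 shaped.
    This is the tracking problem: the hardware address follows the host across prefixes."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                 # undo the U/L flip
    mac = bytes(iid[:3] + iid[5:])
    return ".".join(mac[i:i + 2].hex() for i in range(0, 6, 2))


if __name__ == "__main__":
    print(format_iid(eui64_interface_id("0090.2717.fc0f")))          # 0290:27FF:FE17:FC0F
    addr = eui64_address("FEC0:DB8:2222:2272::/64", "0090.2717.fc0f")
    print(addr, "->", mac_from_address(str(addr)))
```

`ipaddress` prints the result in compressed lower-case form, so the address above comes out as fec0:db8:2222:2272:290:27ff:fe17:fc0f; the router's 'show ipv6 interface' shows the same address in upper case.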