Cisco Example Configs

Table of Contents

basic rtr

no service timestamps log datetime msec (default; in production use service timestamps log datetime msec localtime so log entries can be correlated)
no service timestamps debug datetime msec
no service password-encryption (line and username passwords stay in clear text in the config; set service password-encryption, and use secret forms where available)
!
hostname R2-Central (set hostname)
!
!
!
enable secret 5 $1$MPbO$c5sbahDFMUwu.v1DoHklW1 (pw to get into enable mode; type 5 = salted MD5, prefer enable algorithm-type scrypt secret <pw> (type 9) where the IOS supports it)
!
!
!
!
username blah password 0 blahpw (username and pw for login; password 0 = clear text, use username blah secret blahpw instead so only a hash is stored)
username blah2 password 0 blah2pw (username and pw for login)
!
!
!
!
!
ip name-server 192.168.254.254 (dns svr)
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.255.254 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
description Da Description for fa0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.10.10.2 255.255.255.252
!
interface Serial0/0/1
no ip address
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1 (default route via the far end of the serial /30; 10.10.10.3 is the broadcast address of 10.10.10.0/30, not a usable next hop)
!
!
!
ip dhcp excluded-address 172.16.2.0 172.16.2.254
!
ip dhcp pool Central
network 172.16.0.0 255.255.0.0
default-router 172.16.255.254
dns-server 192.168.254.254
!
no cdp run (CDP advertises platform, IOS version and addresses to whatever is plugged in; keep it off, or at least no cdp enable on untrusted-facing ints)
!
no ip domain-lookup (disable dns lookups so mistyped commands are not resolved as hostnames; this also means the ip name-server above is unused by the router itself, though DHCP clients still receive the dns-server value)
!
banner motd ^C
*****************************************************************
This is the lab router blah1.
Authorized access only.
*****************************************************************
^C
!
!
!
!
line con 0 (serial console; nothing configured here, so physical access gives a prompt with no auth - add login local)
line vty 0 4 (virtual terminal - telnet/ssh...; add transport input ssh to refuse telnet)
login local (username and pw - define with username)
! (can also be login (line pw only) or no login (no auth))
!
!
end

basic switch

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DaSwitch
!
enable secret 5 abcdefghabcdefgh
enable password abcdefgh (ignored once enable secret is set, but still stored in clear text - remove it)
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
mls qos map cos-dscp 0 8 16 24 34 46 48 56
mls qos
!
!
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description connection to rtr
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
!
interface FastEthernet0/2
 description data
 switchport access vlan 3
 switchport mode access
 mls qos trust cos
 spanning-tree portfast
!
...
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan3
 description Data
 ip address 10.1.1.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.1.1.1
ip classless
ip http server (clear-text web management; remove it, or use ip http secure-server with ip http access-class <acl>)
!
snmp-server community public RW (default community string with write access = full config control for anyone who can reach UDP 161; change the string, make it RO, and restrict sources: snmp-server community <string> RO <acl>)
snmp-server community private RO (also a well-known default string; change it)
snmp-server location HERE
snmp-server contact J Smith
!
control-plane
!
!
line con 0
line vty 0 4
 password abcdefgh (shared line password, sent in clear over telnet; prefer login local with transport input ssh)
 login
line vty 5 15
 password abcdefgh
 login
!
end
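The weak settings called out in the two configs above are easy to miss by eye in a long running-config, so here is a scripted check. This is an added example, not part of the original page: it parses a saved IOS config (the SAMPLE_CONFIG below is constructed from the basic switch lines) and reports clear-text password storage, the enable password, usernames with password instead of secret, the HTTP server, default or unrestricted SNMP communities, and vty lines that still accept telnet or rely on a shared line password. The rule set, message wording and the snmp regex are mine; it matches command text only and does not understand IOS syntax in general.

```python
"""Flag weak management settings in a saved IOS config (added example)."""
import re

# Constructed sample, built from the "basic switch" lines above.
SAMPLE_CONFIG = """\
no service password-encryption
hostname DaSwitch
enable secret 5 abcdefghabcdefgh
enable password abcdefgh
ip http server
snmp-server community public RW
snmp-server community private RO
line con 0
line vty 0 4
 password abcdefgh
 login
line vty 5 15
 password abcdefgh
 login
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def split_config(text):
    """Return a list of (lineno, command, children). IOS indents sub-mode
    commands by one space, so an indented line belongs to the last
    unindented command."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and records:
            records[-1][2].append(raw.strip())
        else:
            records.append((lineno, raw.strip(), []))
    return records


def audit(text):
    """Return [(lineno, message)] for every weak setting found."""
    findings = []
    for lineno, cmd, children in split_config(text):
        if cmd == "no service password-encryption":
            findings.append((lineno, "line/user passwords stored in clear text"))
        elif cmd.startswith("enable password "):
            findings.append((lineno, "enable password set (clear/type 7); use enable secret only"))
        elif re.match(r"username \S+ password\b", cmd):
            findings.append((lineno, "username with password (clear/type 7); use 'username <u> secret <pw>'"))
        elif cmd == "ip http server":
            findings.append((lineno, "clear-text HTTP management enabled"))
        elif cmd.startswith("snmp-server community "):
            # Assumed form: snmp-server community <string> RO|RW [<acl>]
            m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", cmd)
            if m:
                community, mode, acl = m.groups()
                if community.lower() in DEFAULT_COMMUNITIES:
                    findings.append((lineno, f"default SNMP community '{community}' ({mode})"))
                if mode == "RW" and acl is None:
                    findings.append((lineno, "RW SNMP community with no source access-list"))
        elif cmd.startswith("line vty "):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append((lineno, f"{cmd}: telnet permitted (set 'transport input ssh')"))
            per_user = "login local" in children or any(
                c.startswith("login authentication") for c in children)
            if not per_user:
                findings.append((lineno, f"{cmd}: shared line password, no per-user login"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Feed it the output of show running-config saved to a file; a clean result means none of the listed patterns appeared, not that the config is secure.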

MLPPP WAN

controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
interface Multilink1
ip address x.x.x.x y.y.y.y
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/0/0:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Serial0/1/1:0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
ppp multilink group 1

Unicast RPF

interface FastEthernet 0/0
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]
  rx = strict: drop unless the best route back to the source leaves via this interface (use on edge/customer-facing ints with a single path)
  any = loose: drop only if there is no route at all to the source (use where routing is asymmetric; still stops bogon sources)
  allow-default: let the default route count as a route to the source (otherwise sources covered only by the default are dropped)
  list: ACL consulted for packets that fail the check (permit = forward anyway, deny = drop)
  needs CEF enabled

show cef interface FastEthernet 0/0 (shows whether RPF checking is on for the int)
show ip verify statistics (uRPF drop counters)
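What the two modes actually decide for a given source address and ingress interface, as an added example in Python rather than IOS (not from the original page): the FIB below is constructed, lookup is a plain longest-prefix match, and equal-cost paths are modelled by listing more than one interface for a prefix, since strict mode accepts any of them.

```python
"""Decide what strict (rx) and loose (any) uRPF would do with a packet's
source address, given a FIB (added example; not IOS code)."""
import ipaddress

# Constructed FIB: prefix -> interfaces the best route leaves by
# (more than one = equal-cost paths). 0.0.0.0/0 is the default route.
FIB = {
    "10.1.0.0/16": ("FastEthernet0/0",),
    "10.2.0.0/16": ("FastEthernet0/1",),
    "192.0.2.0/24": ("Serial0/0/0", "Serial0/0/1"),
    "0.0.0.0/0": ("Serial0/0/0",),
}


def lookup(fib, src):
    """Longest-prefix match for src; returns (network, interfaces) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf_passes(fib, src, ingress, mode="rx", allow_default=False):
    """mode 'rx' (strict): the route back to src must use the ingress
    interface. mode 'any' (loose): any route to src is enough.
    A default route only counts as a route when allow_default is set."""
    hit = lookup(fib, src)
    if hit is None:
        return False                      # no route at all: bogon source
    net, ifaces = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers it
    if mode == "rx":
        return ingress in ifaces          # any equal-cost path counts
    if mode == "any":
        return True
    raise ValueError(f"unknown mode {mode!r}")


def classify(fib, src, ingress):
    """Verdict of every mode/option combination for one packet."""
    return {
        "rx": urpf_passes(fib, src, ingress, "rx"),
        "rx allow-default": urpf_passes(fib, src, ingress, "rx", True),
        "any": urpf_passes(fib, src, ingress, "any"),
        "any allow-default": urpf_passes(fib, src, ingress, "any", True),
    }


if __name__ == "__main__":
    # 10.2.x.x spoofed on the 10.1.x.x side: strict drops it, loose does not.
    print(classify(FIB, "10.2.5.5", "FastEthernet0/0"))
    # Source covered only by the default route, arriving on the WAN link.
    print(classify(FIB, "203.0.113.9", "Serial0/0/0"))
```

The second case is why allow-default matters on an internet-facing link: without it, strict or loose mode drops every source the router only knows via the default route.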

Serial

clock rate <bps> (sets the clock on the DCE side of a back-to-back serial link; the DTE side takes its clock from the line)

L2 WAN

HDLC

interface s0/1
 encapsulation hdlc

---
sh interface serial <serialInterfaceID>

Integrated CSU/DSU Interfaces

http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a0080093c56.shtml#tconfigcommands
interface serial 0
 service-module t1 clock source {line | internal}
 service-module t1 data-coding {normal | inverted}
 service-module t1 timeslots {all | range} [speed 56 | 64]
  range e.g. 1-4,6,7-10
 service-module t1 framing {sf | esf}
 service-module t1 lbo {none | -7.5db | -15db} (line buildout/signal strength)
 service-module t1 linecode {b8zs | ami}
 service-module t1 remote-alarm-enable (send and receive yellow alarms)
 service-module t1 remote-loopback (go into loopback when the loopback code is received from the far end; lets the provider test the circuit, but also lets anyone on the line loop it)


clear service-module serial <0|1> (hardware reset)
debug service-module (print alarms)
show service-module serial <0|1> [performance-statistics [interval-range]]
  performance-statistics are 15 minute interval stats
test service-module serial <0|1> (CSU/DSU self test)


interface serial 0
 loopback dte (loop at the DTE side of the CSU/DSU)
 loopback line (loop toward the line)
 [no] loopback remote [2047 | 511 | stress-pattern {1-4}] (56k module: put the far-end unit in loopback, optionally sending a test pattern)
 [no] loopback remote {full | payload | smart-jack} [qrw | 1in8 | 3in24 | 1in2 | 1in5 | 1in1 | 0in1 | user-pattern value] (T1 module)

P2P T1

controller T1 0/0
  framing esf (sf | esf)
  linecode b8zs (ami | b8zs)
  clock source line (line | internal)
  channel-group 0 timeslots 1-24 speed 64 (64 | 56)
  no shutdown
interface Serial0/0:0 (created by the channel-group)
  ip address 192.168.1.2 255.255.255.0
  encapsulation hdlc (hdlc | ppp | frame-relay)
  no shutdown

Routing Commands

router ospf 1
 log-adjacency-changes
 redistribute static subnets (without subnets only classful networks are redistributed)
 redistribute connected subnets
 network 10.0.0.0 0.255.255.255 area 0
!
router rip
 version 2
 neighbor XXX.XXX.XXX.XXX (unicast updates to a specific peer, for NBMA links where broadcast/multicast does not work)
 network 192.168.1.0
 passive-interface Fa0/0 (listen on the int but do not advertise out of it; use on user-facing ints so nobody can inject routes)
!
ip classless
ip route 192.168.0.0 255.255.255.0 192.168.10.2 (static)

ACLs

implicit deny at the end of every ACL (an ACL with only deny lines blocks everything)
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 10 in
!
interface FastEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 ip access-group 110 out
!
access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any (without this line the implicit deny drops all inbound traffic on fa0/0)
access-list 110 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www
access-list 110 permit ip any any

standard

Standard ACLs match on source address only, so place them close to the destination (placed near the source they would cut the source off from everything).
access-list <1-99> permit|deny <srcipaddr> <wildcardmask> (wildcard: 0 bit = must match, 1 bit = don't care)
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark <text>
interface fa0/1
 ip access-group 1 in

ip access-list standard NO_ACCESS (named standard ACL)
 deny host 192.168.11.10
 permit 192.168.11.0 0.0.0.255
interface fa0/0
 ip access-group NO_ACCESS out

extended

Extended ACLs match on protocol, source, destination and port, so place them close to the source (drop unwanted traffic before it crosses the network).
access-list <100-199> permit|deny ip|tcp|udp|icmp <srcipaddr> <wildcardmask> <destipaddr> <wildcardmask> [eq|gt|lt|neq|range <port>] [established]
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80

established is TCP only: it matches segments with the ACK or RST bit set, i.e. replies to connections opened from the other side, and does not match a bare SYN. It is a stateless flag test, not connection tracking, so a crafted packet with ACK set passes it; use reflexive ACLs (below) or a stateful firewall where that matters.
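A small evaluator for the numbered ACL syntax above, as an added example (Python, not from the original page). It parses standard and extended access-list lines, applies wildcard masks bit-wise (including non-contiguous masks, which a subnet-mask mental model gets wrong), walks the entries first-match-wins with the implicit deny at the end, and treats established as the ACK/RST flag test it really is, so the spoofed-ACK case from the paragraph above can be seen to pass. PORT_NAMES, the Ace dataclass and the packet() helper are my own; the sample packets are constructed.

```python
"""Parse numbered IOS ACLs and evaluate packets against them, including
wildcard masks, implicit deny and the established keyword (added example)."""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "ftp": 21, "domain": 53}


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 0 bit must match, a 1 bit is don't-care. The bits
    need not be contiguous, unlike a subnet mask."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return ip_to_int(addr) & care == ip_to_int(base) & care


@dataclass
class Ace:
    action: str
    proto: str                      # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port_op: Optional[str] = None   # eq / gt / lt / neq on destination port
    port: Optional[int] = None
    established: bool = False       # tcp only: ACK or RST bit set


def _parse_addr(tokens):
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line):
    """One 'access-list <n> ...' line: standard (1-99) or extended (100-199)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"cannot parse: {line}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:           # standard: source address only
        src, src_wc, rest = _parse_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in standard ACE: {rest}")
        return Ace(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255")
    proto, rest = rest[0], rest[1:]
    src, src_wc, rest = _parse_addr(rest)
    dst, dst_wc, rest = _parse_addr(rest)
    ace = Ace(action, proto, src, src_wc, dst, dst_wc)
    while rest:
        tok, rest = rest[0], rest[1:]
        if tok in ("eq", "gt", "lt", "neq"):
            ace.port_op = tok
            ace.port = PORT_NAMES.get(rest[0]) or int(rest[0])
            rest = rest[1:]
        elif tok == "established":
            if proto != "tcp":
                raise ValueError("established is valid for tcp only")
            ace.established = True
        else:
            raise ValueError(f"unsupported keyword {tok!r} in: {line}")
    return ace


def parse_acl(lines):
    return [parse_ace(line) for line in lines if line.strip()]


def _port_ok(op, actual, wanted):
    if actual is None:
        return False
    return {"eq": actual == wanted, "neq": actual != wanted,
            "gt": actual > wanted, "lt": actual < wanted}[op]


def packet(proto, src, dst, dport=None, flags=()):
    """Constructed packet summary: protocol, addresses, dst port, TCP flags."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "flags": set(flags)}


def evaluate(acl, pkt):
    """First matching entry wins; nothing matched = the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.port_op and not _port_ok(ace.port_op, pkt["dport"], ace.port):
            continue
        if ace.established and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl([
        "access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established",
        "access-list 101 permit tcp any host 192.168.1.80 eq www",
    ])
    print(evaluate(acl, packet("tcp", "8.8.8.8", "192.168.1.5", 51000, {"SYN"})))  # deny
    print(evaluate(acl, packet("tcp", "8.8.8.8", "192.168.1.5", 51000, {"ACK"})))  # permit
```

Use it to sanity-check an ACL before applying it: run the packets you expect to allow and to block through evaluate() and look for the implicit-deny surprises.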

dynamic (lock-and-key)

Users that want to traverse the router are blocked until they telnet to the router and authenticate; the autocommand then opens a temporary entry for their host.

username <username> password 0 <pw>
access-list 101 permit tcp any host 10.2.2.2 eq telnet (let users reach the router's own address to authenticate; telnet is clear text, the same autocommand works for ssh logins)
access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 (one line; 15 = absolute timeout in minutes)
interface serial 0/0/1
 ip access-group 101 in
line vty 0 4
 login local
 autocommand access-enable host timeout <idle minutes> (host = open the entry for the authenticating host only; without it the whole dynamic entry opens for every source)

reflexive

Allows outbound traffic and only admits inbound traffic that is a response to sessions originated from inside the network: the reflect entry records each outbound session and evaluate matches inbound packets against those temporary entries (real session tracking, unlike established).
ip access-list extended OUTBOUNDFILTERS
 permit tcp 192.168.0.0 0.0.255.255 any reflect TCPTRAFFIC

ip access-list extended INBOUNDFILTERS
 evaluate TCPTRAFFIC (everything else inbound hits the implicit deny)

interface s0/1/0
 ip access-group OUTBOUNDFILTERS out
 ip access-group INBOUNDFILTERS in

time based

Allows for access control based on time of day (needs an accurate clock; set up ntp server <ipaddr>).

time-range EVERYOTHERDAY
 periodic Monday Wednesday Friday 8:00 to 17:00

access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
(outside the time range the entry is inactive and simply not matched, so the packet falls through to later entries and, if none match, to the implicit deny; the entry does not turn into a drop)

interface s0/0/0
 ip access-group 101 out

Cisco Switchport Security

switchport mode access (port security needs a static access or trunk port, not dynamic)
switchport port-security (enable; default max 1 MAC, default violation shutdown)
switchport port-security maximum <n>
switchport port-security mac-address <mac> (static) or switchport port-security mac-address sticky (learn and save to the running-config)
switchport port-security violation protect (drop offending frames, no log, no counter)
switchport port-security violation restrict (drop, log/SNMP trap and count)
switchport port-security violation shutdown (default: err-disable the port and log; recover with shut/no shut or errdisable recovery cause psecure-violation)

Setting up vty with ssh or telnet

hostname <name> and ip domain-name <domain> (both needed before the key can be generated)
crypto key generate rsa modulus 2048 (older IOS defaults to a small key)
ip ssh version 2 (v1 has known weaknesses)
line vty 0 15
  login local
  transport input ssh (or transport input telnet ssh - telnet sends credentials and session in clear text)

Domain/DNS lookup commands

ip domain-lookup (enable name resolution on the router; the default)
ip name-server <ipaddr>
ip domain list <domainname.com> (list of domains to append)
ip domain name mydomain.com (default domain - domain list overrides)
ip ospf name-lookup (looks up DNS names for use in OSPF show EXEC commands)

Command line history commands

terminal history [size number-of-lines] (enable and set number of lines)
history [size number-of-lines] (enable command history function)
show history (show list of commands)
<up arrow>/<down arrow>

GRE tunnels

interface tunnel1
 ip address 192.168.35.6 255.255.255.252
 tunnel source 172.25.1.5
 tunnel destination 172.26.1.6
 (tunnel mode gre ip is the default; GRE has no encryption or authentication, so anyone who can spoof the source address can inject into the tunnel - add tunnel protection ipsec profile <name> for anything sensitive)

IP DHCP

ip dhcp pool <name>
network 172.22.1.0 255.255.255.0
default-router 172.22.1.1
domain-name <domainname>
dns-server <dns server> <dns server2>
lease <days> <hours> <minutes>
ip dhcp excluded-address <beginning ip addr> <end ip addr>

the pool is chosen by matching its network statement against the address of the interface the request arrived on (or against the giaddr set by a relay)
ip helper-address <ipaddress> (interface-level command: relays the broadcast DHCP request as unicast to the server, with giaddr = this interface's address)

NAT

many-to-many
  1. access-list 10 permit 192.168.0.0 0.0.0.255 (1st many: the inside local addresses allowed to translate)
  2. ip nat pool <poolname> <startipRange> <endipRange> netmask <netmask> (2nd many: the inside global addresses)
    ip nat pool pool10 200.0.0.20 200.0.0.30 netmask 255.255.255.0
  3. ip nat inside source list 10 pool <poolname> overload (overload = PAT: many inside hosts share one pool address and are told apart by translated source port; without it each inside host takes a whole pool address and this 11-address pool runs out after 11 hosts)
  4. int fa 0/0
      ip nat inside (LAN side)
  5. int fa0/1
      ip nat outside (WAN side; NAT needs one inside and one outside interface)

IPv6

ipv6 unicast-routing (enables ipv6 forwarding; without it the router only behaves as an ipv6 host)


interface <interface>
ipv6 enable (gives the int a link-local FE80::/10 address, the IPv6 counterpart of a 169.254 address)
ipv6 address autoconfig (SLAAC: builds a global address from router advertisements received on the int)
ipv6 address FEC0:E14:9::A000:1/100 (static address; FEC0::/10 site-local is deprecated, use a global prefix or ULA FD00::/8)
ipv6 rip RIP_PROC enable
ipv6 ospf <procid> area <areaid>

sh ipv6 route

6-to-4 tunnelling (encapsulate ipv6 in ipv4)

EUI-64

Configure a /64 prefix and let the router build the host half from the interface MAC:
ipv6 address FEC0:DB8:2222:2272::/64 eui-64
Interface ID = the 48-bit MAC split after the first 24 bits (the OUI) with FFFE inserted:
MAC 0090.2717.FC0F -> 0090:27FF:FE17:FC0F
then flip the universal/local bit (bit 7 of the first octet, the 0x02 bit), so 00 becomes 02:
0290:27FF:FE17:FC0F
giving FEC0:DB8:2222:2272:290:27FF:FE17:FC0F. The MAC is recoverable from the address, which is why hosts prefer privacy or stable-random interface IDs (RFC 4941 / RFC 7217) over EUI-64.
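The derivation above in code, as an added example (Python, not from the original page): it builds the interface ID and full address from a MAC in any of the usual notations, and also runs the derivation backwards to recover the MAC from an address, which is the information leak that makes EUI-64 addressing a tracking concern. The function names are mine; the MAC is the one behind the page's worked example.

```python
"""EUI-64 interface IDs: build one from a MAC and recover the MAC from an
address (added example; not from the original page)."""
import ipaddress


def mac_bytes(mac):
    """Accept 00:90:27:17:FC:0F, 00-90-27-17-FC-0F or Cisco 0090.2717.fc0f."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return raw


def eui64_interface_id(mac):
    """Split the MAC after the 24-bit OUI, insert FFFE, and flip the
    universal/local bit (0x02) of the first octet."""
    raw = mac_bytes(mac)
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ":".join(iid.hex()[i:i + 4] for i in range(0, 16, 4)).upper()


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID for mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int.from_bytes(bytes.fromhex(eui64_interface_id(mac).replace(":", "")), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Reverse the derivation: return the MAC if the low 64 bits look
    EUI-64 derived (FFFE in the middle), else None. This is the privacy
    problem with SLAAC + EUI-64: the hardware address rides in every packet."""
    low = ipaddress.IPv6Address(addr).packed[8:]
    if low[3:5] != b"\xff\xfe":
        return None
    raw = bytes([low[0] ^ 0x02]) + low[1:3] + low[5:]
    return ":".join(f"{b:02X}" for b in raw)


if __name__ == "__main__":
    mac = "0090.2717.fc0f"   # the MAC behind the worked example above
    print(eui64_interface_id(mac))                          # 0290:27FF:FE17:FC0F
    addr = eui64_address("FEC0:DB8:2222:2272::/64", mac)
    print(addr, "->", mac_from_address(addr))
```

Point mac_from_address() at the source addresses in a packet capture or log to see which hosts are exposing their MACs this way.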