Commands 2.1

The document provides instructions for configuring various settings on a switch including: 1. Configuring the management interface on the switch with IPv4 and IPv6 addresses and enabling the interface. 2. Configuring the default gateway for the switch. 3. Commands for verifying switch configuration and status including interface status, startup configuration, running configuration, flash file system, system status and more. 4. Configuring SSH access on the switch and displaying SSH configuration.

Uploaded by

Curtizagio

SWITCHING COMMANDS

Configure the Management Interface


Enter global configuration mode: S1# configure terminal
Enter interface configuration mode for the SVI: S1(config)# interface vlan 99
Configure the management interface IPv4 address: S1(config-if)# ip address 172.17.99.11 255.255.255.0
Configure the management interface IPv6 address: S1(config-if)# ipv6 address 2001:db8:acad:99::1/64
Enable the management interface: S1(config-if)# no shutdown
Save the running config to the startup config: S1# copy running-config startup-config

Configure the Default Gateway


Configure the default gateway for the switch: S1(config)# ip default-gateway 172.17.99.1
Return to the privileged EXEC mode: S1(config)# end
Save the running config to the startup config: S1# copy running-config startup-config

SWITCH VERIFICATION COMMANDS


Display interface status and configuration: S1# show interfaces [interface-id]
Display current startup configuration: S1# show startup-config
Display current running configuration: S1# show running-config
Display information about flash file system: S1# show flash
Display system hardware and software status: S1# show version
Display history of commands entered: S1# show history
Display IP information about an interface: S1# show ip interface [interface-id]
Display the MAC address table: S1# show mac address-table

CONFIGURING SSH
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
S1(config)# username admin secret ccna
S1(config)# line vty 0 15
S1(config-line)# transport input ssh // use SSH; if I don't do this, Telnet is what gets configured
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2

TO DISPLAY: S1# show ip ssh


Configure Basic Router Settings
Router# configure terminal
Router(config)# hostname R1
R1(config)# enable secret class
R1(config)# line console 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# service password-encryption

Configure a banner
R1(config)# banner motd #AUTHORIZED ACCESS ONLY!#

Configure Router Interfaces


R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# description Link to LAN 1
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface gigabitethernet 0/0/1
R1(config-if)# ip address 192.168.11.1 255.255.255.0
R1(config-if)# ipv6 address 2001:db8:acad:2::1/64
R1(config-if)# description Link to LAN 2
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 209.165.200.225 255.255.255.252
R1(config-if)# ipv6 address 2001:db8:acad:3::225/64
R1(config-if)# description Link to R2
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#

Interface Verification Commands


show ip interface brief and show ipv6 interface brief: These display a summary for all interfaces, including the IPv4 or IPv6 address of the interface and its current operational status.
show running-config interface interface-id: This displays the commands applied to the specified interface.
show ip route and show ipv6 route: These display the contents of the IPv4 or IPv6 routing table stored in RAM. In Cisco IOS 15, active interfaces should appear in the routing table with two related entries identified by the code 'C' (Connected: the network that is directly connected) or 'L' (Local: the address of my own interface).

VLAN Creation
Switch# configure terminal
Switch(config)# vlan vlan-id
Switch(config-vlan)# name vlan-name
Switch(config-vlan)# end

VLAN Port Assignment Commands


Switch# configure terminal
Switch(config)# interface interface-id
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-id
Switch(config-if)# end

VLANs are configured on the switch port and not on the end device.

Verify VLAN Information


Options of the show vlan command:
Display VLAN name, status, and its ports, one VLAN per line: show vlan brief
Display information about the identified VLAN ID number. For vlan-id, the range is 1 to 4094: show vlan id vlan-id
Display information about the identified VLAN name. The vlan-name is an ASCII string from 1 to 32 characters: show vlan name vlan-name
Display VLAN summary information: show vlan summary
● If the switch access port has been incorrectly assigned to a VLAN, then
simply re-enter the switchport access vlan vlan-id interface configuration
command with the correct VLAN ID.
● To change the membership of a port back to the default VLAN 1, use the no
switchport access vlan interface configuration mode command as shown.
● In the output for example, Fa0/18 is configured to be on the default VLAN 1 as
confirmed by the show vlan brief command.
● Delete a VLAN: no vlan vlan-id

Trunk Configuration Commands


Switch# configure terminal
Switch(config)# interface interface-id
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan vlan-id
Switch(config-if)# switchport trunk allowed vlan vlan-list
Switch(config-if)# end

● Use the no switchport trunk allowed vlan and the no switchport trunk
native vlan commands to remove the allowed VLANs and reset the native
VLAN of the trunk.

S1 VLAN and Trunking Configuration


S1(config)# vlan 10
S1(config-vlan)# name LAN10
S1(config-vlan)# exit
S1(config)# vlan 20
S1(config-vlan)# name LAN20
S1(config-vlan)# exit
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)#
S1(config)# interface vlan 99
S1(config-if)# ip add 192.168.99.2 255.255.255.0
S1(config-if)# no shut
S1(config-if)# exit
S1(config)# ip default-gateway 192.168.99.1
S1(config)#
S1(config)# interface fa0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# no shut
S1(config-if)# exit
S1(config)#
S1(config)# interface fa0/1
S1(config-if)# switchport mode trunk
S1(config-if)# no shut
S1(config-if)# exit
S1(config)# interface fa0/5
S1(config-if)# switchport mode trunk
S1(config-if)# no shut
S1(config-if)# end

S2 VLAN and Trunking Configuration


S2(config)# vlan 10
S2(config-vlan)# name LAN10
S2(config-vlan)# exit
S2(config)# vlan 20
S2(config-vlan)# name LAN20
S2(config-vlan)# exit
S2(config)# vlan 99
S2(config-vlan)# name Management
S2(config-vlan)# exit
S2(config)#
S2(config)# interface vlan 99
S2(config-if)# ip add 192.168.99.3 255.255.255.0
S2(config-if)# no shut
S2(config-if)# exit
S2(config)# ip default-gateway 192.168.99.1
S2(config)# interface fa0/18
S2(config-if)# switchport mode access
S2(config-if)# switchport access vlan 20
S2(config-if)# no shut
S2(config-if)# exit
S2(config)# interface fa0/1
S2(config-if)# switchport mode trunk
S2(config-if)# no shut
S2(config-if)# exit
S2(config)# end

R1 Subinterface Configuration
R1(config)# interface G0/0/1.10
R1(config-subif)# description Default Gateway for VLAN 10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip add 192.168.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1.20
R1(config-subif)# description Default Gateway for VLAN 20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip add 192.168.20.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1.99
R1(config-subif)# description Default Gateway for VLAN 99
R1(config-subif)# encapsulation dot1Q 99
R1(config-subif)# ip add 192.168.99.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1
R1(config-if)# description Trunk link to S1
R1(config-if)# no shut
R1(config-if)# end
R1#

Layer 3 Switch Configuration


D1(config)# vlan 10
D1(config-vlan)# name LAN10
D1(config-vlan)# vlan 20
D1(config-vlan)# name LAN20
D1(config-vlan)# exit
D1(config)#
D1(config)# interface vlan 10
D1(config-if)# description Default Gateway SVI for 192.168.10.0/24
D1(config-if)# ip add 192.168.10.1 255.255.255.0
D1(config-if)# no shut
D1(config-if)# exit
D1(config)#
D1(config)# int vlan 20
D1(config-if)# description Default Gateway SVI for 192.168.20.0/24
D1(config-if)# ip add 192.168.20.1 255.255.255.0
D1(config-if)# no shut
D1(config-if)# exit
D1(config)#
D1(config)# interface GigabitEthernet1/0/6
D1(config-if)# description Access port to PC1
D1(config-if)# switchport mode access
D1(config-if)# switchport access vlan 10
D1(config-if)# exit
D1(config)#
D1(config)# interface GigabitEthernet1/0/18
D1(config-if)# description Access port to PC2
D1(config-if)# switchport mode access
D1(config-if)# switchport access vlan 20
D1(config-if)# exit
D1(config)# ip routing
D1(config)#

Routing Configuration on a Layer 3 Switch


D1(config)# interface GigabitEthernet1/0/1
D1(config-if)# description routed Port Link to R1
D1(config-if)# no switchport
D1(config-if)# ip address 10.10.10.2 255.255.255.0
D1(config-if)# no shut
D1(config-if)# exit
D1(config)#
D1(config)# ip routing
D1(config)#
D1(config)# router ospf 10
D1(config-router)# network 192.168.10.0 0.0.0.255 area 0
D1(config-router)# network 192.168.20.0 0.0.0.255 area 0
D1(config-router)# network 10.10.10.0 0.0.0.3 area 0
D1(config-router)# exit
D1#

ETHERCHANNEL
S1(config)# interface range FastEthernet 0/1 - 2
S1(config-if-range)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
S1(config-if-range)# exit
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 1,2,20

DHCPv4
STEPS TO CONFIGURE A CISCO IOS DHCPv4 SERVER

Step 1. Exclude IPv4 addresses.


Router(config)# ip dhcp excluded-address low-address [high-address]

Step 2. Define a DHCPv4 pool name.


Router(config)# ip dhcp pool pool-name
Router(dhcp-config)#

Step 3. Configure the DHCPv4 pool.


Define the address pool: network network-number [mask | / prefix-length]
Define the default router or gateway: default-router address [address2...address8]
Define a DNS server: dns-server address [address2...address8]
Define the domain name: domain-name domain
Define the duration of the DHCP lease: lease {days [hours [minutes]] | infinite}
Define the NetBIOS WINS server: netbios-name-server address [address2...address8]

VERIFICATION COMMANDS
show running-config | section dhcp: Displays the DHCPv4 commands configured
on the router.
show ip dhcp binding: Displays a list of all IPv4 address to MAC address bindings
provided by the DHCPv4 service.
show ip dhcp server statistics: Displays count information regarding the number of
DHCPv4 messages that have been sent and received.

CONFIGURE CISCO ROUTER AS A DHCPv4 CLIENT


SOHO(config)# interface G0/0/1
SOHO(config-if)# ip address dhcp
SOHO(config-if)# no shutdown

VERIFICATION
SOHO# show ip interface g0/0/1

SLAAC AND DHCPv6


CONFIGURE A STATELESS DHCPv6 SERVER
Step 1. Enable IPv6 routing:
R1(config)# ipv6 unicast-routing
R1(config)#

Step 2. Define a DHCPv6 pool name.


R1(config)# ipv6 dhcp pool IPV6-STATELESS
R1(config-dhcpv6)#

Step 3. Configure the DHCPv6 pool:


R1(config-dhcpv6)# dns-server 2001:db8:acad:1::254
R1(config-dhcpv6)# domain-name example.com
R1(config-dhcpv6)# exit
R1(config)#

Step 4. Bind the DHCPv6 pool to an interface:


R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# description Link to LAN
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# ipv6 nd other-config-flag
R1(config-if)# ipv6 dhcp server IPV6-STATELESS
R1(config-if)# no shut
R1(config-if)# end
R1#
Step 5. Verify that the hosts have received IPv6 addressing information.
To verify stateless DHCP on a Windows host, use the ipconfig /all command.

CONFIGURE A STATELESS DHCPv6 CLIENT


Step 1. Enable IPv6 routing:
R3(config)# ipv6 unicast-routing
R3(config)#

Step 2. Configure the client router to create an LLA:


R3(config)# interface g0/0/1
R3(config-if)# ipv6 enable
R3(config-if)#

Step 3. Configure the client router to use SLAAC:


R3(config-if)# ipv6 address autoconfig
R3(config-if)# end
R3#

Step 4. Verify that the client router is assigned a GUA.


R3# show ipv6 interface brief

Step 5. Verify that the client router received other necessary DHCPv6
information.
R3# show ipv6 dhcp interface g0/0/1

ENABLE STATELESS DHCPv6 on an Interface


CONFIGURE A STATEFUL DHCPv6 SERVER
Step 1. Enable IPv6 routing:
R1(config)# ipv6 unicast-routing
R1(config)#

Step 2. Define a DHCPv6 pool name.


R1(config)# ipv6 dhcp pool IPV6-STATEFUL
R1(config-dhcpv6)#

Step 3. Configure the DHCPv6 pool:


R1(config-dhcpv6)# address prefix 2001:db8:acad:1::/64
R1(config-dhcpv6)# dns-server 2001:4860:4860::8888
R1(config-dhcpv6)# domain-name example.com
R1(config-dhcpv6)# exit
R1(config)#

Step 4. Bind the DHCPv6 pool to an interface:


R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# description Link to LAN
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# ipv6 nd managed-config-flag
R1(config-if)# ipv6 nd prefix default no-autoconfig
R1(config-if)# ipv6 dhcp server IPV6-STATEFUL
R1(config-if)# no shut
R1(config-if)# end
R1#

Step 5. Verify that the hosts have received IPv6 addressing information.
To verify stateful DHCP on a Windows host, use the ipconfig /all command.

ENABLE STATEFUL DHCPv6 on an Interface


CONFIGURE A STATEFUL DHCPv6 CLIENT
Step 1. Enable IPv6 routing:
R3(config)# ipv6 unicast-routing
R3(config)#

Step 2. Configure the client router to create an LLA:


R3(config)# interface g0/0/1
R3(config-if)# ipv6 enable
R3(config-if)#

Step 3. Configure the client router to use DHCPv6:


R3(config-if)# ipv6 address dhcp
R3(config-if)# end
R3#

Step 4. Verify that the client router is assigned a GUA.


R3# show ipv6 interface brief

Step 5. Verify that the client router received other necessary DHCPv6
information.
R3# show ipv6 dhcp interface g0/0/1

CONFIGURE A DHCPv6 RELAY AGENT


Router(config-if)# ipv6 dhcp relay destination ipv6-address [interface-type interface-number]

TO VERIFY:
- The DHCPv6 relay agent can be verified using the show ipv6 dhcp interface
command. This will verify that the G0/0/1 interface is in relay mode.
- Use the show ipv6 dhcp binding command to verify if any hosts have been
assigned an IPv6 configuration.
- Finally, use ipconfig /all on PC1 to confirm that it has been assigned an IPv6
configuration.

DHCPv6 SERVER VERIFICATION COMMANDS:


The show ipv6 dhcp pool command verifies the name of the DHCPv6 pool and its parameters.
The command also identifies the number of active clients.
Use the show ipv6 dhcp binding command output to display the IPv6 link-local address of the
client and the global unicast address assigned by the server.

SWITCH SECURITY CONFIGURATION


Secure Unused Ports: Switch(config)# interface range type module/first-number – last-number

Enable Port Security:


S1(config)# interface f0/1
S1(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# end
S1#

Use the show port-security interface command to display the current port security
settings for FastEthernet 0/1

Limit and Learn MAC Addresses: Switch(config-if)# switchport port-security maximum value
1. Manually Configured: Switch(config-if)# switchport port-security mac-address mac-address
2. Dynamically Learned: Switch(config-if)# switchport port-security
3. Dynamically Learned Sticky: Switch(config-if)# switchport port-security mac-address sticky

Port Security Aging: Switch(config-if)# switchport port-security aging { static | time time | type {absolute | inactivity}}

Port Security Violation Modes: Switch(config-if)# switchport port-security violation { protect | restrict | shutdown}
Use the show port-security interface command to view details for a specific
interface, as shown previously and in this example.

Steps to Mitigate VLAN Hopping Attacks


Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by
using the switchport mode access interface configuration command.
Step 2: Disable unused ports and put them in an unused VLAN.
Step 3: Manually enable the trunk link on a trunking port by using the
switchport mode trunk command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using
the switchport nonegotiate command.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the
switchport trunk native vlan vlan_number command.

Steps to Implement DHCP Snooping


Step 1: Enable DHCP snooping by using the ip dhcp snooping global
configuration command.
Step 2: On trusted ports, use the ip dhcp snooping trust interface
configuration command.
Step 3: Limit the number of DHCP discovery messages that can be received
per second on untrusted ports by using the ip dhcp snooping limit rate
interface configuration command.
Step 4: Enable DHCP snooping by VLAN, or by a range of VLANs, by using
the ip dhcp snooping vlan global configuration command.

Configuration Example:
S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1#
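
The VLAN hopping and DHCP snooping steps above can be checked against a saved running-config. The script below is an added example, not part of the original document; the sample configuration, the function names and the finding texts are constructed for illustration, and a port with no explicit switchport mode is assumed to be left in a dynamic (DTP) mode.

```python
# Constructed sample running-config (not from the original document).
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface FastEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 99
 ip dhcp snooping trust
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/24
 switchport mode access
 shutdown
"""

def parse(config):
    """Split a running-config into global lines and per-interface line lists."""
    glob, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif raw[0].isspace() and cur is not None:
            cur.append(line)
        else:  # unindented line: back at global configuration level
            cur = None
            glob.append(line)
    return glob, ifaces

def audit(config):
    """Return (scope, finding) tuples; scope is 'global' or an interface name."""
    glob, ifaces = parse(config)
    out = []
    if "ip dhcp snooping" not in glob:
        out.append(("global", "DHCP snooping not enabled"))
    if not any(l.startswith("ip dhcp snooping vlan ") for l in glob):
        out.append(("global", "DHCP snooping not enabled for any VLAN"))
    if not any("ip dhcp snooping trust" in c for c in ifaces.values()):
        out.append(("global", "no trusted DHCP snooping port"))
    for name, c in ifaces.items():
        if name.lower().startswith("vlan"):  # SVIs are not switch ports
            continue
        down = "shutdown" in c
        if "switchport mode trunk" in c:
            if "switchport nonegotiate" not in c:
                out.append((name, "trunk still negotiates DTP"))
            native = [l.split()[-1] for l in c
                      if l.startswith("switchport trunk native vlan ")]
            if not native or native[0] == "1":
                out.append((name, "native VLAN left at VLAN 1"))
        elif "switchport mode access" not in c and not down:
            out.append((name, "no explicit mode, DTP can negotiate a trunk"))
        limited = any(l.startswith("ip dhcp snooping limit rate ") for l in c)
        if not (down or limited or "ip dhcp snooping trust" in c):
            out.append((name, "untrusted port without DHCP rate limit"))
    return out
```

Calling audit(SAMPLE) reports the defaults left on Fa0/2, Fa0/3 and Fa0/6 and nothing for the hardened trunk Fa0/1 or the shut-down Fa0/24.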

Mitigate ARP Attacks


Configuration Example:
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust

Configure PortFast
PortFast can be enabled on an interface by using the spanning-tree portfast interface configuration command. Alternatively, PortFast can be configured globally on all access ports by using the spanning-tree portfast default global configuration command.
To verify whether PortFast is enabled globally, you can use either the show running-config | begin span command or the show spanning-tree summary command. To verify whether PortFast is enabled on an interface, use the show running-config interface type/number command, as shown in the following example. The show spanning-tree interface type/number detail command can also be used for verification.

Configure BPDU Guard


BPDU Guard can be enabled on a port by using the spanning-tree bpduguard enable interface configuration command. Alternatively, use the spanning-tree portfast bpduguard default global configuration command to globally enable BPDU Guard on all PortFast-enabled ports.

To display information about the state of spanning tree, use the show spanning-tree summary command. In the example, PortFast default and BPDU Guard are both enabled as the default state for ports configured as access mode.

IPv4 Static Route Command


Router(config)# ip route network-address subnet-mask { ip-address | exit-intf [ip-address]} [distance]

IPv6 Static Route Command


Router(config)# ipv6 route ipv6-prefix/prefix-length {ipv6-address | exit-intf [ipv6-address]} [distance]

IPv4 Default Static Route Command


Router(config)# ip route 0.0.0.0 0.0.0.0 {ip-address | exit-intf}

IPv6 Default Static Route Command


Router(config)# ipv6 route ::/0 {ipv6-address | exit-intf}
