
CommandReference NET225 ENSAv7

Uploaded by

fallj366

Command Reference Guide for

CCNA Cisco IOS Commands

NET 225

Enterprise Networking,
Security, and Automation
V7

13 March 2020

CommandReference-NET225-ENSAv7.docx Updated 3/13/20 Page 1 of 19




Chapter 2: Configuring the IOS CLI for Single Area OSPF

Configuring OSPFv2 for IPv4


R1 (config)# router ospf 1

R1 (config-router)# router-id 1.1.1.1


R1 (config-router)# network 192.168.1.0 0.0.0.255 area 0 *sets network and OSPF area

R1 (config-router)# network 10.1.1.0 0.0.0.3 area 0 *sets network and OSPF area

R1 (config-router)# passive-interface g0/0 *makes the LAN interface passive

R1 (config-router)# auto-cost reference-bandwidth 1000 *sets reference bandwidth to 1000 (Mbps)

Propagate the Default Static Route for OSPFv2


R1 (config)# ip route 0.0.0.0 0.0.0.0 s0/0/0
R1 (config)# router ospf 1
R1 (config-router)# default-information originate

Configuring an OSPF Point-to-Point Network Through an Interface


R1 (config)# interface g0/0
R1 (config-if)# ip ospf network point-to-point *Creates a point-to-point network where the interface’s subnet mask is what’s being advertised

Verifying and Troubleshooting OSPFv2

R1# show ip ospf *shows OSPF data such as PID, RID, SPF, and area
R1# show ip protocols *shows PID, RID, networks, neighbors, admin distance, etc.
R1# show ip ospf neighbor *Adjacencies and neighbor data
R1# show ip ospf interface *summary and status
R1# show ip ospf interface brief *summary and status of OSPF interfaces
R1# show ip route ospf *shows only OSPF routes in routing table

R1# clear ip ospf process *resets neighbor adjacencies

Configuring OSPFv2 Hello and Dead Intervals


R1 (config)# interface s0/0/0

R1 (config-if)# ip ospf hello-interval 5 *hello timer set to 5 sec


R1 (config-if)# ip ospf dead-interval 20 *dead timer set to 20 sec

R1 (config)# interface s0/0/0


R1 (config-if)# no ip ospf hello-interval *resets interval to default of 10 sec

R1 (config-if)# no ip ospf dead-interval 20 *resets interval to default of 40 sec

Configuring OSPFv2 Interface Priority


R1 (config)# interface g0/1

R1 (config-if)# ip ospf priority # *# is between 1-255 (default=1). The highest priority number will be determined as Designated Router

R1 (config-if)# end
R1# clear ip ospf process

Configuring OSPFv3 for IPv6


R1 (config)# ipv6 router ospf 1
R1 (config-rtr)# router-id 1.1.1.1 *sets an IPv4 address as ID
R1 (config-rtr)# auto-cost reference-bandwidth 1000


R1 (config)# interface g0/1
R1 (config-if)# ipv6 ospf 1 area 0 *sets ospf on interface g0/1
R1 (config-if)# interface s0/0/0
R1 (config-if)# ipv6 ospf 1 area 0 *sets ospf on interface s0/0/0

Propagate the Default Static Route for OSPFv3


R1 (config)# ipv6 route ::/0 s0/0/0
R1 (config)# ipv6 router ospf 1
R1 (config-rtr)# default-information originate

Verifying and Troubleshooting OSPFv3

R1# show ipv6 ospf *shows OSPF data such as PID, RID, SPF, and area
R1# show ipv6 protocols *shows PID, RID, networks, neighbors, admin distance, etc.
R1# show ipv6 ospf neighbor *Adjacencies and neighbor data
R1# show ipv6 ospf interface *summary and status
R1# show ipv6 ospf interface brief *summary and status of OSPF interfaces
R1# show ipv6 route ospf *shows only OSPF routes in routing table

R1# clear ipv6 ospf process *resets neighbor adjacencies

Configuring OSPFv3 Hello and Dead Intervals


R1 (config)# interface s0/0/0
R1 (config-if)# ipv6 ospf hello-interval 5 *hello timer set to 5 sec
R1 (config-if)# ipv6 ospf dead-interval 20 *dead timer set to 20 sec
R1 (config)# interface s0/0/0
R1 (config-if)# no ipv6 ospf hello-interval *resets interval to default of 10 sec

R1 (config-if)# no ipv6 ospf dead-interval 20 *resets interval to default of 40 sec

Configuring OSPFv3 Interface Priority


R1 (config)# interface g0/1

R1 (config-if)# ipv6 ospf priority # *# is between 1-255 (default=1). The highest priority number will be determined as Designated Router

R1 (config-if)# end
R1# clear ipv6 ospf process

Configuring OSPF cost on an Interface


R1 (config)# int s0/0/0
R1 (config-if)# ip ospf cost 16000

Configuring MTU Size on an Interface


R1 (config)# interface s0/0/0

R1 (config-if)# ip mtu size *MTU size

R1 (config-if)# ipv6 mtu size *MTU size


Chapter 5: Access Control Lists for IPv4 Configurations

**NOTE: Standard ACLs are not part of the NET225 v7 core requirements but have been left in the
document because ACLs are covered. The core requirements for NET225 v7 are Extended ACLs only.

Standard Access Control List


R1(config)# access-list 1 permit 192.168.30.0 0.0.0.255

R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 1 permit 192.168.11.0 0.0.0.255
R1(config)# access-list 1 permit 192.168.10.0 0.0.1.255    Same as previous two (covers both networks)

R1(config)# access-list 1 permit 192.168.10.10 0.0.0.0 Single host address


R1(config)# access-list 1 permit host 192.168.10.10 Single host address
R1(config)# access-list 1 permit 192.168.10.10 Single host address

R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255 Permit any address


R1(config)# access-list 1 permit any Permit any address

Standard ACL Command Syntax


R1(config)# access-list ACL-Number {permit|deny|remark} SRC-IP [WC-Mask] [log]

ACL-Number    Number of ACL: 1 to 99 or 1300 – 1999
deny          Deny access if condition is met
permit        Permit access if condition is met
remark        Add a remark to ACL
SRC-IP        Source IP address: network or host from where the traffic is being sent
WC-Mask       Source IP address wildcard mask
log           Optional: logs messages

Standard ACL Example with Remark


R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255 ACL 1 statement
R1(config)# access-list 1 remark this permits hosts from the 192.168.1.0 LAN



To Remove an ACL
R1(config)# no access-list 1 To remove ACL 1

Properly Ordered ACL Statement


R1(config)# access-list 1 permit host 192.168.1.10    Permits the single host 192.168.1.10 thru first
R1(config)# access-list 1 deny 192.168.1.0 0.0.0.255    Then denies all other hosts in that network

Improperly Configured ACL Statement


R1(config)# access-list 1 deny 192.168.1.0 0.0.0.255    Denies all hosts in the 192.168.1.0 network
R1(config)# access-list 1 permit host 192.168.1.10    This host has been denied by previous statement and can’t get thru
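
The first-match behaviour behind the properly and improperly ordered lists above, together with the wildcard-mask matching used by the 0.0.1.255 entry earlier, as an added example that is not part of the original guide. The function names are hypothetical and the test addresses are constructed; `shadowed()` flags any entry an earlier entry fully covers, which is how an audit would catch the improper ordering.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def parse_acl(lines):
    """Parse 'access-list N permit|deny SRC [WILDCARD] [log]' into (action, addr, wildcard)."""
    rules = []
    for line in lines:
        tok = [t for t in line.split() if t != "log"]
        if tok[2] == "remark":
            continue  # remarks carry no match condition
        action, src = tok[2], tok[3:]
        if src[0] == "any":
            addr, wc = 0, MASK32
        elif src[0] == "host":
            addr, wc = int(ipaddress.IPv4Address(src[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(src[0]))
            # A bare address with no wildcard matches that single address only.
            wc = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
        rules.append((action, addr, wc))
    return rules

def matches(rule, ip):
    """Wildcard bits set to 1 are ignored; every other bit must be equal."""
    _, addr, wc = rule
    care = ~wc & MASK32
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(rules, ip):
    """The first matching entry decides; no match falls to the implicit deny."""
    for rule in rules:
        if matches(rule, ip):
            return rule[0]
    return "deny"

def shadowed(rules):
    """Indexes of entries that can never match because an earlier entry covers them."""
    hits = []
    for i, (_, addr, wc) in enumerate(rules):
        for _, e_addr, e_wc in rules[:i]:
            care = ~e_wc & MASK32  # bits the earlier entry actually checks
            if (wc & care) == 0 and (addr & care) == (e_addr & care):
                hits.append(i)
                break
    return hits

# The two orderings from this guide, plus the summarised 0.0.1.255 entry.
PROPER = parse_acl(["access-list 1 permit host 192.168.1.10",
                    "access-list 1 deny 192.168.1.0 0.0.0.255"])
IMPROPER = parse_acl(["access-list 1 deny 192.168.1.0 0.0.0.255",
                      "access-list 1 permit host 192.168.1.10"])
SUMMARY = parse_acl(["access-list 1 permit 192.168.10.0 0.0.1.255"])

if __name__ == "__main__":
    for name, acl in (("proper", PROPER), ("improper", IMPROPER)):
        print(name, evaluate(acl, "192.168.1.10"), "shadowed entries:", shadowed(acl))
    for ip in ("192.168.10.5", "192.168.11.77", "192.168.12.1"):  # constructed addresses
        print(ip, evaluate(SUMMARY, ip))
```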

Links an ACL Statement to an Interface


R1(config)# interface g0/0
R1(config-if)# ip access-group {ACL Number or Name} {in | out}

To Remove an ACL Statement from an Interface


R1(config)# interface g0/0
R1(config-if)# no ip access-group 1 out

Example of an Outbound Standard ACL Statement


R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# interface g0/0
R1(config-if)# ip access-group 1 out

Example Standard ACL Denying a Specific Host Address While Allowing a Specific Subnet
R1(config)# access-list 1 deny host 192.168.1.10    Denies the single host 192.168.1.10 first
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255    Permits the rest of the 192.168.1.0/24 subnet
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 1 out



Example Standard ACL Denying a Specific Host Address While Allowing All Other Traffic
R1(config)# access-list 1 deny host 192.168.1.10    Denies the single host 192.168.1.10 first
R1(config)# access-list 1 permit any Permits all other traffic
R1(config)# interface g0/0
R1(config-if)# ip access-group 1 in

Standard Named ACL


R1(config)# ip access-list standard ACL-Name    ACL-Name is the name of the ACL
R1(config-std-nacl)# {permit | deny | remark} {SRC-IP & SRC-WCMASK}
R1(config)# interface Int-#
R1(config-if)# ip access-group ACL-Name {in | out}

Example Standard Named ACL with a Remark


R1(config)# ip access-list standard No_Access
R1(config-std-nacl)# remark Denies access from host 192.168.1.10
R1(config-std-nacl)# deny host 192.168.1.10
R1(config-std-nacl)# permit any
R1(config-std-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group No_Access out

Editing a Standard ACL with New Replacement Statement


R1(config)# access-list 1 deny host 192.168.1.25    Denies host – carries an ACL sequence number of 10
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255    Permits rest of subnet – carries an ACL sequence number of 20
R1(config)# ip access-list standard 1    Going to correct an ACL statement
R1(config-std-nacl)# no 10    Removing sequence 10 statement
R1(config-std-nacl)# 10 deny host 192.168.1.10    Adding replacement statement to sequence 10 spot

Show Commands for ACL Verification


R1# show ip interface s0/0/0
R1# show access-list



R1# show access-list ACL-Number
R1# show access-list ACL-Name
R1# clear access-list counters ACL-Number    Clears the number of times the ACL has been acted against
R1# clear access-list counters ACL-Name    Clears the number of times the ACL has been acted against

Standard ACL Securing the VTY Lines


R1(config)# access-list 1 permit host 192.168.1.10    Permits host 192.168.1.10 access to VTY lines
R1(config)# access-list 1 deny any    Denies all other traffic to the VTY lines
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# access-class 1 in
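
A check that every `line vty` stanza in a saved configuration carries the three settings shown above, as an added example that is not part of the original guide. The function name and the sample configuration are constructed for illustration, and the sample goes beyond the guide's single `line vty 0 4` stanza by including a second range that was left unprotected.

```python
import re

def audit_vty(config):
    """Return (stanza, problem) findings for every 'line vty' block in IOS config text."""
    # Standard ACLs defined anywhere in the config, numbered or named.
    defined = set(re.findall(r"^access-list (\d+) ", config, re.M))
    defined |= set(re.findall(r"^ip access-list standard (\S+)", config, re.M))

    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())  # indented sub-command
        else:
            current = None  # any unindented line ends the stanza

    findings = []
    for name, body in stanzas.items():
        transport = [l for l in body if l.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append((name, "transport input is not restricted to ssh"))
        if "login local" not in body:
            findings.append((name, "login local missing"))
        acl = [l.split()[1] for l in body
               if l.startswith("access-class") and l.endswith(" in")]
        if not acl:
            findings.append((name, "no inbound access-class"))
        elif acl[0] not in defined:
            findings.append((name, f"access-class {acl[0]} is not defined"))
    return findings

# Constructed sample: vty 0 4 matches this guide, vty 5 15 was never hardened.
SAMPLE = """\
access-list 1 permit host 192.168.1.10
access-list 1 deny any
!
line vty 0 4
 access-class 1 in
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet
!
"""

if __name__ == "__main__":
    for stanza, problem in audit_vty(SAMPLE):
        print(f"{stanza}: {problem}")
```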

Extended ACL Syntax


access-list ACL-Number {deny | permit | remark}
Protocol                 Ex: icmp, tcp, udp, etc.
SRC-IP & SRC-WCMASK
DEST-IP & DEST-WCMASK
eq                       Equals
port {port-#}            Associates port-# or service to protocol
established              TCP only; for established or active traffic

EX: Extended Numbered ACL Applied to Interface


R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
R1(config)# access-list 102 permit tcp any 192.168.1.0 0.0.0.255 established
R1(config)# interface g0/0
R1(config-if)# ip access-group 101 in
R1(config-if)# ip access-group 102 out

EX: Extended Numbered ACL Denying FTP


R1(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ftp
R1(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ftp-data
R1(config)# access-list 101 permit ip any any    Permits all other traffic
R1(config)# interface g0/0
R1(config-if)# ip access-group 101 in

Or

R1(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 20
R1(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 21
R1(config)# access-list 101 permit ip any any Permits all other traffic
R1(config)# interface g0/0
R1(config-if)# ip access-group 101 in

EX: Extended Named ACL for Web Traffic


R1(config)# ip access-list extended SURFING
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80    Permits unsecure web traffic from subnet
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443    Permits secure web traffic from subnet
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended BROWSING
R1(config-ext-nacl)# permit tcp any 192.168.1.0 0.0.0.255 established    Permits established traffic to the subnet
R1(config-ext-nacl)# exit
R1(config)# interface g0/0
R1(config-if)# ip access-group SURFING in
R1(config-if)# ip access-group BROWSING out

EX: IPv6 ACL


R1(config)# ipv6 access-list NO-R3-LAN-ACCESS
R1(config-ipv6-acl)# deny ipv6 2001:db8:acad:30::/64 any
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
R1(config)# interface s0/0/0
R1(config-if)# ipv6 traffic-filter NO-R3-LAN-ACCESS in



Removing an IPv6 ACL
R1(config-if)# no ipv6 traffic-filter ACL-Name {in | out}
R1(config-if)# exit
R1(config)# no ipv6 access-list ACL-Name

EX: IPv6 ACL to Deny FTP


R1(config)# ipv6 access-list NO-FTP-TO-13
R1(config-ipv6-acl)# deny tcp any 2001:db8:acad:13::/64 eq ftp
R1(config-ipv6-acl)# deny tcp any 2001:db8:acad:13::/64 eq ftp-data
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
R1(config)# interface g0/0
R1(config-if)# ipv6 traffic-filter NO-FTP-TO-13 in

Using ACLs to Debug


R1(config)# access-list 100 permit udp any any eq 67
R1(config)# access-list 100 permit udp any any eq 68
R1(config)# end
R1# debug ip packet 100
R1# no debug ip packet 100



Chapter 6: NAT (Network Address Translation) for IPv4

Configuring Static NAT


R1(config)# ip nat inside source static LOCAL-IP GLOBAL-IP
R1(config)# interface Type-Number
R1(config-if)# ip nat inside Specifies the inside interface
R1(config-if)# exit
R1(config)# interface Type-Number
R1(config-if)# ip nat outside    Specifies the outside interface

Removing a Translation
R1(config)# no ip nat inside source static LOCAL-IP GLOBAL-IP

EX: Static NAT

R1(config)# ip nat inside source static 192.168.1.10 209.165.201.1    209.165.201.1 using actual interface address (used in above network example)
or
R1(config)# ip nat inside source static 192.168.1.10 209.165.201.254    209.165.201.254 using manually created IP address
R1(config)# interface s0/0/0
R1(config-if)# ip address 209.165.201.1 255.255.255.240
R1(config-if)# ip nat outside
R1(config-if)# exit
R1(config)# interface g0/0
R1(config-if)# ip nat inside

Configuring Dynamic NAT


R1(config)# ip nat pool NAME START-IP END-IP [netmask Mask | prefix-length LEN]
R1(config)# access-list ACL-NUMBER permit Source [Source-WCMASK]
R1(config)# ip nat inside source list ACL-NUMBER pool NAME
R1(config)# interface TYPE NUMBER
R1(config-if)# ip nat inside
R1(config)# interface TYPE NUMBER
R1(config-if)# ip nat outside

EX: Dynamic NAT


R1(config)# ip nat pool NAT-POOL1 209.1.1.1 209.1.1.15 netmask 255.255.255.240
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 pool NAT-POOL1
R1(config)# interface g0/0
R1(config-if)# ip nat inside
R1(config-if)# interface s0/0/0
R1(config-if)# ip nat outside

Verifying NAT Operations


R1# show ip nat translations
R1# show ip nat translations verbose
R1# clear ip nat translation *    Clears translation data
R1# clear ip nat statistics Clears statistics data
R1# show ip nat statistics

Clear a Simple Dynamic Translation Entry


R1# clear ip nat translation inside GLOBAL LOCAL [outside LOCAL GLOBAL]

Configuring PAT for a Pool of Public IP Addresses


R1(config)# ip nat pool NAME START-IP END-IP [netmask MASK | prefix-length LEN]

R1(config)# access-list ACL-NUMBER permit SOURCE [SOURCE-WCMASK]
R1(config)# ip nat inside source list ACL-NUMBER pool NAME overload
R1(config)# interface TYPE NUMBER
R1(config-if)# ip nat inside
R1(config)# interface TYPE NUMBER
R1(config-if)# ip nat outside

EX: Configuring PAT for a Pool of Public IP Addresses


R1(config)# ip nat pool NAT-POOL2 209.165.201.1 209.165.201.15 netmask 255.255.255.240
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 pool NAT-POOL2 overload
R1(config)# interface g0/0
R1(config-if)# ip nat inside
R1(config)# interface s0/0/0
R1(config-if)# ip nat outside

EX: Configuring PAT for a Single Public IP Address


R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface s0/0/0 overload
R1(config)# interface g0/0
R1(config-if)# ip nat inside
R1(config)# interface s0/0/0
R1(config-if)# ip nat outside

EX: Configuring Port Forwarding


R1(config)# ip nat inside source static tcp 192.168.1.254 80 209.1.2.255 8080
R1(config)# interface g0/0
R1(config-if)# ip nat inside
R1(config)# interface s0/0/0
R1(config-if)# ip nat outside



Commands to Troubleshoot NAT
R1# show access-list    Check the ACL for the translation
R1# show ip nat statistics
R1# show ip nat translations
R1# debug ip nat
R1# debug ip nat detailed

R1# no debug ip nat Turns off debug


R1# no debug ip nat detailed Turns off debug

Fixing Incorrect Inside Assignment and ACL Statement


R1(config)# int g0/0
R1(config-if)# no ip nat outside
R1(config-if)# ip nat inside

R1(config)# no access-list 1
R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255



Chapter 10: Network Management

Transferring Configurations to a TFTP Server


S1# copy running-config startup-config
S1# copy running-config tftp: *Copies config to TFTP
Address or name of remote host []? 192.168.1.3 *Replace address as needed
Source filename []? S1-confg.txt *Chosen filename
Destination filename [running-config]?
Accessing tftp://192.168.1.3/S1-confg.txt...
Loading Switch1-confg.txt from 192.168.1.3 (via Vlan1): !
[OK - 1580 bytes]
[OK]
1580 bytes copied in 9.118 secs (173 bytes/sec)
*Mar 1 00:21:16.242: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate

*Mar 1 00:21:16.251: %SYS-5-CONFIG_I: Configured from tftp://192.168.1.3/S1-confg.txt by console

S1# copy startup-config tftp: *Copies config to TFTP


Address or name of remote host []? 192.168.1.3 *Replace address as needed
Source filename []? S1-confg.txt *Chosen filename
Destination filename [running-config]?
Accessing tftp://192.168.1.3/S1-confg.txt...
Loading Switch1-confg.txt from 192.168.1.3 (via Vlan1): !
[OK - 1580 bytes]
[OK]
1580 bytes copied in 9.118 secs (173 bytes/sec)
*Mar 1 00:21:16.242: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate

*Mar 1 00:21:16.251: %SYS-5-CONFIG_I: Configured from tftp://192.168.1.3/S1-confg.txt by console

S1#

Copy a Router’s running Configuration to flash


R1# copy running-config flash:
Destination filename [running-config]? R1-running-config *Name your file
2169 bytes copied in 0.968 secs (2241 bytes/sec)

R1# dir flash: *Shows backup file on flash

R1# more flash:R1-running-config *Show contents of file

Restoring Running-config from Flash


Router# copy flash:R1-running-config running-config

Copy Running-config to USB Flash Drive


R1# copy running-config usb0:
Destination filename [running-config]? R1-running-config.txt *Name your file
2198 bytes copied in 0.708 secs (3105 bytes/sec)

R1# dir usb0: *Shows backup file on USB

Restoring Running-config from USB


Router# copy usb0:R1-running-config.txt running-config
Destination filename [running-config]?
2344 bytes copied in 0.184 secs (12739 bytes/sec)

R1#

Network Discovery with CDP


R1# show cdp interface | include interfaces *Only shows cdp interfaces
R1# show cdp entry S1 *Shows only data for S1

R1# show cdp traffic *Shows CDP packet data

Disable CDP
R1(config)# no cdp run

Enable Network Discovery with LLDP


R1(config)# lldp run



R1# show lldp entry S1 *Show only lldp data for S1

Configuring NTP

R1(config)# ntp master 4 *Configures NTP master with stratum of level 4
R2(config)# ntp server 10.22.0.1 *Configures R2 as a client pointing to the NTP server using IP address
R2(config)# ntp update-calendar *Periodically updates R2’s calendar and/or hardware clock
R1# show ntp status | include Clock *Displays NTP data to include Clock
R1# show ntp associations *Displays NTP data to include association components
