CCNA Switch & Router Configuration Cmds

The document is a comprehensive guide on Cisco commands for configuring routers and switches, covering topics such as entering privilege mode, setting passwords, configuring interfaces for IPv4 and IPv6, and implementing security practices. It includes detailed instructions for managing VLANs, DHCP settings, SSH configurations, and mitigating network attacks. Additionally, it provides commands for verifying configurations and managing network time protocols.

Uploaded by blaiseun

SAYED HAMZA JILLANI

CCNA- Portable Command Guide


Requirement                                   Cisco Command

Enter privilege mode                          Router>enable

Return to user mode                           Router# disable

Enter the configuration mode                  Router# configure terminal

Add a hostname for the router or switch       Router(config)#hostname router_name

Display the MOTD banner                       Router(config)#banner motd "type message here"

Password Encryption

Set a console password to cisco               Router(config)#line con 0
                                              Router(config-line)#password cisco
                                              Router(config-line)#login

Set a telnet password                         Router(config)#line vty 0 15
                                              Router(config-line)#password cisco
                                              Router(config-line)#login

Set the enable password to cisco              Router(config)#enable password cisco

Set the enable secret password. This          Router(config)#enable secret class
password overrides the enable password
and is stored encrypted in the config file.
Configuring a Gigabit Ethernet Interface with IPv4

Moves to gigabitethernet 0/0 interface        Router(config)#interface gigabitethernet 0/0
configuration mode

Optional descriptor of the link; locally      Router(config-if)#description Accounting LAN
significant

Assigns address and subnet mask to the        Router(config-if)#ip address 192.168.20.1 255.255.255.0
interface

Turns the interface on                        Router(config-if)#no shutdown

Configuring a Gigabit Ethernet Interface with IPv6

Enables the forwarding of IPv6 unicast        Router(config)#ipv6 unicast-routing
datagrams globally on the router

Moves to gigabitethernet 0/0 interface        Router(config)#interface gigabitethernet 0/0
configuration mode

Assigns an IPv6 address to this interface     Router(config-if)#ipv6 address 2001:db8:c003:1104::1/64

Optional descriptor of the link; locally      Router(config-if)#description Accounting LAN
significant

Configures a specific link-local IPv6         Router(config-if)#ipv6 address fe80::2 link-local
address

Turns the interface on                        Router(config-if)#no shutdown

Software / Network Engineer whatsapp | +923059299396 |

Basic Security Practices

Encrypt all passwords in the                  R(config)# service password-encryption
configuration file

Block login attempts for 120 seconds if       R(config)# login block-for 120 attempts 3 within 60
there are three failed login attempts
within 60 seconds

Set a minimum password length of 10           R(config)# security passwords min-length 10

Exec timeout on a router
  For the console line:                       R(config)# line console 0
                                              R(config-line)# exec-timeout 10
                                              R(config-line)# exit
  For the VTY lines:                          R(config)# line vty 0 15
                                              R(config-line)# exec-timeout 10
                                              R(config-line)# exit

SSH (a Cisco device supports SSH after these four steps)

Step 1: Configure the IP domain name.         R(config)# ip domain-name cisco.com

Step 2: Generate one-way secret keys.         R(config)# crypto key generate rsa
                                              (press Enter, then enter the modulus size: 1024)

Step 3: Verify or create a local database entry.
  Create a user Bop with a privilege level    R(config)# username Bop privilege 15 secret Class
  of 15 using the encrypted password Class.
  OR
  Create a user Bop with the password Class.  R(config)# username Bop password Class

Step 4: Enable VTY inbound SSH sessions.      R(config)# line vty 0 4
                                              R(config-line)# login local
                                              R(config-line)# transport input ssh
                                              R(config-line)# exit

SSH version 2                                 R(config)# ip ssh version 2

Limit to 2 authentication attempts            R(config)# ip ssh authentication-retries 2

A 60 second timeout                           R(config)# ip ssh time-out 60

Disable DNS lookup, to avoid user delays      R(config)# no ip domain-lookup
if no DNS server is configured

Save the current configuration from DRAM      Router# copy running-config startup-config
(running-config) to NVRAM (startup-config)

Save the current configuration from DRAM      Router# copy running-config tftp:
to a TFTP server                              Address or name of remote host []? 192.168.1.20
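The following Python checker is an added example, not part of this guide: it reads a saved running-config and reports which of the hardening settings from the Basic Security Practices and SSH sections above are missing or weak. The sample config is constructed (its hash and type-7 strings are placeholders).

```python
"""Audit an IOS running-config for the hardening settings listed above.

Added example, not part of the original guide. SAMPLE_CONFIG is constructed
(the hash and type-7 strings are placeholders) and the checks cover only the
commands the Basic Security Practices and SSH sections discuss.
"""
import re

SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
security passwords min-length 10
ip domain-name cisco.com
ip ssh version 1
login block-for 120 attempts 3 within 60
line con 0
 exec-timeout 10 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""


def parse_config(config):
    """Split config text into global commands and the commands under each 'line' section."""
    global_cmds, line_sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_sections[current].append(raw.strip())   # indented: belongs to the current line section
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            line_sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, line_sections


def audit(config):
    """Return findings as (severity, message) tuples in the order the checks run."""
    global_cmds, line_sections = parse_config(config)
    findings = []

    def first_match(pattern):
        return next((m for m in (re.match(pattern, c) for c in global_cmds) if m), None)

    if not first_match(r"service password-encryption$"):
        findings.append(("medium", "service password-encryption not set: line passwords stored in clear text"))
    if not first_match(r"enable secret "):
        findings.append(("high", "no enable secret: only the reversible enable password protects privileged mode"))
    m = first_match(r"security passwords min-length (\d+)$")
    if m is None or int(m.group(1)) < 10:
        findings.append(("low", "security passwords min-length absent or below 10"))
    if not first_match(r"login block-for \d+ attempts \d+ within \d+$"):
        findings.append(("medium", "login block-for not configured: failed logins are not throttled"))
    if not first_match(r"ip ssh version 2$"):
        findings.append(("high", "ip ssh version 2 not set: the device may still negotiate SSHv1"))

    for section, cmds in line_sections.items():
        if not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append(("low", f"{section}: no exec-timeout, idle sessions never expire"))
        if section.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input ")]
            # No explicit transport input line is treated as 'all' here (conservative assumption).
            allowed = transport[-1].split()[2:] if transport else ["all"]
            if "ssh" not in allowed or any(p in allowed for p in ("telnet", "all")):
                findings.append(("high", f"{section}: transport input allows {' '.join(allowed)}, expected ssh only"))
            if not any(c == "login" or c.startswith("login ") for c in cmds):
                findings.append(("high", f"{section}: no login / login local, verify that authentication is enforced"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {message}")
```

Feed it the output of show running-config saved to a file and it flags SSHv1, telnet on the VTY lines and missing exec-timeouts; a config with all of the above applied produces no findings.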

Configuring an SVI Interface with IPv4 on a Switch

Moves to VLAN interface configuration mode    Switch(config)#interface vlan 1

Assigns address and subnet mask to the        Switch(config-if)#ip address 192.168.0.1 255.255.255.0
interface

Configures the default gateway                Switch(config)#ip default-gateway 192.168.0.1

• Common show commands include:
    o show running-config
    o show interfaces
    o show ip interface brief
    o show arp
    o show ip route
    o show protocols
    o show version
• When using Windows, use the tracert command.
• When performing a trace from a router CLI, use the traceroute command.
• On a Windows computer, the IP address of the default gateway can be viewed by using the ipconfig command.
    o The ipconfig /all command can be used to view the MAC address as well as other important details regarding the Layer 3 addressing of the device.
    o The ipconfig /displaydns command displays all of the cached DNS entries on a Windows computer system.
• On a Windows computer, the arp -a command lists all devices currently stored in the ARP cache of a particular host.
• The ARP cache can be cleared using the command arp -d.
• show cdp neighbors detail
    o To disable CDP globally, use the global configuration command no cdp run. To disable CDP on an interface, use the interface command no cdp enable.
• Use the show ip route command to verify that the default route has been set.

Switch Port Security

Moves to interface configuration mode.        Switch(config)#interface fastethernet 0/1

Enables port security on the interface.       Switch(config-if)#switchport port-security

Sets a maximum limit of four MAC addresses    Switch(config-if)#switchport port-security maximum 4
that will be allowed on this port.

Static MAC Addresses

Sets a specific secure MAC address            Switch(config-if)#switchport port-security mac-address 1234.5678.90ab
1234.5678.90ab. You can add additional
secure MAC addresses up to the maximum
value configured.

Sticky MAC Addresses

Converts all dynamically learned port         Switch(config-if)#switchport port-security mac-address sticky
security MAC addresses to sticky secure
MAC addresses.

Security Violation

Configures port security to shut down the     Switch(config-if)#switchport port-security violation shutdown
interface if a security violation occurs.
NOTE In shutdown mode, the port is
errdisabled, a log entry is made, and
manual intervention or errdisable
recovery must be used to re-enable the
interface.

Configures port security to restrict mode     Switch(config-if)#switchport port-security violation restrict
if a security violation occurs.
NOTE In restrict mode, frames from a
non-allowed address are dropped, and a
log entry is made. The interface remains
operational.

Configures port security to protect mode      Switch(config-if)#switchport port-security violation protect
if a security violation occurs.
NOTE In protect mode, frames from a
non-allowed address are dropped, but no
log entry is made. The interface remains
operational.
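The model below is an added example, not code from the guide: it simulates one access port with the maximum, sticky learning and the three violation modes described above, so the difference between shutdown, restrict and protect can be observed on constructed MAC addresses.

```python
"""Model of the switchport port-security behaviour described above.

Added example, not part of the original guide: one access port with a
configurable maximum, optional sticky learning and the three violation
modes. All MAC addresses used in the demo are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 4                    # switchport port-security maximum <n>
    violation: str = "shutdown"         # shutdown | restrict | protect
    sticky: bool = False                # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)   # every MAC currently allowed
    static_macs: set = field(default_factory=set)   # configured with mac-address <mac>
    sticky_macs: set = field(default_factory=set)   # learned and written to the config
    errdisabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def add_static(self, mac):
        """switchport port-security mac-address <mac>: a pre-provisioned secure MAC."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("cannot add more secure MACs than the configured maximum")
        self.static_macs.add(mac.lower())
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame from src_mac, applying the violation mode."""
        mac = src_mac.lower()
        if self.errdisabled:
            return "drop"                           # an err-disabled port passes nothing
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)               # dynamically learned secure MAC
            if self.sticky:
                self.sticky_macs.add(mac)           # sticky: survives as a running-config line
            return "forward"
        # Unknown source MAC with the limit already reached: a security violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.errdisabled = True
            self.log.append(f"violation from {mac}: port err-disabled")
        elif self.violation == "restrict":
            self.violations += 1
            self.log.append(f"violation from {mac}: frame dropped")
        # protect: the frame is dropped silently, no log entry and no counter (modelled)
        return "drop"

    def errdisable_recovery(self):
        """shutdown / no shutdown or errdisable recovery: dynamic (non-sticky) MACs are flushed."""
        self.errdisabled = False
        self.secure_macs = self.static_macs | self.sticky_macs

    def running_config(self):
        """Interface configuration lines this port state would produce."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.sticky_macs)]
        return lines


def demo():
    """Four hosts are allowed; a fifth triggers restrict mode. Returns the port and the per-frame results."""
    port = SecurePort(maximum=4, violation="restrict", sticky=True)
    hosts = ["0000.aaaa.0001", "0000.aaaa.0002", "0000.aaaa.0003",
             "0000.aaaa.0004", "0000.aaaa.0005"]      # constructed MAC addresses
    return port, [port.receive(h) for h in hosts]
```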

Mitigate DHCP Attacks

DHCP Snooping Configuration Example

1. DHCP snooping is first enabled on S1.
2. The upstream interface to the DHCP server is explicitly trusted.
3. F0/5 to F0/24 are untrusted and are, therefore, rate limited to six packets per second.
4. Finally, DHCP snooping is enabled on VLANs 5, 10, 50, 51, and 52.

Mitigate ARP Attacks

Dynamic ARP Inspection
• DHCP snooping is enabled because DAI requires the DHCP snooping binding table to operate.
• Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN 10.
• The uplink port to the router is trusted, and therefore is configured as trusted for DHCP snooping and ARP inspection.

The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid.
• It can be used when the MAC addresses in the body of the ARP packets do not match the addresses that are specified in the Ethernet header.
• Notice in the following example how only one command can be configured. Therefore, entering multiple ip arp inspection validate commands overwrites the previous command.
• To include more than one validation method, enter them on the same command line as shown in the output.
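As an added example (not from the guide), the simulation below ties the two preceding sections together: a DHCP snooping binding table built from traffic on trusted and untrusted ports, the per-port rate limit, and DAI checking ARP packets against those bindings with the src-mac, dst-mac and ip validations. Port names, MACs and packets are all constructed.

```python
"""DHCP snooping binding table and Dynamic ARP Inspection, modelled in Python.

Added example, not part of the original guide. Server messages are accepted
only on trusted ports, untrusted ports are rate-limited (six DHCP packets per
second here), and ARP on untrusted ports is checked against the snooping
bindings plus the optional src-mac / dst-mac / ip validations. All ports,
MAC addresses and packets are constructed.
"""
import ipaddress
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=6, validate=()):
        self.trusted = set(trusted_ports)       # ip dhcp snooping trust / ip arp inspection trust
        self.rate_limit = rate_limit            # ip dhcp snooping limit rate <pps>
        self.validate = set(validate)           # ip arp inspection validate {src-mac dst-mac ip}
        self.bindings = {}                      # ip -> (mac, vlan, client port)
        self.client_ports = {}                  # mac -> untrusted port the client's request arrived on
        self.errdisabled = set()
        self.dhcp_counts = defaultdict(int)     # (port, second) -> DHCP packets seen

    def dhcp(self, port, second, msg, client_mac, yiaddr=None, vlan=10):
        """Process one DHCP message; return 'forward', 'drop' or 'errdisable'."""
        mac = client_mac.lower()
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            if msg == "ACK" and yiaddr:
                # Lease confirmed by the real server: bind the address to the client's own port.
                self.bindings[yiaddr] = (mac, vlan, self.client_ports.get(mac, "unknown"))
            return "forward"
        self.dhcp_counts[(port, second)] += 1
        if self.dhcp_counts[(port, second)] > self.rate_limit:
            self.errdisabled.add(port)          # rate limit exceeded: the port goes err-disabled
            return "errdisable"
        if msg in SERVER_MESSAGES:
            return "drop"                       # server replies never arrive on untrusted ports
        self.client_ports[mac] = port
        return "forward"

    def arp(self, port, vlan, eth_src, eth_dst, op, sender_mac, sender_ip, target_mac):
        """Return 'forward' or 'drop' for an ARP packet under DAI."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            return "forward"                    # trusted ports are not inspected
        if self.bindings.get(sender_ip) != (sender_mac.lower(), vlan, port):
            return "drop"                       # sender IP/MAC/VLAN/port not in the binding table
        if "src-mac" in self.validate and eth_src.lower() != sender_mac.lower():
            return "drop"                       # Ethernet source vs ARP sender hardware address
        if "dst-mac" in self.validate and op == "reply" and eth_dst.lower() != target_mac.lower():
            return "drop"                       # Ethernet destination vs ARP target hardware address
        if "ip" in self.validate:
            ip = ipaddress.ip_address(sender_ip)
            if ip.is_unspecified or ip.is_multicast or sender_ip == "255.255.255.255":
                return "drop"                   # invalid or unexpected sender IP
        return "forward"
```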


VLAN

Creating Static VLANs                         Switch(config)#vlan 3
                                              Switch(config-vlan)#name Engineering
                                              Switch(config-vlan)#exit

Assigning Ports as Access Ports to VLANs      Switch(config)#interface fastethernet 0/1
                                              Switch(config-if)#switchport mode access
                                              Switch(config-if)#switchport access vlan 10

Using the range Command                       Switch(config)#interface range fastethernet 0/1 - 9
                                              Switch(config-if-range)#switchport mode access
                                              Switch(config-if-range)#switchport access vlan 10

Configuring a Trunk Port (802.1Q)             Switch(config)#interface fastethernet 0/1
Puts the interface into permanent trunking    Switch(config-if)#switchport mode trunk
mode and negotiates to convert the link       Switch(config-if)#switchport trunk native vlan 99
into a trunk link.                            Switch(config-if)#switchport trunk allowed vlan 10,20,30,99

Verifying VLAN Information and Erasing VLAN Configurations

Verifying VLAN Information

Displays VLAN information                     Switch#show vlan

Displays VLAN information in brief            Switch#show vlan brief

Displays information about VLAN 2 only        Switch#show vlan id 2

Displays information about the VLAN named     Switch#show vlan name marketing
marketing only

Displays interface characteristics for the    Switch#show interfaces vlan x
specified VLAN

Displays VLAN information for all interfaces  Switch#show interfaces switchport

Erasing VLAN Configurations

Removes the entire VLAN database from flash.  Switch#delete flash:vlan.dat

Moves to interface configuration mode.        Switch(config)#interface fastethernet 0/5

Removes the port from VLAN 5 and reassigns    Switch(config-if)#no switchport access vlan 5
it to VLAN 1, the default VLAN.

Removes VLAN 5 from the VLAN database.        Switch(config)#no vlan 5
Inter-VLAN Communication Using an External Router: Router-on-a-Stick

Moves to interface configuration mode.        Router(config)#interface gigabitethernet 0/0

Enables the interface.                        Router(config-if)#no shutdown
                                              Router(config-if)#exit

Creates subinterface 0/0.10 and moves to      Router(config)#interface gigabitethernet 0/0.10
subinterface configuration mode.

(Optional) Sets the locally significant       Router(config-subif)#description HR VLAN 10
description of the subinterface.

Assigns VLAN 10 to this subinterface. This    Router(config-subif)#encapsulation dot1q 10
subinterface will use the 802.1Q trunking
protocol.

Assigns the IP address and netmask.           Router(config-subif)#ip address 192.168.10.1 255.255.255.0
                                              Router(config-subif)#exit

For the subinterface of the native VLAN

Creates subinterface 0/0.99 and moves to      Router(config)#interface gigabitethernet 0/0.99
subinterface configuration mode.

(Optional) Sets the locally significant       Router(config-subif)#description Management VLAN 99
description of the subinterface.

Assigns VLAN 99 to this subinterface. VLAN    Router(config-subif)#encapsulation dot1q 99 native
99 will be the native VLAN. This
subinterface will use the 802.1Q trunking
protocol.

Assigns the IP address and netmask.           Router(config-subif)#ip address 192.168.1.1 255.255.255.0
                                              Router(config-subif)#exit

Dynamic Host Configuration Protocol (DHCPv4)

Configuring a DHCP Server on an IOS Router

Creates a DHCP pool named internal. The       Router(config)#ip dhcp pool internal
name can be anything of your choosing.

Defines the range of addresses to be leased.  Router(dhcp-config)#network 172.16.10.0 255.255.255.0

Defines the address of the default router     Router(dhcp-config)#default-router 172.16.10.1
for the client.

Defines the address of the Domain Name        Router(dhcp-config)#dns-server 172.16.10.10
System (DNS) server for the client.

Defines the address of the NetBIOS server     Router(dhcp-config)#netbios-name-server <server-address>
for the client.

Defines the domain name for the client.       Router(dhcp-config)#domain-name cisco.com

Returns to global configuration mode.         Router(dhcp-config)#exit

Specifies the range of addresses not to be    Router(config)#ip dhcp excluded-address 172.16.10.1 172.16.10.9
leased out to clients.

Configuring a DHCP Helper Address

Moves to interface configuration mode.        Router(config)#interface gigabitethernet 0/0

DHCP broadcasts will be forwarded as a        Router(config-if)#ip helper-address 172.16.20.2
unicast to this specific address rather
than be dropped by the router.

DHCP Client on a Cisco IOS Software Ethernet Interface

Moves to interface configuration mode         Router(config)# interface gigabitethernet 0/0

Specifies that the interface acquire an IP    Router(config-if)# ip address dhcp
address through DHCP

Setting the System Clock

Typically, the date and time settings on a router or switch can be set using one of two methods:
• Manually configure the date and time, as shown in the figure
• Configure the Network Time Protocol (NTP)

Configure and Verify NTP

• Configure R1 to use an external public NTP server with an IP address of 209.165.200.225.
    R1# configure terminal
    R1(config)# ntp server 209.165.200.225
    R1(config)# end

• Verify that R1 is associated with the NTP server at IP address 209.165.200.225.
    R1# show ntp associations

• Verify that R1 is synchronized with the NTP server at IP address 209.165.200.225.
    R1# show ntp status

VTP, Extended VLANs, and DTP

1. VLAN Trunking Protocol (VTP):

Reduces administration in a switched network. A switch in VTP server mode can manage additions, deletions and renaming of VLANs across the domain.

VTP Configuration

1. Configure the VTP Server.                  S1(config)# vtp mode server

2. Configure the VTP Domain Name and          S1(config)# vtp domain CCNA
   Password.                                  S1(config)# vtp password cisco

3. Configure the VTP Clients.                 S2(config)# vtp mode client
                                              S2(config)# vtp domain CCNA
                                              S2(config)# vtp password cisco

4. Configure VLANs on the VTP Server.         S1(config)# vlan 10
                                              S1(config-vlan)# name Red

5. Verify the VTP Clients have received the   S2# show vtp status
   new VLAN information.                      S2# show vtp password

2. Extended VLANs
• Extended range VLANs are identified by a VLAN ID between 1006 and 4094.
• To configure an extended VLAN on a 2960 switch it must be set to VTP transparent mode. (By default 2960 switches do not support extended range VLANs.)

Configuring Extended VLANs

6. Configure VTP transparent mode.            S1(config)# vtp mode transparent

7. Create the extended VLAN.                  S1(config)# vlan 2000
                                              S1(config-vlan)# end

Dynamic Trunking Protocol (DTP)

Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP). DTP is a Cisco proprietary protocol.

DTP Configuration

• switchport mode access: the interface       S1(config-if)# switchport mode access
  becomes a nontrunk interface.

• switchport mode dynamic auto: the           S1(config-if)# switchport mode dynamic auto
  interface becomes a trunk if the
  neighboring interface is set to trunk or
  desirable mode.

• switchport mode dynamic desirable: the      S1(config-if)# switchport mode dynamic desirable
  interface becomes a trunk if the
  neighboring interface is set to trunk,
  desirable, or dynamic auto mode.

• switchport mode trunk: the interface        S1(config-if)# switchport mode trunk
  becomes a trunk even if the neighboring
  interface is not a trunk interface.

• switchport nonegotiate: prevents the        S1(config-if)# switchport nonegotiate
  interface from generating DTP frames.

• Use show dtp interface to verify DTP.       S1# show dtp interface

Layer 3 Switching

Multilayer switches provide high packet processing rates using hardware-based switching.
• Catalyst multilayer switches support the following types of Layer 3 interfaces:
    o Routed port: a Layer 3 interface
    o Switch virtual interface (SVI): a virtual interface for inter-VLAN routing

Layer 3 Switching Configuration

Configure G0/2 as a routed port and assign    MLS(config)# interface g0/2
an IP address.                                MLS(config-if)# no switchport
                                              MLS(config-if)# ip address 209.165.200.225 255.255.255.252

Configure SVIs on the MLS.                    MLS(config)# interface vlan 10
                                              MLS(config-if)# ip address 192.168.10.254 255.255.255.0
                                              MLS(config)# interface vlan 20
                                              MLS(config-if)# ip address 192.168.20.254 255.255.255.0

Enable routing.                               MLS(config)# ip routing

STP

Spanning Tree Protocol (STP) is a Layer 2 protocol that is needed especially when there are redundant links.

Changing the Spanning-Tree Mode

Enables PVST. This is the default setting.    Switch(config)#spanning-tree mode pvst

Enables Rapid PVST+.                          Switch(config)#spanning-tree mode rapid-pvst

Configuring the Root Primary Switch

Switch recalculates timers along with         Switch(config)#spanning-tree vlan 5 root primary
priority to allow the switch to become the
root switch for VLAN 5.

Configuring the Root Secondary Switch

Switch recalculates timers along with         Switch(config)#spanning-tree vlan 10 root secondary
priority to allow the switch to become the
root switch for VLAN 5 should the primary
root switch fail.

Configuring by the Switch Priority

Configures the switch priority of VLAN 5      Switch(config)#spanning-tree vlan 5 priority 24576
to 24576.
CAUTION Cisco recommends caution when using this command. Cisco further recommends that the spanning-tree vlan x root primary or the spanning-tree vlan x root secondary command be used instead to modify the switch priority.

Optional STP Configurations

PortFast

Enters interface range configuration mode.    Switch(config)#interface range fastethernet 0/1 - 5

Enables PortFast on the access ports.         Switch(config-if-range)#spanning-tree portfast

BPDU Guard

Enters interface range configuration mode.    Switch(config)#interface range fastethernet 0/1 - 5

Enables BPDU Guard on the interfaces.         Switch(config-if-range)#spanning-tree bpduguard enable

Verifying STP

Displays STP information                      Switch#show spanning-tree

Displays STP information on active            Switch#show spanning-tree active
interfaces only

Displays a brief status of the STP            Switch#show spanning-tree brief

Displays a detailed summary of interface      Switch#show spanning-tree detail
information

Displays STP information for interface        Switch#show spanning-tree interface gigabitethernet 0/1
gigabitethernet 0/1

Displays a summary of port states             Switch#show spanning-tree summary

Edge Ports

• PortFast is used on ports that have end devices attached.
    o Puts a port in the forwarding state
    o Allows DHCP to work properly
• BPDU Guard disables a port that has PortFast configured on it if a BPDU is received.

EtherChannel

• EtherChannel groups multiple physical ports into one or more logical EtherChannel links.

Link Aggregation Protocols:

1. Port Aggregation Protocol (PAgP): Cisco-proprietary protocol
2. Link Aggregation Control Protocol (LACP): part of the IEEE 802.3ad standard

• To create a channel in PAgP, the two sides must be set to
    o Auto-Desirable
    o Desirable-Desirable
• To create a channel in LACP, the two sides must be set to
    o Active-Active
    o Active-Passive
• The following configuration creates an EtherChannel with LACP and configures trunking.

• Step 1: Specify the interfaces that compose the EtherChannel group.
• Step 2: Create the port channel interface with the channel-group command in active mode. (The channel group number needs to be selected.)
• Step 3: Change Layer 2 settings in port channel interface configuration mode.

EtherChannel with LACP and trunking

Places the interfaces into an active          S1(config)#interface range fastethernet 0/1 - 2
negotiating state: S1 will send LACP          S1(config-if-range)#channel-group 1 mode active
packets to start negotiations.                S1(config-if-range)#exit

Configure the port channel.                   S1(config)#interface port-channel 1
                                              S1(config-if)# switchport mode trunk
                                              S1(config-if)# switchport trunk native vlan 999
                                              S1(config-if)# switchport trunk allowed vlan 1,10,20
                                              S1(config-if)#exit

Places the interfaces into a passive          S1(config)#interface range fastethernet 0/1 - 2
negotiating state: S1 will respond to LACP    S1(config-if-range)#channel-group 1 mode passive
packets but will not initiate LACP            S1(config-if-range)#exit
negotiation.

Configure the port channel.                   S1(config)#interface port-channel 1
                                              S1(config-if)# switchport mode trunk
                                              S1(config-if)# switchport trunk native vlan 999
                                              S1(config-if)# switchport trunk allowed vlan 1,10,20
                                              S1(config-if)#exit

EtherChannel with PAgP and trunking

Places the interfaces into an active          S1(config)#interface range fastethernet 0/1 - 2
negotiating state: S1 will send PAgP          S1(config-if-range)#channel-group 1 mode desirable
packets to start negotiations.                S1(config-if-range)#exit

Configure the port channel.                   S1(config)#interface port-channel 1
                                              S1(config-if)# switchport mode trunk
                                              S1(config-if)# switchport trunk native vlan 999
                                              S1(config-if)# switchport trunk allowed vlan 1,10,20

Places the interfaces into a passive          S1(config)#interface range fastethernet 0/1 - 2
negotiating state: S1 will respond to PAgP    S1(config-if-range)#channel-group 1 mode auto
packets but will not initiate PAgP            S1(config-if-range)#exit
negotiation.

Configure the port channel.                   S1(config)#interface port-channel 1
                                              S1(config-if)# switchport mode trunk
                                              S1(config-if)# switchport trunk native vlan 999
                                              S1(config-if)# switchport trunk allowed vlan 1,10,20

Verifying EtherChannel

Displays all EtherChannel information         Switch#show etherchannel

Displays port channel information             Switch#show etherchannel 1 port-channel

Displays a summary of EtherChannel            Switch#show etherchannel summary
information

Displays the general status of                Switch#show interface port-channel 1
EtherChannel 1

Shows PAgP neighbor information               Switch#show pagp neighbor

HSRP

First Hop Redundancy Protocols
• To prevent a single point of failure at the default gateway, implement a virtual router.
• First Hop Redundancy Protocols:
    o Hot Standby Router Protocol (HSRP)
    o Virtual Router Redundancy Protocol (VRRP)
    o Gateway Load Balancing Protocol (GLBP)

HSRP Configuration Commands

Step 1. Configure HSRP version 2.
Step 2. Configure the virtual IP address for the group.
Step 3. Configure the priority for the desired active router to be greater than 100.
Step 4. Configure the active router to preempt the standby router in cases where the active router comes online after the standby router.

Static Route

There are two common types of static routes in the routing table:
• Static route to a specific network
• Default static route

Configuring a Static Route on a Router

When using the ip route command, you can identify where packets should be routed in two ways:
• The next-hop address
• The exit interface

10.1.1.0 = destination network.               R1(config)#ip route 10.1.1.0 255.255.255.0 209.165.200.226
255.255.255.0 = subnet mask.
209.165.200.226 = next-hop address.
Read this to say, "To get to the destination
network of 10.1.1.0, with a subnet mask of
255.255.255.0, send all packets to
209.165.200.226."

10.1.1.0 = destination network.               R1(config)#ip route 10.1.1.0 255.255.255.0 serial 0/0/0
255.255.255.0 = subnet mask.
serial 0/0/0 = exit interface.
Read this to say, "To get to the destination
network of 10.1.1.0, with a subnet mask of
255.255.255.0, send all packets out
interface serial 0/0/0."

Configuring a Default Route on a Router

Send all packets destined for networks not    Router(config)# ip route 0.0.0.0 0.0.0.0 209.165.200.226
in my routing table to next hop IP
209.165.200.226.

Send all packets destined for networks not    Router(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0
in my routing table out my exit interface
serial 0/0/0.

Floating Static Route

Configures a primary static route. Because    Router(config)#ip route 209.165.200.224 255.255.255.248 S0/0/0
no administrative distance is configured,
the default value (1) is used for this
static route.

Configures a floating static route with an    Router(config)#ip route 209.165.200.224 255.255.255.248 S0/0/1 5
administrative distance of 5.

Verifying Static Routes

To display the contents of the IP routing     Router# show ip route
table, enter one of the following commands:   Router# show ip route static
                                              Router# show ip route network
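The following Python model is an added example, not from the guide: it shows how the static, default and floating static routes above are installed and selected (next hop must be reachable, exit interface must be up, lowest administrative distance wins, longest prefix match on lookup) and how the AD 5 backup takes over when the primary link fails. The interface addresses and the backup route are constructed; the other routes are the page's own.

```python
"""Routing-table selection for the static and floating static routes shown above.

Added example, not part of the original guide: models how IOS installs static
routes (next hop must be reachable, exit interface must be up, lowest
administrative distance wins per prefix) and how a floating static route
with AD 5 takes over when the primary path fails. Interface addresses and the
backup route are constructed; the other routes are the page's own.
"""
import ipaddress


class StaticRouter:
    def __init__(self):
        self.interfaces = {}    # name -> {"net": connected IPv4Network, "up": bool}
        self.statics = []       # (IPv4Network, ad, next_hop or None, exit_if or None)

    def interface(self, name, address, mask, up=True):
        """ip address <address> <mask> plus shutdown / no shutdown."""
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        self.interfaces[name] = {"net": net, "up": up}

    def ip_route(self, prefix, mask, via, ad=1):
        """ip route <prefix> <mask> {next-hop | exit-interface} [distance]"""
        net = ipaddress.ip_network(f"{prefix}/{mask}")
        if via[0].isdigit():
            self.statics.append((net, ad, ipaddress.ip_address(via), None))
        else:
            self.statics.append((net, ad, None, via))

    def _exit_for(self, next_hop):
        """Resolve a next hop to the up interface whose connected network contains it."""
        for name, intf in self.interfaces.items():
            if intf["up"] and next_hop in intf["net"]:
                return name
        return None

    def routing_table(self):
        """{network: (ad, next_hop, exit_if)} holding only usable, best-AD routes."""
        table = {intf["net"]: (0, None, name)          # connected routes, AD 0
                 for name, intf in self.interfaces.items() if intf["up"]}
        for net, ad, nh, exit_if in self.statics:
            if nh is not None:
                exit_if = self._exit_for(nh)
                if exit_if is None:
                    continue                            # next hop unreachable: not installed
            elif not self.interfaces.get(exit_if, {}).get("up"):
                continue                                # exit interface down: route withdrawn
            if net not in table or ad < table[net][0]:
                table[net] = (ad, nh, exit_if)          # the AD 5 floating route loses while the AD 1 route is usable
        return table

    def lookup(self, destination):
        """Longest-prefix match; returns (network, ad, next_hop, exit_if) or None."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, (ad, nh, exit_if) in self.routing_table().items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ad, nh, exit_if)
        return best


def build_demo_router():
    """R1 with two serial links (constructed addresses) and the routes from this section."""
    r = StaticRouter()
    r.interface("Serial0/0/0", "209.165.200.225", "255.255.255.252")   # constructed: next hop .226 is on this link
    r.interface("Serial0/0/1", "209.165.200.229", "255.255.255.252")   # constructed backup link
    r.ip_route("10.1.1.0", "255.255.255.0", "209.165.200.226")        # page: static route via next hop, AD 1
    r.ip_route("10.1.1.0", "255.255.255.0", "Serial0/0/1", ad=5)      # constructed floating static, AD 5
    r.ip_route("0.0.0.0", "0.0.0.0", "209.165.200.226")               # page: default route via next hop
    return r


def failover_demo():
    """Return the selected route for 10.1.1.5 before and after Serial0/0/0 goes down."""
    r = build_demo_router()
    before = r.lookup("10.1.1.5")
    r.interface("Serial0/0/0", "209.165.200.225", "255.255.255.252", up=False)
    after = r.lookup("10.1.1.5")
    return before, after
```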

Dynamic Routing

Open Shortest Path First (OSPF)

1. Single-Area OSPF

Configuring Single-Area OSPF

Starts OSPF process 100. The process ID is    R2(config)#router ospf 100
any positive integer value between 1 and
65,535. The process ID is not related to
the OSPF area.

Router ID

Sets the router ID to 10.1.1.1. If this       Router(config-router)# router-id 10.1.1.1
command is used on an OSPF router process
that is already active (has neighbors), the
new router ID is used at the next reload or
at a manual OSPF process restart.

Network Statements

OSPF advertises interfaces, not networks.     R2(config-router)# network 172.16.2.0 0.0.0.255 area 0
Uses the wildcard mask to determine which     R2(config-router)# network 172.16.3.0 0.0.0.3 area 0
interfaces to advertise.                      R2(config-router)# network 192.168.10.8 0.0.0.3 area 0

OR                                            OR

Read this line to say "Any interface with     R2(config-router)# network 172.16.2.2 0.0.0.0 area 0
an exact address of 192.168.10.9, 172.16.3.1  R2(config-router)# network 172.16.3.1 0.0.0.0 area 0
and 172.16.2.2 is to be put into area 0."     R2(config-router)# network 192.168.10.9 0.0.0.0 area 0

Passive Interfaces

1. Disables the sending of routing updates    Router(config-router)# passive-interface fastethernet 0/0
   on this interface.

2. Disables the sending of routing updates    Router(config-router)# passive-interface default
   out all interfaces. Then enables routing   Router(config-router)# no passive-interface serial 0/0/1
   updates to be sent out interface serial
   0/0/1, thereby allowing neighbor
   adjacencies to form.

OSPF auto-cost reference-bandwidth

Changes the reference bandwidth that OSPF     Router(config-router)# auto-cost reference-bandwidth 1000
uses to calculate the cost of an interface,
so that costs are accurate for links up to
1 Gbps.

Propagating a Default Route

Creates a default route.                      Router(config)#ip route 0.0.0.0 0.0.0.0 s0/0/0

Starts OSPF process 100.                      Router(config)#router ospf 100

Sets the default route to be propagated to    Router(config-router)#default-information originate
all OSPF routers.

Timers

Changes the Hello Interval timer to 20        Router(config)# interface S0/0/0
seconds. Changes the Dead Interval timer      Router(config-if)#ip ospf hello-interval 20
to 80 seconds.                                Router(config-if)#ip ospf dead-interval 80
NOTE Hello and Dead Interval timers must
match for routers to become neighbors.

Modifying Cost Metrics

Changes the router to interface               Router(config)#interface serial 0/0/0
configuration mode.

If you change the bandwidth, OSPF             Router(config-if)# bandwidth 128
recalculates the cost of the link.

OR

Changes the cost to a value of 1564.          Router(config-if)#ip ospf cost 1564

NOTE The cost of a link is determined by
dividing the reference bandwidth by the
interface bandwidth. The bandwidth of the
interface is a number between 1 and
10,000,000. The unit of measurement is
kilobits. The cost is a number between 1
and 65,535. The cost has no unit of
measurement; it is just a number.

Multi-Area OSPF

Configuring Multi-Area OSPF

Starts OSPF process 1. The process ID is      R1(config)# router ospf 1
any positive integer value between 1 and
65,535. The process ID is not related to
the OSPF area.

Read this line to say "Any interface with     Router(config-router)# network 192.168.10.0 0.0.0.3 area 0
an address matching 192.168.10.0 with
wildcard 0.0.0.3 (192.168.10.0 to
192.168.10.3) is to be put into area 0."

Uses the wildcard mask to determine which     Router(config-router)# network 10.1.1.0 0.0.0.255 area 1
interfaces to advertise.                      Router(config-router)# network 10.1.2.0 0.0.0.255 area 1

OR                                            OR

Read this line to say "Any interface with     Router(config-router)# network 10.1.1.1 0.0.0.0 area 1
an exact address of 10.1.1.1 and 10.1.2.1     Router(config-router)# network 10.1.2.1 0.0.0.0 area 1
is to be put into area 1."

Commands to verify multi-area OSPFv2:
• show ip ospf neighbor
• show ip ospf
• show ip ospf interface
• show ip protocols
• show ip ospf interface brief
• show ip route ospf
• show ip ospf database
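As an added example (not code from the guide), the block below applies the wildcard-mask matching from both the single-area and multi-area sections to a set of constructed interface addresses, models passive-interface handling, and computes the interface cost from the reference bandwidth as the Modifying Cost Metrics note describes. It goes slightly beyond the text in applying the most-specific statement first and clamping the cost to 1..65535; the network statements themselves are the page's own.

```python
"""How OSPF network statements select interfaces, plus the interface cost formula.

Added example, not part of the original guide. The interface names and
addresses are constructed; the network statements come from the page.
"""
import ipaddress


def wildcard_match(interface_ip, network, wildcard):
    """True when all bits that are 0 in the wildcard agree between interface_ip and network."""
    ip = int(ipaddress.ip_address(interface_ip))
    net = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (ip & care) == (net & care)


def ospf_interfaces(interfaces, network_statements, passive_default=False, passive=(), no_passive=()):
    """Return {interface: {"area": n, "passive": bool}} for every interface OSPF enables.

    interfaces: {name: ip}. network_statements: [(network, wildcard, area)].
    IOS keeps network statements sorted most-specific first, so an exact-match
    (0.0.0.0 wildcard) statement decides the area over a broader one (modelled).
    """
    ordered = sorted(network_statements,
                     key=lambda s: bin(int(ipaddress.ip_address(s[1]))).count("1"))
    result = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in ordered:
            if wildcard_match(ip, network, wildcard):
                # passive-interface default + no passive-interface X, or explicit passive-interface X
                is_passive = name in passive or (passive_default and name not in no_passive)
                result[name] = {"area": area, "passive": is_passive}
                break           # OSPF advertises the interface; later statements do not matter
    return result


def ospf_cost(bandwidth_kbps, reference_mbps=100):
    """Interface cost = reference bandwidth / interface bandwidth, clamped to 1..65535."""
    cost = (reference_mbps * 1000) // bandwidth_kbps
    return max(1, min(65535, cost))


# Constructed R2 interfaces; the three statements match the single-area section above.
R2_INTERFACES = {"GigabitEthernet0/0": "172.16.2.2", "Serial0/0/0": "172.16.3.1",
                 "Serial0/0/1": "192.168.10.9", "Loopback0": "10.1.1.1"}
R2_NETWORKS = [("172.16.2.0", "0.0.0.255", 0), ("172.16.3.0", "0.0.0.3", 0),
               ("192.168.10.8", "0.0.0.3", 0)]
```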


Device Discovery with CDP

• For Cisco devices, CDP is enabled by default.

• Device Discovery with CDP


To enable CDP globally for all the supported interfaces on the
R1(config)# cdp run
device.
R1(config)# interface g 0/1
To enable CDP on the specific interface again,
R1(config-if)# cdp enable
 Use the show command to display the interfaces that are CDP-
enabled on a device. R1# show cdp interface
 Use the show command can be used to determine the network R1# show cdp neighbors
layout R1# show cdp neighbors detail

Device Discovery with LLDP

• Link Layer Discovery Protocol (LLDP) is a vendor-neutral neighbor discovery protocol similar to CDP. On Cisco IOS it is disabled by default. The same caveat as for CDP applies: it advertises device details to neighbors, so do not run it on interfaces facing untrusted networks.

To enable LLDP globally for all the supported interfaces on the device, use the following command in global configuration mode:
    Switch(config)# lldp run

To enable LLDP again on a specific interface (transmit and receive are controlled separately):
    Switch(config)# interface gigabitethernet 0/1
    Switch(config-if)# lldp transmit
    Switch(config-if)# lldp receive

With LLDP enabled, device neighbors can be discovered:
    S1# show lldp neighbors
    S1# show lldp neighbors detail


Router and Switch File Maintenance


Using TFTP to Back Up and Restore a Configuration
Follow these steps to back up the running configuration to a TFTP server:
Step 1. Enter the copy running-config tftp command.
Step 2. Enter the IP address of the host where the configuration file will be stored.
Step 3. Enter the name to assign to the configuration file.
Step 4. Press Enter to confirm each choice.
Use the following steps to restore the running configuration from a TFTP server:
Step 1. Enter the copy tftp running-config command.
Step 2. Enter the IP address of the host where the configuration file is stored.
Step 3. Enter the name of the configuration file to restore.
Step 4. Press Enter to confirm each choice.
Note: copying into running-config merges the file with the current configuration rather than replacing it; for an exact restore, copy into startup-config and reload.
Note: TFTP has no authentication or encryption, and the saved file contains the device's password hashes, SNMP community strings and keys. Run the TFTP server on the management network only, restrict access to the stored files, and prefer an authenticated transport such as SCP (copy running-config scp:) where the IOS image supports it.

R1# copy running-config tftp


Remote host []?192.168.10.254
Name of the configuration file to write[R1-config]? R1-Jan-2019
Write file R1-Jan-2019 to 192.168.10.254? [confirm]
Writing R1-Jan-2019 !!!!!! [OK]

Using USB to Back Up and Restore a Configuration


R1# copy running-config usbflash0:
Destination filename [running-config]? R1-Config
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
5024 bytes copied in 1.796 secs (2797 bytes/sec)
R1#


Password Recovery Procedures


Passwords on devices are used to prevent unauthorized access. Hashed passwords, such as the enable secret password, cannot be read back, so they must be replaced during recovery. Depending on the device, the detailed procedure for password recovery varies.
However, all the password recovery procedures follow the same principle:
Step 1. Enter the ROMMON mode. With console access, a user can access the ROMMON mode by using a break sequence during the boot up process or by removing the external flash memory when the device is powered off.
When successful, the rommon 1 > prompt displays, as shown in the example.
Step 2. Change the configuration register. The confreg 0x2142 command sets the configuration register to 0x2142, which causes the device to ignore the startup config file during startup. Reset the device; it boots with an empty configuration.
Step 3. Copy the startup-config to the running-config. The interfaces come back administratively down, so enter no shutdown on each interface that is in use.
CAUTION: Do not enter copy running-config startup-config at this point. This command erases your original startup configuration.
Step 4. Change the password.
Step 5. Change the configuration register back to 0x2102, then save the running-config as the new startup-config. If the register is left at 0x2142, the device ignores its startup-config on every boot and the passwords are never enforced.
Step 6. Reload the device.
The whole procedure needs nothing but console access, so the console port must be physically protected. On platforms that support it, the no service password-recovery command disables this procedure, at the cost of a factory reset if the password is ever lost.
Readonly ROMMON initialized
monitor: command "boot" aborted due to user interrupt
rommon 1 >
rommon 1 > confreg 0x2142
rommon 2 > reset
System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.
(output omitted)
Router# copy startup-config running-config
Destination filename [running-config]?
1450 bytes copied in 0.156 secs (9295 bytes/sec)
R1#
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# enable secret cisco

R1(config)# config-register 0x2102


R1(config)# end
R1# copy running-config startup-config
Destination filename [startup-config]? Building configuration...
[OK]
R1#
R1# reload
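The whole recovery hinges on one bit of the configuration register, and forgetting to clear it is the classic way to leave a router that enforces no passwords at all. As an added example that is not from this guide, the Python below decodes a register value as typed at the ROMMON or IOS prompt and lists what still has to be fixed before the device goes back into service. The bit meanings are the documented IOS ones; only the bits relevant to this procedure are decoded, and the finding texts are this example's own wording.

```python
"""Added example (not from the guide): decode a Cisco configuration register so
the value typed during recovery (0x2142) and the value restored afterwards
(0x2102) can be checked before the final reload. Bit meanings follow the IOS
configuration-register documentation; only the bits relevant here are decoded:
  bits 0-3  boot field (0x0 stay in ROMMON, 0x1 boot the first image in flash,
            0x2-0xF use the boot system commands)
  bit 6     0x0040  ignore NVRAM (the startup-config) on boot
  bit 8     0x0100  console break disabled once IOS is running
  bit 13    0x2000  boot default ROM software if network boot fails"""
from typing import Dict, List

IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100
ROM_FALLBACK = 0x2000

def parse_confreg(text: str) -> int:
    """Accept the value as typed at the prompt: '0x2142' or '2142'."""
    t = text.strip().lower()
    return int(t[2:] if t.startswith("0x") else t, 16)

def decode_confreg(value: int) -> Dict[str, object]:
    boot_field = value & 0x000F
    if boot_field == 0x0:
        boot = "ROMMON"
    elif boot_field == 0x1:
        boot = "first image in flash"
    else:
        boot = "boot system commands"
    return {
        "boot": boot,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }

def recovery_findings(value: int) -> List[str]:
    """What must be fixed before the device goes back into service."""
    d = decode_confreg(value)
    findings: List[str] = []
    if d["ignore_startup_config"]:
        findings.append("bit 6 set: startup-config ignored on every boot, no passwords "
                        "enforced; enter config-register 0x2102")
    if not d["break_disabled"]:
        findings.append("bit 8 clear: console break honoured after boot, anyone on the "
                        "console can drop to ROMMON")
    if d["boot"] == "ROMMON":
        findings.append("boot field 0x0: device stops in ROMMON instead of loading IOS")
    return findings

if __name__ == "__main__":
    for reg in ("0x2142", "0x2102", "0x2100"):
        value = parse_confreg(reg)
        print(reg, decode_confreg(value), recovery_findings(value))
```

Run before the final `reload` in the procedure above: `recovery_findings(parse_confreg("0x2102"))` must come back empty, and the register shown by `show version` is the value to feed it.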


IOS Image Management


TFTP Servers as a Backup Location

Copy an IOS Image to a Device Example

The boot system Command

Before pointing boot system at a newly copied image, check it on the device with verify /md5 flash0:filename and compare the result with the hash Cisco publishes for that release; an image that does not match should not be booted. boot system entries are tried in the order configured, so a known-good fallback image can be listed second.

R1# configure terminal
R1(config)# boot system flash0:isr4200-universalk9_ias.16.09.04.SPA.bin
R1(config)# exit
R1# copy running-config startup-config
R1# reload


ACLs for IPv4 Configuration


1. Standard IPv4 ACL
a. Numbered Standard IPv4 ACL Syntax

A numbered standard ACL is built with the access-list access-list-number { permit | deny | remark } source [source-wildcard] global command, using numbers 1-99 or 1300-1999. It filters on source address only, which is why it is placed as close to the destination as possible.

Apply a Standard IPv4 ACL

The ACL takes effect only once it is applied to an interface with ip access-group access-list-number { in | out }. Every ACL ends with an implicit deny any, so a list that contains only permit statements blocks all other traffic.

Numbered Standard ACL Example

The example ACL permits traffic from host 192.168.10.10 and all hosts on the 192.168.20.0/24 network out interface serial 0/1/0 on router R1.


b. Named Standard ACL

Named standard ACLs are created with ip access-list standard access-list-name, with the permit and deny statements entered in named ACL configuration mode. The example ACL permits traffic from host 192.168.10.10 and all hosts on the 192.168.20.0/24 network out interface serial 0/1/0 on router R1.

• Use the show access-lists command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.

• Secure VTY Ports with a Standard IPv4 ACL
A standard ACL that permits only the management hosts is applied to the vty lines with access-class access-list-name in under line vty configuration, so SSH sessions from any other source address are refused before authentication is even attempted.


Modify IPv4 ACLs


There are two methods to use when modifying an ACL:
1. Use a text editor.
   To correct an error in an ACL:
   • Copy the ACL from the running configuration and paste it into the text editor.
   • Make the necessary edits or changes.
   • Remove the previously configured ACL on the router.
   • Copy and paste the edited ACL back to the router.
   While the ACL does not exist, an interface that still references it passes all traffic, so remove the ip access-group from the interface first (or do the edit with sequence numbers instead).
2. Use sequence numbers.
   An ACL ACE can be deleted or added using the ACL sequence numbers.
   • Use the ip access-list standard command to edit an ACL.
   • Statements cannot be overwritten using an existing sequence number. The current statement must be deleted first with the no 10 command. Then the correct ACE can be added using that sequence number.

Named ACLs can also use sequence numbers to delete and add ACEs. In the example an ACE is added to deny host 192.168.10.11.


Extended IPv4 ACLs


Extended ACLs provide a greater degree of control. They can filter on source address, destination address, protocol (e.g., IP, TCP, UDP, ICMP), and port number.
Extended ACLs can be created as:
• Numbered Extended ACL - Created using the access-list access-list-number global configuration command (numbers 100-199 or 2000-2699).
• Named Extended ACL - Created using the ip access-list extended access-list-name command.
Protocols and Port Numbers Configuration Examples
• Extended ACLs can filter on different port number and port name options.
• This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port name. The second ACE uses the port number 80. Both ACEs achieve exactly the same result.
• Configuring the port number is required when there is no specific protocol name listed, such as SSH (port number 22) or HTTPS (port number 443), as shown in the next example.

Apply a Numbered Extended IPv4 ACL

• In this example, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0 network to go to any destination.
• Extended ACLs can be applied in various locations. However, they are commonly applied close to the source. Here ACL 110 is applied inbound on the R1 G0/0/0 interface.

TCP Established Extended ACL

An extended ACL can give a basic, stateless approximation of a stateful firewall with the established keyword.
• The established keyword permits inside traffic to leave the inside private network and permits the returning reply traffic to enter it.
• TCP traffic generated by an outside host attempting to open a connection to an inside host is denied.
• established matches only TCP segments with the ACK or RST bit set; it keeps no connection table, so a crafted packet with ACK set passes it regardless of whether a session exists. Treat it as a filter, not as a stateful firewall.


Named Extended IPv4 ACL


Naming an ACL makes it easier to understand its function. To create a named extended ACL, use the ip access-list extended access-list-name global configuration command.

For example:
ACL 103 allows requests to port 80 and 443.
ACL 104 allows established HTTP and HTTPS replies.
The established parameter allows only responses to traffic that originates from the 192.168.10.0/24 network to return to that network.

o The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied.
o The show access-lists command can be used to confirm that the ACLs work as expected. The command displays statistic counters that increase whenever an ACE is matched.
Note: Traffic must be generated to verify the operation of the ACL.
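The two ACLs above (web requests out, established replies back) and the sequence-number editing described under Modify IPv4 ACLs are easier to reason about when the matching rules are written down as code. As an added example that is not part of this guide, the Python below evaluates IPv4 ACLs the way IOS does: ACEs are tried in ascending sequence number, the first match decides and bumps that ACE's counter (what show access-lists reports), every list ends with an implicit deny, and established matches only TCP segments with ACK or RST set. The ACL names SURFING and BROWSING, the outside host 203.0.113.5 and all sample packets are constructed for this example; the 192.168.10.0/24 inside network is the guide's.

```python
"""Added example (not from the guide): a small IPv4 ACL evaluator following IOS
processing order. ACEs are tried by ascending sequence number, the first match
decides and increments that ACE's counter, the list ends with an implicit deny,
and 'established' matches only TCP segments with ACK or RST set. ACL names,
the outside host and the sample packets are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # (address, wildcard) for 'any'
INSIDE = ("192.168.10.0", "0.0.0.255")      # the guide's inside LAN

def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # ip | tcp | udp | icmp
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP flags; only 'established' looks at them
    rst: bool = False

@dataclass
class ACE:
    seq: int
    action: str                # permit | deny
    proto: str = "ip"          # 'ip' matches every protocol
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None      # 'eq <port>' on the destination
    established: bool = False
    hits: int = 0                    # the show access-lists match counter

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and (p.ack or p.rst)):
            return False
        return True

@dataclass
class ACL:
    name: str
    aces: List[ACE] = field(default_factory=list)

    def add(self, ace: ACE) -> None:
        # IOS will not overwrite an existing sequence number: 'no <seq>' first.
        if any(a.seq == ace.seq for a in self.aces):
            raise ValueError(f"sequence {ace.seq} exists; remove it with 'no {ace.seq}' first")
        self.aces.append(ace)

    def remove(self, seq: int) -> None:
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, p: Packet) -> str:
        for ace in sorted(self.aces, key=lambda a: a.seq):   # sequence order, not entry order
            if ace.matches(p):
                ace.hits += 1
                return ace.action
        return "deny"                                        # implicit deny any

def build_surfing() -> ACL:
    """Inbound on the LAN interface: only web requests from INSIDE may leave."""
    acl = ACL("SURFING")
    acl.add(ACE(10, "permit", "tcp", INSIDE, ANY, dport=80))
    acl.add(ACE(20, "permit", "tcp", INSIDE, ANY, dport=443))
    return acl

def build_browsing() -> ACL:
    """Inbound on the WAN interface: only replies to connections INSIDE opened."""
    acl = ACL("BROWSING")
    acl.add(ACE(10, "permit", "tcp", ANY, INSIDE, established=True))
    return acl

def demo() -> Dict[str, str]:
    surfing, browsing = build_surfing(), build_browsing()
    out = "203.0.113.5"                                       # constructed outside host
    results = {
        "inside_https": surfing.evaluate(Packet("192.168.10.10", out, "tcp", 51000, 443)),
        "inside_ssh":   surfing.evaluate(Packet("192.168.10.10", out, "tcp", 51001, 22)),
        "reply_ack":    browsing.evaluate(Packet(out, "192.168.10.10", "tcp", 443, 51000, ack=True)),
        "outside_syn":  browsing.evaluate(Packet(out, "192.168.10.10", "tcp", 40000, 22)),
        # 'established' keeps no state: a forged ACK to a port nobody opened still passes
        "forged_ack":   browsing.evaluate(Packet(out, "192.168.10.10", "tcp", 40000, 3389, ack=True)),
    }
    # Sequence-number edit: a deny for one host inserted ahead of the existing permits
    surfing.add(ACE(5, "deny", "ip", ("192.168.10.11", "0.0.0.0"), ANY))
    results["blocked_host"] = surfing.evaluate(Packet("192.168.10.11", out, "tcp", 51002, 443))
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} {verdict}")
```

The forged_ack case is the point of the caveat on established: the evaluator permits it for the same reason IOS would, because only the flag is checked. The seq 5 insertion shows why sequence numbers are safer than the text-editor method; the list is never absent from the interface while it is edited.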


Network Address Translation (NAT)


 NAT is used to translate private IP addresses used inside a company to public addresses that can be
routed over the Internet.

Private Addresses (RFC 1918)
Class   Internal Address Range            CIDR Prefix
A       10.0.0.0 - 10.255.255.255         10.0.0.0/8
B       172.16.0.0 - 172.31.255.255       172.16.0.0/12
C       192.168.0.0 - 192.168.255.255     192.168.0.0/16

1. Static NAT
Static address translation (static NAT) assigns one public IP address to one private IP address. Because the mapping is permanent and works in both directions, the inside host becomes reachable from the Internet on every port; an inbound ACL on the outside interface is needed to limit that exposure.

Configuring Static NAT: One Private to One Permanent Public Address Translation

Permanently translates the inside address of 192.168.10.10 to a public address of 209.165.200.226. Use the command for each of the private IP addresses you want to statically map to a public address.
    R2(config)# ip nat inside source static 192.168.10.10 209.165.200.226

Define which interfaces are inside (contain the private addresses).
    R2(config)# interface gigabitethernet 0/0
    R2(config-if)# ip nat inside

Define the outside interface (the interface leading to the public network).
    R2(config)# interface serial 0/0/0
    R2(config-if)# ip nat outside


2. Dynamic NAT
Dynamic NAT assigns a public IP address from a pool of addresses to each packet that originates from a device that has a private IP address assigned when that packet is destined to a network outside the company. Once every pool address is in use, further inside hosts are not translated until an entry times out. Packets from inside hosts that the ACL does not match are routed untranslated, so the ACL must cover every inside subnet.

Configuring Dynamic NAT

Defines the following: The name of the pool is NAT-POOL1. (The name of the pool can be anything.) The start of the pool is 209.165.200.226. The end of the pool is 209.165.200.240. The subnet mask is 255.255.255.224.
    R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224

Create an access control list (ACL) that will identify which private IP addresses will be translated.
    R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255

Link the ACL to the pool of addresses (create the translation).
    R2(config)# ip nat inside source list 1 pool NAT-POOL1

Define which interfaces are inside (contain the private addresses).
    R2(config)# interface gigabitethernet 0/0
    R2(config-if)# ip nat inside

Define the outside interface (the interface leading to the public network).
    R2(config)# interface serial 0/0/0
    R2(config-if)# ip nat outside


3. Port Address Translation (PAT)

PAT (otherwise known as NAT overload) can use one public IPv4 address to allow thousands of private IPv4 addresses to communicate with outside network devices. Translations are told apart by source port, so entries exist only while a session is active. The configuration is the same as dynamic NAT plus the overload keyword.

a. Configuring PAT: Address Pool

Defines the following: The name of the pool is NAT-POOL1. (The name of the pool can be anything.) The start of the pool is 209.165.200.226. The end of the pool is 209.165.200.240. The subnet mask is 255.255.255.224.
    R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224

Create an access control list (ACL) that will identify which private IP addresses will be translated.
    R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255

Link the ACL to the pool of addresses (create the translation). The overload keyword turns the pool into PAT.
    R2(config)# ip nat inside source list 1 pool NAT-POOL1 overload

Define which interfaces are inside (contain the private addresses).
    R2(config)# interface gigabitethernet 0/0
    R2(config-if)# ip nat inside

Define the outside interface (the interface leading to the public network).
    R2(config)# interface serial 0/0/0
    R2(config-if)# ip nat outside


b. Configuring PAT: Single Address

Defines the following: The name of the pool is NAT-POOL1. (The name of the pool can be anything.) The start and the end of the pool are both 209.165.200.225, so the pool holds a single address. The subnet mask is 255.255.255.224.
    R2(config)# ip nat pool NAT-POOL1 209.165.200.225 209.165.200.225 netmask 255.255.255.224

Create an access control list (ACL) that will identify which private IP addresses will be translated.
    R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255

Link the ACL to the pool of addresses (create the translation).
    R2(config)# ip nat inside source list 1 pool NAT-POOL1 overload

Define which interfaces are inside (contain the private addresses).
    R2(config)# interface gigabitethernet 0/0
    R2(config-if)# ip nat inside

Define the outside interface (the interface leading to the public network).
    R2(config)# interface serial 0/0/0
    R2(config-if)# ip nat outside

OR

Configuring PAT: Single Address (using the outside interface address)

Create an access control list (ACL) that will identify which private IP addresses will be translated.
    R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255

Link the ACL to the outside interface (create the translation). The interface's own address is used, so no pool is needed; the interface named here must be the one configured as ip nat outside.
    R2(config)# ip nat inside source list 1 interface serial 0/0/0 overload

Define which interfaces are inside (contain the private addresses).
    R2(config)# interface gigabitethernet 0/0
    R2(config-if)# ip nat inside

Define the outside interface (the interface leading to the public network).
    R2(config)# interface serial 0/0/0
    R2(config-if)# ip nat outside
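The three sections above use almost the same commands, and the difference between them only shows up in the translation table. As an added example that is not part of this guide, the Python below simulates static NAT, dynamic NAT and PAT on R2 side by side using the guide's pool addresses and ACL 1: it shows dynamic NAT running out of pool addresses, PAT serving every host from one address by rewriting source ports, and a host outside ACL 1 receiving no translation in either case. The inside hosts, ports and the two-address pool are constructed; entry timeouts and the real IOS port-selection algorithm are not modelled.

```python
"""Added example (not from the guide): simulate the three translation styles the
guide configures on R2 so their differences are visible side by side: static NAT
(one fixed mapping), dynamic NAT (one pool address per inside host, no
translation once the pool is exhausted) and PAT/overload (one public address
shared by rewriting the source port). Pool addresses and ACL 1 are the guide's;
the inside hosts, ports and the two-address pool are constructed, and entry
timeouts and the real IOS port-selection algorithm are not modelled."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int]        # (source address, source port) as seen on the inside

def ip_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def acl1_permits(src: str) -> bool:
    """access-list 1 permit 192.168.0.0 0.0.255.255, with the implicit deny."""
    care = ~ip_int("0.0.255.255") & 0xFFFFFFFF
    return (ip_int(src) & care) == (ip_int("192.168.0.0") & care)

class StaticNat:
    """ip nat inside source static <local> <global>: one entry per mapped host."""
    def __init__(self, mapping: Dict[str, str]):
        self.mapping = mapping
    def translate(self, f: Flow) -> Optional[Flow]:
        g = self.mapping.get(f[0])
        return (g, f[1]) if g else None

class DynamicNat:
    """ip nat inside source list 1 pool NAT-POOL1"""
    def __init__(self, first: str, last: str):
        self.free: List[str] = [str(ipaddress.IPv4Address(i))
                                for i in range(ip_int(first), ip_int(last) + 1)]
        self.table: Dict[str, str] = {}          # inside local -> inside global
    def translate(self, f: Flow) -> Optional[Flow]:
        local = f[0]
        if not acl1_permits(local):
            return None        # not in ACL 1: routed untranslated, the private source leaks
        if local not in self.table:
            if not self.free:
                return None    # pool exhausted: dropped until an entry ages out
            self.table[local] = self.free.pop(0)
        return (self.table[local], f[1])

class Pat:
    """ip nat inside source list 1 interface serial 0/0/0 overload"""
    def __init__(self, public: str):
        self.public = public
        self.table: Dict[Flow, int] = {}         # (local ip, local port) -> global port
        self.used: Set[int] = set()
    def translate(self, f: Flow) -> Optional[Flow]:
        if not acl1_permits(f[0]):
            return None
        if f not in self.table:
            port = f[1]                          # keep the source port when it is free
            while port in self.used:             # simple stand-in for IOS port picking
                port = port + 1 if port < 65535 else 1024
            self.used.add(port)
            self.table[f] = port
        return (self.public, self.table[f])

def run_demo() -> Dict[str, List[Optional[Flow]]]:
    # Constructed: three permitted inside hosts (two using the same source port)
    # and one host outside ACL 1. The pool is cut to .226-.227 so exhaustion shows.
    flows: List[Flow] = [("192.168.10.10", 1025), ("192.168.10.11", 1025),
                         ("192.168.20.7", 1026), ("10.9.9.9", 1027)]
    static = StaticNat({"192.168.10.10": "209.165.200.226"})
    dynamic = DynamicNat("209.165.200.226", "209.165.200.227")
    pat = Pat("209.165.200.225")
    return {
        "static":  [static.translate(f) for f in flows],
        "dynamic": [dynamic.translate(f) for f in flows],
        "pat":     [pat.translate(f) for f in flows],
    }

if __name__ == "__main__":
    for style, table in run_demo().items():
        print(f"{style:8}", table)
```

The 10.9.9.9 host is the one to watch: it is not matched by ACL 1, so none of the three styles translates it and its private address would appear as-is on the outside interface. That is the argument for writing the NAT ACL to cover every inside subnet and nothing else.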
