V3.5
!!************************************
!!**SIRE_ADMIN and Davester14's AMAZING CHEAT SHEET**
!!** THIS CHEATSHEET IS NOT SAFE FOR YOUR GRANDMOTHER! EXPLICIT CONTENT WITHIN **
!!
!!************************************
!!************************************
\\\\\\\\\\\\\\\\ENJOY!!!!!!!!!!!!!!!!!

!COPY-PASTE CONFIGS - CREDIT TO JAKOB AND STEFAN
!VAR marks editable values, e.g. the switch name. The lab defaults (class/cisco) are shown; change them before this touches anything real.

!ROUTER AND SWITCH, ERASE AND RELOAD
enable
erase startup-config
y
delete vlan.dat
y
reload
!COM END CONFIGURATION

!SWITCH, BASIC SETUP
enable
conf terminal
no ip domain-lookup
hostname Switch1 !VAR
enable secret class !VAR
banner motd $ THIS IS A PRIVATE SYSTEM, FURTHER UNAUTHORIZED ACCESS IS ILLEGAL $
line vty 0 4
logging synchronous
password cisco !VAR
transport input all
!COM "transport input all" also allows telnet, which sends the password in cleartext. Once SSH is set up (see SSH below) change this to "transport input ssh".
login
exit
line con 0
logging synchronous
password cisco !VAR
login
exit
int range f0/1-24, g0/1-2 !VAR
shut
exit
!COM Every port starts shut; re-enable only the ones you need with "no shut"
no ip http server
no ip http secure-server
!END CONFIG

!!DIAGNOSTICS (AKA: Shit hit the fan and you're trying to fix it)
#show running-config                          !!The config in RAM (what is running right now)
#show startup-config                          !!The config saved in NVRAM (what loads on reload)
#show ip route                                !!Routing table on a ROUTER/MULTILAYER SWITCH
#show ip interface brief                      !!Interfaces, their IPs and their status
#show ip interface {INTERFACE}                !!Good for diagnosing interfaces getting IPs from DHCP
#show ip protocols                            !!Routing processes, timers, advertised networks and neighbours
#show ip rip database                         !!What is being advertised by RIP
#show port-security interface {INTERFACE}     !!Stats about the interface's port security
#show vlan brief                              !!VLAN names, status and assigned ports
#show interface {INTERFACE} switchport        !!Switchport info: mode, encapsulation and negotiation
#show vtp status                              !!VTP mode, domain and configuration revision
#show spanning-tree                           !!Root ID, Bridge ID, priority, cost, interfaces and roles
#show ip nat translations                     !!If entries appear, NAT is working
#show sdm prefer                              !!Switching Database Manager template in use

!!PANIC ACTION: RELOADED ROUTER AND IT LOST ALL MY SETTINGS!
# copy startup-config running-config
!!Now bring each interface online with
(config-if)# no shutdown
!!This only helps if the config had been saved to startup-config before the reload; a running-config that was never saved is gone.
!!If the switch said "VTP VLAN CONFIGURATION NOT ALLOWED WHEN DEVICE IS IN CLIENT MODE"
(config)# no vtp mode                         !!Puts the switch back in server mode

!!OTHER IMPORTANT COMMANDS
!!SET SDM TO IPv4/IPv6 DUAL STACK (needed before IPv6 routing works on 3560/3750-class switches)
(config)# sdm prefer dual-ipv4-and-ipv6 default
(config)# exit
# reload                                      !!The new template only takes effect after a reload

!!NTP & TIME AND DATE
!!Manually configuring time and date (exec mode, not config mode)
switch# clock set [HH:MM:SS] [DAY] [MONTH] [YEAR]
!!Configure timezone (EST is UTC-5; the summer-time rule below switches it to EDT automatically)
(config)# clock timezone EST -5
!!Enable daylight saving time
(config)# clock summer-time EDT recurring

!!Configuring NTP (client + server)
!!Set NTP master: if you have no access to a reliable NTP server, a router or switch can act as one
(config)# ntp master [STRATUM_NUMBER]
!!Clients pick the source with the lowest stratum number, so give backup masters a higher number
!!Set the NTP server on the client
(config)# ntp server [IPADDRESS]

!!Securing NTP with authentication and ACLs
!!Unauthenticated NTP lets anyone who can spoof the server's address shift your clocks, which breaks log correlation, certificate validity checks and anything time-based.
!!Configure NTP authentication on the server
(config)# ntp authenticate
(config)# ntp authentication-key 1 md5 [password]
(config)# ntp trusted-key 1
!!Configure NTP authentication on the client (same key number and password)
(config)# ntp authentication-key 1 md5 [password]
(config)# ntp authenticate
(config)# ntp trusted-key 1
!!The client must also name the key when it points at the server, otherwise the key is never used
(config)# ntp server [IPADDRESS] key 1
!!Securing NTP with ACLs
(config)# access-list 1 permit 127.127.1.1                 !!The internal reference clock of this box
(config)# access-list 2 permit [NETWORK WILDCARD | IPADDRESS] !!The clients allowed to use this NTP server
(config)# ntp access-group peer 1                           !!Full peering (time exchange both ways) only with the internal clock
(config)# ntp access-group serve-only 2                     !!Hosts in ACL 2 may only request time; anyone not listed is refused

!!SNMP (Simple Network Management Protocol)
!!Use SNMPv3 (auth + priv) wherever the NMS supports it; a v2c community string crosses the wire in cleartext and is effectively a read-only password for the whole box.
!!CONFIGURE SNMPv3
!!General SNMP info (identify the device, location and contact). Not required for SNMP to work; it fills sysLocation/sysContact for whoever reads the device.
(config)# snmp-server location [variables]      !!e.g. "DLS1 Rack 1", works like a description
(config)# snmp-server contact [variable]        !!e.g. "student", tells admins who to contact about this device
(config)# snmp-server chassis-id [variable]     !!e.g. "Cisco 3560v2 SN FTX222222222"
!!ACL for SNMP: only these hosts may talk SNMP to the device
(config)# ip access-list standard [SNMPSERVERACL]
(config-std-nacl)# permit [IPADDRESS | NETWORK]
(config-std-nacl)# exit
!!SNMP views: start from the whole tree ("iso included") and carve out what a read-only poller must not see.
!!The excluded subtrees are the IP routing table (1.3.6.1.2.1.4.21), the ARP/neighbour tables (1.3.6.1.2.1.4.22, 1.3.6.1.2.1.4.35, 1.3.6.1.2.1.3) and the SNMP user, access-control and community MIBs (1.3.6.1.6.3.15, 1.3.6.1.6.3.16, 1.3.6.1.6.3.18), so a stolen NMS credential can't be used to map the network or read the SNMP configuration itself.
(config)# snmp-server view [SNMPVIEWNAME] iso included
(config)# snmp-server view [SNMPVIEWNAME] 1.3.6.1.2.1.4.21 excluded
(config)# snmp-server view [SNMPVIEWNAME] 1.3.6.1.2.1.4.22 excluded
(config)# snmp-server view [SNMPVIEWNAME] 1.3.6.1.2.1.4.35 excluded
(config)# snmp-server view [SNMPVIEWNAME] 1.3.6.1.2.1.3 excluded
(config)# snmp-server view [SNMPVIEWNAME] 1.3.6.1.6.3.15 excluded
(config)# snmp-server view [SNMPVIEWNAME] 1.3.6.1.6.3.16 excluded
(config)# snmp-server view [SNMPVIEWNAME] 1.3.6.1.6.3.18 excluded
!!SNMP group: v3, priv (authentication AND encryption required), read-only against the view, restricted to the ACL
(config)# snmp-server group [GroupName] v3 priv read [SNMPVIEW] access [ACL]
!!SNMP user
(config)# snmp-server user [USERNAME] [GROUPNAME] v3 auth sha [PASSWORD] priv aes 128 [password]
!!Trap receiver
(config)# snmp-server host [IPADDRESS] traps version 3 priv [USERNAME]
!!Interface index persistence: keeps ifIndex values stable across reloads so graphs, alerts and documentation keyed on ifIndex don't silently point at the wrong port
(config)# snmp-server ifindex persist
!!Enable trap sending
(config)# snmp-server enable traps

!!CONFIGURING SNMPv2c (only if the NMS really can't do v3)
!!Community string, read-only, limited to the view and to the ACL
(config)# snmp-server community [communitystring] view [SNMPVIEWNAME] ro [SNMPSERVERACL]
!!Trap receiver
(config)# snmp-server host [IPADDRESS] version 2c [COMMUNITYSTRING]
!!Interface index persistence (same reason as above)
(config)# snmp-server ifindex persist
!!Enable trap sending
(config)# snmp-server enable traps

!!SPAN AND RSPAN (Switched Port Analyzer / port mirroring)
!!CONFIGURING SPAN
!!Clear the existing session / make sure the session number isn't already defined
(config)# no monitor session [SESSIONNUM]
!!Session source: the port whose inbound/outbound traffic you want to see
(config)# monitor session [SESSIONNUM] source interface [INTERFACE] [rx | tx | both]
!!Session destination: the port the analyzer is plugged into (it stops forwarding normal traffic while the session exists)
(config)# monitor session [SESSIONNUM] destination interface [INTERFACE]

!!CONFIGURING RSPAN: send the mirrored traffic across trunks to a port on another switch, using a dedicated VLAN
!!Configure the RSPAN VLAN on the VTP server (or on every switch in the path if VTP is transparent)
(config)# vlan [VLANID]
(config-vlan)# name [VLANNAME]
(config-vlan)# remote-span
!!On the source switch
(config)# no monitor session [SESSIONNUM]
(config)# monitor session [SESSIONNUM] source interface [INTERFACE] [rx | tx | both]
(config)# monitor session [SESSIONNUM] destination remote vlan [VLANID]
!!On the destination switch
(config)# no monitor session [SESSIONNUM]
(config)# monitor session [SESSIONNUM] source remote vlan [VLANID]
(config)# monitor session [SESSIONNUM] destination interface [INTERFACE]
!!The RSPAN VLAN carries copies of other people's traffic: keep it off trunks that don't need it and never put an access port in it.

!!VLANS AND TRUNKING
!!(SWITCH) "Create" a VLAN (a VLAN is auto-created when a port is assigned to it; doing it explicitly lets you name it)
(config)# vlan {VLAN}                       !!Enter VLAN config for {VLAN}
(config-vlan)# name {VLAN_NAME}             !!Give the VLAN a name
!!(SWITCH) Assign VLAN to SWITCHPORT (NOTE: NOT FOR ROUTERS!)
(config)# interface {INTERFACE}                 !!Select the interface being assigned
(config-if)# switchport access vlan {VLAN}      !!Set the VLAN the interface is assigned to
!!(SWITCH) Assign an IP to a VLAN (configure it as the management VLAN)
(config)# ip default-gateway {ADDRESS}          !!Required to reach the switch by TELNET/SSH from another subnet
(config)# interface vlan {VLAN}                 !!Switch to the SVI for {VLAN}
(config-if)# ip add {ADDRESS} {SUBNET}          !!Assign IP and subnet mask
(config-if)# no shut                            !!Bring the interface online
!!Don't manage the switch over VLAN 1: every port sits in it by default, so give management its own VLAN.
!!(SWITCH) Configure a manual TRUNK port (carry multiple VLANs through one interface)
(config)# int {INTERFACE}
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan {VLAN}
!!NOTE: the allowed list OVERWRITES the previous one, so enter every VLAN at once!
!!Acceptable {VLAN} inputs (examples): 10   10,11,12   3-90   10,3-27,35,40-90,99
!!(SWITCH) Assign a voice VLAN
(config-if)# switchport voice vlan {VLAN}
!!(SWITCH) DTP SWITCHPORT MODES
!!DTP negotiates trunks automatically between Cisco switches.
(config)# int {INTERFACE}
(config-if)# switchport mode {MODE} {DYNAMIC-PROTO}
!!{MODE} is ACCESS or TRUNK (see above), or DYNAMIC, in which case the second word is AUTO or DESIRABLE
!!"DESIRABLE" is ACTIVE: it sends DTP requests and will trunk with a desirable, auto or trunk port on the other end
!!"AUTO" is PASSIVE: it only trunks IF ASKED by a DESIRABLE or TRUNK port (two auto ports never trunk)
!!FOR EXAMPLE:
(config-if)# switchport mode dynamic desirable  !!Makes the port push out DTP requests
(config-if)# switchport nonegotiate             !!Turns DTP off on the port. Trunking must then be set manually with "switchport mode trunk" (and the allowed list above)
!!Security check: a user port left in dynamic auto/desirable will trunk with an attacker's machine that speaks DTP, handing it every VLAN. Hard-code user ports as access and put "switchport nonegotiate" on manual trunks.
(config-if)# switchport trunk encapsulation dot1q  !!Needed on switches that also support ISL (e.g. 3560) BEFORE "switchport mode trunk"; without it the switch complains that it can't set trunk mode
!!(ROUTER) Configure encapsulation (router-on-a-stick: trunking a router port)
(config)# interface {INTERFACE}.{SUBINTERFACE}
!!IMPORTANT!! The {SUBINTERFACE} number isn't required to match the VLAN number, but it *should*; it keeps you sane.
!!Example: interface G0/1.22 for interface Gigabit0/1, subinterface (VLAN) 22
(config-subif)# encapsulation dot1q {VLAN}      !!Tag this subinterface's traffic with {VLAN}
(config-subif)# ip address {ADDRESS} {SUBNET}   !!The router needs an address in every VLAN it routes for
(config-subif)# int {INTERFACE}                 !!Switch to the physical (host) interface
(config-if)# no shutdown                        !!Bring it online. Enables ALL subinterfaces.

!!(SWITCH) VTP
!!VTP MODES
!!REMEMBER: VLANs MUST BE CREATED ON THE SERVER TO BE ADVERTISED!
!!TRANSPARENT (forwards VTP packets but doesn't read or create them). REQUIRED FOR EXTENDED VLANs (1006-4094) with VTP v1/v2.
(config)# vtp mode transparent     !!Switch does NOT create or respond to VTP packets, BUT WILL forward them. No further config required
!!Make this switch the VTPv3 primary server for the VLAN database (exec mode)
Switch# vtp primary vlan
!!VTP SERVER (tells other switches about VLANs)
(config)# vtp mode server           !!Set mode
(config)# vtp domain {DOMAIN}       !!Set the VTP domain to {DOMAIN}, usually CCNA in the lab. All clients must share this
(config)# vtp password {PASSWORD}   !!Pretty obvious, all VTP clients must share this too
!!VTP CLIENT
(config)# vtp mode client           !!Listen for VTP updates
(config)# vtp domain {DOMAIN}       !!Must be the same domain as the server
(config)# vtp password {PASSWORD}   !!Must be the same password as the server
!!CAUTION: any switch (even a "client") that joins the domain with a HIGHER configuration revision than the server overwrites the whole domain's VLAN database. Reset the revision on a switch before plugging it in (change its domain name or set transparent mode) and always set a VTP password.

!!(SWITCH) PRIVATE VLANs
!!*** VTP must be in transparent mode for private VLANs to work (VTP v1/v2 can't carry them) ***
!!PRIMARY VLAN: holds the promiscuous ports (usually the gateway/firewall)
!!ISOLATED VLAN: hosts cannot talk to each other, only to promiscuous ports
!!COMMUNITY VLAN: hosts can talk to each other and to promiscuous ports
!!Create an isolated or community (secondary) VLAN
(config)# vlan [VLANID]
(config-vlan)# private-vlan [isolated | community]
!!Create or edit the primary VLAN and associate the secondaries with it
(config)# vlan [VLANID]
(config-vlan)# private-vlan primary
(config-vlan)# private-vlan association [VLANS]   !!Secondary VLANs allowed to talk to this primary
!!SVI for the private VLAN (lets the multilayer switch route for the secondaries)
(config)# interface vlan [VLANID]
(config-if)# private-vlan mapping [VLANs]         !!Secondary VLANs whose traffic this SVI routes
!!Promiscuous port
(config)# interface [INTERFACE]
(config-if)# switchport mode private-vlan promiscuous
(config-if)# switchport private-vlan mapping [PRIMARYVLAN] [ASSOCIATEDVLANS]
!!Host ports in an isolated or community VLAN
(config)# interface range [interfaces]
(config-if-range)# switchport mode private-vlan host
(config-if-range)# switchport private-vlan host-association [primaryvlan] [ASSOCIATEDVLAN]

!!MULTIPLE SPANNING TREE (MST)
!!All switches in the same region need the same region name, revision number and VLAN-to-instance mappings; one mismatch splits the region.
(config)# spanning-tree mode mst
(config)# do clear spanning-tree detected-protocols
!!Forces ports that fell back to legacy 802.1D (because they once heard an old-style BPDU) to re-run protocol migration. Only needed after a legacy neighbour has been replaced.
!!CONFIGURE MST (on every switch in the region, unless you push it with VTPv3 as below)
(config)# spanning-tree mst configuration
(config-mst)# name [NAME]
(config-mst)# revision [REVISION-NUMBER]
(config-mst)# instance [INSTANCE-NUMBER] vlan [VLAN NUMBERS]   !!VLAN or range of VLANs, e.g. 10,20
(config-mst)# exit                                             !!IMPORTANT: the configuration is only applied on exit
!!SHOW COMMANDS IN MST CONFIG MODE
(config-mst)# show current    !!Current (applied) MST configuration
(config-mst)# show pending    !!MST configuration not yet applied
!!PROPAGATE MST VIA VTP (VTP ON ALL SWITCHES MUST BE VERSION 3)
(config)# vtp version 3
!!VTP PRIMARY SERVER FOR MST
(config)# vtp mode server mst   !!VTP server for the MST database
Switch# vtp primary mst          !!Make this switch the primary server for MST (exec mode)
!!VTP CLIENT FOR MST
(config)# spanning-tree mode mst
(config)# vtp version 3
(config)# vtp mode client mst
!!SET PRIMARY AND SECONDARY ROOT BRIDGES AND PRIORITY
(config)# spanning-tree mst [INSTANCE-NUMBERS] root [primary | secondary]   !!Can also be a list of instances, e.g. 0,2
(config)# spanning-tree mst [INSTANCE-NUMBERS] priority [PRIORITY]

!!REDUNDANCY AND FALLBACKS (STP, ETHERCHANNEL)
!!ETHERCHANNEL
!!NOTE: once the ports are bundled you configure the port-channel, not the members; settings propagate down to them and unplugging a cable WILL NOT break them.
!!The member ports DO have to match each other (speed, duplex, access/trunk mode, allowed VLANs) or the switch suspends the odd one out.
(config)# int range {INTERFACES}                          !!Select the {INTERFACES} to be used in the channel
(config-if-range)# channel-group {GROUP-ID} mode {MODE}   !!{GROUP-ID} is the "name" of the EtherChannel, {MODE} is the negotiation mode (see below)
!!{MODE}      Prot.   Desc.
!!Active      LACP    Sends LACP requests; forms with Active or Passive
!!Passive     LACP    Listens for LACP requests; forms only with Active (two passives never bundle)
!!Desirable   PAgP    Sends PAgP requests (Cisco only); forms with Desirable or Auto
!!Auto        PAgP    Listens for PAgP requests; forms only with Desirable (two autos never bundle)
!!Both ends must use the same protocol (LACP or PAgP); mixing them never forms a channel.
(config-if-range)# exit
!!EDIT SETTINGS FOR AN EXISTING ETHERCHANNEL
(config)# int port-channel {GROUP-ID}   !!{GROUP-ID} is the channel "name", see above
(config-if)#                            !!Enter commands here as if they were going into a single interface
!!LAYER 3 ETHERCHANNEL
(config)# interface range [INTERFACES]
(config-if-range)# shutdown
(config-if-range)# no switchport
(config-if-range)# channel-group [GROUPID] mode [MODE, SEE ABOVE]
(config-if-range)# end
# config t
(config)# interface port-channel [GROUPID]      !!The port-channel you just created, ya dingus
(config-if)# ip address [IPADDRESS] [SUBNET]    !!Do this on both sides
(config-if)# no sh
(config-if)# interface range [ORIGINAL PORTS IN THE PORT-CHANNEL]
(config-if-range)# no sh
(config-if-range)# end
!!STP Root Bridge: the switch every STP path calculation is measured against; each other switch forwards toward it along its lowest-cost path.
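The election and root-port selection described in this STP section, as an added example that is not from the cheat sheet: a small Python model of how a switch picks the root bridge (lowest Bridge ID) and then its root port (lowest root path cost, then lowest sender BID, sender port priority and sender port number). The topology, switch names, MACs and priorities are constructed for the example; the cost table is the 802.1D-1998 "short" method. The `rogue_root` function shows why a priority-0 switch plugged into an unguarded access port takes over the whole tree, which is the case BPDU guard and root guard exist for.

```python
"""Root bridge election and root port selection, modelled the way 802.1D does it."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 802.1D-1998 "short" path costs by link speed in Mbps (the cheat sheet's cost table)
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Link:
    """One cable between two switches. Port numbers are each switch's own; priority is per sending port."""
    a: str
    a_port: int
    b: str
    b_port: int
    mbps: int
    a_prio: int = 128
    b_prio: int = 128


def bridge_id(priority: int, mac: str) -> Tuple[int, str]:
    """A BID compares as (priority, MAC): lower wins, the MAC only breaks priority ties."""
    return (priority, mac.lower())


def elect_root(bids: Dict[str, tuple]) -> str:
    """The root bridge is simply the lowest BID in the domain."""
    return min(bids, key=bids.get)


def adjacency(links: List[Link]) -> dict:
    """adj[switch] -> [(neighbour, my_port, neighbour_port, cost, neighbour_port_priority), ...]."""
    adj: dict = {}
    for l in links:
        cost = STP_COST[l.mbps]
        adj.setdefault(l.a, []).append((l.b, l.a_port, l.b_port, cost, l.b_prio))
        adj.setdefault(l.b, []).append((l.a, l.b_port, l.a_port, cost, l.a_prio))
    return adj


def root_path_costs(root: str, adj: dict) -> Dict[str, int]:
    """Lowest cumulative port cost from every switch back to the root (Dijkstra over port costs)."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for nbr, _mine, _theirs, cost, _prio in adj.get(u, []):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def root_ports(bids: Dict[str, tuple], links: List[Link]) -> Dict[str, int]:
    """{switch: root port number} for every non-root switch.

    Tie-break order: lowest root path cost, then lowest sender BID,
    then lowest sender port priority, then lowest sender port number.
    """
    root, adj = elect_root(bids), adjacency(links)
    dist = root_path_costs(root, adj)
    chosen = {}
    for sw in bids:
        if sw == root or sw not in adj:
            continue
        candidates = [
            ((dist[nbr] + cost, bids[nbr], their_prio, their_port), my_port)
            for nbr, my_port, their_port, cost, their_prio in adj[sw] if nbr in dist
        ]
        chosen[sw] = min(candidates)[1]
    return chosen


def rogue_root(bids: Dict[str, tuple], mac: str = "0000.0000.0000") -> str:
    """Who is root after an attacker plugs in a switch with priority 0 (no BPDU guard / root guard)."""
    return elect_root({**bids, "ROGUE": bridge_id(0, mac)})


# Constructed lab topology (not from the cheat sheet): SW2 was given a low priority (4096).
BIDS = {
    "SW1": bridge_id(32768, "0000.0000.1111"),
    "SW2": bridge_id(4096, "0000.0000.2222"),
    "SW3": bridge_id(32768, "0000.0000.3333"),
    "SW4": bridge_id(32768, "0000.0000.4444"),
}
LINKS = [
    Link("SW1", 1, "SW2", 1, 1000),   # SW1 Gi0/1 <-> SW2 Gi0/1, cost 4
    Link("SW2", 2, "SW3", 1, 1000),   # SW2 Gi0/2 <-> SW3 Gi0/1, cost 4
    Link("SW1", 2, "SW3", 2, 100),    # SW1 Fa0/2 <-> SW3 Fa0/2, cost 19: this is the link that ends up blocking
    Link("SW2", 3, "SW4", 1, 1000),   # SW4 has two equal-cost uplinks to the root...
    Link("SW2", 4, "SW4", 2, 1000),   # ...so the root's lower port number (3) decides
]

if __name__ == "__main__":
    print("root:", elect_root(BIDS))
    print("root ports:", root_ports(BIDS, LINKS))
    print("root after a priority-0 rogue appears:", rogue_root(BIDS))
```

Remove SW2 from `BIDS` and SW1 wins on MAC alone, which is exactly what happens on a network where nobody set a priority: the oldest, slowest switch with the lowest MAC becomes root.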
!!STP PORT ROLES
!!ROOT                The one port per non-root switch that leads toward the root bridge (lowest root path cost)
!!DESIGNATED          The forwarding port on a segment that leads away from the root. Every segment has exactly ONE designated port; ALL ports on the root bridge are designated
!!ALTERNATE/BLOCKING  Still receives BPDUs but drops data frames; it is the backup that takes over if the root port fails
!!On a trunk between two switches one end is designated and the other is either root or alternate

!!STP PORT COSTS (802.1D-1998 "short" method, the default)
!!Speed      Cost   "Old" (pre-standard) cost
!!10 Mbps    100    100
!!100 Mbps   19     10
!!1 Gbps     4      1
!!10 Gbps    2      1

!!STP PORT SELECTION (root port, and who wins designated port on a segment), in this order:
!!A) Lowest root path cost (sum of port costs on the way to the root)
!!B) Lowest sender Bridge ID (priority, then MAC)
!!C) Lowest sender port PRIORITY     !!PORT PRIORITY IS DIFFERENT FROM PORT COST!
!!D) Lowest sender port number

!!STP manually set cost (affects path calculation)
!!Cost is local to the port you set it on: it's added to the root path cost that switch learns on that port, so set it on the switch whose path choice you want to change, not on both ends.
(config)# int {INTERFACE}                !!Interface you're gonna configure
(config-if)# spanning-tree cost {COST}   !!{COST} is the port's cost
(config-if)# exit                        !!GTFO
!!STP get rid of manual costs
(config)# int {INTERFACE}                !!Interface you're gonna configure
(config-if)# no spanning-tree cost       !!Undo your mistake
(config-if)# exit                        !!GTFO
!!STP PortFast: the port skips listening/learning and goes straight to forwarding. Only on ports facing end hosts, never toward another switch (instant loop); pair it with BPDU guard so a port that hears a BPDU gets err-disabled instead of joining the tree.
(config)# interface [Interface]
(config-if)# spanning-tree portfast
!!RAPID PVST+
(config)# spanning-tree mode rapid-pvst
!!Enable/configure STP for a VLAN
(config)# spanning-tree vlan {vlannumber}
!!Configure the switch as primary root bridge for a VLAN
(config)# spanning-tree vlan {vlan} root primary [diameter {dia}] [hello-time {time}]
!!Configure the switch as secondary root bridge
(config)# spanning-tree vlan {vlan} root secondary [diameter {dia}] [hello-time {time}]
!!Rapid PVST+ port priority (lower value = higher priority; 0-240 in steps of 16, default 128)
(config-if)# spanning-tree vlan {vlan} port-priority {priority}
!!Path cost method
(config)# spanning-tree pathcost method {long | short}
!!Per-VLAN cost on an interface (short = 1 to 65535, long = 1 to 200000000)
(config-if)# spanning-tree vlan {vlan} cost {value}

!!SPAN (short form; the full SPAN/RSPAN section is above)
!!SPAN copies the frames seen on the source port or VLAN out the destination port toward a packet analyzer
(config)# monitor session *sessionnumber* source [interface *intname* | vlan *vlannum*]
(config)# monitor session *sessionnumber* destination interface *intname*

!!ACLs
!!NOTE: ACLs are NOT the same thing as port security! DO NOT USE ACLs TO DO PORT SECURITY! (ACLs filter on addresses; port security limits which MAC addresses may use a port)
!!Placement: a standard ACL only matches the source, so put it as close to the DESTINATION as possible; an extended ACL matches both ends, so put it as close to the SOURCE as possible.
!!Entries are checked top to bottom, the first match wins, and an invisible "deny everything" sits at the end of every ACL.
!!Comments on ACLs
(config)# access-list {ACL_ID} remark {comment}
!!STANDARD: NUMBERED (numbers 1-99 and 1300-1999)
(config)# access-list {ACL_ID} {ACL_ACTION} {ACL_TARGET}
!!{ACL_ID} = 1-99, {ACL_ACTION} = PERMIT/DENY, {ACL_TARGET} = (see {ACL_TARGET} below)
!!STANDARD: NAMED
!!A named ACL holds numbered rules, each set up like a standard numbered ACL entry; each rule can be removed individually with "no"
(config)# ip access-list standard {NAME}          !!{NAME} Name of the ACL
(config-std-nacl)# {ACL_ACTION} {ACL_TARGET}      !!{ACL_ACTION} = PERMIT/DENY, {ACL_TARGET} = (see {ACL_TARGET} below)
!!EXTENDED: NUMBERED (numbers 100-199 and 2000-2699)
!!Extended ACLs filter on protocol, ports, source AND destination. Too many options to list here, so start typing the command and hit "?"
(config)# access-list {ACL_ID} {ACL_ACTION} {PROTOCOL} {ACL_TARGET} {EACL_OPTION}
!!{PROTOCOL} is ip, tcp, udp, icmp, ...; {ACL_TARGET} is the source; {EACL_OPTION} is the destination {ACL_TARGET} plus things like "eq {PORT}", found with "?"
!!EXTENDED: NAMED
(config)# ip access-list extended {NAME}                        !!{NAME} Name of the EACL
(config-ext-nacl)# {ACL_ACTION} {PROTOCOL} {ACL_TARGET} {EACL_OPTION}   !!Again, find {EACL_OPTION} with "?"
!!{ACL_TARGET}
!!A single device: "host 192.168.1.1" or "192.168.1.1 0.0.0.0"
!!A subnet: "192.168.1.0 0.0.0.255"
!!ACL masks are "backwards": the WILDCARD mask is the inverted subnet mask, a 0 bit means "must match" and a 1 bit means "don't care", so a /24 network is 0.0.0.255. This is a bitch. See the SUBNET MASK REFERENCE for the translations.
!!OR ANY: "any" matches everything, so it lets everything through or blocks everything depending on the action.
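The wildcard-mask and first-match rules above, as an added Python example that is not from the cheat sheet: it converts a prefix length to a wildcard, tests an address the way IOS does (bits set in the wildcard are ignored), parses numbered standard and extended entries in the syntax shown above, and evaluates a packet against them with the implicit deny at the end. The ACL, the hosts (10.10.10.2 as a management switch, 192.168.1.0/24 as the admin LAN) and the packets are constructed for the example. Only "eq" port matches are modelled.

```python
"""Standard/extended numbered ACL evaluator with IOS wildcard masks."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every bit is don't-care


def wildcard(prefix_len: int) -> str:
    """/24 -> '0.0.0.255': the wildcard mask is the inverted subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def matches(addr: str, base: str, wild: str) -> bool:
    """IOS wildcard test: 0 bits must match, 1 bits are ignored."""
    care = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_target(tokens: list) -> Tuple[str, str]:
    """Consume one {ACL_TARGET}: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


@dataclass
class Entry:
    action: str                   # permit / deny
    proto: str                    # 'ip' for standard ACLs (matches every protocol)
    src: Tuple[str, str]
    dst: Tuple[str, str]          # ANY for standard ACLs, which only look at the source
    dport: Optional[int] = None   # 'eq PORT' on extended entries


def parse_acl(lines) -> list:
    """Parse 'access-list N ...' lines in the cheat sheet's syntax; remark lines are skipped."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= num <= 99 or 1300 <= num <= 1999:           # standard: source only
            entries.append(Entry(action, "ip", parse_target(rest), ANY))
        else:                                                # extended: proto src dst [eq port]
            proto = rest.pop(0)
            src, dst = parse_target(rest), parse_target(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (matches(src, *e.src) and matches(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"   # the invisible "deny any" at the end of every ACL


# Constructed example ACL (not from the cheat sheet): 10.10.10.2 is a management switch.
ACL_110 = parse_acl([
    "access-list 110 remark management switch: SSH from the admin LAN only, never telnet",
    "access-list 110 deny tcp any host 10.10.10.2 eq 23",
    "access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.2 eq 22",
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any",
])

# Same rules with the catch-all permit first: the telnet deny is now unreachable.
ACL_110_WRONG_ORDER = parse_acl([
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 110 deny tcp any host 10.10.10.2 eq 23",
])

if __name__ == "__main__":
    print("/24 ->", wildcard(24), " /30 ->", wildcard(30))
    print("telnet from admin LAN, correct order:", evaluate(ACL_110, "tcp", "192.168.1.7", "10.10.10.2", 23))
    print("telnet from admin LAN, wrong order:  ", evaluate(ACL_110_WRONG_ORDER, "tcp", "192.168.1.7", "10.10.10.2", 23))
```

Feed your own ACL lines to `parse_acl` and walk the packets you care about through `evaluate` before applying the list to an interface; most ACL outages are an entry order problem exactly like `ACL_110_WRONG_ORDER`.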
!!Applying an ACL to an interface (one ACL per interface per direction)
(config-if)# ip access-group {ACL_ID} {in | out}
!!VLAN MAPS (VACLs): filter traffic inside a VLAN, including host-to-host traffic that never crosses a router
!!Create ACLs that describe the traffic, then map them to an action
(config)# vlan access-map [VLANMAPNAME] [VLANMAPID]
(config-access-map)# match ip address [ACLID]
(config-access-map)# action [forward | drop]
(config-access-map)# exit
(config)# vlan filter [VLANMAPNAME] vlan-list [VLANID]
!!Traffic that matches no map entry is dropped, so finish with an entry that forwards whatever you still want.

!!DHCP
!!ROUTER AS SERVER (assigning IP addresses)
!!Only the pool name and network are required; the rest is set when needed
(config)# ip dhcp excluded-address {ADDRESS}   !!{ADDRESS} is a single address (192.168.1.1) or a range (192.168.1.1 192.168.1.25). Entries accumulate; use "no" to remove one
(config)# ip dhcp pool {POOL_NAME}             !!{POOL_NAME} = name of the pool of addresses
(dhcp-config)# network {ADDRESS} {SUBNET}      !!{ADDRESS} and {SUBNET} of the pool. 192.168.1.0 255.255.255.0 makes 192.168.1.1 through 192.168.1.254 available (minus exclusions)
(dhcp-config)# default-router {ADDRESS}        !!{ADDRESS} = the client's default gateway, usually the first router's interface
!!NOTE: with a DHCP relay this is the FIRST router the client's packets hit, NOT the router handing out addresses
(dhcp-config)# dns-server {ADDRESS_1} {ADDRESS_2}
!!NOTE!!! I could not simulate this in Packet Tracer, but the internet says it *should* work!
(dhcp-config)# domain-name {DOMAIN}            !!You'll probably never use this, but if you're given a DOMAIN.COM it goes here
(dhcp-config)# exit
!!ROUTER AS RELAY (forward DHCP requests to a server on another subnet)
!!NOTE: configure this only on the first router the DHCP request hits. Given:
!!PC1 -> Switch1 -> Router1 -> Router2 -> Switch2 -> DHCPServer
!!the relay goes ONLY on Router1 to service PC1.
(config)# interface {INTERFACE}                !!{INTERFACE} = the ROUTER port the CLIENT is connected to
(config-if)# ip helper-address {ADDRESS}      !!{ADDRESS} of the DHCP server
(config-if)# exit
!!ROUTER AS CLIENT (get an IP from a DHCP server)
(config)# interface {INTERFACE}               !!{INTERFACE} that will receive an address from DHCP
(config-if)# ip address dhcp                   !!Tells the interface to get its address from DHCP
(config-if)# no shutdown                       !!You know this one
(config-if)# exit
!!PC AS CLIENT (Windows)
ipconfig            !!Show the client's IP address
ipconfig /renew     !!Ask the DHCP server for a new lease. Run this after updating the router's DHCP settings.
!!STATELESS DHCPv6 CLIENT
(config)# interface {INTERFACE}               !!Select the client interface
(config-if)# ipv6 enable                       !!Turns IPv6 on and gives the interface a link-local address
(config-if)# ipv6 address autoconfig           !!SLAAC: builds a global address from the prefix in router advertisements; no DHCPv6 server needed for the address
!!LLDP
(config)# lldp run
(config)# interface {INTERFACE}
(config-if)# lldp transmit
(config-if)# lldp receive
!!LLDP (like CDP) tells whatever is plugged in the device model, software version and management address; leave it off on user-facing and untrusted ports.
!!SSH
(config)# ip domain-name {NAME}                               !!Needed before the RSA key can be generated
(config)# username {UNAME} privilege {PRIV} secret {PASS}     !!{PRIV} 15 = full enable-level access, which is what the admin account wants; lower levels restrict which commands the user may run
(config)# line vty 0 4
(config-line)# transport input ssh                             !!SSH only, no telnet
(config-line)# login local                                     !!Authenticate against the local username/secret instead of the line password
(config-line)# exit
(config)# crypto key generate rsa modulus 2048
!!Some devices don't take "modulus" on the command line and prompt for the size instead. Use 2048 or larger; 1024-bit RSA keys are too weak for anything you care about.
!!EIGRP
!!Configure the EIGRP process
(config)# router eigrp {as-id}
(config-router)# network {networkaddress} {wildcard mask}   !!Network to be advertised by EIGRP (the wildcard is the inverted subnet mask)
!!Passive interfaces: still advertised, but no hellos are sent and no neighbours can form on them. Make every user-facing interface passive so nobody can peer with you from an access port.
(config-router)# passive-interface {interfacename}
!!EIGRP FOR IPv6 (classic)
(config)# ipv6 router eigrp [as-id]
(config-router)# eigrp router-id [ipv4add]     !!A router-id in IPv4 dotted form is required even for IPv6
!!Put an interface into EIGRP for IPv6 (there is no network statement; it's done per interface)
(config-if)# ipv6 eigrp [as-id]
!!NAMED EIGRP (one process carrying IPv4 and IPv6 address families)
(config)# ipv6 unicast-routing
(config)# router eigrp {NAME}
!!IPv4 address family
(config-router)# address-family ipv4 unicast autonomous-system 4
(config-router-af)# eigrp router-id {router-id}
(config-router-af)# network {networkaddress} {wildcard mask}
!!IPv6 address family (no network statement: every IPv6 interface joins unless you shut it in af-interface, see below)
(config-router)# address-family ipv6 unicast autonomous-system 6
(config-router-af)# eigrp router-id {router-id}
!!Passive interfaces in a named EIGRP address family
(config-router-af)# af-interface {interfacename}
(config-router-af-interface)# passive-interface
!!Keep an IPv6 interface out of EIGRP entirely
(config-router)# address-family ipv6 unicast autonomous-system 6
(config-router-af)# af-interface {interfacename}
(config-router-af-interface)# shutdown
!!Configure and distribute a default static route in named EIGRP
(config)# ip route 0.0.0.0 0.0.0.0 {nexthop}
(config)# ipv6 route ::/0 {nexthop}
(config)# router eigrp {name}
(config-router)# address-family ipv4 unicast autonomous-system 4
(config-router-af)# topology base
(config-router-af-topology)# redistribute static
(config-router-af-topology)# exit-af-topology
(config-router-af)# exit-address-family
(config-router)# address-family ipv6 unicast autonomous-system 6
(config-router-af)# topology base
(config-router-af-topology)# redistribute static
(config-router-af-topology)# exit-af-topology
!!EIGRP FOR IPv6
!!Configure the EIGRP process
(config)# ipv6 unicast-routing
(config)# ipv6 router eigrp 1
(config-router)# eigrp router-id {router-id}
(config-router)# no shutdown                   !!Older IOS creates the IPv6 process shut down
!!Enable EIGRP for IPv6 on an interface
(config)# interface {interfacename}
(config-if)# ipv6 eigrp {as-id}
!!Passive interfaces in EIGRP for IPv6
(config)# ipv6 router eigrp {as-id}
(config-router)# passive-interface {interfaceName}
!!Summary route in EIGRP for IPv6 (configured on the interface that advertises it)
(config)# interface {interfaceName}
(config-if)# ipv6 summary-address eigrp {as-id} {Summary-Address}
!!Default static route into EIGRP for IPv6
(config)# ipv6 route ::/0 {nexthop}
(config)# ipv6 router eigrp {as-id}
(config-router)# redistribute static
!!holy fuck that was long but it's over, until you get to OSPF ._.

!!OSPF
!!OSPFv2
!!Enabling OSPFv2 ({process-id} is local to the router; it is NOT an AS number and doesn't have to match between routers)
(config)# router ospf {process-id}
(config-router)# router-id {routerid}
(config-router)# network {ipv4address} {wildcard mask} area {area number}   !!For single-area OSPF every router uses the same area
(config-router)# passive-interface {int}       !!No OSPF hellos on these interfaces (they are still advertised). Make user-facing interfaces passive so nobody can form an adjacency and inject LSAs from an access port.
(config-if)# ip ospf network point-to-point    !!Advertise the interface's subnet as a network rather than as a /32 host route (loopbacks)
!!Configuring cost
(config-router)# auto-cost reference-bandwidth {value}   !!Reference bandwidth (Mbps) for cost calculation on all interfaces; cost = reference / interface bandwidth. Set the same value on every router
(config-if)# bandwidth {kbps}                  !!Changes the interface bandwidth OSPF uses in that calculation (it doesn't set the cost directly)
!!Configuring a virtual link
(config)# router ospf {process-id}
(config-router)# area {area-id} virtual-link {the OTHER router's router-id}   !!If you're configuring R2 to have a link with R3, R3's router-id goes on R2
!!On the opposite router
(config)# router ospf {process-id}
(config-router)# area {area-id} virtual-link {the OTHER router's router-id}   !!In this instance you configure R2's router-id here
!!Configuring a supernet (a summary route for the area, on the ABR)
(config)# router ospf {process-id}
(config-router)# area {area-id} range {networkaddress} {subnet mask}
!!OSPFv2 stub area (no external LSAs; a default route is injected instead)
(config)# router ospf {process-id}
(config-router)# area {area-id} stub
!!Totally stubby area (no external AND no inter-area LSAs; only a default route)
(config)# router ospf {process-id}
(config-router)# area {area-id} stub no-summary

!!OSPFv3
!!Configuring the OSPFv3 router process
(config)# ipv6 unicast-routing
(config)# ipv6 router ospf {process-id}
(config-rtr)# router-id {router-id}            !!Required: there is no IPv4 address to derive it from
(config-rtr)# exit
!!Enable OSPFv3 on an interface
(config)# interface {interfaceName}
(config-if)# ipv6 ospf {process-id} area {area-id}
(config-if)# exit
!!Point-to-point interface type (tells OSPF to advertise the interface as a network and not a host address)
(config)# interface {interfaceName}
(config-if)# ipv6 ospf {process-id} area {area-id}
(config-if)# ipv6 ospf network point-to-point
(config-if)# exit
!!Propagating a default route into OSPFv3
(config)# ipv6 route ::/0 {nextHop}
(config)# ipv6 router ospf {process-id}
(config-rtr)# default-information originate
(config-rtr)# exit
!!Propagating static routes into OSPFv3
(config)# ipv6 route 2001:db8:99:1::/64 2001:db8:feed:77::1
(config)# ipv6 router ospf 2
(config-rtr)# redistribute static
!!OSPFv3 stub area
(config)# ipv6 router ospf {process-id}
(config-rtr)# area {area-id} stub
!!OSPFv3 totally stubby area
(config)# ipv6 router ospf 2
(config-rtr)# area 51 stub no-summary

!!OSPFv3 ADDRESS FAMILIES (one process for IPv4 and IPv6)
(config)# ipv6 unicast-routing
(config)# router ospfv3 {process-id}
(config-router)# address-family [ipv4 | ipv6] unicast
(config-router-af)# router-id {router-id}
!!Put an interface into an OSPFv3 address family
(config)# interface {interfaceName}
(config-if)# ospfv3 {process-id} ipv4 area {area-id}
!!Default routes for IPv4 and/or IPv6 into OSPFv3
(config)# ip route 0.0.0.0 0.0.0.0 192.168.77.1
(config)# ipv6 route ::/0 2001:db8:feed:77::1
(config)# router ospfv3 {process-id}
(config-router)# address-family ipv4 unicast
(config-router-af)# default-information originate
(config-router-af)# exit-address-family
(config-router)# address-family ipv6 unicast
(config-router-af)# default-information originate
(config-router-af)# exit-address-family
!!Stub areas per address family (OSPFv3)
(config)# router ospfv3 {process-id}
(config-router)# address-family ipv4 unicast
(config-router-af)# area {area-id} stub
(config-router-af)# exit-address-family
(config-router)# address-family ipv6 unicast
(config-router-af)# area {area-id} stub
!!Totally stubby areas per address family (OSPFv3)
(config)# router ospfv3 {process-id}
(config-router)# address-family ipv4 unicast
(config-router-af)# area {area-id} stub no-summary
(config-router-af)# exit-address-family
(config-router)# address-family ipv6 unicast
(config-router-af)# area {area-id} stub no-summary
(config-router-af)# exit-address-family

!!REDISTRIBUTION
!!Into EIGRP: EIGRP needs all five metric components or the redistributed routes are never installed
(config-router)# redistribute {sourceroutingprotocol} {process/as-id} metric {bandwidth [kbps]} {delay [tens of microseconds]} {reliability [1-255]} {load [1-255]} {mtu}
!!OSPFv3 into EIGRP for IPv6 (same five-value EIGRP metric; "metric-type" and "subnets" are OSPF options and don't belong here)
(config)# ipv6 router eigrp {as-id}
(config-router)# redistribute ospf {process-id} metric {bandwidth [kbps]} {delay [tens of microseconds]} {reliability [1-255]} {load [1-255]} {mtu}
!!Into OSPFv2
(config-router)# redistribute {sourceroutingprotocol} {process/as-id} metric {cost [0-16777214]} metric-type {1 | 2} subnets   !!Without "subnets" only classful networks are redistributed
!!EIGRP for IPv6 into OSPFv3
(config)# ipv6 router ospf {process-id}
(config-router)# redistribute eigrp {as-id} metric-type {1 | 2}
!!Distribute lists filter ROUTING UPDATES, not user traffic
(config-router)# distribute-list {aclnum} in                !!Routes the ACL denies are not accepted from any neighbour
(config-router)# distribute-list {aclnum} out               !!Routes the ACL denies are not advertised to anyone
(config-router)# distribute-list {aclnum} out {interface}   !!Same, but only for updates sent out this interface

!!PREFIX LISTS
!!ge = "greater than or equal": the minimum prefix length a route may have and still match
!!le = "less than or equal": the maximum prefix length a route may have and still match
!!Neither: the route must match the network AND the length EXACTLY (10.0.0.0/8 matches only 10.0.0.0/8, not 10.1.0.0/16)
!!Both: the first {mask} bits must match and the route's length must be between ge and le
(config)# ip prefix-list {NAME} seq {SEQUENCENUM} {permit | deny} {networkaddress/mask} [ge {length}] [le {length}]
(config-router)# distribute-list prefix {NAME} {in | out} [{sourceroutingprotocol} {sourceroutingprotocol-as-id}]
!!Implicit deny at the end, just like an ACL.

!!ROUTE MAPS
!!A route map is an ordered list of clauses. The first clause whose match statements ALL succeed decides: permit applies the set statements and accepts the route, deny rejects it. A route that matches no clause is denied.
(config)# route-map {NAME} {permit | deny} {sequenceNumber}
(config-route-map)# {match statements}
(config-route-map)# {set statements}
!!Match options:
!!match community           Matches a BGP community
!!match interface           Routes whose next hop is out of one of the interfaces listed
!!match ip address          Routes whose destination network is permitted by a standard or extended ACL (or a prefix list)
!!match ip next-hop         Routes whose next-hop router address is permitted by one of the ACLs listed
!!match ip route-source     Routes advertised by routers and access servers at the addresses permitted by the ACLs listed
!!match length              Layer 3 packet length (policy routing)
!!match metric              Routes with the specified metric
!!match route-type          Routes of the specified type
!!match tag                 Routes carrying the specified tag
!!Set options:
!!set as-path               Modifies the AS path of BGP routes
!!set automatic-tag         Computes the tag value automatically
!!set community             Sets the BGP community attribute
!!set default interface     Output interface for policy-routed packets that match and have no explicit route to the destination
!!set interface             Output interface for policy-routed packets that match
!!set ip default next-hop   Next hop for policy-routed packets that match and for which IOS has no explicit route to the destination
!!set ip next-hop           Next hop for policy-routed packets that match
!!set level                 Where to import routes for IS-IS and OSPF
!!set local-preference      BGP LOCAL_PREF value
!!set metric                Metric value for the destination routing protocol
!!set metric-type           Metric type for the destination routing protocol
!!set tag                   Tag value for the destination routing protocol
!!set weight                BGP weight value
!!Route map tagging (tag redistributed routes so you can recognise and filter them elsewhere, e.g. to stop a route leaking back into the protocol it came from)
(config)# route-map {name} {permit | deny} {sequenceNumber}
(config-route-map)# set tag {tagvalue}
(config-router)# redistribute {sourceroutingprotocol} {sourceroutingprotocol-as-id} subnets route-map {name}
!!Adjusting administrative distance (the intra-area/inter-area/external form is OSPF's)
(config-router)# distance {routingprotocol} intra-area {value} inter-area {value} external {value}

!!MPLS
!!Enable MPLS on an interface *** REQUIRES CEF (CEF is enabled by default....) ***
(config)# interface [INTERFACE]
(config-if)# mpls ip
!!VRF
!!RD - Route Distinguisher: prepended to customer prefixes so overlapping address space stays unique (ASN:nn or IPADDRESS:nn)
!!RT - Route Target: the extended community that controls which VRFs import/export a route
(config)# ip vrf [NAME]
(config-vrf)# rd [ASN:nn or IPADDRESS:nn]
(config-vrf)# route-target [import | export | both] [ASN:nn]
!!Put an interface into the VRF (this WIPES the interface's IP address; configure it again afterwards)
(config)# interface [INTERFACE]
(config-if)# ip vrf forwarding [VRFNAME]

!!BGP
(config)# router bgp [as-id]                                      !!Enable BGP routing
(config-router)# network [network-address] mask [network-mask]    !!Advertise a network to BGP neighbours (it must already be in the routing table)
(config-router)# neighbor [ipaddress] default-originate           !!Send a default route to that neighbour
Router# clear ip bgp *          !!Hard reset: tears down and rebuilds every session -- STRONGLY ADVISED FOR LAB ENVIRONMENTS ONLY; in production it drops traffic until everything reconverges
Router# clear ip bgp * soft     !!Soft reset: re-sends and re-processes updates without dropping sessions. Takes its time, not recommended if you're in a rush.
!!iBGP
(config-router)#neighbor [NEIGHBORROUTERLOOPBACKIP] remote-as [NEIGHBOURAS#]
(config-router)#neighbor [NEIGHBORROUTERLOOPBACKIP] update-source [LOOPBACK]
(config-router)#neighbor [NEIGHBORROUTERLOOPBACKIP] next-hop-self     !!advertises this router as the next hop to its iBGP peer
!!eBGP
(config-router)# neighbor [ip-add] remote-as [neighbour as-id]        Specifies a BGP neighbour
!!no update-source is required for eBGP
!!MP-BGP (the pain in the ass of the bunch [I'm looking at you IPv6])
(config)# ipv6 unicast-routing        you need IPv6 to be routed, nimrod
(config)# router bgp [as-num]
!!ipv4 [NEIGHBOURS MUST BE ACTIVATED IN THE BGP ADDRESS FAMILIES (AFs)]
(config-router)# router-id [Routeridnum]
(config-router)# address-family ipv4 [unicast | multicast | vrf {vrf-name}]
(config-router-af)# network [networkaddress] mask [netmask]
(config-router-af)# neighbor [neighborip] activate
!!ipv6
(config-router)# address-family ipv6 [unicast | multicast | vrf {vrf-name}]
(config-router-af)# network [ipv6add]/[suffix]
(config-router-af)# neighbor [neighborip] activate
(config-router)# neighbor [ipv6add] remote-as [as]
(config-router)# neighbor [ipv6add] update-source [LOOPBACK]
(config-router)# neighbor [ipaddress] remote-as [as]
(config-router)# neighbor [NEIGHBORROUTERLOOPBACKIP] update-source [LOOPBACK]

!!BGP uses the following to determine the best path (in this order):
  1. weight (HIGHEST == winner)
  2. LOCAL_PREF (highest == winner)
  3. networks originating from the "network" command (locally originated)
  4. AS_PATH (SHORTEST == winner)
  5. lowest origin type (igp > egp > incomplete)
  6. MED (lowest == winner)
  7. eBGP over iBGP
  etc.... too lazy to put the others below..... :!
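The selection order above, as an added Python model that is not part of the cheat sheet: it ranks candidate paths by the listed attributes in that order, reports which step decided, and shows what an inbound route-map that sets local-preference does to the result. The neighbour IPs, AS numbers and attributes are constructed for the demo; MED is compared unconditionally here, which real IOS only does with "bgp always-compare-med" (by default it compares MED only between paths from the same neighbouring AS).

```python
"""Added example: BGP best-path selection in the order the cheat sheet lists.
Not from the cheat sheet; neighbour IPs, AS numbers and attributes are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower origin code wins
STEPS = ["weight", "local_pref", "local_origin", "as_path", "origin", "med", "ebgp"]


@dataclass
class Path:
    neighbor: str                     # peer the UPDATE came from
    as_path: List[int] = field(default_factory=list)
    weight: int = 0                   # Cisco-local, highest wins, never advertised
    local_pref: int = 100             # highest wins, carried inside the AS
    local_origin: bool = False        # injected here with the "network" command
    origin: str = "igp"
    med: int = 0                      # lowest wins
    ebgp: bool = True                 # eBGP-learned beats iBGP-learned


def sort_key(p: Path):
    """Tuple ordered so that the smallest key is the best path; each element is
    one selection step in the sheet's order."""
    return (-p.weight, -p.local_pref, 0 if p.local_origin else 1,
            len(p.as_path), ORIGIN_RANK[p.origin], p.med, 0 if p.ebgp else 1)


def best_path(paths: List[Path]) -> Path:
    # Caveat: real IOS compares MED only between paths from the same neighbouring
    # AS unless "bgp always-compare-med" is set; this model compares it always.
    return min(paths, key=sort_key)


def deciding_step(paths: List[Path]) -> Optional[str]:
    """Name of the step that knocked out the last competitor, or None when some
    other path ties the winner on every attribute listed here (the unlisted
    tie-breakers such as router ID would then apply)."""
    best = best_path(paths)
    bk = sort_key(best)
    last = -1
    for p in paths:
        if p is best:
            continue
        diffs = [i for i, (a, b) in enumerate(zip(bk, sort_key(p))) if a != b]
        if not diffs:
            return None
        last = max(last, diffs[0])
    return STEPS[last] if last >= 0 else None


def apply_inbound_local_pref(paths: List[Path], neighbor: str, value: int) -> List[Path]:
    """Effect of 'neighbor X route-map NAME in' with 'set local-preference VALUE':
    only paths learned from that neighbour get the new LOCAL_PREF."""
    return [Path(**{**vars(p), "local_pref": value}) if p.neighbor == neighbor else p
            for p in paths]


def demo():
    # Two eBGP paths to the same prefix, constructed for the demo.
    via_a = Path("10.0.0.1", as_path=[65001, 65002])       # longer AS_PATH
    via_b = Path("10.0.0.2", as_path=[65003], med=50)      # shorter AS_PATH
    before = best_path([via_a, via_b]).neighbor            # "10.0.0.2"
    # Prefer neighbour A for outbound traffic with an inbound route-map.
    tuned = apply_inbound_local_pref([via_a, via_b], "10.0.0.1", 200)
    after = best_path(tuned).neighbor                      # "10.0.0.1"
    return before, after, deciding_step([via_a, via_b]), deciding_step(tuned)


if __name__ == "__main__":
    print(demo())
```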
!!BGP local preference (influencing outbound traffic) {HIGHER === FAVOURABLE}
(config)#route-map {name} {permit|deny} {sequenceNumber}
(config-route-map)# set local-preference {value}
!!then apply it on the BGP AS
(config)# router bgp [AS]
(config-router)# neighbor [nexthop] route-map [name] in
!!AS_PATH {SHORTEST ==== FAVOURABLE}
(config)#ip as-path access-list [ACL#] deny | permit [PARAMETERS]     parameter must be a Cisco "regular expression"
(config)#ip as-path access-list [ACL#] deny | permit .*               explicit permit or deny of everything
!!BGP MED (influencing inbound traffic) {LOWER ==== FAVOURABLE}
(config)#route-map {name} {permit|deny} {sequenceNumber}
(config-route-map)# set metric {value}
!!then apply it on the BGP AS
(config)# router bgp [AS]
(config-router)# neighbor [nexthop] route-map [name] out

!!Hot Standby Routing Protocol (HSRP)
!!Add Switch/Router to a standby group
(config-if)# standby [STANDBYGROUPNUM] ip [STANDBYGROUPIP]
(config-if)# standby [STANDBYGROUPNUM] priority [STANDBYGROUPPRIORITY]     !!HIGHER priority = more likely to become the active router
!! Standby preempt - When preempt is configured, the original router will take over when it comes back up from a failure
(config-if)# standby [STANDBYGROUPNUM] preempt
(config-if)# standby [STANDBYGROUPNUM] preempt delay minimum [DELAY IN SEC]
!! Playing with HSRP hello timers
(config-if)# standby [STANDBYGROUPNUM] timers [hellovalue] [holdvalue]     //default is 1 sec for hellos, 3 seconds for hold
!! HSRP interface tracking **preempt req.**
(config-if)# standby [STANDBYGROUPNUM] track [INTERFACE] [DECREMENTVALUE]  //tracks an interface, and if it goes down, decrements the priority by the specified value
!!HSRP Object tracking
!! Define IP SLA ICMP echo test
(config)# ip sla [SLANUM]
(config-ip-sla)# icmp-echo [IPADDRESS]
(config-ip-sla-echo)# frequency [FREQUENCY]
(config-ip-sla-echo)# exit
(config-ip-sla)# exit
(config)# ip sla schedule [SLANUM] life [LIFETIMEOFSLA] start-time [STARTTIME]     //typical life = forever & typical start-time = now
!! Create an object that tracks the IP SLA
(config)# track [TRACKNUM] ip sla [SLANUM]
!! Configure HSRP to track the object and decrement the priority
(config)# int [INTERFACE]
(config-if)# standby [STANDBYGROUPNUM] track [TRACKNUM] decrement [DECREMENTVALUE]
!!HSRP Authentication (HSRPv2 req.)
(config)# key chain [CHAINNAME]
(config-keychain)# key [KEYNUMBER]
(config-keychain-key)# key-string [0 | 7] [STRING]
(config-keychain-key)# exit
(config)# interface [INTERFACE]
(config-if)# standby [STANDBYGROUPNUM] version 2
(config-if)# standby [STANDBYGROUPNUM] authentication md5 key-chain [CHAINNAME]

!!Virtual Router Redundancy Protocol (VRRP):
!!uses three timers:
  advertisement interval: time between advertisements (default: 1 sec)
  master down interval: number of seconds before the master is declared down (default: 3 x advertisement interval + skew time)
  skew time: ensures the backup router with the highest priority becomes the new master (default: (256 - priority) / 256)
!! Configuring VRRP
(config)# interface [INTERFACE]
(config-if)# ip add [IPADDRESS] [SUBNET]
(config-if)# vrrp [VRNUMBER] ip [VRIP]
(config-if)# vrrp [VRNUMBER] priority [PRIORITY]
(config-if)# vrrp [VRNUMBER] timers advertise [TIMERVALUE]     //on master set this to 4.
!!VRRP object tracking
(config)# track [TRACKNUM] interface [INTERFACE] line-protocol
(config)# interface [INTERFACE]
(config-if)# vrrp [VRNUMBER] track [TRACKNUM] decrement [DECREMENTVALUE]
!!VRRP Authentication
(config)# interface [INTERFACE]
(config-if)# vrrp [VRNUMBER] authentication md5 key-string [KEYSTRING]
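The HSRP/VRRP election rules above (priority minus tracking decrements, preempt, and the VRRP master-down timer), as an added Python model that is not part of the cheat sheet. Router names, interface IPs and the tracked object "Gi0/1" are constructed; the tie-break on highest interface IP and the "no preempt means the current router keeps the role" behaviour are the standard HSRP/VRRP semantics the sheet's "preempt req." note refers to.

```python
"""Added example: a model of the HSRP/VRRP election rules on the cheat sheet
(priority minus tracking decrements, preempt, VRRP master-down timer).
Not from the cheat sheet; router names, IPs and tracked objects are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Router:
    name: str
    ip: str                       # tie-breaker: highest interface IP wins
    priority: int = 100           # default for both HSRP and VRRP
    preempt: bool = False         # HSRP default is off; VRRP default is on
    tracks: Dict[str, int] = field(default_factory=dict)   # tracked object -> decrement


def ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def effective_priority(r: Router, down: Set[str]) -> int:
    """Configured priority minus the decrement of every tracked object that is down."""
    return max(0, r.priority - sum(dec for obj, dec in r.tracks.items() if obj in down))


def elect(routers: List[Router], down: Set[str] = frozenset(),
          current: Optional[str] = None) -> str:
    """Name of the active (HSRP) / master (VRRP) router.

    `current` is the router holding the role right now.  If it is still up,
    a better candidate only takes over when that candidate has preempt
    configured, which is why the sheet marks interface tracking "preempt req."."""
    best = max(routers, key=lambda r: (effective_priority(r, down), ip_key(r.ip)))
    if current is not None and current != best.name and not best.preempt:
        return current
    return best.name


def vrrp_skew_time(priority: int) -> float:
    """Default skew time, (256 - priority) / 256 seconds: a higher-priority backup
    waits less and therefore wins the race to become master."""
    return (256 - priority) / 256


def vrrp_master_down_interval(priority: int, advertise: float = 1.0) -> float:
    """Seconds a backup waits before declaring the master down."""
    return 3 * advertise + vrrp_skew_time(priority)


def demo():
    r1 = Router("R1", "10.1.1.2", priority=110, preempt=True, tracks={"Gi0/1": 20})
    r2 = Router("R2", "10.1.1.3", priority=100, preempt=True)
    normal = elect([r1, r2])                                      # "R1"
    uplink_down = elect([r1, r2], {"Gi0/1"}, current="R1")        # "R2": 90 < 100 and R2 preempts
    r2_no_preempt = Router("R2", "10.1.1.3", priority=100, preempt=False)
    stuck = elect([r1, r2_no_preempt], {"Gi0/1"}, current="R1")   # "R1": nobody preempts
    return normal, uplink_down, stuck


if __name__ == "__main__":
    print(demo())
    print(vrrp_master_down_interval(100))   # 3.609375 with the default 1 s advertisement
```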
!! Gateway Load Balancing Protocol (GLBP)
!! Configuring GLBP
(config)# interface vlan [VLAN]
(config-if)# ip add [IPADDRESS] [SUBNET]
(config-if)# glbp [GLBPID] load-balancing [round-robin | weighted | host-dependent]     //default is round-robin
(config-if)# glbp [GLBPID] ip [IPADDRESS]
(config-if)# glbp [GLBPID] priority [PRIORITY]
(config-if)# glbp [GLBPID] preempt delay minimum [DELAYINSEC]
(config-if)# glbp [GLBPID] timers msec [HELLOTIMER] msec [HOLDTIMER]
!! Configuring GLBP tracking
(config)# track [TRACKNUM] interface [INTERFACE] line-protocol
(config)# interface [INTERFACE]
(config-if)# glbp [GLBPID] ip [IPADDRESS]
(config-if)# glbp [GLBPID] weighting [MAXIMUM] lower [LOWER] upper [UPPER]
(config-if)# glbp [GLBPID] weighting track [TRACKNUM] decrement [DECREMENTVALUE]
!! GLBP authentication:
(config)# interface [INTERFACE]
(config-if)# ip address [IPADDRESS] [SUBNET]
(config-if)# glbp [GLBPID] authentication md5 key-string [KEYSTRING]
(config-if)# glbp [GLBPID] ip [IPADDRESS]

!!IP Multicast routing:
!!Enabling IP Multicast Routing
(config)# ip multicast-routing distributed
!!enabling PIM on an interface
(config-if)# ip pim sparse-mode
!!Configuring a rendezvous point
(config)# ip pim rp-address [IPADDRESS] [ACLID]
!!Enabling IGMP snooping on access layer switches
(config)# ip igmp snooping

!!GRE Tunneling
(config)# int tunnel0
(config-if)# tunnel mode gre ip
(config-if)# ip add [ip add] [mask]          assigns an IP address to the tunnel
(config-if)# tunnel source [interfacename]
(config-if)# tunnel destination [ip address]

!!PORT SECURITY (Switch)
(config)# int {INTERFACE}
(config-if)# switchport mode access                          !!Set access mode for port
(config-if)# switchport port-security                        !!Enable Port Security
(config-if)# switchport port-security maximum {MAX}          !!Max number of allowed MAC addresses
(config-if)# switchport port-security violation {ACTION}     !!What to do if a violation occurs
    !!PROTECT: Only drop packets from unauthorized MACs
    !!RESTRICT: Drop packets from unauthorized MACs AND increment the Security Violation Counter
    !!SHUTDOWN: Shut down the interface until it's brought back online manually
(config-if)# switchport port-security mac-address {sticky|MAC}     !!Enable sticky learning, or provide a MAC

!!DHCP snooping
!!mitigates DHCP spoofing
!!Configure on Distribution layer:
(config)# ip dhcp snooping information option allow-untrusted     Enables DHCP Snooping to allow untrusted ports with option 82 already populated
(config)# ip dhcp snooping
(config)# ip dhcp snooping vlan [VLAN]
!!Configure on Access Layer:
(config)# ip dhcp snooping
(config)# interface [INTERFACE]
(config-if)# ip dhcp snooping trust           Set this on trusted ports or port channels (the ones leading to the DHCP server)
(config-if)# exit
(config)# int | int range [INT(s)]            untrusted port(s)
(config-if)# ip dhcp snooping limit rate 20
(config-if)# exit
(config)# ip dhcp snooping vlan [VLAN]
(config)# exit
!!Configuring the DHCP snooping database agent to store the bindings at a given location
(config)# ip dhcp snooping database tftp://[IPADDRESS]/directory/file

!!ERASING NVRAM
# erase nvram:
# delete vlan.dat
# reload

!!NAT (PAT)
!!First, create an access list for the translations
(config)# access-list {ACCESS-LIST} permit {INSIDE_NETWORK} {WILDCARD}
!!{ACCESS-LIST} = new ACL number, {INSIDE_NETWORK} = internal network address, {WILDCARD} see subnet mask translations
!!Next, enable NAT
(config)# int {INSIDE_INTERFACE}          !!Switch to interface for internal network
(config-if)# ip nat inside                !!Enable NAT on interface, and set as inside
(config-if)# exit                         !!Leave
(config)# int {OUTSIDE_INTERFACE}         !!Switch to interface for external network
(config-if)# ip nat outside               !!Enable NAT on interface, and set as outside
(config-if)# exit                         !!Leave
(config)# ip nat inside source list {ACCESS-LIST} interface {OUTSIDE_INTERFACE} overload     !!I have no idea what this one does, but forget or fuck it up, nothing works

!!PPP
(config-if)# encapsulation ppp
!!CHAP
(config)# username [OPPOSITE DEVICENAME] password [PASSWORD IS SAME ON EACH END]
(config-if)# ppp authentication chap

!!Telephony Services
!!CME
!!TFTP Server
!!Configure HTTP, HTTPS, and HTTP AUTHENTICATION LOCAL
!! Hunt Groups (SCCP and SIP)
!!Longest idle - Rings the phone in the hunt group that has been idle the longest.
!!Peer - A circular algorithm where the first number tried is configured directly to the right of the last number attempted.
!!Sequential - Rings the extensions in the exact order they were configured. Once it gets to the end of the list, it dials the configured final number.
!!Parallel - Allows an incoming call to simultaneously ring all the numbers in the hunt group.
!!   only available in the SCCP-and-SIP method (voice hunt-group), not the SCCP-only method (ephone-hunt)
router(config)# voice hunt-group [num] [longest-idle | peer | sequential | parallel]
router(config-voice-hunt-group)# pilot [EXT]
router(config-voice-hunt-group)# list [EXTS]
router(config-voice-hunt-group)# timeout [seconds]

!! SCCP (Skinny)
!!Restart causes phones to connect to the TFTP server and update their configuration file. Updates: DNs, Phone Buttons, Speed Dial
!! Restart all your phones:
router(config)# telephony-service
router(config-telephony)# restart all
!!restart only one phone
router(config)# ephone [ID]
router(config-ephone)# restart
!!Reset causes a full boot of the phone. Updates: Date/Time, Phone Firmware, CUCME source IP address, TFTP download path, voicemail access number
!!reset all the phones
router(config)# telephony-service
router(config-telephony)# reset all
!!reset only one phone
router(config)# ephone [ID]
router(config-ephone)# reset
!!Configure ePhone display options
router(config-telephony)# system message [MESSAGE]
!!Configure a URL to be displayed on the phone when it has been idle for the set number of seconds
router(config-telephony)# url idle [URL] idle-timeout [SECS]
!!Configure Directory entries
router(config-telephony)# directory entry [entrynum (1-100)] [NUMBER] name [NAME]
!!Localizations
!!Set locale language
router(config-telephony)# user-locale [VALUE]
!!Set network-locale - configures local tone variables; busy signals are not the same everywhere in the world
router(config-telephony)# network-locale [VALUE]
!!Setup
Router(config)# telephony-service
Router(config-telephony)# ip source-address [IPADDRESS] port [PORT]     !!If no port is specified, defaults are used (SCCP>2000/SIP>5060)
!!configure distribution of firmware
router(config)# telephony-service
router(config-telephony)# load [phone-type] [file]
!!Setup max number of phones and Directory numbers
Router(config)# telephony-service
Router(config-telephony)# max-ephone [NUMBER]
Router(config-telephony)# max-dn [NUMBER]
!!Configure Auto Registration
Router(config-telephony)# [no] auto assign [NUMBER] to [NUMBER]     !!do/don't auto assign ephones to pick up extensions; if set to no, you will need to configure exts manually
!!Turn ephone auto registration off [This setting is ON by default]
Router(config-telephony)# no auto-reg-ephone
!!Setup time and date formatting
Router(config-telephony)# date-format [mm]-[dd]-[yy]
Router(config-telephony)# time-format [12 | 24]     !!12hr or 24hr formatting
!!generate and serve phone configurations
router(config)# telephony-service
router(config-telephony)# create cnf-files
!!verify creation of cnf-files
router# show telephony tftp-bindings

!!Configuration of a virtual phone line (ext)
!!Configure a new ephone-dn (line)
router(config)# ephone-dn [NUMBER]
!!Types of ePhone-DNs:
!! Single - Supports one call at a time. If shared, only one phone can use it at a time; no call waiting, no transfer with full consult [Exclusive]
!! Dual-Line - Can handle two calls at the same time (supports call waiting); if shared, the line still can only be used by one phone at a time [Shared-Exclusive]
!! Octo-Line - Up to 8 voice channels - Can handle eight calls on many phones at the same time; if shared, many phones can use the same line at one time [Shared-NonExclusive] - Calls on hold can be answered by anyone
router(config)# ephone-dn [DN-NUM] [single-line | dual-line | octo-line]     !! default is single-line
!!Configure number (extension)
router(config-ephone-dn)# number [NUMBER]
!!Configure name (Call Display Name)
router(config-ephone-dn)# name [NAME]
!!label (Phone line button label)
router(config-ephone-dn)# label [LABEL]
!!Description (SCCP ONLY!) - displays a text string in the IP phone header bar
router(config-ephone-dn)# description [DESCRIPTION]
!!configuring preference for the number associated with the ext (lower is more desirable)
router(config-ephone-dn)# preference [0-9]     !! 0 is default
!! configure huntstop (do we want to continue looking for someone to pick up the call?)
router(config-ephone-dn)# no huntstop     !! don't stop hunting, keep looking for a DN to take the call. Without this command the DN is the last one to try, and hunting stops there.
!! for dual and octo lines: if one channel is taken up on a DN, don't wait, bump the call to the next DN.
router(config-ephone-dn)# huntstop channel
!!configure shared line between SCCP and SIP
router(config-ephone-dn)# shared-line sip
!!Configure Ephone-Hunt Groups
router(config)# ephone-hunt [group] [longest-idle | peer | sequential]
router(config-ephone-hunt)# pilot [ext]
router(config-ephone-hunt)# list [exts]
router(config-ephone-hunt)# timeout [seconds]

!!Configuration of a Physical Phone
router(config)# ephone 1
!!MAC ADDRESS
router(config-ephone)# mac-address [MACADDRESS]
!!Type (Assign the Phone type/model for cnf files and template)
router(config-ephone)# type [TYPE]
!!Button (Associate Buttons with DNs)
!!Ring Types:
!! ':' - Normal ring - for incoming calls on this ext
!! s - Silent, no audible ring
!! b - Beep/no ring - ring is silenced, but call-waiting beeps
!! f - Feature ring - differentiates calls on other lines
!! m - Monitor mode - monitors the line to see if it is in use or not (monitors a DN)
!! w - Watch mode - watches all lines on a phone for which the DN is the primary line (monitors a Phone)
router(config-ephone)# button [ButtonNum][RingType][ephone-dn]
!!Configure Speed-dials
router(config-ephone)# speed-dial [NUM] [DN] label [LABEL]

!!SIP
!!Restart causes phones to connect to the TFTP server and update their configuration file. Updates: DNs, Phone Buttons, Speed Dial
!! Restart all your phones:
router(config)# voice register global
router(config-register-global)# restart
!!Restart individual phones
router(config)# voice register pool [ID]
router(config-register-pool)# restart
!!Reset causes a full boot of the phone. Updates: Date/Time, Phone Firmware, CUCME source IP address, TFTP download path, voicemail access number
!!reset all the phones
router(config)# voice register global
router(config-register-global)# reset
!!reset only one phone
router(config)# voice register pool [ID]
router(config-register-pool)# reset
!!Setup
router(config)# voice service voip
router(conf-voi-serv)# allow-connections sip to sip
router(conf-voi-serv)# sip
router(conf-serv-sip)# registrar server [expires [max 1200] [min 300]]
router(config)# voice register global
router(config-register-global)# mode cme
router(config-register-global)# source-address [IPADDRESS] port [PORT]     !!If no port is specified, defaults are used (SCCP>2000/SIP>5060)
!!configure distribution of firmware
router(config)# voice register global
router(config-register-global)# load [phone-type] [file]
!!setup max number of phones and directory numbers
router(config)# voice register global
router(config-register-global)# max-pool [NUMBER]
router(config-register-global)# max-dn [NUMBER]
!!force SIP username/password authentication
router(config-register-global)# authenticate register
!!create profile
router(config-register-global)# create profile
!!setup time and date formatting
router(config-register-global)# date-format [M]/[D]/[Y]
router(config-register-global)# timezone [12]     !!UNLIKE SCCP, this references the timezone, NOT the 12 vs 24hr clock format.
!!generate and serve cnf-files
router(config)# voice register global
router(config-register-global)# create profile
!!verify creation of cnf-files
router# show voice register tftp-bind

!!Configuration of a virtual phone line (ext)
!!Configure a new voice register dn (line)
router(config)# voice register dn [NUMBER]
!!Configure number (extension)
router(config-register-dn)# number [NUMBER]
!!Configure name (Call Display Name)
router(config-register-dn)# name [NAME]
!!label (Phone line button label)
router(config-register-dn)# label [LABEL]
!!configure shared line between SCCP and SIP
router(config-register-dn)# allow watch
router(config-register-dn)# shared-line max-calls 8

!!Configuration of a Physical Phone
router(config)# voice register pool 1
!!MAC ADDRESS
router(config-register-pool)# id mac [MACADDRESS]
!!Associate DNs with an individual button
router(config-register-pool)# number [lineNumber] dn [DN]
!!provide credentials for SIP registrar
router(config-register-pool)# username [USR] password [PASS]
!!codec
!!uh yea... so his slides don't go into details on this so just do this:
router(config-register-pool)# codec g711ulaw

!!CCP
!!Configure CCP
!! Create a local user for access control
router(config)# username Neo privilege 15 password cisco
!!Enable HTTP and HTTP Secure
router(config)# ip http server
router(config)# ip http secure-server
!!Configure the HTTP server to use local credentials for authentication
router(config)# ip http authentication local
!!Configure Telnet/SSH (under the vty lines)
router(config-line)# transport input telnet ssh

!! PSTN
!! FXS: the provider
!! FXO: the receiver
!! CAS: signalling is sent over the same line as the voice calls
!! CCS: subtracts a line from the pool, and uses it solely for signalling
!!FXS/O Voice Port configuration
!!Configure FXS
!! Initialize slot
router(config)# voice-port [slot]
!! Configure Signalling Method
router(config-voiceport)# signal [loopstart | groundstart]
!!configure call progress tone
router(config-voiceport)# cptone [Region]
!!configure station id name
router(config-voiceport)# station-id name [NAME]
!!configure station id number
router(config-voiceport)# station-id number [NUMBER]
!!bring the voice port up
router(config-voiceport)# no shutdown
!! Configure PLAR
!! Choose Voice Port for the PLAR
router(config)# voice-port [slot]
!! Choose EXT to ring through to
router(config-voiceport)# connection plar [EXT]
!!Configure FXO
!!Initialize slot
router(config)# voice-port [slot]
!! configure signalling method
router(config-voiceport)# signal [loopstart | groundstart]
!! dial-type: dtmf is touch tone, pulse is rotary
router(config-voiceport)# dial-type [dtmf | pulse | mf]

!! Configuring CAS
!!setting card type - important for cards that support both T1 and E1
router(config)# card type [e1 | t1] [SLOT]
!!Initialize and configure controller
router(config)# controller [T1 | E1] [SLOT]
!!Configure framing type [sf - super frame, esf - extended super frame]
router(config-controller)# framing [sf | esf]
!!Configure linecode - default for T1 is b8zs
router(config-controller)# linecode [ami | b8zs | hdb3]
!!Configure clock source
router(config-controller)# clock source [line | internal]
!!configure channel group
router(config-controller)# ds0-group [group] timeslots [range (between 1-24)] type [fxo-loop-start]

!! Configuring CCS
!! configure the switch type [Service provider tells you the switch type]
router(config)# isdn switch-type primary-ni
!! if you get a 0 from telco, the call failed
router(config)# isdn voice-call-failure 0
!! who is setting the clock rate
router(config)# network-clock-participate wic 1
!!configure the controller
!!card type
router(config)# card type [e1 | t1] [slot]
!!Initialize
router(config)# controller [t1 | e1] [slot]
!!framing
router(config-controller)# framing [sf | esf]
!!linecode
router(config-controller)# linecode [ami | b8zs | hdb3]
!!primary rate group timeslots
router(config-controller)# pri-group timeslots [range,setup]
!!Configure the virtual serial interface
router(config-if)# no ip add
router(config-if)# no ip redirect
router(config-if)# encapsulation hdlc
router(config-if)# isdn switch-type primary-ni
router(config-if)# isdn incoming-voice voice
router(config-if)# isdn supp-service name calling
router(config-if)# no cdp enable

!!Configuring dial peers
!!Destination Pattern Wildcards:
!!Period (.) - Matches any entered digit
!!Plus Sign (+) - matches one or more instances of the preceding digit
!!Caret (^) - indicates digits are NOT to match
!!Brackets ([]) - indicate a range of digits for a single placeholder
!!Dollar Sign ($) - matches the null string at the end of the input string
!![#]T - Control character that tells the phone to wait until the user is done entering numbers.
!!POTS Dial Peer (Calls to voice ports [FXO, FXS, T1 ports])
router(config)# dial-peer voice [number] pots
router(config-dial-peer)# destination-pattern [extension]
router(config-dial-peer)# port [nexthop]
!!Additional Configuration Options:
router(config)# num-exp [match] [changeto]                !!Changes matching dialed numbers to a new number
router(config-dial-peer)# forward-digits [# | all]        !!can be used to do digit manipulation (putting 4 sends the last 4 digits)
router(config-dial-peer)# no digit-strip                  !!POTS by default strips all explicitly matched digits; this forwards all digits.
!!VOIP Dial peer (calls to sessions [IP or DNS Hostname])
router(config)# dial-peer voice [number] voip
router(config-dial-peer)# destination-pattern [number/ext]
router(config-dial-peer)# session target [nexthop]
!!Inbound Dial Peers
router(config-dial-peer)# incoming called-number [phonenum]     !! Matches based on the number that was called
router(config-dial-peer)# answer-address [phonenum]             !! Matches based on the number that is calling

!!Translation Rules:
!!Wildcards:
!! ^ -- Match the expression at the start of the line
!! $ -- Match the expression at the end of the line
!! / -- Delimiter that marks the start and end of both the matching and replacement strings
!! \ -- Escape the special meaning of the next character
!! - -- Indicates a range when used within brackets
!! [list] -- Match a single character in the list
!! [^list] -- Do not match a single character specified in the list
!! . -- Match any single character
!! * -- Repeat the previous regular expression zero or more times
!! + -- Repeat the previous regular expression one or more times
!! ? -- Repeat the previous regular expression zero or one time
!! () -- Groups regular expressions. Use \1-\9 to refer to matched groups
!! & -- Match the substring (matched string). You may also use \0.
voice translation-rule [tag]
  rule [tag] [match] [replacement]
!! e.g.
voice translation-rule 1
  rule 1 /123/ /456/     -- replaces the first instance of 123 with 456

!! Dial-Peer COR Lists:
!! 1. Define COR tags
dial-peer cor custom
  name [name]
!! 2. create outbound list
dial-peer cor list [name]
  member [name]
!! 3. create inbound lists
dial-peer cor list [name]
  member [name]
!! 4. Assign the outbound COR lists:
(config-dial-peer)# corlist outgoing [name]
!! 5. Assign the inbound COR lists:
(config-dial-peer)# corlist incoming [name]
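The destination-pattern wildcards (under dial peers above) and the translation-rule syntax, as an added Python model that is not part of the cheat sheet: it converts a destination-pattern to a regex, picks the longest-match dial peer for a dialed string, works out which digits leave a POTS port after digit-strip / forward-digits, and applies one /match/ /replacement/ rule. The dial plan, ports and rules are constructed; counting each [..] class as one explicit digit for longest-match is an assumption.

```python
"""Added example: how IOS picks a dial peer from destination-pattern wildcards,
what digits leave a POTS port after digit-strip / forward-digits, and how a
voice translation-rule rewrites a number.  Not from the cheat sheet; the
extensions, ports and rules below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union


def pattern_to_regex(pattern: str) -> str:
    """Translate a destination-pattern into a Python regex for re.fullmatch:
    '.' any one digit, '+' one or more of the preceding digit, '[..]' a digit
    range, 'T' wait for the inter-digit timeout (any further digits),
    '*' and '#' literal keypad keys."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == ".":
            out.append(r"\d")
        elif c == "T":
            out.append(r"\d*")
        elif c in "*#":
            out.append("\\" + c)
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])     # copied as-is; [^..] and ranges work
            i = j
        elif c in "+^$" or c.isdigit():
            out.append(c)                    # same meaning in a regex
        else:
            raise ValueError(f"unsupported character {c!r} in {pattern!r}")
        i += 1
    return "".join(out)


def explicit_digits(pattern: str) -> int:
    """Digits the pattern matches explicitly (assumption: each [..] class counts
    as one); IOS prefers the matching peer with the most of them (longest match)."""
    return sum(c.isdigit() for c in re.sub(r"\[[^\]]*\]", "0", pattern))


@dataclass
class DialPeer:
    tag: int
    pattern: str
    kind: str = "pots"                 # "pots" -> port, "voip" -> session target
    target: str = ""
    preference: int = 0                # lower wins a tie on longest match
    digit_strip: bool = True           # POTS default: strip the explicit leading digits
    forward_digits: Optional[Union[int, str]] = None   # N, "all", or None

    def matches(self, dialed: str) -> bool:
        return re.fullmatch(pattern_to_regex(self.pattern), dialed) is not None


def select_dial_peer(peers: List[DialPeer], dialed: str) -> Optional[DialPeer]:
    """Longest match first, then lowest preference."""
    matching = [p for p in peers if p.matches(dialed)]
    if not matching:
        return None
    return max(matching, key=lambda p: (explicit_digits(p.pattern), -p.preference))


def outgoing_digits(peer: DialPeer, dialed: str) -> str:
    """Digits sent out a POTS port for `dialed`."""
    if peer.kind != "pots" or not peer.digit_strip or peer.forward_digits == "all":
        return dialed
    if isinstance(peer.forward_digits, int):          # forward-digits N = last N digits
        return dialed[-peer.forward_digits:] if peer.forward_digits else ""
    lead = len(re.match(r"\d*", peer.pattern).group(0))   # default digit-strip
    return dialed[lead:]


def translate(match: str, replacement: str, number: str) -> str:
    """One 'rule N /match/ /replacement/' line: first occurrence only; Cisco's
    '&' and '\\0' stand for the whole matched substring, \\1-\\9 for groups."""
    def unslash(s: str) -> str:
        return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == "/" else s
    repl = unslash(replacement).replace("&", r"\g<0>").replace(r"\0", r"\g<0>")
    return re.sub(unslash(match), repl, number, count=1)


# Constructed dial plan: 4-digit extensions on FXS ports, PSTN via 9, international via 9011.
PEERS = [
    DialPeer(1, "2...", target="0/1/0"),
    DialPeer(2, "2[0-3]..", target="0/1/1"),
    DialPeer(3, "9T", target="0/0/0"),
    DialPeer(4, "9011T", target="0/0/1"),
]

if __name__ == "__main__":
    for dialed in ("2150", "2950", "95551234", "901144201234"):
        peer = select_dial_peer(PEERS, dialed)
        print(dialed, "->", peer.tag, outgoing_digits(peer, dialed))
```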
!!QOS
!!Weighted Fair Queuing:
!!Configuring Weighted Fair Queuing
!!CDT = congestive discard threshold, the number of messages allowed in each queue (16-4096) [default is 64]
!!dynamic-queues = number of dynamic queues used for best-effort conversations (values = 16, 32, 64, 128, 256, 512, 1024, 2048 [default is 256])
!!reservable-queues = number of reservable queues for reserved conversations (0-1000 [default=0])
(config-if)# fair-queue [cdt [dynamic-queues [reservable-queues]]]
!!WFQ Maximum Limit Configuration
!!Specifies the maximum number of packets that can be in all output queues on the interface at any time (default = 1000)
(config-if)# hold-queue max-limit out [value]

!! Modular QoS with Class and Policy Maps & Service Policies
!!Class Maps = What traffic are we matching??
!!Configuring Class Maps
(config)# class-map [match-all | match-any] [class-map-name]
!!Match conditions
(config-cmap)# match [any | not] [match criteria]
!!Descriptions are for the weak
(config-cmap)# description [description]
!!O BOY YOU GET TO MAKE AN ACL [silently killing self]
!!once you do that, let's set the class map to match the ACL:
(config-cmap)# match access-group [acl-number-or-name]
!! Policy Maps = What do we want to do with the matches?
!!Make them policy maps:
(config)# policy-map [policy-map-name]
!! what class map do you want to match from???
(config-pmap)# class [classname | class-default]
!! Service Policies = Where am I doing this policy?
!! link policy map to an interface
(config-if)# service-policy [input | output] [policy-map-name]
!! NBAR (Network-Based Application Recognition)
!!Configuring NBAR to discover the protocols on an interface
(config-if)# ip nbar protocol-discovery
!!Configure a class map to match based off of NBAR protocol discovery
(config-cmap)# match protocol [protocol]
!!Going further down the rabbit hole, NBAR for RTP:
(config-cmap)# match protocol rtp [audio | video | payload-type | payload-string]
!! Class Based Weighted Fair Queuing (CBWFQ)
!!Allocates a fixed amount of bandwidth to a class of a policy map:
(config-pmap-c)# bandwidth [amount in kbps]
!!Allocates a percentage of the bandwidth to a class of a policy map:
(config-pmap-c)# bandwidth percent [percentage]
!!Allocates a percentage of the remaining (unreserved) bandwidth to a class of a policy map:
(config-pmap-c)# bandwidth remaining percent [percentage]
!! Sets the maximum number of packets that this queue can hold [Default = 64]
(config-pmap-c)# queue-limit [value]
!! Set the number of dynamic queues: (Default = 256) (values can be powers of 2 from 16 to 4096)
(config-pmap-c)# fair-queue [number of dynamic queues]
!! Set the default class to use WFQ
(config-pmap)# class class-default
(config-pmap-c)# fair-queue
!! LLQ - Low Latency Queuing
!! configure the priority bandwidth amount in kbps
(config-pmap-c)# priority [kbps]
!! configure the priority bandwidth as a percentage:
(config-pmap-c)# priority percent [percentage]
!!Class Based Weighted Random Early Detection (CBWRED)
!!Enable IP precedence-based WRED in the policy map class:
(config-pmap-c)# random-detect
!! Change the WRED traffic profile:
(config-pmap-c)# random-detect precedence [precedence] [min-threshold] [max-threshold] [mark-prob-denominator]
!!DSCP-Based CBWRED
(config-pmap-c)# random-detect dscp-based
(config-pmap-c)# random-detect dscp [dscpvalue] [min-threshold] [max-threshold] [mark-prob-denominator]

!!GENERAL COMMANDS QUICK REFERENCE
!!NAVIGATION (Honestly, if you don't know these by now, hit up your local McDonald's for a job)
> enable                 !!Upgrade access to # (privileged EXEC mode)
#configure terminal      !!Enter primary configuration mode
#exit                    !!Exit current menu mode, into the next lower tier
#end                     !!Exits config directly to #
!!CONFIGURATION
(config-line)# password {PASSWORD}       !!Set the unencrypted password, usually for CONSOLE
(config)# enable password {PASSWORD}     !!Set the unencrypted password for ENABLE MODE (rarely used)
(config)# enable secret {PASSWORD}       !!Set the ENCRYPTED password for ENABLE MODE
!!INTERFACE CONFIGURATION
!!NOTE: Some switches will use "F0/1", others will use "F1/0/1"
(config)# interface {g0/1}               !!Select interface g0/1
(config-if)# no shutdown                 !!Bring interface UP (used after updating info, eg ip address)
(config-if)# ip address {ADD SUBNET}     !!Enter IP and Subnet for the selected interface
(config-if)# ipv6 address {ADD/BITS}     !!Set IPv6 address and network bits for the selected port
!!INTERFACE RANGES
(config)# interface range {F|G}0/{FIRST_INT}-{LAST_INT}
!!So, to select interfaces Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7 the command would be
(config)# interface range F0/3-7
!!OTHER SHIT
(config-line)# logging synchronous       !!Pretty sure you just have to type as-is, reduces the output to the terminal so you can type

!!SUBNET MASK REFERENCE
Slash  Addresses  Hosts  Netmask          Wildcard Mask  Amount of a Class C
/30    4          2      255.255.255.252  0.0.0.3        1/64
/29    8          6      255.255.255.248  0.0.0.7        1/32
/28    16         14     255.255.255.240  0.0.0.15       1/16
/27    32         30     255.255.255.224  0.0.0.31       1/8
/26    64         62     255.255.255.192  0.0.0.63       1/4
/25    128        126    255.255.255.128  0.0.0.127      1/2
/24    256        254    255.255.255.0    0.0.0.255      1
/23    512        510    255.255.254.0    0.0.1.255      2
/22    1024       1022   255.255.252.0    0.0.3.255      4
/21    2048       2046   255.255.248.0    0.0.7.255      8
/20    4096       4094   255.255.240.0    0.0.15.255     16
/19    8192       8190   255.255.224.0    0.0.31.255     32
/18    16384      16382  255.255.192.0    0.0.63.255     64
/17    32768      32766  255.255.128.0    0.0.127.255    128
/16    65536      65534  255.255.0.0      0.0.255.255    256

!!Benjamin Franklin once said "Diligence is the mother of good luck." If you're reading below this point, I hope to God you have diligence, because luck can't save you now.

!!RECOVER A PASSWORD
Step 1: Shut down the router.
Step 2: Console into the router (recommended doing it within the lab).
Step 3: Power on the router, establish a console session and FUCKING MASH Ctrl-Break until you get Rommon 1>
Step 4: At "Rommon 1>" type "confreg 0x2142". This bypasses loading startup-config on power-on.
    Rommon 1> confreg 0x2142
Step 5: The router should now offer "Rommon 2>"; type "reset".
    Rommon 2> reset
Step 6: If the router asks to enter initial configuration, decline.
Step 7: Enter enable mode
    Router> enable
!!You've started the router on a default configuration, and are now in 'enable' mode, bypassing the password the hacker set BUT not having access to the configuration.
!!You are now going to copy the stored configuration into RAM, keeping your enable status, then change the saved password.
Step 8: Copy the saved (with bad password) config into RAM
    Router# copy startup-config running-config
Step 9: Go to Configure Terminal to change the password
    Router# conf t
Step 10: Change the password
    Router(config)# enable secret {NEW PASSWORD}
Step 11: Reset the register
    Router(config)# config-register 0x2102
Step 12: Re-boot the router, place your palms on the floor, and pray.
    Router(config)# exit
    Router# reload
"Our Father, Who art in Heaven... (etc)"