Router Switch Commandsc


  • 8/14/2019 Router Switch Commandsc

    1/121

    Router Commands

    Router# terminal history size 256
    Router# show history

    sh processes cpu

    line con 0
    logging synchronous          -- keeps console log messages from breaking up the line you are typing

    no ip domain-lookup          -- keeps the router from trying to resolve mistyped commands as hostnames

    ip subnet-zero               -- allows subnet 0 to be used on the router

    Switch#show running-config interface fastethernet 5/6

    RouterP(config)#service password-encryption   --- encrypts all passwords shown in the config (wr)

    You can also search the running config: sh run | begin line vty

    alias exec --not quite sure, check

    Create a VLAN with:

    DLS2(config)#vlan 10
    DLS2(config-vlan)#no shut
    %VLAN 10 is not shutdown.
    DLS2(config-vlan)#vlan 20
    DLS2(config-vlan)#no shut
    %VLAN 20 is not shutdown.
    DLS2(config-vlan)#vlan 30
    DLS2(config-vlan)#no shut
    %VLAN 30 is not shutdown.
    DLS2(config-vlan)#^Z

    Then enable ip routing and turn each VLAN into an SVI, adding an address under the interface command:
    ip routing
    int vlan 10
    ip address <address> <mask>

    SSH setup on a switch/router config

    Switch(config)# username cisco password cisco

    Switch(config)# ip domain-name cisco

    Switch(config)# crypto key generate rsa

    Switch(config)# line vty 0 15

    Switch(config-line)# login local

    Switch(config-line)# transport input ssh

    ssh -l cisco 172.16.254.241 ---to connect to a remote host with ssh


    To control the protocols that will be accepted on the vty lines, use the transport input command.

    Remember that the command to create a standard access list for a single host is access-list <number> permit host <address>.

    b. Use this access list to define the access-class for the vty connections. Set the access-class on the vty lines (0 4) for inbound connections.

    Setting up local accounts on the router and what level to authenticate them at ---- Only use login local when you have a user account set up first.
    http://www.petri.co.il/csc_how_to_configure_local_username_database_cisco_ios.htm

    conf t
    key chain ^_^
    key 1
    key-string cisco

    conf t
    banner motd ~
    [ASCII-art banner reading "Authorized Access ONLY"; the art itself is not reproduced]
    ~
    exit

    conf t
    no ip domain-lookup
    ip domain-name cisco.com
    crypto key generate rsa

    ip ssh time-out 15
    ip ssh authentication-retries 3
    username cisco priv 15 password cisco
    service password-encryption
    enable secret class
    line con 0
    login local
    password class
    login
    logging synchronous
    line vty 0 4
    transport input ssh
    password cisco
    login local

    int s0/0
    ip authentication key-chain eigrp 1 ^_^
    ip authentication mode eigrp 1 md5

    R1# conf t
    R1(config)# interface serial 0/0/0
    R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS

    Now, apply the key chain to the interface with the ip authentication mode eigrp as_number md5 command:

    R1(config-if)# ip authentication mode eigrp 1 md5

    Apply these commands on all active EIGRP interfaces:

    R1# conf t
    R1(config)# interface serial 0/0/0
    R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
    R1(config-if)# ip authentication mode eigrp 1 md5
    R1(config-if)# interface serial 0/0/1
    R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
    R1(config-if)# ip authentication mode eigrp 1 md5
    R1(config-if)# interface fastethernet 0/0
    R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
    R1(config-if)# ip authentication mode eigrp 1 md5


    Run this tcl script from each router to ping every address!!!

    tclsh
    foreach address {192.168.1.1 192.168.1.129 192.168.1.130 192.168.1.161
                     192.168.1.162 192.168.1.133 192.168.1.134 10.1.1.3
                     10.1.1.4 10.4.4.4 192.168.1.5 192.168.100.1
                     192.168.1.101 192.168.1.105 192.168.1.109 192.168.1.113} {ping $address}

    show controllers - indicates the state of the interface channels and whether a cable is attached to the interface.

    debug serial interface - Verifies whether HDLC keepalive packets are incrementing. If they are not, a possible timing problem exists on the interface card or in the network.

    debug arp - Indicates whether the router is sending information about or learning about routers (with ARP packets) on the other side of the WAN cloud. Use this command when some nodes on a TCP/IP network are responding, but others are not.

    debug frame-relay lmi - Obtains Local Management Interface (LMI) information which is useful for determining whether a Frame Relay switch and a router are sending and receiving LMI packets.

    debug frame-relay events - Determines whether exchanges are occurring between a router and a Frame Relay switch.

    debug ppp negotiation - Shows Point-to-Point Protocol (PPP) packets transmitted during PPP startup where PPP options are negotiated.

    debug ppp packet - Shows PPP packets being sent and received. This command displays low-level packet dumps.

    debug ppp - Shows PPP errors, such as illegal or malformed frames, associated with PPP connection negotiation and operation.

    debug ppp authentication - Shows PPP Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) packet exchanges.


    router# show ip route            -> show routing table
    router# show ip route static     -> shows static routes
    router# show ip int brief
    router# show int
    router(config)# ip route 0.0.0.0 0.0.0.0 {address | interface}   -> default route

    router(config)# logging on
    router(config)# logging console

    SSH Configuration refer to CCSP Module 2

    Step 7 Setting Privilege Levels

    By default, the Cisco IOS software has two modes of password security: user mode (EXEC) and privilege mode (enable). There are 16 hierarchical levels of commands for each mode that can be defined. By configuring multiple passwords, different sets of users are allowed access to specified commands.

    The command to assign allowed commands to a privilege mode is privilege exec level level. In this task, assign an enable secret password for privilege level 10 for system operators, and make specific debug commands available to anyone with that privilege level enabled.

    a. Begin by entering the global configuration mode, RouterP(config)#, and complete the following steps:
    i. Assign privilege level passwords.
    ii. It is recommended to assign a password to each privilege level that is defined. To set a privilege level password use the enable secret level level password command.
    iii. Define an enable secret of pswd10 for level 10 by entering the following command:
    RouterP(config)#enable secret level 10 pswd10
    What are the available arguments for the enable secret level 10 command?

    Displaying current privilege level
    d. To verify the current privilege level, enter the show privilege command. What privilege level is shown?

    e. Login to privilege level 10
    i. To enter into a specific privilege level, use the enable level command. Exit out of the router and then reconnect. Enter the following commands to enter privilege level 10:
    RouterP>enable 10
    Password: pswd10
    RouterP#
    How can the current privilege level be displayed? What is the current privilege level?
    Using the debug ? command, what debug options are available at level 10?
    d. Exit out of privilege level 10 and return to level 15.

    Next, assign specific commands to be used in privilege level 10. To configure a new privilege level for users and associate commands to that privilege level, use the privilege command. The syntax for the privilege command is privilege mode {level level | reset} command-string. Enter the following commands to assign specific commands to the privilege level 10:
    RouterP(config)# privilege exec level 10 debug ppp auth
    RouterP(config)# privilege exec level 10 debug ppp error
    RouterP(config)# privilege exec level 10 debug ppp negotiation
    In the above commands, specific debug commands were allowed for anyone logging in with privilege level 10.

    f. Verify privilege level commands
    i. Exit the router and return to privilege level 10. After the current privilege level of 10 is confirmed, verify the previously configured privilege level 10 commands. Enter the following commands to verify the defined privileges:
    RouterP#debug ?
    RouterP#debug ppp ?
    What are the available parameters for the debug ? command?

    ---------------------------------------------------------
    OSPF

    ip ospf cost can be used to manually set link costs for calculation.

    show ip ospf database shows the link-state age and sequence numbers that are kept in the database.
    debug ip ospf packet is used in troubleshooting and to verify that OSPF packets are flowing properly between two routers.

    Using the router-id command is the preferred procedure to set the router ID and is always used in preference to the other two procedures. If it is not set, the router uses the highest loopback IP, then the highest physical interface IP. After the router-id command is configured, use the clear ip ospf process command. This command restarts the OSPF routing process so that it will reselect the new IP address as its router ID. Highest ID wins the battle.

    show ip ospf - verifies the OSPF router ID; also displays OSPF timer settings and other statistics, including the number of times the SPF algorithm has been run.

    show ip protocols - Displays IP routing protocol parameters about timers, filters, metrics, networks, and other information for the entire router.

    show ip route ospf - Displays the OSPF routes known to the router. This command is one of the most useful in determining connectivity between the local router and the rest of the internetwork. Optional parameters allow you to further specify the information to be displayed, including the OSPF process ID.

    show ip ospf interface - Verifies that interfaces are configured in the intended areas. In addition, this command displays the timer intervals (including the hello interval) and shows the neighbor adjacencies.

    show ip ospf - Displays the OSPF router ID, OSPF timers, the number of times the SPF algorithm has been executed, and LSA information.


    show ip ospf neighbor - Displays a list of neighbors, including their OSPF router ID, their OSPF priority, their neighbor adjacency state (for example, init, exstart, or full), and the dead timer.

    Use the show ip route ospf command to verify the OSPF routes in the IP routing table. In the figure, the O code represents OSPF routes, and IA is interarea. The 10.2.1.0 subnet is recognized on FastEthernet 0/0 via neighbor 10.64.0.2.

    The entry [110/782] represents the administrative distance assigned to OSPF (110), and the total cost of the route to subnet 10.2.1.0 (782).

    The show ip ospf interface [type number] [brief] command displays OSPF-related interface information.

    The command output in the figure is from router A from the previous configuration example and details the OSPF status of the FastEthernet 0/0 interface. This command verifies that OSPF is running on this particular interface and lists the OSPF area that it is in.

    This command also displays other OSPF information, such as the process ID, router ID, network type, DR and BDR, timers, and neighbor adjacency.

    show ip ospf neighbor command. OSPF does not send or receive updates without having full adjacencies established between neighbors.

    The show ip ospf neighbor [type number] [neighbor-id] [detail]

    show ip ospf database nssa-external - displays specific details of each LSA type 7 update in the database.

    To clear all routes from the IP routing table, use the following command:

    Router#clear ip route *

    To clear a specific route from the IP routing table, use the following command:

    Router#clear ip route A.B.C.D

    To debug OSPF operations, use the debug ip ospf command with an option listed in the figure. Useful options when troubleshooting include:

    Router#debug ip ospf events
    Router#debug ip packet

    To configure an area as a stub, use the following steps:

    *** must be a different area than the area 0 backbone network

    Step 1 Configure OSPF.

    Step 2 Define the area as a stub by issuing the area area-id stub command to all routers within the area. The figure lists the parameters of this command.

    To configure an area as totally stubby, use the following steps:

    Step 1 Configure OSPF.

    Step 2 Define the area as a stub area by issuing the area area-id stub command to all routers within the area.

    Step 3 At the ABR only, add the no-summary keyword to the area area-id stub command.

    Example on 3.7.6

    Example 3.7.8

    To configure an area as an NSSA, use the following steps:

    Step 1 Configure OSPF.


    Step 2 Define the area as an NSSA by issuing the area area-id nssa command to all routers within the area. All routers in the NSSA must have this command configured. Routers cannot form an adjacency unless both are configured as NSSA. The figure lists the parameters of this command.

    To cause router 2 (the NSSA ABR) to generate an O *N2 default route (O *N2 0.0.0.0/0) into the NSSA, use the default-information-originate option of the area area-id nssa command on router 2.

    In a multiaccess broadcast environment, each network segment has its own DR and BDR. A router connected to multiple multiaccess broadcast networks can be a DR on one segment and a regular router on another segment. Use the ip ospf priority interface command to designate which router interfaces on a multiaccess link are the DR and the BDR. The default priority is 1, and the range is from 0 to 255. The interface with the highest priority becomes the DR, and the interface with the second-highest priority becomes the BDR.

    Interfaces set to zero priority cannot be involved in the DR or BDR election process.

    Here is a configuration example:
    interface FastEthernet 0/0
    ip ospf priority 10

    -- add encapsulation frame-relay if that type is needed

    Also in NBMA networks you can use the neighbor command in conf t to statically assign a neighbor.
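    The two rules above (router-ID selection that only takes effect after clear ip ospf process, and the priority-based DR/BDR choice with priority 0 excluded) as an added Python model; this is not Cisco's code, and every router ID, priority and interface list in it is constructed. One thing it does not model: on a live segment the election is not preemptive, so a router that joins later with a higher priority does not displace the existing DR.

```python
import ipaddress

# Added example (not Cisco's code): the router-ID selection order and the
# priority-based DR/BDR choice from the notes above. Router IDs, priorities
# and interface lists are constructed; only up/up interfaces are assumed
# to be listed, since down interfaces never contribute a router ID.


class OspfProcess:
    """Holds the router ID an OSPF process chose when it started. A later
    'router-id' command is only applied by 'clear ip ospf process'."""

    def __init__(self, loopbacks=(), physicals=(), configured=None):
        self.loopbacks, self.physicals = list(loopbacks), list(physicals)
        self.configured = configured
        self.router_id = self.select_router_id()

    def select_router_id(self):
        """router-id wins; else the highest loopback address; else the highest
        physical interface address. None means the process cannot start."""
        if self.configured:
            return self.configured
        for pool in (self.loopbacks, self.physicals):
            if pool:
                return str(max(ipaddress.IPv4Address(a) for a in pool))
        return None

    def configure_router_id(self, router_id):
        self.configured = router_id          # stored, not yet in effect

    def clear_process(self):
        self.router_id = self.select_router_id()   # clear ip ospf process
        return self.router_id


def elect_dr_bdr(segment):
    """segment: list of (router id, interface priority) on one multiaccess
    network. Priority 0 never takes part; the highest priority becomes DR and
    the second highest BDR, ties going to the higher router ID."""
    ranked = sorted(((prio, ipaddress.IPv4Address(rid)) for rid, prio in segment
                     if prio > 0), reverse=True)
    dr = str(ranked[0][1]) if ranked else None
    bdr = str(ranked[1][1]) if len(ranked) > 1 else None
    return dr, bdr


def dr_roles(segments):
    """segments: {segment: [(router id, priority), ...]}. The same router can
    be DR on one segment and an ordinary router on another."""
    return {name: elect_dr_bdr(members) for name, members in segments.items()}


if __name__ == "__main__":
    proc = OspfProcess(loopbacks=["10.0.0.1", "172.16.0.1"], physicals=["192.168.1.1"])
    proc.configure_router_id("1.1.1.1")
    print(proc.router_id, "->", proc.clear_process())
    print(dr_roles({
        "Fa0/0 segment": [("1.1.1.1", 10), ("2.2.2.2", 1), ("3.3.3.3", 0)],
        "Fa0/1 segment": [("1.1.1.1", 1), ("2.2.2.2", 1), ("3.3.3.3", 255)],
    }))
```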

    To configure basic single-area and multiarea OSPF, complete the following steps:

    Step 1 Enable OSPF on the router using the router ospf process-id command, as shown in the figure.

    Note

    Unlike the process ID in EIGRP, the OSPF process ID is not an autonomous system number. The process-id can be any positive integer and only has significance to the local router.

    Step 2 Identify which interfaces on the router are part of the OSPF process, using the network area command, as shown in the figure. This command also identifies the OSPF area to which the network belongs. The figure describes the parameters of this command.

    Uses wildcard masks.

    OSPF can be enabled directly on the interface using the ip ospf area command, which simplifies the configuration of unnumbered interfaces. Since the command is configured explicitly on the interface, it takes precedence over the network area command.

    Router A uses a general network 10.0.0.0 0.255.255.255 statement. This technique assigns all interfaces defined in the 10.0.0.0 network to OSPF process 1.

    Router B uses a specific host address technique. The wildcard mask of 0.0.0.0 requires a match on all four octets of the address. This technique allows the operator to define which specific interfaces will run OSPF: network 10.1.1.1 0.0.0.0 area 0


    The figure shows an example of a multiarea OSPF configuration. Router A is in area 0, router C is in area 1, and router B is the ABR between the two areas.

    The configuration for router A is the same as in the previous example.

    Router B has a network statement for area 0. The configuration for area 1 in this example uses the ip ospf 50 area 1 command. Alternatively, a separate network router configuration command could have been used.

    Virtual links

    Use the area area-id virtual-link router-id router configuration command, along with any necessary optional parameters, to define an OSPF virtual link. To remove a virtual link, use the no form of this command.

    The area virtual-link command includes the router ID of the far-end router. To find the router ID in the far-end router, use the show ip ospf, show ip ospf interface, or show ip protocols commands on that remote router, as illustrated in the figure.


    Use the show ip ospf virtual-links command to verify that the configured virtual link works properly.

    show ip ospf neighbor, show ip ospf database, and debug ip ospf adj

    Interarea Route Summarization on an ABR
    To configure manual interarea route summarization on an ABR, use the following steps:


    Step 1 Configure OSPF.

    Step 2 Use the area range command to instruct the ABR to summarize routes for a specific area before injecting them into a different area via the backbone as type 3 summary LSAs. The figure describes the command parameters.

    Cisco IOS software creates a summary route to interface null0 when manual summarization is configured to prevent routing loops.

    area 0 range 172.16.96.0 255.255.224.0: Identifies area 0 as the area containing the range of networks to be summarized into area 1. ABR router R1 summarizes the range of subnets from 172.16.96.0 to 172.16.127.0 into one range: 172.16.96.0 255.255.224.0.

    area 1 range 172.16.32.0 255.255.224.0: Identifies area 1 as the area containing the range of networks to be summarized into area 0. ABR router R1 summarizes the range of subnets from 172.16.32.0 to 172.16.63.0 into one range: 172.16.32.0 255.255.224.0.

    For OSPF to generate a default route, you must use the default-information originate command.
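    The wildcard matching of the network statements and the area range summarization above (with the null0 discard route it installs), worked through in one added Python example that is not Cisco's code; the interface names, addresses and routing table are constructed, and taking the statement with the fewest wildcard bits when several match is an assumption about IOS.

```python
import ipaddress

# Added example (not Cisco's code): how a "network <address> <wildcard> area"
# statement selects interfaces, what an ABR "area <id> range" summary covers,
# and why the Null0 route IOS installs for it matters. Interface names,
# addresses and the routing table are constructed.


def wildcard_match(address, network, wildcard):
    """A wildcard bit of 0 must match, a bit of 1 is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) & care) == (
        int(ipaddress.IPv4Address(network)) & care)


def ospf_interfaces(interfaces, statements):
    """interfaces: {name: address}; statements: [(network, wildcard, area)].
    Returns {name: area}. If several statements match, the one with the
    fewest 'don't care' bits is assumed to win (the most specific match)."""
    assigned = {}
    for name, address in interfaces.items():
        hits = [(bin(int(ipaddress.IPv4Address(wc))).count("1"), area)
                for net, wc, area in statements if wildcard_match(address, net, wc)]
        if hits:
            assigned[name] = min(hits)[1]
    return assigned


def summary_range(network, mask):
    """(first /24, last /24, count) covered by an 'area X range network mask'."""
    subnets = list(ipaddress.IPv4Network(f"{network}/{mask}").subnets(new_prefix=24))
    return (str(subnets[0].network_address),
            str(subnets[-1].network_address), len(subnets))


def lookup(rib, destination):
    """Longest-prefix match; rib is [(prefix, next hop or interface)]."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for prefix, via in rib:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Constructed ABR routing table: the summary's Null0 entry sits beside the
# specific routes, so a destination inside the summary that has no specific
# route is discarded instead of following the default route back out (loop).
ABR_RIB = [
    ("0.0.0.0/0", "Serial0/0"),
    ("172.16.96.0/19", "Null0"),
    ("172.16.96.0/24", "FastEthernet0/0"),
    ("172.16.97.0/24", "FastEthernet0/1"),
]

if __name__ == "__main__":
    print(ospf_interfaces({"Fa0/0": "10.1.1.1", "Fa0/1": "10.2.2.1", "S0/0": "192.168.1.1"},
                          [("10.0.0.0", "0.255.255.255", "0"), ("10.2.2.1", "0.0.0.0", "1")]))
    print(summary_range("172.16.96.0", "255.255.224.0"))
    print(lookup(ABR_RIB, "172.16.110.1"), lookup(ABR_RIB, "172.16.96.5"))
```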


    Note

    If the service password-encryption command is not used when configuring OSPF authentication, the key is stored as plain text in the router configuration. If you configure the service password-encryption command, the key is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key.

    Step 2 Specify the authentication type using the ip ospf authentication command, as shown in the figure.

    For simple password authentication, use the ip ospf authentication command with no parameters. Before using this command, configure a password for the interface using the ip ospf authentication-key command.

    To configure OSPF MD5 authentication, a key and key ID must be configured on each router.

    To configure MD5 authentication, use the following steps:

    Step 1 Assign a key ID and key to be used with neighboring routers that are using the OSPF MD5 authentication, using the ip ospf message-digest-key command, as shown in the figure.

    Note
    In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a password longer than 16 characters, and only the first 16 characters are used. Some earlier Cisco IOS releases did not provide this warning.

    The key and the key ID specified in the ip ospf message-digest-key command are used to generate a message digest (also called a hash) of each OSPF packet. The message digest is appended to the packet. A separate password can be assigned to each network on a per-interface basis.

    Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. All neighboring routers on the same network must have the same password to be able to exchange OSPF information. Therefore, the same key ID on the neighbor router must have the same key value.

    The key ID allows for uninterrupted transitions between keys, which is helpful for administrators who wish to change the OSPF password without disrupting communication. If an interface is configured with a new key, the router sends multiple copies of the same packet, each authenticated by different keys. The router stops sending duplicate packets when it detects that all of its neighbors have adopted the new key.

    For example, if this is the current configuration:

    interface FastEthernet 0/0
    ip ospf message-digest-key 100 md5 OLD

    You change the configuration to the following:

    interface FastEthernet 0/0
    ip ospf message-digest-key 101 md5 NEW

    The system assumes that its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by different keys. In this example, the system sends out two copies of the same packet, the first one authenticated by key 100 and the second one authenticated by key 101.

    Rollover allows neighboring routers to continue communication while the network administrator is updating them with the new key. Rollover stops when the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key.

    After all neighbors have been updated with the new key, the old key should be removed. In this example, you would enter the following:


    interface FastEthernet 0/0
    no ip ospf message-digest-key 100

    Then only key 101 is used for authentication on Fast Ethernet interface 0/0.

    It is recommended that you do not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key.


    Step 2 Specify the authentication type using the ip ospf authentication command, as shown in the figure. For MD5 authentication, use the ip ospf authentication command with the message-digest parameter. Before using this command, configure the message digest key for the interface with the ip ospf message-digest-key command.

    The ip ospf authentication command was introduced in Cisco IOS Software Release 12.0. For backward compatibility, the MD5 authentication type for an area is still supported using the area area-id authentication message-digest router configuration command.
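    The key rollover described above, as an added Python model (not Cisco's code) of RFC 2328 Appendix D cryptographic authentication: each packet carries a key ID and an MD5 over the packet plus the NUL-padded 16-byte key, the receiver looks the key up by that ID, and the sender keeps emitting one copy per key until every neighbour has been seen using the newest one. The router IDs, the Hello body and the interface objects are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example (not Cisco's code): a model of RFC 2328 Appendix D cryptographic
# authentication, which "ip ospf message-digest-key <id> md5 <key>" configures,
# and of the key rollover described in the notes. Router IDs, the Hello body
# and the interface objects are constructed.
AUTH_TYPE_CRYPTO = 2
DIGEST_LEN = 16


def build_packet(packet_type, router_id, area_id, key_id, seq, body):
    """24-byte OSPFv2 header + body. With AuType 2 the checksum stays 0 and the
    auth field carries reserved(2) | key id(1) | digest length(1) | sequence(4)."""
    header = struct.pack("!BBH4s4sHH", 2, packet_type, 24 + len(body),
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed, 0, AUTH_TYPE_CRYPTO)
    return header + struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq) + body


def ospf_digest(packet, key):
    """MD5(packet || key), the key NUL-padded to 16 bytes. Only the first 16
    characters of the configured key are used, matching the note above."""
    padded = key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def sign(packet, key):
    """The digest trails the packet and is not counted in the length field."""
    return packet + ospf_digest(packet, key)


def verify(wire, keys):
    """Return the key id that authenticates the bytes, else None. The receiver
    picks its key by the key id in the header, which is why both neighbours
    need the same key string under the same key id."""
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    if len(packet) < 24 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    key_id = packet[18]
    key = keys.get(key_id)
    if key is None or not hmac.compare_digest(ospf_digest(packet, key), digest):
        return None
    return key_id


class OspfInterface:
    """One interface with its keys ({key id: key}) and what it has seen."""

    def __init__(self, router_id, keys):
        self.router_id, self.keys, self.seq = router_id, dict(keys), 0
        self.seen = {}   # neighbour router id -> highest key id it has used

    def send_hello(self, neighbours):
        """One copy per key until every neighbour has used the newest key,
        then only the newest (the rollover rule in the text)."""
        self.seq += 1
        newest = max(self.keys)
        done = all(self.seen.get(n) == newest for n in neighbours)
        ids = [newest] if done else sorted(self.keys)
        return [sign(build_packet(1, self.router_id, "0.0.0.0", k, self.seq, b"hello"),
                     self.keys[k]) for k in ids]

    def receive(self, wire, neighbour):
        key_id = verify(wire, self.keys)
        if key_id is not None:
            self.seen[neighbour] = max(self.seen.get(neighbour, 0), key_id)
        return key_id


def exchange(a, b):
    """a sends one Hello to b; returns (copies sent, copies b accepted)."""
    copies = a.send_hello([b.router_id])
    return len(copies), sum(b.receive(c, a.router_id) is not None for c in copies)


def rollover():
    """Replay the key change from the notes: key 100 OLD -> key 101 NEW."""
    r1 = OspfInterface("10.64.0.1", {100: "OLD"})
    r2 = OspfInterface("10.64.0.2", {100: "OLD"})
    exchange(r1, r2); exchange(r2, r1)                 # steady state on key 100
    r1.keys[101] = "NEW"                               # ip ospf message-digest-key 101 md5 NEW
    steps = {"new_key_on_r1": exchange(r1, r2)}        # 2 copies, only key 100 accepted
    exchange(r2, r1)                                   # r2 still answers with key 100
    steps["before_r2_updated"] = exchange(r1, r2)      # still 2 copies
    r2.keys[101] = "NEW"
    exchange(r2, r1)                                   # r1 now sees r2 using key 101
    steps["after_r2_updated"] = exchange(r1, r2)       # duplicates stop
    del r1.keys[100], r2.keys[100]                     # no ip ospf message-digest-key 100
    stale = sign(build_packet(1, "10.64.0.1", "0.0.0.0", 100, 99, b"hello"), "OLD")
    steps["old_key_rejected"] = r2.receive(stale, "10.64.0.1") is None
    return steps


if __name__ == "__main__":
    print(rollover())
```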


    show ip eigrp traffic command - displays the number of the various EIGRP packets sent and received.
    no auto-summary - use when you have discontiguous networks between your access layers.

    Create your own summarization.

    EIGRP can also balance traffic across multiple routes that have different metrics, which is called unequal-cost load balancing. The degree to which EIGRP performs load balancing is controlled with the variance command.

    ip bandwidth-percent eigrp as-number percent command to specify the maximum percentage of the bandwidth of an interface that EIGRP will use. -- use when a link is shared in a WAN topology to divide the bandwidth so each link gets an equal half.

    To configure MD5 authentication for EIGRP, complete the following steps:


    Step 1 Enter configuration mode for the interface on which you want to enable authentication.

    Step 2 Specify MD5 authentication for EIGRP packets using the ip authentication mode eigrp md5 command, as shown in the figure.

    Step 3 Enable the authentication of EIGRP packets with a key specified in a key chain by using the ip authentication key-ch chain eigrp command, as shown in the figure.

    Step 4 Enter the configuration mode for the key chain using the key chain command, as shown in the figure.

    Step 5 Identify a key ID to use, and enter configuration mode for that key using the key command, as shown in the figure.

    Step 6 Identify the key string (password) for this key using the key-string command, as shown in the figure.

    Step 7 Optionally, specify the time period during which this key is accepted for use on received packets using the accept-lifetime command, as shown in the figure. The figure displays the parameters for this command.

    Step 8 Optionally, specify the time period during which this key can be used for sending packets using the send-lifetime command, as shown in the figure. The figure displays the parameters for this command.

    Note
    If the service password-encryption command is not used when implementing EIGRP authentication, the key string is stored as plain text in the router configuration. If you configure the service password-encryption command, the key string is stored and displayed in an encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key string.
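    Steps 4 to 8 above produce a key chain like the constructed one below; this added Python (not Cisco's code) parses that text and works out which key is sent and which keys are accepted at a given moment, which is the check to make before a lifetime boundary. Assumptions: only the hh:mm:ss Mon D YYYY time form is parsed, and the lowest-numbered key with a valid send-lifetime is the one used for sending.

```python
from datetime import datetime, timedelta

# Added example (not Cisco's code): a parser for the key chain that steps 4-8
# produce, plus the choice of sending and accepted keys that send-lifetime and
# accept-lifetime drive. The chain text is constructed; only the
# "hh:mm:ss Mon D YYYY" time form is handled, and sending with the
# lowest-numbered valid key is an assumption about IOS behaviour.
KEY_CHAIN_CONFIG = """\
key chain EIGRP-KEYS
 key 1
  key-string oldsecret
  accept-lifetime 00:00:00 Jan 1 2019 23:59:59 Sep 30 2019
  send-lifetime 00:00:00 Jan 1 2019 23:59:59 Aug 31 2019
 key 2
  key-string newsecret
  accept-lifetime 00:00:00 Aug 1 2019 infinite
  send-lifetime 00:00:00 Aug 1 2019 infinite
"""
TIME_FMT = "%H:%M:%S %b %d %Y"
ALWAYS = (datetime.min, datetime.max)   # no lifetime configured: always valid


def parse_lifetime(words):
    """'start {infinite | end | duration seconds}' -> (start, end)."""
    start = datetime.strptime(" ".join(words[:4]), TIME_FMT)
    rest = words[4:]
    if rest[0] == "infinite":
        return start, datetime.max
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, datetime.strptime(" ".join(rest[:4]), TIME_FMT)


def parse_key_chains(text):
    """{chain name: {key id: {'string', 'accept', 'send'}}} from IOS config text."""
    chains, chain, key = {}, None, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["key", "chain"]:
            chain = chains.setdefault(words[2], {})
        elif words[0] == "key":
            key = chain.setdefault(int(words[1]),
                                   {"string": None, "accept": ALWAYS, "send": ALWAYS})
        elif words[0] == "key-string":
            key["string"] = words[1]
        elif words[0] in ("accept-lifetime", "send-lifetime"):
            key[words[0].split("-")[0]] = parse_lifetime(words[1:])
    return chains


def in_window(window, now):
    return window[0] <= now <= window[1]


def send_key(chain, now):
    """Lowest-numbered key whose send-lifetime covers now; None means the
    router has nothing valid to send with (an outage, not a fail-open)."""
    for key_id in sorted(chain):
        if in_window(chain[key_id]["send"], now):
            return key_id
    return None


def accepted_keys(chain, now):
    """Key ids a received packet may carry at this moment."""
    return [k for k in sorted(chain) if in_window(chain[k]["accept"], now)]


def timeline(chain, dates):
    """For each ISO date (at midnight): (date, sending key, accepted keys).
    A neighbour running the same chain must accept our sending key, so the
    accept windows need to overlap the send windows across the changeover."""
    return [(d, send_key(chain, datetime.fromisoformat(d)),
             accepted_keys(chain, datetime.fromisoformat(d))) for d in dates]


if __name__ == "__main__":
    chain = parse_key_chains(KEY_CHAIN_CONFIG)["EIGRP-KEYS"]
    for row in timeline(chain, ["2018-12-31", "2019-08-15", "2019-09-15", "2019-10-15"]):
        print(row)
```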


    EIGRP default network

    ------------------------------------------------------------------------------
    Passwords

    conf t
    enable secret
    line con 0
    password
    login
    line vty 0 4
    password
    login


    exit

    conf t
    enable secret cisco
    line con 0
    password class
    login
    line vty 0 4
    password class
    login
    exit

    Example:
    Router#configure terminal
    Router(config)#hostname ISP
    ISP(config)#enable password cisco
    ISP(config)#enable secret class
    ISP(config)#line console 0
    ISP(config-line)#password cisco
    ISP(config-line)#login
    ISP(config-line)#exit
    ISP(config)#line vty 0 4
    ISP(config-line)#password cisco
    ISP(config-line)#login
    ISP(config-line)#exit
    ISP(config)#interface loopback 0
    ISP(config-if)#ip add 172.16.1.1 255.255.255.255
    ISP(config-if)#no shutdown
    ISP(config-if)#exit
    ISP(config)#interface serial 0
    ISP(config-if)#ip add 200.2.2.17 255.255.255.252
    ISP(config-if)#clock rate 64000
    no shut - on the interfaces

    PPP

    The following example enables PPP encapsulation on serial interface 0/0:

    Router#configure terminal
    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp

    Point-to-point software compression can be configured on serial interfaces that use PPP encapsulation. Compression is performed in software and might significantly affect system performance. Compression is not recommended if most of the traffic consists of compressed files.

    To configure compression over PPP, enter the following commands:

    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
    Router(config-if)#compress [predictor | stac]

    Enter the following to monitor the data dropped on the link, and avoid frame looping:

    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
    Router(config-if)#ppp quality percentage

    The following commands perform load balancing across multiple links:

    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
    Router(config-if)#ppp multilink

    Use the show interfaces serial command to verify proper configuration of HDLC or PPP encapsulation. When PPP is configured, its Link Control Protocol (LCP) and Network Control Protocol (NCP) states can be checked using the show interfaces serial command.


    ISDN BRI


    SPIDs are specified in interface configuration mode. To enter interface configuration mode, use the interface bri command in the global configuration mode:

    Router(config)#interface bri slot/port
    Router(config)#interface bri0/0
    Router(config-if)#isdn spid1 51055540000001 5554000
    Router(config-if)#isdn spid2 51055540010001 5554001

    ISDN PRI


    show dialer
    show isdn status

    To configure a static route for IP use the following command:

    Router(config)#ip route net-prefix mask {address | interface} [distance] [permanent]

    DDR calls are triggered by interesting traffic. This traffic can be defined as any of the following:

    IP traffic of a particular protocol type

    Packets with a particular source address or destination

    Other criteria as defined by the network administrator

    Use the dialer-list command to identify interesting traffic. The command syntax is as follows:

    Router(config)#dialer-list dialer-group-num protocol protocol-name {permit | deny | list access-list-number}

    The dialer-group-num is an integer between 1 and 10 that identifies the dialer list to the router.

    The command dialer-list 1 protocol ip permit will allow all IP traffic to trigger a call. Instead of permitting all IP traffic, a dialer list can point to an access list in order to specify exactly what types of traffic should bring up the link. The reference to access list 101 in dialer list 2 prevents FTP and Telnet traffic from activating the DDR link. Any other IP packet is considered interesting, and will therefore initiate the DDR link.

    The dialer-group command is given on the interface and uses the same number as the dialer-list.


    To configure PPP on the DDR interface use the following commands:

    Home(config)#username Central password cisco
    Home(config)#interface bri0/0
    Home(config-if)#encapsulation ppp
    Home(config-if)#ppp authentication chap
    Home(config-if)#ip address 10.1.0.1 255.255.255.0

    The dialer idle-timeout seconds command may be used to specify the number of idle seconds before a call is disconnected. The seconds represent the number of seconds until a call is disconnected after the last interesting packet is sent. The default is 120.


    Multiple dialer interfaces may be configured on a router. Each dialer interface is the completeconfiguration for a destination. The interface dialer command creates a dialer interface andenters interface configuration mode.

    To configure the dialer interface, perform the following tasks:

    1. Configure one or more dialer interfaces with all the basic DDR commands:

    IP address

    Encapsulation type and authentication

    Idle-timer

    Dialer-group for interesting traffic

    2. Configure a dialer string and dialer remote-name to specify the remote router name and phone number to dial it. The dialer pool associates this logical interface with a pool of physical interfaces.

    3. Configure the physical interfaces and assign them to a dialer pool using the dialer pool-member command. An interface can be assigned to multiple dialer pools by using multiple dialer pool-member commands. If more than one physical interface exists in the pool, use the priority option of the dialer pool-member command to set the priority of the interface within a dialer pool. If multiple calls need to be placed and only one interface is available, then the dialer pool with the highest priority is the one that dials out.

    A combination of any of these interfaces may be used with dialer pools:

    Synchronous Serial

    Asynchronous Serial

    BRI

    PRI

    **Clear int Bri To get the clear out of

    REFER TO LAB FOR EXACT SETUP
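The DDR pieces above (interesting traffic, PPP CHAP, idle timeout, dialer interface, dialer pool) pulled together into one configuration. This is an added example, not a configuration from these notes or from the lab they refer to; the hostnames Home and Central, the phone number, the pool number, the addresses and the ISDN switch type are assumed values. The access list reproduces the case described in the text: FTP and Telnet are not interesting, every other IP packet brings the link up.

```cisco
! Added example (not from the original notes): complete DDR dialer-profile
! configuration on router Home calling router Central. Hostnames, phone
! number, pool number, addresses and switch type are assumed.
hostname Home
username Central password cisco
isdn switch-type basic-ni
!
! Interesting traffic: all IP except FTP and Telnet (dialer list 2 -> ACL 101)
access-list 101 deny tcp any any eq ftp
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
dialer-list 2 protocol ip list 101
!
! Logical dialer interface: the complete configuration for one destination
interface Dialer1
 ip address 10.1.0.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 dialer pool 1
 dialer remote-name Central
 dialer string 5551234
 dialer idle-timeout 120
 dialer-group 2
!
! Physical interface placed in the pool; priority decides which member dials
! first when more than one interface is in the pool
interface BRI0/0
 no ip address
 encapsulation ppp
 ppp authentication chap
 dialer pool-member 1 priority 100
!
! Verification (privileged EXEC)
! Home#show dialer
! Home#show isdn status
```

The dialer-group number on Dialer1 (2) is the dialer-list number, and dialer pool 1 on Dialer1 matches dialer pool-member 1 on the BRI. Traffic that matches a deny line in ACL 101 is still forwarded once the link is up; it simply does not place the call and does not reset the idle timer.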

    FRAME RELAY

    encapsulation frame-relay [cisco | ietf] command.

    cisco - Uses the Cisco proprietary Frame Relay encapsulation. Use this option if connecting to another Cisco router. Many non-Cisco devices also support this encapsulation type. This is the default.

    ietf - Sets the encapsulation method to comply with the Internet Engineering Task Force (IETF) standard RFC 1490. Select this if connecting to a non-Cisco router.


    Set an IP address on the interface using the ip address command. Set the bandwidth of the serial interface using the bandwidth command. Bandwidth is specified in kilobits per second (kbps). This command is used to notify the routing protocol that bandwidth is statically configured on the link. The bandwidth value is used by Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF) to determine the metric of the link.

    The local DLCI must be statically mapped to the network layer address of the remote router when the remote router does not support Inverse ARP. This is also true when broadcast traffic and multicast traffic over the PVC must be controlled. These static Frame Relay map entries are referred to as static maps. Use the frame-relay map protocol protocol-address dlci [broadcast] command to statically map the remote network layer address to the local DLCI ---used on the HQ router

    Split-horizon updates reduce routing loops by not allowing a routing update received on one interface to be forwarded out the same interface. One way to solve the split-horizon problem is to use a fully meshed topology. However, this will increase the cost because more PVCs are required. The preferred solution is to use subinterfaces.

    Create a subinterface with:

    int s0.301 point-to-point

    To enable the forwarding of broadcast routing updates in a hub-and-spoke Frame Relay topology, configure the hub router with logically assigned interfaces. These interfaces are called subinterfaces. Subinterfaces are logical subdivisions of a physical interface.

    In split-horizon routing environments, routing updates received on one subinterface can be sent out another subinterface. In a subinterface configuration, each virtual circuit can be configured as a point-to-point connection. This allows each subinterface to act similarly to a leased line. Using a Frame Relay point-to-point subinterface, each pair of the point-to-point routers is on its own subnet.

    Frame Relay subinterfaces can be configured in either point-to-point or multipoint mode:

    Point-to-point - A single point-to-point subinterface is used to establish one PVC connection to another physical interface or subinterface on a remote router. In this case, each pair of the point-to-point routers is on its own subnet and each point-to-point subinterface would have a single DLCI. In a point-to-point environment, each subinterface is acting like a point-to-point interface. Therefore, routing update traffic is not subject to the split-horizon rule.

    Multipoint - A single multipoint subinterface is used to establish multiple PVC connections to multiple physical interfaces or subinterfaces on remote routers. All the participating interfaces would be in the same subnet. The subinterface acts like an NBMA Frame Relay interface so routing update traffic is subject to the split-horizon rule.


    The encapsulation frame-relay command is assigned to the physical interface. All other configuration items, such as the network layer address and DLCIs, are assigned to the subinterface.

    Multipoint configurations can be used to conserve addresses, which can be especially helpful if Variable Length Subnet Masking (VLSM) is not being used. However, multipoint configurations may not work properly given the broadcast traffic and split-horizon considerations. The point-to-point subinterface option was created to avoid these issues.

    In the figure, Router A has two point-to-point subinterfaces. The s0/0.110 subinterface connects to router B and the s0/0.120 subinterface connects to router C. Each subinterface is on a different subnet. To configure subinterfaces on a physical interface, the following steps are required:

    Configure Frame Relay encapsulation on the physical interface using the encapsulation frame-relay command

    For each of the defined PVCs, create a logical subinterface

    router(config-if)#interface serial number.subinterface-number [multipoint | point-to-point]

    To create a subinterface, use the interface serial command. Specify the port number, followed by a period (.), and then by the subinterface number. Usually, the subinterface number is chosen to be that of the DLCI. This makes troubleshooting easier. The final required parameter is stating whether the subinterface is a point-to-point or point-to-multipoint interface. Either the multipoint or point-to-point keyword is required. There is no default. The following commands create the subinterface for the PVC to router B:

    routerA(config-if)#interface serial 0/0.110 point-to-point

    If the subinterface is configured as point-to-point, then the local DLCI for the subinterface must also be configured in order to distinguish it from the physical interface. The DLCI is also required for multipoint subinterfaces for which Inverse ARP is enabled. It is not required for multipoint subinterfaces configured with static route maps. The frame-relay interface-dlci command is used to configure the local DLCI on the subinterface:

    router(config-subif)#frame-relay interface-dlci dlci-number
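The subinterface steps above, worked through for the Router A in the figure (s0/0.110 to router B, s0/0.120 to router C), with a multipoint subinterface using static maps added for contrast. This is an added example, not configuration from these notes; the IP addresses, LMI type, bandwidth, the third-site DLCIs 210/220 and the descriptions are assumed.

```cisco
! Added example (not from the original notes): Router A from the figure.
! Addresses, LMI type, bandwidth and the multipoint DLCIs are assumed.
hostname RouterA
!
! Encapsulation goes on the physical interface; nothing else does
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 bandwidth 64
!
! One point-to-point subinterface per PVC; number chosen to match the DLCI.
! Each is its own subnet, so split horizon does not block routing updates.
interface Serial0/0.110 point-to-point
 description PVC to RouterB
 ip address 10.1.1.1 255.255.255.252
 frame-relay interface-dlci 110
!
interface Serial0/0.120 point-to-point
 description PVC to RouterC
 ip address 10.1.2.1 255.255.255.252
 frame-relay interface-dlci 120
!
! Contrast: a multipoint subinterface to remote routers without Inverse ARP.
! Static maps replace interface-dlci; the broadcast keyword lets routing
! updates cross the PVC, but split horizon applies on this subinterface.
interface Serial0/0.200 multipoint
 ip address 10.1.3.1 255.255.255.0
 frame-relay map ip 10.1.3.2 210 broadcast
 frame-relay map ip 10.1.3.3 220 broadcast
!
! Verification (privileged EXEC)
! RouterA#show frame-relay pvc
! RouterA#show frame-relay map
! RouterA#show frame-relay lmi
! RouterA#debug frame-relay lmi
```

In show frame-relay pvc, each DLCI should report PVC STATUS = ACTIVE; an INACTIVE status with LMI still being exchanged usually means the far end of that PVC is down, a DELETED status means the provider switch no longer has the DLCI (the status codes are the same 0x0/0x2/0x4 values the debug frame-relay lmi output shows).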

    The show interfaces command displays information regarding the encapsulation and Layer 1 and Layer 2 status. It also displays information about the following:

    The LMI type

    The LMI DLCI

    The Frame Relay data terminal equipment/data circuit-terminating equipment (DTE/DCE) type

    Use the show frame-relay lmi command to display LMI traffic statistics.

    Use the show frame-relay pvc [interface interface] [dlci] command to display the status of each configured PVC as well as traffic statistics. This command is also useful for viewing the number of BECN and FECN packets received by the router. The PVC status can be active, inactive, or deleted.

    The show frame-relay pvc command without arguments displays the status of all the PVCs configured on the router.

    Use the show frame-relay map command to display the current map entries and information about the connections.


    Use the debug frame-relay lmi command to determine whether the router and the Frame Relay switch are sending and receiving LMI packets properly. The "out" is an LMI status message sent by the router. The "in" is a message received from the Frame Relay switch. A full LMI status message is a "type 0". An LMI exchange is a "type 1". The "dlci 100, status 0x2" means that the status of DLCI 100 is active. The possible values of the status field are as follows:

    0x0 - Added/inactive means that the switch has this DLCI programmed but for some reason it is not usable. The reason could possibly be the other end of the PVC is down.

    0x2 - Added/active means the Frame Relay switch has the DLCI and everything is operational.

    0x4 - Deleted means that the Frame Relay switch does not have this DLCI programmed for the router, but that it was programmed at some point in the past. This could also be caused by the DLCIs being reversed on the router, or by the PVC being deleted by the service provider in the Frame Relay cloud.

    --------------------------------------------------------------------------------------------------------------

    Switch Commands

    switch(config)#ip default-gateway --> sets the default gateway for the switch (to be set under conf t)


    **More detailed spanning tree info

    spanning-tree portfast --> to be used with conf t and maybe on the interface itself to make the interface instantly up and connected. (Use the spanning-tree portfast global configuration command to globally enable BPDU filtering on Port Fast-enabled ports, the BPDU guard feature on Port Fast-enabled ports, or the Port Fast feature on all nontrunking ports. The BPDU filtering feature prevents the switch port from sending or receiving BPDUs. The BPDU guard feature puts Port Fast-enabled ports that receive BPDUs in an error-disabled state.)

    show trunk

    show interface vlan 1 --> used in priv exec mode, shows mac, ip, and port info

    show spanning-tree or show spanning-tree brief --> used in priv exec mode, shows port status (forwarding/blocking), root bridge, priority and MAC address. Use only on non-trunking ports.

    show mac-address-table

    clear mac-address-table dynamic --> clears dynamically learned MAC addresses

    #password configs and hostname are set up the same way (except for line vty 0 15)

    ***Add trunking commands to the tutorial guide (DTP) stuff

    Switchport mode trunk 802.1q (or

    How to setup VLAN -- and what not to forget to setup

    switch(config)#int vlan 1
    switch(config-if)#ip add


    vlan database ---old way, try the new commands in the next picture
    vtp server
    vtp domain Cisco

    2.5.6

    Best Practice for VTP Configuration

    Following is a list of general best practices with regard to configuring VTP in the enterprise composite network model:

    Plan boundaries for the VTP domain. Not all switches in the network need information on all VLANs in the network. In the enterprise composite model, the VTP domain should be restricted to redundant distribution switches and the access switches that they serve.

    Have only one or two switches specifically configured as VTP servers and the remainder as clients.

    Configure a password so that no switch can join the VTP domain with a domain name only (which can be derived dynamically).

    Manually configure the VTP domain name on all switches that are installed in the network so that the mode can be specified and the default server mode on all switches can be overwritten.

    When you are setting up a new domain, configure VTP client switches first so that they participate passively. Then configure servers to update client devices.

    In an existing domain, if you are performing VTP cleanup, configure passwords on servers first. Clients may need to maintain current VLAN information until the server contains a complete VLAN database. After the VLAN database on the server is verified as complete, client passwords can be configured to be the same as the server's. Clients will then accept updates from the server.

    WHEN ADDING A DIFFERENT SWITCH TO A NETWORK (MOVING CABLES), TAKE IT OUT OF THE VTP DOMAIN, CHANGE, THEN RE-ADD SO THE REVISION NUMBER IS RESET TO ONE SO IT DOESN'T OVERRIDE THE OTHER ONE
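The VTP best practices above as commands: one server, password-protected clients, and the revision reset that the capitalised warning is about. This is an added example, not configuration from these notes; the hostnames DLS1/ALS1/ALS2, the domain name CAMPUS and the password are assumed.

```cisco
! Added example (not from the original notes): VTP domain with a single server
! and password-protected clients. Hostnames, domain name and password assumed.
!
! Distribution switch acting as the one VTP server
DLS1(config)#vtp domain CAMPUS
DLS1(config)#vtp mode server
DLS1(config)#vtp password S3cretVtp
DLS1(config)#vtp version 2
!
! Access switch: set the domain and password explicitly, client mode so it
! only receives; configure clients before servers in a new domain
ALS1(config)#vtp domain CAMPUS
ALS1(config)#vtp mode client
ALS1(config)#vtp password S3cretVtp
!
! Reconnecting a switch that was used elsewhere: reset its configuration
! revision before cabling it in, so a stale higher revision cannot overwrite
! the domain's VLAN database. Switching to transparent and back resets the
! revision to 0 (so does changing the domain name and changing it back).
ALS2(config)#vtp mode transparent
ALS2(config)#vtp mode client
ALS2(config)#vtp domain CAMPUS
ALS2(config)#vtp password S3cretVtp
!
! Verify the revision is low and the MD5 digest matches the server
! before the trunk comes up
ALS2#show vtp status
ALS2#show vtp password
```

Check Configuration Revision and the MD5 digest in show vtp status on the new switch against the server: a client with the right domain name and password but a higher revision number is exactly the case the warning describes, and the password does not protect against it.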

    Which VLAN each interface belongs to, and the mode of each interface:

    interface FastEthernet0/1
    switchport access vlan 101
    switchport mode access
    no ip address
    spanning-tree portfast
    !
    interface FastEthernet0/2
    switchport access vlan 101
    switchport mode access
    no ip address
    spanning-tree portfast
    !
    interface FastEthernet0/3
    switchport access vlan 102
    switchport mode access
    no ip address
    spanning-tree portfast

    int range fa0/2 - 5

    delete vlan.dat or delete flash:vlan.dat

    2.5.2

    Resolving Issues with 802.1Q Native VLANs

    Consider the following issues when you are configuring a native VLAN on an 802.1Q trunk link:

    The native VLAN interface configurations must match at both ends of the link or the trunk may not form.

    By default, the native VLAN is VLAN1. For the purpose of security, the native VLAN on a trunk should be set to a specific VID that is not used for normal operations elsewhere on the network.

    Switch(config-if)#switchport trunk native vlan vlan-id

    OR switchport trunk

    If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning) issues a native VLAN mismatch error.


    On select versions of Cisco IOS software, CDP may not be transmitted or automatically turns off if VLAN1 is disabled on the trunk.

    If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may occur because VLAN 1 STP BPDUs are sent to the IEEE STP MAC address (0180.c200.0000) untagged.

    When troubleshooting VLANs, note that a link can have one native VLAN association when in access mode, and another native VLAN association when in trunk mode.

    When implementing VLANs, you should consider a few measures to secure the VLAN and the switch itself. The security policy of the organization will likely have more detailed recommendations, but these can provide a foundation.

    Create a parking-lot VLAN with a VLAN ID (VID) other than VLAN1, and place all unused switch ports in this VLAN. This VLAN may provide the user with some minimal network connectivity. (Check on the security policy of your organization before implementing.)

    Disable unused switch ports, depending on the security policy of the organization.

    Trunk links should be configured statically whenever possible. However, Cisco Catalyst switch ports run Dynamic Trunking Protocol (DTP), which can automatically negotiate a trunk link. This Cisco proprietary protocol can determine an operational trunking mode and protocol on a switch port when it is connected to another device that is also capable of dynamic trunk negotiation. (show dtp interface)


    To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.

    Use the switchport trunk encapsulation isl or switchport trunk encapsulation dot1q interface command to select the encapsulation type on the trunk port.

    Regardless of whether a device supports DTP, general best practice is to configure trunks statically by configuring the interface to trunk and nonegotiate.

    2.3.7

    Configuring Trunking --- has pictures for more examples

    Switch ports are configured for trunking using Cisco IOS commands. To configure a switch port as an 802.1Q or an ISL trunking port, follow these steps on each trunk interface.

    Step 1 Enter interface configuration mode.

    Step 2 Shut down the interface to prevent the possibility of premature autoconfiguration.

    Step 3 Select the trunking encapsulation. Note that some switches support only ISL or 802.1Q. In particular, the Catalyst 2950 and 2960 support only 802.1Q.

    Step 4 Configure the interface as a Layer 2 trunk.

    Step 5 Configure the trunking native VLAN number for 802.1Q links. This number must match at both ends of an 802.1Q trunk.


    Step 6 Configure the allowable VLANs for this trunk. This is necessary if VLANs are restricted to certain trunk links. This is best practice with the Enterprise Composite Network Model and leads to the correct operation of VLAN interfaces.

    Step 7 Use the no shutdown command on the interface to activate the trunking process.

    Step 8 Verify the trunk configuration using show commands.

    Figure shows how to configure interface Fast Ethernet 5/8 as an 802.1Q trunk. Frames from VLANs 1, 5, 11, and 1002 to 1005 will be allowed to traverse the trunk link. The switchport mode for the interface is trunk (on), and no DTP messages will be sent on the interface.

    Note:

    For security reasons, the native VLAN has been configured to be an unused VLAN. This will be discussed in more detail later.

    Figure describes the commands used to configure a switch port as an 802.1Q trunk link.
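The eight trunking steps above, together with the native-VLAN, DTP and unused-port measures from the preceding section, applied to one port. This is an added example and not the configuration in the figure; the port numbers, the user VLANs 10/20/30, the unused native VLAN 999 and the parking-lot VLAN 998 are assumed.

```cisco
! Added example (not from the original notes): static 802.1Q trunk with no DTP,
! an unused native VLAN, a restricted VLAN list, and a parking-lot VLAN for
! unused ports. Port and VLAN numbers are assumed.
Switch(config)#vlan 999
Switch(config-vlan)#name NATIVE_UNUSED
Switch(config-vlan)#vlan 998
Switch(config-vlan)#name PARKING_LOT
Switch(config-vlan)#exit
!
! Steps 1-7 on the uplink port
Switch(config)#interface fastethernet 0/24
Switch(config-if)#shutdown
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#switchport trunk native vlan 999
Switch(config-if)#switchport trunk allowed vlan 10,20,30
Switch(config-if)#no shutdown
Switch(config-if)#exit
!
! Unused access ports: parking-lot VLAN, no DTP, administratively down
Switch(config)#interface range fastethernet 0/13 - 23
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 998
Switch(config-if-range)#switchport nonegotiate
Switch(config-if-range)#shutdown
Switch(config-if-range)#exit
!
! Step 8: verify the operational mode, encapsulation and native VLAN
Switch#show interfaces fastethernet 0/24 switchport
Switch#show interfaces trunk
Switch#show dtp interface fastethernet 0/24
```

On a Catalyst 2950 or 2960 the switchport trunk encapsulation line is rejected because those platforms support only 802.1Q (step 3); leave it out there. The allowed-VLAN list deliberately excludes the native VLAN 999, so untagged frames arriving on the trunk have nowhere to go; CDP reports a native VLAN mismatch if the far end was left at VLAN 1.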

    3.1

    Describing STP

    3.1.5

    Describing the Root Bridge

    STP uses a root bridge, root ports, and designated ports to establish a loop-free path through the network. The first step in creating a loop-free spanning tree is to select a root bridge to be the reference point that all switches use to establish forwarding paths. The STP topology is converged after a root bridge has been selected, and each bridge has selected its root port, designated bridge, and the participating ports. STP uses BPDUs as it transitions port states to achieve convergence.

    Spanning tree elects a root bridge in each broadcast domain on the LAN. Path calculation through the network is based on the root bridge. The bridge is selected using the bridge ID (BID), which consists of a 2-byte Priority field plus a 6-byte MAC address. In spanning tree, lower BID values are preferred. The Priority field value helps determine which bridge is going to be the root and can be manually altered. In a default configuration, the Priority field is set at 32768. When the default Priority field is the same for all bridges, selecting the root bridge is based on the lowest MAC address.

    The root bridge maintains the stability of the forwarding paths between all switches for a single STP instance. A spanning tree instance is when all switches exchanging BPDUs and participating in spanning tree negotiation are associated with a single root. If this is done for all VLANs, it is called a Common Spanning Tree (CST) instance. There is also a Per VLAN Spanning Tree (PVST) implementation that provides one instance, and therefore one root bridge, for each VLAN.

    The BID and root ID are each 8-byte fields carried in a BPDU. These values are used to complete the root bridge election process. A switch identifies the root bridge by evaluating the root ID field in the BPDUs that it receives. The unique BID is carried in the Root ID field of the BPDUs sent by each switch in the tree.

    When a switch first boots and begins sending BPDUs, it has no knowledge of a root ID, so it populates the Root ID field of outbound BPDUs with its own BID.

    The switch with the lowest numerical BID assumes the role of root bridge for that spanning tree instance. If a switch receives BPDUs with a lower BID than its own, it places the lowest value into the Root ID field of its outbound BPDUs.

    Spanning tree operation requires that each switch have a unique BID. In the original 802.1D standard, the BID was composed of the Priority Field and the MAC address of the switch, and all VLANs were represented by a CST. Because PVST requires that a separate instance of spanning tree run for each VLAN, the BID field is required to carry VLAN ID (VID) information, which is accomplished by reusing a portion of the Priority field as the extended system ID.


    To accommodate the extended system ID, the original 802.1D 16-bit Bridge Priority field is split into two fields, resulting in these components in the BID:

    Bridge Priority: A 4-bit field that carries the bridge priority. Because of the limited bit count, priority is conveyed in discrete values in increments of 4096 rather than discrete values in increments of 1, as they would be in a full 16-bit field. The default priority, in accordance with IEEE 802.1D, is 32,768, which is the mid-range value.

    Extended System ID: A 12-bit field that carries the VID for PVST.

    MAC address: A 6-byte field with the MAC address of a single switch.

    By virtue of the MAC address, a BID is always unique. When the priority and extended system ID are appended to the switch MAC address, each VLAN on the switch can be represented by a unique BID.

    If no priority has been configured, every switch has the same default priority and the election of the root for each VLAN is based on the MAC address. This is a fairly random means of selecting the ideal root bridge and, for this reason, it is advisable to assign a lower priority to the switch that should serve as root bridge.

    Only four bits are used to set the bridge priority. Because of the limited bit count, priority is configurable only in increments of 4096. A switch responds with the possible priority values if an incorrect value is entered:

    Switch(config)#spanning-tree vlan 1 priority 1234

    % Bridge Priority must be in increments of 4096.

    % Allowed values are:

    0 4096 8192 12288 16384 20480 24576 28672

    32768 36864 40960 45056 49152 53248 57344 61440

    If no priority has been configured, every switch will have the same default priority of 32768.

    Assuming all other switches are at default priority, the spanning-tree vlan vlan-id root primary command sets a value of 24576. Also, assuming all other switches are at default priority, the spanning-tree vlan vlan-id root secondary command sets a value of 28672.

    The switch with the lowest BID becomes the root bridge for a VLAN. Specific configuration commands are used to determine which switch will become the root bridge.

    A Cisco Catalyst switch running PVST maintains an instance of spanning tree for each active VLAN that is configured on the switch. A unique BID is associated with each instance. For each VLAN, the switch with the lowest BID becomes the root bridge for that VLAN. Whenever the bridge priority changes, the BID also changes. This results in the recomputation of the root bridge for the VLAN.

    To configure a switch to become the root bridge for a specified VLAN, use the spanning-tree vlan vlan-ID root primary command.

    CAUTION:

    Spanning tree commands take effect immediately, so network traffic is disrupted while the reconfiguration occurs.

    A secondary root is a switch that may become the root bridge for a VLAN if the primary root bridge fails. To configure a switch as the secondary root bridge for the VLAN, use the command spanning-tree vlan vlan-ID root secondary. Assuming that the other bridges in the VLAN retain their default STP priority, this switch will become the root bridge in the event that the primary root bridge fails. This command can be executed on more than one switch to configure multiple backup root bridges.

    BPDUs are exchanged between switches, and the analysis of the BID and root ID information from those BPDUs determines which bridge is selected as the root bridge.

    In the example shown, both switches have the same priority for the same VLAN. The switch with the lowest MAC address is elected as the root bridge. In the example, switch X is the root bridge for VLAN 1, with a BID of 0x8001:0c0011111111.

    BETTER TO USE RAPID SPANNING TREE PROTOCOL
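Root placement done deliberately rather than left to the lowest MAC address, using the root primary / root secondary commands described above on a pair of distribution switches, with Rapid PVST+ as the note just above recommends. This is an added example, not from these notes; the hostnames DLS1/DLS2 and VLANs 10, 20, 30 and 40 are assumed.

```cisco
! Added example (not from the original notes): deterministic root bridge
! placement. Each distribution switch is primary root for half the VLANs and
! secondary root for the other half. Hostnames and VLAN numbers are assumed.
DLS1(config)#spanning-tree mode rapid-pvst
DLS1(config)#spanning-tree vlan 10,20 root primary
DLS1(config)#spanning-tree vlan 30,40 root secondary
!
DLS2(config)#spanning-tree mode rapid-pvst
DLS2(config)#spanning-tree vlan 30,40 root primary
DLS2(config)#spanning-tree vlan 10,20 root secondary
!
! The same result written as explicit priorities (root primary = 24576 and
! root secondary = 28672 while every other bridge stays at 32768); either
! form is valid, the explicit one does not depend on what others currently use
! DLS1(config)#spanning-tree vlan 10,20 priority 24576
! DLS1(config)#spanning-tree vlan 30,40 priority 28672
!
! Verify. The displayed bridge priority includes the extended system ID,
! so VLAN 10 on DLS1 shows 24586 = 24576 + 10 (sys-id-ext 10).
DLS1#show spanning-tree vlan 10
DLS1#show spanning-tree root
DLS1#show spanning-tree summary
```

show spanning-tree root lists, per VLAN, the root ID the switch currently believes in and the root port toward it; on DLS1 the root port column should be empty for VLANs 10 and 20 (it is the root) and point at the DLS2 uplink for VLANs 30 and 40. A VLAN whose root turns out to be an access switch with a lower MAC address is the symptom these commands are meant to prevent.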

    The SVI for the VLAN provides Layer 3 processing for packets from all switch ports associated with that VLAN. Only one SVI can be associated with a VLAN. You configure an SVI for a VLAN for the following reasons:

    To provide a default gateway for a VLAN so that traffic can be routed between VLANs

    To provide fallback bridging if it is required for non-routable protocols

    To provide Layer 3 IP connectivity to the switch

    To support routing protocol and bridging configurations

    By default, an SVI is created for the default VLAN (VLAN1) to permit remote switch administration. Additional SVIs must be explicitly created.

    SVIs are created the first time a VLAN interface configuration mode is entered for a particular VLAN SVI. The VLAN corresponds to the VLAN tag associated with data frames on an Ethernet trunk or to the VLAN ID (VID) configured for an access port. An IP address is assigned in interface configuration mode to each VLAN SVI that is to route traffic off of and on to the local VLAN.


    Inter-VLAN Routing


    Routed Switch ports

    A routed port has the following characteristics and functions:

    Physical switch port with Layer 3 capability

    Not associated with any VLAN

    Serves as the default gateway for devices out that switch port

    Layer 2 port functionality must be removed before it can be configured
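The SVI and routed-port descriptions above, as one inter-VLAN routing configuration on a Layer 3 switch. This is an added example, not from these notes; the hostname DLS1, VLANs 10 and 20, the addresses and the uplink port are assumed.

```cisco
! Added example (not from the original notes): inter-VLAN routing with one SVI
! per user VLAN and one routed port toward an upstream firewall. Hostname,
! VLAN numbers, addresses and port are assumed.
DLS1(config)#ip routing
!
! SVIs: the SVI is created the first time interface vlan N is entered; the
! address becomes the default gateway for hosts in that VLAN
DLS1(config)#interface vlan 10
DLS1(config-if)#description Gateway-VLAN10
DLS1(config-if)#ip address 10.10.10.1 255.255.255.0
DLS1(config-if)#no shutdown
DLS1(config-if)#interface vlan 20
DLS1(config-if)#description Gateway-VLAN20
DLS1(config-if)#ip address 10.10.20.1 255.255.255.0
DLS1(config-if)#no shutdown
DLS1(config-if)#exit
!
! Routed port: Layer 2 functionality is removed with no switchport before an
! address can be applied; the port belongs to no VLAN
DLS1(config)#interface gigabitethernet 0/1
DLS1(config-if)#description Uplink-to-firewall
DLS1(config-if)#no switchport
DLS1(config-if)#ip address 192.168.1.2 255.255.255.252
DLS1(config-if)#no shutdown
DLS1(config-if)#exit
DLS1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Verify: both SVIs and the routed port should be up/up with their addresses
DLS1#show ip interface brief
DLS1#show ip route
```

An SVI only comes up when the VLAN exists and at least one port in that VLAN is up (or a trunk carries it), so a down SVI after this configuration usually points at a missing vlan definition or no active member port rather than at the SVI itself.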


    conf t
    int range fa0/1 - 6
    switchport port-security --> enables port security; sets the specific MAC address on that interface
    switchport port-security maximum (1-132) --> how many MAC addresses the port is to remember
    switchport port-security violation {shutdown | restrict | protect}

    port security max-mac-count {1-132} --> enables port security and sets the max MAC count (older syntax)
    port security action shutdown --> if more than the specified number of MAC addresses is hit, the port is shut down (older syntax)

    arp timeout seconds --> set to a smaller time to mitigate MAC address spoofing

    To verify, do a show port-security or show port-security interface
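The port-security commands above applied to a range of access ports, with sticky learning and an automatic recovery for ports that shutdown mode puts into err-disabled. This is an added example, not from these notes; the port range, VLAN 10 and the limits are assumed.

```cisco
! Added example (not from the original notes): port security on access ports.
! Port range, VLAN and limits are assumed. Port security requires a static
! access (or trunk) mode; it is refused on a dynamic-mode port.
Switch(config)#interface range fastethernet 0/1 - 6
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 2
! Learned addresses are written into the running config (sticky) so the
! binding survives a reload once the config is saved
Switch(config-if-range)#switchport port-security mac-address sticky
! restrict: drop frames from unknown MACs, count the violation and log it,
! keep the port up. shutdown (the default) err-disables the port instead.
Switch(config-if-range)#switchport port-security violation restrict
Switch(config-if-range)#exit
!
! If violation shutdown is used, bring err-disabled ports back automatically
! after 5 minutes instead of requiring a manual shutdown / no shutdown
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval 300
!
! Verify: SecurityViolation count and the learned (sticky) addresses
Switch#show port-security
Switch#show port-security interface fastethernet 0/1
Switch#show port-security address
Switch#show errdisable recovery
```

The SecurityViolation counter in show port-security is what to watch: a rising count on a port in restrict mode is a host (or a hub/second switch) presenting more source MACs than allowed, and the syslog message it generates is the detection signal for the MAC flooding and spoofing the notes mention.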

    To access this mode, the vlan database command is executed from privileged EXEC mode. From this mode, you can add, delete, and modify configurations for VLANs in the range 1 to 1005.

    Note:

    This mode has been deprecated and will be removed in some future release. The move to the global VLAN configuration mode is consistent with a more traditional Cisco router IOS-type approach.

    ----

    Configuring Multiple Spanning Tree Protocol (MSTP) --- refer to 3.3.5-3.3.6, cpt176

    Switch#show spanning-tree mst

    However, the switch does not automatically revert to Rapid PVST+ or MSTP mode if it no longer receives IEEE 802.1D BPDUs, because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the following command in this situation:


    Switch#clear spanning-tree detected-protocols

    Switch#show spanning-tree mst interface fastethernet 4/4

    Switch#show spanning-tree mst 1 interface fastethernet 4/4

    This example displays detailed MSTP information for a specific instance.

    Switch#show spanning-tree mst 1 detail
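The configuration that the MST show commands above report on, for a small region with two instances. This is an added example and not from these notes or from sections 3.3.5-3.3.6; the region name CAMPUS, revision 1 and the VLAN-to-instance mapping are assumed and must be identical on every switch that is to be in the same region.

```cisco
! Added example (not from the original notes): a two-instance MST region.
! Region name, revision and VLAN mapping are assumed; all three must match on
! every switch in the region or each switch forms a region of its own.
Switch(config)#spanning-tree mode mst
Switch(config)#spanning-tree mst configuration
Switch(config-mst)#name CAMPUS
Switch(config-mst)#revision 1
Switch(config-mst)#instance 1 vlan 10,20
Switch(config-mst)#instance 2 vlan 30,40
! show pending displays the edited region config; exit commits it
Switch(config-mst)#show pending
Switch(config-mst)#exit
!
! Root placement per instance follows the same priority rules as PVST
Switch(config)#spanning-tree mst 1 root primary
Switch(config)#spanning-tree mst 2 root secondary
!
! After a legacy 802.1D neighbour is removed, force re-detection of the
! protocol on that port (the switch will not revert on its own)
Switch#clear spanning-tree detected-protocols interface fastethernet 4/4
!
! Verify: region digest, instance-to-VLAN mapping and per-instance roots
Switch#show spanning-tree mst configuration
Switch#show spanning-tree mst 1
Switch#show spanning-tree mst 1 detail
```

VLANs not listed in any instance line fall into instance 0 (the IST). A neighbour whose show spanning-tree mst configuration shows a different digest is not in the region, and the link between the two is treated as a region boundary rather than as an internal MST link.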

    ----- EtherChannel Configuration 3.4.3 --- more on part 2 of the same page, 3.4.4

    Load balancing is applied globally for all EtherChannel bundles in the switch. To configure EtherChannel load balancing, use the port-channel load-balance command. Load balancing can be based on the following variables:

    src-mac: Source MAC address

    dst-mac: Destination MAC address

    src-dst-mac: Source and destination MAC addresses

    src-ip: Source IP address

    dst-ip: Destination IP address

    src-dst-ip: Source and destination IP addresses (default)

    src-port: Source TCP/User Datagram Protocol (UDP) port

    dst-port: Destination TCP/UDP port

    src-dst-port: Source and destination TCP/UDP ports

    This example shows how to configure and verify EtherChannel load balancing.

    Switch(config)# port-channel load-balance src-dst-ip

    Switch(config)# exit

    Switch# show etherchannel load-balance

    Source XOR Destination IP address
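A bundle for the load-balancing command above to apply to: a two-link LACP EtherChannel carrying a trunk. This is an added example, not from these notes; the port numbers, channel-group number and allowed VLANs are assumed, and the member-port settings must match on both switches and on every member.

```cisco
! Added example (not from the original notes): two-link LACP bundle used as a
! trunk, with the global load-balance method from the text. Port numbers,
! channel-group number and VLAN list are assumed.
Switch(config)#port-channel load-balance src-dst-ip
!
! Members: identical speed/duplex/trunk settings or the bundle will not form
Switch(config)#interface range gigabitethernet 0/1 - 2
Switch(config-if-range)#switchport trunk encapsulation dot1q
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport nonegotiate
Switch(config-if-range)#channel-protocol lacp
! active on at least one side (active/active or active/passive) negotiates;
! mode on / on forms a bundle without any protocol check
Switch(config-if-range)#channel-group 1 mode active
Switch(config-if-range)#exit
!
! channel-group creates Port-channel1; apply the trunk VLAN list there so it
! is inherited by the members
Switch(config)#interface port-channel 1
Switch(config-if)#switchport trunk allowed vlan 10,20,30
Switch(config-if)#exit
!
! Verify: members flagged (P) bundled, Po1 flagged (SU) Layer 2 and in use
Switch#show etherchannel summary
Switch#show etherchannel load-balance
Switch#show lacp neighbor
```

With src-dst-ip the link for a given flow is chosen from the low-order bits of the XOR of the two IP addresses, so one host talking to one server always uses the same member link; a single large flow therefore never exceeds one member's bandwidth, which is the usual surprise when a bundle appears underutilised.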


    interface. Root guard restricts which interface is allowed to be the Spanning-Tree root port or the path to the root for the switch. Loop guard prevents alternate or root ports from becoming designated ports when a failure creates a unidirectional link. **Put loop guard on the trunks

    Globally enable: spanning-tree portfast bpduguard default **Don't put portfast on trunks or other routers
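The placement advice above as configuration: PortFast with BPDU guard on access ports, loop guard on the trunks, root guard on the ports that face the access layer. This is an added example, not from these notes; the interface numbers are assumed.

```cisco
! Added example (not from the original notes): STP protection features placed
! where the notes say they belong. Interface numbers are assumed.
!
! Access ports: PortFast, and BPDU guard enabled globally so that any
! PortFast port that receives a BPDU (a rogue switch) is err-disabled
Switch(config)#spanning-tree portfast bpduguard default
Switch(config)#interface range fastethernet 0/1 - 12
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#spanning-tree portfast
Switch(config-if-range)#exit
!
! Trunks toward other switches: loop guard, never PortFast
Switch(config)#interface range gigabitethernet 0/1 - 2
Switch(config-if-range)#spanning-tree guard loop
Switch(config-if-range)#exit
!
! Distribution port facing an access switch: root guard keeps that switch
! from ever becoming root on this VLAN even if it advertises a better BID
Switch(config)#interface gigabitethernet 0/3
Switch(config-if)#spanning-tree guard root
Switch(config-if)#exit
!
! Recover BPDU-guard err-disabled ports automatically after the default
! 300 seconds rather than by hand
Switch(config)#errdisable recovery cause bpduguard
!
! Verify what is enabled and on which ports
Switch#show spanning-tree summary
Switch#show spanning-tree interface gigabitethernet 0/3 detail
Switch#show spanning-tree inconsistentports
```

A port listed by show spanning-tree inconsistentports as Root Inconsistent or Loop Inconsistent is the detection event: root guard saw a superior BPDU, or loop guard stopped receiving BPDUs on a link that should carry them. Both clear on their own once the condition goes away.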

    prevent it from sending default BPDUs out that interface.

    -----------------------------------------------------------------------------------

    NAT

    Dynamic


    To define the pool of public addresses, use the ip nat pool command:

    Gateway(config)#ip nat pool public-access 199.99.9.40 199.99.9.62 netmask 255.255.255.224

    Step 8 Define an access list that will match the inside private IP addresses. To define the access list to match the inside private addresses, use the access-list command:

    Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255

    Step 9 Define the NAT translation from inside list to outside pool. To define the NAT translation, use the ip nat inside source command:

    Gateway(config)#ip nat inside source list 1 pool public-access

    router(config-if)#ip nat inside --> an interface can be defined inside or outside; translations occur between inside and outside; the router must have an inside and an outside on 2 interfaces

    int fa0/0
    ip add
    ip nat inside

    To convert from private to public for an IP (e.g. a server) that needs internet/WAN access: ip nat inside source static


    Display active translations:
    router#show ip nat translations [verbose]
    router#show ip nat stat

    debug ip nat
    debug ip nat detailed

    Overloading

    Overloading is configured in two ways depending on how public IP addresses have been allocated. An ISP can allocate a network only one public IP address, and this is typically assigned to the outside interface which connects to the ISP. Figure shows how to configure overloading in this situation.

    Another way of configuring overload is if the ISP has given one or more public IP addresses for use as a NAT pool. This pool can be overloaded as shown in the configuration in Figure.

    Figure shows an example configuration of PAT.
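The NAT fragments above (pool, ACL, inside/outside interfaces, static entry, overload) assembled into one configuration on router Gateway. This is an added example, not the figure's configuration; the interface numbers, the outside address 199.99.9.33, the server address, the second ACL and the subnet 10.10.20.0/24 are assumed, while the pool and ACL 1 values are the ones already in the notes.

```cisco
! Added example (not from the original notes): dynamic NAT, static NAT and
! PAT on router Gateway. Interfaces, outside address, server and ACL 2 are
! assumed; the pool and ACL 1 match the fragments in the notes.
!
! Inside and outside must both be marked or no translation takes place
Gateway(config)#interface fastethernet 0/0
Gateway(config-if)#ip address 10.10.10.1 255.255.255.0
Gateway(config-if)#ip nat inside
Gateway(config-if)#interface serial 0/0
Gateway(config-if)#ip address 199.99.9.33 255.255.255.224
Gateway(config-if)#ip nat outside
Gateway(config-if)#exit
!
! Dynamic NAT: hosts matching ACL 1 draw one public address each from the pool
Gateway(config)#ip nat pool public-access 199.99.9.40 199.99.9.62 netmask 255.255.255.224
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Gateway(config)#ip nat inside source list 1 pool public-access
!
! Static NAT: one internal server always appears as 199.99.9.35, which also
! makes it reachable from outside (so it needs its own inbound filtering)
Gateway(config)#ip nat inside source static 10.10.10.50 199.99.9.35
!
! PAT (overload): a second inside subnet shares the outside interface address,
! the form used when the ISP provides a single public address
Gateway(config)#access-list 2 permit 10.10.20.0 0.0.0.255
Gateway(config)#ip nat inside source list 2 interface serial 0/0 overload
!
! Verify and clear
Gateway#show ip nat translations
Gateway#show ip nat statistics
Gateway#clear ip nat translation *
```

The pool holds 23 addresses, so the 24th concurrent host from 10.10.10.0/24 is dropped until a translation times out; adding the overload keyword to the pool line (ip nat inside source list 1 pool public-access overload) is the fix the text describes under "overloading a pool". The static entry is a permanent, bidirectional translation and shows up in show ip nat translations even with no traffic.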


    -------------------------------------------------------------------------------------DHCP

    router(config)#ip dhcp pool --> specifies the DHCP pool
    router(dhcp-config)#network --> specifies the range

    *multiple DHCP pools can be created on a server

    ----------Configure DHCP excluding IP

    router(config)#ip dhcp excluded-address ip-address [end-ip-address]

    router(config)#ip dhcp excluded-add 172.16.1.1 172.16.1.10
    router(config)#ip dhcp excluded-add 172.16.1.254

    *the address is reserved for the router interface so it needs to be blocked out of the list

    Create the DHCP address pool. To configure the campus LAN pool, use the following commands:

    campus(config)#ip dhcp pool campus


    campus(dhcp-config)#network 172.16.12.0 255.255.255.0

    campus(dhcp-config)#default-router 172.16.12.1

    campus(dhcp-config)#dns-server 172.16.1.2

    campus(dhcp-config)#domain-name foo.com

    campus(dhcp-config)#netbios-name-server 172.16.1.10

    ----------------------------- Verifying DHCP

    Router#show ip dhcp binding

    router#show ip dhcp server events ---> shows leases and expiration

    -------------------------------To get a DHCP lease from a server that is on a different network (ex. server on 172.17.1.0, clients on 172.16.1.0) -- look at the last slide for ip helpers in module 1

    Use the ip helper-address command to relay broadcast requests for these key UDP services. -> when a DHCP broadcast has to cross a router, the ip helper lets it through instead of the router dropping it.
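    The remote-server case above, written out as an added IOS example that is not from the original notes (the pool name, the server address 172.17.1.5 and the interface names are constructed):

```cisco
! --- DHCP server router, attached to 172.17.1.0/24 ---
! Reserve the gateway and the static hosts before defining the pool,
! otherwise the server may lease them to clients.
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 172.16.1.254
!
! Pool for the remote LAN; the server picks it from the relay agent
! address (giaddr) that the relay router puts into the forwarded request.
ip dhcp pool LAN-172-16-1
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 dns-server 172.16.1.2
 domain-name foo.com
 lease 0 8
!
! --- Relay router, LAN interface on 172.16.1.0/24 ---
! Client DISCOVER broadcasts stop at this interface; ip helper-address
! re-sends them as unicast to the DHCP server (172.17.1.5, constructed).
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 172.17.1.5
!
! The helper forwards other UDP broadcasts too by default (TFTP, NetBIOS
! name/datagram service, ...); turn off the ones this relay should not carry
! so it does not become a forwarder for unrelated services.
no ip forward-protocol udp 69
no ip forward-protocol udp 137
no ip forward-protocol udp 138
!
! Verify on the server: current leases and their expiry
! show ip dhcp binding
```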

    6.2.7 Configuring SNMP

    In order to have the NMS communicate with networked devices, the devices must have SNMP enabled and the SNMP community strings configured. These devices are configured using the command line syntax described in the following paragraphs.

    More than one read-only string is supported. The default on most systems for this community string is public. It is not advisable to use the default value in an enterprise network. To set the read-only community string used by the agent, use the following command:

    Router(config)#snmp-server community string ro

    string   Community string that acts like a password and permits access to the SNMP protocol

    ro   (Optional) Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.

    More than one read-write string is supported. All SNMP objects are available for write access. The default on most systems for this community string is private. It is not advisable to use this value in an enterprise network. To set the read-write community string used by the agent, use the following command:

    Router(config)#snmp-server community string rw

    rw   (Optional) Specifies read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

    There are several strings that can be used to specify the location of the managed device and the main system contact for the device.

    Router(config)#snmp-server location text
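    The community-string setup above with the defaults removed and access limited to the management station, as an added IOS example that is not from the original notes (the strings, the NMS address 172.16.1.50 and the location/contact values are constructed):

```cisco
! Remove the factory-style strings if an earlier configuration left them behind
no snmp-server community public
no snmp-server community private
!
! Only the NMS may present a string at all; everything else is logged and refused,
! which limits the damage if a string ever leaks.
access-list 10 permit host 172.16.1.50
access-list 10 deny   any log
!
! Read-only string for polling: long, non-dictionary, not the hostname.
snmp-server community M0nitor-R0-x7Qp RO 10
!
! Read-write string only if something actually writes via SNMP; otherwise leave it out,
! since rw allows the NMS (or anyone holding the string) to change the configuration.
snmp-server community Cfg-RW-n4Ld2z RW 10
!
snmp-server location Building 2, rack 7
snmp-server contact noc@foo.com
!
! Verify what the agent is exposing
! show snmp
```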


    the command line or by using network administration tools. These tools provide a way to specify a range of hosts to ping with one command.

    Using the ping sweep, network data can be generated in two ways. First, many of the ping sweep tools construct a table of responding hosts. These tables often list the hosts by IP address and MAC address. This provides a map of active hosts at the time of the sweep.

    As each ping is attempted, an ARP request is made to get the IP address in the ARP cache. This activates each host with recent access and ensures that the ARP table is current. The arp command can return the table of MAC addresses, as discussed above, but now there is reasonable confidence that the ARP table is up-to-date.

    SDM Configuration

    Use the following process to access SDM for the first time. This procedure assumes that an out-of-box router with SDM installed is being used, or that a default SDM configuration was loaded into flash.

    Step 1: Connect a PC to the lowest numbered LAN Ethernet port of the router using a cross-over cable.

    Step 2: Assign a static IP address to the PC. It is recommended to use 10.10.10.2 with a 255.255.255.0 subnet mask.

    Step 3: Launch a supported web browser.

    Step 4: Use the URL https://10.10.10.1. A login prompt will appear.

    Step 5: Log in using the default user account:

    Username: sdm
    Password: sdm

    The SDM startup wizard opens, requiring a basic network configuration to be entered. To access SDM after the initial startup wizard is completed, use either http: or https:, followed by the router IP address.

    When you enter https: it specifies that the Secure Sockets Layer (SSL) protocol be used for a secure connection. If SSL is not available, use http: to access the router.

    Once the WAN interface is configured, SDM is accessible through a LAN or WAN interface.

    NOTE:

    The startup wizard information needs to be entered only once and will only appear when a default configuration is detected.

    Troubleshooting SDM Access
    Use the following tips to troubleshoot SDM access problems:

    First determine if there is a web browser problem by checking the following:


    Are Java and JavaScript enabled on the browser? Enable them.

    Are popup windows being blocked? Disable popup blockers on the PC, since SDM requires popup windows.

    Are there any unsupported Java plug-ins installed and running? Disable them using the Windows Control Panel.

    Is the router preventing access? Remember that certain configuration settings are required for SDM to work. Check the following:

    Is one of the default configurations being used, or is an existing router configuration being used? Sometimes new configurations disable SDM access.

    Is HTTP server enabled on the router? If it is not, enable it and check that other SDM prerequisite parameters are configured as well. Refer to the "Downloading and Installing Cisco SDM" document for the required settings. This document can be found at the weblink below.

    Did SDM access work before, but now it's not? Ensure that the PC is not being blocked by a new ACL. Remember that SDM requires HTTP, SSH, and Telnet access to the router, which could have been inadvertently disabled in a security lockdown.

    Is SDM installed? The quickest way to determine this is to access it using the appropriate HTTP or HTTPS method: https:///flash/sdm.shtml. Use the show flash command to view the flash file system and make sure that the required SDM files are present.
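    The router-side prerequisites the tips above check for, with access limited to the management PC, as an added IOS configuration that is not from the original notes (the admin account, its password and the use of 10.10.10.2 as the only management host are constructed):

```cisco
! Replace the default sdm/sdm account with a privilege-15 local user
username admin privilege 15 secret Sdm-Ex4mple-Pw
no username sdm
!
! SDM needs the HTTP server; prefer HTTPS and authenticate against the local database
ip http server
ip http secure-server
ip http authentication local
!
! Only the management PC may reach the web server at all; the same ACL is
! reused for the vty lines that SDM opens for CLI operations.
access-list 20 permit host 10.10.10.2
access-list 20 deny   any log
ip http access-class 20
!
line vty 0 4
 login local
 transport input ssh
 access-class 20 in
!
! Quick checks when SDM stops working after a lockdown:
! show ip http server status      (is the server enabled, which ACL applies)
! show access-lists 20            (is the PC still permitted)
! show flash:                     (are the SDM files present)
```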

    Refer to NS1 labs

    PIX

    The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. Conversely, an interface with a lower security level cannot access an interface with a higher security level without an access control list (ACL). Security levels range from 0 to 100.


    Higher security level interface to a lower security level interface: For traffic originating from the inside interface of the PIX with a security level of 100 to the outside interface of the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by ACLs, authentication, or authorization.

    Lower security level interface to a higher security level interface: For traffic originating from the outside interface of the PIX with a security level of 0 to the inside interface of the PIX with a security level of 100, all packets are dropped unless specifically allowed by an access-list command. The traffic can be restricted further if authentication and authorization is used.

    Same secure interface to a same secure interface: No traffic flows between two interfaces with the same security level.

    hostname assigns a hostname to the PIX.

    interface Configures the type and capability of each perimeter interface.

    nameif

    Assigns a name to each perimeter interface.

    ip address Assigns an IP address to each interface.

    security level Assigns the security level for the perimeter interface.

    speed Assigns the connection speed.

    duplex Assigns the duplex communications.

    In the interface configuration sub-commands, hardware speed and duplex, interface name, security level, IP address, and many other settings can be configured. For an


    In Figure , host 10.0.0.11 starts an outbound connection. The nat_id of the outbound packet is 1. In this instance, a global IP address pool of 192.168.0.20-254 is also identified with a nat_id of 1. The PIX assigns an IP address of 192.168.0.20. It is the lowest available IP address of the range specified in the global command. Packets from host 10.0.0.11 are seen on the outside as having a source address of 192.168.0.20.

    The syntax for the global command is shown in Figure . If the nat command is used, the companion command, global, must be configured to define the pool of translated IP addresses. Use the no global command to delete a global entry.

    NOTE:

    The PIX Security Appliance uses the global addresses to assign a virtual IP address to an internal NAT address. After adding, changing, or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.

    Use the route command to enter a static route for an interface.

    Static routes can be created to access specific networks beyond the locally connected networks. For example, in Figure , the PIX Security Appliance sends all packets destined to the 10.0.1.0 255.255.255.0 network out the inside interface to the router at IP address 10.0.0.102. This static route was created by using the command route inside 10.0.1.0 255.255.255.0 10.0.0.102 1. The router knows how to route the packet to the destination network of 10.0.1.0.


    The show run nat command displays a single host or range of hosts to be translated. In Figure , all hosts on the 10.0.0.0 network will be translated when traversing the PIX Security Appliance. The nat_id is 1.

    The show run global command displays the global pools of addresses configured in the PIX Security Appliance. In Figure there is currently one pool configured. The pool is configured on the outside interface. The pool has an IP address range of 192.168.0.20 to 192.168.0.254. The nat_id is 1.

    The show xlate command displays the contents of the translation slot. In Figure , the number of currently used translations is 1 with a maximum count of 1. The current translation is a local IP address of 10.0.0.11 to a global IP address of 192.168.0.20.

    NTP
    The ntp server command synchronizes the PIX Security Appliance with a specified network timeserver. The PIX can be configured to require authentication before synchronizing with the NTP server. To enable and support authentication, there are several forms of the ntp command that work with the ntp server command. Additional information about the ntp command forms and their uses is available in the Command Reference.

    The show run ntp command can be used to display the current NTP configuration. The show ntp status

    0 emergencies System unusable messages

    1 alerts Take immediate action

    2 critical Critical condition

    3 errors Error message

    4 warnings Warning message

    5 notifications Normal but significant condition

    6 informational Information message

    7 debugging Debug messages and log FTP commands and WWW URLs

    The show logging command
    Use the show logging command to see the logging configuration and any internally buffered messages. Use the clear logging

    Two Interfaces with NAT
    In Figure , the first nat command statement permits all hosts on the 10.0.0.0 network to start outbound connections using the IP addresses from a global pool. The second nat command statement permits all hosts on the 10.2.0.0 network to do the same. The nat_id in the first nat command statement tells the PIX Security Appliance to translate the 10.0.0.0 addresses to those in the global pool containing the same nat_id. Likewise, the nat_id in the second nat command statement tells the PIX to translate addresses for hosts on network 10.2.0.0 to the addresses in the global pool containing nat_id 2.

    Three Interfaces with NAT
    In Figure , the first nat command statement enables hosts on the inside interface, which has a security level of 100, to start connections to hosts on interfaces with lower security levels. In this case, that includes hosts on the outside interface and hosts on the demilitarized zone (DMZ). The second nat command statement enables hosts on the DMZ, which has a security level of 50, to start connections to hosts on interfaces with lower security levels. In this case, that includes only the outside interface.

    Because both global pools and the nat (inside) command statement use a nat_id of 1, addresses for hosts on the 10.0.0.0 network can be translated to those in either global pool. Therefore, when users on the inside interface access hosts on the DMZ, their source addresses will be translated to addresses in the 172.16.0.20-172.16.0.254 range from the global (dmz) command statement. When they access hosts on the outside, their source addresses will be translated to addresses in the 192.168.0.20-192.168.0.254 range from the global (outside) command statement.


    When users on the DMZ access hosts on the outside, their source addresses will always be translated to addresses in the 192.168.0.20-192.168.0.254 range from the global (outside) command statement.

    Use the static command for outbound connections that must be mapped to the same global IP address.

    the address 192.168.0.9 is not translated. When the command nat (DMZ) 0 192.168.0.9 255.255.255.255 is entered, the PIX Security Appliance displays the following message:

    NAT 0 enables the Internet server address to be visible on the outside interface. The administrator also needs to add a static in combination with an access-list to allow users on the outside to connect with the Internet server.

    The show conn command displays information about the active TCP connections.

    The show conn detail command
    When the show conn detail option is used, the system displays information about the translation type, interface information, IP address/port number, and connection flags. In Figure , the two connections display a flag value of UIO. According to the flag definition, the connections are up. The connections are passing inbound and outbound data.

    The show local-host command
    The show local-host command displays the network states of local hosts. A local-host entry is created for any host that forwards traffic to, or through, the PIX Security Appliance. This command shows the translation and connection slots for the local hosts. In Figure , the inside host 10.0.0.11 establishes a web connection with server 192.168.10.11. The output of the show local-host command is displayed in Figure .

    To configure OSPF on the PIX Security Appliance requires the administrator to do the following:

    Enable OSPF

    Define the PIX Security Appliance interfaces on which OSPF runs

    Define OSPF areas

    Enable OSPF
    To enable OSPF routing, use the router ospf command. The syntax for the router ospf command is shown in Figure .

    The PIX Security Appliance can be configured for one or two processes, or OSPF routing domains. If the PIX is functioning as an ABR and it is configured for one process, the PIX will pass type 3 LSAs between defined OSPF areas. In the example in Figure , the PIX is configured for one OSPF process, OSPF 1.

    Define Network Interfaces
    To define the interfaces on which OSPF runs and the area ID for those interfaces, use the network area subcommand.

    The syntax for the network area command is shown in Figure .


    Once a group of VLANs is assigned to a VLAN-group, the firewall module command associates that VLAN group with a specific FWSM.

    The syntax for the firewall module command is shown in Figure .

    In the example in Figure , VLANs 100, 200, and 300 have been placed into Firewall VLAN-group 1. The FWSM in slot 4 is associated with VLAN-group 1, VLANs 100, 200, and 300.

    Verify the MSFC Configuration
    The administrator can verify that the MSFC is properly configured for interaction with the FWSM. The show firewall vlan-group command verifies which VLANs are assigned to each firewall VLAN-group. The show firewall module command verifies that the VLAN-groups are assigned to the associated slot where the FWSM resides.

    Configure the FWSM Interfaces
    The FWSM is now installed. The MSFC VLANs are configured. The FWSM VLANs are associated with a specific FWSM. The next step is to configure the security policy on the FWSM. The FWSM can be accessed by using the session command. Use the default password cisco for the FWSM when prompted. A prompt for an enable mode password is then displayed. By default, there is no password, and the Enter key can be pressed to access the enable mode. It is recommended that you change the enable password to a valid value and use this for future access to this mode.

    Once on the FWSM, standard security appliance commands are used to configure interface names, add security levels, and specify IP addresses.

    The example in Figure shows the use of the nameif command: it associates VLAN 100 as the outside interface and sets the interface with a security level of 0. It also defines VLAN 200 as the inside interface. It specifies VLAN 300 as the dmz interface. In all cases, the ip address command is used to add an IP address to each interface.

    Configure a Default Route
    A default route may also need to be added. In the example in Figure , a default route is created, pointing to the VLAN 100 interface of the MSFC.

    It may also be necessary to create static routes. Multiple context mode does not support dynamic routing, so static routes must be used to reach any networks to which the FWSM is not directly connected, such as when a router is between the destination network and the FWSM.

    Static routes might be appropriate in single context mode if:

    The network uses a routing protocol other than RIP or OSPF.

    The network is small and static routes can be easily managed.

    The traffic or CPU overhead associated with routing protocols is to be avoided.

    Configure the FWSM access-lists
    The administrator needs to create ACLs to allow outbound as well as inbound traffic because the FWSM, unlike the security appliances, denies all inbound and outbound connections that are not explicitly permitted by ACLs. Explicit access rules need to be configured using the access-list command and attached to the appropriate interface using the access-group command to allow traffic to pass through that interface. Traffic that has been permitted into an interface can exit through any other interface. Return traffic matching the session information is permitted without an explicit ACL.


    3.8 Firewall Services Module Operation

    3.8.3 Using PDM with the FWSM

    PDM v. 4.0 can be used to configure and monitor FWSM v. 2.2. Figure shows the steps needed to prepare the FWSM to use PDM. Be sure to initialize the FWSM before attempting to install PDM.

    Use the copy tftp flash command to copy the PDM image into FWSM flash

    copy tftp://10.1.1.1/pdm-XXX.bin flash:pdm

    (where XXX = pdm image version number)

    Enable the http server on the FWSM. Without it, PDM will not start.

    http server enable

    Identify the specific hosts/networks that can access the FWSM using HTTP.

    http 1.1.1.0 255.255.255.0 inside

    Hosts from network 10.1.1.0 (on the inside interface) are permitted http access.

    Launch the browser and enter the following address:

    https://10.1.1.1 (FWSM inside interface)

    Resetting and Rebooting the FWSM
    If the module cannot be reached through the CLI or an external Telnet session, enter the hw-module module module_number reset command to reset and reboot the module. The reset process requires several minutes. The syntax for the command is shown in Figure .

    The example in Figure shows how to reset the module, installed in slot 4, from the CLI.

    When the FWSM initially boots, by default it runs a partial memory test. To perform a full memory test, use the hw-module module module_number mem-test-full command. The syntax of the command is shown in Figure .

    A full memory test takes more time to complete than a partial memory test, depending on the memory size. The table in Figure lists the memory and approximate boot time for a long memory test.

    PIX ACLs


    The show access-list command also lists a hit count that indicates the number of times an element has been matched during an access-list command search.

    The clear access-list command is used to clear an access list counter. If no ACL is specified, all of the access list counters are cleared. If the counters option is specified, it clears the hit count for the specified ACL.

    The no access-list command removes an access-list command from the configuration. If all of the access-list command statements in an ACL group are removed, the no access-list command also removes the corresponding access-group command from the configuration.

    The access-list mode command allows the administrator to specify whether the defined ACL should be active immediately or when specified. The access-list commit command activates the previously created ACL.

    Use the access-list id line line-num command to insert an access-list command statement, and the no access-list id line line-num command to delete an access-list command statement. Line numbers are maintained internally in increasing order, starting from 1. A user can insert a new entry between two consecutive ACEs by choosing the line number of the ACE with the higher line
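    The FWSM bring-up described under Configure the FWSM Interfaces and Configure the FWSM access-lists, together with the access-list mode and commit commands above, as one added example that is not from the original notes (the VLAN numbers and slot are the ones the notes use; the addresses, ACL names, enable password and the MSFC next hop 192.168.0.1 are constructed):

```cisco
! --- MSFC (Catalyst 6500 supervisor), IOS ---
firewall vlan-group 1 100,200,300
firewall module 4 vlan-group 1
! verify the mapping, then open a console session to the FWSM in slot 4
show firewall vlan-group
show firewall module
session slot 4 processor 1
!
! --- FWSM in slot 4 (FWSM 2.x syntax) ---
! first thing after the initial login: the enable password is empty by default
enable password Fw5m-Ex4mple-Pw
!
nameif vlan100 outside security0
nameif vlan200 inside security100
nameif vlan300 dmz security50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
!
! default route toward the MSFC's VLAN 100 interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
! Unlike the PIX, the FWSM permits nothing without an ACL, outbound included.
! Stage the inside policy with manual commit so a half-typed list never goes live.
access-list mode manual-commit
access-list INSIDE_OUT permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list INSIDE_OUT permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list INSIDE_OUT permit udp 10.0.0.0 255.255.255.0 host 172.16.0.53 eq domain
! explicit final deny so the hit count shows what is being dropped
access-list INSIDE_OUT deny ip any any
! insert a rule above the final deny by line number (line 4 = current deny)
access-list INSIDE_OUT line 4 permit tcp 10.0.0.0 255.255.255.0 host 172.16.0.25 eq smtp
access-group INSIDE_OUT in interface inside
access-list commit
!
! check ordering and hit counts; return traffic needs no ACL of its own
show access-list INSIDE_OUT
```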


    In Figure the users in the corporate office wish to communicate with the branch site over a VPN tunnel. To accomplish this, the administrator employs nat 0 access-list. The IP source network, 10.0.0.0/24, and IP destination network, 10.200.0.0/24, are defined in the ACL. The ACL is applied to the nat 0 command. Any VPN traffic originating at 10.0.0.0/24 and destined for 10.200.0.0/24 is not translated by the PIX.
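    The three-interface NAT example, the published DMZ server, and the nat 0 access-list VPN exemption just described, collected into one added PIX 6.x configuration that is not from the original notes (the nat/global addresses are the ones the notes use; interface addresses and ACL names are constructed, and the DMZ server is given the private address 172.16.0.9 and published as 192.168.0.9 by a static, a constructed variation of the nat 0 server case):

```cisco
! Interface names and security levels: inside (100) > dmz (50) > outside (0)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
!
! Three-interface NAT. Both global pools carry nat_id 1, so inside hosts are
! translated into the dmz pool toward the DMZ and into the outside pool toward
! the Internet; dmz hosts can only reach outside and always use the outside pool.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
!
! Published DMZ server: static gives it the fixed outside address 192.168.0.9;
! the ACL is still required because outside (0) -> dmz (50) is denied by default,
! and it is limited to the one service the server actually offers.
static (dmz,outside) 192.168.0.9 172.16.0.9 netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 192.168.0.9 eq www
access-group OUTSIDE_IN in interface outside
!
! VPN exemption: traffic from 10.0.0.0/24 to the branch 10.200.0.0/24 must enter
! the tunnel with its real addresses, so nat 0 with an ACL bypasses the pool.
! nat 0 access-list is evaluated before the nat 1 statement for the same interface.
access-list NONAT permit ip 10.0.0.0 255.255.255.0 10.200.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! After changing nat/global/static, drop stale translations and verify
clear xlate
show xlate
show conn detail
```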


    ActiveX Filtering
    Another application that can be filtered by the PIX Security Appliance in order to protect against malicious applets is ActiveX. ActiveX controls are applets that can be inserted in Web pages or other applications. They were formerly known as Object Linking and Embedding (OLE) or Object Linking and Embedding Control (OCX). ActiveX controls create a potential security problem because they provide a way for someone to attack servers. Due to this security threat, administrators have the option of using the PIX to block all ActiveX controls.

    The filter {activex | java} command filters out ActiveX or Java usage from outbound packets. In the example in Figure , the command specifies that ActiveX is being filtered on port 80 from any internal host and for connection to any external host. The Command Reference provides more information about the commands and syntax for blocking ActiveX or Java.


    Use the url-server command to designate the server on which the URL filtering application runs, and then enable the URL filtering service with the filter url command.

    PIX Security Appliance Software Versions 6.1 and earlier do not support the filtering of URLs longer than 1159 bytes. PIX version 6.2 supports the filtering of URLs up to 6 KB for the Websense filtering server. The maximum allowable length of a single URL can be increased by entering the url-block url-size command. This option is available with Websense URL filtering only.
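    The ActiveX/Java filter from the example above together with the url-server and filter url pair, as an added PIX 6.x configuration that is not from the original notes (the Websense server address 10.0.0.30 is constructed):

```cisco
! Strip ActiveX and Java applets from HTTP (port 80) replies for any inside
! host (local 0 0) talking to any outside host (foreign 0 0); "0" means any.
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
!
! Designate the Websense server that answers URL lookups, then turn filtering on.
url-server (inside) vendor websense host 10.0.0.30 timeout 5 protocol TCP version 1
!
! Filter all HTTP from any inside host to any outside host. Without the
! "allow" keyword the PIX fails closed: if the url-server is unreachable,
! HTTP is dropped rather than passed unchecked.
filter url http 0 0 0 0
!
! Verify the filter lines and the state of the filtering server
show filter
show url-server
```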

    HTTPS and FTP Filtering
    This feature extends Web-based URL filtering to HTTPS and FTP. The filter ftp and filter https commands were added to the filter command in PIX Security Appliance Softwa