
1 AAA

1.1 Config Local AAA Authentication

1.1.1 AAA Methods

enable            Uses the enable password for authentication.
line              Uses the line password for authentication.
local             Uses the local username database for authentication.
local-case        Uses case-sensitive local username authentication.
none              Uses no authentication.
cache group-name  Uses a cache server group for authentication.
group radius      Uses the list of all RADIUS servers for authentication.
group tacacs+     Uses the list of all TACACS+ servers for authentication.
group group-name  Uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the aaa group server radius or aaa group server tacacs+ command.

1.2 Disable AAA New-Model

R1(config)# no aaa new-model

1.3 CLI Config Steps

1. Enable AAA by using the global configuration command: aaa new-model
2. Configure security protocol parameters: server IP address and key.
3. Define the authentication method lists using: aaa authentication
4. Apply the method lists to a particular interface or line (if required).
5. Optionally configure authorization using the global command: aaa authorization
6. Optionally configure accounting using the global command: aaa accounting

1.4 AAA Config Commands

tacacs-server host ip-address single-connection
Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session (the default).

tacacs-server key key
Establishes the shared secret encryption key between the network access server and the Cisco Secure ACS server.

radius-server host ip-address
Specifies a RADIUS AAA server.

radius-server key key
Specifies an encryption key to be used with the RADIUS AAA server.

1.5 Config the AAA Server Parameters

R1(config)# aaa new-model
R1(config)#
R1(config)# tacacs-server host 192.168.1.101 single-connection
R1(config)# tacacs-server key TACACS+Pa55w0rd
R1(config)#
R1(config)# radius-server host 192.168.1.100
R1(config)# radius-server key RADIUS-Pa55w0rd
R1(config)#

1.5.1 Define Methods List

R1(config)# aaa authentication login default ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support
R1(config)# aaa authentication login default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
R1(config)# aaa authentication login default group

1.6 AAA Authentication Commands

default
This command creates a default list that is automatically applied to all interfaces, specifying the method or sequence of methods for authentication.

group group-name / group radius / group tacacs+
These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS and TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).

Config the AAA Server

R1(config)# aaa new-model
R1(config)#
R1(config)# tacacs-server host 192.168.1.101 single-connection
R1(config)# tacacs-server key TACACS+Pa55w0rd
R1(config)#
R1(config)# radius-server host 192.168.1.100
R1(config)# radius-server key RADIUS-Pa55w0rd
R1(config)#
R1(config)# aaa authentication login default group tacacs+ group radius local-case
R1(config)#
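The behaviour that matters operationally with a method list like "group tacacs+ group radius local-case" is that IOS only moves to the next method when the previous one returns an error (no server answered); a rejection ends the login. The simulation below is an added example, not IOS code or anything from these notes; the server groups, reachability flags and user database are constructed, and the usernames reuse the ones configured in section 1.8.1.

```python
"""Simulation of how a Cisco IOS AAA login method list such as
   aaa authentication login default group tacacs+ group radius local-case
is walked. Constructed teaching code, not IOS source."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A method yields one of three outcomes. Only ERROR (no server answered)
# moves IOS on to the next method; FAIL (credentials rejected) ends the
# list with a denied login, so later methods are never consulted.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class ServerGroup:
    """A 'group tacacs+' / 'group radius' server group (constructed)."""
    name: str
    reachable: bool
    users: Dict[str, str]          # username -> password held by the server

    def authenticate(self, user: str, pw: str) -> str:
        if not self.reachable:     # timeout on every server in the group
            return ERROR
        return PASS if self.users.get(user) == pw else FAIL


@dataclass
class LocalDatabase:
    """The router's 'username NAME secret PW' entries."""
    users: Dict[str, str]

    def authenticate(self, user: str, pw: str,
                     case_sensitive: bool) -> str:
        if case_sensitive:         # local-case: username must match exactly
            return PASS if self.users.get(user) == pw else FAIL
        for name, secret in self.users.items():   # local: name case-insensitive
            if name.lower() == user.lower():
                return PASS if secret == pw else FAIL
        return FAIL


def evaluate_method_list(methods: List[str], user: str, pw: str,
                         groups: Dict[str, ServerGroup],
                         local: LocalDatabase
                         ) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the list left to right; return the decision and a per-method trace."""
    trace = []
    for method in methods:
        if method.startswith("group "):
            grp = groups.get(method.split(" ", 1)[1])
            result = grp.authenticate(user, pw) if grp else ERROR
        elif method == "local":
            result = local.authenticate(user, pw, case_sensitive=False)
        elif method == "local-case":
            result = local.authenticate(user, pw, case_sensitive=True)
        elif method == "none":
            result = PASS
        else:
            raise ValueError(f"unsupported method {method!r}")
        trace.append((method, result))
        if result != ERROR:        # PASS or FAIL is final
            return result, trace
    return FAIL, trace             # every method errored: login denied


# Constructed environment: TACACS+ unreachable, RADIUS up, local users as in 1.8.1.
GROUPS = {
    "tacacs+": ServerGroup("tacacs+", reachable=False, users={"ADMIN": "Str0ng5rPa55w0rd"}),
    "radius": ServerGroup("radius", reachable=True, users={"ADMIN": "Str0ng5rPa55w0rd"}),
}
LOCAL = LocalDatabase({"JR-ADMIN": "Str0ngPa55w0rd", "ADMIN": "Str0ng5rPa55w0rd"})
DEFAULT_LIST = ["group tacacs+", "group radius", "local-case"]


def demo() -> Dict[str, str]:
    dead = {k: ServerGroup(k, reachable=False, users={}) for k in GROUPS}
    run = lambda lst, u, p, g: evaluate_method_list(lst, u, p, g, LOCAL)[0]
    return {
        # TACACS+ times out -> ERROR -> RADIUS answers PASS.
        "admin_ok": run(DEFAULT_LIST, "ADMIN", "Str0ng5rPa55w0rd", GROUPS),
        # RADIUS rejects the password: FAIL stops the list; local DB never tried.
        "bad_password": run(DEFAULT_LIST, "ADMIN", "wrong", GROUPS),
        # JR-ADMIN exists only locally; RADIUS rejects the unknown user -> FAIL.
        "local_only_user": run(DEFAULT_LIST, "JR-ADMIN", "Str0ngPa55w0rd", GROUPS),
        # Both groups down -> local-case finally consulted; exact name passes...
        "fallback_ok": run(DEFAULT_LIST, "JR-ADMIN", "Str0ngPa55w0rd", dead),
        # ...but local-case rejects a lower-cased name that plain 'local' accepts.
        "fallback_case": run(DEFAULT_LIST, "jr-admin", "Str0ngPa55w0rd", dead),
        "fallback_local": run(["group tacacs+", "local"], "jr-admin", "Str0ngPa55w0rd", dead),
    }
```

The "local_only_user" case is the one that surprises people: a user defined only with "username" on the router cannot log in while the AAA servers are reachable, because the server's reject is final. The local database is a fallback for server outages, not a second place to look.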

1.7 Trouble Shoot Server-Based Authentication

R1# debug aaa authentication
R1# debug tacacs ?
R1# debug radius ?

1.8 Server Based Authorization

aaa authorization type { default | list-name } method1 [method4]

R1(config)# aaa authorization ?
  auth-proxy       For Authentication Proxy Services
  cache            For AAA cache configuration
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  configuration    For downloading configurations from AAA server
  console          For enabling console authorization
  exec             For starting an exec (shell).
  ipmobile         For Mobile IP services.
  multicast        For downloading Multicast configurations from an AAA server
  network          For network services. (PPP, SLIP, ARAP)
  prepaid          For diameter prepaid services.
  reverse-access   For reverse access connections
  template         Enable template authorization
R1(config)# aaa authorization exec ?
  WORD     Named authorization list.
  default  The default authorization list.
R1(config)# aaa authorization exec default ?
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  krb5-instance     Use Kerberos instance privilege maps.
  local             Use local database.
  none              No authorization (always succeeds).
R1(config)# aaa authorization exec default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
1.8.1 Config Authorization

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN

R1(config-line)# ^Z

1.9 Server Based Accounting

aaa accounting type { default | list-name } record-type method1 [method2]

R1(config)# aaa accounting ?
  auth-proxy        For authentication proxy events.
  commands          For exec (shell) commands.
  connection        For outbound connections. (telnet, rlogin)
  delay-start       Delay PPP Network start record until peer IP address is known.
  exec              For starting an exec (shell).
  gigawords         64 bit interface counters to support Radius attributes 52 & 53.
  multicast         For multicast accounting.
  nested            When starting PPP from EXEC, generate NETWORK records before EXECSTOP record.
  network           For network services. (PPP, SLIP, ARAP)
  resource          For resource events.
  send              Send records to accounting server.
  session-duration  Set the preference for calculating session durations
  suppress          Do not generate accounting records for a specific type of user.
  system            For system events.
  update            Enable accounting update records.
R1(config)# aaa accounting exec ?
  WORD     Named Accounting list.
  default  The default accounting list.
R1(config)# aaa accounting exec default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.
R1(config)# aaa accounting exec default start-stop ?
  broadcast  Use Broadcast for Accounting
  group      Use Server-group
R1(config)# aaa accounting exec default start-stop group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
1.9.1 Config Accounting Sample Config

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z

2 Create an IOS IPS directory in Flash

2.1 Create a directory in flash to store the signature files and configurations.

Use the mkdir directory-name privileged EXEC command to create the directory. Use the rename current-name new-name command to change the name of the directory. To verify the contents of flash, enter the dir flash: privileged EXEC command.

R1# mkdir ips
Create directory filename [ips]?
Created dir flash:ips
R1#
R1# dir flash:
Directory of flash:/
    5  -rw-    51054864   Jan 10 2009 15:46:14 -08:00  c2800nm-advipservicesk9-mz.124-20.T1.bin
    6  drw-           0   Jan 15 2009 11:36:36 -08:00  ips
64016384 bytes total (12693504 bytes free)
R1#
2.1.1 Configure IOS IPS crypto Key

Configure the crypto key to verify the digital signature for the master signature file (sigdef-default.xml). The file is signed by Cisco to guarantee its authenticity and integrity. To configure the IOS IPS crypto key, open the text file, copy the contents of the file, and paste it in the global configuration prompt. The text file issues the various commands to generate the RSA key.

R1# conf t
R1(config)# ---- (Copy and paste from text file)

Remove keys: no crypto key pubkey-chain rsa, or no named-key realm-cisco.pub

2.2 Enable IOS IPS

Identify the IPS rule name and specify the location. Use the ip ips name [rule name] [optional ACL] command to create a rule name. An optional extended or standard ACL can be used to filter the traffic.

Traffic that is denied by the ACL is not inspected by the IPS. Use the ip ips config location flash:directory-name command to configure the IPS signature storage location. Prior to IOS 12.4(11)T, the ip ips sdf location command was used.

R1(config)# ip ips name IOSIPS
R1(config)# ip ips name ips list ?
  <1-199>  Numbered access list
  WORD     Named access list
R1(config)#
R1(config)# ip ips config location flash:ips
R1(config)#

Enable SDEE and logging event notification. The HTTP server must first be enabled using the ip http server command. SDEE notification must be explicitly enabled using the ip ips notify sdee command. IOS IPS also supports logging to send event notification. SDEE and logging can be used independently or simultaneously. Logging notification is enabled by default. Use the ip ips notify log command to enable logging.

R1(config)# ip http server
R1(config)# ip ips notify sdee
R1(config)# ip ips notify log
R1(config)#

2.3 Configure the Signature Category

All signatures are grouped into three common categories: all, basic, and advanced. Signatures that IOS IPS uses to scan traffic can be retired or unretired. Retired means that IOS IPS does not compile that signature into memory. Unretired instructs the IOS IPS to compile the signature into memory and use it to scan traffic. When IOS IPS is first configured, all signatures in the all category should be retired, and then selected signatures should be unretired in a less memory-intensive category. To retire and unretire signatures, first enter IPS category mode using the ip ips signature-category command. Next use the category category-name command to change a category.

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)#
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] y
R1(config)#

Apply the IPS rule to a desired interface, and specify the direction. Use the ip ips rule-name [in | out] interface configuration command to apply the IPS rule. The in argument means that only traffic going into the interface is inspected by IPS. The out argument specifies that only traffic going out of the interface is inspected.

R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip ips IOSIPS in
R1(config-if)# ip ips IOSIPS out
R1(config-if)# exit
R1(config)# exit

2.4 Load the IOS IPS signature

Upload the signature package to the router using either FTP or TFTP. To copy the downloaded signature package from the FTP server to the router, make sure to use the idconf parameter at the end of the command.

copy ftp://ftp_user:password@Server_IP_address/signature_package idconf

R1# copy ftp://cisco:cisco@10.1.1.1/IOS-S376-CLI.pkg idconf
Loading IOS-S310-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 7608873/4096 bytes]
*Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDS_STARTED: 16:44:47 PST Jan 15 2008
*Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jan 15 16:44:47 PST: %IPS-6-ENGINE_READY: multi-string - build time 4 ms - packets for this engine will be scanned
*Jan 15 16:44:47 PST: %IPS-6-ENGINE_BUILDING: service-http - 622 signatures - 2 of 13 engines
*Jan 15 16:44:53 PST: %IPS-6-ENGINE_READY: service-http - build time 6024 ms - packets for this engine will be scanned
<Output omitted>

Verify that the signature package is properly compiled using the show ip ips signature count command.

R1# show ip ips signature count
Cisco SDF release version S310.0 signature package release version
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
    multi-string enabled signatures: 8
    multi-string retired signatures: 8
<output omitted>
Signature Micro-Engine: service-msrpc: Total Signatures 25
    service-msrpc enabled signatures: 25
    service-msrpc retired signatures: 18
    service-msrpc compiled signatures: 1
    service-msrpc inactive signatures - invalid params: 6
Total Signatures: 2136
    Total Enabled Signatures: 807
    Total Retired Signatures: 1779
    Total Compiled Signatures: 351   (total compiled signatures for the IOS IPS Basic category)
    Total Signatures with invalid parameters: 6
    Total Obsoleted Signatures: 11
R1#
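Reading "show ip ips signature count" by eye works for one router; the point of the retire/unretire procedure is that only compiled signatures scan traffic, so the number to check per engine is "compiled", not "enabled". The parser below is an added example, not Cisco software and not part of these notes; SAMPLE is a constructed transcript shaped like the output above (same engine names and figures), and the "idle engine" check is this example's own idea of what to look for after the category changes.

```python
"""Parser for 'show ip ips signature count' output so the result of the
retire/unretire steps can be checked mechanically. Constructed teaching
code, not Cisco software. SAMPLE is a constructed transcript."""
import re
from typing import Dict, List

SAMPLE = """\
Cisco SDF release version S310.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
    multi-string enabled signatures: 8
    multi-string retired signatures: 8
Signature Micro-Engine: service-msrpc: Total Signatures 25
    service-msrpc enabled signatures: 25
    service-msrpc retired signatures: 18
    service-msrpc compiled signatures: 1
    service-msrpc inactive signatures - invalid params: 6
Total Signatures: 2136
    Total Enabled Signatures: 807
    Total Retired Signatures: 1779
    Total Compiled Signatures: 351
    Total Signatures with invalid parameters: 6
    Total Obsoleted Signatures: 11
"""

ENGINE_RE = re.compile(r"^Signature Micro-Engine: (\S+): Total Signatures (\d+)$")
STAT_RE = re.compile(r"^(\S+) (enabled|retired|compiled) signatures: (\d+)$")
INVALID_RE = re.compile(r"^(\S+) inactive signatures - invalid params: (\d+)$")
TOTAL_RE = re.compile(r"^Total (.+?): (\d+)$")
RELEASE_RE = re.compile(r"^(Cisco|Trend) SDF release version (\S+)")


def parse_signature_count(text: str) -> Dict[str, dict]:
    """Return {'engines': {name: counts}, 'totals': {...}, 'releases': {...}}."""
    engines: Dict[str, Dict[str, int]] = {}
    totals: Dict[str, int] = {}
    releases: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENGINE_RE.match(line):
            # Engines that never print a 'compiled' line compiled nothing.
            engines[m[1]] = {"total": int(m[2]), "enabled": 0, "retired": 0,
                             "compiled": 0, "invalid": 0}
        elif m := STAT_RE.match(line):
            engines[m[1]][m[2]] = int(m[3])
        elif m := INVALID_RE.match(line):
            engines[m[1]]["invalid"] = int(m[2])
        elif m := TOTAL_RE.match(line):
            totals[m[1]] = int(m[2])            # e.g. 'Compiled Signatures' -> 351
        elif m := RELEASE_RE.match(line):
            releases[m[1]] = m[2]               # e.g. 'Cisco' -> 'S310.0'
    return {"engines": engines, "totals": totals, "releases": releases}


def idle_engines(parsed: Dict[str, dict]) -> List[str]:
    """Engines with zero compiled signatures scan no traffic at all. Right after
    'category all / retired true' that is every engine; after unretiring
    'ios_ips basic' the engines that matter should drop off this list."""
    return sorted(n for n, e in parsed["engines"].items() if e["compiled"] == 0)


def compiled_fraction(parsed: Dict[str, dict]) -> float:
    """Share of all signatures actually loaded into memory (0.0 - 1.0)."""
    t = parsed["totals"]
    return t["Compiled Signatures"] / t["Signatures"]
```

In the sample, multi-string shows 8 enabled but 8 retired and no compiled line, so it is idle; "enabled" alone says nothing about whether packets are being scanned.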

2.5 Modify Signatures - Retire a signature

This example shows how to retire individual signatures. In this example, signature 6130 with subsig ID of 10 is retired.

R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 6130 10
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] y
R1(config)#
2.5.1 Unretire Signature

R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] y
R1(config)#
2.5.2 Change Actions for a signature

This example shows how to change signature actions to alert, drop, and reset for signature 6130 with subsig ID of 10.

R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 6130 10
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# event-action reset-tcp-connection
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] y
R1(config)#

2.5.3 Change Actions For a Category

This example shows how to change event actions for all signatures that belong to the signature IOS IPS Basic category.

R1# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# event-action produce-alert
R1(config-ips-category-action)# event-action deny-packet-inline
R1(config-ips-category-action)# event-action reset-tcp-connection
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] y
R1(config)#

2.6 Verify IOS IPS

R1# show ip ips all
IPS Signature File Configuration Status
  Configured Config Locations: flash:/ipsdir/
  Last signature default load time: 04:39:33 UTC Jan 15 2009
  Last signature delta load time: -none-
  Last event action (SEAP) load time: -none-
  General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
  Event notification through syslog is enabled
  Event notification through SDEE is enabled

IPS Signature Status
  Total Active Signatures: 693
  Total Inactive Signatures: 1443

IPS Packet Scanning and Interface Status
  IPS Rule Configuration
    IPS name myips
  IPS fail closed is disabled
  IPS deny-action ips-interface is false
  Fastpath ips is enabled
  Quick run mode is enabled
  Interface Configuration
    Interface FastEthernet0/1
      Inbound IPS rule is not set
      Outgoing IPS rule is myips
<output omitted>

R1# show ip ips configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
  HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
  CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Audit Rule Configuration
  Audit name AUDIT.1
    info actions alarm
<output omitted>

R1# show ip ips interfaces
Interface Configuration
  Interface FastEthernet0/0
    Inbound IPS rule is sdm_ips_rule
    Outgoing IPS rule is not set
  Interface FastEthernet0/1
    Inbound IPS rule is sdm_ips_rule
    Outgoing IPS rule is not set
R1#

R1# show ip ips signature | include 5000
SigID:SubID On Action Sev  Trait MH AI CT TI AT FA WF Version
----------- -- ------ ---- ----- -- -- -- -- -- -- -- ----------
50000:0     N  A      HIGH 0     0  0  0  0  FA N  OPACL
50000:1     N  A      HIGH 0     0  0  0  0  FA N  OPACL
50000:2     N  A      HIGH 0     0  0  0  0  FA N  OPACL
R1#

R1# show ip ips statistics
Signature audit statistics [process switch:fast switch]
  signature 2000 packets audited: [0:2]
  signature 2001 packets audited: [9:9]
  signature 2004 packets audited: [0:2]
  signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
R1#

2.7 Monitoring IOS IPS

R1# config t
R1(config)# logging 192.168.10.100
R1(config)# ip ips notify log
R1(config)# logging on
R1(config)#

R1# config t
R1(config)# ip http server
R1(config)# ip http secure-server
R1(config)# ip ips notify sdee
R1(config)# ip sdee events 500
R1(config)#

3 Standard ACLs - Restrict VTY

R1(config)# ip access-list standard RESTRICT-VTY
R1(config-std-nacl)# remark Permit only Admin host
R1(config-std-nacl)# permit host 192.168.1.10
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# access-class RESTRICT-VTY in
R1(config-line)# exit

3.1

3.1.1 Extended ACL-1

Create an extended named ACL called ACL-1, applied incoming on the Fa0/0 interface, that denies the workgroup server outside access but permits the remainder of the LAN users outside access using the established keyword.

R1(config)# ip access-list extended ACL-1
R1(config-ext-nacl)# remark LAN ACL
R1(config-ext-nacl)# deny ip host 192.168.1.6 any
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any established
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/0
R1(config-if)# ip access-group ACL-1 in
R1(config-if)# exit

3.2

3.2.1 Extended ACL-2

Create an extended named ACL called ACL-2, applied outgoing on the Fa0/1 DMZ interface, permitting access to the specified Web and Email servers.

R1(config)# ip access-list extended ACL-2
R1(config-ext-nacl)# remark DMZ ACL
R1(config-ext-nacl)# permit tcp any host 192.168.2.5 eq 25
R1(config-ext-nacl)# permit tcp any host 192.168.2.6 eq 80
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/1
R1(config-if)# ip access-group ACL-2 out
R1(config-if)# exit

3.2.2 Modify ACL using sequence Numbers

R1# show access-list 150
Extended IP access list 150
    10 permit tcp any any eq www
    20 permit tcp any any eq telnet
    30 permit tcp any any eq smtp
    40 permit tcp any any eq pop3
    50 permit tcp any any eq 21
    60 permit tcp any any eq 20
R1(config)# ip access-list extended 150
R1(config-ext-nacl)# no 20

R1(config)# ip access-list extended 150
R1(config-ext-nacl)# 20 permit tcp host 192.168.1.100 any eq telnet

3.3 TCP Established ACLs

R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in

3.4 Reflexive ACL

R1(config)# ip access-list extended INTERNAL_ACL
R1(config-ext-nacl)# permit tcp any any eq 80 reflect WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect DNS-ONLY-REFLEXIVE-ACL timeout 10
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)# evaluate WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# evaluate DNS-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface s0/0/0
R1(config-if)# ip access-group INTERNAL_ACL out
R1(config-if)# ip access-group EXTERNAL_ACL in

3.5 Dynamic ACLs

R3(config)# username Student password cisco
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic TESTLIST timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
R3(config)# interface s0/0/1
R3(config-if)# ip access-group 101 in
R3(config-if)# exit
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 15

3.6 Time-Based ACL

time-range EVERYOTHERDAY
 periodic Monday Wednesday Friday 8:00 to 17:00
interface s0/0/0
 ip access-group 101 out

R1(config)# time-range EMPLOYEE-TIME
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range EMPLOYEE-TIME
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit

3.7
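A time-range statement only says when the ACE is considered; the surrounding ACL still decides the rest. The small evaluator below is an added example, not IOS code and not part of these notes: it parses the two periodic statements from this section into weekday sets and clock bounds, then applies access-list 100 to a source address and a timestamp. Treating both bounds as inclusive is this example's assumption, and so is the idea that the router's clock is right (the usual caveat with time-based ACLs is an unsynchronised clock).

```python
"""Time-range evaluation behind 'access-list 100 permit ip ... time-range
EMPLOYEE-TIME'. Constructed teaching code, not IOS."""
import ipaddress
from datetime import datetime, time
from typing import List, Set, Tuple

# IOS day keywords -> Python weekday numbers (Monday = 0).
DAY_KEYWORDS = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def parse_periodic(statement: str) -> Tuple[Set[int], time, time]:
    """'periodic weekdays 12:00 to 13:00' -> (days, start, end)."""
    tok = statement.split()
    if tok[0].lower() != "periodic" or tok[-2] != "to":
        raise ValueError(f"not a periodic statement: {statement!r}")
    days: Set[int] = set()
    for word in tok[1:-3]:                    # one or more day keywords
        days |= DAY_KEYWORDS[word.lower()]
    start = time.fromisoformat(tok[-3].zfill(5))   # '8:00' -> '08:00'
    end = time.fromisoformat(tok[-1].zfill(5))
    return days, start, end


class TimeRange:
    def __init__(self, name: str, statements: List[str]):
        self.name = name
        self.periods = [parse_periodic(s) for s in statements]

    def active(self, when: datetime) -> bool:
        """True if any periodic statement covers this weekday and time of day.
        Both bounds inclusive (assumption; don't rely on the boundary minute)."""
        t = when.time()
        return any(when.weekday() in days and start <= t <= end
                   for days, start, end in self.periods)


EMPLOYEE_TIME = TimeRange("EMPLOYEE-TIME", ["periodic weekdays 12:00 to 13:00",
                                            "periodic weekdays 17:00 to 19:00"])
EVERYOTHERDAY = TimeRange("EVERYOTHERDAY", ["periodic Monday Wednesday Friday 8:00 to 17:00"])
LAN = ipaddress.ip_network("192.168.1.0/24")          # 192.168.1.0 0.0.0.255


def acl_100(src: str, when: datetime) -> str:
    """access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range EMPLOYEE-TIME
       access-list 100 deny ip any any"""
    if ipaddress.ip_address(src) in LAN and EMPLOYEE_TIME.active(when):
        return "permit"
    return "deny"                                     # explicit deny ip any any
```

Outside the window a LAN host is denied, not "not matched": the second line of list 100 is an explicit deny, so nothing else on that interface gets through either.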

ACL Troubleshooting Commands

show access-list [list-number]
debug ip packet

3.8 Do not allow Address spoofing

R1(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)# access-list 150 deny ip host 255.255.255.255 any
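The ACLs in sections 3.1.1, 3.2.2, 3.3 and 3.8 all rest on the same four mechanics: wildcard masks (inverse of a netmask), top-down first match, the implicit deny at the end, and for "established" a test on the TCP ACK/RST flags. The evaluator below is an added example that is not IOS code and not part of these notes; it parses ACEs in the page's own syntax, replays ACL-1 and the anti-spoofing list 150 against constructed packets, and performs the "no 20 / 20 permit ..." sequence-number edit from 3.2.2. One assumption is labelled in the code: the page shows only the deny lines of list 150, so a closing "permit ip any any" is appended to make the list usable.

```python
"""ACL evaluator: IOS wildcard masks, top-down first match, implicit deny,
the 'established' keyword and sequence-number edits. Constructed teaching
code, not IOS; port names and sample packets are constructed."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORTS = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "ftp": 21, "domain": 53}
_ip = lambda s: int(ipaddress.IPv4Address(s))
# ack_or_rst models the TCP flags that the 'established' keyword tests.
Packet = namedtuple("Packet", "src dst proto dport ack_or_rst", defaults=("ip", None, False))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: 0 bits must match, 1 bits are don't-care (inverse of a netmask)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack_or_rst))


def _addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2          # 'network wildcard'


def parse_ace(seq: int, text: str) -> Ace:
    """e.g. parse_ace(20, 'permit tcp 192.168.1.0 0.0.0.255 any established')"""
    tok = text.split()
    src, src_wc, i = _addr(tok, 2)
    dst, dst_wc, i = _addr(tok, i)
    ace = Ace(seq, tok[0], tok[1], src, src_wc, dst, dst_wc)
    while i < len(tok):
        if tok[i] == "eq":
            ace.dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            ace.established = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    return ace


class Acl:
    def __init__(self, name: str, lines: List[str]):
        self.name, self.aces = name, []
        for n, line in enumerate(lines, 1):
            self.add(n * 10, line)            # IOS numbers entries 10, 20, 30, ...
    def add(self, seq: int, text: str) -> None:   # '<seq> permit ...' inside the named ACL
        self.aces = sorted([a for a in self.aces if a.seq != seq] + [parse_ace(seq, text)],
                           key=lambda a: a.seq)
    def remove(self, seq: int) -> None:       # 'no <seq>'
        self.aces = [a for a in self.aces if a.seq != seq]
    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        for ace in self.aces:                 # top-down, first match wins
            if ace.matches(p):
                return ace.action, ace.seq
        return "deny", None                   # implicit deny at the end of every ACL


ACL_1 = Acl("ACL-1", ["deny ip host 192.168.1.6 any",
                      "permit tcp 192.168.1.0 0.0.0.255 any established", "deny ip any any"])
BOGONS = ["0.0.0.0 0.255.255.255", "10.0.0.0 0.255.255.255", "127.0.0.0 0.255.255.255",
          "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255", "224.0.0.0 15.255.255.255",
          "host 255.255.255.255"]
# List 150 from section 3.8 plus a closing permit (assumption: the page shows only the
# deny lines; without a permit the implicit deny would drop all remaining traffic).
ANTI_SPOOF = Acl("150", [f"deny ip {b} any" for b in BOGONS] + ["permit ip any any"])


def demo() -> dict:
    out = {
        "server_blocked": ACL_1.evaluate(Packet("192.168.1.6", "203.0.113.9", "tcp", 80, True)),
        "reply_allowed": ACL_1.evaluate(Packet("192.168.1.20", "203.0.113.9", "tcp", 443, True)),
        "new_session": ACL_1.evaluate(Packet("192.168.1.20", "203.0.113.9", "tcp", 443)),
        "spoofed_rfc1918": ANTI_SPOOF.evaluate(Packet("10.1.2.3", "192.168.1.5")),
        "legit_outside": ANTI_SPOOF.evaluate(Packet("203.0.113.5", "192.168.1.5")),
    }
    acl150 = Acl("150", ["permit tcp any any eq www", "permit tcp any any eq telnet",
                         "permit tcp any any eq smtp"])
    acl150.remove(20)                                              # no 20
    acl150.add(20, "permit tcp host 192.168.1.100 any eq telnet")  # 20 permit tcp host ...
    out["telnet_other"] = acl150.evaluate(Packet("192.168.1.7", "10.0.0.1", "tcp", 23))
    out["telnet_admin"] = acl150.evaluate(Packet("192.168.1.100", "10.0.0.1", "tcp", 23))
    return out
```

Two things the replay makes visible: the workgroup server is denied at sequence 10 even though its packets would match the "established" line, because the first match wins; and a TCP segment without ACK/RST never matches "established", so a fresh connection attempt falls through to the deny.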
3.8.1 Inbound on interface

R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any

3.9

Protect DNS, SMTP and FTP

Outbound on interface

3.9.1

R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq telnet
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq snmptrap

3.10

Filter ICMP Messages

R1(config)# access-list 150 permit icmp any any echo-reply
R1(config)# access-list 150 permit icmp any any source-quench
R1(config)# access-list 150 permit icmp any any unreachable
R1(config)# access-list 150 deny icmp any any
R1(config)# access-list 150 permit ip any any
3.10.1 Inbound

R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)# access-list 105 permit icmp 192.168.1.0 0.0.0.255 any source-quench
R1(config)# access-list 105 deny icmp any any
R1(config)# access-list 105 permit ip any any

3.11

Object Groups

3.11.1 For the same topology, using object group configuration, first create the service object for the services:

R1(config)# object-group service Web-svcs-tcp
R1(config-service-group)# tcp smtp
R1(config-service-group)# tcp www
R1(config-service-group)# tcp 443   (using the word https is IOS dependent)

3.11.2 Next, create the network object for the servers:

This example uses the range keyword; you can also use the host keyword or define a subnet.

R1(config)# object-group network Webservers
R1(config-network-group)# range 10.10.10.1 10.10.10.3

3.11.3 Finally, create the access list and apply it:

R1(config)# ip access-list extended INBOUND
R1(config-ext-nacl)# permit object-group Web-svcs-tcp object-group Webservers any
R1(config-ext-nacl)# deny tcp any any
R1(config-ext-nacl)# exit
R1(config)# interface fa0/0
R1(config-if)# ip access-group INBOUND in

When a new server or service is added, simply edit the object group; you don't have to touch the ACL!

R1(config)# ip access-list extended In
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq https

3.12
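The claim in 3.11 is that one object-group ACE stands for the nine classic ACEs of the "In" list, and that growing a group grows the expansion without editing the ACL. The expander below is an added example, not IOS code and not part of these notes: it parses service and network object-group entries in the page's syntax (host, range, and a subnet with a mask) and produces the equivalent classic ACEs in the form the "In" list uses (any → host server eq port). Note that in the page's object-group ACE the Webservers group sits in the source position, whereas the classic list matches the servers as destination; the expansion here follows the classic list.

```python
"""Expansion of object-group ACEs into the classic per-host/per-port ACEs
they replace. Constructed teaching code, not IOS."""
import ipaddress
from itertools import product
from typing import List, Tuple

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


def parse_service_group(entries: List[str]) -> List[Tuple[str, int]]:
    """'tcp smtp' or 'tcp 443' -> (protocol, destination port)."""
    services = []
    for entry in entries:
        proto, port = entry.split()
        services.append((proto, PORT_NAMES.get(port) or int(port)))
    return services


def parse_network_group(entries: List[str]) -> List[str]:
    """'host A', 'range A B' or 'NET MASK' (a subnet mask, not a wildcard)
    -> the individual host addresses the group covers."""
    hosts: List[str] = []
    for entry in entries:
        tok = entry.split()
        if tok[0] == "host":
            hosts.append(tok[1])
        elif tok[0] == "range":
            lo, hi = (int(ipaddress.IPv4Address(t)) for t in tok[1:3])
            hosts += [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        else:
            net = ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}", strict=False)
            hosts += [str(h) for h in net.hosts()]
    return hosts


def expand(action: str, services: List[Tuple[str, int]], servers: List[str]) -> List[str]:
    """One classic ACE per (server, service) pair, in the order the 'In' list uses."""
    return [f"{action} {proto} any host {ip} eq {port}"
            for ip, (proto, port) in product(servers, services)]


def demo() -> dict:
    web_svcs = parse_service_group(["tcp smtp", "tcp www", "tcp 443"])
    webservers = parse_network_group(["range 10.10.10.1 10.10.10.3"])
    before = expand("permit", web_svcs, webservers)
    # Adding a server means editing the network group only (constructed 4th host).
    grown = parse_network_group(["range 10.10.10.1 10.10.10.3", "host 10.10.10.4"])
    after = expand("permit", web_svcs, grown)
    return {"aces": before, "count_before": len(before), "count_after": len(after)}
```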

ZPF Configuration

1. Create the zones for the firewall: zone security
2. Define traffic classes: class-map type inspect
3. Specify firewall policies: policy-map type inspect
4. Apply firewall policies to pairs of source and destination zones: zone-pair
5. Assign router interfaces to zones: zone-member security

3.12.1 Final Configuration ZPF

policy-map type inspect InsideToOutside
 class FOREXAMPLE
  inspect
!
zone security Inside
 description Inside network
zone security Outside
 description Outside network
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
interface FastEthernet0/0
 zone-member security Inside
!
interface Serial0/0/0.100 point-to-point
 zone-member security Outside
!
class-map type inspect FOREXAMPLE
 match access-group 101
 match protocol tcp
 match protocol udp
 match protocol icmp
access-list 101 permit ip 10.0.0.0 0.0.0.255 any

4 Managing a secure network


4.1

5 Module 1: Scaling IP Addresses


5.1 NAT and PAT

5.1.1 Configuring static NAT

Router(config)#ip nat inside source static local-ip global-ip
Router(config)#interface type number            //inside interface
Router(config-if)#ip nat inside
Router(config-if)#interface type number         //outside interface
Router(config-if)#ip nat outside

Example:
Router(config)#ip nat inside source static 10.1.1.2 179.9.8.80
Router(config)#interface eth0                   //inside interface
Router(config-if)#ip nat inside
Router(config-if)#interface ser0                //outside interface
Router(config-if)#ip nat outside

5.1.2

Configuring dynamic NAT

Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Router(config)#access-list access-list-number permit source [source-wildcard]
Router(config)#ip nat inside source list access-list-number pool name
Router(config)#interface type number            //inside interface
Router(config-if)#ip nat inside
Router(config-if)#interface type number         //outside interface
Router(config-if)#ip nat outside

Example:
Router(config)#ip nat pool nat-pool1 179.9.8.80 179.9.8.95 netmask 255.255.255.0
Router(config)#access-list 1 permit 10.0.0.0 0.0.255.255
Router(config)#ip nat inside source list 1 pool nat-pool1
Router(config)#interface eth0                   //inside interface
Router(config-if)#ip nat inside
Router(config-if)#interface ser0                //outside interface
Router(config-if)#ip nat outside

5.1.3

Configuring NAT Overload (PAT)

Router(config)#access-list access-list-number permit source [source-wildcard]
Router(config)#ip nat inside source list access-list-number interface interface overload
Router(config)#ip nat pool name ip-address {netmask netmask | prefix-length prefix-length}
Router(config)#ip nat inside source list access-list-number pool name overload
Router(config)#interface type number            //inside interface
Router(config-if)#ip nat inside
Router(config-if)#interface type number         //outside interface
Router(config-if)#ip nat outside

Example:
Router(config)#access-list 1 permit 10.0.0.0 0.0.255.255
Router(config)#ip nat inside source list 1 interface serial0 overload
Router(config)#ip nat pool nat-pool2 179.9.8.20 netmask 255.255.255.240
Router(config)#ip nat inside source list 1 pool nat-pool2 overload
Router(config)#interface eth0                   //inside interface
Router(config-if)#ip nat inside
Router(config-if)#interface ser0                //outside interface
Router(config-if)#ip nat outside
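The difference between 5.1.2 and 5.1.3 is what the router does when inside hosts outnumber pool addresses: dynamic NAT hands out one global address per inside host and drops traffic once the pool is empty, while overload (PAT) keeps one global address and multiplexes on the source port; in both cases the access list decides which inside addresses are translated at all. The simulation below is an added example, not IOS code and not part of these notes. The two-address pool is deliberately tiny and constructed, the 10.0.0.0/16 eligibility set stands in for access-list 1, and the port-collision rule (reuse the inside port if free, otherwise take the next unused port from 1024) is this example's simplification of what the router does.

```python
"""Inside-source NAT table: dynamic NAT (one global address per inside host,
pool can run out) versus PAT/overload (one address, ports multiplexed).
Constructed teaching code, not IOS."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]       # (address, port)


class NatTable:
    def __init__(self, eligible: str, pool_start: str, pool_end: str, overload: bool = False):
        self.eligible = ipaddress.ip_network(eligible)   # plays the role of access-list 1
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (pool_start, pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.overload = overload
        self.free_addrs: List[str] = list(self.pool)
        self.entries: Dict[Flow, Flow] = {}              # inside local -> inside global
        self.ports_in_use: Dict[str, set] = {ip: set() for ip in self.pool}
        self.next_port = 1024

    def translate(self, inside_ip: str, inside_port: int) -> Optional[Flow]:
        """Return the inside-global (ip, port) for an outbound packet; the pair
        untouched if the list does not select it; None if the packet is dropped."""
        if ipaddress.ip_address(inside_ip) not in self.eligible:
            return (inside_ip, inside_port)              # not matched by the list
        if not self.overload:
            key = (inside_ip, 0)                         # one global per inside host
            if key not in self.entries:
                if not self.free_addrs:
                    return None                          # pool exhausted: dropped
                self.entries[key] = (self.free_addrs.pop(0), 0)
            return (self.entries[key][0], inside_port)   # port carried unchanged
        key = (inside_ip, inside_port)
        if key not in self.entries:
            gip = self.pool[0]                           # 'interface serial0 overload': one address
            used = self.ports_in_use[gip]
            gport = inside_port if inside_port not in used else self._alloc_port(used)
            used.add(gport)
            self.entries[key] = (gip, gport)
        return self.entries[key]

    def _alloc_port(self, used: set) -> int:
        """Simplification (assumption): next unused port counting up from 1024."""
        while self.next_port in used:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def show_translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations': global then local."""
        rows = []
        for (lip, lport), (gip, gport) in sorted(self.entries.items()):
            rows.append(f"--- {gip} {lip}" if lport == 0 else f"tcp {gip}:{gport} {lip}:{lport}")
        return rows


def demo() -> dict:
    dyn = NatTable("10.0.0.0/16", "179.9.8.80", "179.9.8.81")            # constructed 2-address pool
    pat = NatTable("10.0.0.0/16", "179.9.8.20", "179.9.8.20", overload=True)
    out = {
        "dyn_first": dyn.translate("10.0.0.1", 1025),     # ('179.9.8.80', 1025)
        "dyn_second": dyn.translate("10.0.0.2", 2000),    # ('179.9.8.81', 2000)
        "dyn_third": dyn.translate("10.0.0.3", 3000),     # None: pool exhausted
        "dyn_repeat": dyn.translate("10.0.0.1", 4000),    # same global as before
        "pat_a": pat.translate("10.0.0.1", 1025),         # port preserved
        "pat_b": pat.translate("10.0.0.2", 1025),         # collision: remapped to 1024
        "pat_c": pat.translate("10.0.0.3", 40000),
        "not_in_list": pat.translate("192.168.5.5", 5000),  # untranslated
    }
    out["pat_rows"] = pat.show_translations()
    return out
```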

5.1.4

Verifying NAT and PAT configuration

clear ip nat translation
clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
show ip nat translations
show ip nat statistics

5.1.5

Troubleshooting NAT and PAT configuration

debug ip nat
debug ip nat detailed

5.2 DHCP

5.2.1 Configuring DHCP Operation

Router(config)#ip dhcp pool name
Router(config-dhcp)#network network-number [mask | /prefix-length]
Router(config-dhcp)#domain-name domain
Router(config-dhcp)#dns-server address [address2 ... address8]
Router(config-dhcp)#netbios-name-server address [address2 ... address8]
Router(config-dhcp)#default-router address [address2 ... address8]
Router(config-dhcp)#lease {days [hours] [minutes] | infinite}
Router(config)#ip dhcp excluded-address ip-address [end-ip-address]

If the DHCP client and the DHCP server are not on the same segment but are separated by a router, the DHCPDISCOVER broadcasts are blocked. By using the helper address feature, a router can be configured to accept a broadcast request for a UDP service and then forward it as a unicast to a specific IP address.

Example:
Router(config-if)#ip helper-address address

5.2.2 Verifying DHCP Operation

Router#show ip dhcp binding [address]
Router#show ip dhcp conflict [address]
Router#show ip dhcp database [url]
Router#show ip dhcp server statistics

5.2.3 Troubleshooting DHCP Configuration

Router#debug ip dhcp server
Router#debug ip dhcp server events
Router#debug ip dhcp server packets
Router#debug ip dhcp server linkage

6 Module 3: Point-to-Point Protocol (PPP)


In module 2: no commands

6.1

Configuring HDLC Encapsulation

Router(config-if)#encapsulation hdlc

6.2

Troubleshooting a Serial Interface

Router#show interface s0
Router#show controllers s0
Router#debug serial interface
Router#debug arp
Router#debug frame-relay lmi
Router#debug frame-relay events
Router#debug ppp negotiation
Router#debug ppp packet
Router#debug ppp errors
Router#debug ppp chap

6.3

Configuring PPP Encapsulation

Router#config terminal
Router(config)#interface serial 0
Router(config-if)#encapsulation ppp
Router(config-if)#compress [predictor | stac]
Router(config-if)#ppp quality number_1-100
Router(config-if)#ppp multilink

6.4

Configuring PPP Authentication

Router(config)#hostname name                              //case sensitive
Router(config)#username name password password
Router(config)#service password-encryption
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}
Router#show interface s0
Router(config-if)#ppp chap hostname hostname
Router(config-if)#ppp chap password secret
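Why the "username name password password" entries must mirror each other (each router holds an entry for the peer's hostname, with the same password) follows from the CHAP exchange itself: the authenticator sends a random challenge, the peer answers with MD5(identifier || secret || challenge), and the authenticator recomputes the same hash from the secret it stores under the peer's name. The exchange below is an added example, not IOS code and not part of these notes; the router names and password are constructed, and the hash construction is the one in RFC 1994. The secret never crosses the link, but an observer who captures challenge and response can test candidate passwords offline, which is why the password strength still matters.

```python
"""CHAP (RFC 1994) three-way handshake as negotiated by 'ppp authentication chap'.
Constructed teaching code, not IOS. Shows why the shared password must be
identical on both routers and why it never crosses the link."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || Secret || Challenge), per RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class Router:
    """A PPP peer: 'hostname NAME' plus its 'username PEER password PW' table."""

    def __init__(self, hostname: str, usernames: Dict[str, str],
                 chap_hostname: Optional[str] = None):
        self.hostname = hostname
        self.usernames = usernames
        self.sent_name = chap_hostname or hostname   # 'ppp chap hostname' override
        self._identifier = 0

    # --- authenticator side (the router configured with 'ppp authentication chap') ---
    def challenge(self) -> Tuple[int, bytes, str]:
        """Challenge packet: fresh identifier, random value, and our name."""
        self._identifier = (self._identifier + 1) & 0xFF
        return self._identifier, os.urandom(16), self.sent_name

    def verify(self, identifier: int, challenge: bytes, peer_name: str, response: bytes) -> bool:
        """Look the peer's name up in the username table and recompute the hash."""
        secret = self.usernames.get(peer_name)
        if secret is None:
            return False                                  # unknown peer -> Failure
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)    # Success / Failure

    # --- peer side ---
    def respond(self, identifier: int, challenge: bytes,
                authenticator_name: str) -> Tuple[int, bytes, str]:
        """Response packet: hash computed with the secret stored for the challenger."""
        secret = self.usernames.get(authenticator_name)
        if secret is None:
            raise LookupError(f"no username entry for {authenticator_name}")
        return identifier, chap_response(identifier, secret, challenge), self.sent_name


def run_chap(authenticator: Router, peer: Router) -> Tuple[bool, bytes]:
    """Run one exchange; return (authenticated?, bytes visible on the serial link)."""
    ident, chal, auth_name = authenticator.challenge()
    ident2, resp, peer_name = peer.respond(ident, chal, auth_name)
    wire = chal + resp + peer_name.encode()
    return authenticator.verify(ident2, chal, peer_name, resp), wire


def demo() -> Dict[str, bool]:
    # Constructed: each router holds a username entry for the OTHER router's
    # hostname, both with the same password.
    r1 = Router("R1", {"R2": "ppp-secret-example"})
    r2 = Router("R2", {"R1": "ppp-secret-example"})
    r2_bad = Router("R2", {"R1": "different-secret"})     # password mismatch
    ok, wire = run_chap(r1, r2)
    bad, _ = run_chap(r1, r2_bad)
    return {"matching_passwords": ok, "mismatched_passwords": bad,
            "secret_not_on_wire": b"ppp-secret-example" not in wire}
```

The "ppp chap hostname" command changes only the name carried in the packets; the other side must then hold its username entry under that name, which is a common reason for a "debug ppp authentication" failure.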

6.5

Verifying the Serial PPP Encapsulation Configuration

Router#show interfaces
Router#debug ppp authentication
Router#undebug all

6.6

Troubleshooting the Serial PPP Encapsulation Configuration

Router#debug ppp {packet | negotiation | error | chap}

7 Module 3: ISDN and DDR


7.1 Configuring ISDN BRI

Router(config)#isdn switch-type switch-type   //basic-ni for national ISDN
Router(config)#interface bri interface-number
Router(config-if)#isdn switch-type switch-type   //this interface only
Router(config-if)#isdn spid1 spid-number [ldn]   //ldn: local dial number
Router(config-if)#isdn spid2 spid-number [ldn]
Router(config)#isdn switch-type none

Example:
Router(config)#isdn switch-type basic-ni
Router(config)#interface bri 0/0
Router(config-if)#isdn spid1 51055540000001 5554000
Router(config-if)#isdn spid2 51055540010001 5554001

7.2 Configuring ISDN PRI

Routers connect to a PRI through a T1/E1 controller; there is no "interface pri"!

Router(config)#isdn switch-type switch-type   //primary-ni for national ISDN
Router(config)#controller {t1 | e1} {slot/port}
Router(config-controller)#framing {sf | esf}   //for T1
Router(config-controller)#framing {crc4 | no-crc4} [australia]   //for E1
Router(config-controller)#linecode {ami | b8zs | hdb3}
Router(config-controller)#pri-group [timeslots range]
Router(config)#interface serial {slot/port: | unit:} {23 | 15}   //23 for T1, 15 for E1

Attention: S0/0.23 refers to a subinterface (for example: frame relay, vlans); S0/0:23 refers to a channel (PRI).

7.3 Verifying the ISDN Configuration

Router#show isdn status
Router#show interfaces bri0/0
Router#show isdn active
Router#show dialer

7.4 Troubleshooting the ISDN Configuration

Router#debug isdn q921
Router#debug isdn q931

7.5 Defining Static Routes for DDR

Router(config)#ip route net-prefix mask {address | interface} [distance] [permanent]

Example:
Router(config)#ip route 10.40.0.0 255.255.0.0 10.1.0.1
Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.0.2   //default route

7.6 Specifying Interesting Traffic for DDR

Router(config)#dialer-list dialer-group-num protocol protocol-name {permit | deny | list access-list-number}

Example:
Router(config)#dialer-list 1 protocol ip permit   //without access-list: all ip traffic is interesting

Router(config)#dialer-list 1 protocol ip list 101   //with access-list
Router(config)#access-list 101 deny tcp any any eq ftp   //no ftp
Router(config)#access-list 101 deny tcp any any eq telnet   //no telnet
Router(config)#access-list 101 permit ip any any   //all other ip

7.7 Configuring DDR Dialer Information

Router(config)#username username password password
Router(config)#interface bri interface-number
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication chap
Router(config-if)#ip address ip-address subnet
Router(config-if)#dialer-group group-number   //same number as with dialer-list
Router(config-if)#dialer map protocol next-hop-address [name hostname] [speed 56 | 64] [broadcast] dial-string
Router(config-if)#dialer idle-timeout seconds

Example:
Remote(config-if)#dialer map ip 129.30.255.253 name Gent 5551000

7.8 Configuring Dialer Profiles

Router(config)#interface dialer dialer-number
Router(config-if)#ip address ip-address subnet
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication chap
Router(config-if)#dialer remote-name remote-name
Router(config-if)#dialer string ldn
Router(config-if)#dialer pool pool-number
Router(config-if)#dialer-group group-number
Router(config)#interface bri0/0
Router(config-if)#dialer pool-member number priority priority-number

7.9 Verifying the DDR Configuration

Router#show dialer interface interface
Router#show isdn active
Router#debug ppp authentication
Router#debug ppp negotiation
Router#debug ppp error

8 Module 5: Frame Relay


8.1 Basic Frame Relay Configuration

Router(config)#interface serial interface-number
Router(config-if)#ip address ip-address subnet
Router(config-if)#encapsulation frame-relay [cisco | ietf]
Router(config-if)#frame-relay lmi-type {ansi | cisco | q933i}   //needed on IOS 11.1 or earlier
Router(config-if)#bandwidth kilobits
Router(config-if)#frame-relay inverse-arp [protocol] [dlci]
Router(config-if)#no shutdown

8.2 Verifying Operation and Confirming Connectivity

Router#show frame-relay pvc
Router#show interfaces serial
Router#show frame-relay map
Router#show frame-relay lmi

8.3 Configuring Subinterfaces

Router(config)#interface serial number
Router(config-if)#no ip address
Router(config-if)#interface serial number.subinterface-number {multipoint | point-to-point}
Router(config-if)#ip unnumbered interface   //point-to-point and using ip
Router(config-if)#frame-relay interface-dlci dlci-number

8.4 Configuring Optional Commands

Router(config-if)#frame-relay map protocol protocol-address dlci [broadcast] [ietf | cisco | payload-compress packet-by-packet]   //when inverse arp is disabled
Router(config-if)#keepalive number
Router(config-if)#frame-relay local-dlci number

For Router-on-a-Stick Configuration:
R1(config)# interface Fa0/0   [Select the main interface]
R1(config-if)# no ip address   [There should not be any IP address on the main interface]
R1(config-if)# interface Fa0/0.10   [Create a sub-interface; the number can be anything]
R1(config-if)# encapsulation dot1q 10   [Use 802.1Q trunking; assign to this VLAN #]
R1(config-if)# ip address 172.16.10.1 255.255.255.0   [Define the default-gateway IP]
R1(config-if)# interface Fa0/0.99   [Create another sub-interface, this one for native traffic]
R1(config-if)# encapsulation dot1q 99 native   [802.1Q trunking; VLAN #; and native]
R1(config-if)# ip address 172.16.99.1 255.255.255.224   [Default-gateway IP address]

Configuring EIGRP routing (same as usual):
R1(config)# router eigrp 25
R1(config-router)# no auto-summary
R1(config-router)# passive-interface fastethernet 0/0.10
R1(config-router)# passive-interface fastethernet 0/0.99
R1(config-router)# network 172.16.10.0 0.0.0.255
R1(config-router)# network 172.16.99.0 0.0.0.31

Some Useful Show commands:
R1# show ip route   [Display the routing table, confirm IP addresses and ports]
R1# show interface fa0/0.10   [Verify 802.1Q encapsulation and VLAN #]

Chapter 4 IOS Commands

For VTP Configuration:
S1(config)# vtp mode server   [configure this switch to be in server mode]
S1(config)# vtp mode client   [configure this switch to be in client mode]
S1(config)# vtp mode transparent   [configure this switch to be in transparent mode]
S1(config)# vtp domain NAME   [change the VTP domain name of this switch to NAME]
S1(config)# vtp password PASSWORD   [change the VTP password for this switch]
S1(config)# vtp pruning   [activate VTP pruning; not supported in Packet Tracer]
S1(config)# vtp version 2   [change the VTP version to 2]

Some Useful Show commands:
S1# show vtp status   [see VTP mode, revision, version, domain name, pruning mode, etc.]
S1# show vtp password   [only way to see the VTP password]

ACL
1. Define:
Standard ACL (1-99, and 2000-2699) denies or permits based on: 1) source IP address
Extended ACL (100-199) denies or permits based on: 1) source IP address, 2) destination IP address, 3) port (service) (optional)
2. Apply: Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic.

IOS Commands
Standard access list command formats:
access-list <1-99> <deny | permit> <source ip address> <wildcard bits>
access-list <1-99> <deny | permit> host <source ip address>

Examples:
Deny or permit a class C network:
router(config)#access-list 1 deny 192.168.1.0 0.0.0.255
router(config)#access-list 1 permit 192.168.2.0 0.0.0.255
Deny or permit a host:
router(config)#access-list 1 deny 192.168.1.100 0.0.0.0
router(config)#access-list 1 deny host 192.168.1.100
router(config)#access-list 1 permit 192.168.1.101 0.0.0.0
router(config)#access-list 1 permit host 192.168.1.101
Deny or permit all hosts:
router(config)#access-list 1 deny any
router(config)#access-list 1 permit any
Apply the access list to a router interface outbound and inbound:
router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 1 out
router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 1 in

IOS Commands
Extended access list command formats:
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> host <source ip address> host <destination ip address> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits>

Extended access list examples:
Deny or permit a source class C network to a destination class C network:
router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
Deny or permit a source host to a destination /24 network:
router(config)#access-list 100 deny ip 192.168.1.100 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.1.101 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip host 192.168.1.101 192.168.4.0 0.0.0.255
Deny or permit any host to any destination on port 80 (http):
router(config)#access-list 100 deny tcp any any eq 80
router(config)#access-list 100 permit tcp any any eq 80
Deny or permit all hosts (an extended entry always needs a protocol keyword):
router(config)#access-list 100 deny ip any any
router(config)#access-list 100 permit ip any any
Apply the access list to a router interface outbound and inbound:
router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 100 out
router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 100 in

Overview
A named access list can be either a standard or an extended access list; the only difference is that it is identified by name rather than by number. The IOS command for starting a named access list differs slightly from a numbered one in that it starts with ip access-list rather than access-list, see below:
router>enable
router#configure terminal
router(config)#ip access-list <standard | extended> <name>
router(config-std-nacl)#<permit | deny> <source host or network> <wildcard>
router(config-ext-nacl)#<permit | deny> <protocol> <source host or network> <wildcard> <destination host or network> <wildcard> <operator> <port>
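As an added example (not part of the original notes), the following Python script applies the standard and extended ACL syntax shown above: it parses numbered access-list entries with wildcard masks, host and any, walks them top-down with first match wins, and falls through to the implicit deny at the end of every list. The two ACL texts are constructed for the example.

```python
"""Evaluate numbered IOS-style ACLs (constructed example, not from a real device)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # 'any' == address 0.0.0.0 with an all-ones wildcard

# Constructed sample ACLs in the syntax shown above.
STANDARD_ACL = """
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit host 192.168.2.10
access-list 1 permit 192.168.2.0 0.0.0.255
"""

EXTENDED_ACL = """
access-list 100 deny tcp any any eq 23
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.4.10 eq 80
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
"""


@dataclass
class Entry:
    action: str                      # 'permit' or 'deny'
    protocol: str                    # 'ip' matches everything; standard ACLs are 'ip'
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]             # ANY for standard ACLs, which test the source only
    dst_port: Optional[int] = None   # only the 'eq' operator is modelled


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard bits: 0 = must match, 1 = ignore (the inverse of a subnet mask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_address(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (address, wildcard, next index)."""
    if tok[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered standard (1-99, 1300-1999) and extended (100-199, 2000-2699) entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                               # skip blank or unrelated lines
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            base, wc, _ = parse_address(tok, 3)    # standard: source address only
            entries.append(Entry(action, "ip", (base, wc), ANY))
            continue
        protocol = tok[3]
        sb, sw, i = parse_address(tok, 4)
        db, dw, i = parse_address(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append(Entry(action, protocol, (sb, sw), (db, dw), port))
    return entries


def evaluate(entries: List[Entry], protocol: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """Top-down, first match wins; no match falls through to the implicit 'deny any'."""
    for e in entries:
        if e.protocol not in ("ip", protocol):
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"   # the implicit deny at the end of every ACL


if __name__ == "__main__":
    std = parse_acl(STANDARD_ACL)
    ext = parse_acl(EXTENDED_ACL)
    print("std 192.168.3.1 ->", evaluate(std, "ip", "192.168.3.1", "10.0.0.1"))          # deny (implicit)
    print("ext telnet      ->", evaluate(ext, "tcp", "192.168.2.7", "192.168.4.9", 23))  # deny
    print("ext http        ->", evaluate(ext, "tcp", "192.168.1.5", "192.168.4.10", 80)) # permit
```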

Timeline
This week in the Cisco CCNA curriculum we will quickly cover Chapter 6: Teleworker Services and start Chapter 7: IP Addressing Services. Chapter 6 is a short chapter with few hands-on or Packet Tracer labs, so in the interests of time we will cover it in two days, begin testing, and move on to Chapter 7.

Teleworker Services
With the advent of greater public internet bandwidth, and the security afforded by IPsec and VPN tunneling technology, organizations and companies are changing to support remote teleworkers. This chapter covers the advent of remote workers, public high-speed internet services and VPN technology.

IP Addressing Services
In order to manage a router on a local area network you will need to know how to hand out IP addresses in a private address range and translate them to public addresses when they need to leave the network. To do this, you will need to know how to configure DHCP services and Network Address Translation (NAT) services. Along with the two important functions of DHCP and NAT, network administrators will also need to prepare for the advent of IPv6.

CCNA Switching Commands

Sw-1(config)#vlan 10,20,99
Sw-1(config-vlan)#exit
Sw-1(config)#vtp mode server
Sw-1(config)#vtp domain CCNA
Sw-1(config)#vtp password cisco
Sw-1(config)#interface fa0/1
Sw-1(config-if)#switchport mode trunk
Sw-1(config-if)#switchport trunk native vlan 1
Sw-1(config-if)#interface range fa0/8 - 15
Sw-1(config-if)#switchport mode access
Sw-1(config-if)#switchport access vlan 10
Sw-1(config-if)#switchport port-security
Sw-1(config-if)#switchport port-security maximum 5
Sw-1(config-if)#interface fa0/20
Sw-1(config-if)#switchport mode access
Sw-1(config-if)#switchport access vlan 20
Sw-1(config-if)#interface vlan 99
Sw-1(config-if)#ip add 192.168.99.5 255.255.255.240
Sw-1(config-if)#no shut
Sw-1(config-if)#exit
Sw-1(config)#ip default-gateway 192.168.99.1
Sw-1(config)#exit
Sw-1# copy running-config startup-config

Sw-2(config)#vtp mode client
Sw-2(config)#vtp domain CCNA
Sw-2(config)#vtp password cisco
Sw-2(config)#spanning-tree vlan 1-99 priority 24576
Sw-2(config)#interface fa0/1
Sw-2(config-if)#switchport mode trunk
Sw-2(config-if)#switchport trunk native vlan 1
Sw-2(config-if)#interface fa0/24
Sw-2(config-if)#switchport mode trunk
Sw-2(config-if)#switchport trunk native vlan 1
Sw-2(config-if)#interface fa0/5
Sw-2(config-if)#switchport mode access
Sw-2(config-if)#switchport access vlan 10
Sw-2(config-if)#interface fa0/15
Sw-2(config-if)#switchport mode access
Sw-2(config-if)#switchport access vlan 20
Sw-2(config-if)#interface vlan 99
Sw-2(config-if)#ip add 192.168.99.4 255.255.255.240
Sw-2(config-if)#no shut
Sw-2(config-if)#exit
Sw-2(config)#ip default-gateway 192.168.99.1
Sw-2(config)#exit
Sw-2# copy running-config startup-config

R-1(config)#interface FastEthernet 0/0
R-1(config-if)# no ip address
R-1(config-if)#no shut
R-1(config-if)#interface FastEthernet 0/0.1
R-1(config-if)# encapsulation dot1q 1 native
R-1(config-if)# no ip address
R-1(config-if)#interface FastEthernet 0/0.10
R-1(config-if)# encapsulation dot1q 10
R-1(config-if)# ip address 192.168.10.1 255.255.255.0
R-1(config-if)#interface FastEthernet 0/0.20
R-1(config-if)# encapsulation dot1q 20
R-1(config-if)# ip address 192.168.20.1 255.255.255.0
R-1(config-if)#interface FastEthernet 0/0.99
R-1(config-if)# encapsulation dot1q 99
R-1(config-if)# ip address 192.168.99.1 255.255.255.240
R-1(config-if)#exit
R-1(config)#router eigrp 75
R-1(config-router)#network 192.168.10.0 0.0.0.255
R-1(config-router)#network 192.168.20.0 0.0.0.255
R-1(config-router)#network 192.168.99.0 0.0.0.15
R-1(config-router)#exit
R-1(config)#exit
R-1# copy running-config startup-config

To Restore a Switch to Defaults:
S1# erase startup-config   [hit enter to accept defaults]
S1# delete vlan.dat   [hit enter to accept defaults]
S1# reload   [answer no if asked to save current config]

IOS Commands

For Management Interface Configuration:
S1(config)# interface vlan 1   [create a virtual host on the switch]
S1(config-if)# description Management interface for this switch   [optional description]
S1(config-if)# ip address 192.168.100.50 255.255.255.0   [assign an IP address]
S1(config-if)# no shut   [must turn it on]
S1(config-if)# exit   [leave interface config and return to global config]
S1(config)# ip default-gateway 192.168.100.1
S1(config)# enable secret class   [must have an enable password for remote config]
S1(config)# line vty 0 15   [switches may have 16 VTY connections at once]
S1(config-line)# password cisco   [must set a login password for telnet]
S1(config-line)# login   [must tell the vty ports to allow remote users]
S1(config-line)# transport input telnet   [allow only telnet for remote config] [default]

For Port Security Configuration:
S1(config)# interface fa0/1   (or: interface range fa0/1 - 15 , gi0/1)
S1(config-if)# switchport mode access   [change from dynamic to access mode]
S1(config-if)# switchport port-security   [must do to activate port-security]
S1(config-if)# switchport port-security maximum 25   [allow 25 MAC addresses]
S1(config-if)# switchport port-security mac-address sticky   [memorize MAC addresses]
S1(config-if)# switchport port-security violation restrict
S1(config-if)# switchport port-security violation protect
S1(config-if)# switchport port-security violation shutdown   [default]

For SSH Configuration:
R1(config)# hostname SW-1   [must change the name of the device from the default]
R1(config)# username Bob password let-me-in   [configure a local user and password]
R1(config)# ip domain-name anything.com   [must set for crypto-key generation]
R1(config)# crypto key generate rsa   [make an encryption key; select 1024 bits]
R1(config)# ip ssh version 2   [configure for SSH version 2; not recognized in Packet Tracer]
R1(config)# line vty 0 15   [change parameters for remote access]
R1(config-line)# login local   [select to authenticate against usernames in this device]
R1(config-line)# transport input ssh   [only allow ssh for remote management]

Some Useful Show commands:
S1# show mac-address-table or show mac address-table   [varies with different IOS]
S1# show ip interface brief   [see status of each switchport]

CCNA 2 Lab Journal Commands

Router(config)#hostname Cisco   [Name can be any word you choose; the prompt becomes Cisco(config)#]
Router(config)#enable password cisco   [Sets enable password]
Router(config)#enable secret class   [Sets enable secret password]
Router(config)#line con 0   [Enters console-line mode]
Router(config-line)#password console   [Sets console-line mode password to console]
Router(config-line)#login   [Enables password checking at login]
Router(config)#line vty 0 4   [Enters vty-line mode]
Router(config-line)#password telnet   [Sets vty password to telnet]
Router(config-line)#login   [Enables password checking at login]
Router(config)#line con 0
Router(config-line)#logging synchronous   [Turns on synchronous logging. Information items sent to the console will not interrupt the command you are typing; the command is moved to a new line]
Router(config)#line con 0
Router(config-line)#exec-timeout 0 0   [Sets the time limit before the console automatically logs off. 0 0 (minutes seconds) means the console never logs off]

Router erase config:
Router#erase nvram
Router#reload

Loopback interfaces:
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface loopback 0
R1(config-if)#ip address 192.169.1.1 255.255.255.0
R1(config-if)#end
R1#copy running-config startup-config

No DNS lookup:
R4#conf t
R4(config)#no ip domain-lookup
R4(config)# CTRL+Z or end

RIP passive interface:
(config-router)#passive-interface fastethernet 0/0
(config-router)#end
#copy run start

Remove network from RIP:
R2(config)#router rip
R2(config-router)#no network 192.168.4.0

Remove RIP from router:
R3(config)#no router rip

Send static route info with RIP:
R2(config)#router rip
R2(config-router)#default-information originate

Chapter 1 Commands
Ctrl + C (break out of a command)
Show commands: show running-config, show ip route, show ip interface brief, show version

Chapter 2 Commands
show controllers serial 0/0/0 (DCE or DTE)
erase startup-config
undebug all (don't use), undebug ip routing
ip route (can copy to text and paste back in with "no" in front to remove: no ip route ...)
Modify a static route: remove it with no ip route ..., then re-enter it

Chapter 4 Commands
RIP router configuration:
(config)#router rip
(config-router)#network 192.168.1.0
(config-router)#network (example: 192.168.2.0)   (one network statement per directly connected network)
(config-router)#end
#copy run start
debug ip rip
passive-interface (no updates sent out that interface)
R2(config-router)#default-information originate   (configures R2 to include the default static route in its RIP updates)
Redistribution (inject static routes into routing protocol updates): R2(config-router)# redistribute static

RIP default routing commands:
R2(config)# ip route 0.0.0.0 0.0.0.0 (s0/0/1 or next hop)
R2(config)# router rip
R2(config-router)# default-information originate
R2(config-router)# no network (192.168.1.0)
R2(config-router)# end

Disabling auto summary in RIPv2:
R1(config)# router rip
R1(config-router)# no auto-summary

Steps for router config:
erase startup-config (reset router)
reload (reload IOS)
enable
hostname (name)
no ip domain-lookup
enable secret (password)
line console 0, logging synchronous, password, login
Router(config-line)#logging synchronous

FastEthernet (LAN):
R1#configure terminal
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address (ip) (sm)
R1(config-if)#no shutdown

Timeout:
R1(config)#line console 0
R1(config-line)#exec-timeout 0 0
R1(config-line)#line vty 0 4
R1(config-line)#exec-timeout 0 0

Serial (WAN):
R1#configure terminal
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 172.16.2.1 255.255.255.0
R1(config-if)#clock rate (DCE only)
R1(config-if)#no shutdown

Static routes:
ip route (network ip) (network subnet) (exit port: serial or fastethernet #, or ip of next hop)
R1#debug ip routing
R1#no debug ip routing (turn off debug)
#copy run start
exit (CTRL+Z)
no ip classless / ip classless

Show commands: show running-config, show ip route, show ip interface brief, show version, show cdp neighbors (diagnostic tool for Cisco devices), show cdp neighbors detail, show ip protocols, show controllers
no cdp enable (interface) or no cdp run (global)

ip route options:
ip route (network ip) (network subnet) (exit port: serial or fastethernet #, or next-hop ip)
Summary route: convert e.g. 172.16.1.0 to 172.16.0.0 with a new subnet mask that fits the networks, then (exit port or next-hop ip)
Default route: ip route 0.0.0.0 0.0.0.0 (exit port or next-hop ip), e.g. serial0/0/0 or serial 0/0/1

EIGRP Helpful Commands and Explanations

Router(config)# router eigrp 100   [Turns on the EIGRP process. 100 is the autonomous system (AS) number, which can be a number between 1 and 65535. All routers in the same AS must use the same AS number.]
Router(config-router)# network 192.168.1.32 0.0.0.31   [Enables EIGRP routing for the 192.168.1.32/27 subnet.]
Router# show ip eigrp neighbors   [Displays the neighbor table.]
Router# show interface serial 0/0/0   [Verifies the current EIGRP metrics used for the Serial 0/0/0 interface.]
Router(config-if)# bandwidth 128   [Changes the bandwidth of an interface to 128 kbps.]
Router# show ip eigrp topology   [Displays the topology table. This command will show you where your feasible successors are.]
Router# show ip eigrp topology all-links   [Displays the topology table as well as routes that do not match the feasibility condition.]
Router# debug eigrp fsm   [Displays events/actions related to the DUAL FSM.]
Router(config)# ip classless   [Enables classless routing behavior.]
Router(config-router)# no auto-summary   [Turns off the automatic summarization of networks at classful boundaries.]
Router(config-router)# eigrp log-neighbor-changes   [Logs any changes to an EIGRP neighbor adjacency.]
Router(config-if)# ip summary-address eigrp 100 10.10.0.0 255.255.0.0   [Enables manual summarization on this specific interface for the 10.10.0.0/16 address space.]
Router(config-router)# redistribute static   [Configures EIGRP to include static routes in EIGRP routing updates.]
Router(config-if)# ip bandwidth-percent eigrp (AS #) (percent)   [default 50%]
Router(config-if)# ip hello-interval eigrp (AS #) (seconds)
Router(config-if)# ip hold-time eigrp (AS #) (seconds)
Bandwidth command:
Router(config)# interface (*)
Router(config-if)# bandwidth (speed in kilobits)

OSPF
R1(config)#router ospf 1
R1(config-router)#
Router(config-router)#network network-address wildcard-mask area area-id
show ip protocols
Router ID:
Router(config)#router ospf process-id
Router(config-router)#router-id ip-address
Router#clear ip ospf process
show ip ospf neighbor
R1(config)#interface serial 0/0/0
R1(config-if)#ip ospf cost 1562
Router(config-if)#bandwidth (bandwidth-kbps)
Hello packets are sent to 224.0.0.5 (AllSPFRouters)
r1(config-router)#interface serial0/0/0
r1(config-if)#ip ospf hello-interval 5
r1(config-if)#ip ospf dead-interval 20
rA(config)#interface fastethernet0/0
rA(config-if)#ip ospf priority 255
rA(config-if)#end
Router(config-router)#auto-cost reference-bandwidth 10000

Troubleshooting commands

show ip protocols
show ip ospf
show ip ospf interface

CCNA Exploration 4 IOS Commands

Mel Ralph, Expl4 IOS.doc, 02/07/2008, Page 1. IOS Commands. Last update: 2/7/8. Refs: L = Labs; all others are Exploration 4 v4 curriculum material TI references.

2.1.6 R(config-if)# encapsulation hdlc   HDLC is the default encapsulation
show interface serial   Determine the encapsulation
show controllers   Determine DCE or DTE
2.3.2 interface serial 0/0
encapsulation ppp   PPP encapsulation
compress [predictor | stac]   Options
ppp quality percentage
ppp callback [accept | request]
ppp multilink
2.3.4 debug ppp [packet] [negotiation] [error]
2.4.5 ppp authentication {chap | pap | chap pap | pap chap} [callin]   PPP authentication
2.4.5 Configure PAP authentication example:
hostname R1
username R3 password sameone
!
int s0/0
encapsulation ppp
ppp authentication pap
ppp pap sent-username R1 password sameone
Configure CHAP authentication example:
hostname R1
username R3 password sameone
!
int s0/0
encapsulation ppp
ppp authentication chap

2.4.6 debug ppp authentication

Frame Relay
int s0/0
3.1.5 encapsulation frame-relay [cisco | ietf]   Default is cisco
3.1.5 frame-relay lmi-type [cisco | ansi | q933a]   From IOS 11.2 the default LMI autosense feature detects the LMI type
keepalive number   Number of secs for the LMI keepalive interval. Default 10 secs.
no frame-relay inverse-arp   Disable inverse arp
frame-relay map ip addr dlci [broadcast] [cisco | ietf]   Static mapping
Example: Static mapping
int s0/0/0
ip address 10.10.10.1 255.255.255.0
encapsulation frame-relay
no shutdown
no frame-relay inverse-arp
frame-relay map ip 10.10.10.2 102 broadcast
frame-relay map ip 10.10.10.3 103 broadcast
frame-relay lmi-type [cisco | ansi | q933a]
keepalive   Set LMI switch type (pre IOS 11.2)
3.4.1 interface s0/0.103 [multipoint | point-to-point]   Creating a FR sub-interface
3.4.1 R1(config-subif)# frame-relay interface-dlci dlci   Links a DLCI with a subinterface. Use only with subinterfaces.
3.4.2 show interfaces
show frame-relay pvc [interface interface] [dlci]
clear counters
3.1.5 show frame-relay map

3.1.5 show frame-relay lmi
debug frame-relay lmi
3.4.2 clear frame-relay inarp   Clear dynamically created Frame Relay maps that were created using Inverse ARP
3.4.3 debug frame-relay lmi

Network Security
4.2.3 R1(config)# do show run | include string
4.2.3 enable password password
4.2.3 username username password password   Local database
4.2.3 service password-encryption   Use type 7 password encryption
4.2.3 security passwords min-length n   IOS 12.3(1) and later.
4.2.4 line aux 0
login
no password   Prevent login on a line. Default for VTY.
4.2.4 transport input protocol   Specify a VTY connection protocol
4.2.4 line vty 0 4
no transport input
transport input telnet ssh   Support incoming Telnet and SSH sessions
exec-timeout 3   Prevent idle sessions.
4.2.4 service tcp-keepalives-in   Enable TCP keepalives.
4.2.4 Example: Configure SSH
hostname R1
ip domain-name cisco.com
crypto key generate rsa
username student secret password
line vty 0 4
transport input ssh
login local
ip ssh time-out 15
ip ssh authentication-retries 2
4.2.5 service timestamps   Enable time-stamps for debug and log msgs.
4.3.1 Vulnerable Router Services (global mode):
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no service finger
no ip http server
no snmp-server
no ip name-server
no cdp run
no boot network
no service config
no ip source-route
no ip classless
Interface mode:
shutdown
no ip directed-broadcast
no ip proxy-arp
no ip unreachables
no ip redirects
4.3.1 ip name-server addresses
no ip domain-lookup
passive-interface default
no passive-interface s0/0/0
4.3.2 RIPv2 authentication:
key chain RIP_KEY
key 1
key-string cisco
int s0/0
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY
Configure authentication for EIGRP:
key chain EIGRP_KEY
key 1
key-string cisco
int s0/0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP_KEY
Configure authentication for OSPF:
int s0/0
ip ospf message-digest-key 1 md5 cisco
ip ospf authentication message-digest
router ospf 10
area 0 authentication message-digest
4.3.3 R# auto secure
4.4.2 Configure a router to use SDM:
ip http server
ip http secure-server
ip http authentication local
username Student privilege 15 secret cisco
line vty 0 4
privilege level 15
login local
transport input telnet ssh
4.5.1 show file systems
4.5.2 copy system:running-config nvram:startup-config
copy system:running-config tftp:
copy tftp: system:running-config
copy tftp: nvram:startup-config   The copy command is used to move configuration files
4.5.4 show flash:
copy flash: tftp:   Backing up the IOS software image
4.5.6 service timestamps debug datetime msec
show processes
no debug all
terminal monitor
4.5.7 config-register 0x2102   Configuration register. Factory setting.
L 4.6.1 username name [privilege 0-15] password password   Default privilege is 0.
Cpedia R(config)# username mark password kram
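As an added example (not part of these notes or of any Cisco tool), the following Python script checks a saved running-config against the VTY settings in 4.2.4 and the "For SSH Configuration" block earlier on this page, and against the 4.3.1 "Vulnerable Router Services" list: it splits the config into global lines and line/interface blocks, then reports missing "no ..." statements, telnet left enabled on the VTY lines, and a disabled exec-timeout. The sample config, its hostname and the $PLACEHOLDER_HASH values are constructed for the example.

```python
"""Audit an IOS running-config against the hardening items listed above (added example)."""
from typing import Dict, List, Tuple

# Constructed sample running-config (not captured from a real device). It applies part of the
# hardening shown above and leaves a few items out so the audit has findings to report.
# $PLACEHOLDER_HASH stands in for the secret hashes IOS would display.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $PLACEHOLDER_HASH
username student secret 5 $PLACEHOLDER_HASH
ip domain-name example.com
no ip http server
no cdp run
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
line aux 0
 login
 no password
"""

# The same config with the gaps closed, for comparison.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("line vty 0 4\n exec-timeout 0 0", "line vty 0 4\n exec-timeout 3 0")
                   .replace(" transport input telnet ssh", " transport input ssh")
                   + "no ip finger\nsecurity passwords min-length 10\n")

# Global-mode lines from the 4.3.1 list plus 4.2.3 items. Most of these services are silent in the
# config when enabled, so the audit looks for the explicit 'no' form rather than for the service.
EXPECTED_GLOBAL = [
    "no service tcp-small-servers", "no service udp-small-servers", "no ip bootp server",
    "no ip finger", "no ip http server", "no cdp run", "no ip source-route",
    "service password-encryption",
]


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and {section header: [subcommands]}.
    IOS indents the subcommands of 'interface', 'line' and 'router' blocks by one space."""
    global_lines: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.split()[0] in ("interface", "line", "router"):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(config: str) -> List[str]:
    """Return one finding per hardening item the config does not satisfy."""
    findings: List[str] = []
    global_lines, sections = parse_sections(config)
    present = set(global_lines)
    for expected in EXPECTED_GLOBAL:
        if expected not in present:
            findings.append(f"global: '{expected}' is not in the config")
    if not any(g.startswith("enable secret") for g in global_lines):
        findings.append("global: no 'enable secret' configured")
    if any(g.startswith("enable password") for g in global_lines):
        findings.append("global: 'enable password' present; type 7 is not a hash, use 'enable secret'")
    if not any(g.startswith("security passwords min-length") for g in global_lines):
        findings.append("global: 'security passwords min-length' not set")
    for header, sub in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [s for s in sub if s.startswith("transport input")]
        if not transports or transports[-1] != "transport input ssh":
            findings.append(f"{header}: transport input should be 'ssh' only, found {transports or 'default'}")
        if "login local" not in sub and not any(s.startswith("login authentication") for s in sub):
            findings.append(f"{header}: no 'login local' (or AAA login) on the VTY lines")
        timeouts = [s for s in sub if s.startswith("exec-timeout")]
        if not timeouts or timeouts[-1].split()[1:] == ["0", "0"]:
            findings.append(f"{header}: exec-timeout missing or '0 0', idle sessions never expire")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("hardened config findings:", audit(HARDENED_CONFIG))   # []
```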

R(config)# line console 0
R(config-line)# login local   Use local database to authenticate login
R(config)# line console 0
R(config-line)# login
R(config-line)# password cisco   Use password command, no username.

ACLs
5.2.2 R(config)# access-list number {deny | permit | remark} source [source-wildcard] [log]   Configuring Standard ACLs
no access-list number
5.2.4 R(config-if)# ip access-group {access-list-number | access-list-name} {in | out}   Apply an ACL to an interface
access-class access-list-number {in [vrf-also] | out}   Using an ACL to control VTY access
Example:
line vty 0 4
login
password class
access-class 21 in
5.2.5 show run | include access-list
no access-list 20   Editing numbered ACLs
access-list number remark remark
5.2.6 ip access-list [standard | extended] name
ip access-group name [in | out]   Standard named ACLs
5.2.7 show access-lists [acl-number | name]
5.3.2 access-list number {deny | permit | remark} protocol sourceIP [source-wildcard] [op port-number] destIP [dest-wildcard] [op port-number] [established]   Extended ACLs

DHCP
7.1.4 ip dhcp excluded-address low-address [high-address]
ip dhcp pool name
network net-addr subnet-msk
default-router ipaddr
dns-server ipaddr
no service dhcp   Enabled is the default
show ip dhcp binding   Displays a list of all IP address to MAC address bindings
show ip dhcp server statistics   Information regarding the number of DHCP messages
show ip dhcp pool   View multiple pools
7.1.5 ip address dhcp   Configuring a router interface as a DHCP client
7.12.8 R2# show ip dhcp conflict
access-list 100 permit ip host 0.0.0.0 host 255.255.255.255
debug ip packet detail 100
debug ip dhcp server events

NAT
7.2.4 Static NAT:
ip nat inside source static 192.168.10.254 209.165.200.254
int s0/0
ip nat inside
int s0/1
ip nat outside
Dynamic NAT:
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
ip nat inside source list 1 pool NAT-POOL1
7.2.6 NAT overload for a single public IP address:
ip nat inside source list 1 interface s0/1 overload
NAT overload for a pool of public IP addresses:
access-list 1 permit 192.168.0.0 0.0.255.255
ip nat pool NAT-POOL2 209.165.200.226 209.165.200.240 netmask 255.255.255.224
ip nat inside source list 1 pool NAT-POOL2 overload
7.2.8 show ip nat translations [verbose]
show ip nat statistics
ip nat translation timeout timeout_seconds   Default is 24 hrs
clear ip nat translation *
debug ip nat [detailed]

IPv6
7.3.2 ipv6 address ipv6-address/prefix-length   Assign address to interface
ipv6 address ipv6-prefix/prefix-length eui-64   EUI-64 interface ID assignment
7.3.4 Dual stacking example:
ipv6 unicast-routing
int fa0/0
ip address 192.168.99.1 255.255.255.0
ipv6 address 3ff:b00:c18:1::3/127
7.3.7 ipv6 host name [port] ipv6-address1 [ipv6-address2...ipv6-address4]   Specify host name
ip name-server address   Specify DNS server
7.3.8 Configure RIPng with IPv6:
ipv6 unicast-routing
ipv6 router rip name
int fa0/0
ipv6 rip name enable

DHCP R-1(config)# ip dhcp excluded 172.16.2.1 172.16.2.7 (excluded IP range) R-1(config)# ip dhcp pool LAN-2 (name this DHCP pool) R-1(config-dhcp)# network 172.16.2.0 255.255.255.128 (entire network range) R-1(config-dhcp)# default-router 172.16.2.1 (address on router port) R-1(config-dhcp)# dns-server 140.198.8.14 (DNS server can have up to 4) R-1(config-dhcp)# domain-name MCC.COM (optional domain name) R-1(config-dhcp)# lease-time 5 (optional - change to 5 day lease, 1 day is default) ! R-3(config)# interface fastethernet 0/1 (interface for network with DHCP clients) R-3(config-if)# ip helper-address 192.168.15.2 (address where DHCP server is) ! DOS-PROMPT>ipconfig /release (remove dynamically assigned IP information on PC) DOS-PROMPT>ipconfig /renew (get new IP address from DHCP server) NAT -For both static and dynamic NAT, designate interfaces as inside or outside: R-1(config)# interface fa0/0 (typically designate all interfaces except the outside one) R-1(config-if)# ip nat inside (designate this as an inside interface) R-1(config)# interface serial 0/0/0 (typically there is only one outside interface) R-1(config-if)# ip nat outside (designate this as an outside interface) ! -Static NAT requires only one statement. The IP addresses are inside / outside:

R-1(config)# ip nat inside source static 192.168.10.22 73.2.34.137
!
-Dynamic NAT may use a pool of outside addresses. If you do not use a pool, you will have to use the address on the outside interface. You can use netmask:
R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 netmask 255.255.255.248
-or- You may choose to use prefix-length:
R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 prefix-length 29
!
-Dynamic NAT requires an ACL to define which internal addresses can be NATted:
R-1(config)# ip access-list standard NAT-ELIGIBLE
R-1(config-std-nacl)# permit 192.168.10.0 0.0.0.255   (include all subnets)
R-1(config-std-nacl)# deny any
!
-Dynamic NAT can use the pool for outside addresses:
R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME
-or- Dynamic NAT can use the pool with overload to share outside addresses:
R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME overload
-or- Dynamic NAT can use the exit interface; this form almost always uses overload:
R-1(config)# ip nat inside source list NAT-ELIGIBLE interface serial 0/0/0 overload

IPv6
R-1(config)# ipv6 unicast-routing   (activate IPv6 routing; off by default)
R-1(config)# interface fa0/0
R-1(config-if)# ipv6 address 3ffe:b00:c18:1::3/64   (manually enter the complete address)
-or-

R-1(config-if)# ipv6 address 3ffe:b00:c18:1::/64 eui-64   (auto configure the interface ID)
R-1(config-if)# ipv6 rip NAME enable   (include this interface and subnet in routing)
R-1(config-if)# ipv6 rip NAME default-information originate   (send the default route)
!
R-1(config)# ipv6 router rip NAME   (name the RIPng instance)
R-1(config)# ipv6 route ::/0 S0/0/1   (the default route goes out S0/0/1)
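The dynamic NAT and overload commands in the NAT section above, modelled as an added example (not from this cheat sheet) to show why the six-address pool runs dry without overload while PAT keeps translating. The ACL and pool values are the ones configured above; handing out overload ports sequentially from 1024 is a simplification, not IOS's real allocator.

```python
import ipaddress
import itertools

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' for that address bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def nat_eligible(inside_local):
    """ACL NAT-ELIGIBLE from above: permit 192.168.10.0 0.0.0.255, then deny any."""
    return wildcard_match(inside_local, "192.168.10.0", "0.0.0.255")

class NatTable:
    """Inside-to-outside translations for 'ip nat inside source list ... pool ...'."""
    def __init__(self, pool_first, pool_last, overload=False):
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.overload = overload
        self.translations = {}                    # inside local -> inside global
        self.next_port = itertools.count(1024)    # assumed port allocation order

    def translate(self, inside_local, src_port):
        """Return the (inside global address, port) seen on the outside, or None
        when the packet is not translated (not permitted by the ACL, or pool empty)."""
        if not nat_eligible(inside_local):
            return None
        if self.overload:                         # PAT: one address, many ports
            key = (inside_local, src_port)
            if key not in self.translations:
                self.translations[key] = (self.pool[0], next(self.next_port))
            return self.translations[key]
        if inside_local not in self.translations:  # one-to-one: first free address
            free = [a for a in self.pool if a not in self.translations.values()]
            if not free:
                return None                       # pool exhausted: IOS drops the packet
            self.translations[inside_local] = free[0]
        return (self.translations[inside_local], src_port)

    def active(self):
        """Number of entries, the figure 'show ip nat statistics' reports as active."""
        return len(self.translations)
```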

Some Handy Show Commands
DOS-PROMPT>ipconfig   (see IP configuration information for this PC)
DOS-PROMPT>ipconfig /all   (see all IP configuration information, including the MAC)
R-1# show ip dhcp binding   (see which IP addresses are assigned, with their MAC addresses)
R-1# show ip nat translations   (current translations, dynamic and static)
R-1# show ip nat statistics   (see # of active translations, role of interfaces, etc.)
R-1# debug ip nat   (see translations as they happen)
R-1# show ipv6 ?   (lists the ipv6 versions of the familiar IPv4 show commands)

Standard Access Lists:
-Standard access lists only evaluate the source IP field. They can use the host and any keywords, or apply wildcard masks. They do not use port numbers.
**Named Standard Access List:
R-1(config)# ip access-list standard NAME   (name the list)
R-1(config-std-nacl)# deny host 192.168.20.5 log   (deny a specific host / log matches)
R-1(config-std-nacl)# permit 192.168.20.0 0.0.0.255   (permit subnet 192.168.20.0)
R-1(config-std-nacl)# deny any   (deny all other IP addresses)
**Numbered IP Standard Access List:

R-1(config)# access-list 25 deny host 192.168.20.5   (deny a specific host)
R-1(config)# access-list 25 permit 192.168.20.0 0.0.0.255   (permit the entire subnet)
R-1(config)# access-list 25 deny any   (deny all other IP addresses)

Extended Access Lists:
-Extended access lists evaluate multiple criteria, in this order:

  Field           Required?   Values
  Action          required    permit | deny | remark
  Protocol        required    IP | TCP | UDP | ICMP | OSPF | EIGRP | etc.
  Source IP       required    IP address & wildcard mask | any | host X.X.X.X
  Compare         optional    eq | gt | lt | neq | range
  Port/Protocol   optional    23 telnet | 80 http | 443 https | echo (ping) | echo-reply
  Dest IP         required    IP address & wildcard mask | any | host X.X.X.X
  Compare         optional    eq | gt | lt | neq | range
  Port/Protocol   optional    23 telnet | 80 http | 443 https | echo (ping) | echo-reply

There can be additional optional keywords (log, time-range, established, etc.) on the end of most statements. The protocol field must match the destination port / protocol if one is used (example: TCP=Telnet, ICMP=Ping, UDP=DNS).
**Named Extended Access List:
R-1(config)# ip access-list extended NAME   (name the list)
Example: Deny an individual host to an entire subnet for Telnet and also log matches:
R-1(config-ext-nacl)# deny tcp host 192.168.20.10 172.16.0.0 0.0.255.255 eq 23 log
Example: Permit an entire subnet to go anywhere:
R-1(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
Example: Deny everything:
R-1(config-ext-nacl)# deny ip any any   (applied implicitly at the end of every list even if not configured)

Applying Access Lists:
R-1(config)# interface fastethernet 0/0
R-1(config-if)# ip access-group NAME in   (evaluate packets coming in to the router)
R-1(config-if)# ip access-group NAME out   (evaluate packets leaving the router)
R-1(config)# line vty 0 4
R-1(config-line)# access-class NAME in   (evaluate incoming telnet or SSH sessions)

Dynamic Access List (Stateful Firewall, reflexive ACL):
BRDR-RTR(config)# ip access-list extended OUTBOUND-TRAFFIC
BRDR-RTR(config-ext-nacl)# permit tcp any any reflect TCP-TRAFFIC
BRDR-RTR(config-ext-nacl)# permit udp any any reflect UDP-TRAFFIC
BRDR-RTR(config-ext-nacl)# permit icmp any any reflect ICMP-TRAFFIC
BRDR-RTR(config-ext-nacl)# deny ip any any
!
BRDR-RTR(config)# ip access-list extended EVALUATE-INBOUND
BRDR-RTR(config-ext-nacl)# evaluate TCP-TRAFFIC
BRDR-RTR(config-ext-nacl)# evaluate UDP-TRAFFIC
BRDR-RTR(config-ext-nacl)# evaluate ICMP-TRAFFIC
!
BRDR-RTR(config)# interface serial 0/0/0
BRDR-RTR(config-if)# ip access-group OUTBOUND-TRAFFIC out
BRDR-RTR(config-if)# ip access-group EVALUATE-INBOUND in

Time-Based ACL:
R-1(config)# time-range MON-WED-FRI
R-1(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00
!
R-1(config)# access-list 133 permit tcp 192.168.20.0 0.0.0.255 any eq telnet time-range MON-WED-FRI
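Added example (not from this cheat sheet): a small Python model of how IOS evaluates the extended ACL entries above, covering wildcard masks, first-match ordering and the implicit deny at the end of every list. The PORTS keyword map and the sample packets are constructed, and only the eq compare is modelled; trailing keywords such as log are accepted but ignored.

```python
import ipaddress

PORTS = {"telnet": 23, "http": 80, "https": 443}   # port keywords used on this page

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line):
    """Parse one entry: action protocol source destination [eq port] [log ...]."""
    tokens = line.split()
    ace = {"action": tokens.pop(0), "proto": tokens.pop(0), "dport": None}
    ace["src"] = _addr(tokens)
    ace["dst"] = _addr(tokens)
    if tokens and tokens[0] == "eq":           # destination port compare
        port = tokens[1]
        ace["dport"] = PORTS.get(port) or int(port)
    # trailing keywords such as 'log' do not change what the entry matches
    return ace

def matches(ace, pkt):
    """Wildcard mask semantics: a 1 bit in the mask means that address bit is ignored."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        net, wc = ace[key]
        if (int(ipaddress.IPv4Address(pkt[key])) | wc) != (net | wc):
            return False
    return ace["dport"] is None or ace["dport"] == pkt.get("dport")

def evaluate(acl, pkt):
    """First matching entry decides; no match hits the implicit 'deny ip any any'."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed sample: the named extended ACL from the examples above.
NAMED_ACL = [parse_ace(line) for line in (
    "deny tcp host 192.168.20.10 172.16.0.0 0.0.255.255 eq 23 log",
    "permit ip 192.168.20.0 0.0.0.255 any",
)]

def decide(proto, src, dst, dport=None, acl=NAMED_ACL):
    """Evaluate one packet header (protocol, source, destination, dest port)."""
    return evaluate(acl, {"proto": proto, "src": src, "dst": dst, "dport": dport})
```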

Some Useful Show Commands:
R-1# show access-list   (see the access lists on this router and # of matches per line)
R-1# show access-list NAME   (see a specific access list and # of matches per line)
R-1# show run | begin interface   (starts listing at the first instance of "interface")