CCNA R&S: Cisco Commands List. Portable command guide for dummies


This post is a list of important CCNA commands that you may need both in CCNA exams and in the real world. When you start preparing for the CCNA exam, you develop concepts on various networking topics, but in the real world, when you work as a network engineer or in any other relevant position, you need to know when and how to apply your CCNA knowledge. This post aims to equip you with all the necessary commands, with in-depth illustrations, to familiarize you with the network configuration environment so that you know exactly which command to use in a particular situation.
This post includes all the CCNA commands that an exam candidate may need to solve CCNA simulation labs and to solve switching and routing problems in real networks.
Router Modes:
  • Router>: User mode = Limited to basic monitoring commands
  • Router#: Privileged mode (exec-level mode) = Provides access to all other router commands
  • Router(config)#: global configuration mode = Commands that affect the entire system
  • Router(config-if)#: interface mode = Commands that affect interfaces
  • Router(config-subif)#: subinterface mode = Commands that affect subinterfaces
  • Router(config-line)#: line mode = Commands that affect lines (console, vty, aux…)
  • Router(config-router)#: router configuration mode
Changing switch hostname
Switch(config)#hostname SW1
Configuring passwords
SW1(config)#enable secret cisco (MD5 hash)
SW1(config)#enable password notcisco (clear text)
Securing console port
SW1(config)#line con 0
SW1(config-line)#password cisco
SW1(config-line)#login
Securing terminal lines
SW1(config)#line vty 0 4
SW1(config-line)#password cisco
SW1(config-line)#login
Encrypting passwords
SW1(config)#service password-encryption
Configuring banners
SW1(config)#banner motd $
=================================
UNAUTHORIZED ACCESS IS PROHIBITED
=================================
$
Giving the switch an IP address
SW1(config)#interface vlan 1
SW1(config-if)#ip address 172.16.1.1 255.255.255.0 (or dhcp)
SW1(config-if)#no shutdown
Setting the default gateway
SW1(config)#ip default-gateway 172.16.1.1
Saving configuration
SW1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
[OK]
Press enter to confirm file name.
SW1#wr
Building configuration…
[OK]
Short for write memory.
Working environment
(name lookup, history, exec-timeout and logging behavior)
SW1(config)#no ip domain-lookup
SW1(config)#line vty 0 4
SW1(config-line)#history size 15
SW1(config-line)#exec-timeout 10 30
SW1(config-line)#logging synchronous
Also valid for line con 0
Configuring switch to use SSH
  • Configure DNS domain name:
  • SW1(config)#ip domain-name example.com
  • Configure a username and password:
  • SW1(config)#username admin password cisco
  • Generate encryption keys:
  • SW1(config)#crypto key generate rsa
    How many bits in the modulus [512]: 1024
  • Define SSH version to use:
  • SW1(config)#ip ssh version 2
  • Enable vty lines to use SSH:
  • SW1(config)#line vty 0 4
    SW1(config-line)#login local
    SW1(config-line)#transport input telnet ssh
The size of the key modulus is in the range of 360 to 2048.
You can set vty lines to use only telnet or only ssh or both as in the example.
Aliases
SW1(config)#alias exec c configure terminal
SW1(config)#alias exec s show ip interface brief
SW1(config)#alias exec sr show running-config
Used to create shortcuts for long commands.
Description, speed and duplex
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#description LINK TO INTERNET ROUTER
SW1(config-if)#speed 100 (options: 10, 100, auto)
SW1(config)#interface range fastEthernet 0/5 - 10
SW1(config-if-range)#duplex full (options: half, full, auto)
The range keyword is used to configure a group of interfaces at once.
Verify Basic Configuration
SW1#show version: Shows information about the switch and its interfaces, RAM, NVRAM, flash, IOS, etc.
SW1#show running-config: Shows the current configuration file stored in DRAM.
SW1#show startup-config: Shows the configuration file stored in NVRAM, which is used at the first boot process.
SW1#show history: Lists the commands currently held in the history buffer.
SW1#show ip interface brief: Shows an overview of all interfaces, their physical status, protocol status and IP address if assigned.
SW1#show interface vlan 1: Shows detailed information about the specified interface, its status, protocol, duplex, speed, encapsulation, last 5 min traffic.
SW1#show interfaces description: Shows the description of all interfaces.
SW1#show interfaces status: Shows the status of all interfaces, like connected or not, speed, duplex, trunk or access VLAN.
SW1#show crypto key mypubkey rsa: Shows the public encryption key used for SSH.
SW1#show dhcp lease: Shows information about the leased IP address (when an interface is configured to get its IP address via a DHCP server).
Configuring port security
  • Make the switch interface as access port:
  • SW1(config-if)#switchport mode access
  • Enable port security on the interface:
  • SW1(config-if)#switchport port-security
  • Specify the maximum number of allowed MAC addresses:
  • SW1(config-if)#switchport port-security maximum 1
  • Define the action to take when violation occurs:
  • SW1(config-if)#switchport port-security violation shutdown (options: shutdown, protect, restrict)
  • Specify the allowed MAC addresses:
  • SW1(config-if)#switchport port-security mac-address 68b5.9965.1195 (options: H.H.H, sticky)
The sticky keyword lets the interface dynamically learn and configure the MAC addresses of the currently connected hosts.
Verify and troubleshoot port security
SW1#show mac-address-table: Shows the entries of the MAC address table
SW1#show port-security: Overview of port security of all interfaces
SW1#show port-security interface fa0/5: Shows detailed information about port security on the specified interface
Configuring VLANs
  • Create a new VLAN and give it a name:
  • SW1(config)#vlan 10
    SW1(config-vlan)#name SALES
  • Assign an access interface to access a specific VLAN:
  • SW1(config)#interface fastEthernet 0/5
    SW1(config-if)#switchport mode access
    SW1(config-if)#switchport access vlan 10
Configuring an auxiliary VLAN for cisco IP phones
SW1(config)#interface fastEthernet 0/5
SW1(config-if)#switchport access vlan 10
SW1(config-if)#switchport voice vlan 12
accessing vlan 10 (data) and 12 (VoIP)
Configuring Trunks
SW1(config)#interface fastEthernet 0/1
SW1(config-if)#switchport mode trunk
(options: access, trunk, dynamic auto, dynamic desirable)
SW1(config-if)#switchport trunk allowed vlan add 10 (options: add, remove, all, except)
Securing VLANS and Trunking
  • Administratively disable unused interfaces:
  • SW1(config-if)#shutdown
  • Prevent trunking by disabling auto negotiation on the interface:
  • SW1(config-if)#switchport nonegotiate (or hardcode the port as an access port)
    SW1(config-if)#switchport mode access
  • Assign the port to an unused VLAN:
  • SW1(config-if)#switchport access vlan 222
Configuring VTP
  • Configure VTP mode:
  • SW1(config)#vtp mode server (options: server, client, transparent)
  • Configure VTP domain name:
  • SW1(config)#vtp domain EXAMPLE (case-sensitive)
  • Configure VTP password: (optional)
  • SW1(config)#vtp password cisco (case-sensitive)
  • Configure VTP pruning: (optional)
  • SW1(config)#vtp pruning (only works on VTP servers)
  • Enable VTP version 2: (optional)
  • SW1(config)#vtp version 2
  • Bring up trunks between the switches
The transparent VTP mode is used when an engineer wants to deactivate VTP on a particular switch.
Verify and troubleshoot VLANS and VTP
SW1#show interfaces if switchport: Lists information about the administrative settings and operational status of the interface
SW1#show interfaces trunk: Lists all the trunk ports on a switch, including the trunk allowed VLANs
SW1#show vlan {brief | id | name | summary}: Lists information about the VLANs
SW1#show vtp status: Lists VTP configuration (mode, domain name, version, etc.) and revision number
SW1#show vtp password: Shows the VTP password
STP optimization
  • Hard coding the root bridge (changing bridge priority):
  • SW1(config)#spanning-tree vlan 1 root primary
    SW1(config)#spanning-tree vlan 1 root secondary
    SW1(config)#spanning-tree [vlan 1] priority 8192
  • Changing the STP mode:
  • SW1(config)#spanning-tree mode rapid-pvst (options: mst, pvst, rapid-pvst)
  • Enabling portfast and BPDU guard on an interface:
  • SW1(config-if)#spanning-tree portfast
    SW1(config-if)#spanning-tree bpduguard enable
  • Changing port cost:
  • SW1(config-if)#spanning-tree [vlan 1] cost 25
  • Bundling interfaces into an etherchannel:
  • SW1(config-if)#channel-group 1 mode on (options: auto, desirable, on)
Priority must be a multiple of 4096.
Portfast and BPDU guard are enabled only on interfaces connected to end user hosts
STP verification and troubleshooting
SW1#show spanning-tree: Shows detailed info about STP state
SW1#show spanning-tree interface fa0/2: Shows STP info only on a specific port
SW1#show spanning-tree vlan 1: Shows STP info only for a specific VLAN
SW1#show spanning-tree [vlan 1] root: Shows info about the root switch
SW1#show spanning-tree [vlan 1] bridge: Shows info about the local switch
SW1#show etherchannel 1: Shows the state of the etherchannels
SW1#debug spanning-tree events: Provides informational messages about the changes in the STP topology
Enabling or disabling CDP
  • Enabling CDP globally on a switch:
  • SW1(config)#cdp run
  • Disabling CDP on a given interface:
  • SW1(config-if)#no cdp enable
Using CDP for network verification and troubleshooting
SW1#show cdp: Shows global information about CDP itself
SW1#show cdp interface fa0/2: Shows information about CDP on a specific interface
SW1#show cdp neighbors: Shows information about the directly connected Cisco devices, including interface names and capabilities
SW1#show cdp neighbors detail: Shows detailed information about the neighboring Cisco devices, including device address and version of IOS they run
SW1#show cdp entry *: Same as show cdp neighbors detail
SW1#show cdp entry SW2: Shows detailed information about the specified entry only
Router Basic configuration
Router(config)#hostname R1
R1(config)#enable secret cisco
R1(config)#line con 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 30 0
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 30 0
R1(config-line)#exit
R1(config)#line aux 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 30 0
R1(config-line)#exit
R1(config)#banner motd $
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
UNAUTHORIZED ACCESS IS PROHIBITED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$
R1(config)#alias exec c configure terminal
R1(config)#alias exec s show ip interface brief
R1(config)#alias exec sr show running-config
R1(config)#no ip domain-lookup
R1(config)#service password-encryption
R1(config)#ip domain-name example.com
R1(config)#username admin password cisco
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
R1(config)#ip ssh version 2
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input telnet ssh
This section includes IOS commands that are absolutely identical on both routers and switches, except the part of line aux 0 which is configured only on router because switches do not have an auxiliary port.
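The switch and router baselines above share the same management-plane settings: enable password, username admin password cisco, and vty lines that accept telnet alongside SSH. The script below is an added example, not part of the original post: a Python audit that flags those settings and passes a hardened variant. Both configurations are constructed samples with the prompts stripped; the finding names and the <placeholder> secrets are assumptions, and access-class 99 in is the vty restriction from the standard ACL section of this page.

```python
import re

# Constructed sample: management-plane commands from the switch and router
# baselines on this page, with the CLI prompts stripped.
WEAK_CONFIG = """\
hostname R1
service password-encryption
enable secret cisco
enable password notcisco
username admin password cisco
ip domain-name example.com
ip ssh version 2
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login local
 transport input telnet ssh
"""

# Constructed counterpart. <placeholder> stands for a real, unique secret.
HARDENED_CONFIG = """\
hostname R1
enable secret <placeholder>
username admin secret <placeholder>
ip domain-name example.com
ip ssh version 2
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
 access-class 99 in
"""


def parse_sections(text):
    """Group an IOS-style config into (top-level line, [indented sub-lines])."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text):
    """Return (finding_id, detail) tuples for weak management-plane settings."""
    findings = []
    sections = parse_sections(text)
    for parent, _ in sections:
        tokens = parent.split()
        if tokens[:2] == ["enable", "password"]:
            findings.append(("enable-password",
                             "clear text, or reversible type 7 once service "
                             "password-encryption is on; keep only 'enable secret'"))
        if tokens[0] == "username" and "password" in tokens[2:] and "secret" not in tokens[2:]:
            findings.append(("username-password",
                             f"user {tokens[1]}: use 'username {tokens[1]} secret ...'"))
    if not any(re.match(r"ip ssh version 2\b", p) for p, _ in sections):
        findings.append(("ssh-version", "'ip ssh version 2' is not configured"))
    for parent, children in sections:
        if not parent.startswith("line vty"):
            continue
        for child in children:
            m = re.match(r"transport input (.+)", child)
            if m and {"telnet", "all"} & set(m.group(1).split()):
                findings.append(("vty-telnet",
                                 f"{parent}: telnet accepted, logins cross the network in clear text"))
        if not any(re.match(r"access-class \S+ in\b", c) for c in children):
            findings.append(("vty-no-access-class",
                             f"{parent}: no inbound access-class limiting management sources"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for finding_id, detail in audit(cfg) or [("ok", "no findings")]:
            print(f"  {finding_id}: {detail}")
```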
Configuring router interfaces
R1(config)#interface fastEthernet 0/0
R1(config-if)#description LINK_TO_LOCAL_LAN_THROUGH_SW1
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/1/0
R1(config-if)#description WAN_CONNECTION_TO_R2
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#clock rate 128000
R1(config-if)#no shutdown
Clock rate is set only on the DCE side, typically the ISP side. On your router which is DTE you don’t need to set clocking.
Configuring Router-On-Stick for vlan routing
R1(config)#interface fastEthernet 0/0
R1(config-if)#no shutdown
R1(config)#interface fastEthernet 0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 192.168.10.1 255.255.255.0
R1(config-subif)#interface fastEthernet 0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 192.168.20.1 255.255.255.0
Static routes
R1(config)#ip route 10.1.2.0 255.255.255.0 10.1.128.1 (using next hop)
R1(config)#ip route 10.1.2.0 255.255.255.0 Serial 0/0 (using exit interface)
*Note: Exit interface can be used in point-to-point serial links.
Default Route
R1(config)#ip route 0.0.0.0 0.0.0.0 199.1.1.1
RIPv2 Configuration
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 10.0.0.0 (written as an original class A)
R1(config-router)#no auto-summary
R1(config-router)#passive-interface serial 0/0
RIPv2 Verification
R1#show ip protocols: Shows information about the running routing protocol process
R1#show ip route: Shows the entire routing table
R1#show ip route rip: Shows routes learned via RIP only
R1#show ip route 10.1.1.1: Shows detailed information about the route to the specified destination network
OSPF Configuration
  • Enter OSPF router configuration mode:
  • R1(config)#router ospf 10 (process ID)
  • Configure one or more network commands to identify which interfaces will run OSPF:
  • R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
    R1(config-router)#network 172.16.8.0 0.0.7.255 area 0
    R1(config-router)#network 192.168.1.254 0.0.0.0 area 1
  • Configure router ID either by: (Optional)
  • Using router-id ospf subcommand:
    R1(config-router)#router-id 1.1.1.1
    Configuring an IP address on a loopback interface:
    R1(config)#interface loopback 0
    R1(config-if)#ip address 1.1.1.1 255.255.255.255
  • Change Hello and Dead intervals per interface: (Optional)
  • R1(config-if)#ip ospf hello-interval 2
    R1(config-if)#ip ospf dead-interval 6
  • Impact routing choices by tuning interface cost using one of the following ways: (Optional)
  • – Changing interface cost:
    R1(config-if)#ip ospf cost 55
    – Changing interface bandwidth:
    R1(config-if)#bandwidth 128 (Kbps)
    – Changing the reference bandwidth used by OSPF to calculate the cost:
    R1(config-router)#auto-cost reference-bandwidth 1000 (Mbps)
  • Disabling OSPF on a certain interface: (Optional)
  • R1(config-router)#passive-interface serial 0/0
  • Configuring OSPF authentication: (Optional)
  • Type 0 authentication (none):
    R1(config-if)#ip ospf authentication null
    Type 1 authentication (clear text):
    R1(config-if)#ip ospf authentication
    R1(config-if)#ip ospf authentication-key cisco
    Type 2 authentication (md5):
    R1(config-if)#ip ospf authentication message-digest
    R1(config-if)#ip ospf message-digest-key 1 md5 cisco
  • Configure maximum equal-cost paths: (Optional)
  • R1(config-router)#maximum-paths 6
OSPF verification
R1#show ip protocols: Shows information about the running routing protocol process
R1#show ip route: Shows the entire routing table
R1#show ip route ospf: Shows routes learned via OSPF only
R1#show ip ospf neighbor: Shows all neighboring routers along with their respective adjacency state
R1#show ip ospf database: Shows all the information contained in the LSDB
R1#show ip ospf interface serial 0/0: Shows detailed information about OSPF running on a specific interface
EIGRP Configuration
  • Enter EIGRP configuration mode and define AS number:
  • R1(config)#router eigrp 121 (AS number)
  • Configure one or more network commands to enable EIGRP on the specified interfaces:
  • R1(config-router)#network 10.0.0.0
    R1(config-router)#network 172.16.0.0 0.0.3.255
    R1(config-router)#network 192.168.1.1 0.0.0.0
    R1(config-router)#network 0.0.0.0 255.255.255.255
  • Disable auto summarization: (Optional)
  • R1(config-router)#no auto-summary
  • Disable EIGRP on a specific interface: (Optional)
  • R1(config-router)#passive-interface serial 0/0
  • Configure load balancing parameters: (Optional)
  • R1(config-router)#maximum-paths 6
    R1(config-router)#variance 4
  • Change interface Hello and Hold timers: (Optional)
  • R1(config-if)#ip hello-interval eigrp 121 3
    R1(config-if)#ip hold-time eigrp 121 10
  • Impacting metric calculations by tuning BW and delay of the interface: (Optional)
  • R1(config-if)#bandwidth 265 (kbps)
    R1(config-if)#delay 120 (tens of microseconds)
EIGRP Authentication
  • Create an authentication key chain as follows:
  • Create a key chain and give it a name:
    R1(config)#key chain MY_KEYS
    – Create one or more keys giving them numbers:
    R1(config-keychain)#key 1
    – Define the key value:
    R1(config-keychain-key)#key-string 1stKEY
    – Define the life time of the keys (optional):
    R1(config-keychain-key)#send-lifetime [start time] [end time]
    R1(config-keychain-key)#accept-lifetime [start time] [end time]
  • Enable md5 authentication mode for EIGRP on the interface:
  • R1(config-if)#ip authentication mode eigrp 121 md5
  • Refer to the correct key chain to be used on the interface:
  • R1(config-if)#ip authentication key-chain eigrp 121 MY_KEYS
The key-string value and the mode must be the same on both routers. The lifetime options of the keys require the routers' clocks to be set correctly (better to use NTP), or they can cause problems.
EIGRP Verification
R1#show ip route eigrp: Shows routes learned via EIGRP only
R1#show ip eigrp neighbors: Shows EIGRP neighbors and status
R1#show ip eigrp topology: Shows EIGRP topology table, including successor and feasible successor
R1#show ip eigrp interfaces: Shows interfaces that run EIGRP
R1#show ip eigrp traffic: Lists statistics on numbers of EIGRP messages sent and received by the router
Access Control Lists (ACLs)
Standard ACL
  • Plan the location (router and interface) and direction (in or out) on that interface:
  • – Standard ACL should be placed as close as possible to the destination of the packet.
    – Identify the source IP addresses of packets as they go in the direction that the ACL is examining.
  • Use a remark to describe the ACL: (Optional)
  • R1(config)#access-list 1 remark ACL TO DENY ACCESS FROM SALES VLAN
  • Create the ACL, keeping the following in mind:
  • – ACL uses first-match logic.
    – There is an implicit deny any at the end of the ACL.
    R1(config)#access-list 2 deny 192.168.1.77
    R1(config)#access-list 2 deny 192.168.1.64 0.0.0.31
    R1(config)#access-list 2 permit 10.1.0.0 0.0.255.255
    R1(config)#access-list 2 deny 10.0.0.0 0.255.255.255
    R1(config)#access-list 2 permit any
  • Enable the ACL on the chosen router interface in the correct direction (in or out):
  • R1(config-if)#ip access-group 2 out
Standard ACL number ranges: 1-99 and 1300 – 1999.
  • Using standard ACL to limit telnet and SSH access to a router:
  • Create the ACL that defines the permitted telnet clients:
    R1(config)#access-list 99 remark ALLOWED TELNET CLIENTS
    R1(config)#access-list 99 permit 192.168.1.128 0.0.0.15
    – Apply the ACL inbound on the vty lines:
    R1(config)#line vty 0 4
    R1(config-line)#access-class 99 in
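To see first-match logic, wildcard masks and the implicit deny at work, the following added example (not part of the original post) evaluates source addresses against access-list 2 exactly as configured above. It goes one step beyond the text by also reporting entries that can never match because an earlier, broader entry covers them; the function names are assumptions made for this illustration.

```python
import ipaddress

# access-list 2 as configured in the standard ACL section (prompts stripped).
ACL_2 = """\
access-list 2 deny 192.168.1.77
access-list 2 deny 192.168.1.64 0.0.0.31
access-list 2 permit 10.1.0.0 0.0.255.255
access-list 2 deny 10.0.0.0 0.255.255.255
access-list 2 permit any
"""

ALL_BITS = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(text):
    """Parse numbered standard ACL lines into (action, base, wildcard, line)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # blank lines and 'remark' lines carry no match logic
        src = tok[3:]
        if src[0] == "any":
            base, wild = 0, ALL_BITS
        elif src[0] == "host":
            base, wild = _to_int(src[1]), 0
        else:
            base = _to_int(src[0])
            wild = _to_int(src[1]) if len(src) > 1 else 0  # no wildcard: one host
        entries.append((tok[2], base, wild, line.strip()))
    return entries


def evaluate(entries, source_ip):
    """Apply first-match logic; fall through to the implicit deny."""
    ip = _to_int(source_ip)
    for action, base, wild, line in entries:
        care = ~wild & ALL_BITS  # wildcard bit 0 = must match, 1 = ignored
        if (ip & care) == (base & care):
            return action, line
    return "deny", "implicit deny any"


def shadowed(entries):
    """Find entries that can never match because an earlier one covers them."""
    hits = []
    for j, (_, base_j, wild_j, line_j) in enumerate(entries):
        for _, base_i, wild_i, line_i in entries[:j]:
            care_i = ~wild_i & ALL_BITS
            # Earlier entry i covers j when i ignores every bit j ignores
            # and both agree on all bits i still checks.
            if (wild_j & care_i) == 0 and (base_j & care_i) == (base_i & care_i):
                hits.append((line_j, line_i))
                break
    return hits


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_2)
    # Constructed test sources covering each entry and the fall-through case.
    for src in ("192.168.1.77", "192.168.1.95", "192.168.1.96",
                "10.1.200.9", "10.2.0.1", "172.16.1.1"):
        action, line = evaluate(acl, src)
        print(f"{src:15} {action:6} <- {line}")
    print("shadowed entries:", shadowed(acl))
```

Swapping the 10.1.0.0 permit and the 10.0.0.0 deny makes shadowed() report the permit as unreachable, which is the ordering mistake first-match logic punishes.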
Extended ACL
  • Note:
  • – Extended ACL should be placed as close as possible to the source of the packet.
    – Extended ACL matches packets based on source and destination IP addresses, protocol, source and destination port numbers, and other criteria as well.
    R1(config)#access-list 101 remark MY_ACCESS_LIST
    R1(config)#access-list 101 deny ip host 10.1.1.1 host 10.2.2.2
    R1(config)#access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 23
    R1(config)#access-list 101 deny icmp 10.1.1.1 0.0.0.0 any
    R1(config)#access-list 101 deny tcp host 10.1.1.0 host 10.0.0.1 eq 80
    R1(config)#access-list 101 deny udp host 10.1.1.7 eq 53 any
    R1(config)#access-list 101 permit ip any any
    R1(config)#interface fastEthernet 0/0
    R1(config-if)#ip access-group 101 in
Extended ACL number ranges: 100 – 199 and 2000 – 2699.
Named ACL
  • Note:
  • – Named ACLs use names to identify ACLs rather than numbers, and commands that permit or deny traffic are written in a sub mode called named ACL mode (nacl).
    – Named ACL enables the editing of the ACL (deleting or inserting statements) by sequencing statements of the ACL.
  • Named standard ACL:
  • R1(config)#ip access-list standard MY_STANDARD_ACL
    R1(config-std-nacl)#permit 10.1.1.0 0.0.0.255
    R1(config-std-nacl)#deny 10.2.2.2
    R1(config-std-nacl)#permit any
    R1(config)#interface fastEthernet 0/1
    R1(config-if)#ip access-group MY_STANDARD_ACL out
  • Named extended ACL:
  • R1(config)#ip access-list extended MY_EXTENDED_ACL
    R1(config-ext-nacl)#deny icmp 10.1.1.1 0.0.0.0 any
    R1(config-ext-nacl)#deny tcp host 10.1.1.0 host 10.0.0.1 eq 80
    R1(config-ext-nacl)#permit ip any any
    R1(config)#interface fastEthernet 0/1
    R1(config-if)#ip access-group MY_EXTENDED_ACL in
  • Editing ACL using sequence numbers:
  • R1(config)#ip access-list extended MY_EXTENDED_ACL
    R1(config-ext-nacl)#no 20 (deletes the statement of sequence number 20)
    R1(config)#ip access-list standard 99
    R1(config-std-nacl)#5 deny 1.1.1.1 (inserts a statement with sequence 5)
You can edit numbered ACLs using the configuration style of the named ACLs, as shown in the last example.
Verifying ACLs
R1#show access-lists: Shows all ACLs configured on a router with counters at the end of each statement
R1#show ip access-list: Same as the previous command
R1#show ip access-list 101: Shows only the specified ACL
R1#show ip interface f0/0: Includes a reference to the ACLs enabled on that interface, either in or out.
DHCP Server
  • Define a DHCP pool and give it a name:
  • R1(config)#ip dhcp pool MY_POOL
  • Define network and mask to use in this pool and the default gateway:
  • R1(dhcp-config)#network 192.168.1.0 255.255.255.0
    R1(dhcp-config)#default-router 192.168.1.1
  • Define one or more DNS server (OPTIONAL):
  • R1(dhcp-config)#dns-server 213.131.65.20 8.8.8.8
  • Configure the lease time (OPTIONAL):
  • R1(dhcp-config)#lease 2 (days)
  • Define one or more scopes of excluded (reserved) addresses (OPTIONAL):
  • R1(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.100
    R1(config)#ip dhcp excluded-address 192.168.1.200 192.168.1.254
DHCP Verification and Troubleshooting
R1#show ip dhcp pool POOL_1: Shows the status of the specified pool and the leased addresses from that pool
R1#show ip dhcp binding: Shows all the leased IP addresses from all configured DHCP pools
R1#show ip dhcp conflict: Shows any conflicts that occurred
PPP Configuration
R1(config)#interface serial 0/0
R1(config-if)#encapsulation ppp
PPP Authentication
CHAP
  • Configure the hostname:
  • R1(config)#hostname ALPHA
  • Configure the name of the other end router and the shared password:
  • ALPHA(config)#username BETA password XYZ
  • Enable CHAP authentication on the interface:
  • ALPHA(config)#interface serial 0/0
    ALPHA(config-if)#ppp authentication chap
The password used is a shared password, which means it must be the same on both routers.
PAP
  • Configure the hostname:
  • R1(config)#hostname ALPHA
  • Configure the name of the other end router and the shared password:
  • ALPHA(config)#username BETA password XYZ
  • Enable PAP authentication on the interface and define the username and password to be sent by PAP:
  • ALPHA(config)#interface serial 0/0
    ALPHA(config-if)#ppp authentication pap
    ALPHA(config-if)#ppp pap sent-username ALPHA password XYZ
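The two methods differ in what crosses the serial link. As an added example (not part of the original post), the sketch below models one CHAP round as defined in RFC 1994, where the response is an MD5 hash over the identifier, the shared password and the challenge, next to a PAP request that carries the password itself. The Router class and its method names are hypothetical; hostnames ALPHA and BETA and the password XYZ come from the configuration above.

```python
import hashlib
import hmac
import os


def chap_value(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: hash of Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Router:
    """One end of the link; 'users' mirrors 'username <peer> password <pw>'."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users  # {peer hostname: shared password as bytes}

    def send_challenge(self, identifier):
        # Authenticator side: a fresh random challenge plus its own hostname.
        return {"type": "CHAP Challenge", "id": identifier,
                "value": os.urandom(16), "name": self.hostname}

    def answer(self, challenge):
        # Peer side: pick the password by the challenger's hostname, then hash.
        secret = self.users[challenge["name"]]
        return {"type": "CHAP Response", "id": challenge["id"],
                "value": chap_value(challenge["id"], secret, challenge["value"]),
                "name": self.hostname}

    def check(self, challenge, response):
        # Authenticator side: recompute with the locally stored password.
        secret = self.users.get(response["name"])
        if secret is None:
            return False  # no 'username' entry for that hostname
        expected = chap_value(challenge["id"], secret, challenge["value"])
        return hmac.compare_digest(expected, response["value"])

    def pap_request(self, sent_username, password):
        # 'ppp pap sent-username ... password ...': both fields go out as-is.
        return {"type": "PAP Authenticate-Request",
                "peer_id": sent_username, "password": password}


def chap_exchange(authenticator, peer):
    """Run one CHAP round; return (success, messages seen on the link)."""
    challenge = authenticator.send_challenge(identifier=1)
    if challenge["name"] not in peer.users:
        return False, [challenge]  # peer has no password for this hostname
    response = peer.answer(challenge)
    return authenticator.check(challenge, response), [challenge, response]


def appears_on_link(messages, secret):
    """True if the shared password is readable in any field of any message."""
    for msg in messages:
        for value in msg.values():
            data = value if isinstance(value, bytes) else str(value).encode()
            if secret in data:
                return True
    return False


if __name__ == "__main__":
    alpha = Router("ALPHA", {"BETA": b"XYZ"})
    beta = Router("BETA", {"ALPHA": b"XYZ"})
    ok, link = chap_exchange(alpha, beta)
    print("CHAP success:", ok, "| password on link:", appears_on_link(link, b"XYZ"))
    pap = alpha.pap_request("ALPHA", b"XYZ")
    print("PAP password on link:", appears_on_link([pap], b"XYZ"))
```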
PPP Verification and troubleshoot
R1#show interface s0/0: Shows the encapsulation type and the control protocols of PPP
R1#show run: Useful for viewing the configuration of usernames and passwords used to authenticate PPP
R1#debug ppp authentication: Displays the authentication process of PPP in real time
Frame Relay
Multipoint (one subnet)
  • Give the interface an ip address and enable Frame Relay encapsulation:
  • R1(config)#interface serial 0/0
    R1(config-if)#ip address 1.1.1.1 255.255.255.0
    R1(config-if)#encapsulation frame-relay (ietf)
  • Configure LMI signaling type: (Optional as discussed with ISP)
  • R1(config-if)#frame-relay lmi-type ansi
    (options: ansi, cisco, q933a)
  • Configure Frame Relay mapping:
  • R1(config-if)#frame-relay map ip 1.1.1.2 102 broadcast (ietf)
    R1(config-if)#frame-relay map ip 1.1.1.3 103 broadcast
R2(config)#interface serial 0/0
R2(config-if)#ip address 1.1.1.2 255.255.255.0
R2(config-if)#encapsulation frame-relay
R2(config-if)#frame-relay map ip 1.1.1.1 201 broadcast
R2(config-if)#frame-relay map ip 1.1.1.3 201 broadcast
R3(config)#interface serial 0/0
R3(config-if)#ip address 1.1.1.3 255.255.255.0
R3(config-if)#encapsulation frame-relay
R3(config-if)#frame-relay map ip 1.1.1.1 301 broadcast
R3(config-if)#frame-relay map ip 1.1.1.2 301 broadcast
Point-to-point (different subnets; one subnet per subinterface)
  • Enable Frame Relay encapsulation:
  • R1(config)#interface serial 0/0
    R1(config-if)#encapsulation frame-relay
  • Give an IP address to a subinterface and configure its DLCI:
  • R1(config)#interface serial 0/0.102 point-to-point
    R1(config-subif)#ip address 1.1.1.1 255.255.255.0
    R1(config-subif)#frame-relay interface-dlci 102
    R1(config)#interface serial 0/0.103 point-to-point
    R1(config-subif)#ip address 2.2.2.1 255.255.255.0
    R1(config-subif)#frame-relay interface-dlci 103
R2(config)#interface serial 0/0
R2(config-if)#encapsulation frame-relay
R2(config)#interface serial 0/0.201 point-to-point
R2(config-subif)#ip address 1.1.1.2 255.255.255.0
R2(config-subif)#frame-relay interface-dlci 201
R3(config)#interface serial 0/0
R3(config-if)#encapsulation frame-relay
R3(config)#interface serial 0/0.301 point-to-point
R3(config-subif)#ip address 2.2.2.2 255.255.255.0 
R3(config-subif)#frame-relay interface-dlci 301
Frame Relay Verification and troubleshoot
R1#show interfaces serial 0/0: Shows the encapsulation type
R1#show frame-relay pvc: Lists PVC status information
R1#show frame-relay map: Lists DLCI to IP mapping
R1#show frame-relay lmi: Lists LMI status information
R1#debug frame-relay lmi: Displays the content of LMI messages
R1#debug frame-relay events: Lists messages about certain Frame Relay events, including Inverse ARP messages
Network Address Translation (NAT)
Static NAT
  • Define the outside and inside interfaces:
  • R1(config)#interface serial 0/0
    R1(config-if)#ip nat outside
    R1(config)#interface FastEthernet 1/1
    R1(config-if)#ip nat inside
  • Configure static NAT statement:
  • R1(config)#ip nat inside source static 192.168.1.10 200.1.1.1
Dynamic NAT
  • Define the outside and inside interfaces:
  • Create an ACL that determines the IP addresses that are allowed to be translated:
  • R1(config)#access-list 3 permit 192.168.1.0 0.0.0.255
  • Create a pool of public IP addresses:
  • R1(config)#ip nat pool PUB 200.1.1.1 200.1.1.6 netmask 255.255.255.248
  • Configure NAT statement:
  • R1(config)#ip nat inside source list 3 pool PUB
NAT Overload (PAT)
  • The same as dynamic NAT with the use of the overload keyword at the end of NAT statement:
  • R1(config)#ip nat inside source list 3 pool PUB overload
NAT verification and troubleshoot
R1#show run: Useful in viewing the configuration of NAT pool and the inside and outside interfaces
R1#show access-lists: Displays access lists, including the one used for NAT
R1#show ip nat statistics: Shows counters for packets and NAT table entries, as well as basic configuration information
R1#show ip nat translations: Displays the NAT table
R1#clear ip nat translations *: Clears all the dynamic entries in the NAT table
R1#debug ip nat: Issues a log message describing each packet whose IP address is translated with NAT
