
Router Commands

Router# terminal history size 256   --size of the command-history buffer for this session

show history   --lists the buffered commands

show processes cpu   --CPU utilisation per process

line con 0
 logging synchronous   --stops log messages from breaking up the line you are typing (IOS re-prints the prompt and the partial command)

no ip domain-lookup   --stops IOS treating a mistyped command as a hostname and stalling on a DNS lookup

ip subnet-zero   --allows subnet zero (the all-zeros subnet) to be used; on by default since IOS 12.0

Switch#show running-config interface fastethernet 5/6

RouterP(config)#service password-encryption   --obscures the plain-text passwords in the running/startup config (type 7). Type 7 is reversible obfuscation, not encryption: it only stops someone reading a password off the screen during show run. Use enable secret and username <name> secret <password> for anything that matters.
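The point worth proving to yourself: a type 7 string can be turned back into the password by anyone holding the config. The Python below is an added example and is not part of the original notes; it implements the published type 7 algorithm (the translation key is the widely known one), and scans a config dump for every keyword that IOS follows with "7 <hex>". The config in SAMPLE_CONFIG is constructed for the example.

```python
import re

# Cisco IOS "type 7" obfuscation, the scheme behind `service password-encryption`.
# Added example, not from the original notes. The translation key is the widely
# published one; the first two digits of a type 7 string are the starting offset.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int = 6) -> str:
    """Produce the string IOS stores for `plaintext` (IOS picks seed 0..15 at random)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    parts = [f"{seed:02d}"]
    for i, byte in enumerate(plaintext.encode()):
        parts.append(f"{byte ^ _XLAT[(seed + i) % len(_XLAT)]:02X}")
    return "".join(parts)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext: XOR each byte with the key stream starting at `seed`."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body)).decode()


# Every IOS keyword that is followed by "7 <hex>" once service password-encryption is on.
_TYPE7_LINE = re.compile(r"\b(?:password|key-string|authentication-key|md5) 7 ([0-9A-Fa-f]+)\b")


def reveal_type7(config_text: str) -> list[tuple[str, str]]:
    """Return (config line, recovered plaintext) for each type 7 secret in a config dump.

    Type 5/8/9 `secret` hashes are one-way and are deliberately not matched."""
    found = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample of what `show running-config` prints after service password-encryption.
SAMPLE_CONFIG = """\
username cisco password 7 060506324F41
line vty 0 4
 password 7 0822455D0A16
 login local
key chain EIGRP-KEYS
 key 1
  key-string 7 060506324F41
interface FastEthernet0/0
 ip ospf message-digest-key 100 md5 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, plain in reveal_type7(SAMPLE_CONFIG):
        print(f"{line!r:60} -> {plain!r}")
```

Note that the OSPF, EIGRP and line passwords in a config share this weakness: a backup of the config, a TFTP copy or a screen capture gives away every routing-protocol key and vty password at once, which is why the notes later repeat that service password-encryption only changes how the key is displayed.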

The running config can be searched with output filters, e.g.

 sh run | begin line vty
 sh run | include password

alias exec <alias> <command>   --defines a shorthand for an EXEC command, e.g. alias exec sr show running-config

Create VLANs with:

DLS2(config)#vlan 10
DLS2(config-vlan)#no shut
%VLAN 10 is not shutdown.
DLS2(config-vlan)#vlan 20
DLS2(config-vlan)#no shut
%VLAN 20 is not shutdown.
DLS2(config-vlan)#vlan 30
DLS2(config-vlan)#no shut
%VLAN 30 is not shutdown.
DLS2(config-vlan)#^Z

(A VLAN is created active, so no shut only reports that it is already up.)

To route between them, enable ip routing and give each VLAN an SVI with an address under the interface:
ip routing
interface vlan 10
 ip address …
SSH setup on a switch/router

Switch(config)# username cisco password cisco
Switch(config)# ip domain-name cisco
Switch(config)# crypto key generate rsa
Switch(config)# line vty 0 15
Switch(config-line)# login local
Switch(config-line)# transport input ssh

ssh -l cisco 172.16.254.241   --connect to a remote host with ssh from IOS

Notes: ip domain-name must be set before crypto key generate rsa (the key pair is named after hostname and domain); accept a modulus of at least 2048 when prompted (or crypto key generate rsa modulus 2048); add ip ssh version 2 so SSHv1 is refused; and prefer username cisco secret <password> over password, which is stored as reversible type 7.


To control which protocols the vty lines accept, use transport input <protocol> (ssh alone is the safe choice; telnet sends the password in the clear).

To restrict who may reach the vty at all: the standard access list for a single host is
 access-list <number> permit host <host-ip>
then apply it as the access-class of the vty lines (0 - 4) for inbound connections:
 line vty 0 4
 access-class <number> in
The implicit deny at the end of the list drops every other source.

Setting up local accounts on the router and the privilege level they authenticate at. Only use login local once a username is configured, otherwise you lock yourself out of the line.
http://www.petri.co.il/csc_how_to_configure_local_username_database_cisco_ios.htm

conf t
key chain ^_^          --key chain named ^_^, referenced by the EIGRP authentication lines below
 key 1
  key-string cisco

conf t
banner motd ~

__ _
/\ \ \__ _| |_ ___ _ __
/ \/ / _` | __/ _ \ '__|
/ /\ / (_| | || __/ |
\_\ \/ \__,_|\__\___|_|

.ed"""" """$$$$be.
-" ^""**$$$e.
." Authorized Access'$$$c
/ ONLY "4$$b
d 3 $$$$
$ * .$$$$$$
.$ ^c $$$$$e$$$$$$$$.
d$L 4. 4$$$$$$$$$$$$$$b
$$$$b ^ceeeee. 4$$ECL.F*$$$$$$$
e$""=. $$$$P d$$$$F $ $$$$$$$$$- $$$$$$
z$$b. ^c 3$$$F "$$$$b $"$$$$$$$ $$$$*" .=""$c
4$$$$L \ $$P" "$$b .$ $$$$$...e$$ .= e$$$.
^*$$$$$c %.. *c .. $$ 3$$$$$$$$$$eF zP d$$$$$
"**$$$ec "\ %ce"" $$$ $$$$$$$$$$* .r" =$$$$P""
"*$b. "c *$e. *** d$$$$$"L$$ .d" e$$***"
^*$$c ^$c $$$ 4J$$$$$% $$$ .e*".eeP"
"$$$$$$"'$=e....$*$$**$cz$$" "..d$*"
"*$$$ *=%4.$ L L$ P3$$$F $$$P"
"$ "%*ebJLzb$e$$$$$b $P"
%.. 4$$$$$$$$$$ "
$$$e z$$$$$$$$$$%
"*$c "$$$$$$$P"
."""*$$$$$$$$bc
.-" .$***$$$"""*e.
.-" .e$" "*$c ^*b.
.=*"""" .e$*" "*bc "*$e..
.$" .z*" ^*$e. "*****e.
$$ee$c .d" "*$. 3.
^*$E")$..$" * .ee==d%
$.d$$$* * J$$$e*
""""" "$$$"
~
exit
conf t
no ip domain-lookup
ip domain-name cisco.com
crypto key generate rsa

ip ssh time-out 15
ip ssh authentication-retries 3
username cisco privilege 15 password cisco
service password-encryption
enable secret class
line con 0
 login local
 password class
 login
 logging synchronous

line vty 0 4
 transport input ssh
 password cisco
 login local

int s0/0
 ip authentication key-chain eigrp 1 ^_^
 ip authentication mode eigrp 1 md5

Two things to watch in the block above: on line con 0 the later login replaces login local, so the console ends up checking the line password class rather than the username database (keep one or the other); and a privilege 15 account protected only by a type 7 password is full control of the box for anyone who reads the config, so use username cisco privilege 15 secret <password>.

R1# conf t
R1(config)# interface serial 0/0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
Then turn authentication on for the interface with ip authentication mode eigrp <as-number> md5:

R1(config-if)# ip authentication mode eigrp 1 md5

Apply both commands on every active EIGRP interface. The key chain EIGRP-KEYS must already exist (key chain / key / key-string), and the key ID and key-string must match on both ends of each link or the adjacency drops.

R1# conf t
R1(config)# interface serial 0/0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# interface serial 0/0/1
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)# ip authentication mode eigrp 1 md5
Run this tcl script from each router to ping every address in the topology in one go. tclsh is entered from privileged EXEC, ping $address runs the IOS ping for each entry, and tclquit returns to the normal prompt.

tclsh

foreach address {
192.168.1.1
192.168.1.129
192.168.1.130
192.168.1.161
192.168.1.162
192.168.1.133
192.168.1.134
10.1.1.3
10.1.1.4
10.4.4.4
192.168.1.5
192.168.100.1
192.168.1.101
192.168.1.105
192.168.1.109
192.168.1.113
} {
ping $address
}

show controllers - indicates the state of the interface channels and whether a cable is attached to the interface
• debug serial interface - Verifies whether HDLC keepalive packets are incrementing. If they are not, a possible timing problem exists on the interface card or in the network.
• debug arp - Indicates whether the router is sending information about or learning about routers (with ARP packets) on the other side of the WAN cloud. Use this command when some nodes on a TCP/IP network are responding, but others are not.
• debug frame-relay lmi - Obtains Local Management Interface (LMI) information, which is useful for determining whether a Frame Relay switch and a router are sending and receiving LMI packets.
• debug frame-relay events - Determines whether exchanges are occurring between a router and a Frame Relay switch.
• debug ppp negotiation - Shows Point-to-Point Protocol (PPP) packets transmitted during PPP startup, where PPP options are negotiated.
• debug ppp packet - Shows PPP packets being sent and received. This command displays low-level packet dumps.
• debug ppp error - Shows PPP errors, such as illegal or malformed frames, associated with PPP connection negotiation and operation.
• debug ppp authentication - Shows PPP Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) packet exchanges.
(Packet-level debugs such as debug ppp packet can swamp the console and CPU on a busy link; send them to the buffered log and switch them off with undebug all.)

router# show ip route                          -> routing table
router# show ip route static                   -> static routes only (ospf, eigrp, rip or connected in the same position filter by source)
router# show ip int brief
router# show int <interface name>
router(config)#ip route 0.0.0.0 0.0.0.0 <interface or next-hop address>   -> default route

router (config)# logging on


router (config)# logging console

SSH Configuration refer to CCSP Module 2

Step 7 Setting Privilege Levels

By default, Cisco IOS has two modes of password security: user EXEC mode (level 1) and privileged EXEC mode (enable, level 15). Sixteen privilege levels (0 to 15) can be defined, and by giving each level its own password, different sets of users can be allowed access to specific commands.
The command to assign a command to a privilege level is privilege exec level <level> <command>. In this task, assign an enable secret password for privilege level 10 for system operators, and make specific debug commands available to anyone with that privilege level enabled.
a. Begin by entering global configuration mode, RouterP(config)#, and complete the following steps:
i. Assign privilege level passwords.
ii. It is recommended to assign a password to each privilege level that is defined. To set a privilege level password use the enable secret level <level> <password> command.
iii. Define an enable secret of pswd10 for level 10 by entering the following command:
RouterP(config)#enable secret level 10 pswd10
What are the available arguments for the enable secret level 10 command?

Displaying the current privilege level

d. To verify the current privilege level, enter the show privilege command. What privilege level is shown?

e. Log in to privilege level 10

i. To enter a specific privilege level, use the enable <level> command. Exit out of the router and then reconnect. Enter the following commands to enter privilege level 10:
RouterP>enable 10
Password: pswd10
RouterP#
How can the current privilege level be displayed? What is the current privilege level?

Using the debug ? command, what debug options are available at level 10?
ii. Exit out of privilege level 10 and return to level 15.
Next, assign specific commands to be used in privilege level 10. To configure a new privilege level for users and associate commands to that privilege level, use the privilege command. The syntax is privilege <mode> {level <level> | reset} <command-string>. Enter the following commands to assign specific commands to privilege level 10:
RouterP(config)# privilege exec level 10 debug ppp auth
RouterP(config)# privilege exec level 10 debug ppp error
RouterP(config)# privilege exec level 10 debug ppp negotiation
These commands make the listed debug commands available to anyone logging in at privilege level 10 or higher. Assigning a command to a level also exposes its parent keywords (here debug and debug ppp) at that level, and delegating commands such as configure terminal or show running-config to a lower level effectively hands it level 15, so keep the delegated set narrow.
f. Verify privilege level commands
i. Exit the router and return to privilege level 10. After the current privilege level of 10 is confirmed, verify the previously configured privilege level 10 commands by entering:
RouterP#debug ?
RouterP#debug ppp ?
What are the available parameters for the debug ? command?
---------------------------------------------------------
OSPF

ip ospf cost -- set on an interface to fix the link cost used in the SPF calculation

show ip ospf database -- shows the link-state database, including the age and sequence number kept for each LSA
debug ip ospf packet -- used in troubleshooting to verify that OSPF packets are flowing properly between two routers

The router-id command is the preferred way to set the router ID and always takes precedence over the other two methods. If it is not set, the highest loopback IP address is used, then the highest IP address on an active physical interface.
After the router-id command is configured, use the clear ip ospf process command. This restarts the OSPF routing process so that it reselects the new router ID.
In DR/BDR elections the highest priority wins and the highest router ID breaks ties.
show ip ospf -- verifies the OSPF router ID; also displays OSPF timer settings and other statistics, including the number of times the SPF algorithm has been run

• show ip protocols -- Displays IP routing protocol parameters about timers, filters, metrics, networks, and other information for the entire router.
• show ip route ospf -- Displays the OSPF routes known to the router. This command is one of the most useful in determining connectivity between the local router and the rest of the internetwork. Optional parameters allow you to further specify the information to be displayed, including the OSPF process ID.
• show ip ospf interface -- Verifies that interfaces are configured in the intended areas. In addition, this command displays the timer intervals (including the hello interval) and shows the neighbor adjacencies.
• show ip ospf -- Displays the OSPF router ID, OSPF timers, the number of times the SPF algorithm has been executed, and LSA information.
• show ip ospf neighbor -- Displays a list of neighbors, including their OSPF router ID, their OSPF priority, their neighbor adjacency state (for example, init, exstart, or full), and the dead timer.

• Use the show ip route ospf command to verify the OSPF routes in the IP routing table. In Figure , the O code represents OSPF routes, and IA is "interarea". The 10.2.1.0 subnet is reached on FastEthernet 0/0 via neighbor 10.64.0.2.
• The entry [110/782] represents the administrative distance assigned to OSPF (110) and the total cost of the route to subnet 10.2.1.0 (782).
• The show ip ospf interface [type number] [brief] command displays OSPF-related interface information.
• The command output in Figure is from router A in the previous configuration example and details the OSPF status of the FastEthernet 0/0 interface. This command verifies that OSPF is running on this particular interface and lists the OSPF area that it is in.
• This command also displays other OSPF information, such as the process ID, router ID, network type, DR and BDR, timers, and neighbor adjacency.
show ip ospf neighbor -- OSPF does not send or receive updates without full adjacencies established between neighbors.
show ip ospf neighbor [type number] [neighbor-id] [detail]
show ip ospf database nssa-external -- displays the details of each type 7 LSA in the database
To clear all routes from the IP routing table, use the following command:
Router#clear ip route *
To clear a specific route from the IP routing table, use the following command:
Router#clear ip route A.B.C.D
To debug OSPF operations, use the debug ip ospf command with an option listed in Figure . Useful options when troubleshooting include:
Router#debug ip ospf events
Router#debug ip packet
(debug ip packet reports every process-switched packet; on a production router restrict it with an access list, debug ip packet <acl>, or it will bury the console.)
To configure an area as a stub, use the following steps (the area must not be area 0, the backbone):
Step 1 Configure OSPF.
Step 2 Define the area as a stub by issuing the area <area-id> stub command on all routers within the area. Figure lists the parameters of this command.
To configure an area as totally stubby, use the following steps:
Step 1 Configure OSPF.
Step 2 Define the area as a stub area by issuing the area <area-id> stub command on all routers within the area.
Step 3 At the ABR only, add the no-summary keyword: area <area-id> stub no-summary.
Example on 3.7.6
Example 3.7.8
To configure an area as an NSSA, use the following steps:
Step 1 Configure OSPF.
Step 2 Define the area as an NSSA by issuing the area <area-id> nssa command on all routers within the area. All routers in the NSSA must have this command configured; routers cannot form an adjacency unless both are configured as NSSA, because the area type is carried in the hello options and must agree. Figure lists the parameters of this command.
To cause router 2 (the NSSA ABR) to generate an O *N2 default route (O *N2 0.0.0.0/0) into the NSSA, use the default-information-originate option of the area <area-id> nssa command on router 2.

In a multiaccess broadcast environment, each network segment has its own DR and BDR. A router connected to multiple multiaccess broadcast networks can be a DR on one segment and a regular router on another segment. Use the ip ospf priority interface command to designate which router interfaces on a multiaccess link become the DR and the BDR. The default priority is 1, and the range is from 0 to 255. The interface with the highest priority becomes the DR, and the interface with the second-highest priority becomes the BDR. Interfaces set to priority 0 cannot take part in the DR or BDR election.
Here is a configuration example:
interface FastEthernet 0/0
 ip ospf priority 10

--add encapsulation frame-relay on the interface if that link type is needed

On NBMA networks OSPF cannot multicast hellos, so use the neighbor <ip-address> command under router ospf to statically define each neighbor.
To configure basic single-area and multiarea OSPF, complete the following steps:
Step 1 Enable OSPF on the router using the router ospf <process-id> command, as shown in Figure .

Note
Unlike the autonomous system number used by EIGRP, the OSPF process ID is not an autonomous system number. The process-id can be any positive integer and has significance only to the local router.

Step 2 Identify which interfaces on the router are part of the OSPF process using the network <address> <wildcard-mask> area <area-id> command, as shown in Figure . This command also identifies the OSPF area to which the network belongs. Figure describes the parameters of this command. The mask is a wildcard mask (0 bits must match, 1 bits are ignored), not a subnet mask.

OSPF can be enabled directly on the interface using the ip ospf <process-id> area <area-id> command, which simplifies the configuration of unnumbered interfaces. Since the command is configured explicitly on the interface, it takes precedence over the network area command.

Router A uses a general network 10.0.0.0 0.255.255.255 statement. This technique assigns every interface with an address in the 10.0.0.0 network to OSPF process 1, including any you did not intend to run OSPF on; use passive-interface under router ospf for interfaces that must not send hellos or accept neighbors.
Router B uses a specific host address technique. The wildcard mask of 0.0.0.0 requires a match on all four octets of the address. This technique allows the operator to define exactly which interfaces will run OSPF: network 10.1.1.1 0.0.0.0 area 0
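To see the difference between the two techniques on a concrete interface table, here is an added Python example (not from the original notes) that evaluates network statements the way the wildcard is defined: a 0 bit in the wildcard must match, a 1 bit is ignored. The interface table INTERFACES is constructed for the example; the third interface stands for a segment that should never run OSPF.

```python
import ipaddress

# Added example (not from the original notes): how an IOS `network <address> <wildcard>`
# statement selects interfaces. A wildcard bit of 1 means "don't care", so an interface
# matches when its address agrees with the statement on every 0 bit of the wildcard.


def wildcard_from_mask(mask: str) -> str:
    """255.255.224.0 -> 0.0.31.255 (the inverse mask used by network statements and ACLs)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def matches(statement_addr: str, wildcard: str, interface_ip: str) -> bool:
    """True if `interface_ip` is covered by `network statement_addr wildcard`."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(statement_addr)) & care) == (
        int(ipaddress.IPv4Address(interface_ip)) & care
    )


def enabled_interfaces(statements, interfaces):
    """Map each (address, wildcard, area) statement to the interfaces it switches OSPF on.

    Every matching interface sends hellos and will form adjacencies, so a broad
    wildcard can silently enable OSPF on interfaces that should stay passive."""
    result = {}
    for addr, wc, area in statements:
        result[(addr, wc, area)] = [
            name for name, ip in interfaces.items() if matches(addr, wc, ip)
        ]
    return result


# Constructed interface table for a router with one link that should not run OSPF.
INTERFACES = {
    "FastEthernet0/0": "10.1.1.1",    # LAN
    "Serial0/0": "10.64.0.1",         # WAN link to neighbor 10.64.0.2
    "FastEthernet0/1": "10.200.5.1",  # untrusted segment: OSPF should not run here
}

if __name__ == "__main__":
    general = [("10.0.0.0", "0.255.255.255", 0)]                          # router A style
    specific = [("10.1.1.1", "0.0.0.0", 0), ("10.64.0.1", "0.0.0.0", 0)]   # router B style
    print(enabled_interfaces(general, INTERFACES))
    print(enabled_interfaces(specific, INTERFACES))
```

The general statement enables all three interfaces, the untrusted one included; the host-specific statements enable exactly the two intended. Where a broad statement is unavoidable, passive-interface on the unwanted interface keeps hellos off it.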
Figure shows an example of a multiarea OSPF configuration. Router A is in area 0, router C is in area
1, and router B is the ABR between the two areas.
The configuration for router A is the same as in the previous example.
Router B has a network statement for area 0. The configuration for area 1 in this example uses the ip
ospf 50 area 1 command. Alternatively, a separate network router configuration command could
have been used.

Virtual links
Use the area <area-id> virtual-link <router-id> router configuration command, along with any necessary optional parameters, to define an OSPF virtual link. To remove a virtual link, use the no form of this command.
The area virtual-link command takes the router ID of the far-end router. To find the router ID of the far-end router, use the show ip ospf, show ip ospf interface, or show ip protocols commands on that remote router, as illustrated in Figure .
Use the show ip ospf virtual-links command to verify that the configured virtual link works properly.

Also useful: show ip ospf neighbor, show ip ospf database, and debug ip ospf adj

Interarea Route Summarization on an ABR


To configure manual interarea route summarization on an ABR, use the following steps:
Step 1 Configure OSPF.
Step 2 Use the area range command to instruct the ABR to summarize routes for a
specific area before injecting them into a different area via the backbone as
type 3 summary LSAs. Figure describes the command parameters.
Cisco IOS software creates a summary route to interface null0 when manual summarization is configured
to prevent routing loops.

• area 0 range 172.16.96.0 255.255.224.0: Identifies area 0 as the area containing the range of
networks to be summarized into area 1. ABR router R1 summarizes the range of subnets from
172.16.96.0 to 172.16.127.0 into one range: 172.16.96.0 255.255.224.0.
• area 1 range 172.16.32.0 255.255.224.0: Identifies area 1 as the area containing the range of
networks to be summarized into area 0. ABR router R1 summarizes the range of subnets from
172.16.32.0 to 172.16.63.0 into one range: 172.16.32.0 255.255.224.0.
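The two area range lines above are worth checking mechanically before they go on a box, and the Null0 remark deserves a demonstration. The Python below is an added example, not from the original notes; it derives the summary that covers a constructed list of area 0 subnets, checks it against the configured range, and walks a lookup through the ABR's table with and without the discard route.

```python
import ipaddress

# Added example, not from the original notes: what `area <id> range <address> <mask>`
# on an ABR does, and why IOS pairs it with a discard route to Null0. The subnet list
# is constructed to match the page's description of area 0 (172.16.96.0 to 172.16.127.0).

AREA0_SUBNETS = ["172.16.96.0/24", "172.16.100.0/24", "172.16.127.0/24"]


def summary_for(subnets):
    """Smallest single prefix that covers every subnet (widen until all fit)."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def range_covers(range_addr, range_mask, subnets):
    """Does the configured `area range` really contain every subnet it is meant to summarize?"""
    configured = ipaddress.IPv4Network(f"{range_addr}/{range_mask}")
    return all(ipaddress.IPv4Network(s).subnet_of(configured) for s in subnets)


def lookup(dest, specific_subnets, summary, has_default=True):
    """Longest-match lookup as seen on the ABR: specific routes first, then the
    Null0 summary, then the default. Without the Null0 entry a packet for an
    unused address inside the summary would follow the default route, and the
    router that received the summary could send it straight back: a loop."""
    addr = ipaddress.IPv4Address(dest)
    for net in sorted((ipaddress.IPv4Network(s) for s in specific_subnets),
                      key=lambda n: n.prefixlen, reverse=True):
        if addr in net:
            return f"via {net}"
    if addr in summary:
        return "Null0 (discard)"
    return "default" if has_default else "unreachable"


if __name__ == "__main__":
    summary = summary_for(AREA0_SUBNETS)
    print("summary:", summary, "matches configured range:",
          range_covers("172.16.96.0", "255.255.224.0", AREA0_SUBNETS))
    for dest in ("172.16.100.7", "172.16.110.1", "192.0.2.1"):
        print(dest, "->", lookup(dest, AREA0_SUBNETS, summary))
```

172.16.110.1 is inside the advertised /19 but in no real subnet; the Null0 entry makes the ABR drop it locally instead of handing it to the default route.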
For OSPF to generate a default route, you must use the default-information originate
command.
To configure OSPF simple password authentication, use the following steps:
Step 1 Assign a password to be used with neighboring routers using the ip ospf
authentication-key command, as shown in Figure .

Note
In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a
password longer than eight characters, and only the first eight characters will be used. Some earlier Cisco
IOS releases did not provide this warning.
The password created by this command is placed in clear text in the OSPF header of every packet the router originates, so anyone who can capture traffic on the segment can read it; simple password authentication prevents accidental or misconfigured neighbors, not a deliberate attacker. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.
Note
If the service password-encryption command is not used when configuring OSPF authentication,
the key is stored as plain text in the router configuration. If you configure the service password-
encryption command, the key is stored and displayed in an encrypted form. When it is displayed, an
encryption type of 7 is specified before the encrypted key.

Step 2 Specify the authentication type using the ip ospf authentication


command, as shown in Figure .
For simple password authentication, use the ip ospf authentication command with no parameters.
Before using this command, configure a password for the interface using the ip ospf
authentication-key command.
To configure OSPF MD5 authentication, a key and key ID must be configured on each router.
To configure MD5 authentication, use the following steps:
Step 1 Assign a key ID and key to be used with neighboring routers that are using the
OSPF MD5 authentication, using the ip ospf message-digest-key
command, as shown in Figure .

Note
In Cisco IOS Software Release 12.4, the router gives a warning message if you try to configure a
password longer than 16 characters, and only the first 16 characters are used. Some earlier Cisco IOS
releases did not provide this warning.
The key and the key ID specified in the ip ospf message-digest-key command are used to
generate a message digest (also called a hash) of each OSPF packet. The message digest is appended
to the packet. A separate password can be assigned to each network on a per-interface basis.
Usually, one key per interface is used to generate authentication information when sending packets and
to authenticate incoming packets. All neighboring routers on the same network must have the same
password to be able to exchange OSPF information. Therefore, the same key ID on the neighbor router
must have the same key value.
The key ID allows for uninterrupted transitions between keys, which is helpful for administrators who wish
to change the OSPF password without disrupting communication. If an interface is configured with a new
key, the router sends multiple copies of the same packet, each authenticated by different keys. The router
stops sending duplicate packets when it detects that all of its neighbors have adopted the new key.
For example, if this is the current configuration:
interface FastEthernet 0/0
 ip ospf message-digest-key 100 md5 OLD
You change the configuration to the following:
interface FastEthernet 0/0
 ip ospf message-digest-key 101 md5 NEW
The system assumes that its neighbors do not have the new key yet, so it begins a rollover process. It sends multiple copies of the same packet, each authenticated by a different key. In this example, the system sends out two copies of the same packet, the first authenticated by key 100 and the second by key 101.
Rollover allows neighboring routers to continue communicating while the network administrator is updating them with the new key. Rollover stops when the local system finds that all its neighbors know the new key. The system detects that a neighbor has the new key when it receives packets from the neighbor authenticated by the new key.
After all neighbors have been updated with the new key, the old key should be removed. In this example, you would enter the following:
interface FastEthernet 0/0
 no ip ospf message-digest-key 100
Then only key 101 is used for authentication on interface FastEthernet 0/0.
It is recommended that you do not keep more than one key per interface. Every time you add a new key,
you should remove the old key to prevent the local system from continuing to communicate with a hostile
system that knows the old key.
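The rollover described above, as an added Python model that is not part of the original notes. It follows RFC 2328 Appendix D for the mechanism: the authentication field carries the key ID, the auth data length (16) and a sequence number in clear, and the 16-byte digest appended to the packet is MD5 over the packet followed by the key padded to 16 bytes. The real OSPF header is not reproduced (the packet body is an opaque payload here), and the key strings, sequence numbers and neighbor tables are constructed for the example.

```python
import hashlib
import hmac
import struct

# Added example, not from the original notes: a model of OSPF cryptographic
# authentication (RFC 2328 Appendix D). Real packets carry a full OSPF header;
# here `payload` is opaque and only the 8-byte authentication field
# (reserved, key ID, auth data length, sequence number) is laid out faithfully.
# The digest is MD5 over the packet followed by the key padded to 16 bytes and
# is appended to the packet; receivers pick the key by the key ID sent in clear.

KEY_LEN = 16


def _pad_key(key: bytes) -> bytes:
    # message-digest-key accepts up to 16 characters; shorter keys are zero-padded.
    return key[:KEY_LEN].ljust(KEY_LEN, b"\0")


def sign(payload: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    auth_field = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    body = auth_field + payload
    return body + hashlib.md5(body + _pad_key(key)).digest()


def send_copies(payload: bytes, seq: int, configured_keys: dict) -> list:
    """Rollover: while more than one key is configured on the interface, one copy
    of the packet goes out per key, so neighbors on either key keep adjacency."""
    return [sign(payload, kid, seq, k) for kid, k in sorted(configured_keys.items())]


def verify(wire: bytes, configured_keys: dict, last_seq: int = -1):
    """Return (accepted, reason). Mirrors the receive-side checks: the key ID must be
    configured, the digest must match, the sequence number must not go backwards."""
    if len(wire) < 8 + 16:
        return False, "truncated"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[:8])
    if auth_len != KEY_LEN:
        return False, "bad auth data length"
    if key_id not in configured_keys:
        return False, f"unknown key id {key_id}"
    body, digest = wire[:-16], wire[-16:]
    expected = hashlib.md5(body + _pad_key(configured_keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "digest mismatch"
    if seq < last_seq:
        return False, "sequence replay"
    return True, f"key {key_id}"


if __name__ == "__main__":
    hello = b"constructed OSPF hello payload"
    sender = {100: b"OLD", 101: b"NEW"}        # key 101 just added, key 100 still present
    neighbor_not_updated = {100: b"OLD"}
    neighbor_updated = {101: b"NEW"}
    for copy in send_copies(hello, seq=1, configured_keys=sender):
        print(verify(copy, neighbor_not_updated), verify(copy, neighbor_updated))
    # After `no ip ospf message-digest-key 100` everywhere, the old key is refused.
    print(verify(sign(hello, 100, 2, b"OLD"), neighbor_updated))
```

Two consequences fall out of the model: a neighbor that never received key 101 keeps working only as long as the sender still has key 100 configured, which is exactly why the old key must be removed once everyone has moved; and because the key ID is visible in clear, a neighbor with a stale key table reports "unknown key id" rather than "digest mismatch", which is the log line to look for during a botched rollover.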
Note
If the service password-encryption command is not used when configuring OSPF authentication,
the key is stored as plain text in the router configuration. If you configure the service password-
encryption command, the key is stored and displayed in an encrypted form. When it is displayed, an
encryption type of 7 is specified before the encrypted key.

Step 2 Specify the authentication type using the ip ospf authentication


command, as shown in Figure . For MD5 authentication, use the ip ospf
authentication command with the message-digest parameter. Before
using this command, configure the message digest key for the interface with
the ip ospf message-digest-key command.
The ip ospf authentication command was introduced in Cisco IOS Software Release 12.0. For
backward compatibility, the MD5 authentication type for an area is still supported using the area area-
id authentication message-digest router configuration command.
debug ip ospf adj command displays OSPF adjacency-related events and is very useful when
troubleshooting authentication.

---------------------------------------------------------
EIGRP

Perform the following steps to configure EIGRP for IP:


Step 1 Enable EIGRP and define the autonomous system using the router eigrp
autonomous-system-number command. The autonomous system number
value must match on all routers within the autonomous system.
Step 2 Indicate which networks are part of the EIGRP autonomous system using the network command. This command determines which interfaces of the router are participating in EIGRP and which networks the router advertises. Figure lists the parameters for the network command. Add the optional wildcard mask (network <address> <wildcard-mask>) to limit the statement to specific interfaces; without it the statement is classful.
Step 3 When using serial links, define the bandwidth of the link for the purpose of
sending routing update traffic, using the bandwidth kilobits command. In
this command, the parameter kilobits indicates the intended bandwidth in
kilobits per second.
For example, for a 64-kbps link, use the following command:
router(config-if)#bandwidth 64
If you do not change the bandwidth for serial interfaces, EIGRP assumes that
the bandwidth on the link is the default T1 speed. If the link is actually slower,
the router might not be able to converge, or routing updates might be lost.
For generic serial interfaces such as PPP or High-Level Data Link Control
(HDLC), set the bandwidth to the line speed. For Frame Relay on point-to-point
interfaces, set the bandwidth to the committed information rate (CIR). For
Frame Relay multipoint connections, set the bandwidth to the sum of all CIRs,
or if the permanent virtual circuits (PVCs) have different CIRs, set the
bandwidth to the lowest CIR multiplied by the number of PVCs on the
multipoint connection.

You can create an EIGRP default route with the ip default-network network-number global
configuration command. The configured router advertises the specified network listed as the gateway of
last resort. Other routers use their next-hop address to the advertised network as their default route.

Static Default Routes

EIGRP and IGRP behave differently than RIP when you are using the ip route 0.0.0.0 0.0.0.0 command. For example, EIGRP does not redistribute the 0.0.0.0 0.0.0.0 default route by default. The configuration in Figure results in the 0.0.0.0 route being passed to the EIGRP neighbors of the router.
show ip eigrp neighbors -- verifies that the router recognizes its neighbors
show ip eigrp topology -- the topology table (successors and feasible successors)
show ip route eigrp -- verifies that the router has installed routes from its neighbors
show ip protocols -- gives information about all dynamic routing protocols running on the router, including the current K value settings; the routers must have identical K values for EIGRP to establish an adjacency

The internal distance (administrative distance 90) applies to networks from other routers inside the
autonomous system. The external distance (administrative distance 170) applies to networks introduced
to EIGRP from outside this autonomous system through redistribution.

show ip eigrp interfaces command displays information about interfaces configured for EIGRP.

show ip eigrp topology –


• P (Passive): Network is available, and installation can occur in the routing table. Passive is the
correct state for a stable network.
• A (Active): Network is currently unavailable, and installation cannot occur in the routing table.
Active means that there are outstanding queries for this network.
• U (Update): Network is being updated (placed in an update packet). This code also applies if the
router is waiting for an acknowledgment for this update packet.
• Q (Query): Outstanding query packet for this network. This code also applies if the router is
waiting for an acknowledgment for a query packet. Basically, this code indicates that the router
has sent a query packet to a neighbor router.
• R (Reply status): Router is generating a reply for this network or is waiting for an
acknowledgment for the reply packet.
• S (Stuck-in-active status): EIGRP convergence problem for the network with which it is
associated.
show ip eigrp traffic -- displays the number of each type of EIGRP packet sent and received
no auto-summary -- use when you have discontiguous networks; otherwise EIGRP summarizes at the classful boundary and the two halves cannot see each other

Manual summarization is configured on the interface with ip summary-address eigrp <as-number> <address> <mask>

EIGRP can also balance traffic across multiple routes that have different metrics, which is called unequal-cost load balancing. The degree to which EIGRP performs load balancing is controlled with the variance command.

ip bandwidth-percent eigrp <as-number> <percent> -- specifies the maximum percentage of the interface bandwidth that EIGRP may use (default 50).
--use it when a link is shared in a WAN topology (a multipoint interface, for instance) so that EIGRP traffic is divided across the circuits instead of one circuit being assumed to have the whole configured bandwidth.

To configure MD5 authentication for EIGRP, complete the following steps:


Step 1 Enter configuration mode for the interface on which you want to enable
authentication.
Step 2 Specify MD5 authentication for EIGRP packets using the ip
authentication mode eigrp md5 command, as shown in Figure .
Step 3 Enable the authentication of EIGRP packets with a key specified in a key
chain by using the ip authentication key-chain eigrp command,
as shown in Figure .
Step 4 Enter the configuration mode for the key chain using the key chain
command, as shown Figure .
Step 5 Identify a key ID to use, and enter configuration mode for that key using the
key command, as shown in Figure .
Step 6 Identify the key string (password) for this key using the key-string
command, as shown in Figure .
Step 7 Optionally, specify the time period during which this key is accepted for use
on received packets using the accept-lifetime command, as shown in
Figure . Figure displays the parameters for this command.
Step 8 Optionally, specify the time period during which this key can be used for
sending packets using the send-lifetime command, as shown in the
Figure . Figure displays the parameters for this command.
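Steps 7 and 8 are where rollovers quietly fail, so here is an added Python model of the accept-lifetime / send-lifetime logic (not from the original notes, and the EIGRP digest itself is not modelled). Assumptions not stated on the page: among keys whose send window contains the current time, the lowest key ID is used to send; a received packet is accepted if the key ID it names exists, the key strings match, and that key's accept window contains the current time. The two key chains, dates and key strings are constructed for the example.

```python
from datetime import datetime, timedelta

# Added example, not from the original notes: how the accept-lifetime / send-lifetime
# windows of a key chain behave during a key rollover. Assumptions made here (not
# stated on the page): among keys whose send window contains "now", the lowest key
# ID is used to send; a received packet is accepted when the key ID it names exists,
# the key strings match, and the accept window contains "now". IOS's "infinite" and
# "duration" forms are reduced to plain datetime endpoints.

DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1)     # constructed rollover start time
FOREVER = datetime.max        # stands in for the "infinite" keyword


class Key:
    def __init__(self, key_id, key_string, accept, send):
        self.key_id = key_id
        self.key_string = key_string
        self.accept = accept      # (start, end): accept-lifetime, end inclusive
        self.send = send          # (start, end): send-lifetime, end inclusive

    @staticmethod
    def _within(window, now):
        start, end = window
        return start <= now <= end

    def accepts(self, now):
        return self._within(self.accept, now)

    def sends(self, now):
        return self._within(self.send, now)


class KeyChain:
    def __init__(self, name, keys):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now):
        """Lowest-numbered key whose send-lifetime is current, or None."""
        return next((k for k in self.keys if k.sends(now)), None)

    def accept(self, key_id, key_string, now):
        return any(
            k.key_id == key_id and k.key_string == key_string and k.accepts(now)
            for k in self.keys
        )


def exchange(sender, receiver, now):
    """One authenticated packet from sender to receiver at `now`: (key ID used, accepted?)."""
    key = sender.send_key(now)
    if key is None:
        return None, False
    return key.key_id, receiver.accept(key.key_id, key.key_string, now)


# Constructed chains. ROLLED holds both keys; key 2's accept window opens a day
# before key 1 stops being sent, so the overlap absorbs clock skew between routers.
# STALE is a router that was never given key 2.
ROLLED = KeyChain("EIGRP-KEYS", [
    Key(1, "OLD", accept=(T0, T0 + 10 * DAY), send=(T0, T0 + 7 * DAY)),
    Key(2, "NEW", accept=(T0 + 6 * DAY, T0 + 30 * DAY), send=(T0 + 7 * DAY, T0 + 30 * DAY)),
])
STALE = KeyChain("EIGRP-KEYS", [
    Key(1, "OLD", accept=(T0, FOREVER), send=(T0, FOREVER)),
])

if __name__ == "__main__":
    for day in (3, 8, 11, 31):
        now = T0 + day * DAY
        print(day, "ROLLED->ROLLED", exchange(ROLLED, ROLLED, now),
              "ROLLED->STALE", exchange(ROLLED, STALE, now),
              "STALE->ROLLED", exchange(STALE, ROLLED, now))
```

Day 8 shows the failure mode the lifetimes are meant to avoid: the rolled router has switched to sending key 2, the stale router cannot accept it, and the adjacency drops in that direction; day 11 shows the reverse, once key 1's accept-lifetime has expired on the rolled router. Lifetimes depend on the router clock, so set NTP before relying on them.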

Note
If the service password-encryption command is not used when implementing EIGRP
authentication, the key string is stored as plain text in the router configuration. If you configure the
service password-encryption command, the key string is stored and displayed in an
encrypted form. When it is displayed, an encryption type of 7 is specified before the encrypted key
string.
EIGRP default network: see ip default-network above.

------------------------------------------------------------------------------
Passwords

conf t
enable secret <password>
line con 0
password <enter password here>
login
line vty 0 4
password <enter password here>
login
exit

conf t
enable secret cisco
line con 0
password class
login
line vty 0 4
password class
login
exit

example
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#enable password cisco
ISP(config)#enable secret class
ISP(config)#line console 0
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#interface loopback 0
ISP(config-if)#ip add 172.16.1.1 255.255.255.255
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface serial 0
ISP(config-if)#ip add 200.2.2.17 255.255.255.252
ISP(config-if)#clock rate 64000
ISP(config-if)#no shutdown   --interfaces stay down until no shutdown is given
When both enable password and enable secret are set, the secret (a one-way hash) is the one that is checked; the enable password is then only a plain-text copy of a credential sitting in the config, so leave it out, or at least make it different from every real password.

PPP

The following example enables PPP encapsulation on serial interface 0/0:


Router#configure terminal
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Point-to-point software compression can be configured on serial interfaces that use PPP
encapsulation. Compression is performed in software and might significantly affect system
performance. Compression is not recommended if most of the traffic consists of compressed
files.
To configure compression over PPP, enter the following commands:
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#compress {predictor | stac}
Enter the following to monitor the data dropped on the link and avoid frame looping:
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp quality <percentage>
The following commands perform load balancing across multiple links:
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router(config-if)#ppp multilink
Use the show interfaces serial command to verify proper configuration of HDLC
or PPP encapsulation.
When PPP is configured, its Link Control Protocol (LCP) and Network Control Protocol
(NCP) states can be checked using the show interfaces serial command.
ISDN BRI
SPIDs are specified in interface configuration mode. To enter interface configuration mode, use
the interface bri command in the global configuration mode:

Router(config)#interface bri slot/port
Router(config)#interface bri0/0
Router(config-if)#isdn spid1 51055540000001 5554000
Router(config-if)#isdn spid2 51055540010001 5554001

ISDN PRI
Defining static routes for DDR (Dial on demand routing)
clear int bri 0 --> to erase the SPID
show dialer
show isdn status
To configure a static route for IP use the following command:
Router(config)#ip route net-prefix mask {address | interface} [distance] [permanent]

DDR calls are triggered by interesting traffic. This traffic can be defined as any of the following:
• IP traffic of a particular protocol type
• Packets with a particular source address or destination
• Other criteria as defined by the network administrator
Use the dialer-list command to identify interesting traffic. The command syntax is as follows:
Router(config)#dialer-list dialer-group-num protocol protocol-name {permit | deny | list access-list-number}
The dialer-group-num is an integer between 1 and 10 that identifies the dialer list to the router.
The command dialer-list 1 protocol ip permit will allow all IP traffic to trigger a call. Instead
of permitting all IP traffic, a dialer list can point to an access list in order to specify exactly what
types of traffic should bring up the link. The reference to access list 101 in dialer list 2 prevents
FTP and Telnet traffic from activating the DDR link. Any other IP packet is considered
interesting, and will therefore initiate the DDR link.
The dialer-group command is given on the interface, and its number must match the dialer-list number.
Define routing protocol traffic as uninteresting so the line doesn't keep coming up. Also use no cdp
enable on the interface to keep CDP from bringing the line up (MAKE THE INTERFACE PASSIVE SO IT
DOES NOT SEND OUT UPDATE TRAFFIC).
A dialer list specifying the interesting traffic for this DDR interface needs to be associated with
the DDR interface. This is done using the dialer-group group-number command:
Home(config-if)#dialer-group 1
In the command, group-number specifies the number of the dialer group to which the interface
belongs. The group number can be an integer from 1 to 10. This number must match the
dialer-list group-number. Each interface can have only one dialer group. However, the same dialer list
can be assigned to multiple interfaces with the dialer-group command.
The correct dialing information for the remote DDR interface needs to be specified. This is done
using the dialer map command.
The dialer map command maps the remote protocol address to a telephone number. This
command is necessary to dial multiple sites.
Router(config-if)#dialer map protocol next-hop-address [name hostname ] [speed 56 | 64]
[broadcast] dial-string
If dialing only one site, use an unconditional dialer string command that always dials the one
phone number regardless of the traffic destination. This step is unique to legacy DDR. Although
the information is always required, the steps to configure destination information are different
when using dialer profiles instead of legacy DDR.
To configure PPP on the DDR interface use the following commands:
Home(config)#username Central password cisco
Home(config)#interface bri0/0
Home(config-if)#encapsulation ppp
Home(config-if)#ppp authentication chap
Home(config-if)#ip address 10.1.0.1 255.255.255.0

The dialer idle-timeout seconds command may be used to specify the number of idle seconds
before a call is disconnected. The seconds represent the number of seconds until a call is
disconnected after the last interesting packet is sent. The default is 120.
Multiple dialer interfaces may be configured on a router. Each dialer interface is the complete
configuration for a destination. The interface dialer command creates a dialer interface and
enters interface configuration mode.
To configure the dialer interface, perform the following tasks:
1. Configure one or more dialer interfaces with all the basic DDR commands:
• IP address
• Encapsulation type and authentication
• Idle-timer
• Dialer-group for interesting traffic
2. Configure a dialer string and dialer remote-name to specify the remote router name and
phone number to dial it. The dialer pool associates this logical interface with a pool of
physical interfaces.
3. Configure the physical interfaces and assign them to a dialer pool using the dialer pool-
member command.
An interface can be assigned to multiple dialer pools by using multiple dialer pool-member
commands. If more than one physical interface exists in the pool, use the priority option of the
dialer pool-member command to set the priority of the interface within a dialer pool. If multiple
calls need to be placed and only one interface is available, then the dialer pool with the highest
priority is the one that dials out.
A combination of any of these interfaces may be used with dialer pools:
• Synchronous Serial
• Asynchronous Serial
• BRI
• PRI
**clear int bri --> to get the clear out of

REFER TO LAB FOR EXACT SETUP

FRAME RELAY

The encapsulation frame-relay [cisco | ietf] command:

cisco - Uses the Cisco proprietary Frame Relay encapsulation. Use this option if connecting to
another Cisco router. Many non-Cisco devices also support this encapsulation type. This is
the default.
ietf - Sets the encapsulation method to comply with the Internet Engineering Task Force (IETF)
standard RFC 1490. Select this if connecting to a non-Cisco router.
Set an IP address on the interface using the ip address command. Set the
bandwidth of the serial interface using the bandwidth command. Bandwidth is
specified in kilobits per second (kbps). This command is used to notify the routing
protocol that bandwidth is statically configured on the link. The bandwidth value is
used by Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway
Routing Protocol (EIGRP), and Open Shortest Path First (OSPF) to determine the
metric of the link.

The local DLCI must be statically mapped to the network layer address of the remote router
when the remote router does not support Inverse ARP. This is also true when broadcast traffic
and multicast traffic over the PVC must be controlled. These static Frame Relay map entries are
referred to as static maps. Use the frame-relay map protocol protocol-address dlci [broadcast]
command to statically map the remote network layer address to the local DLCI---Used on HQ
Router

Split-horizon updates reduce routing loops by not allowing a routing update received on one
interface to be forwarded out the same interface. One way to solve the split-horizon problem is to
use a fully meshed topology. However, this will increase the cost because more PVCs are
required. The preferred solution is to use subinterfaces.
Create a subinterface by
Int s0.301 point-to-point

To enable the forwarding of broadcast routing updates in a hub-and-spoke Frame Relay
topology, configure the hub router with logically assigned interfaces. These interfaces are
called subinterfaces. Subinterfaces are logical subdivisions of a physical interface.
In split-horizon routing environments, routing updates received on one subinterface can be sent
out another subinterface. In a subinterface configuration, each virtual circuit can be configured
as a point-to-point connection. This allows each subinterface to act similarly to a leased line.
Using a Frame Relay point-to-point subinterface, each pair of the point-to-point routers is on
its own subnet.
Frame Relay subinterfaces can be configured in either point-to-point or multipoint mode:
• Point-to-point - A single point-to-point subinterface is used to establish one PVC
connection to another physical interface or subinterface on a remote router. In this case,
each pair of the point-to-point routers is on its own subnet and each point-to-point
subinterface would have a single DLCI. In a point-to-point environment, each
subinterface is acting like a point-to-point interface. Therefore, routing update traffic is
not subject to the split-horizon rule.
• Multipoint - A single multipoint subinterface is used to establish multiple PVC
connections to multiple physical interfaces or subinterfaces on remote routers. All the
participating interfaces would be in the same subnet. The subinterface acts like an
NBMA Frame Relay interface so routing update traffic is subject to the split-horizon
rule.
The encapsulation frame-relay command is assigned to the physical interface. All other
configuration items, such as the network layer address and DLCIs, are assigned to the
subinterface.
Multipoint configurations can be used to conserve addresses that can be especially helpful if
Variable Length Subnet Masking (VLSM) is not being used. However, multipoint
configurations may not work properly given the broadcast traffic and split-horizon
considerations. The point-to-point subinterface option was created to avoid these issues.
In the figure, Router A has two point-to-point subinterfaces. The s0/0.110 subinterface connects
to router B and the s0/0.120 subinterface connects to router C. Each subinterface is on a different
subnet. To configure subinterfaces on a physical interface, the following steps are required:
• Configure Frame Relay encapsulation on the physical interface using the encapsulation
frame-relay command
• For each of the defined PVCs, create a logical subinterface
router(config-if)#interface serial number.subinterface-number [multipoint | point-to-point]
To create a subinterface, use the interface serial command. Specify the port number, followed
by a period (.), and then by the subinterface number. Usually, the subinterface number is chosen
to be that of the DLCI. This makes troubleshooting easier. The final required parameter is stating
whether the subinterface is a point-to-point or point-to-multipoint interface. Either the
multipoint or point-to-point keyword is required. There is no default. The following commands
create the subinterface for the PVC to router B:
routerA(config-if)#interface serial 0/0.110 point-to-point
If the subinterface is configured as point-to-point, then the local DLCI for the subinterface must
also be configured in order to distinguish it from the physical interface. The DLCI is also
required for multipoint subinterfaces for which Inverse ARP is enabled. It is not required for
multipoint subinterfaces configured with static route maps. The frame-relay interface-dlci
command is used to configure the local DLCI on the subinterface
router(config-subif)#frame-relay interface-dlci dlci-number
The show interfaces command displays information regarding the encapsulation and Layer 1
and Layer 2 status. It also displays information about the following:
• The LMI type
• The LMI DLCI
• The Frame Relay data terminal equipment/data circuit-terminating equipment
(DTE/DCE) type
Use the show frame-relay lmi command to display LMI traffic statistics.
Use the show frame-relay pvc [interface interface] [dlci] command to display the status of each
configured PVC as well as traffic statistics. This command is also useful for viewing the number
of BECN and FECN packets received by the router. The PVC status can be active, inactive, or
deleted.
The show frame-relay pvc command without arguments displays the status of all the PVCs
configured on the router.
Use the show frame-relay map command to display the current map entries and information
about the connections.
Use the debug frame-relay lmi command to determine whether the router and the Frame Relay
switch are sending and receiving LMI packets properly. The "out" is an LMI status message sent
by the router. The "in" is a message received from the Frame Relay switch. A full LMI status
message is a "type 0". An LMI exchange is a "type 1". The "dlci 100, status 0x2" means that the
status of DLCI 100 is active. The possible values of the status field are as follows:
• 0x0 - Added/inactive means that the switch has this DLCI programmed but for some
reason it is not usable. The reason could possibly be the other end of the PVC is down.
• 0x2 - Added/active means the Frame Relay switch has the DLCI and everything is
operational.
• 0x4 - Deleted means that the Frame Relay switch does not have this DLCI programmed
for the router, but that it was programmed at some point in the past. This could also be
caused by the DLCIs being reversed on the router, or by the PVC being deleted by the
service provider in the Frame Relay cloud.
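As an added example (not from the original notes), the following Python decodes the PVC status field from debug frame-relay lmi output using the status table just given, and separates the "in" messages (from the Frame Relay switch) from the "out" messages (from the router). The debug lines it parses are constructed to follow the shape of that output, not captured from a router; the regular expressions and function names are assumptions of this example.

```python
import re

# Added example (not from the original notes): decode the PVC status field in
# 'debug frame-relay lmi' output. SAMPLE_DEBUG below is constructed to follow
# the shape of that debug; it is not a capture from a real router.

# Status values exactly as the notes list them.
LMI_PVC_STATUS = {
    0x0: "added/inactive (switch has the DLCI programmed but it is not usable; "
         "the other end of the PVC may be down)",
    0x2: "added/active (switch has the DLCI and the PVC is operational)",
    0x4: "deleted (switch no longer has this DLCI for the router; check for "
         "reversed DLCIs or a provider-side deletion)",
}

# "dlci 100, status 0x2" is the fragment the notes quote; pull both numbers
# out of a PVC information element line.
PVC_IE_RE = re.compile(r"dlci\s+(\d+)\s*,\s*status\s+0x([0-9a-fA-F]+)")
# 'Serial0(in):' / 'Serial0(out):' headers carry the interface and direction.
DIRECTION_RE = re.compile(r"^(\S+)\((in|out)\)")


def parse_lmi_debug(lines):
    """Return (interface, direction, dlci, status, meaning) for each PVC IE.

    PVC information elements appear in the status message the switch sends,
    so only lines following an '(in)' header are decoded; '(out)' lines are
    the router's own status enquiries and carry no PVC status.
    """
    results = []
    interface, direction = None, None
    for line in lines:
        hdr = DIRECTION_RE.match(line)
        if hdr:
            interface, direction = hdr.group(1), hdr.group(2)
            continue
        m = PVC_IE_RE.search(line)
        if m and direction == "in":
            dlci, status = int(m.group(1)), int(m.group(2), 16)
            meaning = LMI_PVC_STATUS.get(status, f"unknown status 0x{status:x}")
            results.append((interface, direction, dlci, status, meaning))
    return results


def unhealthy_pvcs(lines):
    """(dlci, meaning) for every DLCI the switch reports as anything but active."""
    return [(dlci, meaning)
            for _, _, dlci, status, meaning in parse_lmi_debug(lines)
            if status != 0x2]


# Constructed sample: one full status exchange (type 0) on Serial0 reporting
# three DLCIs in the three states the notes describe.
SAMPLE_DEBUG = """\
Serial0(out): StEnq, myseq 2, yourseen 1, DTE up
Serial0(in): Status, myseq 2
RT IE 1, length 1, type 0
KA IE 3, length 2, yourseq 2 , myseq 2
PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0
PVC IE 0x7 , length 0x6 , dlci 110, status 0x0 , bw 0
PVC IE 0x7 , length 0x6 , dlci 120, status 0x4 , bw 0
""".splitlines()

if __name__ == "__main__":
    for iface, direction, dlci, status, meaning in parse_lmi_debug(SAMPLE_DEBUG):
        print(f"{iface} {direction}: DLCI {dlci} status 0x{status:x} -> {meaning}")
```

Feeding a saved debug capture to unhealthy_pvcs() gives the short list of DLCIs worth chasing with show frame-relay pvc; a 0x4 on a DLCI the router is configured for is the classic sign of reversed DLCIs.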

--------------------------------------------------------------------------------------------------------------

Switch Commands

switch(config)#ip default-gateway <ip> --> sets the default gateway for the
switch (to be set under conf t)
**More detailed spanning tree info

spanning-tree portfast —> to be used with conf t and maybe on the interface
itself to make the interface instantly up and connected (Use the spanning-
tree portfast global configuration command to globally enable BPDU filtering on
Port Fast-enabled ports, the BPDU guard feature on Port Fast-enabled ports, or the
Port Fast feature on all nontrunking ports. The BPDU filtering feature prevents the
switch port from sending or receiving BPDUs. The BPDU guard feature puts Port
Fast-enabled ports that receive BPDUs in an error-disabled state.)

show trunk

show interface vlan 1 --> used in priv exec mode, shows mac, ip, and port info

show spanning-tree or show spanning-tree brief --> used in priv exec mode,
shows port status (forwarding/blocking) root router, priority and mac address
use only on non trunking ports

Show mac-address-table

clear mac-address-table dynamic --> clears the dynamically learned mac addresses

#password configs and hostname are set up the same way as on a router (except the vty lines
are line vty 0 15)

***Add trunking commands to the tutorial guide (DTP) stuff

Switchport mode trunk 802.1q (or

How to setup VLAN -- and what not to forget to setup

switch(config)#int vlan 1
switch(config-if)#ip add <ip address> <subnet mask>
switch(config-if)#no shut

Vlan dat
vlan 101 name Voice101
vlan 102 name Voice102
vlan 103 name Voice103
vlan 104 name Voice104
vlan 105 name Voice105
vlan 106 name Voice106
vlan 107 name Voice107
vlan 108 name Voice108
vlan 109 name Voice109
vlan 110 name Voice110

To set up VTP (VLAN Trunking Protocol: a designated switch replicates the vlan configuration to
the other switches connected to it)

vlan dat
vtp client
vtp domain Cisco
vlan dat---old way – try new commands on the next pict
vtp server
vtp domain Cisco

2.5.6 Best Practice for VTP Configuration
Following is a list of general best practices with regard to configuring VTP in the enterprise
composite network model:
• Plan boundaries for the VTP domain. Not all switches in the network need information
on all VLANs in the network. In the enterprise composite model, the VTP domain should
be restricted to redundant distribution switches and the access switches that they serve.
• Have only one or two switches specifically configured as VTP servers and the
remainder as clients.
• Configure a password so that no switch can join the VTP domain with a domain name
only (which can be derived dynamically).
• Manually configure the VTP domain name on all switches that are installed in the
network so that the mode can be specified and the default server mode on all switches
can be overwritten.
• When you are setting up a new domain, configure VTP client switches first so that they
participate passively. Then configure servers to update client devices.
• In an existing domain, if you are performing VTP cleanup, configure passwords on
servers first. Clients may need to maintain current VLAN information until the server
contains a complete VLAN database. After the VLAN database on the server is verified
as complete, client passwords can be configured to be the same as the servers. Clients
will then accept updates from the server.
• WHEN ADDING A DIFFERENT SWITCH TO A NETWORK (MOVING CABLES) TAKE
IT OUT OF THE VTP DOMAIN, CHANGE, THEN RE-ADD SO THE REVISION NUMBER
IS RESET TO ONE SO IT DOESN'T OVERRIDE THE OTHER ONE

What VLan you belong to and mode for each interface

interface FastEthernet0/1
switchport access vlan 101
switchport mode access
no ip address
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 101
switchport mode access
no ip address
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 102
switchport mode access
no ip address
spanning-tree portfast

int range fa 0/2 – 5

delete vlan.dat or delete flash:vlan.dat

2.5.2 Resolving Issues with 802.1Q Native VLANs
Consider the following issues when you are configuring a native VLAN on an 802.1Q trunk link:
• The native VLAN interface configurations must match at both ends of the link or the trunk
may not form.
• By default, the native VLAN is VLAN1. For the purpose of security, the native VLAN on a
trunk should be set to a specific VID that is not used for normal operations elsewhere on
the network.
Switch(config-if)#switchport trunk native vlan vlan-id

• OR switchport trunk
• If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning)
issues a “native VLAN mismatch” error.
• On select versions of Cisco IOS software, CDP may not be transmitted or automatically
turns off if VLAN1 is disabled on the trunk.
• If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may
occur because VLAN 1 STP BPDUs are sent to the IEEE STP MAC address
(0180.c200.0000) untagged.
• When troubleshooting VLANs, note that a link can have one native VLAN association
when in access mode, and another native VLAN association when in trunk mode.

When implementing VLANs, you should consider a few measures to secure the VLAN and the switch
itself. The security policy of the organization will likely have more detailed recommendations, but these
can provide a foundation.
• Create a “parking-lot” VLAN with a VLAN ID (VID) other than VLAN1, and place all unused switch
ports in this VLAN. This VLAN may provide the user with some minimal network connectivity.
(Check on the security policy of your organization before implementing.)
• Disable unused switch ports, depending on the security policy of the organization.

Trunk links should be configured statically whenever possible. However, Cisco Catalyst switch ports run
Dynamic Trunking Protocol (DTP), which can automatically negotiate a trunk link. This Cisco proprietary
protocol can determine an operational trunking mode and protocol on a switch port when it is connected
to another device that is also capable of dynamic trunk negotiation.
(show dtp interface)
• To enable trunking to a device that does not support DTP, use the switchport mode trunk
and switchport nonegotiate interface configuration commands to cause the interface to
become a trunk but to not generate DTP frames.
• Use the switchport trunk encapsulation isl or switchport trunk
encapsulation dot1q interface to select the encapsulation type on the trunk port.
Regardless if a device supports DTP, general best practice is to configure trunks statically by configuring
the interface to trunk and nonegotiate.

2.3.7 Configuring Trunking---has pictures for more examples
Switch ports are configured for trunking using Cisco IOS commands. To configure a switch port as
an 802.1Q or an ISL trunking port, follow these steps on each trunk interface.
Step 1 Enter interface configuration mode.
Step 2 Shut down the interface to prevent the possibility of premature autoconfiguration.
Step 3 Select the trunking encapsulation. Note that some switches support only ISL or
802.1Q. In particular, the Catalyst 2950 and 2960 support only 802.1Q.
Step 4 Configure the interface as a Layer 2 trunk.
Step 5 Configure the trunking native VLAN number for 802.1Q links. This number must match at
both ends of an 802.1Q trunk.
Step 6 Configure the allowable VLANs for this trunk. This is necessary if VLANs are restricted to
certain trunk links. This is best practice with the Enterprise Composite Network Model and leads
to the correct operation of VLAN interfaces.
Step 7 Use the no shutdown command on the interface to activate the trunking process.
Step 8 Verify the trunk configuration using show commands.
Figure shows how to configure interface Fast Ethernet 5/8 as an 802.1Q trunk. Frames from
VLANs 1, 5, 11, and 1002 to 1005 will be allowed to traverse the trunk link. The switchport mode
for the interface is trunk (on), and no DTP messages will be sent on the interface.
Note:
For security reasons, the native VLAN has been configured to be an “unused” VLAN. This will be
discussed in more detail later.
Figure describes the commands used to configure a switch port as an 802.1Q trunk link.

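The native-VLAN, DTP and unused-port guidance above lends itself to an automated check over a saved configuration. The following Python is an added example (not part of the original notes or of any Cisco tool): it parses interface blocks from a running-config and flags trunks that keep native VLAN 1, still negotiate DTP, allow every VLAN or carry portfast, unused ports not parked in a dedicated VLAN, and live access ports without switchport mode access or port-security. The sample configuration, the parking-lot VID 999 and the function names are constructed for the example.

```python
# Added example (not from the original notes): audit the switchport interface
# blocks of a saved running-config against the trunk and access-port guidance
# in these notes. SAMPLE_CONFIG is constructed, not taken from a real switch.

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport access vlan 101
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,5,11,1002-1005
 switchport mode trunk
 switchport nonegotiate
!
"""

PARKING_LOT_VLAN = 999  # assumed VID of the "parking-lot" VLAN for unused ports


def parse_interfaces(config_text):
    """Return {interface name: [config lines]} for each interface block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def _vlan_setting(lines, prefix, default=1):
    """Numeric argument of e.g. 'switchport trunk native vlan 999', else default."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return default


def audit_interface(lines):
    """Apply the notes' checks to one interface block; return its findings."""
    def has(prefix):
        return any(line.startswith(prefix) for line in lines)

    findings = []
    if has("switchport mode trunk"):
        if _vlan_setting(lines, "switchport trunk native vlan") == 1:  # 802.1Q default
            findings.append("trunk keeps native VLAN 1; set an unused VID")
        if not has("switchport nonegotiate"):
            findings.append("trunk still generates DTP frames; add switchport nonegotiate")
        if not has("switchport trunk allowed vlan"):
            findings.append("trunk carries every VLAN; restrict with switchport trunk allowed vlan")
        if has("spanning-tree portfast"):
            findings.append("portfast on a trunk; remove it")
    elif has("shutdown"):
        # Disabled port: should also sit in the parking-lot VLAN, not VLAN 1
        if _vlan_setting(lines, "switchport access vlan") != PARKING_LOT_VLAN:
            findings.append(f"unused port not in parking-lot VLAN {PARKING_LOT_VLAN}")
    else:
        # Live user port: statically access (no DTP) and protected by port-security
        if not has("switchport mode access"):
            findings.append("port left to DTP negotiation; set switchport mode access")
        if not has("switchport port-security"):
            findings.append("no port-security on access port")
    return findings


def audit_config(config_text):
    """Return {interface: [findings]} for interfaces failing at least one check."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, *("\n  - " + f for f in findings))
```

In the sample, Fa0/24 follows the Figure above (unused native VLAN, restricted allowed list, nonegotiate) and passes; Fa0/23 is the same trunk left at defaults and collects every trunk finding.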
3.1 Describing STP
3.1.5 Describing the Root Bridge
STP uses a root bridge, root ports, and designated ports to establish a loop free path through the
network. The first step in creating a loop free spanning tree is to select a root bridge to be the
reference point that all switches use to establish forwarding paths. The STP topology is
converged after a root bridge has been selected, and each bridge has selected its root port,
designated bridge, and the participating ports. STP uses BPDUs as it transitions port states to
achieve convergence.
Spanning tree elects a root bridge in each broadcast domain on the LAN. Path calculation
through the network is based on the root bridge. The bridge is selected using the bridge ID (BID),
which consists of a 2-byte Priority field plus a 6-byte MAC address. In spanning tree, lower BID
values are preferred. The Priority field value helps determine which bridge is going to be the root
and can be manually altered. In a default configuration, the Priority field is set at 32768. When the
default Priority field is the same for all bridges, selecting the root bridge is based on the lowest
MAC address.
The root bridge maintains the stability of the forwarding paths between all switches for a single
STP instance. A spanning tree instance is when all switches exchanging BPDUs and participating
in spanning tree negotiation are associated with a single root. If this is done for all VLANs, it is
called a Common Spanning Tree (CST) instance. There is also a Per VLAN Spanning Tree
(PVST) implementation that provides one instance, and therefore one root bridge, for each VLAN.
The BID and root ID are each 8-byte fields carried in a BPDU. These values are used to
complete the root bridge election process. A switch identifies the root bridge by evaluating the root
ID field in the BPDUs that it receives. The unique BID is carried in the Root ID field of the BPDUs
sent by each switch in the tree.
When a switch first boots and begins sending BPDUs, it has no knowledge of a root ID, so it
populates the Root ID field of outbound BPDUs with its own BID.
The switch with the lowest numerical BID assumes the role of root bridge for that spanning tree
instance. If a switch receives BPDUs with a lower BID than its own, it places the lowest value into
the Root ID field of its outbound BPDUs.
Spanning tree operation requires that each switch have a unique BID. In the original 802.1D
standard, the BID was composed of the Priority Field and the MAC address of the switch, and all
VLANs were represented by a CST. Because PVST requires that a separate instance of spanning
tree run for each VLAN, the BID field is required to carry VLAN ID (VID) information, which is
accomplished by reusing a portion of the Priority field as the extended system ID.
To accommodate the extended system ID, the original 802.1D 16-bit Bridge Priority field is split
into two fields, resulting in these components in the BID :
• Bridge Priority: A 4-bit field that carries the bridge priority. Because of the limited bit
count, priority is conveyed in discrete values in increments of 4096 rather than discrete
values in increments of 1, as they would be in a full 16-bit field. The default priority, in
accordance with IEEE 802.1D, is 32,768, which is the mid-range value.
• Extended System ID: A 12-bit field that carries the VID for PVST.
• MAC address: A 6-byte field with the MAC address of a single switch.
By virtue of the MAC address, a BID is always unique. When the priority and extended system ID
are appended to the switch MAC address, each VLAN on the switch can be represented by a
unique BID.
If no priority has been configured, every switch has the same default priority and the election of
the root for each VLAN is based on the MAC address. This is a fairly random means of selecting
the ideal root bridge and, for this reason, it is advisable to assign a lower priority to the switch that
should serve as root bridge.
Only four bits are used to set the bridge priority. Because of the limited bit count, priority is
configurable only in increments of 4096.
A switch responds with the possible priority values if an incorrect value is entered:
Switch(config)#spanning-tree vlan 1 priority 1234
% Bridge Priority must be in increments of 4096.
% Allowed values are:
0 4096 8192 12288 16384 20480 24576 28672
32768 36864 40960 45056 49152 53248 57344 61440
If no priority has been configured, every switch will have the same default priority of 32768.
Assuming all other switches are at default priority, the spanning-tree vlan vlan-id root
primary command sets a value of 24576. Also, assuming all other switches are at default
priority, the spanning-tree vlan vlan-id root secondary command sets a value of
28672.
The switch with the lowest BID becomes the root bridge for a VLAN. Specific configuration
commands are used to determine which switch will become the root bridge.
A Cisco Catalyst switch running PVST maintains an instance of spanning tree for each active
VLAN that is configured on the switch. A unique BID is associated with each instance. For each
VLAN, the switch with the lowest BID becomes the root bridge for that VLAN. Whenever the
bridge priority changes, the BID also changes. This results in the recomputation of the root bridge
for the VLAN.
To configure a switch to become the root bridge for a specified VLAN, use the spanning-tree
vlan vlan-ID root primary command.

CAUTION:
Spanning tree commands take effect immediately, so network traffic is disrupted while the reconfiguration
occurs.
A secondary root is a switch that may become the root bridge for a VLAN if the primary root
bridge fails. To configure a switch as the secondary root bridge for the VLAN, use the command
spanning-tree vlan vlan-ID root secondary. Assuming that the other bridges in the
VLAN retain their default STP priority, this switch will become the root bridge in the event that the
primary root bridge fails. This command can be executed on more than one switch to configure
multiple backup root bridges.
BPDUs are exchanged between switches, and the analysis of the BID and root ID information
from those BPDUs determines which bridge is selected as the root bridge.
In the example shown, both switches have the same priority for the same VLAN. The switch with
the lowest MAC address is elected as the root bridge. In the example, switch X is the root bridge
for VLAN 1, with a BID of 0x8001:0c0011111111.
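To make the BID arithmetic above concrete, here is an added Python example (not part of the original notes) that builds the 8-byte BID from the 4-bit priority, the 12-bit extended system ID (the VLAN ID) and the MAC address, rejects priorities that are not multiples of 4096 exactly as the IOS error above does, and runs a root election. Switch names and MAC addresses are constructed; the 0x8001:0c0011111111 value for switch X matches the example just given, and the root primary / root secondary constants are the 24576 and 28672 values stated above.

```python
# Added example (not from the original notes): build and compare PVST+ bridge
# IDs as the notes describe them: 4-bit priority, 12-bit extended system ID
# (the VLAN ID) and the 6-byte switch MAC address.

PRIORITY_STEP = 4096      # only the top 4 bits of the 16-bit field carry priority
DEFAULT_PRIORITY = 32768  # IEEE 802.1D default, the mid-range value
ROOT_PRIMARY = 24576      # what "spanning-tree vlan X root primary" sets
ROOT_SECONDARY = 28672    # what "spanning-tree vlan X root secondary" sets


def allowed_priorities():
    """The 16 values IOS prints when a non-multiple of 4096 is entered."""
    return [n * PRIORITY_STEP for n in range(16)]


def check_priority(priority):
    """Mirror the IOS rejection of a priority that is not a multiple of 4096."""
    if priority not in allowed_priorities():
        raise ValueError(
            f"Bridge Priority must be in increments of {PRIORITY_STEP}. "
            f"Allowed values are: {' '.join(map(str, allowed_priorities()))}")
    return priority


def mac_to_int(mac):
    """Accept '0c00.1111.1111', '0c:00:11:11:11:11' or '0c0011111111'."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def bridge_id(priority, vlan_id, mac):
    """Return the 8-byte BID as an int: (priority + VID) << 48 | MAC.

    The priority is a multiple of 4096, so it only sets bits 15..12 of the
    16-bit field; the VLAN ID fills bits 11..0 as the extended system ID.
    """
    check_priority(priority)
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((priority + vlan_id) << 48) | mac_to_int(mac)


def format_bid(bid):
    """Render a BID the way the notes write it, e.g. 0x8001:0c0011111111."""
    return f"0x{bid >> 48:04x}:{bid & 0xFFFFFFFFFFFF:012x}"


def elect_root(switches, vlan_id):
    """Given {name: (priority, mac)}, return (name, bid) of the lowest BID.

    A lower priority wins outright; with equal priorities the lowest MAC
    wins, which is the "fairly random" outcome the notes warn about.
    """
    candidates = {name: bridge_id(prio, vlan_id, mac)
                  for name, (prio, mac) in switches.items()}
    winner = min(candidates, key=candidates.get)
    return winner, candidates[winner]


if __name__ == "__main__":
    # Constructed topology: every switch at default priority on VLAN 1, so the
    # lowest MAC address (switch X) becomes root.
    lan = {
        "X": (DEFAULT_PRIORITY, "0c00.1111.1111"),
        "Y": (DEFAULT_PRIORITY, "0c00.2222.2222"),
        "Z": (DEFAULT_PRIORITY, "0c00.3333.3333"),
    }
    name, bid = elect_root(lan, 1)
    print(f"default priorities: root is {name} with BID {format_bid(bid)}")
    # 'spanning-tree vlan 1 root primary' on Z drops its priority to 24576, so
    # it wins despite having the highest MAC address.
    lan["Z"] = (ROOT_PRIMARY, "0c00.3333.3333")
    name, bid = elect_root(lan, 1)
    print(f"after root primary on Z: root is {name} with BID {format_bid(bid)}")
```

Because the VLAN ID is folded into the priority field, the same switch at the same configured priority carries a different BID per VLAN; that is why a PVST election is per VLAN and why a deliberately lowered priority, not the factory MAC, should decide the root.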

BETTER TO USE RAPID SPANNING TREE PROTOCOL

The SVI for the VLAN provides Layer 3 processing for packets from all switch ports associated with that
VLAN. Only one SVI can be associated with a VLAN. You configure an SVI for a VLAN for the following
reasons:
• To provide a default gateway for a VLAN so that traffic can be routed between VLANs
• To provide fallback bridging if it is required for non-routable protocols
• To provide Layer 3 IP connectivity to the switch
• To support routing protocol and bridging configurations
By default, an SVI is created for the default VLAN (VLAN1) to permit remote switch administration.
Additional SVIs must be explicitly created.
SVIs are created the first time a VLAN interface configuration mode is entered for a particular VLAN SVI.
The VLAN corresponds to the VLAN tag associated with data frames on an Ethernet trunk or to the VLAN
ID (VID) configured for an access port. An IP address is assigned in interface configuration mode to each
VLAN SVI that is to route traffic off of and on to the local VLAN.
Inter-VLAN Routing
Routed Switch ports
A routed port has the following characteristics and functions:
• Physical switch port with Layer 3 capability
• Not associated with any VLAN
• Serves as the default gateway for devices out that switch port
• Layer 2 port functionality must be removed before it can be configured
conf t
int range fa0/1 - 6
switchport mode access                                   (port security requires a static access port)
switchport port-security                                 enables port security on the interface
switchport port-security mac-address <mac address>       sets the specific mac address to that interface
switchport port-security maximum <1-132>                 how many mac addresses the port is to remember
switchport port-security violation {shutdown | restrict | protect}

Older Catalyst XL-series IOS syntax for the same thing:
port security max-mac-count <1-132> --> enables port security and sets the max mac count
port security action shutdown --> if more than the specified number of mac addresses is seen, the
port is shut down

Set arp timeout seconds to a smaller time to mitigate mac address spoofing.

To verify, do a show port-security address
or
show port-security interface <interface id>

To access this mode, the vlan database command is executed from privileged EXEC mode. From this
mode, you can add, delete, and modify configurations for VLANs in the range 1 to 1005.
Note:
This mode has been deprecated and will be removed in some future release. The move to the global
VLAN configuration mode is consistent with a more traditional Cisco router IOS-type approach.
----
Configuring Multiple Spanning Tree protocol (MSTP)
-refer to 3.3.5-3.3.6 cpt176
Switch#show spanning-tree mst
Switch#show spanning-tree mst <mst instance #>
However, the switch does not automatically revert to Rapid PVST+ or MSTP mode if it no longer receives
IEEE 802.1D BPDUs, because it cannot determine whether the legacy switch has been removed from the
link unless the legacy switch is the designated switch. Use the following command in this situation :
Switch#clear spanning-tree detected-protocols

Switch#show spanning-tree mst interface fastethernet 4/4
Switch#show spanning-tree mst 1 interface fastethernet 4/4
This example displays detailed MSTP information for a specific instance.
Switch#show spanning-tree mst 1 detail
-----
3.4.3 EtherChannel Configuration (more on part 2 of the same page, 3.4.4)

Load balancing is applied globally for all EtherChannel bundles in the switch. To configure EtherChannel
load balancing, use the port-channel load-balance command. Load balancing can be based on
the following variables:
• src-mac: Source MAC address
• dst-mac: Destination MAC address
• src-dst-mac: Source and destination MAC addresses
• src-ip: Source IP address
• dst-ip: Destination IP address
• src-dst-ip: Source and destination IP addresses (default)
• src-port: Source TCP/User Datagram Protocol (UDP) port
• dst-port: Destination TCP/UDP port
• src-dst-port: Source and destination TCP/UDP ports

The following shows how to configure and verify EtherChannel load balancing:
Switch(config)# port-channel load-balance src-dst-ip
Switch(config)# exit
Switch# show etherchannel load-balance

Source XOR Destination IP address
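The "Source XOR Destination IP address" line is the whole rule for how a frame is pinned to a member link, and the following Python is an added example (not from the original notes) that models it. The hash_value/select_link functions, the power-of-two link-count assumption and the sample flows are constructed here; the exact hash a given Catalyst platform applies is not stated in the notes, so this is a simplified model rather than any platform's code. It goes beyond the single src-dst-ip case by accepting all nine load-balance keywords listed above.

```python
import ipaddress

# Added example (not from the original notes): a simplified model of how an
# EtherChannel pins a flow to one member link from the configured
# port-channel load-balance fields. Uses "source XOR destination" and the
# low-order bits of the result; the exact per-platform hash is an assumption.


def _ip_bits(addr):
    return int(ipaddress.ip_address(addr))


def _mac_bits(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


_FIELDS = {"mac": _mac_bits, "ip": _ip_bits, "port": int}


def hash_value(method, flow):
    """Combine the fields named by a load-balance keyword (src-ip, dst-mac, ...).

    flow is a dict with src_ip/dst_ip, src_mac/dst_mac and src_port/dst_port
    entries as the chosen method requires.
    """
    field = method.split("-")[-1]            # mac, ip or port
    extract = _FIELDS[field]
    src, dst = flow[f"src_{field}"], flow[f"dst_{field}"]
    if method.startswith("src-dst"):
        return extract(src) ^ extract(dst)    # Source XOR Destination
    return extract(src) if method.startswith("src") else extract(dst)


def select_link(method, flow, link_count):
    """0-based index of the member link the flow is pinned to.

    With a power-of-two bundle only link_count.bit_length()-1 low-order bits
    of the hash are consulted (2 links -> 1 bit, 4 -> 2, 8 -> 3), so one
    src/dst pair always takes the same single link.
    """
    if link_count <= 0 or link_count & (link_count - 1):
        raise ValueError("this model assumes a power-of-two number of member links")
    bits = link_count.bit_length() - 1
    return hash_value(method, flow) & ((1 << bits) - 1)


def distribution(method, flows, link_count):
    """Number of flows that land on each member link, one entry per link."""
    counts = [0] * link_count
    for flow in flows:
        counts[select_link(method, flow, link_count)] += 1
    return counts


# Constructed flows: one server at 172.16.34.10 serving eight clients.
SAMPLE_FLOWS = [{"src_ip": "172.16.34.10", "dst_ip": f"10.10.10.{i}"}
                for i in range(1, 9)]

if __name__ == "__main__":
    # src-dst-ip (the default) spreads the eight flows over a 4-link bundle;
    # src-ip hashes every flow on the single server address and pins them all
    # to one link.
    print("src-dst-ip:", distribution("src-dst-ip", SAMPLE_FLOWS, 4))
    print("src-ip:    ", distribution("src-ip", SAMPLE_FLOWS, 4))
```

Running it shows why the default is preferred: with src-ip every flow from the one server hashes identically and lands on a single member, so an uneven utilisation graph on a bundle is a reason to check the configured method before suspecting the links.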


Switch DHCP spoofing
DHCP Snooping Configuration Guidelines
These are the configuration guidelines for DHCP snooping.
• DHCP snooping must be enabled globally on the switch.
• DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
• Before configuring the DHCP information option on the switch, make sure to configure
the device that is acting as the DHCP server. For example, the IP addresses that the DHCP
server can assign or must exclude have to be specified, and DHCP options for devices have to
be configured.
conf t
ip dhcp snooping                          --> must also be enabled on a vlan to take effect
ip dhcp snooping vlan vlan_id {,vlan_ID}

interface <blahblah>
ip dhcp snooping trust                    --> makes that port a trusted DHCP port (DHCP server replies are accepted on it)
ip dhcp snooping limit rate 100           --> limits DHCP packets per second on that interface (usually no more
than 100); do both commands on the same interface

The show ip dhcp snooping binding command displays the DHCP snooping
binding entries for a switch, as shown in Figure
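How the trusted-port, rate-limit and binding-table pieces above fit together, as an added example (a constructed Python model, not IOS code): server-side messages (OFFER, ACK, NAK) are only accepted on a trusted port, untrusted ports are rate-limited and err-disabled when the limit is exceeded, and an ACK seen on the trusted port creates the binding that show ip dhcp snooping binding would list. The port names, MACs and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Only a legitimate DHCP server should originate these message types.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False                  # "ip dhcp snooping trust"
    limit_rate: Optional[int] = None       # "ip dhcp snooping limit rate N" (packets/second)
    counts: dict = field(default_factory=dict)   # arrival second -> DHCP packets seen


@dataclass
class SnoopingSwitch:
    snooping_vlans: set                    # "ip dhcp snooping vlan ..."
    ports: dict                            # interface name -> Port
    bindings: dict = field(default_factory=dict)      # client MAC -> (ip, vlan, client port)
    client_ports: dict = field(default_factory=dict)  # client MAC -> port it was heard on
    err_disabled: set = field(default_factory=set)

    def process(self, pkt: dict) -> str:
        """Return 'forward' or a 'drop: ...' reason for one DHCP packet.

        pkt keys: port, msg, client_mac, t (arrival second), yiaddr (ACK only)."""
        port = self.ports[pkt["port"]]
        if port.name in self.err_disabled:
            return "drop: port err-disabled"
        if port.vlan not in self.snooping_vlans:
            return "forward"               # snooping is inactive until enabled on the VLAN
        if not port.trusted:
            if port.limit_rate is not None:
                n = port.counts.get(pkt["t"], 0) + 1
                port.counts[pkt["t"]] = n
                if n > port.limit_rate:
                    self.err_disabled.add(port.name)
                    return "drop: rate limit exceeded, port err-disabled"
            if pkt["msg"] in SERVER_MSGS:
                return "drop: server message on untrusted port"
            self.client_ports[pkt["client_mac"]] = port.name
        elif pkt["msg"] == "ACK":
            # A completed lease seen on the trusted (server-facing) port becomes a binding.
            self.bindings[pkt["client_mac"]] = (
                pkt["yiaddr"], port.vlan, self.client_ports.get(pkt["client_mac"]))
        return "forward"


def build_sample_switch() -> SnoopingSwitch:
    """Constructed topology: Fa0/1 is the uplink to the real server, Fa0/2-3 are user ports."""
    return SnoopingSwitch(
        snooping_vlans={10},
        ports={
            "Fa0/1": Port("Fa0/1", 10, trusted=True),
            "Fa0/2": Port("Fa0/2", 10, limit_rate=100),
            "Fa0/3": Port("Fa0/3", 10, limit_rate=100),
        })


def run_sample():
    """Replay a constructed lease exchange, a rogue OFFER and a DISCOVER flood."""
    sw = build_sample_switch()
    client = "00:11:22:aa:bb:01"
    results = [
        sw.process({"port": "Fa0/2", "msg": "DISCOVER", "client_mac": client, "t": 0}),
        sw.process({"port": "Fa0/3", "msg": "OFFER", "client_mac": client, "t": 0}),  # rogue
        sw.process({"port": "Fa0/1", "msg": "OFFER", "client_mac": client, "t": 0}),
        sw.process({"port": "Fa0/2", "msg": "REQUEST", "client_mac": client, "t": 0}),
        sw.process({"port": "Fa0/1", "msg": "ACK", "client_mac": client, "t": 0,
                    "yiaddr": "10.10.10.50"}),
    ]
    # 101 DISCOVERs within one second on Fa0/3 exceed "limit rate 100".
    flood = [sw.process({"port": "Fa0/3", "msg": "DISCOVER",
                         "client_mac": f"00:11:22:cc:dd:{i % 256:02x}", "t": 5})
             for i in range(101)]
    return results, flood, sw


if __name__ == "__main__":
    results, flood, sw = run_sample()
    print(results, flood[-1], sw.bindings, sw.err_disabled)
```

The binding table is what later features (IP Source Guard, dynamic ARP inspection) consult, which is why a port that should carry only client traffic must stay untrusted even when it is rate-limited.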

One of the more important elements is to use dedicated VLAN IDs for all trunk ports.
Also, disable all unused switch ports and place them in an unused VLAN. Set all user
ports to non-trunking mode by explicitly turning off DTP on those ports. This is
accomplished on IOS switches by setting the switch port mode to access with the
switchport mode access interface configuration command.

ACLs can be configured on the router port to mitigate private VLAN attacks. VLAN
ACLs (VACLs) can also be used to help mitigate the effects of private VLAN attacks.
An example of using ACLs on the router port is if a server farm segment were
172.16.34.0/24, then configuring the ACLs shown in Figure on the default gateway
would mitigate the private VLAN proxy attack.

Conf t
Int <blahblah>
Use the spanning-tree guard <loop or root> interface configuration command to
enable root guard or loop guard on all the VLANs associated with the selected
interface. Root guard restricts which interface is allowed to be the Spanning-Tree
root port or the path to the root for the switch. Loop guard prevents alternate or
root ports from becoming designated ports when a failure creates a unidirectional
link.
**Put loop guard on the trunks

Globally enable
spanning-tree portfast bpduguard default
**Don’t put portfast on trunks or other routers

prevent it from sending default BPDUs out that interface.


-----------------------------------------------------------------------------
------
NAT

Dynamic
To define the pool of public addresses, use the ip nat pool command:
Gateway(config)#ip nat pool public-access 199.99.9.40 199.99.9.62
netmask 255.255.255.224

Step 8 Define an access list that will match the inside private IP addresses
To define the access list to match the inside private addresses, use the
access list command:
Gateway(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Step 9 Define the NAT translation from inside list to outside pool
To define the NAT translation, use the ip nat inside source command:
Gateway(config)#ip nat inside source list 1 pool public-access

router(config-if)#ip nat inside


--an interface can be defined as inside or outside
--translations occur between inside and outside
--on the router you must have an inside and an outside on 2 interfaces

int fa0/0
ip add <ip & subnet>
ip nat inside <or outside>

convert from private to public for an IP (from a server) that needs internet
access/wan
ip nat inside source static <internal ip> <external ip>
Display active translation
router#show ip nat translations [verbose]
router#show ip nat stat

Debug ip nat
Debug ip nat detailed

Overloading
Overloading is configured in two ways depending on how public IP addresses have been
allocated. An ISP can allocate a network only one public IP address, and this is typically assigned
to the outside interface which connects to the ISP. Figure shows how to configure overloading
in this situation.
Another way of configuring overload is if the ISP has given one or more public IP addresses for
use as a NAT pool. This pool can be overloaded as shown in the configuration in Figure.
Figure shows an example configuration of PAT.
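A constructed model of the dynamic NAT and overload (PAT) configuration described above, as an added example (not IOS code): access-list 1 matches 10.10.10.0/24, pool public-access is 199.99.9.40-199.99.9.62, and the overload flag switches from one global address per inside host to one shared global address distinguished by port. Packets that do not match the list are routed untranslated, and a packet that needs a translation when the pool is exhausted is dropped, which is the behaviour the model returns as None. The host addresses and port numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class NatRouter:
    acl_net: ipaddress.IPv4Network                   # access-list 1 permit 10.10.10.0 0.0.0.255
    pool: list                                       # ip nat pool public-access <start> <end>
    overload: bool = False                           # ... pool public-access overload
    host_map: dict = field(default_factory=dict)     # inside ip -> global ip (dynamic NAT)
    pat_table: dict = field(default_factory=dict)    # (inside ip, port) -> (global ip, port)
    next_port: int = 1024                            # assumed starting port for PAT

    @classmethod
    def from_config(cls, acl: str, pool_start: str, pool_end: str, overload: bool = False):
        first, last = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
        pool = [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)]
        return cls(ipaddress.IPv4Network(acl), pool, overload)

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Inside->outside: the (global ip, port) put on the wire, the original pair if the
        access list does not match, or None if the pool is exhausted (packet dropped)."""
        if ipaddress.IPv4Address(src_ip) not in self.acl_net:
            return (src_ip, src_port)              # not matched by list 1: routed untranslated
        if self.overload:
            key = (src_ip, src_port)
            if key not in self.pat_table:          # PAT: one global address, unique ports
                self.pat_table[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            return self.pat_table[key]
        if src_ip not in self.host_map:            # dynamic NAT: one global per inside host
            free = [g for g in self.pool if g not in self.host_map.values()]
            if not free:
                return None
            self.host_map[src_ip] = free[0]
        return (self.host_map[src_ip], src_port)   # dynamic NAT leaves the port alone

    def untranslate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Outside->inside return traffic: look the global pair up in the translation table."""
        if self.overload:
            for inside, glob in self.pat_table.items():
                if glob == (dst_ip, dst_port):
                    return inside
            return None
        for inside_ip, glob in self.host_map.items():
            if glob == dst_ip:
                return (inside_ip, dst_port)
        return None                                # no translation: dropped at the outside

    def show_translations(self) -> list:
        """Rows in the spirit of 'show ip nat translations': (inside local, inside global)."""
        if self.overload:
            return [(f"{k[0]}:{k[1]}", f"{v[0]}:{v[1]}") for k, v in self.pat_table.items()]
        return list(self.host_map.items())


if __name__ == "__main__":
    r = NatRouter.from_config("10.10.10.0/24", "199.99.9.40", "199.99.9.62")
    for i in range(1, 25):                         # 24 hosts against a 23-address pool
        print(f"10.10.10.{i}", "->", r.translate(f"10.10.10.{i}", 5000))
    p = NatRouter.from_config("10.10.10.0/24", "199.99.9.40", "199.99.9.62", overload=True)
    print(p.show_translations()[:3])
```

The exhaustion case is the one to remember when a pool is sized from the ISP allocation: without overload the 24th host in the sample simply gets no translation, while with overload all of them share 199.99.9.40.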
-----------------------------------------------------------------------------
--------
DHCP

router(config)#ip dhcp pool <name ex. NET(range)> --> specifies the DHCP pool
router(dhcp-config)#network <IP & Subnet>--> specifies the range

*multiple DHCP pools can be created on a server

----------
Configure DHCP excluding IP

router(config)#ip dhcp excluded-address ip-add [end-ip-address]

router(config)#ip dhcp excluded-add 172.16.1.1 172.16.1.10 <low to high range>
router(config)#ip dhcp excluded-add 172.16.1.254

*address is reserved for the router interface so it needs to be blocked out of the list

Create the DHCP address pool


To configure the campus LAN pool, use the following commands:
campus(config)#ip dhcp pool campus
campus(dhcp-config)#network 172.16.12.0 255.255.255.0
campus(dhcp-config)#default-router 172.16.12.1
campus(dhcp-config)#dns-server 172.16.1.2
campus(dhcp-config)#domain-name foo.com
campus(dhcp-config)#netbios-name-server 172.16.1.10
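The campus pool above with excluded addresses applied, as an added example (a constructed Python model, not IOS code): addresses are handed out from the low end of the network, the network and broadcast addresses are never offered, excluded ranges are skipped, and a client that asks again keeps its binding. The exclusions (172.16.12.1-172.16.12.10 and 172.16.12.254) and client MACs are constructed for this pool; the page's excluded-address example uses a different subnet.

```python
import ipaddress
from typing import Optional


class DhcpPool:
    """One 'ip dhcp pool' with its options and the excluded-address ranges that apply to it."""

    def __init__(self, network: str, default_router: str, dns_server: str,
                 domain_name: str, excluded=()):
        self.network = ipaddress.IPv4Network(network)
        self.options = {"default-router": default_router, "dns-server": dns_server,
                        "domain-name": domain_name}
        self.excluded = set()
        for start, end in excluded:                  # ip dhcp excluded-address start [end]
            a = ipaddress.IPv4Address(start)
            b = ipaddress.IPv4Address(end or start)
            self.excluded.update(ipaddress.IPv4Address(i) for i in range(int(a), int(b) + 1))
        self.bindings = {}                            # client MAC -> leased address

    def lease(self, mac: str) -> Optional[dict]:
        """Return the lease for a client, or None when every usable address is taken."""
        if mac in self.bindings:
            addr = self.bindings[mac]                 # existing binding is kept
        else:
            addr = next((a for a in self.network.hosts()   # hosts() skips network/broadcast
                         if a not in self.excluded and a not in self.bindings.values()), None)
            if addr is None:
                return None
            self.bindings[mac] = addr
        return {"address": str(addr), "mask": str(self.network.netmask), **self.options}

    def show_binding(self) -> list:
        """Rows in the spirit of 'show ip dhcp binding': (address, client MAC)."""
        return [(str(a), m) for m, a in self.bindings.items()]


def build_campus_pool() -> DhcpPool:
    """The campus pool from the notes plus constructed exclusions for its router and a spare."""
    return DhcpPool("172.16.12.0/24", "172.16.12.1", "172.16.1.2", "foo.com",
                    excluded=[("172.16.12.1", "172.16.12.10"), ("172.16.12.254", None)])


if __name__ == "__main__":
    pool = build_campus_pool()
    print(pool.lease("00:11:22:33:44:01"))
    print(pool.show_binding())
```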
-----------------------------
Verifying DHCP

Router#show ip dhcp binding

router#show ip dhcp server events ---> shows leases and expiration

-------------------------------
To get a DHCP address from a server that is on a different network (ex. server on
172.17.1.0, clients on 172.16.1.0):
--look at last slide for ip helpers in module 1
Use the ip helper-address command to relay broadcast requests for these key UDP
services. -> when DHCP tries to broadcast between routers, ip helper-address forwards it instead of the router blocking it.
6.2.7
Configuring SNMP

In order to have the NMS communicate with networked devices, the devices must have
SNMP enabled and the SNMP community strings configured. These devices are
configured using the command line syntax described in the following paragraphs.
More than one read-only string is supported. The default on most systems for this
community string is public. It is not advisable to use the default value in an enterprise
network. To set the read-only community string used by the agent, use the following
command:
Router(config)#snmp-server community string ro
• String – Community string that acts like a password and permits access to the
SNMP protocol
• ro – (Optional) Specifies read-only access. Authorized management stations are
only able to retrieve MIB objects.
More than one read-write string is supported. All SNMP objects are available for write
access. The default on most systems for this community string is private. It is not
advisable to use this value in an enterprise network. To set the read-write community
string used by the agent, use the following command:
Router(config)#snmp-server community string rw
• rw – (Optional) Specifies read-write access. Authorized management stations are
able to both retrieve and modify MIB objects
There are several strings that can be used to specify location of the managed device and
the main system contact for the device.
Router(config)#snmp-server location text
Router(config)#snmp-server contact text
• text – String that describes the system location information
These values are stored in the MIB objects sysLocation and sysContact .
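A constructed audit script, added here as an example (not from the course notes), that checks a saved running-config for the points the notes raise: SNMP community strings left at the default public or private, ports whose switchport mode was never fixed (so DTP negotiation is still on), trunks without loop guard, and no global spanning-tree portfast bpduguard default. The sample configuration, hostname and interface names are constructed.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [its indented config lines]} from a running-config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                # "!" or any global command ends the block
    return interfaces


def audit(config: str) -> list:
    """Findings, in config order, for the weak settings the notes warn about."""
    findings = []
    for m in re.finditer(r"^snmp-server community (\S+)(?:\s+(ro|rw))?", config, re.M | re.I):
        community, mode = m.group(1), (m.group(2) or "ro").lower()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community string '{community}' ({mode})")
    if not re.search(r"^spanning-tree portfast bpduguard default", config, re.M):
        findings.append("stp: 'spanning-tree portfast bpduguard default' not set")
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines or not any(l.startswith("switchport") for l in lines):
            continue                      # disabled or routed port: not a layer-2 edge
        if "switchport mode trunk" in lines:
            if "spanning-tree guard loop" not in lines:
                findings.append(f"{name}: trunk without loop guard")
        elif "switchport mode access" not in lines:
            findings.append(f"{name}: switchport mode not fixed (DTP negotiation enabled)")
    return findings


# Constructed running-config excerpt with one good and one bad example of each check.
SAMPLE_CONFIG = """\
hostname DLS2
!
snmp-server community public RO
snmp-server community s3cr3t-rw RW
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 10
!
interface FastEthernet0/4
 switchport mode trunk
 spanning-tree guard loop
!
interface FastEthernet0/5
 switchport access vlan 99
 shutdown
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config saved to a file; a port that only carries switchport access vlan with no switchport mode line is the common miss, because it still negotiates a trunk if the far end asks.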

Network management in an internetworked environment typically requires one
monitor per subnetwork.

SNMP Configuration (string values are private or public) --> other apps to monitor

Host commands

C:\host1>arp -an
Route commands
Netstat
Route print and other route commands

Ping Sweep

Another method for collecting MAC addresses is to employ a ping sweep across a
range of IP addresses. A ping sweep is a scanning method that can be executed at
the command line or by using network administration tools. These tools provide a
way to specify a range of hosts to ping with one command.

Using the ping sweep, network data can be generated in two ways. First, many of
the ping sweep tools construct a table of responding hosts. These tables often list
the hosts by IP address and MAC address. This provides a map of active hosts at the
time of the sweep.

As each ping is attempted, an ARP request is made to get the IP address in the ARP
cache. This activates each host with recent access and ensures that the ARP table is
current. The arp command can return the table of MAC addresses, as discussed
above, but now there is reasonable confidence that the ARP table is up-to-date.

SDM Configuration
Use the following process to access SDM for the first time. This procedure assumes that an
out-of-box router with SDM installed is being used, or that a default SDM configuration was
loaded into flash.
Step 1
Connect a PC to the lowest number LAN Ethernet port of the router using a cross-over cable.
Step 2
Assign a static IP address to the PC. It is recommended to use 10.10.10.2 with a 255.255.255.0
subnet mask.
Step 3
Launch a supported web browser.
Step 4
Use the URL https://10.10.10.1. A login prompt will appear.
Step 5
Log in using the default user account:
Username: sdm
Password: sdm
The SDM startup wizard opens, requiring a basic network configuration to be entered. To
access SDM after the initial startup wizard is completed, use either http: or https:, followed by
the router IP address.
When you enter https: it specifies that the Secure Sockets Layer (SSL) protocol be used for a
secure connection. If SSL is not available, use http: to access the router.
Once the WAN interface is configured, SDM is accessible through a LAN or WAN interface.
NOTE:
The startup wizard information needs to be entered only once and will only appear when a
default configuration is detected.
Troubleshooting SDM Access
Use the following tips to troubleshoot SDM access problems:
• First determine if there is a web browser problem by checking the following:
○ Are Java and JavaScript enabled on the browser? Enable them.
○ Are popup windows being blocked? Disable popup blockers on the PC, since
SDM requires popup windows.
○ Are there any unsupported Java plug-ins installed and running? Disable them
using the Windows Control Panel.
• Is the router preventing access? Remember that certain configuration settings are required
for SDM to work. Check the following:
○ Is one of the default configurations being used, or is an existing router
configuration being used? Sometimes new configurations disable SDM access.
○ Is HTTP server enabled on the router? If it is not, enable it and check that other
SDM prerequisite parameters are configured as well. Refer to the "Downloading
and Installing Cisco SDM" document for the required settings. This document can
be found at the weblink below.
○ Did SDM access work before, but now it's not? Ensure that the PC is not being
blocked by a new ACL. Remember that SDM requires HTTP, SSH, and Telnet
access to the router, which could have been inadvertently disabled in a security
lockdown.
• Is SDM installed?
○ The quickest way to determine this is to access it using the appropriate HTTP or
HTTPS method https://<router IP address>/flash/sdm.shtml.
○ Use the show flash command to view the flash file system and make sure that the
required SDM files are present.
Refer to NS1 labs

PIX

The primary rule for security levels is that an interface with a higher security level
can access an interface with a lower security level. Conversely, an interface with a
lower security level cannot access an interface with a higher security level without
an access control list (ACL). Security levels range from 0 to 100.
• Higher security level interface to a lower security level interface – For traffic originating
from the inside interface of the PIX with a security level of 100 to the outside interface of
the PIX with a security level of 0, all IP-based traffic is allowed unless it is restricted by
ACLs, authentication, or authorization.
• Lower security level interface to a higher security level interface – For traffic originating
from the outside interface of the PIX with a security level of 0 to the inside interface of
the PIX with a security level of 100, all packets are dropped unless specifically allowed
by an access-list command. The traffic can be restricted further if authentication and
authorization is used.
• Same secure interface to a same secure interface – No traffic flows between two
interfaces with the same security level.
• hostname – assigns a hostname to the PIX.
• interface – Configures the type and capability of each perimeter interface.
• nameif – Assigns a name to each perimeter interface.
• ip address – Assigns an IP address to each interface.
• security level – Assigns the security level for the perimeter interface.
• speed – Assigns the connection speed.
• duplex – Assigns the duplex communications.
In the interface configuration sub-commands, hardware speed and duplex, interface
name, security level, IP address, and many other settings can be configured. For an
interface to pass traffic, the nameif, ip address, security level, and no
shutdown interface configuration sub-commands are necessary.

nameif assigns a name to each interface on the PIX Security Appliance. The first
two interfaces have the default names inside and outside

ip address dhcp – have it acquire ip information

If it is necessary that interfaces with the same security level are able to
communicate, use the same-security-traffic command. Two interfaces could be
assigned to the same level to allow them to communicate without using NAT
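The security-level rule above, with the ACL exception and the same-security-traffic option, as an added example (a constructed Python model, not PIX code). An ACL applied inbound on an interface replaces the default level rule for traffic entering that interface and ends with an implicit deny. The interface set (inside 100, dmz 50, dmz2 50, outside 0), the DMZ web server's global address 192.168.0.11 and the host addresses are assumed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Ace:
    """One access-list entry: permit/deny <proto> <src net> <dst net> [eq <port>]."""
    action: str
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and ipaddress.IPv4Address(pkt["src"]) in self.src
                and ipaddress.IPv4Address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class Pix:
    levels: dict                                          # nameif -> security level
    access_groups: dict = field(default_factory=dict)     # nameif -> [Ace] applied inbound
    same_security: bool = False                           # same-security-traffic permit inter-interface

    def acl_permits(self, ifname: str, pkt: dict) -> bool:
        """First-match evaluation of the ACL bound to an interface; implicit deny at the end."""
        for ace in self.access_groups.get(ifname, []):
            if ace.matches(pkt):
                return ace.action == "permit"
        return False

    def allows(self, in_if: str, out_if: str, pkt: dict) -> bool:
        """Whether a packet entering in_if and leaving out_if is allowed to start a connection."""
        if in_if in self.access_groups:
            return self.acl_permits(in_if, pkt)      # an applied ACL decides, whatever the levels
        src_lvl, dst_lvl = self.levels[in_if], self.levels[out_if]
        if src_lvl > dst_lvl:
            return True                              # higher to lower: allowed by default
        if src_lvl == dst_lvl:
            return self.same_security                # same level: blocked unless enabled
        return False                                 # lower to higher: needs an ACL


def build_sample_pix() -> Pix:
    """Constructed appliance: the only ACL is inbound on outside and admits HTTP to one DMZ server."""
    pix = Pix(levels={"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0})
    pix.access_groups["outside"] = [
        Ace("permit", "tcp", ipaddress.IPv4Network("0.0.0.0/0"),
            ipaddress.IPv4Network("192.168.0.11/32"), 80),
    ]
    return pix


if __name__ == "__main__":
    pix = build_sample_pix()
    web = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.168.0.11", "dport": 80}
    print("outside->dmz web:", pix.allows("outside", "dmz", web))
    print("outside->dmz ssh:", pix.allows("outside", "dmz", dict(web, dport=22)))
```

Note the consequence of the first branch: binding an ACL to the inside interface also removes the default permit for inside-to-outside traffic, so an ACL there must list what inside users may reach.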

• nat-control – Enable or disable NAT configuration requirement.


• nat – Shields IP addresses on the inside network from the outside network.
• global – Creates a pool of one or more IP addresses for use in NAT and PAT.
• route – Defines a static or default route for an interface.
• The nat Command
The first step in enabling NAT on a PIX Security Appliance is entering the nat command.
The nat command can specify translation for a single host or a range of hosts. The nat
command has two major components, nat_id and IP address or range of IP addresses. A
nat_id is a number from 1 to 2147483647 which specifies the hosts for dynamic address
translation. The dynamic addresses are chosen from a global address pool created with
the global command. The nat command nat_id number must match the nat_id number in
the global command if you want to use that specific global pool of IP addresses for the
dynamic address translation.
• For example, the nat (inside) 1 10.0.0.0 255.255.255.0 command means that all
outbound connections from a host within the specified network, 10.0.0.0, can pass
through the PIX Security Appliance with address translation. The nat (inside) 1 10.0.0.11
255.255.255.255 command means that only outbound connections originating from the
inside host 10.0.0.11 are translated as the packet passes through the PIX. Administrators
can use 0.0.0.0 to allow all hosts to be translated. The 0.0.0.0 can be abbreviated as 0. As
shown in the Figure all inside hosts making outbound connections with the nat (inside)
1 0.0.0.0 0.0.0.0 command are translated. The nat_id identifies the global address pool
the PIX will use for the dynamic address translation.
• The syntax for the nat command is shown in Figure .
• The global Command
In order for a local address to be translated using NAT, a global pool of addresses must be
defined. In a PIX Security Appliance configuration, there may be more than one global
pool configured. Each outbound network address translation is associated with a nat id.
Each global pool has a corresponding nat_id. The PIX uses the nat_id of the outbound IP
packet to identify which global pool of addresses to select a translation IP address from.
The nat_id of the outbound packet must match the nat_id of the global pool. The PIX
assigns addresses from the designated global pool starting from the low end to the high
end of the range specified in the global command. The pool of global IP addresses is
configured with the global command.
• In Figure , host 10.0.0.11 starts an outbound connection. The nat_id of the outbound
packet is 1. In this instance, a global IP address pool of 192.168.0.20-254 is also
identified with a nat_id of 1. The PIX assigns an IP address of 192.168.0.20. It is the
lowest available IP address of the range specified in the global command. Packets from
host 10.0.0.11 are seen on the outside as having a source address of 192.168.0.20.
• The syntax for the global command is shown in Figure . If the nat command is used,
the companion command, global, must be configured to define the pool of translated IP
addresses. Use the no global command to delete a global entry.
NOTE:
The PIX Security Appliance uses the global addresses to assign a virtual IP address to an internal
NAT address. After adding, changing, or removing a global statement, use the clear xlate
command to make the IP addresses available in the translation table.

route command to enter a static route for an interface.

Static routes can be created to access specific networks beyond the locally
connected networks. For example, in Figure , PIX Security Appliance sends all
packets destined to the 10.0.1.0 255.255.255.0 network out the inside interface to
the router at IP address 10.0.0.102. This static route was created by using the
command route inside 10.0.1.0 255.255.255.0 10.0.0.102 1. The router knows
how to route the packet to the destination network of 10.0.1.0.
Commonly Used show Commands
The show memory command displays a summary of the maximum physical memory, current
used memory, and current free memory available to the PIX Security Appliance operating
system.
The show cpu usage command displays CPU use.
Use the show version command to display the PIX Security Appliance software version,
operating time since the last reboot, processor type, Flash memory type, interface boards, serial
number, BIOS identification, and activation key value.
The show ip address command is used to view the IP addresses that are assigned to the network
interfaces.
The show interface command is used to view network interface information. This is one of the
first commands that should be used when trying to establish connectivity.
Use the show nameif command to view the named interfaces. In Figure , the first two
interfaces have the default names inside and outside. The inside interface has a default security
level of 100, and the outside interface has a default security level of 0. Ethernet2 is assigned a
name of dmz with a security level of 50.
If it is necessary to allow internal hosts to be able to ping external hosts, an ACL for
echo reply is necessary. If pings through the PIX Security Appliance between hosts
or routers are not successful, use the debug icmp trace command to monitor the
success of the ping.
The show run nat command to display a single host or range of hosts to be translated. In Figure
, all hosts on the 10.0.0.0 network will be translated when traversing the PIX Security
Appliance. The nat-id is 1.
The show run global command displays the global pools of addresses configured in the PIX
Security Appliance. In Figure there is currently one pool configured. The pool is configured on
the outside interface. The pool has an IP address range of 192.168.0.20 to 192.168.0.254. The
nat_id is 1.
The show xlate command displays the contents of the translation slot. In Figure , the number
of currently used translations is 1 with a maximum count of 1. The current translation is a local
IP address of 10.0.0.11 to a global IP address of 192.168.0.20.
NTP
The ntp server command synchronizes the PIX Security Appliance with a specified network
timeserver. The PIX can be configured to require authentication before synchronizing with the
NTP server. To enable and support authentication, there are several forms of the ntp command
that work with the ntp server command. Additional information about the ntp command forms
and their uses is available in the Command Reference.
The show run ntp command can be used to display the current NTP configuration. The show
ntp status
• 0 – emergencies – System unusable messages
• 1 – alerts – Take immediate action
• 2 – critical – Critical condition
• 3 – errors – Error message
• 4 – warnings – Warning message
• 5 – notifications – Normal but significant condition
• 6 – informational – Information message
• 7 – debugging – Debug messages and log FTP commands and WWW URLs
The show logging Command
Use the show logging command to see the logging configuration and any
internally buffered messages. Use the clear logging
The primary rule for security levels is that an interface with a higher security level
can access an interface with a lower security level.
Two Interfaces with NAT
In Figure , the first nat command statement permits all hosts on the 10.0.0.0 network to start
outbound connections using the IP addresses from a global pool. The second nat command
statement permits all hosts on the 10.2.0.0 network to do the same. The nat_id in the first nat
command statement tells the PIX Security Appliance to translate the 10.0.0.0 addresses to those
in the global pool containing the same nat_id . Likewise, the nat_id in the second nat command
statement tells the PIX to translate addresses for hosts on network 10.2.0.0 to the addresses in the
global pool containing nat_id 2.
Three Interfaces with NAT
In Figure , the first nat command statement enables hosts on the inside interface, which has a
security level of 100, to start connections to hosts on interfaces with lower security levels. In this
case, that includes hosts on the outside interface and hosts on the demilitarized zone (DMZ). The
second nat command statement enables hosts on the DMZ, which has a security level of 50, to
start connections to hosts on interfaces with lower security levels. In this case, that includes only
the outside interface.
Because both global pools and the nat (inside) command statement use a nat_id of 1, addresses
for hosts on the 10.0.0.0 network can be translated to those in either global pool. Therefore, when
users on the inside interface access hosts on the DMZ, their source addresses will be translated to
addresses in the 172.16.0.20−172.16.0.254 range from the global (dmz) command statement.
When they access hosts on the outside, their source addresses will be translated to addresses in
the 192.168.0.20−192.168.0.254 range from the global (outside) command statement.
When users on the DMZ access hosts on the outside, their source addresses will always be
translated to addresses in the 192.168.0.20−192.168.0.254 range from the global (outside)
command statement.
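How the nat_id ties a nat statement to a global pool on the egress interface, applied to the three-interface example above, as an added example (a constructed Python model, not PIX code). It also carries the nat 0 identity case mentioned later for a DMZ server that must not be translated. The DMZ network 172.16.0.0/24 and the host addresses are assumed; the global pools and nat (inside) 1 10.0.0.0 statement are the ones in the notes.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatStmt:
    ifname: str                      # nat (<ifname>) <nat_id> <net> <mask>
    nat_id: int
    net: ipaddress.IPv4Network


@dataclass
class GlobalPool:
    ifname: str                      # global (<ifname>) <nat_id> <first>-<last>
    nat_id: int
    addrs: list
    in_use: dict = field(default_factory=dict)   # local ip -> global ip (the xlate slots)


class PixNat:
    def __init__(self):
        self.nats, self.globals = [], []

    def nat(self, ifname: str, nat_id: int, net: str, mask: str) -> None:
        self.nats.append(NatStmt(ifname, nat_id, ipaddress.IPv4Network(f"{net}/{mask}")))

    def global_(self, ifname: str, nat_id: int, first: str, last: str) -> None:
        a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        addrs = [str(ipaddress.IPv4Address(i)) for i in range(int(a), int(b) + 1)]
        self.globals.append(GlobalPool(ifname, nat_id, addrs))

    def xlate(self, src_ip: str, in_if: str, out_if: str) -> Optional[str]:
        """Address a host entering in_if is seen with when it leaves out_if, or None when
        no nat/global pair covers it (no translation slot, so the connection fails)."""
        addr = ipaddress.IPv4Address(src_ip)
        mine = [n for n in self.nats if n.ifname == in_if and addr in n.net]
        if any(n.nat_id == 0 for n in mine):
            return src_ip                          # nat 0: identity, address stays visible
        if not mine:
            return None
        stmt = mine[0]
        pool = next((g for g in self.globals
                     if g.ifname == out_if and g.nat_id == stmt.nat_id), None)
        if pool is None:
            return None                            # no global with this nat_id on out_if
        if src_ip not in pool.in_use:
            free = [a for a in pool.addrs if a not in pool.in_use.values()]
            if not free:
                return None
            pool.in_use[src_ip] = free[0]          # lowest available address, as in the notes
        return pool.in_use[src_ip]

    def show_xlate(self) -> list:
        """Rows in the spirit of 'show xlate': (interface, local ip, global ip)."""
        return [(g.ifname, local, glob) for g in self.globals for local, glob in g.in_use.items()]


def build_sample_pix_nat() -> PixNat:
    p = PixNat()
    p.nat("inside", 1, "10.0.0.0", "255.255.255.0")
    p.nat("dmz", 1, "172.16.0.0", "255.255.255.0")          # assumed DMZ network
    p.nat("dmz", 0, "192.168.0.9", "255.255.255.255")       # server left untranslated
    p.global_("outside", 1, "192.168.0.20", "192.168.0.254")
    p.global_("dmz", 1, "172.16.0.20", "172.16.0.254")
    return p


if __name__ == "__main__":
    p = build_sample_pix_nat()
    for host, i, o in [("10.0.0.11", "inside", "outside"), ("10.0.0.11", "inside", "dmz"),
                       ("192.168.0.9", "dmz", "outside")]:
        print(host, i, "->", o, "=", p.xlate(host, i, o))
    print(p.show_xlate())
```

The same inside host gets a different global address depending on the egress interface because each interface's pool is matched separately on nat_id, which is exactly the behaviour the three-interface paragraph describes.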

Use the static command for outbound connections that must be mapped to the
same global IP address.

the address 192.168.0.9 is not translated. When the command nat (DMZ) 0
192.168.0.9 255.255.255.255 is entered, the PIX Security Appliance displays the
following message:

NAT 0 enables the Internet server address to be visible on the outside interface. The
administrator also needs to add a static in combination with an access-list to
allow users on the outside to connect with the Internet server.

The show conn command displays information about the active TCP connections.

The show conn detail Command


When the show conn detail option is used, the system displays information about the translation
type, interface information, IP address/port number, and connection flags. In Figure , the two
connections display a flag value of UIO. According the flag definition, the connections are up.
The connections are passing inbound and outbound data.
The show local-host Command
The show local-host command displays the network states of local hosts. A local-host entry is
created for any host that forwards traffic to, or through, the PIX Security Appliance. This
command shows the translation and connection slots for the local hosts. In Figure , the inside
host 10.0.0.11 establishes a web connection with server 192.168.10.11. The output of the show
local-host command is displayed in Figure .

To configure OSPF on the PIX Security Appliance requires the administrator to do the following:
• Enable OSPF
• Define the PIX Security Appliance interfaces on which OSPF runs
• Define OSPF areas
Enable OSPF
To enable OSPF routing, use the router ospf command. The syntax for the router ospf
command is shown in Figure .
The PIX Security Appliance can be configured for one or two processes, or OSPF routing
domains. If the PIX is functioning as an ABR and it is configured for one process, the PIX will
pass type 3 LSA between defined OSPF areas. In the example in Figure , the PIX is configured
for one OSPF process, OSPF 1.
Define Network Interfaces
To define the interfaces on which OSPF runs and the area ID for those interfaces, use the
network area subcommand.
The syntax for the network area command is shown in Figure .
FWSM, the following tasks must be completed:
• Initialize the FWSM.
• Configure the switch VLANs.
• Associate VLANs with the FWSM.
The switch CLI is accessible through a Telnet connection to the switch or through the switch
console interface.
Verify FWSM Installation
Before the FWSM can be used, it must be verified that the card is installed and recognized by the
switch. Enter the show module command to verify that the system acknowledges the new
module and has brought it online.
The syntax for the show module command is shown in Figure .
Configure the Switch VLANs
The FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces
. Hosts are connected to switch ports, and VLANs are assigned to those physical switch ports. To
prevent mismatched VLANs, the administrator should first configure a VLAN on the MSFC, and
then configure the VLANs on the FWSM. VLAN IDs must be the same for the switch and the
FWSM. After the MSFC VLAN is configured, specific VLANs can be associated with a FWSM.
The first step was to add VLANS to the MSFC. The next step is to associate VLANs to be
inspected by the FWSM. A VLAN can be linked with a specific FWSM by using the firewall
command.
The firewall vlan-group command creates a group of firewall VLANs named by the vlan-group
parameter. The syntax for the firewall vlan-group command is shown in Figure .
Once a group of VLANs are assigned to a group, the firewall module command associates a
VLAN group with a specific FWSM.
The syntax for the firewall module command is shown in Figure
In the example in Figure , VLANs 100, 200, and 300 have been placed into Firewall VLAN-
group 1. The FWSM in slot 4 is associated with VLAN-group 1, VLANs 100, 200, and 300.
Verify the MSFC Configuration
The administrator can verify that the MSFC is properly configured for interaction with the
FWSM. The show firewall vlan-group command verifies which VLANs are assigned to each
firewall VLAN-group. The show firewall module command verifies that the VLAN-groups are
assigned to the associated slot where the FWSM resides.
Configure the FWSM Interfaces
The FWSM is now installed. The MSFC VLANs are configured. The FWSM VLANs are
associated with a specific FWSM. The next step is to configure the security policy on the
FWSM. The FWSM can be accessed by using the session command. Use the default password
cisco for the FWSM when prompted. A prompt for an enable mode password is then displayed.
By default, there is no password, and the Enter key can be pressed to access the enable mode. It
is recommended that you change the enable password to a valid value and use this for future
access to this mode.
Once on the FWSM, standard security appliance commands are used to configure interface
names, add security levels, and specify IP addresses.
The example in Figure shows the use of the nameif command and associates VLAN 100 as the
outside interface and sets the interface with a security level of 0. It also defines VLAN 200 as the
inside interface. It specifies VLAN 300 as the dmz interface. In all cases, the use of the ip
address command is used to add an IP address to each interface.
Configure A Default Route
A default route may also need to be added. In the example in Figure , a default route is created,
pointing to the VLAN 100 interface of the MSFC.
It may also be necessary to create static routes. Multiple context mode does not support dynamic
routing, so static routes must be used to reach any networks to which the FWSM is not directly
connected, such as when a router is between the destination network and the FWSM.
Static routes might be appropriate in single context mode if:
• The network uses a routing protocol other than RIP or OSPF.
• The network is small and static routes can be easily managed.
• The traffic or CPU overhead associated with routing protocols is to be avoided.
Configure the FWSM access-lists
The administrator needs to create ACLs to allow outbound as well as inbound traffic because the
FWSM, unlike the security appliances, denies all inbound and outbound connections that are not
explicitly permitted by ACLs. Explicit access rules need to be configured using the access-list
command and attached to the appropriate interface using the access-group command to allow
traffic to pass through that interface. Traffic that has been permitted into an interface can exit
through any other interface. Return traffic matching the session information is permitted without
an explicit ACL.
Firewall Services Module Operation
3.8.3 Using PDM with the FWSM

PDM v. 4.0 can be used to configure and monitor FWSM v. 2.2. Figure shows the steps
needed to prepare the FWSM to use PDM. Be sure to initialize the FWSM before
attempting to install PDM.
• Use the copy tftp flash command to copy the PDM image into FWSM flash
copy tftp://10.1.1.1/pdm-XXX.bin flash:pdm
(where XXX = pdm image version number)
• Enable the http server on the FWSM. Without it, PDM will not start.
http server enable
• Identify the specific hosts/networks that can access the FWSM using HTTP.
http 1.1.1.0 255.255.255.0 inside
Hosts from network 10.1.1.0 (on the inside interface) are permitted http access.
• Launch the browser and enter the following address:
https://10.1.1.1 (FWSM inside interface)
Resetting and Rebooting the FWSM
If the module cannot be reached through the CLI or an external Telnet session, enter the
hwmod module module_number reset command to reset and reboot the module. The
reset process requires several minutes. The syntax for the command is shown in Figure .
The example in Figure shows how to reset the module, installed in slot 4, from the CLI.
When the FWSM initially boots, by default it runs a partial memory test. To perform a full
memory test, use the hw-module module module_number mem-test-full command. The
syntax of the command is shown in Figure .
A full memory test takes more time to complete than a partial memory test depending on
the memory size. The table in Figure lists the memory and approximate boot time for a
long memory test.

PIX ACLs
The show access-list command also lists a hit count that indicates the number of times an
element has been matched during an access-list command search.
The clear access-list command is used to clear an access list counter. If the counters option is
specified, it clears the hit count for the specified ACL. If no ACL is specified, all of the access
list counters are cleared.
The no access-list command removes an access-list command from the configuration. If all of
the access-list command statements in an ACL group are removed, the no access-list command
also removes the corresponding access-group command from the configuration.
The access-list mode command allows the administrator to specify whether the defined ACL
should be active immediately or when specified. The access-list commit command activates
the previously created ACL.
Use the access-list id line line-num command to insert an access-list command
statement, and the no access-list id line line-num command to delete an access-
list command statement. Line numbers are maintained internally in increasing
order, starting from 1. A user can insert a new entry between two consecutive ACEs
by choosing the line number of the ACE with the higher line
In Figure the users in the corporate office wish to communicate with the branch
site over a VPN tunnel. To accomplish this, the administrator employs nat 0
access-list. The IP source network, 10.0.0.0/24, and IP destination network,
10.200.0.0/24, are defined in the ACL. The ACL is applied to the nat 0 command.
Any VPN traffic originating at 10.0.0.0/24 and destined for 10.200.0.0/24 is not
translated by the PIX.
ActiveX Filtering
Another application that can be filtered by the PIX Security Appliance in order to protect against
malicious applets is ActiveX. ActiveX controls are applets that can be inserted in Web pages or
other applications. They were formerly known as Object Linking and Embedding (OLE) or
Object Linking and Embedding Control (OCX). ActiveX controls create a potential security
problem because they provide a way for someone to attack servers. Due to this security threat,
administrators have the option of using the PIX to block all ActiveX controls.
The filter {activex | java} command filters out ActiveX or Java usage from outbound packets. In
the example in Figure , the command specifies that ActiveX is being filtered on port 80 from
any internal host and for connection to any external host. The Command Reference provides
more information about the commands and syntax for blocking ActiveX or Java.
Use the url-server command to designate the server on which the URL filtering application runs,
and then enable the URL filtering service with the filter url command.
PIX Security Appliance Software Versions 6.1 and earlier do not support the filtering of URLs
longer than 1159 bytes. PIX version 6.2 supports the filtering of URLs up to 6 KB for the
Websense filtering server. The maximum allowable length of a single URL can be increased by
entering the url-block url-size command. This option is available with Websense URL filtering
only.
HTTPS and FTP Filtering
This feature extends Web-based URL filtering to HTTPS and FTP. The filter ftp and filter https
commands were added to the filter command in PIX Security Appliance Software Version 6.3.
The filter ftp command enables FTP filtering. The filter https command enables HTTPS
filtering. The filter ftp and filter https commands are available with Websense URL filtering
only.
The example command in Figure instructs the PIX Security Appliance to send all URL
requests to the URL filtering server to be filtered. The allow option in the filter command is
crucial to the use of the PIX URL filtering feature. If the allow option is used and the URL
filtering server goes offline, the PIX lets all FTP and HTTPS URL requests continue without
filtering. If the allow option is not specified, all FTP and HTTPS URL requests are stopped until
the server is back online.
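The applet and URL filtering commands described above combined into one added PIX 6.3-style example; this is not configuration from the page. The Websense server address 10.0.0.20 is assumed, as is the choice of the allow keyword:

```cisco
! Constructed example. Block ActiveX and Java applets in outbound HTTP (port 80) from
! every inside host to every outside host; "0 0 0 0" means any local IP/mask and any
! foreign IP/mask.
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
!
! Designate the Websense server reachable through the inside interface (address assumed),
! then hand HTTP, HTTPS and FTP URL requests to it.
url-server (inside) vendor websense host 10.0.0.20 timeout 5 protocol TCP version 4
filter url http 0 0 0 0 allow
filter https 443 0 0 0 0 allow
filter ftp 21 0 0 0 0 allow
! Raise the longest single URL the PIX will send to Websense to 4 KB (Websense only).
url-block url-size 4
```

The allow keyword is a fail-open decision: if the filtering server is unreachable, traffic passes unfiltered rather than being blocked. Omitting it gives fail-closed behaviour, which is safer but turns a filtering-server outage into a web outage, so the choice should be made deliberately and the server's availability monitored either way.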

• Network – Used to group client hosts, server hosts, or subnets.


• Protocol – Used to group protocols. It can contain one of the keywords icmp, ip, tcp, or
udp, or an integer in the range 1 to 254 representing an IP protocol number. Use the
keyword ip to match any Internet protocol, including ICMP, TCP, and UDP.
• Service – Used to group TCP or UDP port numbers assigned to a different service.
• ICMP-type – Used to group ICMP message types which are permitted or denied access.
Applying a PIX Security Appliance object group to a command is the equivalent of applying
every element of the object group to the command. In the example shown in Figure , the group
DMZ_Servers contains servers 192.168.0.10, 192.168.0.11, and 192.168.0.12. The group
DMZ_Services supports HTTP, HTTPS, and FTP protocols. Applying the groups DMZ_Servers
and DMZ_Services to an ACE is the same as applying all of the hosts and protocols individually.

9.2.2
Getting started with object groups

Complete the following steps to configure an object group and to use it in the
configuration of ACLs:
Step 1 Use the object-group command to enter the appropriate subcommand mode for
the type of group to be configured. All subcommands entered from the subcommand
prompt apply to the object group identified by the object-group command.
Step 2 In subcommand mode, define the members of the object group. In subcommand
mode, object grouping subcommands as well as all other PIX Security Appliance
commands can be entered, including show commands and clear commands. Enter a
question mark (?) in the subcommand mode to view the permitted subcommands.
Step 3 (Optional) Use the description subcommand to describe the object group.
Step 4 Return to configuration mode by entering the exit command or the quit command.
When any valid configuration command other than one designed for object grouping is
entered, the subcommand mode is terminated.
Step 5 (Optional) Use the show object-group command to verify that the object group
has been configured successfully. This command displays a list of the currently configured
object groups of the specified type. Without a parameter, the command displays all object
groups.
Step 6 Apply the object group to the access-list command. Replace the parameters of the
access-list command with the corresponding object group, as summarized in Figure .
Step 7 (Optional) Use the show access-list command to display the expanded ACEs.
The group-object command is used to construct hierarchical, or nested, object groups. The
group-object command, which is not to be confused with the object-group command, places
one object group into another.
The difference between object groups and group objects is as follows:
• An object group is a group consisting of objects.
• A group object is an object in a nested group and is itself a group.
Nested Object Group Examples
In Figure , the access-list named ALL enables all hosts in HOSTGROUP1 and
HOSTGROUP2 to make outbound FTP connections. Without nesting, all the IP addresses in
HOSTGROUP1 and HOSTGROUP2 would have to be redefined in the ALLHOSTS group. With
nesting, however, the duplicated definitions of the hosts are eliminated.
Figure illustrates multiple nested object groups configured so that one ACL entry enables
remote hosts 172.26.26.50 and 172.26.26.51 to initiate FTP and SMTP connections to all local
hosts in the ALLHOSTS group. Note that with object grouping configured, only one ACL entry
is required.
• show object-group
• no object-group
• clear object-group
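An added example covering both the seven-step object-group procedure and the nested-group discussion above (it is not configuration from the page). The DMZ_Servers members and the DMZ_Services ports are the page's; the hosts placed in HOSTGROUP1 and HOSTGROUP2, the ICMP group, the ACL names and the interface names are assumed:

```cisco
! Constructed example. Steps 1-4: enter each subcommand mode, define members, describe.
object-group network DMZ_Servers
 description Public servers in the DMZ
 network-object host 192.168.0.10
 network-object host 192.168.0.11
 network-object host 192.168.0.12
object-group service DMZ_Services tcp
 description Services the DMZ servers expose
 port-object eq www
 port-object eq https
 port-object eq ftp
object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply
!
! Step 6: one ACE stands for 3 hosts x 3 ports = 9 expanded entries.
access-list OUTSIDE_IN permit tcp any object-group DMZ_Servers object-group DMZ_Services
access-list OUTSIDE_IN permit icmp any object-group DMZ_Servers object-group PING
access-group OUTSIDE_IN in interface outside
!
! Nested groups: ALLHOSTS reuses the two host groups instead of repeating their members,
! so adding a host to HOSTGROUP1 automatically extends every ACL that uses ALLHOSTS.
object-group network HOSTGROUP1
 network-object host 10.0.0.10
 network-object host 10.0.0.11
object-group network HOSTGROUP2
 network-object host 10.0.1.10
 network-object host 10.0.1.11
object-group network ALLHOSTS
 group-object HOSTGROUP1
 group-object HOSTGROUP2
access-list ALL permit tcp object-group ALLHOSTS any eq ftp
access-group ALL in interface inside
!
! Steps 5 and 7: the first command lists the groups as configured, the second shows
! the ACL expanded into one ACE per host/port combination.
! show object-group network
! show access-list OUTSIDE_IN
```

Reviewing the expanded output of show access-list is the check that matters: a group that silently grew (for example a whole subnet added to DMZ_Servers) widens every ACE that references it, and the expanded view is where that becomes visible.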

9.3.2
Configure a class map

The class-map command is used to classify a set of traffic with which security actions
may be associated. Configuring a class map is a two step process. The steps are to name a
class of traffic and define the attributes of the traffic. A name is assigned to each
individual class of traffic. For example in Figure , there are four traffic classes named.
The class-map se command identifies the system engineer remote VPN traffic from the
system engineers. The class-map s2s command identifies the remote VPN traffic from the
system engineers.
The syntax of the class-map commands is as follows:
class-map class_map_name
After a class of traffic is named, the characteristics of the traffic flow are identified. To be
considered part of a named class, a traffic flow must match a defined set of attributes.
There are various types of match criteria in a class map. One example of match criteria is
an access list that defines all traffic from the Internet to the DMZ. Another match is VPN
tunnel-group. This includes all members of the SE and EXEC tunnel-groups. Another such
match is a TCP or UDP port number. This could be used to define all HTTP or FTP traffic.
The class matching criteria are as follows:
• match access-list – This keyword specifies to match an entry in an access-list.
• match any – This keyword specifies that all traffic is to be matched. Match any is
used in the class-default class-map.
• match dscp – This keyword specifies to match the IETF defined Differentiated
Service Code Point (DSCP) value in the IP header. This allows the administrator to
define classes based on the DSCP values defined within the TOS byte in the IP
header.
• match flow – This keyword specifies to match each IP flow within a tunnel-group.
This match command must be used in conjunction with the match tunnel-group
command.
• match port – This keyword specifies to match traffic using a TCP or UDP
destination port.
• match precedence – This keyword specifies to match the precedence value
represented by the TOS byte in the IP header. This allows the administrator to
define classes based on the precedence defined within the TOS byte in the IP
header.
• match rtp – This keyword specifies to match Real-Time Transport Protocol (RTP)
destination port. This allows the administrator to match on a UDP port number
within the specified range. The allowed range is targeted at capturing applications
likely to be using RTP.
• match tunnel-group – This keyword specifies to match tunnel traffic.
A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP
traffic with a port value of 21 and 80 may be classified as an Internet traffic class.

9.3.3
Configure a policy map
The policy-map command is used to configure various policies. A policy consists of a
class command and its associated actions. The PIX Security Appliance supports one
policy per interface and one global policy. Each policy map may support multiple classes
and policy actions. In the example in Figure , there are two policy maps, the outside
policy map and the global policy map. The outside policy map supports four class maps,
these are the Internet, SE, EXEC, and S2S class maps. IDS, Inspect, police, and priority
actions are associated with the aforementioned classes. The global policy map supports
default inspection criteria for all traffic.
The following steps are used to define a policy map:
Step 1 Name the policy.
Step 2 Identify a class of traffic covered by this policy.
Step 3 Associate an action or actions with each traffic flow.
The first step is to define the policy maps. In the example in Figure , there are two
policy maps, outside and global.
The next step is to identify which traffic flows, or classes, are specified in a policy map.
Each traffic flow is identified by a class map name. In the example in Figure , the
outside policy map is identified. Internet class traffic flow is assigned to the outside policy
map.
The syntax of the policy-map commands is as follows:
policy-map policymap_name
description text
class classmap_name
The last step is to associate actions with specific traffic flows within a policy map. In the
example in Figure , the policy map name, outside, is defined. The Internet class of
traffic is defined. The administrator must next associate actions with this traffic flow. The
policy action options are to forward traffic to IDS, perform specified protocol inspections,
police the bandwidth used by the specified flow, direct the flow to the low latency queue,
or set connection parameters on these flows.
To display all of the policy map configurations or the default policy map configuration,
use the show running-config policy-map command.
More information about the syntax of the policy-map command is available in the
Command Reference.

9.3.4
Configure a service policy

To activate a policy map globally on all interfaces or on a single interface, use the service-
policy command in privileged EXEC mode. The interface can be a VLAN interface or
a physical interface. In general, a service-policy command can be applied to any interface
that can be defined by the nameif command. To disable, use the no form of this command.
To display all currently running service policy configurations, use the show running-
config service-policy command in global configuration mode.
To display the configured service policies, use the show service-policy command in
global configuration mode.
The syntax for these commands is available in the Command Reference.
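Sections 9.3.2 through 9.3.4 are the three steps of one procedure, so here they are carried through as a single added PIX/ASA 7.0 Modular Policy Framework example (not configuration from the page or the curriculum). The class names Internet, SE, S2S, the outside policy map and the global policy map follow the page; the ACL contents, tunnel-group names, RTP port range, police rates, connection limits and the VOICE class are assumed:

```cisco
! Constructed example. Traffic that the Internet class should match (assumed ACL).
access-list INTERNET_TO_DMZ extended permit tcp any 192.168.0.0 255.255.255.0 eq www
!
! Steps 1-2 of 9.3.2: name each class and give it one match criterion. A class map
! holds a single match statement; the only permitted pair is tunnel-group plus flow.
class-map Internet
 match access-list INTERNET_TO_DMZ
class-map SE
 match tunnel-group SE
 match flow ip destination-address
class-map S2S
 match tunnel-group S2S
class-map VOICE
 match rtp 16384 16383
class-map inspection_default
 match default-inspection-traffic
!
! 9.3.3: one policy map for the outside interface. "priority" requires the interface
! to have a priority queue, which is a global command.
priority-queue outside
policy-map outside
 description Policy for traffic arriving on the outside interface
 class Internet
  inspect http
  set connection conn-max 1000 embryonic-conn-max 200
 class SE
  police 256000 8000
 class S2S
  police 1000000 16000
 class VOICE
  priority
!
! The single global policy carries the default inspections for every interface.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns maximum-length 512
!
! 9.3.4: activate them. Only one policy per interface and one global policy may exist.
service-policy outside interface outside
service-policy global_policy global
!
! Verification:
! show running-config policy-map
! show service-policy interface outside
```

Because the SE class matches tunnel-group plus flow, the police action applies per remote-access client rather than to the tunnel group as a whole; the S2S class has no flow match, so its rate limit covers the whole site-to-site tunnel. The embryonic-connection limit on the Internet class is the knob that bounds half-open TCP connections toward the DMZ servers.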
Advanced protocol inspection: how to add an inspection and set a policy
Use the ftp-map command to define which FTP commands should be blocked. After the
administrator enters the ftp-map command and a map name, the system enters the FTP map
configuration mode. The deny-request-cmd command enables the administrator to list which
FTP request commands should be blocked. In the example in Figure , the inbound_ftp ftp-map
was defined. The inbound_ftp ftp-map identifies the commands to be filtered.
In the example in Figure , the inbound_ftp ftp-map identifies six FTP request commands to
filter. The class map inbound_ftp_traffic matches traffic defined by access-list 101, FTP traffic
between any host and host 192.168.1.11, the FTP server. In the inbound policy map, the FTP
command request restrictions defined in the ftp map inbound_ftp, are associated with the
inbound_ftp_traffic class of traffic. Lastly, the inbound policy is enabled on the outside interface.

To enable enhanced HTTP inspection, use the inspect http http-map command. The enhanced
rules that apply to HTTP traffic are defined by http-map command.
9.4.5
Enhanced HTTP Inspection Configuration
Configuring enhanced HTTP inspection is a four step process. The four steps in the process
are as follows:
Step 1 Configure the http-map command to define the enhanced HTTP inspection parameters
and the action taken when a parameter in the configured category is detected.
Step 2 Identify the flow of traffic using the class-map command. The administrator can use the
default class map, inspection_default. The administrator can also define a new traffic flow, for
example any hosts trying to access the corporate web server from the internet.
Step 3 Associate the HTTP map with a class of traffic with the policy-map command. The
administrator can use the default policy map, asa_global_fw_policy. The administrator can also
define a new policy, such as an inbound traffic policy for any hosts trying to access the corporate
web server from the internet.
Step 4 Apply the policy to an interface, or globally, using the service-policy command. The
administrator can use the default service-policy, asa_global_fw_policy. The administrator can
also define a new service policy, such as a policy for all inbound internet-sourced traffic, and
apply the service policy to the outside interface.
In the example in Figure , the administrator created a new modular policy for HTTP traffic
from the Internet to the corporate web server with an IP address of 192.168.1.11, rather than
modify the existing default global modular policy. To accomplish this, the administrator
configured a new HTTP map, class map, policy map and service policy. The administrator
created an HTTP map, inbound_http. In the HTTP map, they restricted RFC request methods,
defined message criteria, and restricted HTTP applications. In the class map, they identified the
traffic flow with a matching ACL, access-list 102. In a new policy map, the administrator
associated the actions in the new HTTP map with traffic identified in the ACL. Lastly, the new
service policy is enabled on the outside interface.
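The FTP-map procedure and the four-step HTTP-map procedure above, written out as one added PIX 7.0 example protecting the page's server 192.168.1.11 (not the page's own configuration). ACL numbers 101 and 102, the map names inbound_ftp and inbound_http, the class name inbound_ftp_traffic and the policy name inbound are the page's; the specific FTP command list, the HTTP thresholds and the class name inbound_http_traffic are assumed:

```cisco
! Constructed example. Traffic selectors for the two inspections.
access-list 101 extended permit tcp any host 192.168.1.11 eq ftp
access-list 102 extended permit tcp any host 192.168.1.11 eq www
!
! FTP: block the request commands that modify the server's file system, so
! anonymous users of a download-only server cannot upload, rename or delete.
! (The subcommand is given here in the form the page uses.)
ftp-map inbound_ftp
 deny-request-cmd appe dele mkd put rmd rnfr rnto
!
! HTTP step 1: enforce RFC-compliant requests, restrict methods and catch
! applications tunnelled over port 80. Each line names a check and the action taken.
http-map inbound_http
 strict-http action drop log
 content-length min 0 max 65536 action reset log
 content-type-verification match-req-rsp action reset log
 max-header-length request 1024 action reset log
 max-uri-length 1024 action reset log
 request-method rfc default action allow
 request-method rfc put action drop log
 request-method rfc delete action drop log
 request-method ext default action drop log
 port-misuse im action reset log
 port-misuse p2p action reset log
 port-misuse tunneling action reset log
 transfer-encoding chunked action allow
!
! Step 2: identify the flows.
class-map inbound_ftp_traffic
 match access-list 101
class-map inbound_http_traffic
 match access-list 102
!
! Step 3: tie each map to its class inside a new policy map.
policy-map inbound
 class inbound_ftp_traffic
  inspect ftp strict inbound_ftp
 class inbound_http_traffic
  inspect http inbound_http
!
! Step 4: apply the policy on the interface the requests arrive on.
service-policy inbound interface outside
!
! show service-policy interface outside   (per-inspection packet and drop counters)
```

The "log" keyword on every drop or reset action is what makes the inspection useful to operations: the resulting syslog messages identify which check fired and from which source, which is the evidence needed to tell a misbehaving client from a scan. The released 7.0 command reference spells the FTP subcommand request-command deny; if the form shown here is rejected, use that spelling.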

Passive interface on Redistributing Routes


However, sending updates out E0 is a waste of resources, since no other routers on the 10.4.4.0
subnetwork can receive the updates. Meanwhile, sending updates creates a slight overhead and may
cause a potential security risk. A malicious user could use a packet sniffer to capture routing updates and
glean key network information.
A passive interface essentially makes a router a silent host on a network. Identifying an interface as
passive prevents routing updates for a routing protocol from being sent through a router interface.
You can use the passive-interface command with most IP interior gateway protocols, including RIP,
EIGRP, OSPF, and IS-IS. To configure a passive interface, use the following procedure:
Step 1 Select the router and routing protocol that requires the passive interface.
Step 2 Determine the interfaces through which you do not want routing update traffic (or
hellos for link-state routing protocols and EIGRP) to be sent.
Step 3 Configure the router using the passive-interface command. Figure
displays the command parameters.
5.3.3
To solve this configuration scalability, the passive-interface default command can be used to set
all interfaces to passive. You can then enable routing on individual interfaces where you require
adjacencies using the no passive-interface command.
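The procedure above, including the passive-interface default variant, as an added IOS example that is not from the page; it reuses the page's E0 interface and 10.4.4.0 subnet, while the OSPF process id, area, serial interface names and the RIP process are assumed:

```cisco
! Constructed example. OSPF: suppress hellos everywhere by default, then re-enable
! them only on the links where an adjacency is actually wanted. Ethernet0 (the
! 10.4.4.0 user segment) stays passive: its prefix is still advertised, but no hellos
! leave it and no neighbor can form on it.
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface Serial0/0
 no passive-interface Serial0/1
!
! RIP behaves differently: a passive interface stops sending updates out Ethernet0
! but still accepts updates received on it, so it does not by itself protect against
! a host on that segment injecting routes.
router rip
 version 2
 network 10.0.0.0
 passive-interface Ethernet0
!
! Verification: "show ip protocols" lists the passive interfaces for each process;
! "show ip ospf interface Ethernet0" should report no neighbors on the passive port.
```

For the link-state protocols and EIGRP, passive-interface removes the router from the segment's hello exchange entirely, which closes the route-injection path as well as the sniffing exposure mentioned above; for RIP, pairing it with routing-update authentication is what closes the inbound side.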

Block propagation of distributed lists with Distribute Lists (5.3.5)


Multicast

show ip igmp group

When there are two IGMP routers on the same Ethernet segment (broadcast domain), the router with the
highest IP address is the designated querier.

In IGMPv3, reports are sent to 224.0.0.22 rather than 224.0.0.2.

Use the show ip igmp interface command to determine which version of IGMP is currently active
on an interface.

The solution is to implement IGMP snooping on high-end switches with special application-specific
integrated circuits (ASICs) that can perform the IGMP checks in hardware. CGMP is a better option for
low-end switches without special hardware.

There are basically two types of multicast routing protocols: dense mode and sparse mode:
• Dense mode protocols flood multicast traffic to all parts of the network and prune the flows where
there are no receivers, using a periodic flood-and-prune mechanism.
• Sparse mode protocols use an explicit join mechanism where distribution trees are built on
demand by explicit tree join messages sent by routers that have directly connected receivers.
The global command ip multicast-routing enables support for IP multicast on a router.
• The interface command ip pim sparse-mode enables PIM-SM operation on the selected
interface. The ip pim sparse-dense-mode command enables the interface on the router to
operate in PIM-SM for sparse-mode groups (those with known RPs) and in dense mode for other
groups.
• The global command ip pim send-rp-announce {interface type} scope {ttl}
group-list {acl} is issued on the router that you want to be an RP. This router sends an
auto-RP message to 224.0.1.39, announcing the router as a candidate RP for the groups in the
range described by the access list.
• The global command ip pim send-rp-discovery {interface type} scope {ttl}
configures the router as an RP mapping agent. It listens to the 224.0.1.39 address and sends a
RP-to-group mapping message to 224.0.1.40. Other PIM routers listen to 224.0.1.40 to
automatically discover the RP.
• The ip pim spt-threshold {rate | infinity} command controls the switchover from
the shared distribution tree to the SPT in sparse mode. The keyword infinity means the
switchover will never occur.
Note
The recommended method for configuring an interface for PIM-SM operation is to use the ip pim
sparse-dense-mode interface command. This method permits auto RP, bootstrap router (BSR), or
statically defined RPs to be used with the least configuration effort.
The show ip mroute command is the most useful command for determining the state of multicast
sources and groups from the perspective of the selected router.
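The PIM-SM commands listed above combined into one added IOS example (not configuration from the page) in which a single router is both an Auto-RP candidate RP and the mapping agent. The multicast addresses 224.0.1.39 and 224.0.1.40 are protocol constants from the page; the loopback address, interface names, TTL scope and the 239.1.0.0/16 group range are assumed:

```cisco
! Constructed example. Enable multicast forwarding globally.
ip multicast-routing
!
! The RP address should be a loopback so it stays reachable regardless of link state;
! other routers need a unicast route to it or their RPF check toward the RP fails.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-dense-mode
!
interface FastEthernet0/0
 ip pim sparse-dense-mode
!
interface Serial0/0
 ip pim sparse-dense-mode
!
! Groups this router offers to serve as RP for.
access-list 10 permit 239.1.0.0 0.0.255.255
! Candidate RP: announces itself on 224.0.1.39 with a TTL scope of 16 hops.
ip pim send-rp-announce Loopback0 scope 16 group-list 10
! Mapping agent: listens on 224.0.1.39 and publishes the RP-to-group mapping on 224.0.1.40.
ip pim send-rp-discovery Loopback0 scope 16
! Stay on the shared tree; never switch over to the shortest-path tree.
ip pim spt-threshold infinity
!
! Verification, in the order the troubleshooting notes below suggest:
! show ip pim interface
! show ip pim neighbor
! show ip pim rp mapping
! show ip rpf 10.255.0.1
! show ip mroute
```

Sparse-dense mode is what lets the two Auto-RP groups themselves be flooded in dense mode before any RP is known; the group-list ACL is also the place to keep the RP from claiming groups it should not serve, and the scope value bounds how far the announcements travel.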

When PIM-SM is configured, the first step in verifying proper operation is to check PIM-enabled interfaces
and to determine whether the PIM neighbors are correct.
You can use the following commands to accomplish this:
• show ip pim interface: Displays the information about interfaces configured for PIM.
• show ip pim neighbor: Displays the discovered PIM neighbors.
• mrinfo: Displays information on multicast routers that are peering with the local router (no
address) or with the addressed router.
show ip pim interface

show ip pim neighbor

The RP for a certain multicast group operating in PIM-SM has to be reachable and known to the router. In
addition to using a unicast ping, you can use the following commands when troubleshooting RP
reachability:
• show ip pim rp: Displays, without arguments, RP information on active groups. If the group
address or name is provided, only the RP information for the selected group is shown (assuming
that it is an active group).
• show ip pim rp mapping: Displays the contents of the important group-to-RP mapping
cache that contains the information about which RP is active for which group range. This cache is
populated by the auto-RP or BSR mechanisms and by static RP assignments. It is very important
to check this information to verify that the router possesses the RP mapping information
consistent with proper network operation.
• show ip rpf: Displays RPF information for the RP or for the source.
The show ip pim rp command just lists all active groups and their associated RPs. This form of the
command is becoming obsolete, because it offers limited information. In most cases, you should use
show ip pim rp mapping instead, because it provides details on the actual contents of the group-
to-RP mapping cache.
The show ip rpf command displays RPF information associated with the specified source address.

• ip igmp join-group <address>: The router accepts the multicast packets in addition to
forwarding them. Accepting the multicast packets prevents the router from fast switching.
• ip igmp static-group: The router does not accept the packets but forwards them. Hence,
this method allows fast switching. The outgoing interface appears in the IGMP cache, but the
router itself is not a member, as evidenced by the lack of an L (local) flag in the multicast route
entry.
Use the show ip igmp snooping command to display the snooping configuration information for all VLANs on
the switch or for a specified VLAN.
Use the show mac-address-table multicast command to display the entries in the MAC address table for
a VLAN that has IGMP snooping enabled.

7.2
Configuring 802.1x Port-Based Authentication
7.2.2
Enabling 802.1x authentication

To enable 802.1x port-based authentication, AAA must be enabled and an authentication
method list must be specified. A method list describes the sequence and authentication
methods to be queried to authenticate a user.
The software uses the first method listed to authenticate users. If that method fails to
respond, the software selects the next authentication method in the list. This process
continues until there is successful communication with a listed authentication method or
until all defined methods are exhausted. If authentication fails at any point in this cycle,
the authentication process stops, and no other authentication methods are attempted.
Beginning in privileged EXEC mode, the following steps are used to configure 802.1x
port-based authentication. The associated commands are shown in Figure .
Step 1
Enter global configuration mode.
Step 2
Enable AAA.
Step 3
Create an authentication method list with the aaa authentication dot1x {default}
method1 [method2...] command. To create a default list that is used when a named list is
not specified in the authentication command, use the default keyword followed by the
methods that are to be used in default situations. The default method list is automatically
applied to all interfaces. At least one of the following keywords must be entered:
• group radius – Use the list of all RADIUS servers for authentication.
• none – Use no authentication. The client is automatically authenticated by the
switch without using the information supplied by the client.
Step 4 Enter interface configuration mode, and specify the interface connected to the
client that is to be enabled for 802.1x authentication.
Step 5 Enable 802.1x authentication on the interface.
The port authorization state is controlled by using the dot1x port-control interface
configuration command and the following keywords:
• force-authorized – disables 802.1x and causes the port to transition to the
authorized state without any authentication exchange required. The port transmits
and receives normal traffic without 802.1x-based authentication of the client. This
is the default setting.
• force-unauthorized – causes the port to remain in the unauthorized state, ignoring
all attempts by the client to authenticate. The switch cannot provide authentication
services to the client through the interface.
• auto – enables 802.1x authentication and causes the port to begin in the
unauthorized state, allowing only EAPOL frames to be sent and received through
the port. The authentication process begins when the link state of the port
transitions from down to up, or when an EAPOL-start frame is received. The
switch requests the identity of the client and begins relaying authentication
messages between the client and the authentication server. Each client attempting
to access the network is uniquely identified by the switch by using the client's
MAC address.
Step 6
Return to privileged EXEC mode.
Step 7
Verify the configuration.
To disable 802.1x AAA authentication, use the no aaa authentication dot1x {default |
list-name} method1 [method2...] global configuration command. To disable 802.1x
authentication, use the dot1x port-control force-authorized or the no dot1x port-
control interface configuration command.
The example in Figure shows how to enable AAA and 802.1x on Fast Ethernet port
0/12.

7.2.3
Configuring the switch-to-RADIUS-server communication

RADIUS security servers are identified by host name or IP address, host name and
specific UDP port numbers, or IP address and specific UDP port numbers. The
combination of the IP address and UDP port number creates a unique identifier, which
enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP
address. If two different host entries on the same RADIUS server are configured for the
same service, such as authentication, the second host entry configured acts as the fail-over
backup to the first one. The RADIUS host entries are tried in the order that they are
configured.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server
parameters on the switch.
Step 1 Enter global configuration mode.
Step 2 Configure the RADIUS server parameters on the switch with the radius-server
host {hostname | ip-address} auth-port port-number key string command.
For hostname | ip-address, specify the host name or IP address of the remote RADIUS
server. For auth-port port-number, specify the UDP destination port for authentication
requests. The default is 1812. For key string, specify the authentication and encryption
key used between the switch and the RADIUS server. The key is a text string that must
match the encryption key used on the RADIUS server.
NOTE:
Always configure the key as the last item in the radius-server host command syntax
because leading spaces are ignored, but spaces within and at the end of the key are used. If
spaces are used in the key, do not enclose the key in quotation marks unless the quotation
marks are part of the key.
If multiple RADIUS servers are to be used, re-enter this command.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration.
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-
address} global configuration command.
The example in Figure shows how to specify the server with IP address 172.20.39.46 as
the RADIUS server, to use port 1612 as the authorization port, and to set the encryption
key to rad123, matching the key on the RADIUS server.
The timeout, retransmission, and encryption key values for all RADIUS servers can be
globally configured by using the radius-server host global configuration command. To
configure these options on a per-server basis, use the radius-server timeout, radius-
server retransmit, and the radius-server key global configuration commands.
Some settings on the RADIUS server need to be configured as well. These settings
include the IP address of the switch and the key string to be shared by both the server and
the switch.

Periodic 802.1x client re-authentication, as well as how often it occurs, can be configured. If a
time period before enabling re-authentication is not specified, the number of seconds between re-
authentication attempts is 3600.
Automatic 802.1x client re-authentication is a global setting and cannot be set for clients
connected to individual ports.
Beginning in privileged EXEC mode, the following steps are used to enable periodic re-
authentication of the client and to configure the number of seconds between re-authentication
attempts:
Step 1 Enter global configuration mode.
Step 2 Enable periodic re-authentication of the client, which is disabled by default, with the
dot1x re-authentication command.
Step 3 Set the number of seconds between re-authentication attempts with the dot1x timeout re-
authperiod seconds command. The range is 1 to 4294967295 and the default is 3600 seconds.
This command affects the behavior of the switch only if periodic re-authentication is enabled.
Step 4 Return to privileged EXEC mode.
Step 5 Verify the configuration.
To disable periodic re-authentication, use the no dot1x re-authentication global configuration
command. To return to the default number of seconds between re-authentication attempts, use the
no dot1x timeout re-authperiod global configuration command.
The example in Figure shows how to enable periodic re-authentication and set the number of
seconds between re-authentication attempts to 4000.

The client connected to a specific port can be manually re-authenticated at any time by
entering the dot1x re-authenticate interface interface-id privileged EXEC command.

-------

7.2.6
Enabling multiple hosts

Multiple hosts can be attached to a single 802.1x-enabled port. In this mode, only one of
the attached hosts must be successfully authorized for all hosts to be granted network
access. If the port becomes unauthorized, such as in the case that re-authentication fails or
an EAPOL-logoff message is received, all attached clients are denied access to the
network.
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts on an
802.1x-authorized port that has the dot1x port-control interface configuration command
set to auto. The commands used in this process are shown in Figure .
Step 1 Enter global configuration mode.
Step 2 Enter interface configuration mode, and specify the interface to which multiple
hosts are indirectly attached.
Step 3 Allow multiple hosts on an 802.1x-authorized port with the dot1x multiple-hosts
command. Make sure that the dot1x port-control interface configuration command set is
set to auto for the specified interface.
Step 4 Return to privileged EXEC mode.
Step 5 Verify the configuration with the show dot1x interface interface-id command.
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface
configuration command.
The example in Figure shows how to enable 802.1x on FastEthernet interface 0/1 and to
allow multiple hosts.
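Sections 7.2.2 (enabling 802.1x), 7.2.3 (RADIUS server), the re-authentication settings and 7.2.6 (multiple hosts) are pieces of one switch configuration, so here they are as a single added Catalyst IOS example that is not from the page. The RADIUS address 172.20.39.46, port 1612, key rad123, the 4000-second period and the ports Fa0/12 and Fa0/1 are the page's; the dot1x system-auth-control line is an assumption about newer IOS releases:

```cisco
! Constructed example. Enable AAA and make RADIUS the only 802.1x method; "none"
! would authorize every client without checking, so it is not used here.
aaa new-model
aaa authentication dot1x default group radius
! Later IOS releases also require this global enable (assumed; not on the page).
dot1x system-auth-control
!
! RADIUS server: the key is last on the line, because everything after "key" up to
! the end of the line (including trailing spaces) becomes part of the shared secret.
radius-server host 172.20.39.46 auth-port 1612 key rad123
!
! Periodic re-authentication, global on this platform, every 4000 seconds.
dot1x re-authentication
dot1x timeout re-authperiod 4000
!
! Single-host port: "auto" keeps it unauthorized until a supplicant passes EAP.
interface FastEthernet0/12
 switchport mode access
 dot1x port-control auto
!
! Port with a hub behind it: one successful supplicant authorizes every attached
! host, and a re-authentication failure or EAPOL-logoff drops all of them at once.
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x multiple-hosts
!
! Verification:
! show dot1x
! show dot1x interface fastethernet0/12
! show dot1x statistics interface fastethernet0/1
```

Two points worth checking after applying this: the default port-control value is force-authorized, so any access port not explicitly set to auto is open regardless of the global settings, and the multiple-hosts mode trusts every device behind the first authenticated one, so it belongs only on ports where a shared segment is unavoidable.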

7.2.7
Resetting the 802.1x configuration to the default values

Beginning in privileged EXEC mode, follow these steps to reset the 802.1x configuration
to the default values:
Step 1 Enter global configuration mode.
Step 2 Reset the configurable 802.1x parameters to the default values with the dot1x
default command.
Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration with the show dot1x command.

---
To display 802.1x statistics for all interfaces, use the show dot1x statistics privileged EXEC
command. To display 802.1x statistics for a specific interface, use the show dot1x statistics
interface interface-id privileged EXEC command.
To display the 802.1x administrative and operational status for the switch, use the show dot1x
privileged EXEC command. To display the 802.1x administrative and operational status for a
specific interface, use the show dot1x interface interface-id privileged EXEC command.

QoS
VOIP
2.5.6
Cisco IOS Configurations for VoIP
Cisco IOS routers can be used as VoIP gateways. For a basic VoIP configuration, two
gateways are needed. Both need a connection to a traditional telephony device, such as an
analog telephone. The gateways themselves must have IP connectivity.
In Figure , the first router has these configuration settings:
• Name: R1
• IP address: 10.1.1.1/24
• IP interface: FastEthernet 0/0
• Voice port: 1/0/0
• Extension of the telephone connected to the voice port: 1111
The second router is configured with similar settings:
• Name: R2
• IP address: 10.2.2.2/24
• IP interface: FastEthernet 0/0
• Voice port: 1/0/0
• Extension of the telephone connected to the voice port: 2222
Based on this information, this configuration is applied to the first router:
hostname R1
interface FastEthernet 0/0
ip address 10.1.1.1 255.255.255.0
!
dial-peer voice 1 pots
destination-pattern 1111
port 1/0/0
!
dial-peer voice 2 voip
destination-pattern 2222
session target ipv4:10.2.2.2
!
The second router has these configuration commands:
hostname R2
interface FastEthernet 0/0
ip address 10.2.2.2 255.255.255.0
!
dial-peer voice 1 pots
destination-pattern 2222
port 1/0/0
!
dial-peer voice 2 voip
destination-pattern 1111
session target ipv4:10.1.1.1
!
The voice-specific commands in the configurations are the two dial-peer stanzas in each router. A dial
peer describes where to find a telephone number, and the collection of all dial peers makes up the call
routing table of a voice gateway. Two types of dial peers are shown in this example: POTS dial peers and
VoIP dial peers. A POTS dial peer indicates that the telephone number specified in the dial peer is found
at a physical voice port. A VoIP dial peer refers to the IP address of a VoIP device. The figures and the
Voice-Specific Commands table below list the commands used for dial peers.
Voice-Specific Commands

dial-peer voice tag type
    Enters dial peer subconfiguration mode. The tag value is a number that must be
    unique among all dial peers on the same gateway. The type value indicates the type
    of dial peer (for example, pots or voip).

destination-pattern telephone_number
    Entered in dial peer subconfiguration mode, defines the telephone number that
    applies to the dial peer. A call placed to this number is routed according to the
    dial peer's type and its port (POTS dial peer) or session target (VoIP dial peer).

port port-number
    Entered in POTS dial peer subconfiguration mode, defines the voice port that applies
    to the dial peer. Calls routed by this dial peer are sent to the specified port. The
    port command can be configured only on a POTS dial peer.

session target ipv4:ip-address
    Entered in VoIP dial peer subconfiguration mode, defines the IP address of the
    target VoIP device. Calls routed by this dial peer are sent to the specified IP
    address. The session target command can be configured only on a VoIP dial peer.

--more pictures and examples in the section

-------------------=======================================
HSRP (Hot Standby Router Protocol), Cisco proprietary
Switch#show running-config
Building configuration...

Current configuration:
!
<output omitted>
interface Vlan11
ip address 172.16.11.113 255.255.255.0
no ip redirects
standby 11 ip 172.16.11.115

Another way to verify the HSRP configuration is with the show standby brief command, which
displays abbreviated information about the current state of all HSRP operations on the device.

To set the priority value of a router (default is 100), enter this command in interface configuration mode:
Switch(config-if)#standby group-number priority priority-value
The figure describes the variables for the standby command.
During the election process, the router with the highest priority in an HSRP group becomes the active
router. In the case of a tie, the router with the highest configured IP address is chosen.
-------
A former active router can be configured to resume the forwarding (active) role from a router with a lower
priority by using the following command in interface configuration mode:
Switch(config-if)#standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}]
If the routers do not have preempt configured, a router that boots up significantly faster than the others in
the standby group becomes the active router, regardless of the configured priority, and keeps that role until
it fails.
------
The default hello and hold times are 3 and 10 seconds, respectively, which means failover time could be
as much as 10 seconds for clients to start communicating with the new default gateway. In some cases,
this interval may be excessive for application support.
You can change the default values of the timers to milliseconds to accommodate subsecond failovers.
Lowering the hello timer results in increased traffic for hello messages and should be used cautiously.
The hold time should be at least three times the value of the hello time.
To change the timers, enter this command in interface configuration mode:
Switch(config-if)#standby [group-number] timers [msec] hellotime [msec] holdtime
Note:
Hello and hold timer intervals should be identical for all devices within an HSRP group.
-------
Interface tracking enables the priority of a standby group router to be automatically adjusted based on the
availability of that router’s interfaces. When a tracked interface becomes unavailable, the HSRP priority of
the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with
an unavailable key interface relinquishes the active router role.
VRRP (Virtual Router Redundancy Protocol), an IETF standard (RFC 3768 for VRRPv2)

A VRRP group has one master router and one or more backup routers. The LAN workstations are then
configured with the address of the virtual router as their default gateway. VRRP is supported on Ethernet,
Fast Ethernet, and Gigabit Ethernet interfaces, and with Multiprotocol Label Switching (MPLS), virtual
private networks (VPNs), and VLANs.
**The master virtual router may have the same IP address as the virtual router group.

With VRRP, only the master sends advertisements (the equivalent of HSRP hellos). Advertisements are
sent to the multicast address 224.0.0.18 using IP protocol number 112, at a default interval of 1 second.

With GLBP, resources can be fully utilized without the administrative burden of configuring multiple groups
and managing multiple default gateway configurations as is required with HSRP and VRRP.

GLBP is supported on select Cisco Catalyst platforms.


The following example configures GLBP on two multilayer switches:
SwitchA(config)#interface vlan7
SwitchA(config-if)#ip address 10.1.7.5 255.255.255.0
SwitchA(config-if)#glbp 7 ip 10.1.7.1
SwitchA(config-if)#glbp 7 priority 150
SwitchA(config-if)#glbp 7 timers msec 250 msec 750
SwitchB(config)#interface vlan7
SwitchB(config-if)#ip address 10.1.7.6 255.255.255.0
SwitchB(config-if)#glbp 7 ip 10.1.7.1
SwitchB(config-if)#glbp 7 priority 100
SwitchB(config-if)#glbp 7 timers msec 250 msec 750

SwitchA#show glbp 7

++++++++++++++++++++++++++++++++++++++++
PoE (Power over Ethernet)
Switch port configuration for PoE (power inline):
• auto (default): power detection enabled; power is supplied if the connected device requires it
• never: power disabled; shutting the port down also turns power off
The show power inline command displays the configuration and statistics about the power drawn by
connected powered devices (PDs) and the capacity of the power supply.
Power can be delivered over either set of pairs:
• the data pairs 1,2 and 3,6
• the spare pairs 4,5 and 7,8
Using the spare pairs 4,5 and 7,8 requires 8-wire cabling. This technique does not extend
the 100-meter Fast Ethernet cable limit. You cannot use this approach for 1000BASE-T Gigabit Ethernet, which
uses all eight wires, so no spare pairs are available.
Changing the IOS on a lightweight AP / WLAN controller

Need to use the controller to upload the IOS images

- go through the GUI prompt to download and upload the IOS images and the logs
under the Management tab
- must go into ROMMON and upgrade the IOS for the lightweights (Ctrl+R
during reload)
- the controller pushes the IOS images to the lightweights
- in ROMMON set the IP address
- set the server IP address
- IMAGE="image name from tftp"
- then do a tftp download (or transfer command)
- type set to see what needs to be configured
- set the gateway to the server address
- that didn't work for us, so we are using the GUI under Commands and
Download File to controller
- file type is code
- file path is ./ (root of the tftp server share)

http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn4119124M.html#wp1086312

Converting Indoor Access Points to Mesh Access Points (1130AG, 1240AG)

Before you can install a 1130AG or 1240AG indoor access point into an indoor mesh
deployment you must do the following.
1. Convert the autonomous access point (k9w7 image) to a lightweight access point.
A detailed explanation of this process is located at:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html
2. Convert the lightweight access point to either a mesh access point (MAP) or root access
point (RAP).
Indoor mesh access points (1130 and 1240) can function as either a root access point (RAP) or a
mesh access point (MAP). By default, all are configured as MAPs.
At least one access point within a mesh network must be configured to function as a RAP.

Note The access point reboots after entry of the conversion commands (CLI, GUI, and WCS
noted below), and initially reloads its existing non-mesh image (k9w8) and then rejoins the
controller. After successfully rejoining, the access point receives a download of the mesh image
(k9w9) from the controller. The mesh image then reloads and replaces the non-mesh image on
the access point. Afterwards, the access point rejoins the controller as a mesh access point
operating in the bridging mode as either a MAP or RAP as configured.

Note The indoor mesh access point image (k9w9) is a different image than the autonomous
(k9w7) and lightweight access point images (k9w8).
• To convert the access point to a mesh access point using the CLI, enter the commands noted
in either Step a or b below.
a. To convert from a lightweight access point to a MAP, enter the following CLI commands:
config ap mode bridge AP_name
The mesh access point image (k9w9) is downloaded.
b. To convert from a lightweight access point to a RAP, enter the following CLI commands:
config ap mode bridge AP_name
config ap role rootAP AP_name
The mesh access point image (k9w9) is downloaded and the mesh access point is configured to
operate as a RAP.
• To convert the access point to a mesh access point using the GUI, do the following.
a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point
you want to convert.
b. At the General Properties panel, select Bridge from the AP Mode drop-down menu.
The access point loads the new image (k9w9) and reboots.
c. At the Mesh panel, select either RootAP or MeshAP from the AP Role drop-down menu.
d. Click Apply and Save Configuration.
• To convert the access point to a mesh access point using Cisco WCS, do the following.
a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240
indoor access point you want to convert.
b. At the General Properties panel, select Bridge as the AP Mode (left-side) and either RAP or
MAP as the AP Role (right-side).
c. Click Save.

Changing MAP and RAP Roles for Indoor Mesh Access Points (1130AG, 1240AG)
Indoor mesh access points can function as either root access points (RAPs) or mesh access points
(MAPs). To change from one role to another, follow the appropriate step below.
1. To change the role of an indoor access point from MAP to RAP or RAP to MAP using the
CLI, enter the following command choosing the appropriate option:
config ap role {rootAP | meshAP} AP_name
2. To change the role of an indoor access point using the GUI, do the following.
a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point
you want to change.
b. At the Mesh panel, select MeshAP or RootAP from the AP Role drop-down menu.
c. Click Apply and Save Configuration.
3. To change the role of an indoor access point using Cisco WCS, do the following
a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240
indoor access point you want to change.
b. At the General Properties panel, select either RAP or MAP as the AP Role (right-side).
c. Click Save.

Note The access point reboots after the role is changed.

Note When changing from a MAP to RAP, a Fast Ethernet connection between the MAP and
controller is recommended.

Note After a RAP to MAP conversion, the MAP's connection to the controller is a wireless
backhaul rather than a Fast Ethernet connection. It is the responsibility of the user to ensure that
the Fast Ethernet connection of the RAP being converted is disconnected before the MAP comes
up so that the MAP can join over air.

Note The recommended power source for MAPs is either a power supply or power injector.
PoE is not a recommended power source for MAPs.

Converting Indoor Mesh Access Points to Non-Mesh Lightweight Access Points (1130AG, 1240AG)

The access point reboots after entry of the conversion commands (noted below), and initially
reloads its existing mesh image (k9w9) and then rejoins the controller. After successfully
rejoining, the access point receives a download of the non-mesh image (k9w8) from the
controller. The non-mesh image reloads and replaces the mesh image on the access point.
Afterwards, the access point rejoins the controller as a non-mesh lightweight access point
operating in the local mode.

Note A Fast Ethernet connection to the controller for the conversion from a mesh (bridge) to
non-mesh (local) access point is recommended. If the backhaul is a radio, after the conversion
you must enable Ethernet and then reload the access point. After the reload and reboot the
backhaul is Fast Ethernet.

Note When a root access point is converted back to a lightweight access point, all of its
subordinate mesh access points lose connectivity to the controller. Consequently, a mesh access
point is unable to service its clients until the mesh access point is able to establish connectivity to
a different root access point in the vicinity. Likewise, clients might connect to a different mesh
access point in the vicinity to maintain connectivity to the network.
1. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access
point using the CLI, enter the following command.
config ap mode local AP_name
The access point loads the non-mesh image (k9w8).
2. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access
point using the GUI, do the following.
a. Choose Wireless and click on the AP Name link for the 1130 or 1240 indoor access point
you want to convert.
b. At the General Properties panel, select Local from the AP Mode drop-down menu.
c. Click Apply and Save Configuration.
3. To convert an indoor mesh access point (MAP or RAP) to a non-mesh lightweight access
point using Cisco WCS, do the following.
a. Choose Configure > Access Points and click on the AP Name link for the 1130 or 1240
indoor access point you want to convert.
b. At the General Properties panel, select Local as the AP Mode (left-side).
c. Click Save.

Configuring QoS on an IP phone connected to a switch with the PC connected to the phone
Switch port security (Module 8, Cisco, p. 176)

MAC address flooding: an attacker fills the switch's CAM table with bogus source addresses so the switch
floods all traffic out all of its ports (a DoS attack, or information gathering by sniffing the flooded frames).

This can be stopped by configuring port security (secure MAC addresses) on the switch to restrict which
addresses a port accepts.
– Could also use an AAA method (like crown and firewall user
permissions)


– Until the workstation is authenticated, 802.1x access control allows only
Extensible Authentication Protocol over LAN (EAPOL) traffic through the
port to which the workstation is connected. After authentication
succeeds, normal traffic can pass through the port.
You control the port authorization state by using the dot1x port-control interface configuration
command and these keywords:
• force-authorized: Disables 802.1x port-based authentication and causes the port to transition to
the authorized state without any authentication exchange required. The port transmits and
receives normal traffic without 802.1x-based authentication of the client. This is the default
setting.
• force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts
by the client to authenticate. The switch cannot provide authentication services to the client
through the interface.
• auto: Enables 802.1x port-based authentication and causes the port to begin in the unauthorized
state, allowing only EAPOL frames to be sent and received through the port. The authentication
process begins when the link state of the port transitions from down to up (authenticator initiation)
or when an EAPOL-start frame is received (supplicant initiation). The switch requests the identity
of the client and begins relaying authentication messages between the client and the
authentication server. The switch uniquely identifies each client attempting to access the network
with the client MAC address.
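The following added example, not part of the original notes, shows a minimal 802.1x deployment on an access switch using the auto keyword described above. The RADIUS server address and shared secret, the VLAN and the interface names are assumptions for the example. The force-authorized default is spelled out first only to make the contrast visible: a port left at that default passes traffic with no authentication at all.

```cisco
! Global: enable AAA and send dot1x authentication to RADIUS (server address and key assumed)
aaa new-model
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key R4dius-Shared-Secret
aaa authentication dot1x default group radius
! Without this global switch the per-port settings below have no effect
dot1x system-auth-control
!
! BEFORE: the implicit default on every port. No supplicant exchange happens;
! the port is authorized as soon as it comes up.
interface FastEthernet0/1
 switchport mode access
 dot1x port-control force-authorized
!
! AFTER: the port starts unauthorized and only EAPOL passes until RADIUS accepts the client
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 ! re-authenticate periodically so a disabled account loses access without waiting for a link flap
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! Trunks and uplinks to other switches are left at the force-authorized default: setting them
! to auto would block the switch's own infrastructure traffic.
!
! Verify: PortControl = AUTO, and the port state moves to AUTHORIZED after a successful exchange
Switch#show dot1x interface FastEthernet0/1
Switch#show dot1x statistics interface FastEthernet0/1
```

If the RADIUS server is unreachable, a port in auto mode stays unauthorized, so test the server reachability (and the shared secret) on one port before rolling the setting out to a whole switch.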


"Sticky learning," which is available on some switch platforms, combines the features of dynamically
learned and statically configured addresses. When this feature is configured on an interface, the interface
converts dynamically learned addresses to "sticky secure" addresses. The addresses are added to the
running configuration as if they were configured using the switchport port-security mac-address
command, and they survive a reload only if the running configuration is saved.
The following command converts all dynamic port security-learned MAC addresses to sticky secure MAC
addresses:
Switch(config-if)#switchport port-security mac-address sticky
This command cannot be used on ports where voice VLANs are configured.

Step 1 Port security is enabled on a port-by-port basis.
Step 2 By default, only one MAC address is allowed access through a given switch port when port
security is enabled. This parameter (the maximum) increases that number. It places no restriction on specific
MAC addresses, just on the total number of addresses that can be learned by the port. Learned addresses are
not aged out by default, but can be configured to do so after a specified time using the switchport
port-security aging command. The value parameter can be any number from 1 to 1024, with some
restrictions regarding the number of ports on a given switch with port security enabled.
Note:
Set the value parameter to at least 2 when you are configuring a port that supports VoIP and
needs both a phone and a computer accessible on the port. If the default value of 1 is used, a port security
violation occurs as soon as the second device sends a frame.
Step 3 Access to the switch port can be restricted to one or more specific MAC addresses. If the number
of MAC addresses assigned is lower than the value parameter set in Step 2, the remaining allowed
addresses can be learned dynamically. If you specify a set of MAC addresses that is equal to the
maximum number allowed, access is limited to that set of MAC addresses.
Step 4 By default, if the maximum number of connections is achieved and a new MAC address attempts
to access the port, the switch must take one of the following actions:
• Protect: Frames from the non-allowed address are dropped, but there is no log of the violation.
Note:
The protect argument is platform or version dependent.
• Restrict: Frames from the non-allowed address are dropped, a log message is created, and a
Simple Network Management Protocol (SNMP) trap is sent.
• Shut down: If any frames are seen from a non-allowed address, the interface is errdisabled, a
log entry is made, an SNMP trap is sent, and manual intervention or errdisable recovery must be
used to make the interface usable.
Use show commands to verify the port security configuration.
The show port-security command lists the ports on which port security has been enabled. It also
displays count information and security actions to be taken per interface.
The full command syntax is as follows:
Switch#show port-security [interface interface_id] [address]
You can view port security status by interface or by the addresses associated with port security on all
interfaces.
The figure displays output from the show port-security command when you do not enter an interface.
Use the interface keyword to provide output for a specific interface.
The figure displays output from the show port-security command for a specified interface.
Use the address keyword to display MAC address table security information. The figure displays output
from the show port-security address privileged EXEC command. The Remaining Age column is
populated only if aging is specifically configured for a given interface.
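As an added example, not from the original notes, here is a complete port-security configuration following the four steps above for two kinds of access port, with interface and VLAN numbers assumed. The first port is the phone-plus-PC case the note warns about: the maximum is raised, the addresses are sticky-learned, and the violation mode is restrict so a rogue device is logged and trapped without err-disabling the phone. The second is a hot-desk port that relies on dynamic learning with inactivity aging and the shutdown action.

```cisco
! Port with an IP phone and a PC daisy-chained behind it
interface FastEthernet0/10
 description user port: IP phone with PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Step 1: enable port security (the port must be a static access port; it is refused on dynamic/trunk ports)
 switchport port-security
 ! Step 2: allow the phone plus the PC. On some platforms the phone's MAC is learned in both the
 ! access and the voice VLAN and counts twice, so this example uses 3 rather than the documented 2.
 switchport port-security maximum 3
 ! Step 3: learn the addresses dynamically but write them into the running config as sticky
 ! (sticky addresses are not aged out, so a replaced PC needs the old entry cleared by hand)
 switchport port-security mac-address sticky
 ! Step 4: drop offending frames, syslog and SNMP-trap, but keep the port (and the phone) up
 switchport port-security violation restrict
!
! Hot-desk port: one dynamically learned address at a time, released after 60 minutes of silence
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 ! a second device here is unexpected: err-disable so the violation is unmistakable
 switchport port-security violation shutdown
!
! Let shutdown-violated ports recover after 5 minutes instead of requiring a manual shut / no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify: MaxSecureAddr, CurrentAddr, SecurityViolation count and the action per port
Switch#show port-security
Switch#show port-security interface FastEthernet0/10
Switch#show port-security address
! Sticky addresses persist across a reload only once the configuration is saved
Switch#copy running-config startup-config
```

After a violation on the restrict port, the SecurityViolation counter in show port-security is the quickest way to tell an honest cabling change from an attempt to plug in an extra device.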

VLAN hopping

One method of VLAN hopping is switch spoofing: the attacker's workstation speaks DTP, the switch
negotiates a trunk with it, and the attacker then has access to every VLAN carried on that trunk.
Another method is double tagging: a workstation generates frames with two 802.1Q headers to get
the switch to forward the frames onto a VLAN that would be inaccessible to the attacker through
legitimate means. Double tagging only works when the attacker's access VLAN is the trunk's native VLAN,
because the switch strips the outer (native) tag before sending the frame over the trunk and leaves the
inner tag for the next switch to act on.

To stop this:
• Configure all unused ports as access ports so that trunking cannot be negotiated across those
links.
• Place all unused ports in the shutdown state and associate them with a VLAN designated only for
unused ports, carrying no user data traffic.
• When establishing a trunk link, configure the following:
  ○ Make the native VLAN different from any data VLANs
  ○ Set trunking to "on" rather than negotiated
  ○ Specify the VLAN range to be carried on the trunk
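The following added example, not part of the original notes, applies the three mitigations above on one access switch. The parking VLAN, the dedicated native VLAN, the port ranges and the allowed VLAN list are assumptions for the example.

```cisco
! Parking VLAN for unused ports: no SVI, never carried on any trunk (number assumed)
vlan 999
 name UNUSED-PARKING
!
! Dedicated native VLAN for trunks, with no hosts in it, so no user VLAN frame is ever sent untagged
vlan 998
 name TRUNK-NATIVE
!
! Unused ports: access mode, DTP off, parked and shut
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! User ports: access only, DTP off so a host cannot negotiate a trunk (switch spoofing)
interface range FastEthernet0/1 - 19
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Trunk to the distribution switch: explicit trunk, no negotiation, unused native VLAN, pruned VLAN list
! (the encapsulation line is needed only on platforms that also support ISL)
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30,110
!
! Verify: Mode "on", Native vlan 998 and the allowed list on every trunk
Switch#show interfaces trunk
! An access port whose Operational Mode reads "trunk" here means DTP negotiated a trunk it should not have
Switch#show interfaces FastEthernet0/1 switchport
```

The native VLAN must match on both ends of the trunk; if the distribution side is left at VLAN 1, CDP will report a native VLAN mismatch and the frames the mismatch leaks are exactly the ones double tagging relies on.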

Applying an access-class ACL on the vty lines restricts who can open a Telnet or SSH session, but it does not
hide the service from a port scan: the switch still completes the TCP handshake on port 23 or 22 and only
then closes the connection, so a scanner still reports the port as open. To make the port itself unreachable
from untrusted sources, also filter the management address with an ACL on the ingress interfaces, and disable
Telnet entirely with transport input ssh.

Access control lists available on a multilayer switch:
• Router access control list (RACL): Applied to Layer 3 interfaces such as SVI or L3 routed
ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for
specific directions (inbound or outbound). You can apply one access list in each direction. To
improve performance in Cisco Catalyst multilayer switches, RACLs are supported in ternary
content addressable memory (TCAM).
• Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel
port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can
filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you
apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port.
• VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering
based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by
direction (input or output).
VACLs are only supported on certain equipment (see 8.2.4 for examples).

Also could use private VLANs.

8.2.6 Configuring PVLANs
To configure a PVLAN on an IOS-based Catalyst 3560, 3750, 4500, or 6500, follow these steps:
Step 1 Set VTP mode to transparent.
Step 2 Create the secondary VLANs.
Note:
Isolated and community VLANs are secondary VLANs.
Step 3 Create the primary VLAN.
Step 4 Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be
mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary
VLAN.
Step 5 Configure an interface as an isolated or community port.
Step 6 Associate the isolated port or community port with the primary-secondary VLAN pair.
Step 7 Configure an interface as a promiscuous port.
Step 8 Map the promiscuous port to the primary-secondary VLAN pair.
Use these commands to configure a VLAN as a PVLAN:
Switch(config)#vlan vlan_ID
Switch(config-vlan)#[no] private-vlan {community | isolated | primary}
The following example shows how to configure VLAN202 as a primary VLAN and verify the
configuration:
Switch#configure terminal
Switch(config)#vlan 202
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#end
Switch#show vlan private-vlan type
Primary Secondary Type              Interfaces
------- --------- ----------------- ------------
202               primary
This example shows how to configure VLAN 200 as an isolated VLAN and verify the
configuration:
Switch#configure terminal
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#end
Switch#show vlan private-vlan type
Primary Secondary Type              Interfaces
------- --------- ----------------- ------------
202               primary
        200       isolated
To associate secondary VLANs with a primary VLAN, perform this procedure:
Switch(config)#vlan primary_vlan_ID
Switch(config-vlan)#[no] private-vlan association {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}
When you associate secondary VLANs with a primary VLAN, note the following:
• The secondary_vlan_list parameter can contain only one isolated VLAN ID.
• Use the remove keyword with the secondary_vlan_list parameter to clear the association between
the secondary and primary VLANs. The list can contain only one VLAN.
• Use the no keyword to clear all associations with the primary VLAN.
• The command does not take effect until you exit VLAN configuration mode.
To configure a Layer 2 interface as a PVLAN promiscuous port, perform this procedure:
Switch(config)#interface {fastethernet | gigabitethernet} slot/port
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
Switch(config-if)#[no] switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}
When you configure a Layer 2 interface as a PVLAN promiscuous port, note the following:
• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated
items. Each item can be a single PVLAN ID or a hyphenated range of PVLAN IDs.
• Enter a secondary_vlan_list or use the add keyword with a secondary_vlan_list to map the
secondary VLANs to the PVLAN promiscuous port.
• Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary
VLANs and the PVLAN promiscuous port.
• Use the no keyword to clear all mappings with the PVLAN promiscuous port.
This example shows how to configure interface FastEthernet 5/2 as a PVLAN promiscuous port,
map it to a PVLAN, and verify the configuration:
Switch#configure terminal
Switch(config)#interface fastethernet 5/2
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 202 440
Switch(config-if)#end
Switch#show interfaces fastethernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: none ((Inactive))
Administrative private-vlan mapping: 202 (VLAN0202) 440 (VLAN0440)
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
To configure a Layer 2 interface as a PVLAN host port, perform this procedure:
Switch(config)#interface {fastethernet | gigabitethernet} slot/port
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
Switch(config-if)#[no] switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID
This example shows how to configure interface FastEthernet 5/1 as a PVLAN host port and verify
the configuration:
Switch#configure terminal
Switch(config)#interface fastethernet 5/1
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 202 440
Switch(config-if)#end
Switch#show interfaces fastethernet 5/1 switchport
Name: Fa5/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: 202 (VLAN0202) 440 (VLAN0440)
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
To permit routing of secondary VLAN ingress traffic, perform this procedure:
Switch(config)#interface vlan primary_vlan_ID
Switch(config-if)#[no] private-vlan mapping primary_vlan_ID {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}
When you permit routing on the secondary VLAN ingress traffic, note the following:
• Enter a value for the secondary_vlan_list parameter or use the add keyword with the
secondary_vlan_list parameter to map the secondary VLANs to the primary VLAN.
• Use the remove keyword with the secondary_vlan_list parameter to clear the mapping between
secondary VLANs and the primary VLAN.
• Use the no keyword to clear all mappings on the primary VLAN interface.
This example shows how to permit routing of secondary VLAN ingress traffic from PVLAN 440 and
verify the configuration:
Switch#configure terminal
Switch(config)#interface vlan 202
Switch(config-if)#private-vlan mapping add 440
Switch(config-if)#end
Switch#show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- --------- -----------------
vlan202 440 isolated
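The following added example, not the notes' own, runs the eight steps above end to end on one switch and adds the one piece the procedure leaves out: isolated hosts are only isolated at Layer 2. A host in isolated VLAN 200 can still reach a neighbour in the same subnet by addressing the frame to the gateway's MAC with the neighbour's IP, and the SVI will happily route it back into the VLAN. The ACL at the end blocks that hairpin. The community VLAN 440, the port names, the gateway address and the 10.202.0.0/24 subnet are assumptions for the example.

```cisco
! Step 1: PVLANs require VTP transparent (or VTP version 3)
vtp mode transparent
!
! Step 2: secondary VLANs (one isolated per primary, any number of community VLANs)
vlan 200
 private-vlan isolated
vlan 440
 private-vlan community
!
! Steps 3 and 4: primary VLAN and its association with both secondaries
vlan 202
 private-vlan primary
 private-vlan association 200,440
!
! Steps 5 and 6: host ports. Isolated hosts talk only to promiscuous ports; community hosts also to each other.
interface FastEthernet5/1
 switchport mode private-vlan host
 switchport private-vlan host-association 202 200
interface FastEthernet5/3
 switchport mode private-vlan host
 switchport private-vlan host-association 202 440
!
! Steps 7 and 8: promiscuous port toward the firewall, mapped to every secondary VLAN
interface FastEthernet5/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 202 200,440
!
! The switch's own SVI is the gateway, so the secondaries are mapped onto it as well
interface Vlan202
 ip address 10.202.0.1 255.255.255.0
 private-vlan mapping 200,440
 ! Hairpin guard: a packet sourced in this subnet and destined to this subnet can only reach the SVI
 ! if a host is trying to route around the Layer 2 isolation, so drop it; traffic leaving the subnet is fine.
 ip access-group PVLAN-NO-HAIRPIN in
!
ip access-list extended PVLAN-NO-HAIRPIN
 remark hosts may still talk to the gateway itself
 permit ip 10.202.0.0 0.0.0.255 host 10.202.0.1
 deny   ip 10.202.0.0 0.0.0.255 10.202.0.0 0.0.0.255
 permit ip any any
!
! Verify the VLAN roles, each port's association and the SVI mapping
Switch#show vlan private-vlan
Switch#show interfaces FastEthernet5/1 switchport
Switch#show interfaces private-vlan mapping
Switch#show ip access-lists PVLAN-NO-HAIRPIN
```

If the gateway is an external router on the promiscuous port rather than the SVI, put the equivalent deny on that router's inbound interface; the Layer 2 isolation alone never stops the hairpin.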

DHCP snooping drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, so a rogue
DHCP server plugged into an access port cannot hand out addresses, and it builds the IP-to-MAC binding
table that Dynamic ARP Inspection and IP Source Guard rely on.
8.3.3 has configs and examples

ARP poisoning and redirection

Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the MAC address-to-IP
address bindings stored in a DHCP snooping database. Additionally, DAI can validate ARP packets based
on user-configurable ACLs for hosts that use statically configured IP addresses.
To prevent ARP spoofing or “poisoning,” a switch must ensure that only valid ARP requests and
responses are relayed. To ensure that only valid ARP requests and responses are relayed, DAI takes the
following actions:
• Forwards ARP packets received on a trusted interface without any checks
• Intercepts all ARP packets on untrusted ports
• Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding
packets that can update the local ARP cache
• Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings
Generally, all access switch ports should be configured as untrusted and all switch ports connected to
other switches as trusted. All ARP packets traversing the network from an upstream distribution or core
switch c

The following example shows how to configure DAI for hosts on VLAN 1, where client devices are located
for switch 2. All client ports are untrusted by default. Only port 3/3 is trusted, because this is the only port
where DHCP replies would be expected.
Switch S2(config)#ip arp inspection vlan 1
Switch S2(config)#interface fastethernet 3/3
Switch S2(config-if)#ip arp inspection trust
***Ports default to untrusted; you must explicitly mark the trusted ports (uplinks to other switches)
to exempt them from ARP inspection.
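The following added example, not from the original notes, serves both the DHCP snooping note above and the DAI text, because DAI's binding table is built by DHCP snooping and the two are normally turned on together. The interface names, the VLAN, the rate limits, the database location and the statically addressed host's IP and MAC are assumptions for the example.

```cisco
! DHCP snooping: build the IP-to-MAC binding table and drop server messages on untrusted ports
ip dhcp snooping
ip dhcp snooping vlan 1
! Option 82 insertion is on by default and makes some DHCP servers discard the request;
! leave it off unless the server is configured to expect it
no ip dhcp snooping information option
! Persist the bindings across a reload so DAI does not drop every host until leases renew (location assumed)
ip dhcp snooping database flash:dhcp-snoop.db
!
! Dynamic ARP Inspection on the same VLAN, checked against the snooping bindings
ip arp inspection vlan 1
! Also verify that the Ethernet header addresses match the ones inside the ARP payload
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses have no DHCP lease; allow them through an ARP ACL (address and MAC assumed)
arp access-list STATIC-HOSTS
 permit ip host 10.1.1.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 1
!
! Uplink toward the DHCP server and the rest of the network: trusted for both features
interface FastEthernet3/3
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client ports stay untrusted (the default); cap DHCP and ARP rates so a flood err-disables
! the offending port instead of starving the switch CPU
interface range FastEthernet3/1 - 2 , FastEthernet3/4 - 48
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
!
! Bring rate-limited ports back automatically
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
!
! Verify: trusted ports, the learned bindings, and per-VLAN forwarded/dropped counters
Switch#show ip dhcp snooping
Switch#show ip dhcp snooping binding
Switch#show ip arp inspection vlan 1
Switch#show ip arp inspection statistics vlan 1
```

A rising "DHCP Drops" or "ACL Drops" counter in the DAI statistics on a port that is supposed to carry a normal workstation is the thing to investigate: either the host has a static address nobody whitelisted, or something on that port is answering ARP for addresses it does not own.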
BPDU guard err-disables a PortFast (edge) port the moment it receives any BPDU, which stops an unauthorized
switch, or a host running a bridge, attached to an access port from taking part in spanning tree and creating
a loop. Keeping another switch from becoming the STP root is the job of root guard (below).

To enable BPDU guard globally on the switch, use this command:


Switch(config)#spanning-tree portfast bpduguard default
----this enables BPDU guard by default on all PortFast ports
The no form of the command disables the feature on the switch.
To enable BPDU guard on a specific switch port, use this command:
Switch(config-if)#spanning-tree bpduguard enable
Not quite sure what this does
BPDU filtering, by contrast, suppresses BPDUs rather than reacting to them. Enabled globally, PortFast ports
send no BPDUs, and a PortFast port that does receive one loses PortFast and falls back to normal STP.
Enabled on an individual interface, the port neither sends nor honors BPDUs at all, which silently removes
that port from spanning tree and can hide a loop; BPDU guard is the safer choice on host ports.
To enable PortFast BPDU filtering globally on the switch, use this command:
Switch(config)#spanning-tree portfast bpdufilter default
To enable PortFast BPDU filtering on a specific switch port, use this command:
Switch(config-if)#spanning-tree bpdufilter enable
Protecting the root bridge with STP security

To enable root guard on a Layer 2 access port (to force it to become a designated port), use the following
command. To disable root guard, use the no form of the command.
Switch(config-if)#spanning-tree guard root
The figure demonstrates how to verify the root guard configuration. To display the interface configuration,
use the following command:
Switch#show running-config interface fastethernet 5/8
To determine whether any ports are in a root-inconsistent state, use the following command:
Switch#show spanning-tree inconsistentports

More stp stuff


Unidirectional links

The function of UDLD is to prevent one-way communication between adjacent devices. When UDLD
detects a one-way conversation, it can do one of two things, depending on whether UDLD is configured in
normal or aggressive mode. In normal mode, UDLD changes the UDLD-enabled port to an undetermined
state when it stops receiving UDLD messages from its directly connected neighbor. Aggressive mode
makes eight attempts to re-establish the UDLD neighbor relation before error disabling the port.
Aggressive mode is the preferred method of configuring UDLD and is the only mode that can detect a
UDLD condition on twisted-pair cable.

UDLD is used when a link should be shut down because of a hardware failure that is causing
unidirectional communication. In an EtherChannel bundle, UDLD shuts down only the physical link that
has failed.
UDLD can be enabled globally for all fiber interfaces or on a per-interface basis.
To enable UDLD on an interface, use the following command:
Switch(config-if)#udld port
To enable UDLD globally on all fiber-optic interfaces, use the following command:
Switch(config)#udld enable
UDLD shuts down interfaces. To reset all interfaces that have been shut down, use the following
command:
Switch#udld reset
To verify the UDLD configuration for an interface, use this command:
Switch#show udld interface
CDP is necessary for management applications and cannot be disabled without impairing some network-
management applications. However, CDP can be selectively disabled on interfaces where management is
not being performed. The interface command no cdp enable disables CDP on an individual interface.
The figure describes how CDP can be used maliciously.
8.6.4 vty ACLs
Cisco provides ACLs to permit or deny Telnet access to the vty ports of a switch. Cisco devices
vary in the number of vty ports that are available by default. When configuring vty ACLs, ensure
that all default ports are removed or have a specific vty ACL applied.
Telnet filtering is normally considered an extended IP ACL function because it is filtering a higher
level protocol. However, because the access-class command filters incoming Telnet sessions
by source address and applies filtering to vty lines, you can use standard IP ACL statements to
control vty access. The access-class command also applies standard IP ACL filtering to vty
lines for outgoing Telnet sessions originating from the switch.
You can apply vty ACLs to any combination of vty lines. You can apply the same ACL to all vty
lines or specifically to each vty line. The most common practice is to apply the same ACL to all vty
lines.

To configure vty ACLs on a Cisco switch, create a standard IP ACL and apply it to the vty lines.
Unlike an ACL applied to a data interface, it is applied to a vty line or range of lines with the access-class
command.
Consider this example. Permission is granted to any device on network 192.168.1.0/24 to establish a
virtual terminal (Telnet) session with the switch. Of course, the user must know the appropriate passwords
to enter user mode and privileged mode. Identical restrictions have been set on every vty line, because
the line on which the vty user connects cannot be controlled. The implicit deny any statement at the end
of the access list still applies to the ACL when it is used as an access-class entry.
Switch(config)# access-list 12 permit 192.168.1.0 0.0.0.255
Switch(config)# line vty 0 15
Switch(config-line)# access-class 12 in
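An added illustration of the access-class decision described above, not code from these notes or from Cisco IOS: a small Python emulation of a standard ACL applied inbound to the vty lines, including the wildcard-mask match and the implicit deny any. ACL 12 is the page's own entry; ACL 13 and ACL 14 are constructed here to show the host and any source forms.

```python
import ipaddress

# The page's ACL, in IOS syntax. IOS appends an implicit "deny any" to every list.
ACL_12 = ["access-list 12 permit 192.168.1.0 0.0.0.255"]

# Constructed lists (not from the page) exercising the other source forms.
ACL_13 = ["access-list 13 deny host 192.168.1.200",
          "access-list 13 permit 192.168.1.0 0.0.0.255"]
ACL_14 = ["access-list 14 permit any"]


def parse_entry(line):
    """Return (action, address_int, wildcard_int) for one standard ACL line.

    Accepts the three source forms IOS allows: "<addr> <wildcard>",
    "host <addr>" and "any". A bare address means a single host.
    """
    parts = line.split()          # ['access-list', '12', 'permit', <source...>]
    action, src = parts[2], parts[3:]
    if src[0] == "any":
        return action, 0, 0xFFFFFFFF
    if src[0] == "host":
        return action, int(ipaddress.IPv4Address(src[1])), 0
    addr = int(ipaddress.IPv4Address(src[0]))
    wild = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
    return action, addr, wild


def matches(source_ip, addr, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    ip = int(ipaddress.IPv4Address(source_ip))
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def access_class_decision(acl_lines, source_ip):
    """Emulate 'access-class <n> in': first matching entry wins."""
    for line in acl_lines:
        action, addr, wildcard = parse_entry(line)
        if matches(source_ip, addr, wildcard):
            return action
    return "deny"   # the implicit deny any at the end of every IOS ACL
```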
8.6.6 Best Practices for Switch Security
Network security vulnerabilities include loss of privacy, data theft, impersonation, and loss of
integrity. Basic security measures should be taken on every network to mitigate adverse effects of
user negligence or acts of malicious intent.
The following steps are required whenever placing new equipment in service:
Step 1 Consider or establish organizational security policies.
Step 2 Secure switch devices.
Step 3 Secure switch protocols.
Step 4 Mitigate compromises launched through a switch.
You should consider the policies of an organization when determining which level and type of
security to implement. You must balance the goal of reasonable network security with the
administrative overhead of extremely restrictive security measures.
A well-established security policy has these characteristics:
• Provides a process for auditing existing network security
• Provides a general security framework for implementing network security
• Defines disallowed behaviors toward electronic data
• Determines which tools and procedures are needed for the organization
• Communicates consensus among a group of key decision-makers and defines the
responsibilities of users and administrators
• Defines a process for handling network security incidents
• Enables an enterprise-wide, all-site security implementation and enforcement plan
Follow these best practices for secure switch access:
• Set system passwords: Use the enable secret command to set the password that grants enabled
access to the Cisco IOS system. Because the enable secret command simply implements a Message
Digest 5 (MD5) hash on the configured password, that password still remains vulnerable
to dictionary attacks. Therefore, apply standard practices in selecting a feasible
password. Try to pick passwords that contain letters, numbers, and special characters, for
example, “$pecia1$” instead of “specials,” where the “s” has been replaced by “$,” and
the “l” has been replaced with "1" (one).
• Secure access to the console: Console access requires a minimum level of security
both physically and logically. An individual who gains console access to a system can
recover or reset the system-enable password, thus allowing that person to bypass all
other security implemented on that system. Consequently, it is imperative to secure
access to the console.
• Secure access to vty lines: The minimum recommended steps for securing Telnet
access are:
○ Apply the basic ACL for in-band access to all vty lines.
○ Configure a line password for all configured vty lines.
• Use SSH: The SSH protocol and application provide a secure remote connection to a
switch. It encrypts all traffic, including passwords, between a remote console and a
switch. Because SSH sends no traffic in clear text, network administrators can conduct
remote access sessions that casual observers cannot view. The SSH server in Cisco IOS
software works with publicly and commercially available SSH clients.
• Configure system-warning banners: For both legal and administrative purposes,
displaying a system-warning banner prior to login is a convenient and effective way of
reinforcing security and general usage policies. By clearly stating the ownership, usage,
access, and protection policies before a login, you provide more solid backing for
potential future prosecution.
• Disable unneeded services: By default, Cisco devices implement multiple TCP and
User Datagram Protocol (UDP) servers to facilitate management and integration into
existing environments. For most installations, these services are typically not required,
and disabling them can greatly reduce overall security exposure. These commands
disable services not typically used:
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config

• Disable the integrated HTTP daemon if not in use: Although Cisco IOS software
provides an integrated HTTP server for management, it is highly recommended that it be
disabled to minimize overall exposure. If HTTP access to the switch is absolutely
required, use basic ACLs to permit access from only trusted subnets.
• Configure basic logging: To assist and simplify problem troubleshooting and security
investigations, monitor the switch subsystem information received from the logging facility.
View the output in the on-system logging buffer memory. To render the on-system logging
useful, increase the default buffer size.
Follow these best practices for switch security:
• Use CDP only as needed: CDP does not reveal security-specific information, but it is
possible for an attacker to exploit this information in a reconnaissance attack, whereby an
attacker learns device and IP address information for the purpose of launching other
types of attacks. Two practical guidelines should be followed for CDP.
○ If CDP is not required, or the device is located in an unsecure environment,
disable CDP globally on the device.
○ If CDP is required, disable CDP on a per-interface basis on ports connected to
untrusted networks. Because CDP is a link-level protocol, it is not transient
across a network (unless a Layer 2 tunneling mechanism is in place). Limit it to
run only between trusted devices and disable it everywhere else. However, CDP
is required on any access port when you are attaching a Cisco phone to establish
a trust relationship.
• Secure the spanning tree topology: It is important to protect the STP process of the
switches that compose the infrastructure. Inadvertent or malicious introduction of STP
BPDUs could potentially overwhelm a device or pose a DoS attack. The first step in
stabilizing a spanning tree installation is to positively identify the intended root bridge in
the design and to hard set the STP bridge priority of that bridge to an acceptable root
value. Do the same for the designated backup root bridge. These actions protect against
inadvertent shifts in STP due to an uncontrolled introduction of a new switch.
On some platforms, the BPDU guard feature may be available. If so, enable it on access ports in
conjunction with the PortFast feature to protect the network from unwanted BPDU traffic injection.
Upon receipt of a BPDU, the feature automatically disables the port.
Follow these best practices to mitigate compromises through a switch:
• Proactively configure unused router and switch ports:
○ Execute the shut command on all unused ports and interfaces.
○ Place all unused ports in a “parking-lot” VLAN used specifically to group unused
ports until they are proactively placed into service.
○ Configure all unused ports as access ports, disallowing automatic trunk
negotiation.
• Disable automatic trunk negotiation: By default, Cisco Catalyst switches running Cisco
IOS software are configured to automatically negotiate trunking capabilities. This situation
poses a serious hazard to the infrastructure because an unsecured third-party device can
be introduced to the network as a valid infrastructure component. Potential attacks
include interception of traffic, redirection of traffic, and DoS. To avoid this risk, disable
automatic negotiation of trunking and manually enable it on links that require it. Ensure
that trunks use a native VLAN that is dedicated exclusively to trunk links.
• Monitor physical device access: Avoid rogue device placement in wiring closets with
direct access to switch ports.
• Establish port-based security: Specific measures should be taken on every access port
of any switch placed into service. Ensure that a policy is in place outlining the
configuration of both used and unused switch ports. For ports enabled for end-device
access, the macro switchport host takes the following actions when executed on a specific switch port:
○ Sets the switch port mode to access
○ Enables spanning tree PortFast
○ Disables channel grouping.
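An added defender-side check, not part of these notes or of Cisco IOS: a Python audit that walks a constructed running-config excerpt and reports where it departs from the practices listed above (unneeded TCP/UDP servers and the HTTP daemon left enabled, vty lines without an access-class or still accepting Telnet, unused ports not shut down or left at default trunk negotiation, PortFast without BPDU guard). SAMPLE_CONFIG is constructed for the example and was not captured from a real device.

```python
# Constructed 'show running-config' excerpt (not from a real device); it
# deliberately contains several weak settings from the best-practice list.
SAMPLE_CONFIG = """\
service tcp-small-servers
ip http server
!
interface FastEthernet0/5
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
line vty 0 15
 password cisco
 transport input telnet ssh
"""

def parse_blocks(config):
    """Split an IOS config into global lines and {stanza header: [indented lines]}."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            if raw.strip() not in ("", "!"):
                global_lines.append(raw.strip())
    return global_lines, blocks

def audit_config(config):
    """Return one finding per best-practice violation; an empty list means clean."""
    glob, blocks = parse_blocks(config)
    findings = []
    for svc in ("service tcp-small-servers", "service udp-small-servers",
                "service finger", "service config", "ip http server"):
        if svc in glob:  # unneeded servers / HTTP daemon explicitly enabled
            findings.append(f"global: '{svc}' enabled")
    guard_all = "spanning-tree portfast bpduguard default" in glob
    for name, body in blocks.items():
        if name.startswith("line vty"):
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{name}: no access-class ACL applied")
            if "transport input ssh" not in body:
                findings.append(f"{name}: transport input is not SSH-only")
        elif "shutdown" not in body and "switchport mode access" not in body:
            findings.append(f"{name}: not shut down, trunk negotiation at default")
        elif "spanning-tree portfast" in body and not guard_all \
                and "spanning-tree bpduguard enable" not in body:
            findings.append(f"{name}: PortFast without BPDU guard")
    return findings
```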
