

CCIE Study sheet

Foreword
Access Lists
Standard Access Lists
Extended Access Lists
Named Access Lists
Reflexive Access Lists
Aliases
ATM
ATM PVCs – Point-to-Point
ATM PVCs – Multipoint
ATM SVCs
ATM – ARP Server (Classical IP)
Bridging
Global
Interface
Bridging – IRB
Global
Interface
Bridging – CRB
Global
Interface
CET – Cisco Encryption Technology
Dial
Basic Configuration
Dialer Strings
Dialer Maps
Dialer Profiles
Callback
Floating Static Routes
Dial Watch
Snapshot routing
DLSW
Global
Interface
Firewalls
Context Based Access Control (CBAC)
Reflexive Access Lists
Lock and Key Access
Frame Relay
Frame-Relay Switching
Frame-Relay
Frame-Relay Traffic Shaping
HSRP
ISAKMP
IPSEC
IPX
Filtering
RIP and SAP
NLSP
NLSP Route Aggregation
Local Area Mobility
Multicast
IGMP
CGMP
PIM
Network Address Translation (NAT)
Outgoing
Incoming
NTP
Password Recovery
2500/4000
2600/3600/4500
Catalyst 1200 and 5000
Queuing and Traffic Shaping
Priority Queuing
Custom Queuing
Frame-Relay
Regular Expressions
Route Maps
Policy Route Maps
Routing
BGP
RIP
IGRP
EIGRP
OSPF
IS-IS
Redistribute
Script for all routers
Source Route Bridging
Global
Interface
Source Route Translational Bridging
Switches
Catalyst 5000
Catalyst 3920
Terminal Server Configuration
Trunking
ISL:
802.1Q:
ATM PVCs:
Tunnels
Voice Over FR
Voice Over IP



Foreword

The CCIE test is demanding. However, your state of mind can have a dramatic
effect on your performance. Study the material well and be confident that you
will succeed. There is tremendous power in positive thinking!

At some point a few days before you take the exam (when you are relaxed)
visualize passing the test. Visualize walking into the lab, seeing the rack and
getting handed the test. Visualize seeing several things (core topics) on the test
that you know cold. There will also be some topics you are very unfamiliar with –
this is expected. Part of the CCIE testing is seeing if you can react quickly. These
are usually only worth a few points and are not incredibly difficult. Don’t get
psyched out by the exam!

Visualize yourself completing one task, then another, then another. Visualize
completing day 1 with an hour or two left to check your work (and please check it
– there will be a few “stupid” mistakes. In fact, given the option of spending the
final hour trying to get something to work that has eluded you, you’re probably
better off spending it reviewing for completeness all the things you’ve finished.)

Visualize walking in the second day and having the instructor say, “Good job,
you’re going on to day 2.” Visualize completing the morning of day 2, then going
into troubleshooting. Visualize nailing troubleshooting, as that actually isn’t
terribly difficult. Visualize getting your CCIE number and imagine what that will
feel like.

Do this entire process several times; it will help reinforce your confidence. Make
up your mind that you are going to study hard, prepare well, execute beautifully
and pass the test!


Access Lists
Standard Access Lists
access-list 1 permit 10.2.50.0 0.0.0.255
access-list 1 permit 10.10.0.0 0.0.255.255

interface serial 0/1
ip access-group 1 in

line vty 0 4
access-class 1 in
Extended Access Lists
access-list 100 permit ip 172.18.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 101 permit tcp 155.182.10.0 0.0.0.255 192.233.145.0 0.0.0.255 eq 23
access-list 101 permit udp 10.0.0.0 0.255.255.255 gt 1023 192.168.0.0 0.0.255.255

access-list 101 permit icmp any any echo-reply


router eigrp 200
distribute-list 101 out

Named Access Lists
ip access-list (standard|extended) nameoflist
permit ip 208.14.35.0 0.0.0.255 any
permit tcp 155.182.0.0 0.0.255.255 eq 80 any
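As an added example (not from this sheet), a small Python evaluator for the standard and extended lists above: it parses the access-list lines, applies the wildcard masks, and shows first-match and implicit-deny behaviour on constructed packets. The Packet/Entry classes, the port keyword table and the sample packets are assumptions made for illustration.

```python
"""IOS numbered access-lists with wildcard masks: an added example, not from
the study sheet. It parses access-list lines like the ones above and decides
permit/deny for constructed packets (first match wins, then implicit deny)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53}   # keywords the sheet uses
ICMP_TYPES = {"echo-reply": 0, "echo": 8}

@dataclass
class Packet:
    proto: str                        # "tcp", "udp", "icmp" or "ip"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1

@dataclass
class Entry:
    action: str
    proto: str                        # "ip" matches every protocol
    src: Tuple[str, str]              # (base address, wildcard mask)
    sport: Optional[Tuple[str, int]]  # (operator, port), None = any port
    dst: Tuple[str, str]
    dport: Optional[Tuple[str, int]]
    icmp_type: Optional[int]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _parse_addr(tok: List[str]) -> Tuple[str, str]:
    t = tok.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tok.pop(0), "0.0.0.0")
    # A standard list may omit the wildcard; IOS then assumes 0.0.0.0.
    return (t, tok.pop(0) if tok and tok[0].count(".") == 3 else "0.0.0.0")

def _parse_port(tok: List[str]) -> Optional[Tuple[str, int]]:
    if tok and tok[0] in ("eq", "gt", "lt"):
        op, val = tok.pop(0), tok.pop(0)
        return (op, PORT_NAMES[val] if val in PORT_NAMES else int(val))
    return None

def parse_acl(lines) -> dict:
    """Return {list number: [Entry, ...]} in configured order."""
    acls: dict = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                                 # comments, other config
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:                        # standard: source only
            entry = Entry(action, "ip", _parse_addr(rest), None,
                          ("0.0.0.0", "255.255.255.255"), None, None)
        else:                                        # extended
            proto = rest.pop(0)
            src, sport = _parse_addr(rest), _parse_port(rest)
            dst, dport = _parse_addr(rest), _parse_port(rest)
            icmp = ICMP_TYPES.get(rest[0]) if proto == "icmp" and rest else None
            entry = Entry(action, proto, src, sport, dst, dport, icmp)
        acls.setdefault(number, []).append(entry)
    return acls

def _port_ok(spec: Optional[Tuple[str, int]], port: int) -> bool:
    return spec is None or {"eq": port == spec[1], "gt": port > spec[1],
                            "lt": port < spec[1]}[spec[0]]

def _matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)
            and _port_ok(e.sport, p.sport) and _port_ok(e.dport, p.dport)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))

def evaluate(entries: List[Entry], p: Packet) -> str:
    """First matching entry wins; every IOS list ends with an implicit deny."""
    for e in entries:
        if _matches(e, p):
            return e.action
    return "deny"

# Constructed input: the lists from the sheet plus a comment line to skip.
SAMPLE_CONFIG = """\
! constructed sample config
access-list 1 permit 10.2.50.0 0.0.0.255
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 101 permit tcp 155.182.10.0 0.0.0.255 192.233.145.0 0.0.0.255 eq 23
access-list 101 permit udp 10.0.0.0 0.255.255.255 gt 1023 192.168.0.0 0.0.255.255
access-list 101 permit icmp any any echo-reply
""".splitlines()
ACLS = parse_acl(SAMPLE_CONFIG)
```

Note that a telnet to the right hosts on port 23 passes while the same flow on port 22 falls through to the implicit deny, and that the UDP entry only admits sources above port 1023.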

Reflexive Access Lists
See “Firewalls”

Aliases
alias exec i show ip route

ATM

interface ATM1/0
ip address 20.20.20.1 255.255.255.0
map-group cisco
atm pvc 1 5 45 aal5snap
!
map-list cisco
ip 20.20.20.2 atm-vc 1 broadcast

Note: the “new” way to define pvc’s does not need map-groups:


interface ATM1/0
ip address 20.20.20.1 255.255.255.0
pvc 0/600
protocol ip 20.20.20.2 broadcast
encapsulation aal5snap
ATM PVCs – Point-to-Point
interface ATM2/0
no ip address
!
interface ATM2/0.1 point-to-point
ip address 10.2.0.254 255.255.255.0
atm pvc 1 2 254 aal5snap inarp
!
interface ATM2/0.3 point-to-point
ip address 166.90.188.14 255.255.255.252
atm pvc 3 20 300 aal5snap inarp

ATM PVCs – Multipoint
interface ATM0
no ip address
atm max-paks-vc 40

!
interface ATM0.100 multipoint
ip address 172.20.10.2 255.255.255.0
atm pvc 1 0 101 aal5snap
atm pvc 2 0 201 aal5snap
map-group map1
ipx network 304

!
map-list map1
ipx 304.3.3.3 atm-vc 1 broadcast
ipx 405.2.2.2 atm-vc 2 broadcast
ip 172.20.10.1 atm-vc 1 broadcast
ip 172.20.20.1 atm-vc 2 broadcast
!
ATM SVCs
interface atm 0
atm pvc 1 0 5 qsaal
atm pvc 2 0 16 ilmi (optional – you can manually define the ATM address)
!
interface atm 0.1 multipoint
ip address 131.108.192.1 255.255.255.0
atm nsap-address 11.1111.00000000000000000000.000000000000.00
map-group svc-ip-routerA

map-list svc-ip-routerA
ip 131.108.192.2 atm-nsap
22.2222.00000000000000000000.000000000000.00 broadcast
ip 131.108.192.3 atm-nsap
33.3333.00000000000000000000.000000000000.00 broadcast
ip 131.108.192.4 atm-nsap
44.4444.00000000000000000000.000000000000.00 broadcast

ATM – ARP Server (Classical IP)
On the ATM ARP Server:

interface atm0
atm pvc 1 0 5 qsaal

atm nsap-address 11.1111.00000000000000000000.000000000000.00
atm arp-server self

On the ATM ARP Client:

interface atm0
atm pvc 1 0 5 qsaal
atm nsap-address 22.2222.00000000000000000000.000000000000.00
atm arp-server nsap 11.1111.00000000000000000000.000000000000.00

or better yet:

On the ATM ARP Server:

interface atm0

atm pvc 1 0 5 qsaal
atm pvc 2 0 16 ilmi
atm esi-address 3333.3333.3333.00
atm arp-server self

On the ATM ARP Client:

interface atm0
atm pvc 1 0 5 qsaal
atm pvc 2 0 16 ilmi
atm esi-address 2222.2222.2222.00
atm arp-server nsap 47.0091810000000060705A9801.333333333333.00


where ilmi provides the atm prefix and 47.0091810000000060705A9801 was
identified with a “show atm ilmi-status” on the arp-server router.

Bridging

Global
bridge 1 protocol ieee
bridge 1 priority 100

Interface
interface e0
bridge-group 1
bridge-group 1 path-cost 50

Bridging – IRB

Global
bridge irb

to allow IRB to bridge and route a protocol (since bridging is enabled by default):
bridge 1 route IPX (bridge bridge-group route protocol)

to allow IRB to route – but not bridge – a protocol:
bridge 1 route IP (bridge bridge-group route protocol)
no bridge 1 bridge IP (no bridge bridge-group bridge protocol)

Interface
interface bvi 1 (interface bvi bridge-group)
ip address 10.10.10.1 255.255.255.0
ipx network 1234

ip ospf cost 200
(any protocol info for protocols that will be routed and bridged together…)

Bridging – CRB
Global
bridge crb

Interface
Same as irb, above.

CET – Cisco Encryption Technology

The basic steps for configuring CET are
1. Generate DSS public/private keys
2. Exchange DSS public/private keys between routers
3. Enable DES encryption algorithms
4. Define crypto maps and apply them to an interface

crypto key generate dss Router1 (often the name of the router)
show crypto key mypubkey dss (view public keys)
copy system:running-config nvram:startup-config (save private keys)

Configure one router to be “active” in key exchange, the other to be “passive”:
crypto key exchange dss passive (on one router)
crypto key exchange dss ip_address_of_passive Router1 (key name)

crypto cisco algorithm des

access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.15.0 0.0.0.255


crypto map mymap 10 cisco
set peer Router2 (key name received from other router)
match address 100
set algorithm des

interface serial 0
crypto map mymap

If a router has more than one CET peer, simply add more sequences to the
crypto map, one for each remote peer.

Dial
Basic Configuration
isdn switch-type basic-ni1
interface bri0
encapsulation ppp
dialer-group 1
ppp authentication chap (optional)
dialer-list 1 protocol ip permit

Dialer Strings
interface bri0
dialer string 1111
Dialer Maps
interface bri0
ip address 172.24.1.3 255.255.255.0

dialer map ip 172.24.1.1 name router1 broadcast 1111111

dialer map ip 172.24.1.2 name router2 broadcast 1112222

Remember the name of the other router!
Dialer Profiles
interface bri0
no ip address
encapsulation ppp
ppp authentication chap ! (optional)
dialer pool-member 1
interface dialer 1
encapsulation ppp ! (required!!!)
ip address 192.168.1.1 255.255.255.0
dialer remote-name router5 ! (if authentication is used)
dialer string 1112223333
dialer pool 1
dialer-group 1
ppp authentication chap
Callback
On the “client” router (makes first call):
int bri0
ppp callback request

On the “server” router (makes return call):
int bri0
ppp callback accept
dialer map ip 192.168.2.1 class myclass name r1 broadcast 5552020
!
map-class dialer myclass

dialer callback-server username
Floating Static Routes
ip route 192.168.100.0 255.255.255.0 172.24.1.1 (or interface BRI0) 200
ipx route default 10.0000.0000.0001 (or bri0) floating-static
Dial Watch
This can be handy because it is similar to floating statics, but doesn’t actually use
statics (often forbidden on CCIE lab). It also works with any routing protocol –
though especially well with EIGRP. It looks for routes (as specified in watch-list)
to disappear:

int bri0 (or int dialer0 – dialer int seems to work better)
dialer watch-group 1
dialer map ip 10.205.205.0 name r1 broadcast 5551212
!
dialer watch-list 1 ip 10.205.205.0 255.255.255.0
Snapshot routing

The following commands are configured on the client router:


interface bri 0
snapshot client 5 360 dialer
dialer map snapshot 1 4155556734
dialer map snapshot 2 7075558990

The following commands are configured on the server router:

interface bri 0
snapshot server 5 dialer


DLSW

Global
source-bridge ring-group 800
dlsw local-peer peer-id 172.21.200.1 promiscuous group 1 border
dlsw remote-peer 0 tcp 172.21.200.19
dlsw remote-peer 0 fst 192.168.154.32
dlsw bridge-group 1

dlsw remote-peer 3 tcp 192.168.10.1
dlsw ring-list 3 rings 5 18 109


Interface
interface token ring 0
source-bridge 2176 1 800

interface Ethernet 0
bridge-group 1

Firewalls

Context Based Access Control (CBAC)
ip inspect name myfirewall tcp

interface Ethernet 0 (inside interface)
ip inspect myfirewall in

interface serial 0 (outside interface)

ip access-group 100 in

access-list 100 deny ip any any
Reflexive Access Lists
interface Serial 1
description Access to the Internet via this interface
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!

ip access-list extended outboundfilters
permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
permit bgp any any
permit eigrp any any
deny icmp any any
evaluate tcptraffic

Lock and Key Access
interface serial 0
ip address 172.17.1.1 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp any host 172.17.1.1 eq telnet
access-list 101 dynamic dunno permit ip any any
!

line vty 0 4
password mypassword
login
autocommand access-enable

This works, however everyone who telnets to the router activates the
autocommand and gets disconnected – not very useful! A better way is:

username bob password 0 cisco
username bob autocommand access-enable
username sue password 0 mypass
interface serial 0
ip address 172.17.1.1 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp any host 172.17.1.1 eq telnet
access-list 101 dynamic dunno permit ip any any
!
line vty 0 4
password mypassword
login local

Frame Relay

Frame-Relay Switching
frame-relay switching
interface s0
encapsulation frame-relay
frame-relay intf-type dce (nni if connecting to another frame switch)
frame-relay route 100 interface s1 150 (in-dlci out-interface out-dlci)
clock rate 512000 (if using a DCE cable)


Frame-Relay
interface s0
ip address 172.24.1.1 255.255.255.0
encapsulation frame-relay
frame-relay map ip 172.24.1.2 330 broadcast
frame-relay map ip 172.24.1.3 340 broadcast

Or…

interface s0
no ip address
encapsulation frame-relay

interface s0.1 point-to-point
ip address 172.24.1.1 255.255.255.0
frame-relay interface-dlci 330

interface s0.2 point-to-point
ip address 172.24.2.1 255.255.255.0
frame-relay interface-dlci 340

Or…

interface s0
no ip address

encapsulation frame-relay

interface s0.1 multipoint
ip address 192.168.1.1 255.255.255.0
frame-relay map ip 192.168.1.2 101 broadcast
frame-relay map ip 192.168.1.3 102 broadcast
Frame-Relay Traffic Shaping
interface s0
frame-relay traffic-shaping
frame-relay class example1 (<- for all DLCI’s)
frame-relay interface-dlci 101
class example1 (<- on a per-DLCI basis)
!
map-class frame-relay example1
frame-relay priority-group 7 (<- priority queuing, or
frame-relay custom-queue-list 3 <- custom queuing)
frame-relay cir 128000
frame-relay bc 256000
frame-relay adaptive-shaping becn
!
priority-list 7 protocol ip high
priority-list 7 protocol ipx normal
!
queue-list 3 protocol ip 11
queue-list 3 protocol ipx 12
queue-list 3 protocol ip 10 tcp telnet
queue-list 3 default 13
queue-list 3 queue 10 byte-count 3000


queue-list 3 queue 11 byte-count 2000
queue-list 3 queue 12 byte-count 1000
queue-list 3 queue 13 byte-count 1000


HSRP

standby 1 ip 172.24.1.1
standby 1 priority 105
standby 1 preempt (good idea to use this!)
standby 1 authentication password
standby 1 track Ethernet 0
standby 2 ip 172.24.1.2
standby 2 priority 95
standby 2 track serial 1

ISAKMP

Note: ISAKMP uses UDP port number 500 (ACLs).

crypto isakmp policy 1
encryption des
hash md5
authentication {rsa-encr|pre-share}
group 1 (sets the Diffie-Hellman group)
lifetime 3600

For RSA encrypted nonces:
crypto key generate rsa
show crypto key mypubkey rsa (to show your public key, which was just generated by the previous command)
crypto key pubkey-chain rsa
addressed-key ip_address_of_remote_peer
key-string public_key_identified_at_peer_with_”show crypto key mypubkey rsa”_command

Repeat the last few commands at each peer.

For pre-shared keys:
crypto isakmp key keystring address address_of_remote_peer

Repeat these steps at each peer with the identical key.

IPSEC

Note: The IPSec ESP and AH protocols use IP protocol numbers 50 and 51 (ACLs).

Manual IPSec security associations:
crypto ipsec transform-set myset esp-des
!
crypto map mymap local-address Loopback1
crypto map mymap 10 ipsec-manual

set peer 10.8.1.1
set session-key inbound esp 1000 cipher 1234567812345678
set session-key outbound esp 1000 cipher 1234567812345678
set transform-set myset
match address 100

interface serial 0
crypto map mymap
!
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.8.1.0 0.0.0.255

ISAKMP negotiated IPSec security associations:
(configure ISAKMP, then…)
crypto ipsec transform-set myset esp-des esp-sha
crypto isakmp key mypassword address 10.8.1.1
crypto map mymap 10 ipsec-isakmp
match address 100
set peer 10.1.1.1
set transform-set myset
interface Ethernet 0
crypto map mymap
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255

If a router has more than one IPSec peer, simply add more sequences to the
crypto map, one for each remote peer.

IPX

Filtering

RIP and SAP
To control the route and SAP information learned at a router level:

ipx router rip|eigrp|nlsp
distribute-list 800 in|out [interface name|process name]

distribute-sap-list 1000 in|out [interface name|process name]

To control the route and SAP information learned at an interface level:
interface Ethernet 0
ipx input-network-filter 800
ipx input-sap-filter 1000
ipx output-network-filter 801
ipx output-sap-filter 1001

NLSP

ipx routing 1.1.1 (where 1 represents “router 1” or “r1”)
ipx internal-network 1
ipx router nlsp <tag> (<tag> is optional)

area-address <network and mask that represent the networks in this area>
interface ethernet0
ipx network e005 encapsulation novell-ether
ipx nlsp enable <tag>
interface serial0
ipx nlsp enable <tag>

NLSP Route Aggregation

ipx router nlsp <tag>
area-address <network and mask that represent the networks in this area>
route-aggregation
redistribute nlsp <tag> access-list 1200 [optional, only for ACL?]
redistribute rip access-list 1201

redistribute eigrp 100 access-list 1202
access-list 120x deny <network and masks to summarize>
access-list 120x permit –1

Local Area Mobility

interface Ethernet 0
ip address 172.16.17.1 255.255.255.0
ip mobile arp timers 120 600 access-group 2
router eigrp 1
network 172.16.0.0
redistribute mobile
default-metric 80 70 60 70 100
access-list 2 deny 172.16.5.0 0.0.0.255
access-list 2 deny 172.16.12.16 0.0.0.0
access-list 2 permit 172.16.0.0 0.0.255.255

Multicast
IGMP
Router(config)#interface Ethernet 0
Router(config-if)#ip igmp join-group 224.1.2.3

Console(config)#set igmp enable
Console(config)#set multicast router 3/5 (required for IGMP)
CGMP
Router(config)#interface Ethernet 0
Router(config-if)#ip cgmp

Console(config)#set cgmp enable
PIM

ip multicast-routing
interface serial 0
ip pim sparse-dense-mode (or ip pim sparse-mode or ip pim dense-mode)
interface ethernet 0
ip pim sparse-dense-mode (or ip pim sparse-mode or ip pim dense-mode)

ip igmp join-group 225.1.1.1 (place this on to test – should be pingable)

interface Ethernet 0
ip pim sparse-mode
ip pim rp-address <address of the rendezvous point router>
or use auto-rp discovery – but requires pim sparse-dense mode!

Network Address Translation (NAT)

Outgoing
Static:

ip nat inside source static 10.15.20.1 204.193.24.5
interface ethernet0
ip nat inside
interface serial0
ip nat outside

Dynamic:

ip nat pool mypool 207.242.100.1 207.242.100.50 netmask 255.255.255.0
ip nat inside source list 1 pool mypool overload
interface ethernet0

ip nat inside
interface serial0
ip nat outside
access-list 1 permit 192.168.2.0 0.0.0.255


Incoming
Static:

review this
ip nat outside source static 12.12.12.12 200.192.253.12
interface ethernet0
ip nat inside
interface serial0
ip nat outside

Dynamic:
?

ip nat outside source list (or static):
• translates the source of IP packets that are traveling outside to inside
• translates the destination of IP packets that are traveling inside to outside

ip nat inside source list (or static):
• translates the source of IP packets that are traveling inside to outside
• translates the destination of IP packets that are traveling outside to inside
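As an added example (not from this sheet), a Python model of the four rules in the table above, configured with the static entries and the overloaded pool from this section. The NatRouter class, the sample packets, and the simplification that an overloaded pool hands out ports from its first address are assumptions made for illustration.

```python
"""Toy NAT router for the four rules in the table above: an added example,
not from the study sheet. It uses the static entries and the overloaded pool
from the NAT section and keeps a translation table like the one
'show ip nat translations' displays. All packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

class NatRouter:
    def __init__(self, pool: List[str], inside_acl: str):
        self.inside_static: Dict[str, str] = {}   # inside local -> inside global
        self.outside_static: Dict[str, str] = {}  # outside global -> outside local
        self.pool = pool                          # ip nat pool ... (overload)
        self.inside_acl = ipaddress.ip_network(inside_acl)  # access-list 1
        # Dynamic entries: (inside local, port) -> (inside global, port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_port = 1024

    def inside_source_static(self, local: str, glob: str) -> None:
        """ip nat inside source static <inside-local> <inside-global>"""
        self.inside_static[local] = glob

    def outside_source_static(self, glob: str, local: str) -> None:
        """ip nat outside source static <outside-global> <outside-local>"""
        self.outside_static[glob] = local

    def inside_to_outside(self, p: Packet) -> Packet:
        """inside source rewrites the source; outside source rewrites the
        destination (outside local back to outside global)."""
        src, sport = p.src, p.sport
        if p.src in self.inside_static:
            src = self.inside_static[p.src]
        elif ipaddress.ip_address(p.src) in self.inside_acl:
            key = (p.src, p.sport)
            if key not in self.table:
                # overload: one global address, a fresh port per inside flow
                self.table[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            src, sport = self.table[key]
        to_global = {v: k for k, v in self.outside_static.items()}
        return Packet(src, to_global.get(p.dst, p.dst), sport, p.dport)

    def outside_to_inside(self, p: Packet) -> Optional[Packet]:
        """outside source rewrites the source; inside source rewrites the
        destination (inside global back to inside local). A packet for the
        pool address with no table entry has nowhere to go: None = dropped."""
        src = self.outside_static.get(p.src, p.src)
        to_local = {v: k for k, v in self.inside_static.items()}
        dst, dport = p.dst, p.dport
        if p.dst in to_local:
            dst = to_local[p.dst]
        elif p.dst in self.pool:
            entry = {v: k for k, v in self.table.items()}.get((p.dst, p.dport))
            if entry is None:
                return None
            dst, dport = entry
        return Packet(src, dst, p.sport, dport)

def build_router() -> NatRouter:
    """Constructed configuration using the addresses from the NAT section."""
    r = NatRouter(pool=["207.242.100.1"], inside_acl="192.168.2.0/24")
    r.inside_source_static("10.15.20.1", "204.193.24.5")
    r.outside_source_static("12.12.12.12", "200.192.253.12")
    return r

if __name__ == "__main__":
    r = build_router()
    out = r.inside_to_outside(Packet("10.15.20.1", "200.192.253.12", 40000, 80))
    back = r.outside_to_inside(Packet("12.12.12.12", "204.193.24.5", 80, 40000))
    print("out:", out, "\nback:", back, "\ntable:", r.table)
```

The round trip shows both static rules acting on one flow, and the overload case shows why an unsolicited inbound packet to the pool address is dropped rather than forwarded.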

NTP


Client:
r1(config)# clock timezone EST -5
r1(config)# clock summer-time EDT recurring
r1(config)# ntp server 192.168.254.1

Master:
r2# calendar set 10:05:00 4 April 2000 (if the machine has a permanent calendar)
r2(config)# clock calendar-valid (if the machine has a permanent calendar)
r2# clock set 10:05:00 4 April 2000 (only if the machine doesn’t have a permanent calendar)
r2(config)# ntp master 5


Password Recovery

If you have to break in, make sure you do a “no shut” on interfaces if necessary.
2500/4000
Reboot router.
Type BREAK (control-shift-6 b on Cisco terminal server, control-F6-break on
Hyperterm).
Type o/r 0x2142 at the “>” prompt (to boot from flash).

Type I at the “>” prompt to reboot the router.
Answer no to all set-up questions.
Type enable at the Router> prompt.
Type copy start run (brings in old config) <- Watch this!! Not the other way around!!

Type config term, then either enable secret <password> or enable password <password>.
Type config term, then config-register 0x2102.
Verify the config now in running-config is correct.
Type copy run start.
(Type reload. – optional)
2600/3600/4500
Reboot router.
Type BREAK (control-shift-6 b on Cisco terminal server, control-F6-break on
Hyperterm).
Type confreg 0x2142 at the "ROMMON>" prompt (to boot from flash).
Type reset at the "ROMMON>" prompt to reboot the router.
Answer no to all set-up questions.
Type enable at the Router> prompt.

Type copy start run (brings in old config) <- Watch this!! Not the other way around!!
Type config term, then either enable secret <password> or enable password <password>.
Type config term, then config-register 0x2102.
Verify the config now in running-config is correct.
Type copy run start.
(Type reload. – optional)

Catalyst 1200 and 5000

To recover a lost password on Catalyst 1200, Catalyst 5000, and all concentrators:
1. You must be on the console.
2. Reboot the device.
3. When you see the password prompt, press Enter (null password for 30
seconds).
4. Type Enable.
5. When you see the password prompt press Enter (null password for 30
seconds).
6. Change the password:
Console> (enable) set pass[Enter]
Enter old password:[Enter]
Enter new password:a[Enter]
Retype new password:a[Enter]
Password changed.
Console> (enable) set enablep[Enter]
Enter old password:[Enter]
Enter new password:a[Enter]
Retype new password:a[Enter]
Password changed.
Console> (enable)

Queuing and Traffic Shaping

There are as many Cisco variations of queuing as there are flavors of ice cream.
However here are a few powerful ones that can satisfy many requirements:

Priority Queuing
Bruce Caslow describes priority queuing as a “fascist” queuing strategy since it is
very strict in its approach. Higher queues get priority, period. Given enough high
priority traffic, other queues can go for days without transmitting.


priority-list 1 protocol dlsw high
priority-list 1 protocol ip high tcp 23
priority-list 1 protocol ipx medium list 900
access-list 900 permit ncp any 451 any 451


interface serial 0
priority-group 1
Custom Queuing
Custom queuing is fairer since it can allocate percentages of bandwidth to
given queues. Typically this is done by assigning byte counts to queues. The
default byte count for each queue is 1500 bytes. Thus to give a queue more
bandwidth than other queues, assign it more than 1500 bytes. There can be up to
16 queues, but only as many as are configured will be active.

queue-list 9 protocol dlsw 1
queue-list 9 protocol ip 1 tcp 23
queue-list 9 protocol ipx 2 list 900
queue-list 9 queue 1 byte-count 3000
queue-list 9 default 4
access-list 900 permit ncp any 451 any 451

interface serial 1
custom-queue-list 9
Frame-Relay
interface serial 0.0
ip addr 172.16.1.1 255.255.255.0
encapsulation frame-relay

frame-relay traffic-shaping
frame-relay interface-dlci 102
class myclass

map-class frame-relay myclass
frame-relay cir 56000 (defines CIR)
frame-relay bc 8000 (defines burst amount in bits)
frame-relay be 16000 (defines excess burst in bits)
fragment 160 (defines packets > 160 be fragmented)
no frame-relay adaptive-shaping

Regular Expressions

^ Denotes the start of the AS path
$ Denotes the end of the AS path
_ Will match a white space in the AS path (space between ASNs)
. Will match any single character
.* Will match any number of characters
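As an added example (not from this sheet), Python code that rewrites an IOS AS-path regular expression into one that Python's re module understands (the `_` atom has no direct equivalent) and applies it to a constructed BGP table, including the unanchored `65001$` pitfall that also matches AS 165001. The table, the as-path access-list entries and the helper names are assumptions made for illustration.

```python
"""Cisco AS-path regular expressions: an added example, not from the sheet.

IOS treats '_' as matching a comma, brace, parenthesis, space, or the start
or end of the AS path; Python's re has no such atom, so the pattern is
rewritten before matching. The BGP table below is constructed."""
import re
from typing import List, Tuple

# What IOS's '_' stands for: one delimiter character, or the path boundary.
UNDERSCORE = r"(?:^|$|[ ,{}()])"

def cisco_to_python(pattern: str) -> str:
    return pattern.replace("_", UNDERSCORE)

def as_path_matches(pattern: str, as_path: str) -> bool:
    """True when the IOS pattern matches anywhere in the AS path string
    (IOS searches; it does not require a full-string match)."""
    return re.search(cisco_to_python(pattern), as_path) is not None

def aspath_acl_permits(acl: List[Tuple[str, str]], as_path: str) -> bool:
    """Evaluate 'ip as-path access-list' (action, pattern) entries in order;
    first match wins and an unmatched path is denied, as with any IOS ACL."""
    for action, pattern in acl:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False

# Constructed BGP table: prefix -> AS path as 'show ip bgp' prints it
# ('' is a locally originated route).
SAMPLE_TABLE = {
    "10.10.10.0/24": "",
    "192.168.17.0/24": "65001",
    "172.16.0.0/16": "65002 65001",
    "198.51.100.0/24": "65002 165001",   # looks like 65001 only if unanchored
    "203.0.113.0/24": "65003 65001 65004",
}

def select(pattern: str) -> List[str]:
    """Prefixes whose AS path matches the pattern, in table order."""
    return [pfx for pfx, path in SAMPLE_TABLE.items()
            if as_path_matches(pattern, path)]

if __name__ == "__main__":
    for pat in ("^$", "^65001_", "_65001$", "65001$", "_65001_"):
        print(f"{pat:10} -> {select(pat)}")
```

Compare `_65001$` with `65001$`: the first matches only routes originated by AS 65001, the second also lets through the route originated by AS 165001, which is the usual way a route filter on AS paths ends up wider than intended.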

Route Maps
Policy Route Maps
interface e2/0
ip policy route-map example

route-map example permit 10
match ip address 102

set ip next-hop 172.20.1.1


access-list 102 permit ip host 172.18.56.1 192.168.1.0 0.0.0.255

To enable the router to policy route for locally generated traffic (pings, etc.):

ip local policy route-map mymap

Routing

BGP
router bgp 65000
no synchronization
neighbor 10.2.1.1 remote-as 65001
neighbor 10.2.1.1 distribute-list 3 in
neighbor 10.10.150.2 remote-as 65000
network 10.10.10.0 mask 255.255.255.0
network 150.150.0.0
no auto-summary

access-list 3 permit 192.168.17.0
access-list 3 permit 172.16.0.0
RIP

router rip
version 2
no auto-summary (only applies if version 2 is used)
network 10.0.0.0
network 131.15.0.0
network 207.244.11.0
distribute-list 105 in ethernet0
default-metric 5 (used for routes learned via redistribution – assigns a metric of 5)

offset-list 10 in 4

access-list 10 permit 10.1.99.0 0.0.0.255

IGRP

router igrp
network 10.0.0.0
network 131.15.0.0
network 207.244.11.0
distribute-list 106 out
offset-list 6 in 1000

access-list 6 permit 10.1.99.0 0.0.0.255

EIGRP


interface serial0
ip summary-address eigrp 10 176.14.0.0 255.255.0.0
router eigrp 10
no auto-summary
network 24.0.0.0
network 176.14.0.0
network 200.1.155.0

distribute-list 107 in serial0

OSPF
interface serial 0
ip ospf network point-to-multipoint
ip ospf priority 10
ip ospf authentication-key 0 password
router ospf 100
network 10.12.140.128 0.0.0.127 area 0
area 1 stub
area 2 stub no-summary
area 3 authentication
area 4 range 10.10.0.0 255.255.0.0
area 5 virtual-link 192.168.1.1 (Router ID at the other end)
summary-address 172.16.8.0 255.255.254.0
IS-IS
router isis (area tag)
net 49.1111.0000.0000.2222 (where 1=area and 2=router ID)
interface ethernet 0
ip router isis (area tag)
interface serial 0
ip router isis (area tag)

Note: the last byte of the net address is the selector byte. The preceding 6 bytes are the system
ID (i.e. mac-address like). All other bytes are an area address (is this true?).

Redistribute

router ospf 1
redistribute rip metric 100 metric-type 1 route-map rob subnets


router eigrp 1
redistribute bgp 65000 metric 1000 10 100 100 1500

Script for all routers

It is helpful to use a program like Notepad to record standard commands you
want to place in every router. Then you can cut & paste them into the config.
Here is mine:

alias exec i show ip route
alias exec c show running-config
alias exec b show ip int brief
alias exec t config term

no ip domain-lookup
ip classless
ip tcp synwait-time 5
line console 0
exec-timeout 0
length 42
no login
privilege level 15
logg syn
exit
line vty 0 4
exec-timeout 0
length 42
no login

privilege level 15
logg syn
exit
line aux 0
no login
privilege level 15

The “logg syn” (logging synchronous) is optional. It does a nice job of ‘repainting’
your command when a debug message comes through, but it also delays debugs
(such as until a ping ends) which can be annoying…

Source Route Bridging


Global
source-bridge ring-group 800
source-bridge remote-peer 800 tcp 172.21.200.1

Interface
interface token-ring 0
source-bridge 2176 1 800
source-bridge spanning

Source Route Translational Bridging
source-route transparent 1000 500 5 1
1000 = ring group
500 = pseudo-ring given to all of the Transparent bridge group
5 = source route bridge bridge ID
1 = bridge-group number (transparent bridge-group)


Switches

Catalyst 5000

set interface sc0 up
set interface sc0 2 192.168.1.1 255.255.255.0 (indicates vlan 2,
specifying the vlan is optional, but recommended)


set password password for the console, vty, etc.
set enablepass enablepass for enable mode

set port speed 2/6 100
set port name 3/17 To_r1
set port duplex 2/24 half

set vtp domain robsdomain
set vlan 3 name First_Ethernet
set vlan 4 2/1
set vlan 5 3/3-6

set ip permit enable (only affects telnet and SNMP)
set ip permit 10.128.0.0 255.255.0.0 telnet

set ip route default 172.16.1.1
set ip route 172.18.0.0/20 172.16.1.2

set logout minutes
set logging session (log to vty; log to console on by default)


show cam
show port 4/15
show port status
show vlan
show vlan 2

Catalyst 3920

You may have to reset after giving it an IP address! When assigning a port to a
VLAN you must select the VLAN with a space – not a return!

All configuration on the 3920 is screen-based. Move the arrows to the field to be
changed. Hitting “enter” will give you your choices. It may be smart to manually
set the speed and duplex mode (for example, 16 Mb/s, half duplex) on ports. All
ports default to “port” (rather than “station”). Port mode allows a router to be
plugged in.

VLANs with the 3920 are known as TrCRFs. Each TrCRF is its own VLAN; ports
can belong to any TrCRF. Each TrCRF has a “parent” TrBRF. Each TrBRF acts
as a bridge. Thus, TrCRFs that belong to the same TrBRF will be bridged
together. TrCRFs that belong to different TrBRFs will be totally isolated.

For example, to create three completely isolated VLANs, create three TrBRFs
and three TrCRFs. Assign each TrCRF to a different TrBRF. Assign ports to each
TrCRF as necessary.

Watch the Local_state of the CRFs and BRFs. They should be preferred, but
may not default this way.



Remember that the 3920 uses hex for ring numbers, but routers default to
decimal (they can use hex with a leading 0x).

Terminal Server Configuration

interface loopback 0
ip address 10.1.1.1 255.255.255.0

ip host r1 2001 10.1.1.1
ip host r2 2002 10.1.1.1
ip host switch 2003 10.1.1.1

line 1 8
no exec
transport input all

Important note:
• Type control-shift-6 x to send an escape sequence to the term server, which
will bring you back to the terminal server prompt.
• Type control-shift-6 b to send a break to a router that is being accessed via
the terminal server (handy for password recovery).
• To send an escape sequence to a router that is being accessed via the terminal
server, type control-shift-6 control-shift-6. This prevents you from getting
tossed all the way back to the term server. Very handy for pings or traceroutes
that are not completing.
• You may even have to type control-shift-6 four times. For example, if you are
using a term server to access a router, then that router is telnetted into
another router. This requires control-shift-6 four times to escape.

Trunking
ISL:
On the Catalyst 5000:

Console> (enable) set trunk 1/1 on isl

To prevent vlan 50 from using the trunk:

Console> (enable) clear trunk 1/1 50

On the Cisco 3600/4000/4500:

interface FastEthernet 0/0.1
encapsulation isl vlan_number

802.1Q:
On the Catalyst 5000:


Console> (enable) set trunk 1/1 on dot1q


To prevent vlan 50 from using the trunk:

Console> (enable) clear trunk 1/1 50

On the Cisco 3600/4000/4500:

interface FastEthernet 0/0.1
encapsulation dot1Q vlan_number

ATM PVCs:
On the Catalyst 5000:

Console> (enable) set vlan 5 2/7 (place Eth port 2/7 into VLAN 5)
Console> (enable) session 4 (session to slot 4, ATM module)
ATM# config t
ATM# interface atm0
ATM# atm pvc vcd vpi vci aal5snap
ATM# atm bind pvc vlan vcd 5 (bind the PVC (vcd) to vlan 5)

On the Cisco 3600/4000/4500:

interface ATM0
no ip address
interface ATM0.1 point-to-point
ip address 10.1.1.1 255.255.255.0
atm pvc 5 1 100 aal5snap


Tunnels


interface tunnel 0
tunnel source 10.100.5.1
tunnel destination 10.10.10.10
tunnel mode gre ip (optional – defaults to gre)
ipx network 1000
etc.

Voice Over FR

dial-peer voice 1 vofr
destination-pattern 1000
session target serial 0/0 101
!
dial-peer voice 2 pots
destination-pattern 2000
port 1/0/0

interface serial 0/0
frame-relay traffic-shaping
frame-relay interface-dlci 101
vofr cisco