
enable / disable to switch between user mode or privileged mode

quit disconnects user from terminal


configure terminal enter the global configuration mode from privilege mode
hostname x change switch name to x
no ip domain-lookup disables DNS lookups of mistyped commands (otherwise IOS tries to resolve them as hostnames)
<ctrl> + <shift> + 6 breaks out of the domain lookup process before it times out
show running-config shows the current configuration held in the switch's RAM
show startup-config shows the saved configuration held in the switch's NVRAM
show running-config int gi0/1 only view the current setting on that interface
copy running-config startup-config copies the current config in RAM into the startup config in NVRAM - Save changes!
copy startup-config running-config copies the startup config from NVRAM into the running config in RAM - Restore changes
# reload restarts the device
show interfaces [int ID] [counter] show descriptive interfaces status and counter of packets
show ver | i uptime Shows device's uptime
write erase | erase startup-config | erase nvram: erases the startup config
erase vlan.dat removes the VLAN config from NVRAM
exit backward 1 level in CLI
end backs out of configuration mode entirely, from any config sub-mode
telnet x.x.x.x telnets from cisco device to host x.x.x.x
ssh -l [ssh-username] x.x.x.x ssh from a Cisco device to another device; -l (lowercase L) precedes the SSH username
show users show currently connected user sessions
setup enter the wizard setup of device
ip name-server 10.0.0.2 sets the global DNS server address
ip domain-lookup should be active
no ip directed-broadcast to disable broadcast frame forwarding for

GigabitEthernet 0/1 = g0/1


FastEthernet 0/1 = fa0/1
Serial 0/1 = s0/1
int# ip address ip mask to set IP and mask on an interface
ip address dhcp set router ip info based on ISP's dhcp
show ip interface brief one line per interface showing status and IP (no mask)
show interfaces x detailed view of interface x including its ACLs, DHCP helper address, etc.
show protocols 1 or 2 line per int confirm of ip/mask and status for interface
show ip interface brief one line per int description

(File management)
show file systems shows memory and storage of IOS device
more flash0:/wotemp/fred shows the content of file fred in that directory on flash
copy tftp flash copies the IOS image from a TFTP server into flash (upgrade)
copy ftp://[ftp_username]:[password]@[ftp_ip]/[path] flash complete statement of above
or ip ftp username [ftp_username] saves the FTP user's username and password on the device so they need not be typed each time
ip ftp password [password]
copy ftp://[ftp_ip]/[path]

verify /md5 flash0:/C2900........ .bin [hash_value] compares the MD5 hash of the IOS image on the device with the hash published on Cisco's website (detects a corrupted or tampered image)

[to enable SCP first enable SSH login, define privilege 15 for an existing user, then:]
# username [IOS_user] privilege 15 password [password] (secret is preferred over password, see the AAA section)
# ip scp server enable

[then on desktop command]


> scp [image_filename] [user]@[router_ip]:flash0:[image_filename]
(enter user's password and reload IOS device)

(Backup and Restore)


[BACKUP]
show flash or dir shows flash memory content
cd flash:/xxxx changes the working directory
show flash shows the content of the new directory path
dir /recursive shows all files, including those inside all subdirectories
dir nvram: shows content of NVRAM
dir all-filesystems shows all file systems of the IOS device: flash, nvram, null, system, tar, cns, ...
dir /recursive all-filesystems shows every file system with all its files and directories at once
copy running-config tftp Transfers running config into TFTP
copy flash tftp transfers the selected file from IOS flash to TFTP
copy flash:/xxx/yyy tftp copies the yyy file in xxx directory of flash to TFTP
[RESTORE] (variables set in ROMMON before running tftpdnld)
IP_ADDRESS=10.10.10.6
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.10.10.6
TFTP_SERVER=10.10.10.25
TFTP_FILE=c2960x-universalk9-mz.150-2.EX5.bin
tftpdnld
reload

archive tar /create tftp://10.10.10.25/backup.tar flash: Backup all files together

show version shows info on the device


erase startup-config deletes the startup config so the device boots with default settings
erase nvram: also erases NVRAM, the chip that holds the startup config
delete flash:vlan.dat deletes the VLAN database from flash so the VLAN config is reset at startup
reload soft-resets the switch using the existing startup config parameters

(Archive and Restore)


config# archive to save occasional or scheduled backups of the config
path ftp://[username]:[password]@[ftp_ip_and_path] define a destination path, e.g. tftp://10.10.10.25/
time-period 1440 set the automatic backup interval in minutes (1440 = daily)
write-memory archive a copy automatically each time the user saves the running config to startup
# archive config archive a version on demand
# show archive show the versions of archived config
# archive replace [ftp_user_pass_ip_filepath] replace the startup config with an archived config file; no reload required

(Boot)
(default register value is 0x2102)
# config-register 0x2100 boots into ROMMON; the register change takes effect without copy run start
boot system [flash | flash: file_name | tftp filename ip_address] sets the boot preference: first file in flash, a specific file, or a file on a TFTP server
boot field (last hex digit): 0 = ROMMON, 1 = first IOS in flash, 2-F = first "boot system" option, then first IOS in flash
show version [ | i 0x] shows IOS details, or with the filter just the register value and the previous boot process

(password recovery steps)


config-register 0x2142 skips loading startup-config at boot; used for password recovery
if there is no access to enable mode: reload, press the break key from the console during boot to enter ROMMON (or remove the flash)
ROMMON: confreg 0x2142 changes the register from inside ROMMON so that the startup config is ignored
copy startup-config running-config returns the saved config from NVRAM to RAM
enable secret [new_secret] while in enable mode, define the new secret or password
config-register 0x2102 put the register back to its default
copy running-config startup-config now save everything to startup

(AAA)
(config)#line [console 0 | vty 0 15] enters line config to set security on the console or vty lines
login local authenticate against locally configured usernames (per-user login)
login require the line (console 0 or vty 0 15) to ask for the line password
access-class x in filter incoming vty sessions according to access-list x
exec-timeout 5 30 sets the idle session timeout for this line (con and vty separately) to 5 minutes 30 seconds

config# enable password x set an insecure enable mode password cleartext


service password-encryption obfuscates configured passwords with type 7 encoding (easily reversed, so not real security)
enable secret x set a secured enable mode password (stored as a type 5 hash in the config)
enable algorithm-type [md5 | sha-256 | scrypt] secret x alternative secret hash types 5, 8 or 9; default is md5
config# no enable password or no enable secret revoke the password or secret
username username [password | secret] y create a username with password (type 7) or secret (type 5, preferred) of y
no username x remove username x with its secret or password
no password remove the shared line password once per-user logins with login local are in use
(remember to have other users or else need to issue *no login local)
show privilege shows the current user's privilege level
show run | i user shows the list of users and privileges

(Banners)
config# banner motd x .... (enter) x MOTD banner; x is the delimiter marking the beginning and end of the message
banner login x ... (enter) x login banner
banner exec x ... (enter) x after-login exec banner
no banner [motd | login | exec] disables banner one by one.
show run | in banner

line# exec-timeout x sets the session timeout on vty to x minutes, or 0 to never time out
line# history size x defines the number of commands in the history buffer (arrow up)
terminal history size x changes the buffer size only for the running session
show history shows the commands in the history buffer

(to configure SSH on the vty lines; login local is needed for SSH to work)
config# hostname x
ip domain-name farid.net
crypto key generate rsa generates the RSA key pair used by SSH, named after hostname and domain name > x.farid.net
show crypto key mypubkey rsa shows the SSH public key
transport input [all | none | ssh | telnet] restricts vty access to SSH only, Telnet only, both or none (ssh only is the secure choice)

ip ssh version 2 optional command restricting SSH to version 2 only; preferred
show ip ssh status of the SSH server itself
show ssh status of clients currently connected to the device
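The weak and hardened settings from the password section above and this SSH/vty section can be checked mechanically. This is an added example, not part of the cheat sheet: a Python audit of a constructed running-config (hostname, user, type 7 string and hash placeholders are made up) that flags an enable password without an enable secret, type 7 user passwords, vty lines that still accept Telnet, a missing ip ssh version 2, lines without login and exec-timeout 0 0.

```python
"""Audit a Cisco IOS running-config for the weak settings described above.

Added example, not from the cheat sheet: it parses a constructed running-config
and reports the findings a defender would want fixed (enable password vs. enable
secret, type 7 user passwords, vty transport input, line login mode, SSH version,
exec-timeout).
"""
import re

# Constructed sample config mixing weak and acceptable settings.
WEAK_CONFIG = """\
hostname SW1
enable password letmein
service password-encryption
username admin privilege 15 password 7 0822455D0A16
ip domain-name farid.net
line con 0
 login
 password cisco
line vty 0 4
 login local
 transport input all
 exec-timeout 0 0
line vty 5 15
 login local
 transport input ssh
 exec-timeout 5 30
"""

# Constructed hardened version: secrets only, SSHv2 only, idle timeouts set.
HARDENED_CONFIG = """\
hostname SW1
enable secret 9 $9$constructed.hash.placeholder
ip domain-name farid.net
ip ssh version 2
username admin privilege 15 secret 9 $9$constructed.hash.placeholder
line con 0
 login local
 exec-timeout 5 30
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5 30
"""


def parse_config(config):
    """Split a running-config into global commands and per-'line' sections.

    Returns (global_cmds, sections); sections maps e.g. 'line vty 0 4' to the
    list of its indented subcommands, all whitespace-stripped.
    """
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any other global command ends the line block
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(config):
    """Return a list of (severity, finding) tuples, in config order."""
    findings = []
    g, sections = parse_config(config)
    if not any(c.startswith("enable secret") for c in g):
        findings.append(("high", "no enable secret configured"))
    if any(c.startswith("enable password") for c in g):
        findings.append(("high", "enable password present: cleartext or reversible type 7"))
    for c in g:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password\b", c)
        if m:
            findings.append(("medium", f"user {m.group(1)} uses 'password' (type 0/7) instead of 'secret'"))
    if "ip ssh version 2" not in g:
        findings.append(("medium", "ip ssh version 2 not set; SSHv1 may still be negotiated"))
    for name, cmds in sections.items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(("high", f"{name}: no login, so no authentication on this line"))
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            last = transport[-1] if transport else "transport input (default, Telnet allowed)"
            if last != "transport input ssh":
                findings.append(("high", f"{name}: {last} permits Telnet"))
        if "exec-timeout 0 0" in cmds:
            findings.append(("low", f"{name}: exec-timeout 0 0 disables the idle timeout"))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, 'low': 1}."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {severity_counts(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```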

show mac-address-table or show mac address-table [dynamic | static | secure | address xxxx.xxxx.xxxx] shows the MAC address table of the switch
show mac address-table int gi1/0/3 shows learnt addresses on a specific interface
show mac address-table dynamic vlan x shows dynamic addresses per VLAN ID
show mac address-table [aging-time | count] shows the aging time or the count of dynamic/static entries per VLAN
# clear mac address-table dynamic clears dynamic entries from the MAC table

(int)#description xxx gives a description to the port

speed [10 | 100 | auto] sets the speed of the interface
duplex [auto | half | full] sets the duplex mode of the interface
no [description | speed | duplex] sends the interface back to default (auto speed and duplex, no description)

(Access list)
# show access-lists shows current IPv4 access list entries
# show ip access-lists shows current IPv4 and IPv6 access list entries
config# access-list {1-99 | 1300-1999} {permit | deny} x.x.x.x standard ACL
access-list {1-99 | 1300-1999} {permit | deny} x.x.x.x 0.0.0.255
int# ip access-group [access-list_number] [in | out] assigns an access list to an interface (location) and defines the flow direction in/out
config# ip access-list extended xxx enters access-list xxx in extended mode
permit ip 10.10.10.0 0.0.0.255 host 10.0.0.2 permits VLAN 10 to host 10.0.0.2 (sequence numbers default to +10)
15 permit ip 10.10.10.0 0.0.0.255 host 10.0.0.2 same entry with explicit seq #15 in the list
15 permit ip host 10.10.10.7 host 10.10.60.20 permits only host to host across 2 VLANs
no 15 removes entry seq #15
access-list [number] deny udp any 10.0.0.0 0.0.255.255 denies UDP packets from any node to subnet 10.0.0.0/16
access-list 178 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 permits TCP packets from the first subnet to the destination subnet on port 21
access-list 2019 deny udp host 10.10.0.1 ne 68 10.0.0.0 0.0.0.255 range 21 23 denies UDP from host 10.10.0.1 with any source port other than 68 to the other subnet on destination ports 21 to 23
access-list 106 deny tcp any host 10.1.1.1 eq telnet
no access-list 100 permit tcp any 172.16.0.0 0.0.255.255 ne www removes the entry permitting all TCP packets from any source to the mentioned subnet except HTTP
legend of port comparison operators [ eq: = (equal) lt: < (lower than) ne: != (not equal) gt: > (greater than) range: x to y ]
for port and well-known command keywords refer to P. 620 and P. 636
# access-list 1 permit 1.1.1.1
access-list 1 permit 2.2.2.2
or for a named standard access list:
# ip access-list standard name or ip access-list extended name
permit 1.1.1.1
permit 2.2.2.2
ip access-list extended farid creates an extended ACL named farid and enters its ACL config mode
ip access-list extended xxx
ip access-list resequence xxx 1 2 renumbers access list xxx starting at 1 with increments of 2
permit any adds a final catch-all entry so unmatched packets are permitted instead of hitting the implicit deny at the end of the list
deny any explicitly adds the implicit final deny so that denied packets are counted in the hit counters
access-list# remark xxx (or access-list [number] remark xxx) leaves a text note that stays with that ACL
int# no ip access-group x disables the ACL assigned to the interface; advised while making changes to the ACL
line# access-class {number | name} [in | out] line subcommand to apply an ACL to the vty lines
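To see how the entries above are matched, here is an added Python example (not from the cheat sheet) that parses the extended ACL syntax listed above and evaluates packets with first-match semantics, wildcard masks, the eq/lt/gt/ne/range operators and the implicit deny. The ACL uses the sheet's own entries under the constructed name farid; the packets are constructed.

```python
"""Added example (not from the cheat sheet): parse extended ACL entries as written
above and evaluate packets the way IOS does (first match wins, wildcard masks,
eq/lt/gt/ne/range port operators, implicit deny at the end of the list)."""

NAMED_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "bootpc": 68}

# Constructed ACL named farid, using the entries explained above.
ACL_FARID = """
permit ip 10.10.10.0 0.0.0.255 host 10.0.0.2
15 permit ip host 10.10.10.7 host 10.10.60.20
deny udp host 10.10.0.1 ne 68 10.0.0.0 0.0.0.255 range 21 23
permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
deny tcp any host 10.1.1.1 eq telnet
"""

def ip_to_int(addr):
    a, b, c, d = (int(p) for p in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    w = ip_to_int(wildcard)
    return (ip_to_int(addr) | w) == (ip_to_int(base) | w)

def port_num(token):
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)

def parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A W'; return ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_port(tokens, i):
    """Consume an optional port operator; return (spec or None, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "ne"):
        return (tokens[i], port_num(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ("range", port_num(tokens[i + 1]), port_num(tokens[i + 2])), i + 3
    return None, i

def port_match(spec, port):
    if spec is None:                      # no operator: any port matches
        return True
    op, value = spec[0], spec[1]
    if op == "range":
        return value <= port <= spec[2]
    return {"eq": port == value, "lt": port < value,
            "gt": port > value, "ne": port != value}[op]

def parse_ace(line):
    """Parse one ACE: [seq] {permit|deny} proto src [op port] dst [op port]."""
    tokens = line.split()
    seq, i = (int(tokens[0]), 1) if tokens[0].isdigit() else (None, 0)
    action, proto = tokens[i], tokens[i + 1]
    src, i = parse_addr(tokens, i + 2)
    sport, i = parse_port(tokens, i)
    dst, i = parse_addr(tokens, i)
    dport, i = parse_port(tokens, i)
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def build_acl(text):
    """Parse ACEs; unnumbered entries get highest sequence so far + 10, as IOS does."""
    acl, highest = [], 0
    for line in text.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace["seq"] is None:
            ace["seq"] = highest + 10
        highest = max(highest, ace["seq"])
        acl.append(ace)
    return sorted(acl, key=lambda a: a["seq"])

def evaluate(acl, pkt):
    """First matching ACE wins: returns (action, seq). A packet matching nothing
    hits the implicit deny at the end of every IOS ACL, reported as ('deny', None)."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if not port_match(ace["sport"], pkt.get("sport", 0)) or not port_match(ace["dport"], pkt.get("dport", 0)):
            continue
        return ace["action"], ace["seq"]
    return "deny", None

ACL = build_acl(ACL_FARID)

if __name__ == "__main__":
    # Constructed packet: UDP from 10.10.0.1 sport 5000 to 10.0.0.9 dport 22 is denied by seq 25
    print(evaluate(ACL, {"proto": "udp", "src": "10.10.0.1", "sport": 5000, "dst": "10.0.0.9", "dport": 22}))
```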

[no] ip subnet-zero allows or prevents utilization of zero subnet on device


ping [host] source [other-end-interface] extended ping; the value after source is another interface of the router (not the sending interface) whose address is used as the source

(IPv6)
ipv6 unicast-routing to globally enable IPv6 on IOS
ipv6 address address/prefix_length to set the IPv6 on the interface
ipv6 address address/prefix_length eui-64 tells the router to build the interface ID according to EUI-64. No space before /prefix
ipv6 address dhcp tells the router to learn its IPv6 address using DHCP
ipv6 address autoconfig tells the router to learn its IPv6 address using SLAAC
ipv6 address address link-local to configure link-local address based on FE80::/10 rule
(if not set, interface will calculate link-local using EUI-64 even if unicast address doesn't use EUI-64)
ipv6 enable to just enable IPv6 capability on link to operate over link local without unicast IPv6
ipv6 address 2001:1:1:2::99/128 anycast sets a secondary address on the interface as an anycast service on the router P. 722
show ipv6 interface brief show details of ipv6 with no prefix length info
show ipv6 interface [x] details of ipv6 per interfaces
show ipv6 route [connected | local] shows ipv6 addresses connected to router
ipv6 route 2001:db8:1111:2::/64 [2001:db8:1111:2::3 | s0/0/0] sets a static route (R1 to R2); R2 needs a static route back to R1 as well
the next hop can be a global unicast or a link-local address; if link-local, the local router's outgoing interface must be given as well!
ipv6 route 2001:db8:1111:2::/64 s0/0/0 FE80::FF:FE00:2 format for referring to a link-local next hop
show ipv6 route static shows all statically set routes
show ipv6 route 2001:db8:1111:2::22 show the preferred route to that particular address
ipv6 route 3444:4:4:4::/64 3444:2:2:2::2 130 to set floating administrative distance of 130 for a static route
ipv6 address autoconfig [default] tells the router to use SLAAC to build its IPv6 address and sets the advertising router as the default route ::/0
ipv6 route ::/0 S0/0/1 sets a default route. THIS IS A GLOBAL CONFIG COMMAND NOT AN INTERFACE COMMAND!

(Log)
config# [no] logging console one-step setting: console users receive log messages of all severities
config# [no] logging monitor (and) # terminal [no] monitor two-step setting: enable logging for SSH and Telnet users, then receive the messages on that session
config# logging buffered to save the log copies into RAM
# show logging to view saved logs and configured setting
config# logging {address | hostname} to set an external syslog server as saved log location
config# no service timestamps toggle off time stamp of logs
service sequence-numbers toggle on the sequence number
logging [console | monitor | buffered | trap] 4 sends level 0-4 messages to the console, vty, RAM or syslog server respectively
or logging [...trap...] [warning | error | informational | ...] the level keyword may be used as well P.783
# clear logging to clear buffered logs
logging synchronous (line subcommand) holds log output until the current command's output is finished, so messages do not interrupt typing
debug lets IOS generate debug-level (level 7) messages; they keep being generated even after you log out; has many options, for troubleshooting
debug ip rip, debug ntp, debug all capture and view RIP advertisements and activity [ *debug ?]
logging monitor debug enables debug output for vty users
show process cpu lists cpu usage

(Clock)
show clock shows time
config# clock timezone xxx +8 sets timezone to country xxx with +8 zonetime
clock summer-time yyy recurring set daylight saving in spring and fall
# clock set 13:15:00 27 Jan 2019 set time in 24h format

# ntp server [address | hostname] to set device the NTP client of that referred address
# ntp master x to tell device to act as a NTP server with stratum level of x
ntp source loopback [loopback_number] assigns a virtual interface as the NTP source on the device
show ntp associations shows the NTP servers/peers the device is associated with and their sync state
show ntp status lists details of NTP on the device
config# interface loopback [integer_number] creates an internal loopback interface for NTP; prevents NTP master failure if a physical interface fails
int# ip address 10.10.10.50 255.255.255.0 to give the loopback virtual interface an address
show interfaces loopback x details of loopback x

(Network Discovery)
show cdp neighbors [number] one line summary of neighbor devices DOES NOT SHOW IOS VERSION!
show cdp neighbors detail details of neighbors including IOS model
show cdp entry name filters the neighbor details by hostname, including their IOS model
[no] cdp run globally enable or disable cdp on all interfaces
int# [no] cdp enable enable or disable cdp on particular interface
show cdp [interface x] shows cdp setting globally or on interface x
show cdp traffic shows global statistics for cdp transmissions

show lldp [interface x]


show lldp neighbors
show lldp entry R2
lldp run globally enable LLDP
int# lldp transmit enable sending LLDP on interface
int# lldp receive enable receiving LLDP advertisements on interface

show license udi shows details of UDI, PID and SN of device


show license group of lines for each feature installed
show license feature or show version one line detail of feature set
license install [license_path] install the paid-for license key into the device.
config # license boot module c2900 technology-package [securityk9 | datak9 | uck9 ...] activates a 60-day right-to-use trial license that in fact never expires!

(AAA, RADIUS, TACACS+) Chapter 6 CCNA *not in exam


c# aaa new-model first command; enables AAA configuration on that switch or router, after which line logins go through AAA method lists instead of the plain local login

c# tacacs server <server-name1> define individual AAA servers


address ipv4 <ip>
key <key-value>
port <port-number>
c# aaa group server <aaa-group-name> create a group of one or more servers
server name <server-name1> refers to the first server above for example
server name <server-name2>

# aaa authentication login default authenticate console, vty and aux using AAA
# aaa authentication [login | line] default <method1> <method2> tries the other methods of authentication if AAA is not reachable
aaa authentication login default group aaa-group-name [local | line] if the AAA group is not available, fall back to line or local logins
SWITCH

(to configure VLAN 1's IP address on Switch so that it can communicate over network and with gateway)
config# interface vlan 1
no switchport turns the switch's L2 interface into an L3 routed interface like a router's
ip address 192.168.1.5 255.255.255.0 or ip address dhcp
no shutdown
ip default-gateway 192.168.1.1 not needed if the address comes from DHCP

show dhcp lease to see the temporarily leased ip address and other parameters
show ip default-gateway to show the default gateway leased by DHCP

(VLAN Management)
(config)#vlan x [or vlan x,y,z]
name xxx set name of xxx for vlan x
show vlan showing vlans per interface
show vlan [brief |name x | id x | summary] show VLAN info associated with parameter
show vlan id x only shows VLAN x associated with interfaces and trunks carrying that VLAN
show interface gi1/0/11 switchport shows info of the port 1line-1line statuses
show interface gi1/0/11 shows more detail on that interface
show interface trunk show interfaces set as trunk
(config)#interface fa0/x
(no) switchport mode [access | trunk | dynamic] sets the interface mode
(no) switchport access vlan x assigns (only) access ports to VLAN x
interface range gi1/0/11 - 12
switchport trunk encapsulation [dot1q | isl | negotiate] to choose Trunking protocol
switchport nonegotiate a security step to disable DTP negotiations altogether on interface
[no] shutdown vlan x shuts down the ports on VLAN x; the VLAN status then shows as act/lshut

c# vtp mode [server | client | transparent] sets the VLAN Trunking Protocol mode (updates every 5 min)
c# vtp mode off to disable VTP
# show vtp status to show status of current config on VTP (domain, mode, pruning, MD5)
c# vtp domain [domain-name] group vtp client and servers under the domain name
c# vtp password [password] set a security layer to authorize server/client switches (case-sensitive)
# show vtp password reveal VTP password if set
c# vtp pruning make the domain-wide VTP pruning choice. get rid of unused VLANs in switches
c# vtp version [1 | 2] usage of v.1 or v.2 VTP (compatible together)
# vtp primary select the primary VTP server
# debug sw-vlan vtp [events | packets | pruning | xmit] debug VTP factors
show interfaces switchport detail info per each and every interface stating TRUNK ports
show interfaces status per 1 line status on interfaces
show interfaces description line status and protocol status with description of interfaces

(Interface Port Security)


config# interface range f0/1-15 select a range of interfaces
config# interface fa0/x
int# switchport mode [access | trunk | dynamic desirable | dynamic auto] sets the interface to a different mode !Page 262
int# switchport trunk native vlan x defines the native VLAN for a trunk port; must match on both ends of the trunk
int# switchport trunk allowed vlan 15-20 allows only these VLANs on that trunk
int# switchport trunk allowed vlan {all | except | add | remove} vlan-id defines the list of allowed VLANs
int# switchport port-security activates port security on interface fa0/x (step 1)
switchport port-security mac-address xxxx.xxxx.xxxx only allow mac to interface
no switchport port-security mac-address xxxx.xxxx.xxxx revert operation
switchport port-security mac-address sticky learn 1st mac for p-security
switchport port-security maximum x max of x mac adds can be learnt sticky
switchport port-security violation shutdown/protect/restrict put violation type
show port-security shows p-security on all interfaces
show port-security interface fa0/x show p-security attributes of fa0/x
show mac address-table secure lists MACs associated with ports that use port security
show mac address-table static lists MACs associated with port security and other statically set MACs

(enable IP routing on some older switches)


config# sdm prefer lanbase-routing (reload)
ip routing
interface vlan vlan_id
ip address x.x.x.x y.y.y.y ip x.x.x.x and mask y.y.y.y
no shutdown

(Setup Telephony Voice and Data vlans)


#vlan x create vlan x for data
vlan y create vlan y for voice (same vlan sub-command as for vlan x)
interface x
switchport mode access set the interface as access
switchport access vlan x dedicate data access to vlan x
switchport voice vlan y dedicate voice access to VLAN y

(STP)
# spanning-tree pathcost method long to change port costs to new criteria of cost values p.55
# spanning-tree mode pvst activate PerVLAN STP on switch
# spanning-tree mode rapid-pvst activate PerVLAN RapidSTP on switch
# spanning-tree mode mst activate Multiple Instances of STP on switch. not per vlan *not in CCNA
# spanning-tree vlan vlan-id root [primary | secondary] manipulate the BID to be main or backup, changes the priority

# spanning-tree vlan vlan-id priority x defines the BID priority for PVST; x must be a multiple of 4096 in the range 0-65535
int# spanning-tree [vlan vlan-id] cost y defines an interface STP cost per VLAN (p. 75), on trunks
int# spanning-tree cost y defines an interface STP cost for all VLANs, on trunks !!! check on show run
int# spanning-tree [vlan vlan-id] port-priority x changes the port priority for the given VLAN only (x defaults to 128, range 0-255); lower is better

int# spanning-tree portfast [disable] enables/disables portfast on access ports; there is no enable keyword for enabling
int# spanning-tree [bpduguard | bpdufilter] enable | disable enables BPDU guard or BPDU filter on a portfast port
# [no] spanning-tree portfast default enables/disables portfast on all interfaces by default
# [no] spanning-tree portfast bpduguard default enables/disables BPDU guard on all portfast interfaces by default; portfast keyword needed

# show spanning-tree [interface x] [detail] shows [details] of STP per/all interface. includes portfast and bpdu guard and etc.
# show spanning-tree vlan 10 shows STP info on vlan 10. Root SW, Local SW, int status
# show spanning-tree [vlan_id] root shows root bridge per VLAN or all VLANs
# show spanning-tree vlan 10 bridge shows local bridge info but with separation of priority and VLAN part of BID
# show spanning-tree int fa0/1 portfast 1-line lists the portfast status of interface for all VLANs. if enabled and if UP
# show spanning-tree summary shows global STP configs. including if portfast and bpdu guard is enabled by default
# show spanning-tree vlan x int gi0/2 state identifies state of a certain int in a particular VLAN STP
# show int status err-disabled shows the ports in err-disabled state (e.g. portfast ports shut down by a BPDU guard violation)
# debug spanning-tree events STP event debugging

(EtherChannel or PortChannel or Channel-group)


int# channel-group number mode [on] [active | passive] [desirable | auto] adds the interface to a channel-group (Po) [static, LACP or PAgP protocol]
# show etherchannel [number] [summary | brief | port | detail] shows status and interfaces of the port channel groups
# show etherchannel [number] port-channel confirms the protocol and lists the interfaces; more detail than the command above

ROUTER

show controllers s0/0 confirms the serial connection and clockrate speed
clockrate 128000 puts the serial port clock rate to 128Kbps value supplied by DCE side
bandwidth 1544 puts the bandwidth of interface to 1544kbps
line aux 0 reach aux line configuration mode
show ip route [connected | static | rip] lists routes in routing table
show ip route 192.168.2.0 lists best route with their administrative distance for that subnet
clear ip route * the * parameter removes all RIP routes from the routing table
show ip protocols info about RIP config, advertised routes, neighboring RIP routers, passive interfaces, etc.
show ip rip database lists prefix/length of local router's rip best routes
(#router rip) network x
passive-interface g0/1 make the LAN int passive. listens to RIP but doesn't advertise routes
passive-interface default
no passive-interface s0/0/0 whitelists Serial 0/0/0 as an active interface
(#router rip) maximum-paths 4 set the router equal-cost load balancing feature to UP TO 4 concurrent routes
(#router rip) no auto-summary disable the auto summarization feature on router
show arp or show ip arp shows ARP table of containing IPs and their MAC addresses
clear ip arp [ip address] clears an ip address from arp table

(create default route to router that knows and advertises the default route 0.0.0.0 /0)
# ip route 0.0.0.0 0.0.0.0 192.168.0.1
router rip
default-information originate <<< on the router that points traffic to default route

(Configuring RIP features)


config# router rip
version 2
network 192.168.0.0 to add that subnet into RIP consideration of router

(create 802.1Q VLAN trunking on a router, ROAS)


int fa0/0 native VLAN
ip address 10.1.10.1 255.255.255.0
or> int fa0/0.10
encapsulation dot1q 10 native
int fa0/0.20
encapsulation dot1q 20
ip address 192.168.20.1 255.255.255.0

show vlans showing vlans and their interfaces and native vlan
ip route (dest ip) (dest mask) (next hop ip) or (outgoing port) to create static route in a router
^ permanent creates a permanent, non-removable static route that skips the router's route check and remains on interface failure
^ 130 sets the administrative distance to value of 130
ip route (dest ip) 255.255.255.255 (next hop ip) or (outgoing port) to set host specific static route
ip route 0.0.0.0 0.0.0.0 (next hop ip) or (outgoing port) creates static route that matches all! packets

(int#) ip address dhcp int will learn the ip, subnet mask, dns and default gateway from dhcp
ip helper-address server-ip to define DHCP server on client routers

(set up DHCP server router)


# ip dhcp excluded-address first_address last_address defines which address ranges must not be leased from the pool
ip dhcp pool name sets dhcp pool name and navigate to the pool config mode
network 192.168.2.0 255.255.255.0 assign leasable pools
(or) network 192.168.2.0 /24
default-router ip_address define default gateway address
dns-server ip_address1 ip_address2 ... defines DNS server ip
lease [days hours minutes or infinite] length of lease
domain-name name set DNS domain name
next-server ip_address to set TFTP server IP for hosts like IP phones

(DHCP verification show commands)


show ip dhcp binding lists info about each ip leased to clients
show ip dhcp pool poolname lists ranges of addresses and some statistics
show ip dhcp server statistics lists DHCP server statistics
show ip dhcp conflict lists the incidents of ip lease conflicts
clear ip dhcp conflict clear conflict addresses (lets them to be leasing candidate again)

(NDP and DHCPv6)


int# ipv6 dhcp relay destination 2001:db8:1111:3::8 makes the interface a DHCPv6 relay pointing at that server
# show ipv6 neighbors shows the content of the neighbor table, including routers and hosts without noting which is a router
# clear ipv6 neighbors clears the router's neighbor table
# show ipv6 routers shows other routers that advertised themselves on the LAN through NDP RA

(NAT configuration)
intA# ip nat inside configure interface as inside nat
intB# ip nat outside configure another interface as outside nat
STATIC NAT:
# ip nat inside source static 10.1.1.2 200.1.1.2 assign client IP from nat interface inside
# ip nat outside source static 10.1.1.1 200.1.1.1 assign client IP from nat interface outside
DYNAMIC Pool:
# ip nat pool [name] [first_address] [last_address] netmask [subnet-mask] registering a pool of public IPs
# access-list x permit 10.1.1.2 0.0.0.255
# access-list x permit 10.1.1.1 0.0.0.255
# ip nat inside source list acl_number pool pool_name [overload] assigns the inside global IPs and an ACL
that allows inside local IPs
overload indicates PAT. with this parameter, port address translation will be activated if not it will be NAT only.

Similar config when the ISP leases a dynamic public IP (inside global):
intA# ip nat inside configure interface as inside nat
intB# ip nat outside configure another interface as outside nat
ip address dhcp >if the public IP is dynamically leased by ISP
>no need for Pool creation
# access-list x permit 10.1.1.2 0.0.0.255
# access-list x permit 10.1.1.1 0.0.0.255
# ip nat inside source list acl_number interface outside_interface [overload] used when the public IP is dynamically leased by the ISP; translates to the outside interface's own address

show ip nat translation lists NAT entries with their IPs


show ip nat statistics lists interfaces and hits
clear ip nat translation manually clear dynamic entries from NAT table. inside local <-> inside global P. 665
clear ip nat translation * manually clear ALL dynamic entries from NAT table. inside local <-> inside global
debug ip nat to issue debugging msgs every time a packet is translated by NAT

debug ip icmp monitor incoming ICMP packets


telnet x.x.x.x 80 to test a webserver connectivity
(OSPF)
# show ip ospf database lists info about LSDB on router
# show ip ospf neighbor [interface] lists the OSPF neighbors (same VLAN or on the ends of serial links)
# show ip route [ospf] lists routes
# show ip ospf x lists info about area x of OSPF
# show ip protocols shows how any routing protocol works and list of passive interfaces
# clear ip ospf process restarts the OSPF process
# show ip ospf interface [brief] lists all interfaces involved in OSPF, including passive ones, with timers [brief: one line per interface, includes passive interfaces]

c# router ospf <process-id> activate OSPF on that router


router-id x.x.x.x if changed needs a "clear ip ospf process"
network 10.10.10.0 0.0.0.255 area x enabling OSPF on any interface with that network. wildcard netmask
[New style]> int# ip ospf 1 area 23 enables OSPF on the interface directly instead of indirectly via the network command; show ip protocols then indicates "Interfaces configured explicitly" instead of network commands
passive-interface gi0/0 no neighbor relationship with that interface
or
passive-interface default
no passive-interface gi0/1 whitelists the non passive interfaces
c# interface loopback <number> set a loopback int
ip address <ip> (chooses the highest loopback address if there are many)
(if not set, chooses the highest IP of all working nonloopbacks)
int# ip ospf cost x manually define a cost value to interface
int# bandwidth 10000 manually set bw of interface in Kbps
r# auto-cost reference-bandwidth 10000 sets the reference bandwidth in Mbps [reference bw (Kbps) / int bw (Kbps) = cost]; 10000 accommodates 10 Gbps interfaces
r# maximum-paths <number> set maximum equal-cost routes (defaults to 4)

c# ip route 0.0.0.0 0.0.0.0 203.0.16.180 make a static route to ISP


r# default-information originate injects the default route into the routing protocol so it is advertised to the other routers
network x.x.x.x 255.255.255.252 adds the ISP-facing subnet to the routing protocol, usually a /24 or /30
r# passive-interface se1/0 makes the interface toward the ISP passive

r# default-information originate always always advertises the default route, even when the router has no default route of its own
# debug ip ospf [hello | adj]

# router ospf 1
[no] shutdown disables OSPF process 1 without removing its configuration; no shutdown re-enables it

int# ip ospf hello-interval <number>

int# ip ospf dead-interval <number>

(EIGRP)
# show ip eigrp topology [subnet/prefix] shows the successor and feasible successor routes
# show ip eigrp interfaces [detail] [S0/0] shows the interfaces on which the router has activated EIGRP and which are not passive [detail: more on timers and split horizon]
# show ip eigrp neighbors lists neighbors by their interface IP address (not router ID)
# show ip route eigrp [subnet mask]
# show ip eigrp topology | section 10.10.10.0
# show ip eigrp topology all-links shows ALL routes, even those that are neither successor nor FS
# show ip eigrp topology x.x.x.x/xx shows the successor and FS routes to that subnet with the metric broken down (NICE)
c# router eigrp <as-number> creates the EIGRP process for that AS and enters router config mode
network x.x.x.x [0.0.255.255]
r# eigrp router-id x.x.x.x optionally choosing a router ID
int# ip hello-interval eigrp x <time> optionally set a different hello interval time
int# ip hold-time eigrp x <time> optionally change hold timer
int# bandwidth <value> optionally change the default bw (Kbps)
int# delay <value> optionally change the default delay (tens of microseconds)
r# maximum-paths <number> optionally change the maximum equal cost paths (defaults to 4)
r# variance <1-128> optionally set the variance multiplier that lets feasible successors be used for unequal-cost load balancing
r# [no] auto-summary optionally enable/disable automatic summarization
# debug eigrp fsm displays changes to EIGRP successor and FS routes (NICE)
# debug eigrp packets displays other packets including protocol authentication error logs

# router eigrp 1
[no] shutdown

(BGP)
# router bgp <local_asn> starts BGP on the edge router with the locally defined ASN
neighbor <remote_ip_address> remote-as <remote_asn> manually define a BGP neighbor
network x.x.x.x mask 255.255.0.0 injects a route into BGP to be compared, verified and then advertised to the neighbor
[no] neighbor <peer_ip_address> shutdown disables/enables the neighbor, identified by its interface address
r# bgp router-id x.x.x.x set the BGP router ID
# show tcp brief shows the TCP sessions, including the status of the session to the BGP neighbor
# show ip bgp summary shows one line per neighbor with details of the local and neighbor BGP state
# show ip bgp lists the BGP table p.316
# show ip route 192.0.2.0 255.255.255.0 longer-prefixes lists all routes within the range 192.0.2.0/24

# ip route 192.0.2.0 255.255.255.0 null0 adds a discard route so the prefix can be advertised to the ISP over BGP without defining a real usable local route

(to configure VLAN 1's IP address on the switch so that it can communicate over the network and with its gateway)

# show ip protocols [shows which routing protocol is running, with some statistics about that protocol]
# trace 192.168.1.1 [performs a traceroute to that IP address]
# show ip rip database [shows all received RIP routes, including those that did not make it into the routing table]
rip# default-information originate [injects the default static route, usually 0.0.0.0 0.0.0.0 toward the internet, and advertises it to RIP neighbors]
rip# timers basic 10 90 90 120 [changes the active, invalid, holddown and flush timers of RIP; do this on all routers]
int# ip summary-address rip 10.1.0.0 255.255.0.0 [manually adds a summary range after no auto-summary]
ospf# area 0 range 10.1.0.0 255.255.0.0 [manually summarizes ranges of IPs between OSPF areas to reduce routing table load]
area 1 range 10.0.0.0 255.255.0.0
int# switchport trunk native vlan 199 [sets the trunk to a non-default native VLAN; must be done on all trunks]
int# no switchport [turns a port on an L3 switch into a routed (L3) interface that then accepts an IP address]
(HDLC/PPP)
int# ip address <address> <mask> an IP address is optional for PPP
optional: int# encapsulation [hdlc | ppp] hdlc is the default encapsulation unless overridden with ppp
int# no shutdown if the interface was disabled before
int# clock rate <speed> when using DTE/DCE cables in the lab; use this on the router holding the DCE (female) end
int# bandwidth <speed-in-kbps>
int# description <text>
# show controller serial 0/0 shows whether the cable end is DCE or DTE, the clock rate etc. on a serial interface running HDLC

(PPP > CHAP authentication)


# hostname <name> set on each router; the hostname is sent as the username
# username <name> password <pass> set on each router with the other router's hostname and the shared password
!username is the other router's hostname; pass is the same shared password on both routers
int# ip address <address> <mask> set on both routers' PPP interfaces
int# encapsulation ppp set on both routers' PPP interfaces
int# ppp authentication chap set on both routers' PPP interfaces

# show ppp all shows ppp enabled interfaces (+ means up/open)

(PPP > PAP authentication)


int# ip address <address> <mask> set on both routers' PPP interfaces
int# encapsulation ppp set on both routers' PPP interfaces
int# ppp authentication pap
*same config as above on both routers, then on each router:
R1 int# ppp pap sent-username R1 password <pass1>
R2# username R1 password <pass1>
R2 int# ppp pap sent-username R2 password <pass2>
R1# username R2 password <pass2>

ISP int# ppp authentication pap callin on the ISP side if PAP is one-way (only the calling side is authenticated)

int# ppp authentication [pap chap] | [chap pap] configures both methods; the order sets which one is tried first

# debug ppp authentication shows issues with authentication. Up/Down state
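An added worked example (my own code, not part of this cheat sheet) modelling the exchanges behind "ppp authentication chap" and "ppp authentication pap", to show why CHAP is preferred: the shared "username ... password" secret never crosses the link, while PAP's sent-username/password travels in the clear. Hostnames R1/R2, passwords and the fixed challenge are constructed values.

```python
# Added example, not from the cheat sheet: a minimal model of the PPP CHAP and
# PAP exchanges behind "ppp authentication chap" / "ppp authentication pap".
# Hostnames (R1, R2), passwords and the fixed challenge are constructed values.
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_exchange(auth_host, auth_db, peer_host, peer_db, identifier=1, challenge=None):
    """auth_db/peer_db model each router's 'username <other-host> password <pass>'
    table. Returns (wire messages, authenticated)."""
    if challenge is None:
        challenge = os.urandom(16)  # fresh random value per challenge
    # 1. Challenge carries the authenticator's 'hostname' and the random value
    wire = [("Challenge", auth_host, identifier, challenge)]
    # 2. Peer looks up the secret stored under the authenticator's hostname and
    #    answers with a hash; the secret itself never leaves the router
    response = chap_response(identifier, peer_db[auth_host], challenge)
    wire.append(("Response", peer_host, identifier, response))
    # 3. Authenticator recomputes with the secret stored under the peer's hostname
    expected = chap_response(identifier, auth_db[peer_host], challenge)
    ok = hmac.compare_digest(response, expected)
    wire.append(("Success" if ok else "Failure", auth_host, identifier, b""))
    return wire, ok

def pap_exchange(peer_host, sent_password, auth_db):
    """'ppp pap sent-username <host> password <pass>': the password itself is
    the Authenticate-Request payload, checked against the 'username' table."""
    wire = [("Authenticate-Request", peer_host, sent_password)]
    ok = hmac.compare_digest(sent_password, auth_db.get(peer_host, b""))
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak", peer_host))
    return wire, ok

def secret_on_wire(wire, secret: bytes) -> bool:
    """True if the raw shared secret appears in any byte field of the exchange
    (what a capture of the serial link would expose)."""
    return any(secret in f for msg in wire for f in msg if isinstance(f, bytes))

if __name__ == "__main__":
    r1_db, r2_db = {"R2": b"s3cret"}, {"R1": b"s3cret"}   # mirrored username lines
    chap_wire, chap_ok = chap_exchange("R1", r1_db, "R2", r2_db)
    pap_wire, pap_ok = pap_exchange("R2", b"s3cret", r1_db)
    print("CHAP ok:", chap_ok, "secret on wire:", secret_on_wire(chap_wire, b"s3cret"))
    print("PAP  ok:", pap_ok, "secret on wire:", secret_on_wire(pap_wire, b"s3cret"))
```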


(Multilink PPP)
*configs related to creating multilink number 1; should be done on both routers
c# interface multilink 1 the multilink number should match on both sides
encapsulation ppp
ppp multilink
ip address <address> <mask>
ppp multilink group 1 joins the multilink interface to group 1

*configs related to linking the serial interfaces into multilink 1; should be done on both routers for every serial link in the bundle
c# interface serial 0/0
encapsulation ppp
ppp multilink enables multilink
no ip address the serial interfaces should NOT have an L3 address
ppp multilink group 1 joins the interface to the same group number as the multilink interface
[pap or chap authentication goes here]

# show ppp multilink shows info about the available multilinks and affiliated L2 interfaces
