Aide Memoire Cisco

EVRARD Benjamin
Aide-Mémoire
CISCO TM
This document is licensed under a

Creative Commons CC BY-SA 3.0 License
Latest version available at http://www.Adelpha.be/Pub/
Foreword
This booklet started as a small aide-mémoire I wrote for myself during my

CCNA & CCNP exam preparation.
With time, I have completed it with templates and configuration commands

for many technologies embedded within the Cisco IOS software that I’ve
encountered until now during my day-to-day job duties.
It is a perpetual work-in-progress that I keep improving when I discover
new topics worth being documented in this quick reference booklet.
I try to maintain it as error-free as can be. Nevertheless, should you en-

counter any, please be kind enough to send me a notification so that I can
make the necessary corrections.
As a true believer in the Open Source spirit, I have chosen to publish this
booklet under a Creative Commons BY-SA license, allowing you to freely
share and remix its content, even for commercial purposes, under the sole
conditions to mention the paternity of this work and re-share it with the
same license.
I hope you will find it helpful and that it will allow you to spend less time
searching after forgotten syntaxes.
EVRARD Benjamin.

Contents Table
- Foreword
- Configuration Register
- Switching
- CDP, SmartPorts Macros, IP Configuration
- Config Backup, Time (NTP), Logging, L3 Routing on L2 Switch
- Access Ports
- Trunk Ports, VLANs & EtherChannels
- Spanning Tree
- First Hop Redundancy Protocols
- Monitoring (RSPAN, NetFlow & SNMP)
- Routing
- Basic Config (CLI Config, SSH, SDM, Boot, Interfaces)
- Logging & Debugging
- CDP, DHCP & NAT
- IP Access Lists, Route Maps, Prefix Lists, VLAN & ARP ACLs
- IP Routing
- Static Routes
- Policy-Based Routing (PBR) & IP SLA-Based Routing
- Routing Protocols Summary Table
- OSPF, EIGRP, BGP, RIP & Multicast
- MPLS
- LDP
- L3VPN
- L2VPN
- VPLS
- Traffic Engineering
- IPv6
- Static Routes
- RIP-NG - OSPFv3 - EIGRP-IPv6
- Transition Tools: GRE, MCE, Auto 6-to-4 & ISATAP Tunnels
- Redistribution
- TroubleShooting ToolKit
- VPN & Crypto
- IPSEc Crypto Maps
- IPSec GRE Crypto Tunnels
- DMVPN
- PPPoE
- PPTP
- PKI Server & Client
- RSA PSK
- DynDNS
- Router IP Traffic Export = RSPAN for Routers
- Quality of Service
- Cisco IOS Firewall
- Router Planes Protection
- Router Hardening Guide
- Authentication, Authorization and Accounting (AAA)
- Role-Based IOS Access
- VoIP Gateway & Call Manager Express
- SCCP
- Call Manager Express
- IP Phones
- SIP
- Call Manager Express
- IP Phones
- Dial-Peers
- H.323
- Dial-Peers
- Gateway
- Gatekeeper
- POTS
- Analog
- FXS & FXO
- Fax Handling
- Modem Handling
- Digital
- Dial-Plan
- Digit manipulation
- Call privileges
- MGCP
- DSP Resources for Conferencing & Transcoding
- CUBE (Cisco Unified Border Element = IP-to-IP Gateway)
- Phone Record Accounting (Call Detail Record)
- CUVA (Cisco Unified Video Advantage)
- Voice TroubleShooting
Configuration Register
Hex Bit Clear Set Default
Meaning
Value # 0 1 Bin Hex
0 0
Boot field : controls the boot sequence.
0x0000 1 0x0 - ROMMOM OS 1
See Table
-
2 0x1 - First IOS in Flash memory Boot Field 0
2
0x000F
0x2 - Boot System as configured in startup-config
3 0
0x0010 4 Bypass bootstrap loader (fast boot) disable enable 0
0x0020 5 Controls the console line speed See Table CLS 0
0x0040 6 Ignore the contents of NVRAM disable enable 0
0
0x0080 7 Original Equipment Manufacturer (OEM) Information display no display 0
0x0100 8 Allows Break key to switch to ROM monitor at anytime allow disable 1
0x0200 9 Use Secondary Bootstrap disable allow 0
0x0400 10 Controls the host portion of the IP broadcast address Ones Zeros 0
1
0x2000 13 Boot ROMs or BOOTFLASH if network boot fails no yes 1
0x4000 14 Controls the subnet portions of the IP broadcast address Ones Zeros 0
2
0x8000 15 Diagnostic mode display and Ignore NVRAM disable enable 0
Console Line Speed (baud) Boot Field

Bit Bit Bit Bin Hex Meaning
5 11 12 Speed 0000 0x0 ROM Monitor OS (ROMMOM)
1 1 1 115200 0001 0x1 First IOS in Flash memory
1 0 1 57600 0010 0x2 Boot the first that succeeds in sequence :
1 1 0 38400 0011 0x3 1. Each boot system command in the
- - starup-config file
1 0 0 19200 2. First IOS in flash memory
1111 0xF
0 0 0 9600 3. ROMMOM OS
0 1 0 4800 Boot System Commands Result
0 1 1 2400 Router(config)#
boot system flash First IOS in flash memory
0 0 1 1200
Router(config)# IOS filename from
Broadcast Address boot system flash <filename> flash memory
Bit Bit Broadcast Address Router(config)#
14 10 (<net> <host>) boot system tftp <filename> IOS filename from
10.1.1.1 tftp server 10.1.1.1
0 0 <ones> <ones>
0 1 <ones> <zeros> Router# show version View confreg
1 1 <zeros> <zeros> Router(config)# config-register 0x2102 Set confreg
1 0 <zeros> <ones>
config-register
EVRARD
Benjamin Default value 0x2102
Switch Configuration
Reset Switch
erase flash:vlan.dat
erase startup-config
vtp mode transparent
Configure CDP/LLDP L2 Broadcast Address

[no] {cdp |lldp} run CDP: 01:00:0c:cc:cc:cc
interface <interface-id> LLDP: 01:80:c2:00:00:0e
[no] {cdp |lldp} enable
show {cdp |lldp}
show {cdp |lldp} neighbors [<interface-id>]
show {cdp |lldp} neighbors detail
show cdp entry {<name> |*}
show cdp interface [<interface-id>]
show cdp traffic
clear cdp {counters |table}
debug cdp {adjacency |events |ip |packets}
Assign IP address to a switch

interface vlan <vlan-id>
ip address {dhcp | <ip> <mask> }
no shutdown
ip default-gateway <gateway>
show interfaces vlan <vlan-id>
show dhcp lease
mls qos enables QoS on the switch
mac address-table aging-time <secs> defaults to 300

mac address-table static <mac-addr> vlan <vlan-id> interface <interface-id>
show mac address-table count

show mac address-table dynamic address <mac-addr>
show mac address-table dynamic interface <interface-id>
clear mac address-table dynamic

[address <mac-addr> |interface <interface-id> | vlan <vlan-id>]
SmartPort Macros / Templates

macro name <macro-name> create macro, name is case-sensitive
#<comment 1> macro contents
<cli command 1> [$<variable>] lines begging with # are comments
#<comment n>
<cli command n>
@ end of macro
macro global {apply |trace} <macro-name> apply global macro

interface <interface-id> execute macro
macro {apply |trace} <macro-name> [$<variable> <value>] [$...]
macro description <description> optionally give description about applied macro
! troubleshoot
show parser macro [brief]
show parser macro {name <macro-name> |description [interface <int-id>]}
show run interface <interface-id>
Backup
ip {ftp |http client} username <username>
ip {ftp |http client} password <password>
ip ftp source-interface <interface-id> loopback0
copy <source> <protocol>://[<user>:<password>@]<destination>
archive
path <protocol>://<destination> $h is replaced by device hostname
time-pediod <minutes> $t is replaced by current time
write-memory !enable triggered creation of backup when config is saved
configure replace <source> [list] [force] replace running-config by source

show archive
Time Synchronisation
clock timezone <name> ±<Hours> [±<Minutes>] Set TimeZone
clock summer-time <name> recurring <DTG-begin> <DTG-end> Set Summer TimeZone
clock set <hh>:<mm>:<ss> <dd> <mmm> <yyyy>
clock calendar-valid defines the local clock as valid (REQUIRED on NTP root server)
! Configure Local NTP Server

ntp master <stratum> stratum should be set 2 unit higher than upstream NTP servers
! Synchronize with NTP Server Sync to a lower stratum server
ntp server <host> [prefer] [source <interface-id>] [key <key-id>]
! Synchronize with peers Peer is used to sync same stratum-level NTP hosts
ntp peer <host> [prefer] [source <interface-id>] [key <key-id>]
! NTP Authentication on both client & server side
ntp authentication-key <key-id> md5 <password> define NTP authentication key
! NTP Authentication only on client side
ntp authenticate activates NTP authentication
ntp trusted-key <key-id> define which key is trusted
! NTP ACL Security
ntp access-group peer <acl-id> restrict servers/peers from which to sync
ntp access-group serve-only <acl-id> restrict clients that can sync to local server
ntp max-associations <value> maximum number of NTP peers & clients for this device
ntp source <interface-id>
ntp logging Severity Levels
0 - Emergencies
! troubleshoot 1 - Alerts
2 - Critical
show clock [detail] 3 - Errors
show ntp {status |association [detail]} 4 - Warnings
5 - Notifications
6 - Informational
Logging 7 - Debugging
services timestamps debug datetime msec show-timezone year

services timestamps log datetime msec show-timezone year
logging on activates logging to all destinations

logging console <severity>
logging buffered <buffer-size> <severity>
logging <log-server-ip>
logging trap <severity>
logging rate-limit all <occurrences> except <severity-level>
terminal monitor redirects console messages to local session

show logging history shows logging buffer
Limited L3 Routing on L2 Switch requires IOS 12.2(55) lanbase

sdm prefer {default | lanbase-routing} routing protocols NOT supported
reload up to 16 static routes, connected ones included
ip routing
Interface-range macros
define interface-range <macro-name> <interface-id> [, <…>]
interface range macro <macro-name>
Configure Access Ports
interface {<interface-id> |range <interface-range>}
shutdown
description <text>
switchport nonegotiate disable DTP messages exchange
switchport mode access
switchport access {vlan <vlan-id> |dynamic}
spanning-tree portfast
spanning-tree bpduguard enable
duplex {auto |full |half} hard-coding speed/duplex disables auto-mdix
speed {auto |1000 |100 |10}
mdix {auto} auto-mdix requires both speed and duplex auto-negotiation
no shutdown
errdisable detect cause {all |<cause>}
errdisable recovery cause [all |<cause>]
errdisable recovery interval <secs> range: 30-86400
! troubleshoot
show interfaces [status] [<interface-id>]
show interfaces <interface-id> switchport
show interface status err-disabled
show mac address-table [dynamic |static] [vlan <vlan-id>]
Configure Voice Ports
shutdown
description <text>
switchport nonegotiate disable DTP messages exchange
switchport access {vlan <vlan-id> |dynamic}
switchport voice vlan {<vlan-id> |dot1p |untagged |none}
spanning-tree portfast allow IP Phone to boot quickly
cdp enable CDP is REQUIRED for Cisco IP Phones
power inline {{auto |static} [max <mW>] |never} Power over Ethernet (PoE)
! define which QoS setting will be trusted Phone Boot Sequence
mls qos trust {cos |ip-precedence |dscp} 1. PoE
! condition the trust to the detection of a cisco phone 2. Boot firmware <— flash
3. CDP -> Phone VLAN
mls qos trust device cisco-phone 4. DHCP —> Option 150
! instruct IP Phone how to extend trust boundary 5. TFTP —> Config Load
switchport priority extend {cos <value> |trust} 6. Registration to CM
auto qos voip {cisco-phone |cisco-softphone |trust}
mls qos !enables QoS on the switch
! troubleshoot
show interfaces <interface-id> switchport
show power inline [<interface-id>] PoE status/Switch Power Budget
show mls qos [interface <interface-id>]
show auto qos [interface <interface-id>]
If port-security, ensure it has a maximum count including the phone MAC ! (+1)
Check Network Services : CDP, DHCP, TFTP, NTP
Check QoS Configuration ; Check VLAN separation ; Check Switch’s Power Budget
Storm-Control
interface <interface-id>
storm-control action {shutdown |trap}
storm-control {broadcast |multicast |unicast} level <%>
show interfaces <interface-id> counters storm-control
show storm-control [<interface-id>] [broadcast |multicast |unicast]
Secure Access Ports
! Port-security
interface {<interface-id>| range <interface-range>}
switchport nonegotiate disable DTP messages exchange (Dynamic Trunking Protocol)
switchport port-security
switchport port-security violation {protect | restrict | shutdown}
switchport port-security maximum <value> default 1
switchport port-security mac-address <mac-address>
switchport port-security mac-address sticky
switchport port-security aging time <mins>
switchport port-security aging type <type>
switchport protected !can only communicate with unprotected port
Is +/- a light version of Private-VLANs
spanning-tree bpduguard enable prevent exchange of BPDU packets
shutdown all unused ports should be disabled
! 802.1x RADIUS Authentication (EAPoL = Ext Auth Protocol over LAN)

aaa new-model enable aaa new-model
define radius server, then auth method for 802.1x
radius-server host {<server>} [auth-port <port>] [key <key>]
aaa authentication dot1x default group radius
dot1x system-auth-control enable 802.1x

switchport access vlan <vlan-id>
to enable 802.1x auth, port-control MUST be set to auto
dot1x port-control {auto |force-authorized* |force-unauthorized}
dot1x host-mode multihost !supports more than 1 host/port
! Mitigate Spoofing attacks

! DHCP Snooping
ip dhcp snooping globally activates DHCP snooping; all ports default to untrusted
ip dhcp snooping vlan <vlan-list> MANDATORY: defines on which vlan it should run
ip dhcp snooping information option add option-82 when forwarding DHCP req
ip dhcp snooping trust trust DHCP replies on the port
ip dhcp snooping limit rate <req/sec> limit DHCP requests on the port
! IP Source Guard !Requires DHCP snooping

ip source binding <mac-addr> vlan <vlan-id> <ip> interface <interface-id>
IP source-guard binding definition
ip verify source [port-security] enable IP source-guard on the port
! Dynamic ARP Inspection !Requires DHCP snooping, drops gratuitous ARPs
ip arp inspection vlan <vlan-list> all ports default to untrusted
ip arp inspection filter <acl-name> vlan <vlan-range> [static]
ip arp inspection validate {[scr-mac] [dst-mac] [ip]}
ip arp inspection trust disable dynamic ARP inspection on the port
arp access-list <acl-name> (mac access-list) mac address ACL
permit ip host <ip> mac host <mac-addr> [log] (implicit deny any at the end)
! troubleshoot
show port-security [interface <interface-id>] [address]
clear port-security dynamic [address <mac-address> |interface <int-id>]
show ip dhcp snooping [binding |database | statistics]
show ip verify source [interface <interface-id>]
show ip source binding [<ip>] [<mac-addr>] [dhcp-snooping |static]
[interface <interface-id>] [vlan <vlan-id>]
show ip arp inspection
Configure VLANs
vlan <vlan-id> (0-1001 ; 1006-4094)
name <name>
no shutdown
show vlan [brief |id <vlan-id> |name <vlan-name> |summary]
show interfaces [<interface-id>] switchport
show vlan-switch on a router etherswitch module
Secure VLANs
! Disable Dynamic Trunking Protocol
switchport nonegotiate
switchport mode {access |trunk}
switchport access vlan <vlan-id>
! VLAN Access Lists

vlan access-map <map-name> [<seq>] create access-map entry
match
[ip address <acl-id>]
[ipx address <acl-id>]
[mac address <acl-id>]
action {drop |forward [capture] |redirect <interface-id>}
vlan filter <map-name> vlan-list <vlan-list> apply access-map
! Avoid VLAN Hopping on dot1q trunking ports

OPTION 1
vlan dot1q tag native apply tag on native vlan
vlan <bogus-vlan-id> OPTION 2

name bogus-native-vlan prune bogus native vlan
switchport trunk encapsulation dot1q
switchport trunk native vlan <bogus-vlan-id>
switchport trunk allowed vlan remove <bogus-vlan-id>
switchport mode trunk
Best practice : Never use VLAN 1 for client and/or management traffic !
! Private VLAN
vtp mode transparent
vlan <sec-vlan> define secondary vlan

private-vlan {isolated |community} (isolated or community)
vlan <pri-vlan>
private-vlan primary define primary vlan; associate with
private-vlan association [add |remove] <sec-vlan-list> secondary vlans
interface <interface-id> config for promiscuous host (ignores the p-vlan rules)
switchport mode private-vlan promiscuous
switchport private-vlan mapping <pri-vlan-id> <sec-vlan-list>
interface <interface-id> config for isolated/community host

switchport mode private-vlan host
switchport private-vlan host-association <pri-vlan-id> <sec-vlan-id>
interface <vlan-id> config for L3 SVI interface

private-vlan mapping [add |remove] <sec-vlan-list>
! troubleshoot
show vlan private-vlan [type]
Configure Trunking Ports Dot1Q = 802.1Q
shutdown
switchport nonegotiate disables DTP ; use only if trunk forced on both ends
switchport mode {trunk |dynamic {auto |desirable} |access}
switchport trunk encapsulation {dot1q| isl| negotiate}
Switchport trunk native vlan <vlan-id>
switchport trunk allowed vlan {all| [add |except |remove] <vlan-list>}
mls qos trust cos !trunks ports should normally trust QoS markings
auto qos voip trust
ip dhcp snooping trust
ip arp instpection trust
no shutdown
! troubleshoot
show interface [<interface-id>] [trunk |switchport]
show dtp [interface <interface-id>]
! Common problems:
—> Native/Allowed VLAN Mismatch ; Encapsulation Mismatch ; DTP negotiation mismatch
Configure VTP
configure terminal
vtp mode {transparent|server*|client}
vtp domain <domain-name> !case-sensitive
vtp password <password> !case-sensitive
vtp pruning enable automatic vlan pruning to limit the extent of broadcasts
vtp version {1|2|3} default to 1; v3 not in IOS, only in CatOS
interface <interface-id> switchport trunk pruning

vlan {add |except |none |remove} <vlan-list>
! troubleshoot
show vtp [status |password |counters]
show vlan brief
show interface <interface-id> {switchport |pruning}
delete flash:vlan.dat !sometimes required when changing vtp settings
delete vtp
! Common problems:
—> VTP domain/password/version Mismatch; verify trunk links; delete vlan.dat & reboot
Configure EtherChannels
interface range <interface-range> Max 8 ports/channel
no ip address
channel-protocol {pagp* |lacp}
channel-group <channel-id> mode {auto |desirable} [non-silent] PAgP
channel-group <channel-id> mode {active |passive} LACP
channel-group <channel-id> mode on No Protocol
lacp port-priority <prio> LACP
<other config commands>
lacp system-priority <prio>
interface port-channel <channel-id>
ip address <ip> <mask>
port-channel load-balance {dst |src |src-dst}-{mac |ip |port}
! troubleshoot
show interface <interface-id> etherchannel
show etherchannel [<channel-id>]
[ brief | detail |load-balance | port | port-channel | summary |protocol]
show {pagp|lacp} neighbor
show lacp sys-id
! Remarks: 802.3ad = LACP
- All port must have same duplex/speed/vlan/trunk config and same etherchannel protocol
- L2/L3 port config must be done before activating the port-channel.
Configure Spanning Tree STP Multicast address : 01-80-c2-00-00-00
root path selection criteria to break any tie are (LOWER wins):
Root Bridge ID > Cost to Root > Sending Bridge ID > Sending Port ID
Bridge ID : Priority (x4096) + VlanID & Switch MAC Address
Port ID : Port Priority & Port Number
802.1d = Legacy Spanning-Tree; 802.1w = Rapid Spanning Tree
spanning-tree mode {mst |rapid-pvst |pvst} configure mode
spanning-tree vlan <vlan-number> root {primary |secondary} set root bridge
[diameter <diameter> [hello-time <secs>]]
spanning-tree vlan <vlan-id> priority <priority> set bridge priority
Priority defaults to 32768 ; lower MAC address breaks the tie.
/!\ Usually LOWER MAC address means OLDER equipment !!
—> NEVER let the default settings determine the ROOT switch !!
spanning-tree extend system-id
! tune Spanning-Tree convergence
spanning-tree portfast default enable portfast on all switchports
spanning-tree backbonefast /!\ should be enabled on ALL switches or NONE
Enables RLQ (Root Link Query) protocol, which is required by BackboneFast
spanning-tree uplinkfast [max-update-rate <packets/sec>]
!not allowed on root bridge, should be limited to leaf (access) switches
! set timers manually default timers are based on a diameter of 7
spanning-tree [vlan <vlan-id>] hello-time <secs> default: 02 secs
spanning-tree [vlan <vlan-id>] forward-time <secs> default: 15 secs
spanning-tree [vlan <vlan-id>] max-age <secs> default: 20 secs
! tune interface settings
spanning-tree [vlan <vlan-id>] cost <cost> set port cost
spanning-tree [vlan <vlan-id>] port-priority {<0-255>} set port prio
[no] spanning-tree portfast [trunk] [dis-] enable portfast (edge port)
spanning-tree link-type point-to-point overrides a port type (RPVST+)
! troubleshoot
show spanning-tree [vlan <vlan-id>] {root |bridge}
show spanning-tree [vlan <vlan-id>] {detail |summary}
show spanning-tree interface <interface-id> [detail]
show spanning-tree blockedports
show spanning-tree {uplinkfast |backbonefast}
debug spanning-tree {events |pvst+ |switch state}
Configure Multiple Spanning Tree 802.1s = Multiple Spanning-Tree

spanning-tree mode mst configure mode
spanning-tree mst configuration
name <name> !name, revision & instance-to-vlan mappings…
revision <version> … MUST match on every switch
instance <mst-id> vlan <vlan-list> mst-id range {0-15}
show pending
exit
spanning-tree mst <mst-id> root {primary |secondary} set root bridge
[diameter <diameter>]
spanning-tree mst <mst-id> priority <priority> set bridge priority
spanning-tree mst pre-standard enables compatibility with prestandard mst
! Set timers manually
spanning-tree mst <mst-id> hello-time <secs>
spanning-tree mst <mst-id> forward-time <secs>
spanning-tree mst <mst-id> max-age <secs>
spanning-tree mst <mst-id> cost <cost> set port cost
spanning-tree mst <mst-id> port-priority {<0-255>} set port prio
! troubleshoot
show spanning-tree mst <mst-id>
clear spanning-tree detected-protocols [interface <interface-id>]
revert the legacy stp mode to mst mode
Stabilize/Protect Spanning Tree
! Protect against unexpected BPDUs (BPDU Guard & Guard Root)
spanning-tree portfast bpdu-guard default enable bpdu-guard globally
bpdu-guard err-disables the port if BPDUs are received on it
spanning-tree portfast BPDU Guard should be enabled on all portfast interfaces
spanning-tree bpduguard enable enable bpdu-guard
spanning-tree guard root prevent the port to become root port on all VLANS
to be activated on ports where a root bridge should NOT be expected
! Protect against sudden loss of BPDUs (Unidirectional ‘wire’ failure)

spanning-tree loopguard default enable loop-guard globally
udld {enable |aggressive |message time <secs>}
enable udld on all fiber-optic switch ports
[no] spanning-tree guard loop [dis-] enable loop-guard
udld {enable |aggressive |disable} unidirectional link detection
udld timers MUST be set to detect a link failure before reaching the STP FWD state
! BPDU Filtering To use carefully, even avoid if possible!

spanning-tree portfast bpdufilter default filters BPGUs on all portfast ports
spanning-tree bpdufilter {enable|disable}
! troubleshoot
show spanning-tree {inconsistentports |summary}
show spanning-tree interface <interface-id> [detail]
show udld <interface-id>
udld reset
RSTP States
State Comment
Bridge ID Discarding Incoming frames dropped except BPDUs
BID Priority MAC-Addr Learning Incoming frames dropped ; MAC addresses learned
Forwarding Frames are forwarded
EBID Prio VLAN MAC-Addr
bits 4 12 48 RSTP Port Roles
Type Comment
STP State RSTP Role RSTP State
Root Port Port with lowest path cost to root switch

Forwarding
Forwarding
Disarding
Disarding
Learning
Designated Pord Port on a network segment with best root path cost
Alternate Port Port with alternative, less desirable path to the root
Backup Port Port providing redudant connection to a network segment
RSTP Link Types

Designated
STP Cost
Alternative
Link
Transition
Disabled
Backup
Root
p2p Full Duplex Bandwidth Orig d-1998 t-2001

MAC
shared Half Duplex 4 Mbps 250 250 5 000 000
BPDU Message 10 Mbps 100 100 2 000 000

Forwarding
Forwarding
Link Priority
Field Bytes 16 Mbps 63 62 1 250 000

Listening
Learning
Blocking
Protocol ID 2 45 Mbps 22 39 444 444

-
PrtNb
Version 1 100 Mbps 10 19 200 000

Msg Type 1 155 Mbps 6 14 129 032
Non designated
Flags 1 622 Mbps 2 6 31 154

STP Role
Designated
Transition
Disabled
Root
Root Bridge ID 8 1 Gbps 1 4 20 000

Cost
Root Path Cost 4 2 Gbps 3 10 000

Sender Bridge ID 8 10 Gbps 0 2 2 000
First Hop Redundancy Protocol
! Redudancy Protocol convergence MUST be SLOWER than Routing Protocol convergence.
! Active Router ideally matches with STP Root Bridge for each VLAN (on L3 switches).
track <tid> {interface |ip route |list |rtr} Defines a tracking object
VRRP - Virtual Router Redundancy Protocol IETF RFC 3768

VRRP Roles: 1 Master router, other ones in backup state
Multicast: 224.0.0.18, IP: 112 - Virtual Mac address: 00:00:5e:00:01:<VRRP-Group>
interface <interface-id> !group-id range {0-255}
vrrp <group-id> ip <vrrp-ip> can be the same as one of the VRRP router IP
vrrp <group-id> priority {0-254} higher wins, default is 100
vrrp <group-id> authentication <string>
vrrp <group-id> timers advertise <secs> skew time depends on priority
Timers default : 1 3+skew Hold timer MUST be higher than IGP convergence time
vrrp <group-id> timers learn !to set on non masters members
vrrp <group-id> preempt [delay <secs>] !preemption is per default
vrrp <group-id> track <tid> [decrement <penalty>] default penalty is 10
show vrrp [brief] VRRP States
show vrrp interface <interface-id> 0. Disabled 2. Backup
debug vrrp <options> 1. Init 3. Master
HSRP - Hot Standby Router Protocol RFC 2281 - Cisco proprietary

HSRP Roles: 1 Active router, 1 Standby, both elected, other ones in listen state
Multicast: 224.0.0.2, UDP: 1985 - Virtual Mac address: 00:00:0c:07:ac:<HSRP-Group>
standby [<group-id>] version {1*|2} gid range {0 - {255 (v1) |4095 (v2)}}
standby [<group-id>] ip <ip-hsrp> !MUST BE UNIQUE
standby [<group-id>] priority {0-255} higher wins, default is 100
if Prio ties, Higher IP address wins
standby [<group-id>] authentication <password>
!max 8 chars, defaults to “cisco”
standby [<group-id>] authentication md5 key-string <key-string>
standby [<group-id>] timers [msec] <hello-time> <hold-time>
Timers default : 3 10 Hold timer MUST be higher than IGP convergence time
standby [<group-id>] preempt /!\ preemption is not default
[{<delay>} [minimum <delay>] [sync <delay>]] preempted device returns to Speak
standby [<group-id>] track {<int-id> |<tid>} [<penalty>] default penalty is 10
show standby [<interface-id>] [<group-id>] [brief] HSRP States
debug standby [[errors] |[terse]]
0. Disabled 3. Speak
debug standby events [<options>] 1. Init 4. Standby
debug standby packets [<packets-types>] [detail] 2. Listen 5. Active
GLBP - Gateway Load Balancing Protocol Cisco Proprietary

GLBP Roles: 1 Active Virtual Gateway (AVG), 1 Standby Virtual Gateway, Other Listen
Up to 4 Active Virtual Forwarders (AVF), Other Listen
AVG designates AVFs & replies to all ARP Requests to load balance traffic between clients
interface <interface-id> group-id range {0-1023}
glbp <group-id> ip <glbp-ip> /!\ MUST BE UNIQUE
glbp <group-id> priority {0-255} defaults to 100, influence election of AVG
glbp <group-id> authentication md5 key-string <password>
glbp <group-id> timers [msec] <hello-time> [msec] <hold-time>
timers default 3 10 Hold timer MUST be higher than IGP convergence time
glbp <group-id> preempt [delay minimum <seconds>] AVG preemption
glbp <group-id> forwarder preempt AVF preemption
glbp <group-id> load-balancing {host-dependant |round-robin |weighted}
Load-balancing mode is defined by the current AVG
glbp <group-id> weighting <weight> lower <threshold> upper <threshold>
glbp <group-id> weighting track <tid> decrement <weight>
Weight is used as balance key to apply unequal load-balancing between AVFs
A router can stay AVF as long as its weight stays above lower threshold
It can recover as AVF after reaching back at least the upper threshold
show glbp [brief]
show blgp <interface-id> Virtual MAC Address: 00:07:b4:<GID>:<GID>:<AVF-ID>
debug blgp terse Multicast: 224.0.0.102, UDP: 3222
Monitoring
! Port mirroring (SPAN — Switched Port Analyzer)
monitor session <id> source interface <interface-id> [rx|tx|both] monitored
monitor session <id> destination interface <interface-id> monitoring
! Remote Port mirroring (RSPAN)

vlan <vlan-id>
name SPAN-VLAN
remote-span allow SPAN with source & destination on different switches
!That VLAN is DEDICATED to SPAN traffic ONLY; other traffic is discarded
monitor session <id> source remote vlan <vlan-id> [rx|tx|both] rspan vlan
monitor session <id> destin remote vlan <vlan-id> rspan vlan
[encaps replicate] [reflector-port <port-id>] uplink port to monitoring switch
show monitor
show vlan remote-span
! NetFlow Export
ip flow-export source <interface-id> ideally set to loopback0
ip flow-export version {1|5|9}
ip flow-export destination <ip> [<port>]
ip flow {ingress |egress} activate flow export for the incoming/outgoing traffic
ip flow-top-talkers configure the N top BW consuming devices view

top <n>
sort-by {bytes |packets}
match <match criteria>
show ip cache flow display flows statistics
show ip flow {interface |export}
show ip flow top-talkers display statistics about the N top BW consuming devices
rmon alarm <alarm-id> <mib-id> <secs> {delta |absolutes}

rising-threshold <value> <event-id>
[falling-threshold <value> <event-id>] [owner <owner>]
rmon event <event-id> description “<description>” [trap <community-string>]
! SNMP Server
snmp-server community <string> [ro |rw] [<acl-id>]
snmp-server contact <contact-info>
snmp-server location <location>
snmp-server ifindex persist persistent interfaces index across reboots
snmp-server source-interface <interface-id> ideally set to loopback0
! SNMPv3
snmp-server view <view-name> system {included |excluded}
snmp-server view <view-name> interfaces included
snmp-server group <group-name> v3 {[no]auth |priv} read <view-name>
snmp-server user <username> <group-name> v3 [encrypted]
[auth {sha |md5} <auth-password>]
[priv {aes {128|192|256} |[3]des} <privacy-password>]
[access <acl-id>]
! SNMP Traps
snmp-server host <trap-server> version <ver> <string>
snmp-server enable traps [<traps>]
Router Configuration
Basic Router Config
hostname <hostname>
ip domain-name <dns-suffix>
ip default-gateway <ip>
ip name-server <pri dns ip>
ip name-server <sec dns ip>
ip domain-list <search-domain>
ip routing (enabled by default)
no ip domain-lookup
show interface
Access Configuration
service password-encryption
enable {secret |password} <password>
user <username> [privilege <level>]

{ password {0|7} |secret {0|5}} <password>
user <username> autocommand <command> auto-execute command at logon
line console 0
login [local |radius]
password <password> login without options
privilege level <level> level range 0-15
transport preferred none
exec-timeout <mm> <ss> mm=0 —> disable timeout
logging synchronous
history <lines>
length <lines>
line vty 0 15
login [local |radius]
password <password> login without options
privilege level <level> level range 0-15
transport input {ssh |telnet |rlogin}
session-timeout <mm>
logging synchronous
history <lines>
banner {login|motd} <delimiter-char> <text> <delimiter-char>

show terminal
SSH Configuration
username <name> privilege <level> secret 0 <password>
ip domain-name <dns-suffix>
ip ssh version 2
crypto key generate rsa [mod <length>] min key length: 768
line vty 0 15
login local
transport input ssh
exit
Cisco SDM
ip http secure-server
ip http authentication local
ip http timeout-policy idle 600 life 86400 request 1000
username <username> privilege 15 secret 0 <password>

line vty 0 15
transport input ssh
Interface Config
interface <type> <module/slot/port>
description <description>
encapsulation <protocol>
ip address {dhcp | <ip> <mask>} [secondary]
no shutdown
parser config cache interface speeds up show run by caching interface settings
show interfaces description
show ip interface brief
Serial PPP/HDLC
interface serial <slot/port>
clock rate <bps> only if DCE
bandwidth <kbps> for routing protocol or QoS computations
encapsulation {ppp |hdlc |frame-relay [ietf |cisco]}
ppp authentication {chap |pap} requires accounts config / PPP only
ppp quality <n> PPP only
ppp multilink PPP only
compress {predictor |stac} PPP only
no shutdown
username <remote-hostname> password <matching-password>
show interfaces <interface-id>
show controllers serial <slot/port>
debug ppp {authentication |negotiation |compression |error}
Serial Frame-Relay
interface serial <slot/port>
ip address <ip> <mask> only if NO sub-if
encapsulation frame-relay [ietf |cisco] mandaroty
frame-relay lmi-type {ansi|q933a |cisco} mandaroty
frame-relay map <protocol> <protocol-address> <dlci>
[broadcast] [ietf | cisco]
keepalive sec
Interface serial <slot/port>.<subif> [point-to-point |multipoint]

ip address <ip> <mask> mandaroty
frame-relay interface-dlci <dlci> [ietf |cisco] mandaroty
frame-relay map <protocol> <protocol-address> <dlci>
broadcast [ietf | cisco]
no frame-relay inverse-arp
show frame-relay {lmi |pvc |map}
debug frame-relay {lmi |events}
Boot Process
config-register 0x2102
boot system flash [<filename>]
boot system {rcp |tftp |ftp} [<filename>] [<server-ip>]
boot system rom
show {version |flash}
Password recovery
[Start with confreg 0x2142]
O /r 0x2142
copy startup-config running-config
[Change passwd]
do copy running-config startup-config
Severity Levels
0 - Emergencies
Logging/Debugging 1
2
-
-
Alerts
Critical
clock timezone <name> ±<Hours> [±<Minutes>] 3 - Errors
4 - Warnings
clock summer-time <name> recurring <DTG-begin> <DTG-end> 5 - Notifications
services timestamps debug datetime msec 6 - Informational
7 - Debugging
ntp server <ip> [prefer]
logging on activates logging to all destinations
logging console <severity>
logging buffered <buffer-size> <severity>
logging <log-server-ip>
logging trap <severity>
terminal monitor redirects console messages to local session
show logging history shows logging buffer
show processes
show running-config [full]
no debug all | undebug all |u all
IOS Console
! output filters / redirectors
| begin <regex> display only from the first match
| include <regex> only include matched lines
| exclude <regex> display all but matched lines
| section <regex> display only matched sections
| redirect <url> write output to url
| append <url> append output to url
| tee <url> both redirect & display locally
Redirectors use regular expression as match string.
alias exec <alias> <command> creates a alias command

alias exec aclist sh ip int | i line pro|access list is [^ ]+$
Telnet/SSH Client
telnet {<hostname>|<ip>}
ssh -l <username> {<hostname>|<ip>} [<command>]
resume <session-id>
disconnect <session-id>
^ = BREAK char (CTRL+SHIFT+ {6|9})
^x interrupt remote session
show sessions
clear line <vty-id>
show users
show ssh
debug {telnet |ssh}
terminal ip netmask-format decimal
Configure CDP/LLDP
[no] {cdp |lldp} run
[no] {cdp |lldp} enable
show {cdp |lldp}
show {cdp |lldp} neighbors [<interface-id>]
show {cdp |lldp} neighbors detail
show cdp entry {<name> |*}
show cdp interface [<interface-id>]
show cdp traffic
clear cdp {counters |table}
debug cdp {adjacency |events |ip |packets}
DHCP Server Config
service dhcp enabled by default
ip dhcp pool <name> (Option #)

network <ip> [<mask>] DHCP Dialog
default-router <ip> (03) D - Discover
dns-server <ip> (06) O - Offer
domain-name <domain> (15) R - Request
netbios-name-server <ip> (44) A - Ack
netbios-node-type <type> (46)
next-server <ip> (66) tftp boot
bootfile <filename> (67)
lease {<days> [<hours>] [<minutes>] |infinite} (51)
option <id> <type> <setting>
ip dhcp excluded-address <first-ip> <last-ip>
ip dhcp ping packets <n> polls <n> times an ip before assignation
ip dhcp ping timeout <ms> default: 2 pings with 500ms timeout
ip dhcp smart-relay
ip dhcp database <url> [timeout <seconds>] [write-delay <seconds>]
no ip dhcp conflict logging
ip helper-address <server-ip> Forwards UDP broadcasts to unicast IP address
forwards UDP: 37 Time, 49 TACACS, 53 DNS, 67-68 DHCP/BootP, 69 TFTP, 137-138 NetBios
[no] ip forward-protocol udp {<port> |<protocol>} changes ip helper behavior
! troubleshoot
show ip dhcp {binding |conflict} [<ip>]
show ip dhcp database [<url>]
show dhcp server
show ip dhcp pool [<pool-name>]
debug ip dhcp server {events | packets | linkage}
clear ip dhcp {binding |conflict} {<ip> |*}
Common problems:
TYPO in Interface or Pool IP Addresses DHCP Relay not enabled
Incorrect Exclusion-range Duplicate IP Addresses
Pool Out of DHCP Addresses
NAT Config
interface <public-int-id>
ip nat outside
interface <private-int-id>
ip nat inside
access-list <acl-id> permit <ip> [<wildcard>]
! STATIC NAT
ip nat inside source static <inside-loc-ip> <inside-glob-ip>
! DYNAMIC NAT
ip nat pool <pool-name> <first-ip> <last-ip> netmask <mask>
ip nat source list <acl-id> pool <pool-name> [overload]
! OVERLOAD NAT / PAT
ip nat inside source list <acl-id> interface <public-int-id> overload
ip nat translation max-entries <number> limits max concurrent translations
ip nat translation [<protocol>-] timeout <seconds> aging time of NAT entries
! troubleshoot
show ip nat {translations |statistics}
clear ip nat translation [*]
debug ip nat
Common problems:
Incorrect ACL reference Specific Application is NOT NAT aware
Incorrect Inside & Outside interface assignation Incorrect IP Address/range reference
Routing Loop occurs as result of NAT
High CPU utilization / high latency <—- excessive amount of NAT entries
IP ACLs Have a guideline, draw/write out the plan, apply it
Beware not to replace existing ACLS!!
reload in 5 safety net : reload the router if not cancelled after ACL activation
reload cancell cancell the reboot if the ACL has not locked you out
! standard ACL ONLY based on source IP address; closer to destination
ip access-list standard <acl-id> (1-99;1300-1999)
{permit|deny} {host <ip> |<ip> <wild>}
deny any ==> implicit at the end !!
! extended ACL closer to the source

ip access-list extended <acl-id> (100-199;2000-2699)
[<sequence-number>] {permit |deny |remark} {<conditions>}
<protocol> ip/tcp/udp/icmp
{host <ip> |<ip> <wild>|any} source host
[{eq |gt |lt |neq |range} <port>] source port
{host <ip> |<ip> <wild>|any} destination host
[{eq |gt |lt |neq |range} <port>] destination port
[<match-bit>] [options <option> ...] options
[reflect] [time-range <range-id>] options
[fragment] fragments are evaluated only on L3 information
/!\ Implicit ‘deny ip any any’ at the end !!
! apply ACL to an interface
ip access-group <acl-id> {in|out}
line vty <range>

ip access-class <acl-id> in
! dynamic ACL (don’t forget to activate vty login)

user <username> [privilege <level>]
{ password {0|7} | secret {0|5}} <password>
user <username> autocommand access-enable host timeout 10
access-list <acl-id> permit tcp any host 10.1.1.1 eq telnet
ip address 10.1.1.1 255.255.255.0
ip access-group <acl-id> in
access-list <acl-id> dynamic testlist timeout 15

permit ip 10.1.1.1 0.0.0.255 172.16.1.0 0.0.0.255
! reflexive ACL
ip access-list extented <acl-out>
permit <protocol> <source> <destination> reflect <reflect-id>
ip access-list extented <acl-in>
evaluate <reflect-id>
ip access-group <acl-in> in
ip access-group <acl-out> out
! time-based ACL
time-range <time-name>
periodic <days> <time>
ip access-list <acl-id> permit time-range <time-name>
! renumber access-list
ip access-list resequence <acl-id> <begin> <step>
! troubleshoot
sh ip interfaces [<interface-id>]
sh [ip] access-list <acl-id>
Route Maps
route-map <map-name> {permit|deny} <seq>
match
[ip address {<acl>|prefix-list <id>}] Protocol can be matched by ACL
[ip {next-hop|route-source} <acl>]
[interface <type> <id>] [tag <tag>]
[source-protocol <protocol>]
[route-type <type>] OSPF or IS-IS route type
[metric <metric> [{+|-} <deviation>]]
[policy-list <list>] [...]
[length <min> <max>]
[local-preference <value>]
set
[[default] ip next-hop <ip> [<ips>]] Policy Based Routing
[[default] interface <interface> [<interfaces>]] Policy Based Routing
[ip next-hop verify-availability <ip> <seq> track <tid>] PBR with SLA
[ip tos {0-15}] [ip precedence {0-7}] [ip dscp <dscp>] QoS
[tag <tag>] Route Tagging/Coloring
[metric-type <type>] OSPF
[metric [+|-] {0-4294967295}] OSPF, RIP, IS-IS
[metric <bw> <delay> <reliability> <load> <mtu>] EIGRP
! bgp attributes
[weight {0-65536}]
[local-preference {0-4294967295}]
[as-path {prepend <asn> |tag}]
[origin {egp <remote-as> |igp |incomplete}]
[nlri [unicast] [multicast]] Network Layer Reachability Information
! troubleshoot
show route-map <map-name>
Prefix-Lists
ip prefix-list <name> description <description>
ip prefix-list <name> [seq <#>]
{permit|deny} <network>/<mask> [le <#> [ge <#>]]
show ip prefix—list [detail] <name>
VLAN ACLs
vlan access-map <map-name> [<seq>] create access-map entry
match
[ip address <acl-id>]
[ipx address <acl-id>]
[mac address <acl-id>]
action {drop |forward [capture] |redirect <interface-id>}
vlan filter <map-name> vlan-list <vlan-list> apply access-map
ARP ACLs
arp access-list <acl-name> create access-map entry
permit ip host <ip> mac host <mac> [log] creates an IP-MAC address mapping
IP Routing
ip routing enables IP unicast routing
ip multicast-routing enables IP multicast routing
no ip source-route disables source-routing (against man in the middle attacks)
ip cef activates Cisco Express Forwarding (recommended)
ip classless
ip subnet-zero
ip route profile measures number & type of routing table update every 5 secs
ip load-sharing {per-packet| per-destination} defaults to per-destination
clear ip route {<ip> |*}
show ip cef summary
show ip cef [<network> [<mask]] [detail| internal]
show ip cef exact-route <src-ip> <dst-ip>
show ip route [<ip> |summary |static |connected |<protocol><pid/asn>]
show ip route [<network> [<mask>] [longer-prefixes]]
show ip route profile see what happens between routing table & routing protocol
show ip arp
show protocols
debug ip routing
Static Routing
ip route <network> [<mask>] {<address>|<interface>}
[distance] [permanent] [tag <tag>]
ip route 0.0.0.0 0.0.0.0 {<address>|<interface>}
ip default-network <network-number>
Policy Based Routing
route-map <map-name> {permit |deny} <seq> See Route-Map § for details
match
[ip address {<acl>|prefix-list <id>}] Protocol can be matched by ACL
[other criteria]
set
[[default] ip next-hop <ip> [<ips>]] Policy Based Routing*
[[default] interface <interface> [<interfaces>]] Policy Based Routing*
[ip next-hop verify-availability <ip> <seq> track <tid>] PBR with SLA
*default : First try PBR, then destination-based logic
*default : First try destination based-logic*, then PBR *ignores default-route
ip local policy route-map <map-name> apply policy to self
interface <interface-id> apply policy to interface
ip policy route-map <map-name>
ip route-cache policy enable fast-switched policy routing
! troubleshoot
show route-map <map-name>
show ip policy
debug ip policy
IOS IP SLA
ip sla monitor <id> Define a SLA Operation
type echo proto ipIcmp <ip> source-int <interface>
frequency <sec>
ip sla monitor schedule <id> life forever start-time now
track <tid> ip sla <id> reachability Define a tracking object
delay up <secs> down <secs>
ip route <network> <wilcard-mask> <gw> track <tid>
! troubleshoot
show ip sla [statistics |configuration] [<id>]
show track [<tid>]
Routing Protocols Characteristics
Route Type Dist Cost Multicast IP Convergence Type Protocol Type
C Connected 0
S Static 1
D EIGRP Summary 5 10^7/BW+Delay(µs) 224.0.0.10 200ms Hybrid IP/88 Cisco
B eBGP 20 Combined Unicast Min<->Hours Path Vector TCP/179 Open
D EIGRP 90 10^7/BW+Delay(µs) 224.0.0.10 200ms Hybrid IP/88 Cisco
I IGRP 100 224.0.0.10 IP/9 Cisco
O OSPF 110 10^8/BW 224.0.0.5-6 900ms Link-State IP/89 Open
i IS-IS 115 10 N/A 900ms Link-State L2 Open
R RIPv2 120 Hops 224.0.0.9 (routeurs*30)/2 Distance Vector UDP Open
o ODR 160 N/A L2/SNAP Cisco
EX EIGRP (Ext) 170 10^7/BW+Delay(µs) 224.0.0.9 200ms Hybrid IP/88 Cisco
B iBGP 200 Combined Unicast Min<->Hours Path Vector TCP/179 Open
S DHCP learned 254 Floating Static Route UDP/67-68 Open
Unknown 255 Will not be used !

OSPF Routing OSPF routes precedence regardless of metric:
intra-area > inter-area > E1 > E2
router ospf <pid> [vrf <VRF>]
router-id <rid-value> (best way to define rid)
area <area-id> authentication [message-digest]
network <address> <wildcard-mask> area <area-id> (old way)
passive interface [<interface> |default]
neighbor <ip> [cost <cost>] [priority {0-255}] not required on both sides,
maximum-path <n> but recommended
max-lsa <#> (to avoid)
log-adjacency-changes [detail] verbose logging
! virtual link / sham link
area <area-id> virtual-link <remote-router-id> !not trough stub/nssa area
[authentication message-digest message-digest-key <id> md5 <key>]
area 0 sham-link <src-ip> <dst-ip> cost <cost> required between MPLS PE routers
to keep MPLS backbone as primary path if another backdoor links exist in the network
! cost & path control
auto-cost referencebandwidth <bandwidth-in-mbps> default is 100
area <area-id> default-cost <cost> set metric of default route (ABR)
distance ospf [external <AD>] [inter-area <AD>] [intra-area <AD>]
distance <AD> <rid-adv-router> <wc-mask> [<acl>]
! summarization
area <area-id> [[stub |nssa [default]] [no-summary]]
area <area-id> range <net> <mask> [[not-]advertise] [cost <n>] (ABR)
summary-address <net> <mask> (ASBR)
! redistribution
redistribute {<protocol> [<pid|asn>]} subnets
[metric <#>] [metric-type {1|2}] [route-map <name>]
[match <ospf-type>] [tag <value>]
default-information-originate [always]
[metric <#>] [metric-type {1|2*}] [route-map <name>] *default type
default redistribution seed metric : BGP 1 / OSPF source / Other 20
default-metric <cost> sets/overrides default redistribution metric
! filtering
area <area-id> filter-list prefix <name> {in |out} area —> area
distribute-list {<acl-id>|prefix <name>} {in |out} lsdb —> routing table
interface loopback <id> (another way to define rid)
ip address <ip> <mask> (Highest Loopback IP is RID)
ip ospf <pid> area <area-id> (new way)
! timers
ip ospf hello-interval <seconds>
ip ospf dead-interval <seconds> defaults to 4x hello-interval
ip ospf dead-interval minimal hello-multiplier <n>
set the dead interval to 1 second and send <n> hellos/second
! authentication
ip ospf authentication [message-digest |null] both commands are mandatory!
ip ospf authentication-key <password> !Max 16 chars
ip ospf message-digest-key <key-num> md5 <password> !Max 16 chars
! tuning
ip ospf network <type>
ip ospf priority {0-255} (election priority, higher wins, non preemptive)
ip ospf cost <cost>
bandwidth <kbps> (required for serial int)
! troubleshoot
show ip ospf interface [brief] Interface Table
show ip ospf neighbor [detail] Neighbor Table
show ip ospf database [<type>] [<id>] LSDB
show ip ospf statistics RIB
show ip ospf {virtual-links |border-router}
debug ip ospf {adj |events |hello |packet |monitor}
clear ip ospf {counters |process}
LSA1,2 LSA3,4 LSA5 LSA7 ASBR
Area Type (All) (Totally) (Normal) (NSSA) (Stub)
Auto Def GW
Normal V V V X V X
Stub V V X X X V
Totally Stubby V X* X X X V
NSSA V V X V V X
Totally NSSA V X* X V V V
Non-Broadcast Multipoint Multipoint
Network Types Broadcast (NBMA) Point-to-Point
Broadcast Non-BroadCast
DR Election V V X X X
Neighbor Discovery V X V X V
Hello/Dead Timer 10/40 30/120 30/120 30/120 10/40
Topology Full-Mesh Full-Mesh Any Any P2P
Defined by Cisco RFC 2328 RFC 2328 Cisco Cisco
OSPF Neighbor States OSPF LSA Types OSPF Messages
Down No hellos received for more than dead-interval 1 Router 1 Hello
Only with manually defined neighbor 2 Network 2 DD
Attempt Unicast Hello Sent, not received answer yet
3 Net Summary 3 LSR
Hello received : own RID not in neighbors
Init or did not pass verification checks 4 ASBR-Summary 4 LSU
Hello received : with own RID embedded, 5 AS External 5 LSAck
2Way and all neighbor checks passed
6 Group Membership OSPF Link Types
Valid final state in multi-access networks
ExStart Negotiating Master/Slave logic for DD Exchange 7 NSSA External 1 Point-to-Point
Exchange Exchanging DD Packets 9 Link Local Opaque 2 Transit Network
Loading Exchanging LSAs (via LSR, LSU, LSAck) 10 Area Local Opaque 3 Stub Network
Check MTU ! 11 AS Opaque (LSA5 eq) 4 Virtual Link
Full Convergence achieved
OSPF Hello Message OSPF Header Common problems:
- Various mismatched parameters
Field Len Field Len - area id
- area flags (normal/stub/nssa)
M Network Mask 32 M Version 8 - authentication
M Hello Interval 16 Type 8 - ip subnet
- hello & dead timers
(M) Options (Stub Flag) 8 Packet Length 16 - virtual-link
- network type
Router Priority 8 U Router-ID 32 - ip MTU
- Duplicate RID
M Dead Interval 32 M Area ID 32 - Passive Interface
- Frame-Relay maps statements in non
DR IP 32 M Auth Type 16 fully-meshed networks
BDR IP 32 M Auth String 64 - Missing ‘subnets’ parameter for
redistribution
Neighbors Var
OSPF Data Structures

Interface Table Lists all interfaces participating in the routing process, excluding passive interfaces.
Lists all neighboring OSPF routers

Neighbor Table Entries are removed if no hellos are received from that entry during the dead-time interval.
LSDB - Link-State Contains the topology information for all areas in which the router participates, in addition to
Database information about how to route traffic to other areas or autonomous systems.
RIB - Routing
Stores the results of the OSPF SPF calculations.
Information Base
EIGRP Routing
router eigrp <asn>
eigrp router-id <rid>
no auto-summary
network <network> [<wildcard>]
passive interface [<interface> |default]
neighbor <ip> <interface> defines a static neighbor
!disables eigrp multicast processing on that interface
! tuning
eigrp stub [connected* |summary* |static |receive-only |redistributed]
maximum-path <n> load balancing
variance {1-128} allows unequal load balancing
timers active-time <min> max time waiting for replies to queries
metric weights 0 <k1> <k2> <k3> <k4> <k5> shall match within the asn
k1—BW ; k2—Load ; k3—Delay ; k4/5—Reliability
distance eigrp <internal AD> <external AD>
distance <AD> <ip-adv-router> <wildcard-mask> [<acl>] !not with redistributed
! redistribution !default redistribution seed metric=infinity / from eigrp=source
redistribute {<protocol> [<pid/asn>]} thus, metric shall be defined
[metric <bw> <delay> <reliab> <load> <mtu>]
[match <ospf-type>] [tag <value>] [route-map <name>]
default-metric <bw> <delay> <reliab> <load> <mtu>
offset-list <acl-id> {in |out} <offset> <interface-id>
! filtering
distribute-list {<acl-id> |prefix <id>} {in |out} <interface-id>
! default network
ip default-network <network>
! timers
ip hello-interval eigrp <asn> <timer-value> configure local behavior
ip hold-time eigrp <asn> <timer-value> configure remote behavior
! tuning
no ip split-horizon eigrp <asn> required on point-to-multipoint if
delay <tens-of-µs>
bandwidth <kbps> important on subinterfaces!
ip bandwidth-percent eigrp <asn> <%>
! summarization
ip summary-address eigrp <asn> <ip> <mask> [<ad>]
! authentication both commands are mandatory!
ip authentication mode eigrp <asn> md5
ip authentication key-chain eigrp <asn> <chain-name>
key chain <chain-name> sends with lowest valid key

key <integer> verifies against all valid keys
key-string <text> key # and key string shall match
accept-lifetime <start-time> {infinite |<end-time> |duration <secs>}
send-lifetime <start-time> {infinite |<end-time> |duration <secs>}
! troubleshoot
show ip eigrp interfaces [detail] [<interface-id>] [<asn>]
show ip eigrp neighbors [<asn> <ip> |detail]
show ip eigrp topology [all-links |summary]
show ip eigrp traffic
show ip protocols (—> k values, passive int)
show {clock |key chain}
debug ip eigrp [neighbor |notifications |summary |vrf]
debug eigrp {packets |neighbor| transmit |fsm |nsf}
EIGRP Data Structures
Interface Table Lists all interfaces participating in the routing process, excluding passive interfaces.
Lists all neighboring EIGRP routers.

Neighbor Table Entries are removed if no hellos are received from that entry during the hold-time lapse.
Lists all routes learned via EIGRP. Only the best route become candidate for injection in the IP
Topology Table routing table. If multiple have equal metric, or variance is configured, more than one can become
candidate, up to a maximum set by the “maximum-path” setting (default to 4).
EIGRP Messages Default K Values EIGRP Metric

1 Hello K1 1
K bandwidth K5
2 Update K2 0 256 ( K1 bandwitdh  2  K3 delay )
256  load reliabilit y  K4
3 Query K3 1
4 Reply K4 0 Common problems:
Missing seed metric for redistribution
5 ACK K5 0 Various mismatched parameters
Stub misconfiguration
BGP Routing BGP Public ASN 00001-64495
router bgp <asn> BGP Private ASN 64512-65534
bgp router-id <id>
bgp log-neighbor-change
bgp timers <hello> <hold> verbose logging
! neighborship config
neighbor <ip> remote-as <own-as> (iBGP)
neighbor <ip> remote-as <remote-as> (eBGP)
neighbor <ip> update-source <interface> (loopback0)
neighbor <ip> ebgp-multihop {1-255} required in eBGP when using Lo0
neighbor <ip> next-hop-self required in iBGP
neighbor <ip> password <secret> md5 authentication
neighbor <ip> ttl-security hops <hops> protects against TCP & spoofing attacks
neighbor <ip> soft-reconfiguration inbound if no route refresh capability
neighbor <ip> timers <hello> <hold> define timers
neighbor <gp> peer-group create a peer-group
neighbor <ip> peer-group <gp> associate a neighbor with a peer group
neighbor <ip> shutdown maintenance/policy change use
! advertisement config
network <ip> mask <mask> only match existing route, prefix MUST match (i)
redistribute {<protocol> [<pid/asn>]} [metric <value>]
[match <type>] [route-map <map-name>] (?)
distance bgp <external-ad> <internal-ad> <local-ad>
maximum-path <value> (applies if routes ties up to step 8)
! influence path discrimination criteria
neighbor <ip> route-map <name> {in |out}
neighbor <ip> weight <value> (weight)
bgp default local-preference <value> (local preference)
default-metric <value> (MED)
bgp deterministic-med
bgp bestpath med missing-as-worst
! filtering
neighbor <ip> distribute-list <acl-name> {in |out}
neighbor <ip> prefix-list <prefix-list-name> {in |out}
neighbor <ip> filter-list <as-path-acl> {in |out}
neighbor <ip> route-map <route-map-name> {in |out}
! summarisation
aggregate-address <network> <mask> [summary-only]
ip route <network> <mask> null0 create a ghost route for summarization
May also be used as “discard route”
! clear BGP neighbor /!\ a neighbor reset has to be done after any change !
clear ip bgp {*|<neighbor-id>} [soft*] [in|out] *if no refresh capability
! Troubleshoot
Exchange PAs & NLRIs (prefixes)
show ip bgp <network> [<mask>]

show ip bgp [neighbors |summary |rib-failure]
show ip bgp neighbors <ip> [received |routes |advertised]
debug ip bgp [updates |events]
Exchange basic settings
show tcp brief

Common problems:
Reset Hold Timer
BGP Messages
AS# mismatch, fault in ACL/Prefix-List/Route-Maps, Missing Static Route for

network command, Lack of IP connectivity between peers, eBPG-multihop not
Notification Signal Errors
correctly
BGP Neighbor States configured ...
Idle Admin down or waiting next retry attempt
Connect Waiting for TCP connection to complete
Active TCP Connection completed, no BGP Msg sent yet

KeepAlive
Update
Open
Opensent Open Message sent, no response back yet

Open Message sent to & received from the neighbor router
Openconfirm
Has yet to receive a Keepalive or Notification message
Established Neighbor settings match, peers can exchange Update messages
1
2
3
4
RIP Routing
router rip
version 2
no auto-summary
network <classfull-network>
passive-interface <interface-id>
! tuning
no ip split-horizon
distance <admin-distance>
maximum-path <n>
offset-list <#> {in |out} <offset> <interface-id>
! redistribution
default-information originate
redistribute {<protocol> [<pid|asn>]} <options>
! filtering
distribute-list <id> out <protocol>
distribute-list <id> {in |out} <interface-id>
ip summary-address rip <ip> <mask>
! authentication both commands are mandatory!
ip rip authentication mode md5
ip rip authentication key-chain <chain-name>
! troubleshoot
show ip rip database
debug ip rip BGP Data Structures
Neighbor Lists all BGP peers including
Common problems: their IP, AS, State & Statistics
Missing seed metric for redistribution Table
Missing no split horizon on multipoint interfaces RIB Contains routes learned from
BGP Table BGP Peers and locally injected
BGP Path Selection
Path Win Influence Propagation
Step Route Def Tool
Attribute Criteria Scope
0 N Next Hop Reachable ? N/A

route-map in / set weight
1 W Weight * Higher Out 0 N/A neighbor <ip> weight
bgp default local preference <value>
2 L Local Preference Higher Out 100 iBGP peers route-map in / set local-preference
3 L Locally Injected Local > BGP N/A N/A

route map {in|out}
4 A AS-Path Shortest Both All / set as-path prepend
5 O Origin IGP > EGP > ? Out All

default-metric <value>
6 M MED Lowest In 0 Next AS route-map out / set metric
7 N Neighbor Type eBGP > iBGP All
8 I IGP Cost to Next Hop Lowest N/A
9 A Route Age Longest-known N/A maximum-path <value>
10 R Neighbor BGP RID Lowest All
11 Neighbor IP Address Lowest All

Multicast Routing
ip multicast-routing enables multicast routing
ip pim bidir-enable enables BIDIR multicast, optimized for ‘many-to-many’ applications
ip pim {dense |sparse |sparse-dense}-mode
If no RP exists for a multicast group, it will NOT be forwarded on interfaces in sparse
mode. It will only be forwarded on interfaces in dense or sparse-dense mode
ip pim passive converts IGMP request to PIM requests; no transit multicast
only one multicast router allowed in the stub VLAN in pim passive mode
Voice VLANs require passive or dense-mode PIM configuration
ip pim query-interval <secs> [msec] 224.0.0.13
ip pim nbma-mode required on point to multipoint interfaces, hub side
ip igmp join-group <mcast-ip> register local router to multicast group
ip igmp version {1|2|3}
ip igmp query-interval <secs> default 60
ip igmp querier-timeout <secs> default 120
ip igmp query-max-response-time <secs> default 10
ip igmp last-member-query-count <1-7> default 2
ip igmp last-member-query-interval <msecs> default 1000
create a static multicast route

ip mroute <source> <mask> {<interface-id>| <rpf-address>}
!configure RV point
! - Statically
ip pim rp-address <rp-ip> [<acl-id>] [override] [bidir] static RP configuration
if override, static config gets priority over dynamic config
ip access-list standard <acl-id>
deny 239.x.x.x <wildcard-mask> multicast address which will work in dense mode
permit 239.x.x.x <wildcard-mask> multicast address defined for the designed RP
! - with Auto-RP 224.0.1.39&40 ; Cisco Proprietary ; PIM v1&v2

ip pim send-rp-announce <interface-id> scope <ttl> Configure Candidate RP
[group-list <acl-id>] [interval <secs>]
ip pim send-rp-discovery <interface-id> scope <ttl> Configure Mapping Agent
ip pim autorp listener Activates dense mode for 224.0.0.39&40 when spare-mode used
= enables the discovery of the RP when in sparse mode
! - with BootStrap 224.0.0.13 ; Standard ; only PIM v2

ip pim bsr-cand <interface-id> [prio <0-255>] Higher value wins BSR-election
ip pim rp-cand <interface-id> [group-list <acl-id>] [bidir] [prio <0-255>]
Lower value wins RP-election
show ip mroute Shows the multicast routing table

show ip pim neighbor Shows the multicast routing neighbors
show ip pim interface
show ip pim rp mapping
show ip igmp interface
show ip igmp groups Shows the list of registered stations to multicast group
debug ip mpacket
MPLS LDP: UDP 224.0.0.2:646 ; TDP: TCP 711
ip cef [distributed] ip CEF MUST be enabled for MPLS

mpls ip activate MPLS; enabled by default and not shown in running-config
mpls label protocol ldp globally defines LDP as label protocol for all MPLS if
mpls ldp router-id <interface-id> force set router-id from defined interface
mpls ldp tcp pak-priority use pak-priority (marks with DSCP CS6) for LDP packets
mpls ldp logging neighbor-changes
mpls label range <min> <max> defaults to 16/100000; max 1048575
!LDP-IGP Sync
router ospf <pid>
mpls ldp autoconfig [area <area-id>] activates MPLS on ALL IGP-enabled interfaces
mpls ldp sync enables IGP-LDP synchronization; recommended for MPLS VPN/AToM
mpls ldp igp sync holddown <msecs> allow IGP adjacency establishment after
holddown timer if LDP session not established when IGP-LDP sync is used
Breaks the chicken-egg problem: LDP needs route to neighbor but IGP need LDP adjacency
!ldp timers settings

mpls ldp discovery [targeted-]hello {holdtime | interval} <secs> default: 15/5
mpls ldp backoff <init> <max> throttles LDP TCP connection attempts; default: 15/120
mpls ldp holdtime <secs> default: 180
!targeted ldp neighborship settings
mpls ldp neighbor [vrf <VRF>] <neighbor> targeted ldp targeted LDP session
mpls ldp discovery targeted-hello accept [from <peer-acl-id>]
accepts incoming targeted LDP sessions, with optional filtering
!ldp neighborship authentication
mpls ldp password required [for <acl-id>]
mpls ldp password fallback <password> defines global ldp fallback password
mpls ldp neighbor [vrf <VRF>] <neighbor> password <password>
!ldp session protection
mpls ldp session protection [vrf <VRF>] [for <peer-acl-id> ]
must be bidirectional or remote side must accept targeted-hellos
!configure label exchange filtering

no mpls ldp advertise-labels disable global network advertising by LDP
mpls ldp advertise-labels [vrf <VRF>] for <pxf-acl-id> [to <peer-acl-id>]
define network to be advertised by LDP; outbound filter
mpls ldp neighbor [vrf <VRF>] <neighbor> label accept <pxf-acl-id>
define network to be accepted by LDP; inbound filter
ip route-cache cef
ip load-sharing {per-packet| per-destination} defaults to per-destination
mpls ip /!\ MPLS must be activated on a per-interface basis
mpls label protocol {ldp |tdp |both} activate label distribution protocol
only required if not globally activated
mpls mtu 1512 should be min 12 units (3 labels) higher than interface MTU
/!\ Do NOT forget to adapt MTU on transit L2 devices
no mpls ldp igp autoconfig exception to global mpls ldp autoconf
no mpls ldp igp sync exception to global mpls ldp sync
show ip cef [<network> [<mask]] [detail| internal]

show mpls interfaces
show mpls ldp neighbor LDP neighbors sessions
show mpls ldp discovery [detail] discovered LDP neighbors & their LDP settings
show mpls ldp parameters discovery & session timers
show mpls ldp bindings advertisement-acls verify label exchange filtering
show mpls ldp igp sync [<interface-id>]
show ip ospf mpls ldp interface <interface-id>
debug mpls ldp sync [interface <interface-id>] [peer-acl <peer-acl-id>]
MPLS VPN L3
ip vrf <VRF> create virtual router instance
rd <AS>:<ID> maps a unique Route Distinguisher to the VRF
route-target {export |import |both} <AS>:<ID> Assign Route Targets
vpn id <AS>:<ID> UNIQUELY identifies a single VPN
Where different RDs could be used for a single VPN
(e.g: one RD per site; two RDs for one site if multi-homed on two different PEs)
a UNIQUE VPN-ID is required for each VPN
interface <interface-id> Assign interface to a VFR
ip vrf forwarding <VRF>
router bgp <ASN> use MP-BGP for route distribution
no bgp default ipv4-unicast optional, disables exchange of non VPNV4 addresses
address-family vpnv4
neighbor <ip> activate each BGP neighbor MUST be individually activated
neighbor <ip> send-community [standard| extended| both] default: extended
neighbor <ip> route-reflector-client
address-family ipv4 unicast vrf <VRF> must be defined for each VRF to be routed
redistribute {connected| ospf <RID> |…}
show bgp vpnv4 unicast all shows BGP next hops for networks in each VRF
show ip bgp vpnv4 all labels shows VRF (Route Distinguisher) MPLS labels
MPLS VPN L2
interface <interface-id> enter into the interface to be bridged
encapsulation <type> optional, MUST match on both ends
xconnect <peer-ldp-rid> <vc-id> encaps mpls <vc-id> MUST match on both ends
Labels in stack: Control Word (optional, 4B), Virtual Circuit (4B), Peer-router (4B)
A targeted LDP session is dynamically established with peer to signal the Virtual Circuit
show mpls l2transport vc [<vc-id> [detail]]
show mpls l2transport binding <vc-id>
MPLS VPLS REQUIRES full-mesh mapping between all VPLS access points
l2 vfi <vpls-id> manual
vpn id <vpn-id>
neighbor <peer-ldp-rid> encaps mpls repeat command for each remote access point
xconnect vfi <vpls-id> Max 1 VLAN per VFI instance
l2protocol-tunnel cdp transparently tunnels CDP
l2protocol-tunnel stp MUST be (de)activated consistently across the whole network
Disabled by default; network kept loop free with default split-horizon rule on VPLS
show vfi <vpls-id>
TSHOOT
show ip cef [detail |table]
show adjacency
clear ip cef {interface |inconsistency}
clear adjacency
show mpls interfaces [detail]
show mpls ldp bindings [<route>] displays LIB (Label Information Base)
show mpls forwarding-table [<route> [detail]] displays LFIB (MPLS Routing Table)
show mpls ip binding
clear mpls ldp neighbor *
MPLS Data Structures
Table Built from Purpose
FIB IGP Routing Process Maps destination networks to next-hop address or outbound interface
LDP or Associate local labels with FEC
LIB other Label Distribution method Also performs label distribution to adjacent peers
LFIB IGP & LDP info Database used to forward labeled packets to next-hop addresses
Adjacency Neighbor Relationship Maintains needed L2 information as well as LDP exchange capabilities
Traffic Engineering
mpls traffic-eng tunnels required to activate MPLS-TE globally

mpls traffic-eng link-management timers periodic-flooding <secs>
Adapts periodic-flooding interval for TE LSAs; default is 180s
mpls traffic-eng reoptimize timers frequency <secs> default is 3600s
mpls traffic-eng reoptimize events link-up triggers if new MPLS-TE link up
mpls traffic-eng signalling interpret explicit-null verbatim
disables penultimate hop popping on TE traffic to preserve QoS information
mpls traffic-eng auto-tunnel backup srlg exclude {force| preferred}
determine if backup tunnels must/should avoid Shared Risk Link Group with primary tunnel
mpls traffic-eng auto-tunnel primary onehop

mpls traffic-eng auto-tunnel backup nhop-only
router ospf <pid>

mpls traffic-eng router-id <interface-id> MPLS TE router-id
mpls traffic-eng area 0 required to enables MPLS-TE extensions for OSPF
interface <wan-interface-id>
mpls traffic-eng tunnels enables interface to carry MPLS-TE tunnels
mpls traffic-eng srlg <srlg-id> all IF sharing same risk should have same SRLG-ID
mpls traffic-eng flooding threshold {up|down} <thresholds>
when reserved bandwidth crosses configured threshold, updated MPLS TE LSAs are flooded
default up{15,30,45,60,75,80,85,90,95,97,98,99,100}
default down{100,99,98,97,96,95,90,85,80,75,60,45,30,15}
mpls traffic-eng administrative-weight <weight> user-specified TE metric
defines link’s TE metric; default to the link’s IGP metric
mpls traffic-eng attribute-flags <0x00000000-0xFFFFFFFF>
attributes are 32 bits flags that can be freely used to characterize the link
characterization MUST be coherent through the whole network
ip rsvp bandwidth <kbps> maximum reservable bandwidth on interface
interface <tunnel-id>
ip unnumbered loopback0
tunnel destination <ip-address>
tunnel mode mpls traffic-eng defines the tunnels type as MPLS TE
tunnel mpls traffic-eng autoroute announce should not be set on backup tunnels
tunnel mpls traffic-eng forwarding-adjacency [holdtime <msecs>]
requires pair of tunnels between two routers;
Advertises TE tunnel pair as a visible link towards the IGP, allowing traffic to be routed
tunnel mpls traffic-eng fast-reroute enables fast-rerouting between known paths
tunnel mpls traffic-eng path-option <pref> lower preference wins
{dynamic| explicit name <path>} [lockdown]
defines possible path; multiple entries allow for multiple path choices
lockdown disables periodic re-optimization
tunnel mpls traffic-eng affinity <properties> [mask <mask>]
defines affinities with regard to attribute-flags and whether each bit is mandatory or not
defaults to {affinity 0x00000000 mask 0x0000FFFF}
tunnel mpls traffic-eng bandwidth <kbps> defines tunnel bandwidth requirement
tunnel mpls traffic-eng priority <setup-prio> [<hold-prio>]
priority value <0-7>; lower wins; setup-prio >= holding-prio to avoid preemption loops
preemption happen if new-tunnel-setup-prio < existing-tunnel-holding-prio
tunnel mpls traffic-eng path-selection metric {igp| te} defaults to igp
Metric to be taken into account for the tunnel creation. IGP Metric vs TE admin weight
E.g.: TE metric could be used to reflect link delay => Voice based on TE, Data on IGP
mpls traffic-eng bandwidth {sub-pool| global} <bandwidth>
ip explicit-path name <path> enable ip explicit-path name <path> enable
next-address <1st hop> exclude-address <excluded hop>
next-address < … hop>
next-address <last-hop>
show mpls traffic-eng

show mpls traffic-eng tunnels <tunnel-id>
show mpls traffic-eng topology <node-ip>
show mpls traffic-eng link-management show TE RSVP information
mpls traffic-eng reoptimize [tunnel <id>] manually triggers re-optimization
MVPN
router ospf <pid>

mpls ldp autoconfig [area <area-id>] activates MPLS on ALL IGP-enabled interfaces
mpls traffic-eng multicast-intact
mpls mldp
mpls mldp [path traffic-eng]
!Multipath support
mpls mldp path multipath
disable mpls mldp forwarding recursive
ip vrf <VRF>
vpn id <AS>:<ID> VPN ID is MANDATORY when working with VMPN
mdt preference mldp [pim] defaults to PIM preferred over MLDP
mdt default mpls mldp <mdt-root-ip> Root of the Multicast Distribution Tree (P)
mdt data mpls mldp <max> max number of data mdt in this VRF
mdt data threshold <kbps> triggers data mdt if mcast traffic flow exceeds value
ip multicast-routing vrf <VRF> enables multicast-routing for the selected vrf
show mpls traffic-eng tunnels [summary | tunnel <tun-id>]

show mpls mldp database
show ip pim vrf <VRF> neighbor
show ip pim mdt
debug mpls mldp {all| packet| neighbor}

debug ip pim [vrf <VRF>] {hello| timer| bsr| auto-rp}
debug ip igmp vrf <VRF>
IPv6
ipv6 unicast-routing
ipv6 cef
ipv6 address <ip>/<length> [eui-64 |anycast]
ipv6 address {autoconfig | dhcp}
ipv6 address <general-prefix> <suffix-ip>/<length>
ipv6 unnumbered <interface-id>
ipv6 address <ip> link-local
show ipv6 {route |neighbors |interface <id> |router}

debug ipv6 nd
ipv6 general-prefix <name> <prefix>/<length>
Static Routing
ipv6 route <prefix/length> {<interface> [<next-hop>] | <next-hop>}
[<ad>] [tag <value>]
RIP-ng
ipv6 router rip <name>
maximum-path <number>
split-horizon
ipv6 {enable |address <…>}
ipv6 rip <name> enable
ipv6 rip default-information {only |originate}
show ipv6 route rip

show ipv6 rip [<name>] [database |next-hops]
debug ipv6 rip
EIGRP-IPv6
ipv6 router eigrp <asn>
eigrp router-id <rid>
no shut
ipv6 eigrp <asn>
show ipv6 route eigrp

show ipv6 eigrp {neighbors |interfaces detail |topology [all-links]}
debug ipv6 eigrp notifications
OSPFv3
ipv6 router ospf <pid>
router-id <rid>
[no] shut
ipv6 ospf <pid> area <area>
ipv6 ospf network <type>
show ipv6 route ospf

show ipv6 ospf [neighbor |interface [brief] |database]
debug ipv6 ospf adj
debug ip ipv6 ospf hello
Transition Tools
MCT/GRE tunnels Point-to-Point tunnel
interface loopback0
ip address <ipv4> <mask>
interface tunnel0
tunnel mode {ipv6ip|gre ipv6}
tunnel source loopback0
tunnel destination <ipv4>
ipv6 address <ip>/<length>
Automatic 6to4 tunnels Multipoint Tunnel

interface loopback0
interface tunnel0
tunnel mode ipv6ip 6to4
ipv6 address 2002:<ipv4:ipv4>::/128
interface fa0/0
ipv6 address 2002:<ipv4:ipv4>:<subnet>:<host-id>/64
ipv6 route 2002::/16 tunnel0 create a static route to reach other 6to4 net
ISATAP tunnels Multipoint Tunnel

interface loopback0
interface tunnel0
tunnel mode ipv6ip isatap
ipv6 address <prefix>/<length> eui-64
interface fa0/0
ipv6 address <ip>/<length>
ipv6 route <prefix>/<length> <isatap-next-hop>
Redistribution
By default, redistribution in IPv6 does NOT redistribute connected routes
Troubleshoot Toolkit
debug condition <type> <value> filters debug output to defined criteria
! Layer 1 Diagnosis
test cable-diagnostics tdr interface <interface-id> test cable length
show cable-diagnostics tdr interface <interface-id> show result of test
!works on 2960 / 3560 / 3750 / 4500 / 6500
show interfaces <interface-id> [counters [errors]]
show interfaces <interface-id> transceiver properties
show controller
! Layer 2 Diagnosis
show interfaces [status | description]
show interfaces {switchport |trunk} R/S
show mac address-table R/S
show vlan
show platform forward S
clear mac address-table dynamic R/S
show spanning-tree [vlan <vlan-id>] R/S
show spanning-tree interface <interface-id> detail R/S
show system mtu S
show interfaces <interface-id> etherchannel
show etherchannel [<channel-id>] [ brief | detail | summary |protocol]
show port-security [interface <interface-id>]
traceroute mac <src-mac> <dst-mac> uses CDP to perform a L2 traceroute; S
! Layer 2/3 Mapping Diagnosis
show ip arp R/S
show frame-relay map R
show adjacency [<interface-id> |detail |internal |summary] R/S
clear ip arp
clear adjacency
! Layer 3 Diagnosis
show ip aliases
show ip route [<ip address> |<network> [longer-prefixes]]
show ip cef [{<ip address> |<network> <mask> [longer-pref]}] [detail]
show ip cef exact-route <source-ip> <destination-ip>
show cef {drop |not-cef-switched
|interface}
show mls cef Structured Troubleshoot Approach
1 - Problem Report
show ip cef - Should be as specific as possible
show ip cache 2 - Collect Information
show ip protocols 3 - Examine Information
show ip route profile - Identify Indicators
- Find Evidence
show {standby |vrrp |glbp} [brief] —> What is happening ?
show ip {ospf |eigrp |bgp} [...] —> What should happen ?
interface <interface-id> 4 - Eliminate Potential Causes
5 - Hypothesize underlying cause
ip route-cache [cef] 6 - Verify Hypothesis
traceroute {<ip> |<hostname>} 7 - Problem Resolution
ping {<ip> |<hostname>}
[source {<interface> |<ip>}] [size <lenght>] [repeat <count>]
[df-bit] [timeout <secs>] [validate <item>]
! Layer 4 Diagnosis
ttcp test TCP: network throughput measurement tool
telnet {<ip> |<hostname>} [<port>]
show ip sockets netstat –n equivalent; R
show tcp brief netstat –n equivalent; R
show control-plane host open-ports netstat –n equivalent; S
show ip access-list [<acl-id> |dynamic]
show route-map [<map> |all |dynamic]
ip inspect audit-trail generates syslog entry for new inspect session
show ip inspect {sessions |detail |all}
show logging displays output from logged ACL entries
! Locate a host
traceroute mac <src-mac> <dst-mac> uses CDP to perform a L2 traceroute; S
traceroute <ip>
! login to the pen-ultimate hop, which is the default gateway of destination
show ip arp <ip>
! login to the switch to locate the physical interface
show mac address-table address
show run interface <interface-id>
!if the interface is a trunk to another switch, identify next switch and repeat step
show cdp neighbor <interface-id> detail
!if the interface is an access port, we have found our host.
! general diagnosis
parser config cache interface !speeds up show run
show run [full]
show tech-support | redirect <url> !!cpu intensive!!
show version
show logging
! hardware diagnosis
show processes cpu [history]
show memory
show interfaces
show controllers give detailed stats for controllers
show platform Examine TCAM and specialized switch hardware components
show inventory List hardware components
show diag gather more detailed info than show inventory
clear counters
show platform switch
! High CPU utilization
show processes cpu [sorted 5min |history] [| exclude 0.00%]
show platform tcam utilization
show tcam inacl <tcam-number> statistics
show platform ip unicast counts
show controllers cpu-interface
show memory allocating-process totals
show arp
show tcp {statistics | brief} Performance TSHOOT
show buffers - CPU
- Processes to Check
squeeze flash - ARP Input Process
- Net Background Process
show debug - IP Background Process
- TCP Timer Process
- Areas to check
- Default Route pointed to interface
(AVOID on broadcast interfaces!!)
- Interfaces Throttles, Overruns, Ignores
- Show TCP statistics / brief
- Show processes CPU
- Memory
Packet Flow with NAT - Symptoms
- Syslog Message: SYS-2-MALLOCFAIL
01. Decryption of IPSec - show commands returning blank output
02. Input ACL - Console : “unable to create exec
03. Input Policing no memory or too many processes”
04. Input Accounting - Areas to check
05. NAT Translation - Wrong IOS image (not enough memory)
(Global to Local; IN->OUT) - Memory Leak due to bad IOS image
- Worm / Virus focused on IOS
06. Policy-Based Routing - BGP (show process memory)
07. Redirection to a web-cache - Interface Utilization
08. NAT Translation - Symptoms
(Local to Global; OUT->IN) - High CPU/Memory Utilization
09. Crypto MAP application - Excessive Packets Drops
10. Output ACL - Unreachable destinations
- Areas to check
11. IOS Firewall Inspection - Verifying Switching Mode
12. TCP Interception - Verifying Routing Table
13. Encryption - Verifying CEF / ARP Cache
IPSec Crypto MAP Drawback: ONLY STATIC ROUTING!
crypto isakmp enable
! Configure ISAKMP Policy step 1 = IKE phase 1
crypto isakmp policy <seq-number> 1.1 Exchange and negotiate policy
authentication {pre-share | rsa-{encr|sig}}
encryption {aes {128|192|256} | [3]des}
hash {sha|md5} SHA is more secure
group {1|2|5|14|15|16|19|20|24} See DH table for key length/type info
lifetime <seconds>
! Configure ISAKMP Identity and/or Dead Peer Detection (both optional)
crypto isakmp identity {address |hostname |dn} defaults to address
crypto isakmp keepalive <secs> [<retries>] {periodic |on-demand}
! Create pre-shared keys for all IPSec Peers 1.2 Configure Keys (if PSK)
crypto isakmp key <shared-key> {addr <remote-peer-ip> |host <remote-host>}
! OR define which rsa-sig domain is accepted 1.3 Verify Identity
crypto isakmp profile <isakmp-profile> NOT if PSK, only with rsa-sig
match identity host [domain] <domain> NOT if PSK, only with rsa-sig
! Configure the IP Transform Sets Step 2 = IKE phase 2
crypto ipsec transform-set <IPSec-TS>
{<AH-Trans> | <ESP-Encryption-Trans> <ESP-Auth-Trans>} [comp-lzs]
mode {tunnel | transport}
crypto ipsec security-association lifetime {sec <seconds> |kilo <kbs>}
! Configure ACL matching targeted traffic for encryption Step 3
ip access-list extended <acl-id> other side HAS to be mirrored
permit <protocol> <source & mask> <destination & mask>
! Configure the Crypto Map Step 4
crypto map <map-name> <seq> ipsec-isakmp
match address <acl-id> defines traffic of interest
set peer <remote-peer-ip> default default is used to set primary peer
set peer <remote-peer-ip> when Dead Peer Detection is used
set transform-set <IPSec-TS>
set isakmp-profile <isakmp-profile> NOT if PSK, only with rsa-sig
set pfs group{1|2|5|14|15|16|19|20|24} sets Perfect Forward Secrecy
qos pre-classify required to apply QoS policy for tunneled traffic
! Configure interface ACL to allow inbound IPSec traffic Step 4’

ip access-list extented <acl-allow-ipsec>
permit ahp host <remote-peer-ip> host <local-ip> IP Protocol 51
permit esp host <remote-peer-ip> host <local-ip> IP Protocol 50
permit udp host <remote-peer-ip> host <local-ip> eq isakmp UDP 500
permit udp host <remote-peer-ip> host <local-ip> eq non500-isakmp UDP 4500
! Apply the Crypto Map & ACL to interface Step 5
crypto map <map-name>
ip access-group <acl-allow-ipsec> in
! Create IP route to remote network Step 6
ip route <destination & mask> <remote-peer-ip>
! Configure Dead Peer Detection Optional
crypto isakmp keepalive <secs> [<retries>] [periodic |on-demand]
! troubleshoot
show crypto isakmp {sa |policy |profile |keys |peers}
show crypto ipsec {sa |policy |profile |client |transform-set}
show crypto session [summary |detail]
show crypto engine connections active
show crypto map
show crypto call admission statistics
debug crypto isakmp
debug crypto ipsec
IPSec GRE Tunnel ALLOWS USE of routing protocols!
ip vrf <F-VRF> Front VRF, Public..

ip vrf <I-VRF> Internal VRF, Private
interface <public-interface-id>
ip vrf forwarding <F-VRF>
! Congifure ISAKMP Policy step 1 = IKE phase 1

crypto isakmp policy <seq-number> 1.1 Exchange and negotiate policy
authentication {pre-share | rsa-{encr|sig}}
encryption {aes {128|192|256} | [3]des}
hash {sha[512]|md5}
group {1|2|5|14|15|16|19|20|24} >5 only with IOS>=15.0
lifetime <seconds>
! Create pre-shared keys for all DMVPN Neighbors 1.2 Configure Keys (if PSK)
crypto keyring <keyring> [vrf <F-VRF>]
pre-shared-key {address |hostname} <desination> key <key>
rsa-pubkey {address |hostname} <desination> {encr |sig}
! OR define which rsa-sig domain is accepted 1.3 Verify Identity (if RSA-SIG)
crypto isakmp profile <isakmp-profile> NOT if PSK, only with rsa-sig
[vrf <F-VRF>]
keyring <keyring>
match identity host [domain] <domain> NOT if PSK, only with rsa-sig
! Configure the IP Transform Sets Step 2 = IKE phase 2

crypto ipsec transform <IPSec-TS> esp-aes 256 esp-sha512-hmac comp-lzs
mode {tunnel | transport}
crypto ipsec security-association lifetime {sec <seconds> |kilo <kbs>}
! Create an IPSec profile Step 3

crypto ipsec profile <IpSec-profile>
set transform-set <IPSec-TS>
set isakmp-profile <isakmp-profile> NOT if PSK, only with rsa-sig
set pfs group{1|2|5|14|15|16|19|20|24}
! Apply the profile to the GRE interface Step 4

interface Tunnel0
ip vrf forwarding <I-VRF>
tunnel vrf <F-VRF>
tunnel protection ipsec profile <IpSec-profile>
qos pre-classify required to apply QoS service-policy for tunneled traffic
Dynamic Multipoint VPN (DMVPN)
! DMVPN Both Sides
interface Tunnel0
ip vrf forwarding <I-VRF>
ip address <ip> <netmask> assign unique address within the VPN
no ip redirects
ip mtu <mtu> for GRE, MTU MUST be 24 bytes smaller than physical output interface
ip tcp adjust-mss <mss> MSS=MTU-40
ip ospf <id> area <area-id> MTU MUST match on both ends
ip pim nbma-mode
ip nhrp authentication <nhrp-key> nhrp auth key MUST match
ip nhrp network-id <nhrp-id> nhrp network id MUST match
ip nhrp holdtime <nhrp-hold> dynamic mapping cache duration
ip nhrp map multicast dynamic allows dynamic mapping for multicast
tunnel vrf <F-VRF>
tunnel source <interface-id> link to physical interface
tunnel protection ipsec profile <IpSec-profile> [shared]
tunnel path-mtu-discovery
! DMVPN Server
interface Tunnel0
description Incoming VPN Tunnels
ip nhrp map group <nhrp-group> service-policy output <policy-id>
tunnel mode gre multipoint mandatory on the server
! DMVPN Client
interface Tunnel0
description VPN Tunnel to Server
ip nhrp map multicast <server-public-ip> define the hub ip for multicast
ip nhrp map <server-private-ip> <server-public-ip>
Map the private (I) address of the server to its public (F) address
ip nhrp nhs <nhrp-server-private-ip> define the “hub” IP
ip nhrp group <nhrp-group> allows hub to apply per-spoke QoS policy
[tunnel mode gre multipoint] only required for spoke-to-spoke tunnels (Phase 2)
! troubleshoot
show ip nhrp
show dmvpn [detail] [static]
debug dmvpn [errors |event |detail |packet |all]
Diffie–Hellman Key Agreement

Group Bits Type Security Platform
1 768 DH Avoid
2 1024 DH Avoid ISR G1
5 1536 DH Avoid
14 2048 DH *
15 3072 DH **
16 4096 DH ***
ISR G2
19 256 ECDH ***
20 384 ECDH ****
24 2048 DH *
!Configure IKEv2 Policy IKE Phase 1
crypto ikev2 proposal <IKEv2-proposal>
encryption aes-cbc-256
integrity sha512
group 20
crypto ikev2 policy <IKEv2-policy>
proposal <IKEv2-proposal>
match {address |fvrf} <value>
!Configure IKEv2 Profile

crypto pki certificate map <PKI-cert-map> <seq>
name co <dns_name> define allowed domain name
crypto keyring <keyring> if no PKI is used, static keys can be defined

rsa-pubkey {name |address} <destination> {encr |sig}
crypto ikev2 profile <IKEv2-profile>

match certificate <PKI-cert-map>
authentication remote {ecdsa-sig |rsa-sig |pre-share}
authentication local {ecdsa-sig |rsa-sig |pre-share}
keyring local <keyring> choose either local keyring
pki trustpoint <pki-trustpoint> OR PKI authentication method
dpd <interval> <retries> {periodic |on-demand}
!Configure the IP Transform set IKE Phase 2

crypto ipsec transform-set <IPSec-Transform> esp-gcm 256
!Create an IPSec Profile

crypto ipsec profile <IPSec-profile>
set transform-set <IPSec-Transform>
set pfs group20
set ikev2-profile <IKEv2-profile>
! Apply the profile to the GRE interface Step 4

interface Tunnel0
tunnel protection ipsec profile <IPSec-profile>
PPPoE
Server Side Step 1
Create BroadBand Aggregation Group
bba-group pppoe <group-id> to handle incoming PPPoE requests
virtual-template <vt-id> Bind it to a virtual-template
sessions per-mac limit <number> Limit number of session per incoming MAC address
Step 2
ip dhcp pool <DHCP-pool> Create a DHCP pool to use for PPPoE clients
network <nerwork> <mask>
dns-server <pri-dns> <sec-dns>
default-router <router-ip>
Step 3
interface Virtual-Template <vt-id> Create template for inbound PPPoE connections
ip address <ip> <mask> Define the server’s IP address
peer default ip address dhcp-pool <DHCP-pool> and the Pool for client address
ppp authentication chap callin Activate Authentication for PPPoE Sessions
interface fa0/0 Step 4

no ip address
pppoe enable group <group-id> Enable incoming PPPoE on a Ethernet interface
no shutdown
Step 5 - create account for PPPoE Clients
username <login> privilege 0 password <password>
username <login> autocommand exit prevent PPPoE client from logging into console
aaa new-model Only if aaa new-model

aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
Client Side
Step 1
interface dialer <id> Create a Dialer Interface
dialer pool <dial-pool-id>
encapsulation ppp
ip address negotiated PPP IPCP address negotiation (DHCP equivalent)
ip mtu 1492 PPP adds 8 bytes of overhead (1500 - 8 = 1492)
ppp chap hostname <login>
ppp chap password <password>
Step 2
interface f0/0 Assign the PPPoE Dial-group to the ISP-facing interface
no ip address
pppoe enable
pppoe-client dial-pool-number <dial-pool-id>
no shutdown
Step 3
interface f0/1 Adjust TCP MSS on the client-facing interface
ip tcp adjust-mss 1452 1500 - PPP (8) - IP (40) = 1452
! troubleshoot
show pppoe session [all]
debug pppoe [data |errors |events |packets]
PPTP
Server Side Step 1
vpdn enable Create VPDN Group
vpdn-group <group-id> to handle incoming PPTP requests
accept-dialin
protocol pptp
virtual-template <vt-id> Bind it to a virtual-template
vpn vrf <I-VRF>
Step 2
ip dhcp pool <DHCP-pool> Create a DHCP pool to use for PPPoE clients
network <nerwork> <mask>
dns-server <pri-dns> <sec-dns>
default-router <router-ip>
interface Loopback <id>

ip address <ip> <mask> Use to announce PPTP subnet in routing protocol
ip ospf <pid> area <area>
Step 3
interface Virtual-Template <vt-id> Create template for inbound PPPoE connections
ip unnumbered Loopback <id> Define the server’s IP address,
peer default ip address dhcp-pool <DHCP-pool> the Pool for client address,
ppp authentication ms-chap-v2 the authentication mechanism,
ppp encrypt mppe {40|128|auto} [required|passive] [stateful] and cipher
interface fa0/0 Step 4

ip vrf forwarding <F-VRF> Defines Front VRF
ip address <ip> <mask> Configure PPTP Server IP address
no shutdown
Step 5 - create account for PPPoE Clients
username <login> privilege 0 password <password>
username <login> autocommand exit prevent PPPoE client from logging into console
aaa new-model Only if aaa new-model

aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
PKI Certificates distribution /!\ config has to be saved after cert generation!
!PKI Server CIA - Confidentiality, Integrity, Availability
ip http server enable HTTP Server
ntp peer <ip> ensure clock is synchronized
clock timezone GMT 0
clock summer-time EDT recurring
!generate & export RSA key-pair on the server, then make it non-exportable (import back)
crypto key generate rsa general-keys label <cs-label> mod 2048 export
crypto key export rsa <cs-label> pem url <url> 3des <passphrase>
crypto key import rsa <cs-label> pem usage url <url> <passphrase>
show crypto key mypubkey rsa export ca for offline trustpoint config
crypto ca export <cs-label> pem terminal 3des <passphrase>
crypto pki server <cs-label> configure PKI Server
database url <root-url> Storage location of the PKI DB
database level {minimum |names |complete} specify DB ‘verbosity’ level
database username <username> [password <password>]
database archive {pkcs12 |pem} [password <password>]
issuer-name CN = <CommonName>, OU = <OU>, O = <Org>, L = <Locality>,
ST = <State>, C = <Country>, EA = <EA>
lifetime ca-certificate <days> Max 1825 days; recommended min 1095
lifetime certificate <days> Max 1825 days ; recommended 750
lifetime crl <hours> Certificate-Revocation-List
lifetime enrollment-request <hours>
auto-rollover 90 enable automatic renewal of root certificate before expiration
grant auto rollover ca-cert push the rollover cert to subordinates CAs
cdp-url <url> Certificate-Revocation-List Distribution Point
grant [auto |none] Automatic signature of certificate requests (Dangerous)
show Verify Server settings
no shutdown Enable PKI Server
crypto pki server <cs-label> {start |stop} enable/disable PKI Server
crypto pki server <cs-label> info {crl |request} Show pending requests
crypto pki server <cs-label> {grant |reject |remove} {all |<req-id>}
crypto pki server <cs-label> [un]revoke <cert-id>
generates a one-time password for SECP
crypto pki server <cs-label> password generate [minutes]
Optional : manually import (enroll) certificate request
crypto pki server <cs-label> request pkcs10 terminal [pem]
show crypto pki server
show crypto ca certificate [verbose]
debug crypto pki server
!PKI Client
ntp server <ip> Ensure clock is synchronized
clock timezone GMT 0
clock summer-time EDT recurring Generate own RSA key-pair
crypto key generate rsa general-keys label <rsa-key> modulus 2048
crypto pki trustpoint <trustpoint> create a CA trustpoint
enrollment mode ra optional, if not set, system auto determines it
enrollment {url <url> |terminal}
revocation-check crl request will have to be manually processed
rsakeypair <rsa-key> determine which rsa key-pair will be used for cert request
auto-enroll <%> [regenerate] auto-request new certificate after <%> of its lifetime
exit
crypto pki authenticate <trustpoint> import and validate CA certificate
crypto pki enroll <trustpoint> submit own certificate for signature by CA
crypto pki import <trustpoint> certificate manually import certificate
show crypto key mypubkey rsa

show crypto ca certificate verify fingerprint on the certificate
show ntp associations
crypto key zeroize rsa delete all RSA Key-pairs
RSA Key to replace PSK for use with “auth rsa-encr” in ISAKMP Policy
!Generate own RSA crypto key
crypto key generate rsa general-keys label <name>
show crypto key mypubkey rsa <name> print own key to paste to remote hosts
!Import Remote RSA crypto key
crypto key pubkey-chain rsa
addressed-key <remote-ip> encryption
Key string
<paste remote rsa key here>
quit
show crypto key pubkey-chain rsa address <remote-ip>
DynDNS Client
ip ddns update method <dnsmethod>
ddns [both] both: PTR RR also updated
interval maximum <days> <hours> <minutes> <seconds>
http use CTRL+V before ‘?’
add http://<user>:<pass>@<dyn.dns.server>/nic/update?
system=dyndns&hostname=<h>&myip=<a>
remove <url>
! <s> —> DynDNS Server ; <h> —> HostName ; <a> —> IP Address
ip ddns update hostname <dyndns-hostname>
ip ddns update <dnsmethod> [host <dyndns-server>]
show ip ddns update

debug ip ddns update
RSPAN for Router = RITE (Router IP Traffic Export)

ip traffic-export profile <profile> create a profile
interface <interface-id> define monitoring port
mac-address <mac-address> define monitoring mac address
bidirectional enable inbound & outbound traffic monitoring
incoming access-list <acl-id> optionally filter mirrored traffic
exit
interface <interface-id> enter the interface to be mirrored

ip traffic-export apply <profile> apply the mirroring profile
! troubleshoot
show ip traffic-export
Quality of Service Impacts: bandwidth, delay, jitter & packet loss
Identify traffic requirements; classify (colorize); define policy per class
! Recommendations
Out of 100 % Link Capacity
- Max 33 % For Real-Time, Priority Traffic (Voice & Video)
- Max 75 % for Guaranteed Traffic, including Priority (-10% Ethernet, IOS hard-coded)
- Min 25 % for Class-Default, Best-Effort (Non-reserved class)
- Max 05 % for Scavenger Class, Policed (optional, from guaranteed traffic)
Mark the traffic AS CLOSE to the source as possible, preferably on switch's —> HW marking
! Don’t Forget : MQC = Modular Qos CLI
Incoming Actions : ONLY Classify, Mark & Police
Outgoing Actions : ALL: Classify, Mark, Police, Shape, Queue, Compress, LFI, …
! Classify Traffic
class-map [match-any] <class-id> default is match-all
match access-group name <acl-id>
match input-interface <interface-id>
match class-map <class-id> Nested class
match vlan <vlan-id>
match protocol <nbar-protocol-pattern>
match [ip] precedence <code>
match [ip] dscp <code>
match cos <cos>
match any useful in class-map match-all mode and with match negations
match not <criteria> <value> all match criteria can be negated
! Assign Policies to Classes

policy-map <policy-id>
class <class-id>
set dscp <code>
set mpls <mpls-experimental-value>
bandwidth {<bw> | percent <%>} Minimum <BW> is reserved; in kbps
priority {<bw> | percent <%>} Maximum <BW> is reserved & given priority; in kbps
shape {peak | average} <bw> Shapes to BW; in bps
shape adaptative <bw> Enables Frame Relay BECN response
shape fecn-adapt Enables Frame Relay FECN response
police <bw> Maximum <BW> is allocated; in bps
conform {drop | transmit | set-<setting> <value>}
exceed {drop | transmit | set-<setting> <value>}
violate {drop | transmit | set-<setting> <value>} only if exceed != drop
fair-queue <queues> number of queues has to be a power of 2
compression header ip {rtp | tcp} enables header compression; !CPU intensive
random-detect [dscp-based] Random Early Detection, default based on IP precedence
random-detect ecn turns on explicit congestion notifications
random-detect dscp <dscp> <min-thr> <max-thr> <mpd>
random-detect precedence <precedence> <min-thr> <max-thr> <mpd>
mpd = Mark Probability Denominator
When max queue length thresholds is reached, 1 on mpd packets will be dropped
service-policy <policy-id> Nested policy; required to SHAPE & QUEUE simultaneously
Requires equivalent class-maps nesting
class class-default WRED & WFQ are mutually exclusive
fair-queue <queues> fair-queue and random-detect can only be
random-detect simultaneously applied on the default-class
! Apply Policy to Interface

service-policy {input |output} <policy-id>
max-reserved-bandwidth <%> Sets the maximum reserved bandwidth on the interface
That command is hidden
interface tunnel <id>
qos pre-classify required to apply QoS service-policy for tunneled traffic
show class-map [<class-id>]

show policy-map [<policy-id>]
show policy-map interface <interface-id> [input |output]
! NBAR Network Based Application Recognition
ip nbar pdlm <path> configures new available NBAR signatures
ip nbar protocol-discovery
show ip nbar protocol-discovery stats bit top <n>
alias exec traffic show ip nbar protocol-discovery stats bit top 10
! Link Efficiency Tools

! Link Fragmentation and Interleaving, RTP & TCP header compression
interface Multilink<mlink-gid>
bandwidth <BW>
header compression is incompatible with frame-relay ietf encapsulation
ip tcp header-compression {{iphc|ietf}-format |passive} [periodic-refresh]
ip rtp header-compression {{iphc|ietf}-format |passive} [periodic-refresh]
Periodic-refresh is required on SatCom link
ip header-compression disable-feedback if RTT>refreshtime, optional on SatCom link
ip header-compression max-{period <packets> |time <secs>}
Configures interval between full headers; defaults to 256 packets or 5 secs
ip header-compression recoverable-loss dynamic Enhanced cRTP, requires ietf
ip rtp compression-connections <number> max simultaneous compressed sessions
! LFI should not be enabled on interfaces with more than 768Kbps BW

! Because Serialization delay is lower than 15 ms for 1500 Bytes.
ppp multilink
ppp multilink group <mlink-gid>
ppp multilink fragment delay <ms> beware not to fragment VoIP packets
ppp multilink interleave minimum delay should be set according to
service-policy output <policy-id> [ bytes]
8000 sizeVoIP packet
interface Serial0/0
[ ms]
delaymin  [ bps]
bandwidth <BW> BWlink
no ip address
no fair-queue
encapsulation ppp
ppp multilink
ppp multilink group <mlink-gid>
show ip rtp header-compression
show ppp multilink
sets last
! Shaping & Queuing example —> Hierarchical MQC Wrr-queue bandwidth <q1> <q2> <q3> <q4>
policy-map <child-policy-id>
class CM_QOS_VOICE
Wrr-queue cos-map <queue> <cos-list>
priority 256
compression header ip rtp
mls qos trust device cisco-phone
mls qos map cos-dscp <dscp list>
class CM_QOS_VIDEO
bandwidth 512
compression header ip rtp
mls qos trust ip-precedence
class CM_QOS_MISSIONCRITICAL
bandwidth 400
random-detect dscp-based
class CM_QOS_TRANSACTIONNAL
maps cos values to queues
mls qos trust device
bandwidth 400
queue as Priority Queue
Priority-queue out
class class-default
fair-queue
policy-map <policy-id>
class class-default
shape average <bps>
mls qos
queue-limit {<packets> | <ms> ms}

service-policy <child-policy-id>
QoS Markings
ToS Precedence
Montetary Cost
802.1p Priority
IP ToS value
Throughput
Code-Point Name
Per Hop Behavior
Drop Precedence
802.1 CoS
Reliability
RFC 2474
ToS Field
RFC1349
RFC3260
RFC 791
Class Selector
Delay
DSCP
/
ToS String
Bits Bits Bits Bits

Dec Dec Hex Dec Hex Dec Hex
0-2 0-5 0-7 3-6
Routine 0 000 BE - BE 000 000 0 0x00 00000000 0 0x00 0000 0 0x0
CS 1 - CS1 001 000 8 0x08 00100000 32 0x20 0000 0 0x0
1 AF11 001 010 10 0x0A 00101000 40 0x28 0100 4 0x4

Priority 1 001
AF 1 2 AF12 001 100 12 0x0C 00110000 48 0x30 1000 8 0x8
3 AF13 001 110 14 0x0E 00111000 56 0x38 1100 12 0xC
CS 2 - CS2 010 000 16 0x10 01000000 64 0x40 0000 0 0x0
1 AF21 010 010 18 0x12 01001000 72 0x48 0100 4 0x4

Immediate 2 010
AF 2 2 AF22 010 100 20 0x14 01010000 80 0x50 1000 8 0x8
3 AF23 010 110 22 0x16 01011000 88 0x58 1100 12 0xC
CS 3 - CS3 011 000 24 0x18 01100000 96 0x60 0000 0 0x0
1 AF31 011 010 26 0x1A 01101000 104 0x68 0100 4 0x4

Flash 3 011
AF 3 2 AF32 011 100 28 0x1C 01110000 112 0x70 1000 8 0x8
3 AF33 011 110 30 0x1E 01111000 120 0x78 1100 12 0xC
CS 4 - CS4 100 000 32 0x20 10000000 128 0x80 0000 0 0x0
Flash 1 AF41 100 010 34 0x22 10001000 136 0x88 0100 4 0x4
4 100
Override AF 4 2 AF42 100 100 36 0x24 10010000 144 0x90 1000 8 0x8
3 AF43 100 110 38 0x26 10011000 152 0x98 1100 12 0xC
CS 5 - CS5 101 000 40 0x28 10100000 160 0xA0 0000 0 0x0

Critical 5 101
EF - EF 101 110 46 0x2E 10111000 184 0xB8 1100 12 0xC
Internetwork CS 6 - CS6 110 000 48 0x30 11000000 192 0xC0 0000 0 0x0
6 110
Control - 110 111 55 0x37 11011100 220 0xDC 1110 14 0xE
Network CS 7 - CS7 111 000 56 0x38 11100000 224 0xE0 0000 0 0x0
7 111
Control - 111 111 63 0x3F 11111100 252 0xFC 1110 14 0xE
!RSVP
ip rsvp bandwidth <max-res-bw> <max-flux-bw> define max reservable bandwidth
ip rsvp signalling dscp <dscp> dscp code for RSVP signalization
Cisco IOS Firewall
Zone-Based Firewall Zone-Based instead of Interface-Based, uses MQC
MQC = Modular QoS CLI
Policies applied between zones
Default deny-all policy, except for the self zone (default allow-all)
Interfaces attached to only one zone
Traffic allowed between all interfaces within the same zone
Traffic cannot flow between zone and non zone interfaces
Cannot be combined with legacy firewall inspection
Inspect cannot be used from and to zone ‘self’, only pass or drop
zone security <zone-id> Step 1

description <string> Create firewall zones
interface <interface-id> Step 2

zone-member security <zone-id> Assign all interfaces to a zone
class–map type inspect match-{all|any} <class-id> Step 3

description <description> Define traffic classes
match access-group name <acl-id>
match class-map <class-id>
match protocol <nbar-protocol-pattern>
policy-map type inspect <policy-id> Step 4
class type inspect <class-id> Define firewalling policy
inspect [<param-map>] context-based access control engine, statefull
/!\ WARNING: Inspect does NOT work with GRE! (Quid ESP/AHP ?)
pass forwards packet without inspection, stateless
service-policy <proto> <policy-id> applies DPI policy
police rate <bps> burst <bytes> limits traffic to rate
drop [log]
class type inspect class-default
no drop overrides the default drop all policy
drop [log]
Step 5
For each pair of zones, apply one firewall policy per direction
zone-pair security <zone-pair-id> source <zone-id> destination <zone-id>
service-policy type inspect <policy-id>
description <string>
Optional
Define Thresholds against DDoS attacks
parameter-map type inspect <param-map>
max-incomplete {low|high} <threshold> max concurrent half-open session
one-minute {low|high} <threshold> max concurrent new not established sessions
dns-timeout <seconds>
icmp idle-time <seconds>
udp idle-time <seconds>
tcp idle-time <seconds>
tcp {syn|fin}wait-time <seconds>
tcp max-incomplete host <threshold> block-time <minutes>
session maximum <threshold>
{alert|audit} {on|off}
show zone security [<zone-id>] lists zones and member interfaces

show zone-pair security [source <zone-id> dest <zone-id>]
show class-map type inspect [<class-id>]
show policy-map type inspect [<policy-id>]
show policy-map type inspect zone-pair <zone-pair-id> [sessions]
show parameter-map type inspect [<policy-id> |default]
Router Planes Protection
! Management-Plane Protection
control-plane host restricts management protocols to specified interface
management-interface <interface-id> allow <protocols>
Management Protocols: beep, ftp, http, https, snmp, ssh, telnet, tftp
Restriction applies both for incoming and outgoing connections
show management-interface [<interface-id> |protocol <protocol>]
! Control-Plane Protection
! Policing
class–map match-{all|any} <class-id>
match <criteria> <value> See QoS match possibilities
policy-map type port-filter <policy-id>

class <class-id>
police <bw> Maximum <BW> is allocated; in bps
conform {drop | transmit | set-<setting> <value>}
exceed {drop | transmit | set-<setting> <value>}
violate {drop | transmit | set-<setting> <value>} only if exceed != drop
! Port-Filtering
class–map type port-filter match-{all|any} <class-id>
match closed-ports
match port {tcp |udp} {<port> |<port-range-start> <port-range-end>}
policy-map type port-filter <policy-id>

class <class-id>
drop
log [interval <ms>] [total-lenght] [ttl]
! Queue-threshold
class–map type queue-threshold match-{all|any} <class-id>
match {protocol <protocols> |host-protocols}
Control-Protocols: bgp, dns, ftp, http, https, igmp, snmp, ssh, syslog, telnet, tftp
policy-map type queue-threshold <policy-id>

class <class-id>
queue-limit <number>
! Logging
class–map type logging match-{all|any} <class-id>
match input-interface <interface-id>
match ipv4 {source |destination} <ip>
match packet {dropped| permitted | error}
policy-map type logging <policy-id>

class <class-id>
! Applying Service-policy (Policing / Port-Filtering / Queue Threshold / Logging)
control-plane [host |transit |cef-exception]
service-policy [type <type>] {in |out} <policy-id>
show policy-map [type <type>] control-plane

[all| host |transit |cef-exception] [in|out [class <class-id>]]
Router Hardening
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
no service password-recovery ! /!\ Use with CAUTION!
service tcp-keepalive-in !Allows removal of orphaned connections from the device
service tcp-keepalive-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption !Ciphers passwords in config file, NO strong encryption
service sequence-numbers !Adds a sequence number on each log message
parser config cache interface

no service config !Prevents attempts to load config by tftp during boot
no service dhcp !Disable DHCP Services
no service pad !Disables Packet Assembler/Disassembler (X.25 Networks)
no service tcp-small-servers !Disables TCP & UDP small Services
no service udp-small-servers !(Echo, Discard, Daytime, Chargen, etc.)
no ip bootp server !Disables BootStrap Protocol
no ip domain-lookup !Disables DNS resolution on the router
no ip finger !Disables the finger service
no ip forward-protocol nd !Disables forwarding of old Sun Network Disk Protocol
no ip gratuitous-arps !Disable emission of gratuitous arps packets
no ip http server !Disables HTTP Server
no ip http secure-server !Disables HTTPS Server
no ip scp server enable !Disables SCP Server
no ip source-route !Disables IP Source-Routing (Man-in-the-middle attacks)
no cdp run !Disables Cisco Discovery Protocol (information leak)
no lldp run global !Disables Link Layer Discovery Protocol (information leak)
ip dhcp bootp ignore !Disables BootP Protocol (Leaves DHCP untouched)
ip tcp synwait-time 10 !Sets timout for TCP connection opening, in secs
ip icmp rate-limit unreachable 250 !Limits ICMP replies to 1/interval, in msecs
ip options drop !do not use if RSVP or other legitimate ip options required
configuration mode exclusive !disables concurrent sessions in config mode
secure boot-image !secures the IOS to a resilient hidden file
secure boot-config !secures the running-config to a resilient hidden file
no mop enabled !Disables Legacy DEC Maintenance Operation Protocol (Ethernet only)
no cdp enable !Disables Cisco Discovery Protocol
no lldp transmit !Disables Link Layer Discovery Protocol TX
no lldp receive !Disables Link Layer Discovery Protocol RX
no ip proxy-arp Disables RFC1027 Proxy-ARP (Potential Man-in-the-middle attacks)
memory reserve console 4096 !Reserves memory for console access, in kbps
memory reserve critical 8192 !Reserves memory for critical notifications, in kbps
scheduler allocate 20000 1000
scheduler interval 500 !Max interval allowed without running system processes, in ms
logging source-interface Lo0
logging rate-limit all 10 except critical !Avoids logging buffer overflow
logging buffered 16384 6
logging trap 6
logging host <ip> !defines the address of the remote logging server
login block-for 120 attempts 3 within 40
login quiet-mode access-class <acl-id>
login delay 10 ! enforced time between login attempts
login on-failure log !logs failed login attempts
login on-success log !logs successful login attempts
security authentication failure rate 5 log
security password min-length 8 !sets minimum password length
username <username> privilege <level> secret <secret>
enable secret <secret>
hostname <hostname>
ip domain-name <domain>
crypto key generate rsa gen modulus 2048 !generates strong RSA crypto key
ip ssh version 2 !enforces use of SSHv2 only (disables SSHv1)

ip ssh time-out 30 !Closes SSH session if not logged-in within 30 seconds
ip ssh authentication-retries 3 !Closes SSH session after 3 failed login attempts
ip cef
interface Loopback0
description Management Interface
ip ssh source-interface Lo0 !Outgoing SSH connections will be sourced from L0
ip ftp source-interface L0 !Outgoing FTP connections will be sourced from L0
ip tftp source-interface L0 !Outgoing TFTP connections will be sourced from L0
ip telnet source-interface L0 !Outgoing Telnet connections will be sourced from L0
ip radius source-interface L0 !Outgoing Radius connections will be sourced from L0
snmp-server source-interface traps Lo0 !SNMP connections will be sourced from L0
snmp-server source-interface informs Lo0 !SNMP connections will be sourced from L0
snmp-server ifindex persist !SNMP interface indexes will persist between reboots
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa authorization console
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authentication default
line vty 0 15
transport input ssh !Allow only SSH for remote management (disables Telnet)
transport output ssh telnet !Limit outgoing connections to SSH & Telnet protocols
transport preferred none !Avoids getting angry when making typo’s in the CLI
logging synchronous !Avoids current typed commands to be cut on console by logging
exec-timeout 9 0 !Closes session after 9 minutes of inactivity
access-class <acl-id> in !Limits hosts that are allowed to connect to this line
line con 0
transport output ssh telnet
logging synchronous
exec-timeout 9 0
line aux 0
transport input none
transport output none
no exec
exec-timeout 0 1
no password
privilege level 0
archive
log config
logging enable !enables logging of configuration changes
logging size 200 !sets the number of entries to be kept in the log file
Hidekeys !suppresses the display of password information in the log file
notify syslog !enables the notification of configuration changes to a remote syslog
path <path> !defines the path of the archive folder
maximum 14 !sets maximum number of previous configuration files to be kept
write-memory !triggers the archival process when saving the configuration
time-period 10080 !triggers the archival process on a regular interval, in secs
control-plane host restricts management protocols to specified interface

management-interface <interface-id> allow ssh https snmp tftp
Secure IOS config and IOS Files
secure boot-image secures the IOS to a resilient hidden file
secure boot-config secures the running-config to a resilient hidden file
secure boot-config restore <filepath> restores the resilient config to a file
show secure bootset show the content of the IOS Resilience archive
rommon> dir slot0:
Logon security enhancement
login block-for <seconds> attempts <number> within <seconds>

login quiet-mode access-class <acl-id>
login delay <seconds> enforced time between login attempts
login on-failure log [every <#>]
login on-success log [every <#>]
security authentication failure rate <threshold> log
security password min-length <0-16>
service password-encryption
service sequence-numbers
AAA - Authentication, Authorization and Accounting

Radius: UDP 1645 & 1812 (Authorization); UDP 1646 & 1813 (Accounting)
TACACS+ : TCP 49
aaa new-model enable aaa new-model (disables ALL OLD commands)

aaa authentication login <aaa-list> group radius local define login method(s)
aaa authentication login default local default aaa login method
aaa authorization exec default local define authorization method
aaa authorization console also apply authorization method on the console
line vty 0 15
login auth <aaa-list>
debug aaa authentication

debug aaa authorization
ip radius source-interface <interface-id> loopback0
Role-based IOS Access

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console
enable view
conf t
parser view <view-name>
secret <password>
commands <mode> {include |exclude} [all] <keyword>
parser view <superview-name> superview create a superview combining sub-views

secret <password>
view <view-name>
view <view-name>
enable view <view-name>
username <username> view <view-name> secret <password>

Call Manager Express Configuration Skinny - SCCP
telephony-service Skinny Server
protocol mode {ipv{4|6} |dual-stack [pref ipv{4|6}]}
ip source-address <local-cme-ip> [port <port>] [strict-match]
default: port 2000, any-match
max-dn <value> Max allowed Directory Numbers; pre-allocates required memory
max-ephones <value> Max allowed SCCP EPhones; pre-allocates required memory
load <phone-type> <loadfile-url> define a firmware for each platform
user-locale <0-4> <lang-code> sets available languages on the IP phones
network-locale <0-4> <lang-code> defines call progress tones & ring cadences
time-format {12 | 24}
date-format <xx-xx-xx> dd mm yy
time-zone <zone-id> UTM=22 ; Western-Europe-DST=23
Keepalive <secs> defaults to 30 secs
max-conferences 8 gain -6
moh <path> path to the music-on-hold file
multicast moh <mcast-ip> port <port> [route <ip>] multicast address for moh
Voice VLANs MUST be configured in PIM passive or dense-mode to receive the multicast moh
transfer-system full-{consult |blind} enable H450.2 call transfer
transfer-pattern <pattern> pattern to witch call transfers are allowed
secondary-dialtone <#> usually used for prefix to access external line
no auto-reg-ephone disables automatic phone registration
auto assign <dn> to <dn> [type <type>] automatically assigns dn to unknown ephones
system message <text> replaces “Cisco Unified CME” display on phones by own text
create cnf-files to be executed after config change
web admin {system | customer} name <login> secret 0 <password>
web customize load <path> loads xml file to restrict customer admin pages
dn-webedit allow DN config trough web interface
dn-timeedit do NOT use when NTP is configured, allow time config trough web interface
ip qos dscp <dscp> {signal | media| video| service } default{cs3|ef|af41|0}
restart {all [<interval>] |<mac-address> |cancel |sequence-all} soft reboot
reset {all [<interval>] |<mac-address>} hard reboot
!Phone Hardening NSA I732-001R-2010 & CUCME Configuration Guide

service phone disableSpeaker {true |false*}
service phone disableSpeakerAndHeadset {true |false *}
service phone forwardingDelay {0|1*} 0:disables PC Ethernet port during phone boot
service phone garp {0*|1} 1-disable Gratuitous ARP processing
service phone pcPort {0*|1} 0-enabled; 1-disabled
service phone spanToPcPort {0*|1} 0-enabled; 1-disabled
service phone voiceVlanAccess {0*|1} Spanning: 0-enabled; 1-disabled
service phone settingsAccess {0|1*|2} 0-disabled; 1-enabled ; 2-restricted
service phone webAccess {0*|1|2} 0-enabled; 1-disabled; 2-read-only
ip dhcp pool VOICE

option 150 ip <local-cme-ip> defines TFTP server where phone config is available
tftp-server <file> [alias <alias>] each phone firmware file must be shared by TFTP
Individual config files for IP phones are automatically shared by the telephony-services
!TSHOOT
show telephony-services
[ ephone[-dn] | dial-peer |voice-port |tftp-bind ]
IP Phone Configuration Skinny - SCCP
!SCCP IP Phone Configuration
ephone-dn <e-dn-id> [dual |octo] dual required for multiple calls or conferencing
number <tf-number> [secondary <tf-number>] [no-reg [both|primary]]
description <local display name> displayed on the user’s phone
name <directory entry name> “caller id”, displayed on the called phone
label <line label> displayed next to the line button
corlist in <corlist-in> apply incoming class of restriction
corlist out <corlist-out> apply outgoing class of restriction
pickup-group <pg-id> define a pickup group
transfer-mode {blind |consult} define call transfer mode
ephone <e-ph-id>
type <device-type> [addon 1 <type> [2 <type>]] define the device type
mac-address <aabb.ccdd.eeff>
button <line>:<e-dn-id> [<line>:<e-dn-id>] link the phone to a dial-number
: normal ring - feature ring - beep only - silent - monitor line - watch phone - overlay
codec {g711u |g722r64 |g729r8 [dsp-assist] |ilbc} sets preferred codec
max-calls {1-8}
device-sec {none |auth |encr}
speed-dial <#> <dial-string> define a speed-dial entry
restart soft reboot; suitable for button, line, speed-dial changes; DHCP NOT involved
reset hard reboot; REQUIRED for firmware, locale, url, TFTP changes, DHCP involved
!TSHOOT
! - L1 / PoE —> Switch
test cable-diag tdr interface <interface-id>
show cable-diag tdr interface <interface-id>
show power inline [<interface-id>] PoE status/Switch Power Budget
! - L2 / CDP / VLAN —> Switch
show interface <interface-id> switchport
show {cdp | lldp} neighbors [[<interface-id>] | [detail]]
show vlan
show interface trunk IP Phone Boot Sequence
! - L3 / DHCP —> DHCP Server 1.PoE
show ip dhcp [binding |pool] 2.Boot firmware <— flash
3.CDP/LLDP -> Phone VLAN
debug ip dhcp server events 4.DHCP —> Option 150
show run | s dhcp pool|dhcp excluded 5.TFTP —> Config Load*
! - L7 / TFTP —> CME Router PKI CRT: CTLSEP<MAC>.tlv
show run | i tftp-server SCCP: SEP<MAC>.cnf.xml(.sgn)
show telephony-services tftp-bindings SIP: SIP<MAC>.cnf
Default: XMLDefault.cnf.xml
more system:/its/vrf1/XMLDefault<model>.cnf.xml 6.Registration to CM
debug tftp events
! - L7 / CME —> CME Router
show ephone [ [un]registered | attempt | offhook | dn <dn-id> ]
show telephony-services [ ephone[-dn] | dial-peer |voice-port ]
debug ephone register
Cisco IP Phone Reset:
Soft Reset: Press Settings,
* * #, More, Erase (7945)
* * # * * (6921)
Hard Reset (Forces firmware download):
1) Plug power cord while pressing # AND KEEP it pressed while booting
2) Wait for the line buttons begin to blink
3) Press in sequence: 1 2 3 4 5 6 7 8 9 * 0 #
Secure Call Manager Express Configuration SCCP TLS SRTP
Step 1 - Create a Certificate Authority
crypto key generate rsa general-keys modulus 2048 label CA
crypto pki server <CA>
database level complete
database url flash:/PKI/
grant auto should be disabled after initial setup
lifetime ca-certificate 1095
lifetime certificate 1095
exit
crypto pki trustpoint <CA>

enrollment url http://<CA-IP-Addr>
rsakeypair <Role> 4096
auto
crypto pki server <CA>

no shut
ip http session-module-list HTTP SCEP Defines a list of authorized modules

ip http active-session-modules HTTP Limits HTTP modules to the defined list
ip http server Enables HTTP Server
Step 2 - Create certificates for the required roles:

crypto pki trustpoint <<Role>-TP> SAST, CAPF, CME, TFTP, HTTPS
enrollment url http://<CA-IP-Addr>
rsakeypair <Role> 2048
hash sha512
serial-number
ip-address loopback0
source interface loopback 0
auto-enroll
crypto pki authenticate <<Role>-TP>

crypto pki enroll <<Role>-TP>
Step 3 - Configure CTL Client (Certificate Trust List)

SAST = Site Administrator Security Token; /!\ TWO SASTs are MANDATORY for CTL creation
ctl-client
sast1 trustpoint <SAST1-TP> 1st Certificate used to sign the CTL
sast2 trustpoint <SAST2-TP> 2nd Certificate used to sign the CTL
server cme <CME-IP> trustpoint <CME-TP> Certificate of the CME Server
server tftp <TFTP-IP> trustpoint <TFTP-TP> Certificate of the TFTP Server
server capf <CAPF-IP> trustpoint <CAPF-TP> Certificate of the CAPF Server
regenerate command REQUIRES BOTH SAST to be configured; fails otherwise
Step 4 - Configure CAPF Server (Certificate Authority Proxy Function)

capf-server This proxy will request IP Phones Certificates to the CA
trustpoint-label <CAPF-TP> Certificate of the CAPF Server
cert-enroll-trustpoint <CA> password 0 <password> Link to the CA server
phone-key-size {512| 1024| 2048} Size of the RSA Key for IP phones
source-addr <CAPF-IP> Source IP Address of the CAPF server
port <port> Port on which the CAPF Server will listen; defaults to 3084
auth-mode null-string Method used to identify IP phones prior to issuing certificate
Secure Call Manager Express Configuration (contd) SCCP TLS SRTP
Step 5 - Configure CME to leverage security
(Sign TFTP files and use TLS for signalization)
telephony-service
tftp-server-credentials trustpoint <TFTP-TP>
cnf-file perphone
cnf-file location flash:
load-cfg-file <path> alias <alias> sign create
All tftp-server commands related to IP-Tel MUST be replaced by load-cfg-file commands
as IP phones won’t download any more file that has NOT been signed once they use a CTL.
This includes firmwares, configurations, ringtones, desktop backgrounds, etc.
After the first download of the CTL file, CTL will only be allowed if signed by known SAST
Step 6 - Configure CME to leverage security

(Sign TFTP files and use TLS for signalization)
telephony-service
secure-signaling trustpoint <CME-TP>
server-security-mode secure
Step 7 - Configure IP Phones to leverage security

!Option 1—Globally
capf-server
cert-oper upgrade all Requests certificates for all registered IP phones
telephony-service
device-security mode {none | authenticated | encrypted }
reset all
!Option 2—Per Phone
ephone <eph-id>
device-security mode {none | authenticated | encrypted }
cert-oper upgrade auth-mode null-string Requests certificate to CAPF
reset
Call Manager Express Configuration SIP
voice service voip
allow sip to sip required to allow calls between SIP endpoints
sip required for SIP IP Phones registration
bind {all |media |control} source-int <interface-id> [ipv{4-6} <ip>]
registrar server
session transport {tcp |udp} defines system session transport; defaults to udp
url sips enables SIP-Secure globally: secure signalling
securertp enables Secure-RTP support globally: secure voice payload
securertp fallback enables RTP fallback if SRTP is not supported by endpoind
signal forward {unconditional |none} prints calling name instead of calling number
clid stip pi-restrict blocks caller-id when privacy exists
clid substitutes name substitutes CLID to display number when name is unavailable
voice register global SIP Server

mode cme Call Manager Express
source-address <local-gw-ip> port <port> MUST match bind control source if IP
default port:5060
authenticate register defines SIP authentication method
max-dn <value> Max allowed Directory Numbers; pre-allocates required memory
max-pool <value> Max allowed SIP IP Phones; pre-allocates required memory
tftp-path flash:
network-locale <0-4> <lang-code> defines call progress tones & ring cadences
time-format {12 | 24}
date-format <xx-xx-xx> dd mm yy
timezone <zone-id> UTM=22 ; Western-Europe-DST=23
ntp-server <ip> [mode <mode>]
create profile to be executed after load change
sip-ua
registrar {dhcp | [index] registrar-address[:port]}
authentication username <username> password [0|7] <password>
sip-server {{dns |ip}:<address>[:<port>]} defines SIP-SRV to be referenced in DP
transport {tcp| udp} defines allowed incoming transport; allows all by default
!TSHOOT
! SIP Voice Register (CME)
show voice register [ all | pool | dn | dial-peers | global | tftp-bind ]
debug voice register events debugs SIP phone registration on CME
debug ip dhcp server events
debug tftp events
! SIP User Agent
show sip-ua service status of SIP call service on gateway
show sip-ua status status of SIP user agent: allwed tpt, if binding, sdp options…
show sip-ua register status status of E164# on registrar
show sip-ua timers
show sip-ua connections
show sip-ua calls displays UAC & UAS active call & parameters
show sip-ua statistics
debug ccsip general SIP debugging
debug voip ccapi inout interactions with Call Control API
debug voip ccapi proto headers displays messages between gateways
debug voip dialpeer all monitors Dial-Peer matching process
SIP IP Phone & Dial-Peers Configuration SIP
!SIP IP Phone Configuration
voice register dn <s-dn-id>
number <tf-number>
shared-line [max-calls <2-16>]
label <line display name> displayed next to the line button
name <directory entry name> “caller id”, displayed on the called phone
pickup-group <pg-id> defines a pickup group
voice register pool <s-ph-id>
type <device-type>
id mac <1234.5678.abcd>
number <line> dn <s-dn-id>
dtmf-relay {sip-notify |rtp-nte |cisco-rtp}
voice class codec <codec-tag-id> defaults to G729r8
speed-dial <#> <dial-string> define a speed-dial entry
username <user> password <password>
restart soft reboot; suitable for button, line, speed-dial changes; DHCP NOT involved
reset hard reboot; REQUIRED for firmware, locale, url, TFTP changes, DHCP involved
!SIP Dial-Peer Configuration

dial-peer voice <id> voip
session protocol sipv2
session-target {ipv4:<remote-ip> |sip-server} static or sip-ua defined
session transport {system |top tls |udp} defaults to udp
dtmf-relay {sip-notify |rtp-nte [digit-drop]} disabled by default
clid stip pi-restrict blocks caller-id when privacy exists
clid substitutes name substitutes CLID to display number when name is unavailable
max-conn <#> defines maximum concurrent calls through the dial-peer
voice-class sip
securertp enables Secure-RTP support
securertp fallback enables RTP fallback if SRTP is not supported by endpoind
sip
url sips
interface s x/x/x:15
isdn supp-service name calling sends out calling name on ISDN calls
!Configures a link to a CISCO SIP Proxy Server

sip-ua
sip-server ipv4:<remote-ip>

destination-pattern <pattern>
session target sip-server
!Configures a link to a NON-CISCO SIP Proxy Server
session target ipv4:<remote-ip>
H.323 Gateway & Dial-Peers H.323
H.225: UDP 1720; H.225 RAS: UDP 1719
voice service voip
ip address trusted authenticate requires GW IP identification for call transit
ip address trusted list GW to which dial-peers are defined are automatically trusted
ipv4 <ip> [<mask>] defines an IP/range of trusted gateway(s)
allow-connections h323 to h323
no supplementary-service h225-notify cid-update don’t adapt caller-id on CONNECT
h323 enables H323 services globally
no h225 timeout keepalive avoid dropping of current calls from GW if CM goes down
call start slow disables fast-start (h245 negotiation apart from h225)
call service stop WARNING! disables processing of h323 calls
session transport {tcp |udp} default: tcp. UDP lowers overhead but reliability too
ras rrq dynamic prefixes *registers dial-peers with wildcards dest patterns to GK
*does NOT work with complex patterns
interface loopback0
ip address <local-gw-ip> <mask>
h323-gateway voip interface activate the h323 gateway conf ; mandatory for GK use
h323-gateway voip h323-id <local-gw-id> case-sensitive, must be unique
h323-gateway voip bind srcaddr <local-gw-ip> Optional, defaults to int addr
h323-gateway voip tech-prefix <tech-prefix> REQ if GW registers wildcard prefix
h323-gateway voip id <gk-zone> ip <gk-ip> <port> prio <#> gk-z case-sensitive
gateway starts the h323 gateway and registers to gatekeeper if defined

resource threshold high <%> low <%> report overloaded resources state to GK
security password <password> level all securely logs in to the GK: login=h323-id
dial-peer voice <id> voip default Dial-Peer protocol is H323 “Cisco”

session protocol cisco this is the default
session target {ipv4:<remote-gw-ip> |ras} ras = gatekeeper
destination-pattern <dial-reg-ex> . = single digit, T = 0 to 32 digits
destination-pattern allowed strings: { [0-9], [A-D], #, *, . , T, ^, $, ?, %, +, \ }
preference <#> lower is preferred, defaults to 0
corlist outgoing <corlist-out>
dtmf-relay {h245-{s|a} |cisco |ntp} disabled by default; prefer h245-s
[no] vad [aggressive] normal VAD enabled by default
voice-class codec <codec-tag-id> default DP codec: G729r8, 20ms
voice-class h323 <h323-tag-id>
max-conn <#> defines maximum concurrent calls through the dial-peer
voice class codec <codec-tag-id> list all allowed codecs within the class
codec preference <#> <codec> [bytes <bytes>] one entry for each accepted codec
µ-law in Japan & US, A-law in other countries. A-law preferred for interconnections
voice class h323 <h323-tag-id>

h225 timeout tcp establish <secs> tweak timeout to allow fallback to other DP
h225 timeout setup <secs> tweak timeout to allow fallback to other DP
!TSHOOT
show dial-peer voice summary
show gateway list currently registered numbers & inscription state of local GW on GK
show h323 gateway prefixes show prefixes the local GW has registered to the GK
show h323 gateway show statistics over H225 RAS (Registration, Admission & Status)
show call active {voice |video |fax |media} [compact |brief] detailed
show voice call {status |summary} concise
show voip rtp connections show active RTP sessions information: callID, IPs & ports
debug ras H323 Registration, Admission and Status

debug {h225 [events |q931] |h245 [events]} debug call setup/features process
debug {h225 |h245} {asn1 |events} debug gatekeeper registration process
debug voip dialpeer all monitors Dial-Peer matching process
H.323 Gatekeeper H.323
gatekeeper each site should get his own zone for correct BW management
zone local <zone-id-local> <dns-suffix> <local-gk-ip>
zone remote <zone-id-remote> <dns-suffix> <remote-gk-ip> [<port>]
[cost <cost>] [priority <prio>] [<remote-domain>]
Default cost is 50, lower is preferred
Default prio is 50, higher is preferred
Cost has precedence over priority
zone prefix <remote-zone-id> <destination-pattern>
[blast |seq] [gw-prio <0-10> <gw-id>] default is sequential
GW-Prio defaults to 5, higher wins, 0 prevents uses of the GW
zone prefix <zone-id-remote-DGK> * forward unknown request to Directory GateKeeper
zone-prefix allowed strings: { [0-9], . (single digit), * (joker sequence) }
endpoint ttl <secs> defaults to 60 secs
lrq forward-queries upgrades the gatekeeper to Directory GateKeeper mode
lrq lrj immediate-advance <secs> sets time between LRJ and LRQ to next matching GK
lrq reject-resource-low rejects a request to an overloaded gateway
gw-type-prefix 1#* default-technology required to route calls to wildcard dest
rrq dynamic-prefixes-accept accepts registration of wildcard destination patterns
security token required-for all authenticates GWs by AAA during registration
no shutdown activates GateKeeper
If a zone is removed, all configured prefixes for that zone are automatically deleted
!bandwidth management shall ONLY be configured on LOCAL zones
bandwidth check-destination enables bandwidth verification before allowing call
bandwidth interzone zone <zone-id> <kbps> maximum total BW to/from the zone
bandwidth session zone <zone-id> <kbps> maximum BW per call
bandwidth total zone <zone-id> <kbps> maximum total BW within a zone
bandwidth {i|s|t} default <kbps> defines all-zones default settings
!gatekeeper clustering
gatekeeper
zone local <local-element> <dns-suffix> <local-gk-ip>
zone cluster local <cluster-id> <local-element>
element <remote-element> <remote-gk-ip> <port>
element <remote-element> <remote-gk-ip> <port>
!TSHOOT
show gatekeeper status
show gatekeeper endpoints list all registered GW on GK
show gatekeeper calls list active calls handled by GK
show gatekeeper zone status show status of all zones registered on GK
show gatekeeper zone prefix all show all registered prefixes on GK
show gatekeeper gw-type-prefix show tech-prefixes of GW registered on GK
show gatekeeper cluster show configured gatekeeper cluster
show gatekeeper zone cluster show gatekeeper cluster status

Analog POTS links Analog
!Analog Phone line configuration (FXS) Foreign Xchange Station
voice-port <voice-port-id> must be an FXS port
signal {loopstart |groundstart} default: loopstart
cptone <CC> country code for dial tone
ring cadence {pattern<id> |define <values>}
ring frequency {25|50} necessary to adjust for OLD analog phones
station-id name <displayname> display name
station-id number <tf-number> tf# number
dial-type {dtmf |pulse}
busyout {force |monitor <int-id> | probe <…>} disables the line
timeouts <type> <value>
no register e164 disables the line registration on the GateKeeper
dial-peer voice <tf-number> pots digit-strip is activated by default on pots DP

corlist in <corlist-in>
destination-pattern <tf-number>
port <voice-port-id>
trunkgroup <trunkgroup-id> use of a trunkgroup is preferable for PBNX trunks
[no] vad voice activation detection, reduces call bandwidth
!Analog phone line configuration (FXO) Foreign Xchange Office

voice-port <voice-port-id> must be an FXO port
trunk-group <trunkgroup-id> assigns the port to a trunk group
caller-id enable
secondary dialtone enables secondary dial-tone, BEWARE of toll fraud!
connection plar opx immediate <tf-number> redirects incoming call to tf-number
trunk group <trunkgroup-id> create a trunk group
!Analog Fax handling DP Settings (more specific) overrides global settings

!global settings
voice service voip fax relay mode uses less bandwidth than fax pass-trough
fax protocol t38 configure industry-standard fax relay
[ls-redundancy {0-5} [hs-redundancy {0-2}]] low & high speed redundancy level
[fallback {none |cisco |pass-through {g711alaw |g711ulaw}}]
Fallback protocol configuration if t38 negotiation fails
fax protocol pass-through {g711alaw |g711ulaw} configure fax pass-through
Fax pass-through use G711 codec for fax transport, no echo cancellation and no VAD
!dial-peer settings
no vad required iff fax pass-through
fax proto {system |t38 |cisco |pass} <…> see global settings protocol options
dtmf-relay h245-signal
!Possible troubleshooting settings
fax rate {<rate> |voice |disable} tune speed to specified rate
fax relay ecm disable facilitate fax pass-through by disabling Error Correction Mode
fax relay sg3-to-g3 negotiate down SG3 signaling to group3 (sg3 relay NOT supported)
fax nsf 000000 overwrites the non-standard facility code
voice-port <fax-port-id> must be an FXS port
no echo-cancel enable required iff fax pass-through
!Analog Modem handling If modem relay fails: auto-fallback to modem pass-trough

voice service voip
modem {relay |passthrough} nse codec {g711alaw |g711ulaw}
[redundancy] send redundant packets (RFC 2198, doubles the traffic)
[maximum-sessions <#>] maximum modem sessions allowed simultaneously
[gw-controlled] will not be controlled by an external MGCP call agent
For relay mode (max 33.6kbps), modem MUST be V.34 or V.90 AND use V.42bis compression
modem relay gateway-xid [compress {backward |forward |both |no}] compression
[<dictionary-value>] [<string-lenght–value>] defaults to 1024/32
Digital POTS links Digital
! E1 Link configuration
card type e1 0 1
controller E1 0/1/0
framing [NO-]CRC4
pri-group timeslots 1-31
network-clock-participate wic 1
network-clock-select 1 E1 0/1/0
interface Serial0/1/0:15
description E1 Voice Trunk
no ip address
no logging event link-status
isdn switch-type primary-net5
isdn timer T310 120000
isdn overlap-receiving T302 2000
isdn negotiate-bchan
isdn integrate calltype all
trunk-group pri
no keepalive
no cdp enable
dial-peer voice 1 pots

no digit-strip
port 0/1/0:15
forward-digits all
!TSHOOT
show controller {e1 |t1 |bri} <slot/port>
show voice port [summary]
show dial-peer voice summary
debug isdn {q921| q931}
test voice port <id> inject-tone {network |local} {<freq> |disable}

test voice port <id> loopback {local |network |disable}
csim start <tf-number> initiates a test call to a analog line (undocumented)
Dial-Plan configuration
!Be careful with dial-peer so that numbering stays coherent between
! En-bloc & digit-by-digit numbering
!Digit Manipulation
Opr Order: 1.num-exp, 2.digit-strip, 3.translation-profile, 4.prefix, 5.forward-digits
num-exp <match-pattern> <set-pattern> globally replaces matched by the set string
dial-peer voice <id> <type>

clid {restrict |strip |network <net-number>}
stip completely removes clid information; restrict only prevents it’s presentation
clid substitute name if display name is empty, sets it as calling number
[no] digit-strip strips digits explicitly matched by the destination-pattern
forward-digits {<#> |all |extra [inband]} sets how much digits are forwarded
only available on POTS dial-peers
prefix <string> appends the prefix to the forwarded number; only on POTS DPs
translation-profile {in |out} <vtp-id>
call-block translation-profile {in |out} <vtp-id>
call-block disconnect-cause {in |out} invalid_number
voice translation-rule <vtr-id> maximum 15 embedded rules

rule <#> /<search-exp>/ /<replace-exp>/ expressions written in regex
[type <match-type> [plan <match-type>]]
rule <#> reject <search-exp>/
voice translation-profile <vtp-id>

translate { called |calling } <vtr-id>
!Dialplan-pattern does not apply for analog endpoints (FXS)

{telephony-service | voice register global}
dialplan-pattern <id> <pattern> extension-length <length>
[extension-pattern <ext-pattern> | no-reg] [demote]
!Calling Privileges
!COR Lists Call is accepted if outgoing COR List is a subset of incoming COR List
dial-peer cor custom Step 1 - Define all possible CORs labels
name <name-…> Enter one “name” entry per COR
dial-peer cor list <corlist-id> Step 2 — Define incoming and outgoing COR Lists
member <name-…> one entry for each COR in this list; must be defined in step 1
member <name-…>
dial-peer voice <id> <type> If no CORList defined on a DP, no restriction applied

corlist {incoming |outgoing} <corlist-id> Step 3—Apply COR Lists to dial-peers
{ephone-dn <e-dn-id> | voice register dn <s-dn-id>} See DP comment

corlist {incoming |outgoing} <corlist-id> Step 3—Apply COR Lists to DNs
!TSHOOT
show num-exp view configured number expansion table
show dialplan number <tf-number> show which dial-peer will be used to reach #
show voice translation-rule [<vtr-id>]
show voice translation-profile [<vtp-id>]
test voice translation-rule <vtr-id> <pattern> [type <type>] [plan <type>]
show dial-peer cor show COR names and lists
show dial-peer voice [<id>] | i Voice|COR|tag|desc show in/out corlist applied
RegEx Rule Char match
^ Match Begin of string
$ Match End of string
/ RegEx delimiter
\ Escape special meaning of next character
- Indicates a range
[list] Match any item in the list
[^list] Match any item NOT in the list
. Match any single character (wildcard)
? Match previous regex zero or one time
* Match previous regex zero or more times
+ Match previous regex once or more times
( ) Group regular expressions
Allowed dial-peer chars

0-9,A-D,*,# Standard
^ Match Begin of string
$ Match End of string
\ Escape next character
- Indicate a range
[ ] List
( ) Pattern
. Match any single character (Wildcard)
? Match previous char Zero or one time
% Match previous char Zero or more times
+ Match previous char Once or more times
T Variable-length
RSVP Resources ReserVation Protocol

call rsvp-sync synchronizes RSVP and voice signalling protocol (enabled by default)
call rsvp-sync resv-timer <secs> sets a timeout on bandwidth RSVP attempt
depending on the acc-qos setting in the Dial-Peer, call can be refused if no RSVP answer
interface <id>
ip rsvp bandwidth <max-res-bw> <max-flux-bw> define max reservable bandwidth
ip rsvp signalling dscp <dscp> dscp code for RSVP signalization

req-qos {best-effort| guaranteed-delay| controlled-load}
request bandwidth by RSVP ; defaults to best-effort (=does NOT make RSVP request)
acc-qos {best-effort| guaranteed-delay| controlled-load}
defines the minimum acceptable RSVP profile; defaults to best-effort
best-effort = allow the call even if RSVP cannot deliver the requested bandwidth
Guar-delay & Ctl Load = deny the call if RSVP cannot deliver the requested bandwidth
!TSHOOT
show ip rsvp [interface]
show call rsvp-sync {conf | stats}
show dial-peer voice | i -qos
debug ip rsvp [messages| path| resv]
Dial-peer matching
Outbound can be changed with “dial-peer hunt” command
1. destination-pattern most precise wins
2. preference lowest wins
3. random selection amongst remaining choices
Inbound
1. incoming called-number —> DNIS (Called Number)
2. answer-address —> ANI (Caller ID) Required for digit per digit signalling
3. destination-pattern —> ANI (Caller ID)
4. port —> Incoming Voice Port (POTS)
5. fallback to default dial-peer “0” /!\ Try to NEVER reach that last one
—> No QoS (DSCP=0), no RSVP, Any codec, No DTMF Relay, VAD Enabled, Limited Fax Support
DSP Farm & Conferencing
voice-card <dsp-id>
dspfarm
dsp services dspfarm pool the DSP capacity in a DSPFarm
codec complexity {flex |high |medium |secure} default: flex
sccp local <interface-id> interface to use for dspfarm registration to the CME
sccp ccm <cme-ip> id <sccp-id> [port <port>] version <#> link to the CME
sccp
voice class custom-cptone <cptone-name> optional notification tone definition
dualtone conference
frequency <frequency-1> [<frequency-2> ...] IN(800 1200); OUT(400 600)
cadence {<pattern> |continuous} IN(200 100 200 300 200 100 200); OUT(300 200 300)
dsp farm profile <farm-id> transcode create a DSPFarm transcoding profile
associate application SCCP links the DSPFarm to the SCCP CME
codec <codec> one entry by allowed transcoded codec
maximum sessions <#> maximum simultaneous transcoding session
no shut activates the DSPFarm profile
dsp farm profile <farm-id> conference create a DSPFarm conferencing profile
associate application SCCP links the DSPFarm to the SCCP CME
codec <codec> one entry by allowed transcoded codec
maximum sessions <#> maximum simultaneous conferences
maximum conference-participants <#> maximum participants per conference
conference-join custom-cptone <cptone-name-join> optional notification tone
conference-leave custom-cptone <cptone-name-leave> optional notification tone
no shut activates the DSPFarm profile
sccp ccm group <gid> configure the DSP capacity for registration to a CME
associate ccm <sccp-id> priority <#>
associate profile <farm-id> register <farm-register-id>
keepalive retries <#>
telephony-services
conference hardware enable multi-party conferencing
max-conferences {0-16} gain [-6 |0 |3 |6] maximum supported conferences on CME
sdspfarm units <#> defines how many dspfarms are allowed to register
sdspfarm tag <#> <farm-register-id> defines allowed DSPFarm IDs on CME
sdspfarm transcode sessions <#> maximum transcoding sessions on CME
sdspfarm conference mute-on <string> mute-off <string>
ephone-dn <e-dn-id> dual-line create virtual conferencing rooms
number <tf-number>
conference {ad-hoc |meetme}
preference <#>
no huntstop do NOT configure on the last meeting number
ephone-template <e-dn-t-id> create template with conferencing functions available

conference add-mode [creator]
conference drop-mode [creator | local]
conference admin give admin rights on all locally hosted conferences
softkeys connected {Hold Trnsfer Park Endcall Confrn ConfList Join Select RmLstC}
softkeys hold {Join Newcall Resume Select}
softkeys idle {ConfList Gpickup Join Login Newcall Pickup Redial RmLstC}
softkeys seized {Redial Endcall Cfwdall Pickup Gpickup Callback Meetme}
ephone <e-ph-id>
ephone-template <e-dn-t-id> assign template to allow use of conferencing functions
show dspfarm profile <farm-id>
show dspfarm dsp all
show ephone-dn conference
show telephony-service conference hardware {detail | number <tf-number>}
show voice dsp [detail]
show sccp
show logging | i HWCONF|SDSPFARM more
Cisco Unified Border Element (CUBE) VoIP to VoIP gateway
voice service voip
allow-connections <src-protocol> to <dst-protocol> valid protocols: h323 & sip
By default, only POTS-to-any and any-to-POTS connections are allowed
media {flow-around |flow-through} RTP goes end to end or through the gateway
allow-connections h323 to h323 disabled by default
h323
call start interwork allows H.223 Fast-Start to H.225 Slow-Start call legs
WARNING: this DISALLOWS the gateway to originate calls; DISABLES any-to-H323 calls
call start {fast |slow} forces the H.323 GW in the requested mode
Defaults to H.323 fast-start for outgoing and accepts both incoming
allow-connections h323 to sip mirrored statement REQ for bidir interworking
allow-connections sip to h323 mirrored statement REQ for bidir interworking
CUBE interworking only supports the two following call-setup matching
H323 fast-start with SIP early offer
H323 slow-start with SIP delayed offer
codec transparent prevents the CUBE from intervening in the codec negotiation
media {flow-around |flow-through} RTP goes end to end or through the gateway
!TSHOOT
show dial-peer voice [summary]
show voip rtp connections show active RTP sessions information: callID, IPs & ports
show voice dsp [detail]
show call history <type> [brief |compact]
debug voip ipipgw IP-to-IP Gateway
debug voip dialpeer monitors Dial-Peer matching process
debug cch323 all
debug {h225 |h245} {asn1 |events} debug gatekeeper registration process
debug ccsip message
debug voip ccapi inout
Phone Records Accounting CDR = Call Detail Record

gw-accouting file activates voip gateway accounting
primary ftp <server>/<path> user <user> pass <password> set primary storage
secondary ifs <device>:/<path> Internal FS ; set secondary storage
cdr-format {compact |detailed} select accounting verbosity
maximum buffer-size <kbps> hold capacity before writing acct to storage
maximum cdrflush-timer <min> hold time before writing acct to storage
maximum retry-count {1-5} retries on primary storage before using secondary
maximum fileclose-timer <min> logging timespan per accounting file
call-history-mib max-size <entries>

Call-history-mib retain-timer <min>
file-acct reset switches back to primary storage for file accounting
file-acct flush with[out]-close writes acct buffer to storage
show call history <type> [brief |compact]

debug voip fileacct
debug voip dump-file-acct
Cisco Unified Video Advantage (CUVA)
telephony-service
service phone videoCapability 1 required for video, CASE-SENSITIVE!
video
maximum-bitrate <kbps>
voice service voip

h323
call start slow required for video across h323 gateways
sip
asymmetric payload full
voice class h323 1

call start slow required for video across h323 gateways
ephone <eph-id>
video enables video capability on the device
MGCP configuration
ccm-manager mgcp enables MGCP communications with UCM
mgcp [<port>] starts MGCP daemon; default port is 2427

mgcp bind {control |media} source-interface <interface-id>
mgcp package-capability <package> configures package capabilities
mgcp default-package <package> selects default package capability
mgcp call-agent <agent-address> [port]
[service-type <type> [version <protocol-version>]]
ccm-manager config server <server>
show mgcp displays status and parameters

show mgcp endpoint provides enpoints names, related voice ports & admin status
show mgcp statistics display packet statistics
show ccm-manager shows registration with call agents
—————————————————————————
???
call fallback threshold <type> <value>
call fallback monitor
call fallback active
call fallback
Port L4 Protocol Info Flood
20 TCP FTP Data
File Transfer
21 TCP FTP Control
22 TCP SSH Secure Shell
23 TCP Telnet
25 TCP SMTP Simple Mail Transfer
53 Both DNS Domain Name System
67 UDP DHCP Server
Dynamic Host Configuration
68 UDP DHCP Client
69 UDP TFTP Trivial FTP
80 TCP HTTP Hyper Text Transfer
110 TCP POP3 Post Office
113 TCP Ident Identification
123 UDP NTP Network Time Y
135 Both RPC EM EndPoint Mapper
137 UDP NetBios NS Name Service Y
138 UDP NetBios DGM Datagram Service Y
139 TCP NetBios Ses Session Service
143 TCP IMAP Internet Message Access
161 UDP SNMP
Simple Network Management
162 UDP SNMP Traps
179 TCP BGP Border Gateway
194 TCP IRC Internet Chat Relay
220 TCP IMAPv3 Internet Message Access
389 Both LDAP Lightweight Directory Access Y
443 TCP HTTPS HTTP Secure
445 TCP SMB (Samba) Windows Shares Y
514 UDP Syslog Remote System Event Logging
520 UDP RIP
631 Both CUPS Common Unix Printing Services
636 Both LDAPS LDAP Secure
646 Both MPLS LDP Label Distribution
873 TCP Rsync Remote Sync
989 TCP FTPS Data
FTP Secure
990 TCP FTPS Control
993 TCP IMAPS IMAP Secure
995 TCP POP3S POP3 Secure
Cisco ASA Firewall
write erase resets to default config
hostname <hostname>
domain-name <dns>
passwd <password>
username <user> password <password> privilege {0-15}
Interface Management 0/0

nameif <name-if> gives a friendly name to the interface
security-level <level> range: 0 (untrusted) to 100 (trusted)
ip address dhcp [setroute] [uses the default gateway received by DHCP]
same-security-traffic permit inter-interface allow traffic if sec level =
http server enable enables https interface

http <ip> <mask> management enables management from specified subnet/host
http redirect management http redirects incoming http to https interface
asdm image <path> defines the web interface source files
ntp server <ip> source <name-if>
dhcpd address <pool-start>-<pool-end> <name-if>

dhcpd dns <ip> interface <name-if>
dhcpd domain <dns> interface <name-if>
dhcpd enable <name-if>
session ips starts console to IPS virtual blade module

show ip address
show interface [<interface-id>]
Frame-Relay
LAR = Local Access Rate = Line Speed

CIR = Commited Information Rate —> Average
PIR = Peak Information Rate —> Peak
Tc = Committed Time interval

Bc = Committed Burst
Be = Excess Burst
CIR = Tc x Bc
Binary Tables
IPv4 Addressing Rules
Binary Value Decimal Bits n^2 n^2-1 Mask Wild

128 64 32 16 8 4 2 1 Value 0 1 0 0 255
1 0 0 0 0 0 0 0 128 1 2 1 128 127
2 4 3 192 63
1 1 0 0 0 0 0 0 192
3 8 7 224 31
1 1 1 0 0 0 0 0 224 4 16 15 240 15
1 1 1 1 0 0 0 0 240 5 32 31 248 7
1 1 1 1 1 0 0 0 248 6 64 63 252 3
1 1 1 1 1 1 0 0 252 7 128 127 254 1

8 256 255 255 0
1 1 1 1 1 1 1 0 254
9 512 511
1 1 1 1 1 1 1 1 255 10 1024 1023
HEX BIN D CIDR Values

0 0 0 0 0 0 255.0.0.0 /8 11111111.00000000.00000000.00000000
255.128.0.0 /9 11111111.10000000.00000000.00000000
1 0 0 0 1 1 255.192.0.0 /10 11111111.11000000.00000000.00000000
2 0 0 1 0 2 255.224.0.0 /11 11111111.11100000.00000000.00000000
255.240.0.0 /12 11111111.11110000.00000000.00000000
3 0 0 1 1 3 255.248.0.0 /13 11111111.11111000.00000000.00000000
4 0 1 0 0 4 255.252.0.0 /14 11111111.11111100.00000000.00000000
255.254.0.0 /15 11111111.11111110.00000000.00000000
5 0 1 0 1 5
255.255.0.0 /16 11111111.11111111.00000000.00000000
6 0 1 1 0 6 255.255.128.0 /17 11111111.11111111.10000000.00000000
7 0 1 1 1 7 255.255.192.0 /18 11111111.11111111.11000000.00000000
255.255.224.0 /19 11111111.11111111.11100000.00000000
8 1 0 0 0 8 255.255.240.0 /20 11111111.11111111.11110000.00000000
9 1 0 0 1 9 255.255.248.0 /21 11111111.11111111.11111000.00000000
255.255.252.0 /22 11111111.11111111.11111100.00000000
A 1 0 1 0 10 255.255.254.0 /23 11111111.11111111.11111110.00000000
B 1 0 1 1 11 255.255.255.0 /24 11111111.11111111.11111111.00000000
255.255.255.128 /25 11111111.11111111.11111111.10000000
C 1 1 0 0 12
255.255.255.192 /26 11111111.11111111.11111111.11000000
D 1 1 0 1 13 255.255.255.224 /27 11111111.11111111.11111111.11100000
E 1 1 1 0 14 255.255.255.240 /28 11111111.11111111.11111111.11110000
255.255.255.248 /29 11111111.11111111.11111111.11111000
F 1 1 1 1 15 255.255.255.252 /30 11111111.11111111.11111111.11111100
IPv4 Form at First Octet Value
8 bits 8 bits 8 bits 8 bits From DEC To DEC
Class A Netw ork Host Host Host 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 127
Class B Netw ork Netw ork Host Host 1 0 0 0 0 0 0 0 128 1 0 1 1 1 1 1 1 191
Class C Netw ork Netw ork Netw ork Host 1 1 0 0 0 0 0 0 192 1 1 0 1 1 1 1 1 223
Class D Multicast 1 1 1 0 0 0 0 0 224 1 1 1 0 1 1 1 1 239
Class E Research 1 1 1 1 0 0 0 0 240 1 1 1 1 1 1 1 1 255
IPv4 IP Addresses
Start End Max No. of Netw orks Max No. of Hosts
Class A 1.0.0.0 126.255.255.255 2^(8-1)-2 or 2^7-2 126 2^24-2 16 777 214
Class B 128.0.0.0 191.255.255.255 2^(16-2) or 2^14 16 384 2^16-2 65 534
Class C 192.0.0.0 223.255.255.255 2^(24-3) or 2^21 2 097 152 2^8-2 254
Class D 224.0.0.0 239.255.255.255
Class E 224.0.0.0 239.255.255.255
IPv4 Reserved Private Space Default
From To Subnet Mask MAC Addresses
Class A 10.0.0.0 10.255.255.255 255.0.0.0 Unicast OUI V ID
Class B 172.16.0.0 172.31.255.255 255.255.0.0 C0 00 00 00 00 00
Broadcast
Class C 192.168.0.0 192.168.255.255 255.255.255.0 FF FF FF FF FF FF
APIPA B 169.254.0.0 169.254.255.255 255.255.0.0 Multicast 01 00 5E xx yy zz
n 2^n 2^n - 1 masks
0 1 0 0
Subnetting 1 2 1 128
2 4 3 192
8 16 24 32 3 8 7 224
4 16 15 240
Use 10.0.0.0/9 to make 4 subnet’s 5 32 31 248
6 64 63 252
Method: 7 128 127 254
8 256 255 255
1. 4 net’s = 4 states => 2 bits 9 512 511
10 1024 1023
codable
2. Subnet’s subnet masks: Netblock
9 + 2 = 11 8 16 24 32
3. Step size Use 100.200.100.200/20
216-11 = 25 = 32
100 224-20 = 24 = 16
4. Add step size and subnet 6
mask:
10.0.0.0/11 1. Netblock’s start address:
10.32.0.0/11 6 x 16 = 96 100.200.96.0
10.64.0.0/11 2. Netblock’s last address:
10.96.0.0/11 96 + 16 = 112 -1
100.200.111.255
JORIS Christophe
Subnet mask conversion 2. « Field» Decimal Method:
8 16 24 32
8 16 24 32 from 10.03.0.0/16
Use 100.200.100.200/20 to 10.76.0.0/16
New notation: 3-3/16 = from 10.3.0.0/16 to 10.3.0.0/16
256 – 224-20 = 240 10.3.0.0 3 not divisible by 2 3-3/16
Next = 10.4.0.0 4 : 2x div by 2 n=2 and 2n-1=3

Summerization Range = 4 – (4 + 3) / 16 - 2 4-7/14
1. « Raw » Binary Method: Next = 10.8.0.0 8 : 3x div by 2 n=3 and 2n-1=7
8 16 24 32
Range = 8 – (8 + 7) / 16 - 3 8-15/13
from 10.01.0.0/16
Next = 10.16.0.0 16 : 4x div by 2 n=4 and 2n-1=15
to 10.15.0.0/16 Range = 16–(16+15)/16-4 16-31/12
01 00000001
15 00001111 Next = 10.32.0.0 32 : 5x div by 2 n=5 and 2n-1=31
12 10.0.0.0/12 Range = 32–(32+31)/16-5 32-63/11
Both addresses are included but
loss of 10.0.0.0/16 address Next = 10.64.0.0 64 : 6x div by 2 n=6 and 2n-1= 63
n 2^n 2^n - 1 masks
Next step would be too high change method
0 1 0 0 Substract from the end: 76 – 64 = 12 not 2n-1
1 2 1 128 Closest floor = 7 n=3
2 4 3 192 Range = 64-(64+7)/16-3 64-71/13
3 8 7 224
4 16 15 240
5 32 31 248
Next = 10.72.0.0 76 – 72 =4 n=2 and 2n-1=3
6 64 63 252 Range = 72–(72+3)/16-2 72-75/14
7 128 127 254
8 256 255 255
9 512 511
Last: 76-76/16
10 1024 1023
JORIS Christophe
Variable Length Subnet Masking (VLSM) 1 Back to Back
A
Distribute 177.77.16.0/20 into 5 networks with following
clients: {250,110,300,75,90} 2 B
1. List clients by prio
3 C
2. Compute number of bits needed
D
3. Compute mask
4
E
4. Compute network starting from 1st available address and
using mask for step size 5
# Clients # bits Mask = 32 - # bits Network Netblock
5 300 9 /23 177.77.16.0/23 177.77.16.0 => 177.77.17.255
1 250 8 /24 177.77.18.0/24 177.77.18.0 => 177.77.18.255
3 110 7 /25 177.77.19.0/25 177.77.19.0 => 177.77.19.127
4 90 7 /25 177.77.19.128/25 177.77.19.128 => 177.77.19.255
2 75 7 /25 177.77.20.0/25 177.77.20.0 => 177.77.20.127
5. Compute back to back connections (from end of global netblock)
Back to Mask Last available Network Netblock n 2^n 2^n - 1 masks

back link always /30 address 0 1 0 0
1 2 1 128
A /30 177.77.31.255 177.77.31.252/30 177.77.31.252 => 177.77.31.255 2 4 3 192
3 8 7 224
B /30 177.77.31.251 177.77.31.248/30 177.77.31.248 => 177.77.31.251 4 16 15 240
C /30 177.77.31.247 177.77.31.244/30 177.77.31.244 => 177.77.31.247 5 32 31 248
6 64 63 252
D /30 177.77.31.243 177.77.31.240/30 177.77.31.240 => 177.77.31.243 7 128 127 254
8 256 255 255
E /30 177.77.31.239 177.77.31.236/30 177.77.31.236 => 177.77.31.239 9 512 511
JORIS Christophe
10 1024 1023
RJ45 Ethernet Cable Pinout (8P8C Connector)
T568A T568A Crossover
Pin Pair Signal Color RJ Pin Pair Signal Color
1 3 Tx+ A+ tip White-Green 1 2 Rx+ B+ tip White-Orange
2 3 Tx- A- ring Green 2 2 Rx- B- ring Orange
3 2 Rx+ B+ tip White-Orange 3 3 Tx+ A+ tip White-Green
4 1 C+ ring Blue 4 4 D+ ring White-Brown
5 1 C- tip White-Blue 5 4 D- tip Brown
6 2 Rx- B- ring Orange 6 3 Tx- A- ring Green
7 4 D+ tip White-Brown 7 1 C+ tip Blue
8 4 D- ring Brown 8 1 C- ring White-Blue
T568B T568B Crossover
1 3 Tx+ A+ tip White-Orange 1 2 Rx+ B+ tip White-Green
2 3 Tx- A- ring Orange 2 2 Rx- B- ring Green
3 2 Rx+ B+ tip White-Green 3 3 Tx+ A+ tip White-Orange
4 1 C+ tip Blue 4 1 D+ tip White-Brown
5 1 C- ring White-Blue 5 1 D- ring Brown
6 2 Rx- B- ring Green 6 3 Tx- A- ring Orange
7 4 D+ ring White-Brown 7 4 C+ ring Blue
8 4 D- tip Brown 8 4 C- tip White-Blue
RJ45 E1 Cable Pinout (8P8C Connector)

RJ48C RJ48C Crossed
1 3 Tx+ tip White-Orange 1 1 Rx+ tip Blue
2 3 Tx- ring Orange 2 1 Rx- ring White-Blue
3 2 shield White-Green 3 2 shield White-Green
4 1 Rx+ tip Blue 4 3 Tx+ tip White-Orange
5 1 Rx- ring White-Blue 5 3 Tx- ring Orange
6 2 shield Green 6 2 shield Green
7 4 White-Brown 7 4 White-Brown
8 4 Brown 8 4 Brown
Rollover Cable / YOST Cable / Cisco Console Cable

DTE (Router Side) DCE (Computer Side)
Pin Pair DB9 DB25 Signal Color RJ Pin Pair DB9 DB25 Signal Color
1 1 8 5 CTS White-Orange 1 8 7 4 RTS Brown
2 2 6/1 6/8 DSR/DCD Orange 2 7 4 20 DTR White-Brown
3 3 2 3 RxD White-Blue 3 6 3 2 TxD Green
4 4 5 7 GND Blue 4 5 5 7 GND White-Green
5 5 5 7 GND White-Green 5 4 5 7 GND Blue
6 5 3 2 TxD Green 6 3 2 3 RxD White-Blue
7 7 4 20 DTR White-Brown 7 2 6/1 6/8 DSR/DCD Orange
8 8 7 4 RTS Brown 8 1 8 5 CTS White-Orange
License Creative Commons
Attribution - ShareAlike 3.0 Unported
(CC BY-SA 3.0)
You are free:
to Share — to copy, distribute and transmit the work
to Remix — to adapt the work
— to make commercial use of the work
Under the following conditions:

Attribution — You must attribute the work in the manner specified by the
author or licensor (but not in any way that suggests that they
endorse you or your use of the work).
Share Alike — If you alter, transform, or build upon this work, you may
distribute the resulting work only under the same or similar
license to this one.
With the understanding that:

 Waiver — Any of the above conditions can be waived if you get permission from the
copyright holder.
 Public Domain — Where the work or any of its elements is in the public domain
under applicable law, that status is in no way affected by the license.
 Other Rights — In no way are any of the following rights affected by the license:
 Your fair dealing or fair use rights, or other applicable copyright exceptions and
limitations;
 The author's moral rights;
 Rights other persons may have either in the work itself or in how the work is
used, such as publicity or privacy rights.
 Notice — For any reuse or distribution, you must make clear to others the license
terms of this work. The best way to do this is with the link below.
This is a human-readable summary of the legal code (the full license) available at
http://creativecommons.org/licenses/by-sa/3.0/legalcode
24 February 2014
EVRARD
Benjamin

Aide Memoire Cisco

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aide Memoire Cisco

Uploaded by

Copyright:

Available Formats

EVRARD Benjamin

This document is licensed under a

This booklet started as a small aide-mémoire I wrote for myself during my

With time, I have completed it with templates and configuration commands

I try to maintain it as error-free as can be. Nevertheless, should you en-

Console Line Speed (baud) Boot Field

Configure CDP/LLDP L2 Broadcast Address

Assign IP address to a switch

mac address-table aging-time <secs> defaults to 300

show mac address-table count

clear mac address-table dynamic

SmartPort Macros / Templates

macro global {apply |trace} <macro-name> apply global macro

configure replace <source> [list] [force] replace running-config by source

! Configure Local NTP Server

services timestamps debug datetime msec show-timezone year

logging on activates logging to all destinations

terminal monitor redirects console messages to local session

Limited L3 Routing on L2 Switch requires IOS 12.2(55) lanbase

! 802.1x RADIUS Authentication (EAPoL = Ext Auth Protocol over LAN)

interface {<interface-id> |range <interface-range>}

! Mitigate Spoofing attacks

! IP Source Guard !Requires DHCP snooping

! VLAN Access Lists

! Avoid VLAN Hopping on dot1q trunking ports

vlan <bogus-vlan-id> OPTION 2

vlan <sec-vlan> define secondary vlan

interface <interface-id> config for isolated/community host

interface <vlan-id> config for L3 SVI interface

interface <interface-id> switchport trunk pruning

Configure Multiple Spanning Tree 802.1s = Multiple Spanning-Tree

! Protect against sudden loss of BPDUs (Unidirectional ‘wire’ failure)

! BPDU Filtering To use carefully, even avoid if possible!

Root Port Port with lowest path cost to root switch

RSTP Link Types

p2p Full Duplex Bandwidth Orig d-1998 t-2001

shared Half Duplex 4 Mbps 250 250 5 000 000

BPDU Message 10 Mbps 100 100 2 000 000

Field Bytes 16 Mbps 63 62 1 250 000

Protocol ID 2 45 Mbps 22 39 444 444

Version 1 100 Mbps 10 19 200 000

Flags 1 622 Mbps 2 6 31 154

Root Bridge ID 8 1 Gbps 1 4 20 000

Root Path Cost 4 2 Gbps 3 10 000

VRRP - Virtual Router Redundancy Protocol IETF RFC 3768

HSRP - Hot Standby Router Protocol RFC 2281 - Cisco proprietary

GLBP - Gateway Load Balancing Protocol Cisco Proprietary

! Remote Port mirroring (RSPAN)

ip flow-top-talkers configure the N top BW consuming devices view

rmon alarm <alarm-id> <mib-id> <secs> {delta |absolutes}

user <username> [privilege <level>]

banner {login|motd} <delimiter-char> <text> <delimiter-char>

username <username> privilege 15 secret 0 <password>

Interface serial <slot/port>.<subif> [point-to-point |multipoint]

alias exec <alias> <command> creates a alias command

ip dhcp pool <name> (Option #)

! extended ACL closer to the source

line vty <range>

! dynamic ACL (don’t forget to activate vty login)

access-list <acl-id> permit tcp any host 10.1.1.1 eq telnet

access-list <acl-id> dynamic testlist timeout 15

show ip prefix—list [detail] <name>

vlan filter <map-name> vlan-list <vlan-list> apply access-map

Route Type Dist Cost Multicast IP Convergence Type Protocol Type