CCNA Cheat Sheet: https://github.com/HerrSpace/CCNA-Cheat-Sheet/

Configure basic Networking

Command	Description
(config)# interface g1/0	Enter their interface config mode
(config-if)# description Link to Somehost	Human readable link description
(config-if)# ip address 10.23.42.5 255.255.0.0	Add IPv4 address to interface.
(config-if)# mac address 1234.5678.90AB	Overwrite MAC address.
(config-if)# no mac address	Remove MAC overwrite.
(config-if)# ipv6 address 2001:41d0:8:e115::ccc/64	Add IPv6 address to interface.
(config-if)# ipv6 address 2001:41d0:8:e115::/64 eui-64	Add IPv6 address based on MAC to interface.
(config-if)# ip address dhcp	Get IPv4 address via dhcp.
(config-if)# ipv6 address autoconfig [default]	Get IPv6 address [and default route] via autoconfig
(config-if)# ip dhcp client client-id asccii SW2	Set hostname transmitted as dhcp client to SW2
(config)# interface g1/0 - 2	Configure both interfaces at once.
(config-if)# [no] shutdown	En- or Disable interface. Often shutdown is the default.
(config)# ip default-gateway 10.23.42.1	Set 10.23.42.1 as the default gateway
(config)# ip route 10.20.30.0 255.255.255.0 {1.2.3.4,e0/0} [ad]	Add static route via next hop or interface
(config)# ipv6 route 2001:41d0:8:e115::/64 [g1/1] [next hop]	Next hop is required for Ethernet interface in IPv6
(config)# ip host the-space.agency 178.32.222.21	Create a static host entry on this device.
(config)# ipv6 unicast-routing	Globally enable ipv6 routing.

Troubleshoot basic Networking

Command	Description
# show interfaces [if-name]	Show interfaces mac, bandwidth, mtu, packet stats…
# show ip[v6] route [static]	Show routes and how they were learned.
# show ip[v6] interface [if-name]	Show interfaces ip/arp/icmp/nd… configuration
# show ip[v6] interface brief [if-name]	Only show ip, status and operational status
# show protocols [if-name]	Much like show ip int brief, w/ cidr, w/o ok/method
# show mac address-table	Show the mac address table of a switch.
# clear mac address-table [dynamic]	Clear the dynamically learned mac address table entries.
# show arp	Show {ip,ipx,appletalk}-mac bindings
# show ip arp [{ip, mac, if-name}]	Show ip-mac bindings
# clear [ip] arp 192.168.1.1	Remove arp entry for ip
# debug arp	Show debug messages when receiving/sending arp packets
# undebug all	Disable all previously enabled debugs
# show ipv6 neighbors	Show neighbor discovery table cache
# ping 1.2.3.4 [source g1/1]
# traceroute 1.2.3.4 [source g1/1]
# show control-plane host open-ports	netstat -tulpn on this cisco device, basically

Troubleshoot networks with SPAN

Command	Description
(config)# monitor session 23 source interface g1/1 {rx,tx,both}	Define SPAN #23 input as g1/1
(config)# monitor session 23 destination interface g1/2	Define SPAN #23 output as g1/2
# show monitor	Show all configured SPANs

Port Security

Command	Description
(config-if)# switchport mode {access, trunk}
(config-if)# [no] switchport port-security	En/Disable port-security
(config-if)# switchport port-security maximum 1	Number of allowed MACs.
(config-if)# switchport port-security mac-address 1234.5678.9abc	Manually allow a MAC on this port.
(config-if)# switchport port-security mac-address sticky	Allow learning of connected macs until mac reached.
(config-if)# switchport port-security violation shutdown	Shutdown port when other device gets connected.
(config-if)# shutdown (config-if)# no shutdown	Reenable if after port-security violation.
(config)# errdisable recovery cause psecure-violation	Reenable if automatically after problem is fixed.
(config)# errdisable recovery interval 42	Recheck every 42 seconds. (min 30, default 300)

Port-security violation terms

Term	Definition
protect	Drops packets, no alert
restrict	Drops packets, increments security-violation count
shutdown	Shuts down the port (default)

Troubleshooting Port Security

Command	Description
# show port-security [interface g1/1]	port status, violation mode, max/total MACs,…
# show port-security address	Secure MACs on ports.
# show errdisable recovery	Check if autorecovery is enabled. Disabled by default.

Configure vlans

Note: Even when a switch port is changed from access to trunk, its access vlan is maintained in the config. When automatic trunk negotiation fails (e.g. because I unplug a link between to switches and put it into my laptop) the configured access vlan becomes active once again and I might be able to reach network parts I’m not supposed to. Always disable DTP / trunk auto negotiation.

Layer2 Switch Vlan Config

Command	Description
(config)# [no] vlan 23	[delete vlan or] create vlan and enter config-vlan mode
(config-vlan)# name TelephoneSanitizer	Name this vlan TelephoneSanitizer
(config)# int g1/1
(config-if)# switchport mode access	Make frames out this port untagged
(config-if)# switchport access vlan 23
(config)# int g1/2
(config-if)# switchport mode trunk	Make frames out this port tagged by default
(config-if)# switchport trunk encapsulation dot1q	Sometimes the default is ciscos old isl.
(config-if)# switchport trunk native vlan 256	Except for vlan 256, which is still untagged.
(config-if)# switchport nonegotiate	Disable DTP

Layer3 Switch Vlan Config

Command	Description
(config)# interface vlan 23	enter interface config mode
(config-if)# ip address 1.2.3.4 255.255.255.0	set device ip in vlan 23
(config-if)# no shutdown	virtual interfaces are disabled by default
(config-if)# int g
(config)# no vlan 23	delete vlan 23

Router (on a Stick) Vlan Config

Command	Description
(config)# interface g1/1.10	Create subinterface g1/1.10 on g1/1
(config-subif)# encapsulation dot1q 10	enable ieee 802.1Q vlan tagging with vlan 10 on the subinterface
(config-subif)# ip address 10.0.10.1 255.255.255.0
# show vlans	Show vlans and their trunk interfaces

Troubleshoot Vlans on a switch

Command	Description
# show vlan [{id 23, name TelephoneSanitizer}] [brief]	Show vlan settings for all switch ports
# show interfaces g1/1 switchport	Verify mode and vlan of g1/1
# show interfaces g1/1 trunk	Show trunk settings and state
# show run interface vlan 1	Quick way to search the running config.
# show interface status	Show trunk mode / access vlan
# show dtp interface g1/1	Show current DTP mode for g1/1

VTP

Command	Description
(config)# vtp mode [server, client, transparent]
(config)# vtp domain
(config)# vtp password
(config)# vtp pruning

Troubleshoot VTP

Command	Description
show vtp status	show vtp domain, pruning, mode and more
show vtp password

STP

Spaning Tree Protocol (802.1D) blocks ports with redundant links to prevent layer 2 loops and broadcast storms.

Command	Description
(config)# spanning-tree vlan 1 root {primary, secondary}	Make this device the primary/secondary root bridge.
(config)# spanning-tree portfast bpduguard default	Enable bpdu guard for all portfast enable interfaces
(config)# spanning-tree portfast default	Enable portfast for all non-trunk interfaces
(config-if)# spanning-tree bpduguard enable	Enable gpduguard on this interface
(config-if)# spanning-tree portfast	Enable portfast on this interface
(config-if)# spanning-tree guard root	Enable root guard on this interface

Troubleshoot STP

Command	Description
# show spanning-tree [vlan 1]	Who’s the root and how do I get there?
# show spanning-tree summary	Is global portfast/bpduguard configured?
# show running-config interface g1/1	Is portfast/bpduguard configured on this interface?
# show spanning-tree interface g1/1 portfast	Is portfast active on this interface?

RSTP

Rapid Spanning Tree Protocol (802.1w) reduces convergence time after a topology change compares to STP.

Command	Description
(config)# spanning-tree mode rapid-pvst	Change spanning-tree mode to RSTP

Etherchannel (Link Aggregation)

How to set LACP? TODO: Look at modes again

Command	Description
(config)# interface range g1/1 - 2	configure g1/1 and g1/2 at the same time
(config-if-range)# channel-group 1 mode {auto, desirable}	Add both interfaces to etherchannel 1 (PAgP)
(config-if-range)# channel-group 1 mode {active, passive}	Add both interfaces to etherchannel 1 (LACP)
(config-if-range)# channel-group 1 mode on	Add both interfaces to etherchannel 1 (Static)
(config)# interface port-channel 1	Configure virtual interface for etherchannel 1
(config-if)# switchport mode trunk	Put etherchannel 1 in trunk mode
(config-if)# switchport trunk allowed vlan 10,20,30	Add tagged vlans 10,20,30 on ethercahnnel 1

Troubleshoot Etherchannel (Link Aggregation)

Command	Description
# show interface port-channel 1	Has the combined bandwidth and members as extra info.
# show etherchannel summary	Show etherchannel protocols and members as a list
# show etherchannel port-channel 1	Show per member state and stats

Configure a Serial

Layer 1 link speed is dictated by a CSU/DSU, in a lab without an external CSU/DSU a DTE (Data Terminal Equipment) cable and DCE (Data Communications Equipment) cable are used.

Command	Description
(config)# interface serial 1/0	Configure interface serial 1/0
(config-if)# clock rate 128000	Set clock rate on DCE router side to 128 kbps
(config)# show controllers serial 1/0	Verify clock rate for serial interface 1/0

ACLs

1-99,1300-1999: Standard IPv4 ACL

100-199,2000-2699: Extended IPv4 ACL

Default mask for standard ACLs: 0.0.0.0

Command	Description
(config)# access-list 23 permit 1.2.3.4 [0.0.255.255]	Create ACL #23 or append a rule to ACL #23, allow 1.2.x.x
(config)# no access-list 23	Delete entire ACL #23
(config)# ip[v6] access-list resequence local_only 5 10	Renumber ACL Rules, put first on #5, increment by 10.
(config)# ip access-list {standard, extended} 23	Create ACL and/or enter config mode for ACL #23
(config)# ip access-list {standard, extended} local_only	Create ACL and/or enter config mode for ACL ‘local_only’
(config-std-nac1)# permit 10.20.30.0 0.0.0.255	Append rule to standard ACL ‘local_only’
(config-std-nac1)# 5 permit 10.20.30.0 0.0.0.255	Append rule to ACL at sequence number 5.
(config-std-nac1)# no <sequence#>	Remove rule with sequence# from ACL
(config-ext-nac1)# deny tcp any any
(config-ext-nac1)# permit udp host 10.20.30.40 any lt 1024
(config-ext-nac1)# permit udp host 10.20.30.40 any eq dns
(config-ext-nac1)# deny udp host 10.20.30.40 any
(config-ext-nac1)# permit ip any any

Interface ACLs

Command	Description
(config)# inter g1/1	Enter if-config mode for g1/1
(config-if)# ip access-group 23 out	Apply ACL #23 to outgoing packets, not send by the router
(config-if)# ip access-group 42 in	Apply ACL #42 to incoming packets
(config-if)# ip access-group local_only in	Overwrite the used ACL, only one ACL per if + proto + direction!
(config-if)# ipv6 traffic-filter 23 out	The v6 syntax of course differs…
# show ip interface g1/1 \| incl access list	Show ACLs on g1/1 (When none set shows not set for v4 and nothing for v6)

Troubleshooting ACLs

Command	Description
# show [ip[v6]] access-lists	Show all configured ACLs
# show access-list 10	Display all rules in ACL #10 and how often they matched.

NAT

Local addresses are any address as it appears inside the network. Global addresses are any address as it appears outside the network.

Term	Definition
inside local	IP address assigned to a host inside the network, non-routable
inside global	IP address assigned by Network Information Center or ISP, routable
outside local	IP address of a remote host as it appears inside the network, non-routable
outside global	IP address of a remote host assigned by the host owner, routable

Command	Description
(config)# int g1/1	Enter if-config mode for g1/1
(config-if)# ip address 1.2.3.4 255.255.255.240	configure 1.2.3.4/28 on g1/1
(config-if)# ip nat outside	Packets going out, need to change their src, incoming their dest ip.
(config)# int g1/2	Enter if-config mode for g1/2
(config-if)# ip address 10.10.23.1 255.255.255.0	configure 10.10.23.1/24 on g1/2
(config-if)# ip nat inside	Packets going out, need to change their dest, incoming their src ip.

SNAT

Command	Description
(config)# ip nat inside source static 10.10.23.2 1.2.3.5	SNAT - statically map an internal ip 1:1 to an external ip.

DNAT

Command	Description
(config)# access-list 42 permit 10.10.23.0 0.0.0.255	Create an ACL identifying 10.10.23/24
(config)# ip nat pool POOL 1.2.3.5 1.2.3.10 netmask 255.255.255.240	Create an IP Address Pool for NATing
(config)# ip nat inside source list 42 pool POOL	DNAT IPs matching ACL #42 1:1 with IPs from nat pool ‘POOL’.

Note the missing overload.

PAT

The overload keyword means, that one or a couple of external IPs are to be used for multiple internal IPs. Higher level information like connection port numbers are used to identify the correct internal destination for incoming packets. Cisco calls this PAT, while this is what your average joes home router would call NAT.

Command	Description
(config)# access-list 10 permit 10.10.0.0 0.0.255.255	Create an ACL identifying 10.10/16
(config)# ip nat inside source list 10 interface g1/1 overload	PAT IPs matching ACL #10 many:1 with g1/1s public IP

Troubleshooting NAT

Command	Description
# show ip nat translations	Show nat table entries if any
# show ip nat statistics	Show translations are actually used and interfaces are marked in/out correctly.
# clear ip nat translation {ip, *}	Clear dynamic translations. Doesn’t mess with SNAT!
# debug ip nat [detailed]

Is the ACL correct? Is there a route to the address? Note: NAT Table entries are kept for 24h after the last use by default.

DHCP Server

Command	Description
(config)# ip dhcp excluded-address 10.30.4.1 10.30.4.100	Don’t distribute these IPs in leases
(config)# ip dhcp pool PCs	Creat and/or enter dhcp config for pool ‘PCs’
(dhcp-config)# network 10.30.4.0 /24	define pool addresses
(dhcp-config)# default-router 10.2.1.1	define default-gateway to be distributed in the leases
(dhcp-config)# dns-server 10.30.4.1
(dhcp-config)# domain-name acme.com
(dhcp-config)# lease	lease validity time
(config)# int g1/1	Enter interface config mode on client facing interface
(config-if)# ip helper-address 192.168.1.1	Relay DHCP Requests to this host

Troubleshooting DHCP

Command	Description
# debug ip dhcp server packet
# show dhcp lease	Show dhcp lease information
# show ip dhcp pool	Show pool size and addresses in use
# show ip dhcp binding	Show which mac got which ip
# sh run \| section dhcp	See if ip dhcp exclude-address / pool stuff is wrong.
# sh run int g1/1	See if ip helper-address is wrong.

HSRP

Command	Description
(config-if)# standby [group-number] ip	Join HSRP Group
(config-if)# standby [group-number] priority	(optional) Set prio of this router.
(config-if)# standby [group-number] preempt	(optional) Preempt other routers when this router becomes active
(config-if)# standby {1,2}	(optional) Set HSRP Version

Troubleshooting HSRP

Command	Description
# show standby	HSRP Groups, their VIPs, state, active router, standby router, preemption.

SLAs

Command	Description
(config)# ip sla 23	Create ip sla test #23 and enter its config mode.
(config-ip-sla)# icmp-echo 1.2.3.4	Define icmp-echo test.
(config-ip-sla)# frequency 42	frequency in seconds.
(config)# ip sla schedule 23 life {forever, seconds} start-time now	Start test #23 now and until manually stopped.

Troubleshooting SLAs

Command	Description
# show ip sla configuration	Show all configured ip sla configs
# show ip sla statistics	Show sla results

Device Management

Command	Description
(config)# hostname R1	Set hostname to R1
(config)# enable password	Set enable passwort.
(config)# enable secret	Same, but with hashing.
(config)# service password-encryption	Very weak encryption of passwords passwords.
# copy flash0: tftp:	Copy something from flash to tftp. Wizard asks for details. Works both ways.
# write	# copy running-config startup-config
# write erase	# erase startup-config
# reload	restart the device and load the startup-config
# copy running-config tftp:	copy running-config to an tftp server. (interactive)
# copy running-config	Merge source config into the running config.
# setup	initial configuration dialog
# show version	ios, bootloader and hardware infos, uptime, configuration register
# show {running,startup}-config

Firmware Management

Note: flash: is the main flash memory on all iOS devices

Command	Description
(config)# boot system flash:filename.bin	Boot filename.bin from flash memory.
(config)# boot system tftp://10.20.30.40/filename.bin	Boot filename.bin from tftp.
(config)# boot system rom	Boot ROM monitor as a backup.
(config)# config-register 0x2342	Set the 16bit Configuration Register value used after reboot.

# show file systems	Lists available file systems
# show flash0:	List fs content and free space.

License Management

Command	Description
# license save flash:licenses.lic	Save a copy of all licenses.
# license install flash0:license.xml	Install a license.
(config)# license boot module technology-package	active a evaluation right-to-use license.
# reload	Reboot to activate the package and right to use license.

(config)# license boot module technology-package disable	deactive a technology-package.
# reload	Reboot without that technology-package.
# license clear	Remove license from the license storage.
(config)# no license boot module technology-package disable	Remove the no longer needed line from the config.
# reload	I don’t even know why this is needed. Fu cisco.

# show license	active licenses
# show license feature	technology packe and feature licenses supported.
# show license udi	product id and serial number needed to order licenses

Reset Password

Command	Description
> confreq	Show the configuration register in rom monitor
> confreq 0x2142	Set the configuration register in rom monitor to not load startup-conf
> reset	Reboot in rom monitor
# copy startup running
(config)# enable secret foobar	Overwrite forgotten password
(config)# config-register 0x2102	Do load startup-config after boot again.
# save

Telnet / Console

Command	Description
(config)# banner login “Insert snarky banner.”	Make sure to include legal terms to sound smart.
(config)# banner motd “Insert snarky banner.”	Set Login Banner.
(config)# line vty 0 4	Enter config mode for vty 0 to 4 (up to 15 allowed).
(config)# line console 0	Enter config mode for the console port
(config-line)# login	Require login on telnet/console connection.
(config-line)# password	Enable Telnet and set vty login password.
(config-line)# access-class 10 in	Set ACL to limit inbound IPs allowed to access vty
(config-line)# access-class 42 in	Overwrite the used ACL, only one ACL per vty + direction!
(config-line)# exec-timeout 10	Autologout after 10 Minutes
(config-line)# login local	Require login on telnet/console connection via local users.
(config)# username h.acker secret C1sco123	Create local user with encrypted password.

SSH

Command	Description
(config)# hostname Foobar	Required to generate SSH keys.
(config)# ip domain-name example.com	Required to generate SSH keys.
(config)# crypto key generate rsa modulus 2048	Generate keys like it’s 1995! Potentially takes forever.
(config)# ip ssh version 2	Force SSHv2
(config-line)# transport input ssh	Force ssh, disable telnet.
# show ip ssh	SSH version, timeout time, auth retries..
# show ssh	List of active connections

Clock

Command	Description
# show clock	Show time and date
(config)# clock set 23:50:42 10 Jan 2017	Update clock
(config)# clock timezone EST 0	Update timezone to EST
(config)# ntp server 10.20.30.40	Configure upstream ntp server.
(config)# ntp master [stratum]	Enable ntp server.
# show ntp associations	ntp connections.
# show ntp status	synchronized?, statum, …

Disable unused services

Command	Description
# show control-plane host open-ports	Show open ports
(config)# no ip http server	Stop the http server (but not https).
(config)# no cdp enable	Stop CDP
# auto secure

Radius

Command	Description
(config)# username password	Local backup user.
(config)# aaa new-model	Enable aaa services.
(config)# radius server	Add and define Radius conf.
(config-radius-server)# address ipv4 [auth-port ]	Use this hostname/ip of server.
(config-radius-server)# key	Radius PSK
(config)# aaa group server radius	Create authentication group.
(config-sg-radius)# server name	Using the radius config.
(config)# aaa authentication login group local	Allow that group and local users in.

TACACS+

Command	Description
(config)# username password	Local backup user.
(config)# aaa new-model	Enable aaa services.
(config)# tacacs server	Add and define TACACS conf.
(config-server-tacacs)# address ipv4
(config-server-tacacs)# [port ]
(config-server-tacacs)# key
(config)# aaa group server tacacs+	Multiple possible.
(config-sg-tacacs+)# server name
(config)# aaa authentication login group local	Allow that group and local users in.

Syslog

Command	Description
# logging 10.20.30.40	Log to this syslog server (name or ip)
# logging trap informational	Only log messages with min. informational sev.

service sequence-number | Needed for seqence number in syslog messages service time stamps log [datetime, log] | Needed for date and time in syslog messages

Command	Description
# show logging	syslog status, local logging buffer

SNMP

Command	Description
(config)# snmp-server contact admin@example.com	Contact email
(config)# snmp-server location RZ-Hamburg	Where is the device
(config)# snmp-server community [ro, rw]	Add community
(config)# snmp-server host 10.20.30.40	SNMP notifications recipient

Command	Description
# show snmp community
# show snmp location
# show snmp contact
# show snmp host

CDP - Cisco Discovery Protocol

Command	Description
# [no] cdp run	Enables cdp globaly and on all interfaces (default)
# (config-if)# [no] cdp enable	Enable cdp on an interface
# show cdp neighbors [detail]	List connected cisco devices (name, local/remote port, [ip] ..)
# show cdp entry *

LLDP - Link Layer Discovery Protocol

Command	Description
# [no] lldp run	Enables lldp globaly and on all interfaces
(config-if)# [no] lldp transmit	Enable lldp packet transmission on interface
(config-if)# [no] lddp receive	Enable lldp packet reception on interace

PPP

Command	Description
(config)# username fnord password pass	Create users for pap auth.
(config)# inteface S0/0/0
(config-if)# clock rate 125000	Baud rate. Only on DCE cable!
(config-if)# bandwidth 125	Logical speed used for routing cost calc, RSVP…
(config-if)# encapsulation ppp	Default is HDLC
(config-if)# ppp authentication pap	Require remote to authenticate via pap
(config-if)# ppp pap sent-username fnord password pass	Authenticate to remote pap

(config)# hostname routy1	Required for CHAP, used as chap client username
(config)# username routy2 password foobar	Create users for chap auth for routy2
(config)# inteface S0/0/0
(config-if)# no ppp authentication pap	Remove in favor of chap
(config-if)# no ppp pap sent-username fnord password pass	Remove in favor of chap
(config-if)# ppp authentication chap	Require remote to authenticate via chap

Note: When routy1 connects to routy2 it looks in it’s local user database for a user named routy2 and uses that users password. This means the passwords have to be the same on both sides and the usernames must be the other sides hostname.

Troubleshooting PPP

Command	Description
# show controllers S0/0/0	interface, connected type of cable, clock rate
# show interfaces	encapsulation, logical bandwidth
# show ppp all	session state, auth type, peer ip and name
# debug ppp authentication

MLP

Command	Description
(config)# interface Multilink23	Create and configure virtual if
(config-if)# ip address 10.20.30.40 255.255.255.0
(config-if)# ppp multilink	Enable mlp
(conifg-if)# ppp multilink group 23	Make phys ifs with mlp #23 join.
(config)# interface s0/0/0	Configure phys ifs
(config-if)# no ip address	Remove ip addrs.
(config-if)# encapsulation ppp
(config-if)# ppp multilink
(config-if)# ppp multilink group 23	Join mlp group #23.

Troubleshooting MLP

Command	Description
show ppp multilink	Physical IFs,

PPPoE

Command	Description
(config)# interface Dialer23	Create and configure virtual dialer interface.
(config-if)# ip address negotiated	Get IP via PPP/IPCP
(config-if)# encapsulation ppp
(config-if)# dialer pool 23	The dialer interface is a member of one dialer pool…
(config)# interface s0/0/0
(config-if)# no ip address
(config-if)# pppoe-client dial-pool-number 23	… the pool is a group of one or more physical interfaces.

Troubleshooting PPPoE

Command	Description
# show ip interface brief	is the dialer if up? Does the dialer have an IP via IPCP?
# show pppoe session	Are PPPoE sessions established? Which ports.

GRE

Note: We can run OSPF and other routing protocols through this gre tunnel, as gre supports multicast.

Command	Description
(config)# interface tunnel23
(config-if)# ip address 192.168.1.1 255.255.255.0	transit net
(config-if)# tunnel source 10.20.30.40	local, can be linklocal
(config-if)# tunnel destination 6.5.4.3	remote, can be linklocal

tunnel mode gre ip ip mtu

Troubleshooting GRE

Command	Description
# show ip interface brief tunnel23	Line hould be up, given a route to the destination.
# show inteface tunnel23	Tunnel source, dest, protocol
# show ip route	Should include the transit net as directly connected.

RIPv2

Command	Description
(config)# router rip	Enable RIP and enter it’s config mode
(config-router)# version 2	Set RIPv2, which is Classless
(config-router)# network 192.168.0.0	Advertise connected networks which are within .
(config-router)# network 0.0.0.0	Advertise all connected networks.
(config-router)# timers basic
(config-router)# no auto-summary	Don’t summarize a smaller subnet route in a bigger one.
(config-router)# passive-interface g1/1	Don’t send RIP updates out this interface
(config-router)# passive-interface default	Don’t send RIP updates on any if by default
(config-router)# no passive-interface g1/2	Overwrite passive-interface default
(config-router)# default information originate	Advertise the default route.
(config-if)# no ip rip advertise 123

Troubleshooting RIPv2

Command	Description
# show ip[v6] protocols	Show rip timers, interfaces, networks,
# show ip rip database	Routes learned by rip, used to combile the routing table
# show ip route	Show learned routes
# clear ip route *	Get rid of all routes

EIGRP

Note: The network command enables any interface with an ip in that net to send and receive EIGRP updates. Also it enables routes to this nets to start beeing advertised.

Command	Description
# show run &#124 section eigrp	Show EIGRP settings.
# show interfaces g1/1	Show configured/default bandwith and delay.
(config-if)# bandwidth	Overwrite bandwidth used for eigrp metric.
(config-if)# delay	Overwrite deplay used for eigrp metric.
(config)# router eigrp 23	Add and conf EIGRP AS#23
(config-router)# network 10.20.30.0 0.0.0.255	Announce routes to 10.20.30.0/24
(config-router)# no shutdown	On some iOS versions it’s off by default.
(config-router)# [no] eigrp router-id	Defaults to highest loopback ip
(config-router)# [no] passive-interface g1/2	Disable EIGRP here. Ignore incoming pkgs.
(config-router)# [no] passive-interface default	Disable EIGRP on all ifs by default.
(config-router)# maximum-paths	Default 4, must match, number of loadbalanced paths.
(config-router)# variance 4	Default 1, Max 4:1 variance for unequal lb.
(config-router)# no auto-summary	Don’t summarize a smaller subnet route in a big one.
# show ip[v6] eigrp neighbors	Neighbor addr, if, hold time, uptime, queued pkgs
# show ip[v6] eigrp interfaces [if-name]	If, Number of peers, pending routes, queued pkgs
# show ip[v6] route [eigrp]	Routes starting with D were learned via EIGRP
# show ip[v6] eigrp topology [all-links]	Topology table, as#, router-id

EIGRP with ipv6

Command	Description
(config)# ipv6 unicast-routing	Enable v6 routing on the router
(config)# ipv6 router eigrp 23	Configure eigrp as #23
(config-rtr)# no shutdown	Enable this eigrp routing process.
(config-if)# [no] ipv6 eigrp 23	Enable eigrp with ipv6 for as #23 on this if.

OSPF

cost = reference bandwidth / interface bandwidth

The default reference bandwith is 100Mbps. Everything faster has a cost of 1.

Command	Description
(config)# router ospf 1	1 is the pid, not the area.
(config-router)# router-id 1.2.3.4	Defaults to highest IPv4 on lo, then other ifs.
(config-router)# network 10.20.30.0 0.0.0.255 area 0	enable interfaces for ospf with matching IPs
(config-router)# (no) passive-interface g1/1	Stop in- and egress ospf hello packets.
(config-router)# passive-interface default	Mark all ifs passive by default.
(config-router)# default-information originate (always)	Advertise default routes into a normal area
(config-router)# auto-cost reference-bandwidth <refbw in Mb/s>	Change reference bandwidth speed
(config-if)# ip ospf cost 23	Overwrite interface cost to 23
(config-if)# bandwidth <bw in kb/s>	Change interface bandwidth

Router Types

Term	Definition
Internal Router	All OSPF interfaces in one area
Backbone Router	Has one or more OSPF interfaces in the backbone
Area Boundary Router (ABR)	Has at least one interface in the backbone area and at least one in another area
Autonomous System Boundary Router (ASBR)	Injects routes into OSPF via redistribution from other routing protocols

OSPF with ipv6 (OSPFv3)

Command	Description
(config)# ipv6 unicast-routing
(config)# ipv6 router ospf
(config-router)# router-id	Required if we don’t have any v4 addrs configured.
(config-if)# ipv6 ospf area	Required for OSPFv3.

The networks command does not exist, non mentioned commands are the same.

Troubleshooting OSPF

Command	Description
# show run \| sect ospf
# show ip(v6) protocols	Other protocols with lower AD?
# show ipv6 ospf	reference bandwidth, router id, networks, interface per area
# show ip(v6) ospf neighbor	neighbor IDs, IPs and via interface.
# show ip(v6) ospf neighbor detail	dr, bdr, timers, …
# show interface brief	admin down? link?
# show ip(v6) ospf interface brief	ospf enabled interfaces
# show ip(v6) ospf interface g1/1	ospf related infos for g1/1, passive?
# show ip(v6) route (ospf)	ospf routes are marked O, show route ad and cost

BGP

Note: In other routing protocols the network statement is used to determin the interfaces over which the protocol should talk to its neighbors. In BGP it indicates only which routes should be advertised to the BGP neighbors. The network needs to match an exact route in the routing table or it will still not be announced.

Command	Description
(config)# router bgp	Create routing process.
(config)# neighbor remote-as	BGP does not auto discover neighbors.
(config)# network [mask ]	Advertise this network.

Command	Description
# show run \| sect bgp
# show ip bgp summary	neighbors IPs, ASs and session states, bgp version
# show ip bgp neighbors [peer-ip]	tcp sessions and timers, bgp parameters
# show ip bgp	routing infos received from all peers

CLI

Default Behavior

Here I’ll collect crazy default behaviors and how to fix them, I guess..

Command	Description
(config)# no ip domain-lookup	Don’t try to telnet unknown single word commands

Modes

Mode	Prompt	enter
User	>	N/A
Exec	#	> enable
Config	(config)#	# configure terminal
Interface	(config-if)#	(config)# interface g1/0
Line	(config-line)#	(config)# line vty 0 4
DHCP	(dhcp-config)#	(config)# ip dhcp pool Foobar

Filters

Name	Function
include hostname	find a line including ‘hostname’
section interface	find a section including ‘interface’
begin interface	Show remaining config starting with the first line containing ‘interface’
exclude !	exclude all line containing ! (comments)

Sequence	Function
Ctrl-Shfit-6	Kill many commands
Ctrl-Shift-6 x	Move telnet session to background
Esc-B	Ctrl-Left arrow
Esc-F	Ctrl-Right arrow
Ctrl-R	Redraw the current line
Ctrl-U	Erase line
Ctrl-W	Delete the word left of the cursor
Ctrl-C	Drop back to Exec, does not kill processes..
Ctrl-A	Move Cursor to the beginning of the line
Ctrl-E	Move Cursor to the end of the line
Tab	Autocompletion
?	Help, can be entered mostly everywhere

Packet Types

Ethernet Frame

Field	Field Length	Description
Preamble	8 bytes	Alternating 1s and 0s used to synchronize
Destination MAC (DA)	6 bytes	MAC of recipient
Source MAC (SA)	6 bytes	MAC of sender
802.1Q tag (optional)	4 bytes	Optional vlan tag. Starts with 0x8100 to mark 802.1Q mode in type location.
Type or Length	2 bytes	Layer three type OR length if smaler then 1536 bytes.
Data	46 - 1500 bytes	Payload
Frame check sequence (FCS)	4 bytes	32 bit CRC Checksum

IPv4 Header

Field	Field Length	Description
Version	4 bits	IP Version, always four
Internet Header Length (IHL)	4 bits	Length of the header
Service Type	8 bits	Desired QOS information (DSCP and ECN)
Total Length	2 bytes	Packet length, including this header
Identification	2 bytes	A unique ID
Flag	3 bits	fragmentation behaviour
Fragment Offset	13 bits
TTL	1 byte	TTL, decreased by every router by one.
Protocol	1 byte	Layer four type
Header Checksum	2 bytes
Options (optional)	16 bytes
Padding	max. 31 bits	Pad to the nearest 32 bit boundary

TCP Segment

Field	Field Length	Description
Source Port	2 bytes
Destination Port	2 bytes
Squence Number	4 bytes	Unique Number for this Segment
Acknowledgement Number	4 bytes	Next expected sequence number, acknowledge all prior Segments.
Header Lenght	4 bits	Header size in multiples of 4 bytes, sometimes also called Data Offset.
Reserved	3 bits	N/A
Flags	9 bits	Control Flags like SYN, ACK, FIN, RST and Flags for congestion control.
Window size	2 bytes	bytes sender is currently willing to receive
Checksum	2 bytes	Header Checksum
Urgent Pointer	2 bytes	Points to the last ‘urgent’ byte in the Segment, used when URG flag is set.
Options	0 - 320 bits	The Size is determined by Header length. TODO:
Data	variable

UDP Segment

Field	Field Length	Description
Source Port	2 bytes
Destination Port	2 bytes
Length	2 bytes	Length of the whole Segment
Checksum (optional)	2 bytes	Checksum of the whole Segment
Data	variable

To Sort and Misc

Command	Description
# telnet 1.2.3.4 23	Telnet to `1.2.3.4` using port `23`
# disconnect	Disconnect background telnet session
# ssh -l h.acker 1.2.3.4	SSH to `1.2.3.4` using `h.acker` user
(config-if)# duplex {full, auto}	Set duplex mode or set it to autonegotiation.
(config-if)# speed {100, auto}	Set speed or set it to autonegotiation.

🌔

Explorer

CCNA Cheatsheet