Cisco Networking Cheatsheet

Basic Device Configuration

Configure SSH

# Encrypt plain text passwords
service password-encryption

# Configure domain name
ip domain-name <name>

# Generate an RSA-key
crypto key generate rsa

# Setup admin user with secret password
username admin secret cisco

# Configure VTY lines (SSH only)
line vty 0 15
    login local
    transport input ssh
    no password cisco

Config Router Interfaces

Single Area OSPF

# Show adjacency database
show ip ospf neighbor

# Show link-state database
show ip ospf database

# Show forwarding database
show ip route

OSPFv2 Configuration

# Enable OSPF
router ospf <process-id>

# Configure router-ID
router-id <router-id>
# Reset router-ID
clear ip ospf process

# Network command syntax
network <address> <wildcard> area <area-id>

# Configure OSPF directly on an interface
ip ospf <process-id> area <area-id>

# Stop sending OSPF messages out of an interface (passive interface)
router ospf <process-id>
    passive-interface loopback 0
    end

# Verify OSPF config on interface
sh ip ospf int <interface-name>

# Make all interfaces passive by default, then remove one interface from the passive list
router ospf <process-id>
    passive-interface default
    no passive-interface <interface-name>
    end

# Config interface priority
int <interface-name>
    ip ospf priority <value>
    end

# Adjust reference bandwidth (value is in Mbit/s)
auto-cost reference-bandwidth <mbps>

# Change the cost on interface
ip ospf cost <cost>

Modify OSPF interval configuration:

# Set Hello interval
ip ospf hello-interval <seconds>
# Reset Hello interval
no ip ospf hello-interval

# Set Dead interval
ip ospf dead-interval <seconds>
# Reset Dead interval
no ip ospf dead-interval

Propagate a default static route:

# Example of a static route with OSPF
int <interface-name>
    ip address <ip-address> <subnet-mask>
    exit
ip route 0.0.0.0 0.0.0.0 (<next-hop-address> | <exit-interface>)

router ospf <process-id>
    default-information originate
    end

ACL Concepts

Standard ACL Configuration

Create and remove standard ACLs:

# Create a numbered ACL
access-list <number> (deny | permit | remark) <source> <source-wildcard>
# Create a named ACL
ip access-list standard <acl-name>

# Remove ACL
no access-list <number>

Link a standard ACL to an interface:

# Link ACL to interface
ip access-group <acl-name> (in | out)

Permit traffic from hosts:

# Permit traffic from a specific host
access-list <number> permit host <ip-address>
do sh access-list
# Permit traffic from all hosts on network
access-list <number> permit <ip-address> <wildcard>
do sh access-list

int <interface-name>
    ip access-group <number> out
    end

Review standard ACL configuration:

# Show ACLs
sh access-lists

# Review ACL configuration
sh run | section access-list

# Clear ACL statistics
clear access-list counters

Modify standard ACL sequences:

# Replace an ACL entry by sequence number
ip access-list standard <number>
    no <sequence-number>
    <sequence-number> deny host <ip-address>
    end

Secure standard ACL access:

# Secure remote admin access
access-class <acl-name> (in | out)

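# Secure VTY access example
username <username> secret <password>
ip access-list standard <acl-name>
    permit <ip-address>
    deny any
    exit
# Telnet variant (the session, including the login, is sent in cleartext)
line vty 0 4
    login local
    transport input telnet
    access-class <acl-name> in
    end
# SSH variant (replaces the transport setting above if both are applied)
line vty 0 4
    login local
    transport input ssh
    access-class <acl-name> in
    end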

Extended ACL Configuration

Create extended ACLs:

# Create a numbered ACL
access-list <number> (deny | permit) <protocol> <source> <source-wildcard> <destination> <destination-wildcard>

# Apply a numbered extended ACL
access-list <number> permit tcp <ip-address> <wildcard> any eq <port>
int <interface-name>
    ip access-group <number> in
    exit

# Extended ACL to filter HTTP
access-list <number> permit tcp any any eq 80

Edit extended ACLs:

# Edit extended ACL
ip access-list extended <acl-name>
    no <sequence-number>
    <sequence-number> (permit | deny) <protocol> host <ip-address> <destination>
    end

Examples of named extended IPv4 ACL configurations:

# Setup an extended ACL to permit HTTP and HTTPS traffic
ip access-list extended <acl-in-name>
    permit tcp <ip-address> <wildcard> any eq 80
    permit tcp <ip-address> <wildcard> any eq 443
    exit
ip access-list extended <acl-out-name>
    permit tcp any <ip-address> <wildcard> established
    exit
int <interface-name>
    ip access-group <acl-in-name> in
    ip access-group <acl-out-name> out
    end

# Setup an extended ACL to permit one host HTTP access to the internet and deny all other hosts on the network
ip access-list extended <acl-name>
    permit tcp host <ip-address> any eq 80
    deny ip <ip-address> <wildcard> any
    exit
int <interface-name>
    ip access-group <acl-name> in
    end

# Setup an extended ACL to permit specified returning TCP traffic and implicitly deny all other traffic
ip access-list extended <acl-name>
    permit tcp any host <ip-address> established
    exit
int <interface-name>
    ip access-group <acl-name> out
    end

NAT for IPv4

Static NAT Configuration

Dynamic NAT Configuration