Basic Device Configuration
Configure SSH
# Obfuscate plain-text passwords in the running config (type 7 is reversible; use "secret" for real protection)
service password-encryption
# Configure the domain name (required before an RSA key pair can be generated)
ip domain-name <name>
# Generate an RSA key pair (prompts for the modulus; choose at least 2048 bits)
crypto key generate rsa
# Set up an admin user with a hashed (secret) password
username <username> secret <password>
# Configure the VTY lines for SSH only, authenticating against the local user database
line vty 0 15
login local
transport input ssh
# Remove any leftover line password so only local user accounts are accepted
no password
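A complete, hardened version of the SSH procedure above, added here as a worked example rather than taken from the original page. The hostname, domain name, user name and the key size are assumed placeholders; `algorithm-type scrypt` requires IOS 15.3 or later, on older images use plain `secret`.

```cisco
! Hostname and domain are both needed before RSA keys can be generated
hostname R1
ip domain-name lab.example
! 2048-bit modulus: the default 512/1024-bit key is too weak for SSH
crypto key generate rsa modulus 2048
! SSHv2 only (v1 has known protocol weaknesses), short login window, few retries
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
! Slow down brute force: block logins for 120 s after 3 failures within 60 s
login block-for 120 attempts 3 within 60
login on-failure log
! Local admin account; scrypt (type 9) hashing instead of the old MD5 (type 5)
username netadmin privilege 15 algorithm-type scrypt secret <strong-password>
! Obfuscate any remaining type-0 passwords (type 7 is reversible, prefer "secret")
service password-encryption
! Every VTY line: local authentication, SSH in only, no outbound hops, idle timeout
line vty 0 15
 login local
 transport input ssh
 transport output none
 exec-timeout 10 0
 no password
!
! Verification: expect "SSH Enabled - version 2.0" and a 2048-bit key
show ip ssh
show crypto key mypubkey rsa
! Active sessions and who is logged in
show ssh
show users
```

Check `show ip ssh` after the change; if it still reports version 1.99 the device is accepting both SSHv1 and SSHv2 and the `ip ssh version 2` line did not take effect.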
Config Router Interfaces
Single Area OSPF
# Show the adjacency database (OSPF neighbors and their state)
show ip ospf neighbor
# Show the link-state database
show ip ospf database
# Show the IP routing table (forwarding database built from the LSDB)
show ip route
OSPFv2 Configuration
# Enable OSPF (the process-id is locally significant only)
router ospf <process-id>
# Configure the router-ID (takes effect only after the process is restarted)
router-id <router-id>
# Restart the OSPF process so a new router-ID is used (drops all adjacencies)
clear ip ospf process
# Network command syntax (wildcard mask, not subnet mask)
network <address> <wildcard> area <area-id>
# Configure OSPF directly on an interface instead of using a network statement
ip ospf <process-id> area <area-id>
# Suppress hellos on an interface that has no OSPF neighbors (the prefix is still advertised)
router ospf <process-id>
passive-interface loopback 0
end
# Verify the OSPF configuration of an interface
sh ip ospf int <interface-name>
# Make every interface passive by default and re-enable only the ones that need neighbors
router ospf <process-id>
passive-interface default
no passive-interface <interface-name>
end
# Configure the interface priority (highest wins the DR election; 0 never becomes DR/BDR)
int <interface-name>
ip ospf priority <value>
end
# Adjust the reference bandwidth (in Mbps; must be identical on every router in the domain)
router ospf <process-id>
auto-cost reference-bandwidth <mbps>
# Change the cost on an interface
ip ospf cost <cost>
Modify OSPF interval configuration:
# Set the Hello interval (must match the neighbor's or no adjacency forms)
ip ospf hello-interval <seconds>
# Reset the Hello interval to the default (10 s on broadcast links)
no ip ospf hello-interval
# Set the Dead interval (default is 4x the Hello interval; must match the neighbor's)
ip ospf dead-interval <seconds>
# Reset the Dead interval to the default
no ip ospf dead-interval
Propagate a default static route:
# Example: configure a default static route and advertise it into OSPF
int <interface-name>
ip address <ip-address> <subnet-mask>
exit
ip route 0.0.0.0 0.0.0.0 (<next-hop-ip> | <exit-interface>)
router ospf <process-id>
default-information originate
end
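The whole single-area procedure above carried through on a two-router topology, added as a worked example that is not part of the original page. Router names, interface names and the 10.0.12.0/30, 192.168.1.0/24, 192.168.2.0/24 and 203.0.113.0/30 addresses are assumed; R1 is the edge router and originates the default route, R2 uses per-interface OSPF instead of network statements. The MD5 authentication lines go beyond the commands the page lists and are included so that a rogue device on the LAN cannot form an adjacency.

```cisco
! ===== R1: edge router, area 0 =====
hostname R1
interface GigabitEthernet0/0
 description Uplink to ISP, deliberately kept out of OSPF
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 description User LAN, no neighbors expected here
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 description Transit link to R2
 ip address 10.0.12.1 255.255.255.252
 ip ospf cost 10
 ip ospf priority 255
 ip ospf message-digest-key 1 md5 <shared-key>
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
router ospf 1
 router-id 1.1.1.1
 ! 10 Gbps reference so 1G/10G links get distinct costs; same value on R2
 auto-cost reference-bandwidth 10000
 ! Nothing speaks OSPF unless explicitly re-enabled
 passive-interface default
 no passive-interface GigabitEthernet0/2
 area 0 authentication message-digest
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.12.0 0.0.0.3 area 0
 ! Advertise 0.0.0.0/0 as long as the static default exists
 default-information originate
!
! ===== R2: same area, OSPF enabled per interface =====
hostname R2
interface GigabitEthernet0/0
 description Transit link to R1
 ip address 10.0.12.2 255.255.255.252
 ip ospf 1 area 0
 ip ospf hello-interval 10
 ip ospf dead-interval 40
 ip ospf message-digest-key 1 md5 <shared-key>
interface GigabitEthernet0/1
 description User LAN
 ip address 192.168.2.1 255.255.255.0
 ip ospf 1 area 0
router ospf 1
 router-id 2.2.2.2
 auto-cost reference-bandwidth 10000
 passive-interface GigabitEthernet0/1
 area 0 authentication message-digest
!
! ===== Verification on R2 =====
! Expect R1 (1.1.1.1) in FULL state on G0/0 and nothing on G0/1
show ip ospf neighbor
! Hello/Dead 10/40, cost and passive status of the transit link
show ip ospf interface GigabitEthernet0/0
! 192.168.1.0/24 as O and 0.0.0.0/0 as O*E2 learned from R1
show ip route ospf
```

If a router-ID is changed on a running process, follow it with `clear ip ospf process` on that router; the adjacencies drop for a few seconds, so do it in a maintenance window.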
ACL Concepts
Standard ACL Configuration
Create and remove standard ACLs:
# Create a numbered standard ACL (1-99 or 1300-1999); standard ACLs match on source only
access-list <number> (deny | permit | remark) <source> <source-wildcard>
# Create a named standard ACL (enters ACL config mode)
ip access-list standard <acl-name>
# Remove an ACL (unbind it from interfaces first)
no access-list <number>
Link a standard ACL to an interface:
# Apply an ACL under interface config mode (one ACL per protocol per direction)
ip access-group <acl-name> (in | out)
Permit traffic from hosts:
# Permit traffic from a specific host
access-list <number> permit host <ip-address>
# Permit traffic from all hosts on a network (wildcard mask, e.g. 0.0.0.255 for a /24)
access-list <number> permit <network> <wildcard>
int <interface-name>
ip access-group <number> out
end
Review standard ACL configuration:
# Show ACLs with their hit counters
sh access-lists
# Review the ACL configuration
sh run | section access-list
# Clear ACL statistics
clear access-list counters
Edit a standard ACL by sequence number:
# Numbered ACLs can be edited the same way as named ones
ip access-list standard (<number> | <acl-name>)
no <sequence-number>
<sequence-number> deny host <ip-address>
end
Restrict remote admin (VTY) access with a standard ACL:
# Apply an ACL to the VTY lines (under line config mode; filters sessions to the device itself)
access-class <acl-name> (in | out)
# Secure VTY access example: only one management host may connect
username <username> secret <password>
ip access-list standard <acl-name>
permit <ip-address>
deny any
exit
# Telnet variant (cleartext credentials; avoid unless SSH is unavailable)
line vty 0 4
login local
transport input telnet
access-class <acl-name> in
end
# SSH variant (preferred)
line vty 0 4
login local
transport input ssh
access-class <acl-name> in
end
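The standard ACL material above worked through end to end, added as an example that is not from the original page: a named ACL guarding the VTY lines, a numbered ACL applied outbound on a LAN interface, an in-place sequence edit and the verification commands. The ACL names, interface and the 10.10.0.0/24 and 192.168.1.0/24 addresses are assumed.

```cisco
! Named standard ACL: only the management subnet may open a session to the device.
! "log" on the final deny makes rejected attempts visible in syslog.
ip access-list standard MGMT-ONLY
 remark NOC jump hosts only
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-ONLY in
 login local
 transport input ssh
!
! Numbered standard ACL on the server-facing LAN interface, direction out.
! Standard ACLs see only the source address, so they belong close to the destination.
access-list 10 remark Block a compromised workstation from the server LAN
access-list 10 deny   host 192.168.1.50
access-list 10 permit 192.168.1.0 0.0.0.255
! every ACL ends with an implicit "deny any"
interface GigabitEthernet0/1
 description Server LAN
 ip access-group 10 out
!
! Sequence edit: entries were numbered 10 (deny .50) and 20 (permit /24).
! Insert a second blocked host before the permit without rewriting the list.
ip access-list standard 10
 15 deny host 192.168.1.51
!
! Later, once .50 is cleaned, remove only its line
ip access-list standard 10
 no 10
!
! Verification: sequence numbers and match counters per entry
show access-lists 10
show running-config | section access-list
clear access-list counters 10
```

Watch the counters on `deny any log` of MGMT-ONLY after deployment; a non-zero count means something outside the management subnet is probing the VTY lines.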
Extended ACL Configuration
Create extended ACLs:
# Create a numbered extended ACL (100-199 or 2000-2699); matches on protocol, source and destination
access-list <number> (deny | permit) <protocol> <source> <source-wildcard> <destination> <destination-wildcard> [eq <port>]
# Apply a numbered extended ACL (close to the source, since it can match the destination too)
access-list <number> permit tcp <source> <wildcard> any eq <port>
int <interface-name>
ip access-group <number> in
exit
# Extended ACL to filter HTTP (destination port 80)
access-list <number> permit tcp any any eq 80
Edit extended ACLs:
# Edit an extended ACL by sequence number (check sh access-lists for the numbers first)
ip access-list extended <acl-name>
no <sequence-number>
<sequence-number> (permit | deny) <protocol> host <ip-address> <destination> <destination-wildcard>
end
Examples of named extended IPv4 ACL configurations:
# Extended ACL pair that permits outbound HTTP and HTTPS and only the matching replies inbound
ip access-list extended <acl-in-name>
permit tcp <network> <wildcard> any eq 80
permit tcp <network> <wildcard> any eq 443
exit
ip access-list extended <acl-out-name>
permit tcp any <network> <wildcard> established
exit
int <interface-name>
ip access-group <acl-in-name> in
ip access-group <acl-out-name> out
end
# Extended ACL that permits web access from one host and denies everything else from its network
# (the explicit deny duplicates the implicit one but shows hit counters in sh access-lists)
ip access-list extended <acl-name>
permit tcp host <ip-address> any eq 80
deny ip <network> <wildcard> any
exit
int <interface-name>
ip access-group <acl-name> in
end
# Extended ACL that permits only returning TCP traffic and implicitly denies all other traffic
# (established only checks the ACK/RST flags; it is not stateful inspection)
ip access-list extended <acl-name>
permit tcp any host <ip-address> established
exit
int <interface-name>
ip access-group <acl-name> out
end
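The extended ACL patterns above combined into one inbound/outbound pair with concrete values, added here as an example and not taken from the original page. The ACL names, the interface, the 192.168.1.0/24 user LAN, the 10.0.0.0/24 server LAN and the resolver 10.0.0.53 are assumed. It also shows the failure mode of `established`: it admits any TCP segment with ACK or RST set, so it is a filter for replies, not a stateful firewall.

```cisco
! Inbound on the user LAN interface: what 192.168.1.0/24 is allowed to initiate.
! Sequence numbers 10..50 are assigned automatically in steps of 10.
ip access-list extended LAN-IN
 permit udp 192.168.1.0 0.0.0.255 host 10.0.0.53 eq 53
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit tcp host 192.168.1.10 10.0.0.0 0.0.0.255 eq 22
 deny   ip any any log
!
! Outbound towards the user LAN: only replies to sessions the LAN started.
! "established" passes any segment with ACK or RST set, including crafted ones,
! so this stops unsolicited SYNs but not a scanner sending ACK probes.
ip access-list extended LAN-OUT
 permit tcp any 192.168.1.0 0.0.0.255 established
 permit udp host 10.0.0.53 eq 53 192.168.1.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/1
 description User LAN
 ip access-group LAN-IN in
 ip access-group LAN-OUT out
!
! In-place edit: tighten entry 30 (HTTPS) to the proxy only, keeping its position
ip access-list extended LAN-IN
 no 30
 30 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.80 eq 443
!
! Verification: entries with sequence numbers and hit counters
show access-lists LAN-IN
show access-lists LAN-OUT
! Logged denies appear as %SEC-6-IPACCESSLOGP messages
show logging | include IPACCESSLOG
```

Confirm the sequence numbers with `show access-lists LAN-IN` before issuing `no 30`; on images that number remark lines the entries shift, and removing the wrong sequence silently opens or closes a rule.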
NAT for IPv4
Static NAT Configuration
Dynamic NAT Configuration
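The two NAT headings above have no commands on the page, so this is an added example rather than the page's own content: inside/outside interface marking, a static one-to-one mapping, a static port mapping, and dynamic NAT with overload (PAT) driven by a standard ACL. Interface names and the 192.168.1.0/24 and 203.0.113.0/27 addresses are assumed.

```cisco
! Mark which side of the router is inside and which is outside
interface GigabitEthernet0/0
 description Outside (ISP)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Static NAT: permanent one-to-one mapping, the inside host is fully reachable from outside
ip nat inside source static 192.168.1.10 203.0.113.10
! Static PAT: expose a single port of a host instead of the whole host
ip nat inside source static tcp 192.168.1.20 443 203.0.113.11 443
!
! Dynamic NAT with overload: many inside hosts share the outside interface address.
! The ACL decides which inside sources are translated; keep it to your own prefixes,
! a "permit any" here would translate spoofed or transit traffic as well.
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Alternative to the line above (use one or the other): a pool of public addresses
ip nat pool PUBLIC-POOL 203.0.113.20 203.0.113.30 netmask 255.255.255.224
ip nat inside source list NAT-INSIDE pool PUBLIC-POOL overload
!
! Verification
! static entries are present immediately, dynamic ones appear once traffic flows
show ip nat translations
! hits/misses and which interfaces are marked inside/outside
show ip nat statistics
! drop all dynamic translations (static ones stay)
clear ip nat translation *
```

Static mappings make the inside host reachable for every port, so pair them with an extended ACL inbound on the outside interface that permits only the intended services.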