Arab Academy for Science & Technology & Maritime Transport

Collage of Engineering and Technology

Department of Electronics & Communication Engineering

(EC521) COMMUNICATION NETWORKS

Portable Command Guide
Requirement Cisco Command

Enter privilege mode Router>enable

Return to user mod Router# disable

Enter the configuration mode Router# configuration terminal

To add hostname for router or switch Router(config)#hostname router_name

To display the motd banner Router(config)#banner motd “type message here”

Password Encryption
Router(config)#line con 0
Set a console password to cisco Router(config-line)#login
Router(config-line)#password cisco
Router(config)#line vty 0 15
Set a telnet password Router(config-line)#login
Router(config-line)#password cisco
Set the enable password to cisco Router(config)#enable password cisco
Set the enable secret password.
This password overrides the enable password Router(config)#enable secret class
and is encrypted within the config file
Configuring a Gigabit Ethernet Interface with IPv4
Moves to gigabitethernet 0/0 interface
Router(config)#interface gigabitethernet 0/0
configuration mode
Optional descriptor of the link is locally
Router(config-if)#description Accounting LAN
significant
Router(config-if)#ip address 192.168.20.1
Assigns address and subnet mask to interface
255.255.255.0
Turns interface on Router(config-if)#no shutdown

Configuring a Gigabit Ethernet Interface with IPv6

Mostafa Abdelrahman
 Enables the forwarding of IPv6 unicast
Router (config)#ipv6 unicast-routing
datagrams globally on the router
 Moves to gigabitethernet 0/0 interface
Router(config)#interface gigabitethernet 0/0
configuration mode
Router (config-if)#ipv6 address
 Assigns an IPv6 address to this interface
2001:db8:c003:1104::1/64
 Optional descriptor of the link is locally
Router(config-if)#description Accounting LAN
significant
 Configures a specific link-local IPv6 address Router(configif)#ipv6 address fe80::2 link-local

 Turns interface on Router(config-if)#no shutdown

Basic Security Practices

 Encrypt all passwords in the R(Config)# service password-encryption
configuration file:
A specific amount of time using the command
 This command will block login attempts
R(Config)# login block-for 120 attempts 3 within 60
for 120 seconds if there are three failed
login attempts within 60 seconds

 Security passwords min-length R(Config)# Security passwords min-length 10

R(Config)# Line console 0

 Exec timeout on a router
R(Config-lin)# exec-timeout 10
o For Console line:
R(Config-lin)# exit
R(Config)# Line VTY 0 15
o For VTY line: R(Config-lin)# exec-timeout 10
R(Config-lin)# exit

SSH (A Cisco device to support SSH using four steps)

• Step 1: Configure the IP domain name. R(config) # ip domain-name cisco.com

R(config) # crypto key generate rsa press Enter

• Step 2: Generate one-way secret keys.
1024
• Step 3: Verify or create a local database R(config) # username Bop privilege 15 Secret Class
entry.
OR
• Create a user Bop with a privilege level of R(config) # username Bop password Class
15 using the encrypted password for Class.
OR
Mostafa Abdelrahman
 • Create a user Bop with password for Class.

R(config) # Line vty 0 4

R(config-line) # login local
• Step 4: Enable VTY inbound SSH sessions
R(config-line) # transport input ssh
R(config-line) # exit

SSH version 2 R(config) # ip ssh version 2

limited to 2 authentication attempts R(config) # ip ssh authentication-retries 2

a 60 second timeout R(config) # ip ssh time-out 60

• To Disable DNS lookup:

• To decrease user delays if no DNS server R(Config)# no ip domain-lookup
is configured.
To save the current configuration from DRAM
Router# Copy running-config startup-config
(running-config) to NVRAM (startup-config)
Router# Copy running-config tftp:
To save the current configuration from DRAM to
Address or name of remote host [ ]? 192.168.1.20
TFTP Server

Configuring a SVI Interface with IPv4 on a Switch

Moves to VLAN interface configuration mode Switch (config)#interface VLAN 1
Switch (config-if)#ip address 192.168.0.1
Assigns address and subnet mask to interface
255.255.255.0
 Configure the default gateway. Switch(config)#ip default-gateway 192.168.0.1

Mostafa Abdelrahman
 Common show commands include:
• show running-config
• show interfaces
• show ip interface brief
• show arp
• show ip route
• show protocols
• show version
 When using windows, use the tracert command.
 When performing a trace from a router CLI, use the traceroute command.
 On a Windows computer, the IP address of the default gateway can be viewed by using the ipconfig
command.
• The ipconfig /all command can be used to view the MAC address as well as other important
details regarding the Layer 3 addressing of the device.
• The ipconfig /displaydns command displays all of the cached DNS entries on a Windows
computer system.
 On a Windows computer, the arp -a command lists all devices currently stored in the ARP cache of a
particular host.
 The arp cache can be cleared using the command arp-d
 show cdp neighbors detail
• To disable CDP globally, use the global configuration command no cdp run. To disable CDP on
an interface, use the interface command no cdp enable.
 Use the show ip route command to verify that the default route has been set.

Mostafa Abdelrahman
 VLAN
Creating Static VLANs
Switch(config)#vlan 3
• Creating Static VLANs
Switch(config-vlan)#name Engineering
Switch(config-vlan)#exit
Assigning Ports as access to VLANs
Switch(config)#interface fastethernet 0/1
• Assigning Ports to VLANs Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config)#interface range fastethernet 0/1 – 9
• Using the range Command Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
VLAN Trunking Protocol
Switch(config)#interface fastethernet 0/1
Puts the interface into permanent trunking Switch(config-if)#switchport mode trunk
mode and negotiates to convert the link into
a trunk link. Switch(config-if)#switchport trunk native VLAN 99
Switch(config-if)#switchport trunk allowed VLAN 10,20,30,99
Verifying VLAN Information and Erasing VLAN
Verifying VLAN Information
 Displays VLAN information
Switch#show vlan
 Displays VLAN information in brief
 Displays information about VLAN 2 Switch#show vlan brief
only
Switch#show vlan id 2
 Displays information about VLAN
 named marketing only Switch#show vlan name marketing
 Displays interface characteristics for
Switch#show interfaces vlan x
the specified VLAN
 Displays VLAN information for all Switch#show interfaces switchport
interfaces
Erasing VLAN Configurations
Switch#delete flash:vlan.dat
 Removes the entire VLAN database from
flash.
 Moves to interface configuration mode. Switch(config)#interface fastethernet 0/5
 Removes port from VLAN 5 and reassigns Switch(config-if)#no switchport access vlan 5
it to VLAN 1—the default VLAN.

Mostafa Abdelrahman
 Removes VLAN 5 from the VLAN Switch(config)#no vlan 5
database.
Inter-VLAN Communication Using an External Router: Router-on-a-Stick
Router(config)#interface gigabitethernet 0/0
Moves to interface configuration mode. Router(config-if)#no shutdown
Enables the interface. Router(config-if)#exit

 Creates subinterface 0/0.10 and

moves to subinterface configuration
Router(config-subif)#interface gigabitethernet 0/0.10
mode.
Router(config-subif)#description HR VLAN 10
 (Optional) Sets the locally significant
Router(config-subif)#encapsulation dot1q 10
description of the subinterface.
Router(config-subif)#ip address 192.168.10.1
 Assigns VLAN 10 to this subinterface.
255.255.255.0
This subinterface will use the 802.1q
Router(config-subif)# exit
trunking protocol.
 Assigns the IP address and netmask.
For subinterface of Native VLAN
 Creates subinterface 0/0.99 and
moves to subinterface configuration
Router(config-if)#interface gigabitethernet 0/0.99
mode.
Router(config-subif)#description Management VLAN 99
 (Optional) Sets the locally significant
Router(config-subif)#encapsulation dot1q 99 native
description of the subinterface.
Router(config-subif)#ip address 192.168.1.1
 Assigns VLAN 99 to this subinterface.
255.255.255.0
VLAN 99 will be the native VLAN. This
Router(config-subif)# exit
subinterface will use the 802.1q
trunking protocol.
 Assigns the IP address and netmask.

Mostafa Abdelrahman
Layer 3 Switching
Multilayer switches provide high-packet processing rates using hardware-based switching
 Catalyst multilayer switches support the following types of Layer 3 interfaces:
•Routed port - A layer 3 interface
•Switch virtual interface (SVI) - Virtual Interface for inter- VLAN routing

Layer 3 Switching Configuration

MLS(config)# interface g0/2
 Configure G0/2 as a routed MLS(config-if)# no switchport
port and assign an IP address
MLS(config-if)# ip address 209.165.200.225 255.255.255.252

MLS(config)# interface vlan 10

MLS(config-if)# ip address 192.168.10.254 255.255.255.0

 Configure SVI on MLS.
MLS(config)# interface vlan 20

MLS(config-if)# ip address 192.168.20.254 255.255.255.0

 Enable routing. MLS(config)# ip routing

Mostafa Abdelrahman
Dynamic Trunking Protocol (DTP)
Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP). DTP is a Cisco proprietary
protocol

DTP Configuration
 Switchport mode access - interface becomes
a nontrunk interface. S1(config)# Switchport mode access
 Switchport mode dynamic auto - interface
becomes a trunk if the neighboring interface S1(config)# Switchport mode dynamic auto
is set to trunk or desirable mode.
 Switchport mode dynamic desirable -
interface becomes a trunk if the neighboring
interface is set to trunk, desirable, or S1(config)# Switchport mode dynamic desirable
dynamic auto mode.
 Switchport mode trunk - interface becomes
a trunk even if the neighboring interface is S1(config)# Switchport mode trunk
not a trunk interface.
 Switchport nonegotiate - prevents the
interface from generating DTP frames. S1(config)# Switchport nonegotiate
 Use show dtp interface to verify DTP.
S1# show dtp interface

Mostafa Abdelrahman
EtherChannel
 EtherChannel:
 EtherChannel groups multiple physical ports into one or more logical EtherChannel
links.

Link Aggregation Protocols:

1- Port Aggregation Protocol (PAgP) 2- Link Aggregation Control Protocol (LACP)
Cisco-proprietary protocol Is part of IEEE (IEEE.3AD)

 To create a channel in PAgP, sides must be set to

o Auto-Desirable
o Desirable-Desirable
 To create a channel in LACP, sides must be set to
o Active-Active
o Active-Passive
 This configuration creates EtherChannel with LACP and configures trunking.

• Step 1: Specify the interfaces that compose the EtherChannel group.

• Step 2: Create the port channel interface with the channel-group command in active mode. (Channel
group number needs to be selected.)

• Step 3: Change Layer 2 settings in port channel interface configuration mode.

Mostafa Abdelrahman
 EtherChannel with LACP and configures
 Places the interface into an  S1(config)#interface range fastethernet 0/1 – 2
active negotiating state— S1 (config-if)#channel-group 1 mode Active
will send LACP packets to S1 (config-if)#exit
start negotiations.
 S1(config)#interface port-channel 1
 Configure Port Channel S1(config-if)# Switchport mode Trunk
S1(config-if)# switchport trunk native vlan 999
S1(config-if)# switchport trunk allowed vlan 1,10,20
S1 (config-if)#exit
 Places the interface into a  S1(config)#interface range fastethernet 0/1 – 2
passive negotiating state— S1 (config-if)#channel-group 1 mode passive
will respond to LACP S1 (config-if)#exit
packets but will not initiate
 S1(config)#interface port-channel 1
LACP negotiation. S1(config-if)# Switchport mode Trunk
 Configure Port Channel S1(config-if)# switchport trunk native vlan 999
S1(config-if)# switchport trunk allowed vlan 1,10,20
S1 (config-if)#exit
EtherChannel with PAgP and configures
 Places the interface into an  S1(config)#interface range fastethernet 0/1 – 2
active negotiating state— S1 (config-if)#channel-group 1 mode Desirable
will send PAgP packets to S1 (config-if)#exit
start negotiations.
 S1(config)#interface port-channel 1
 Configure Port Channel S1(config-if)# Switchport mode Trunk
S1(config-if)# switchport trunk native vlan 999
S1(config-if)# switchport trunk allowed vlan 1,10,20
 Places the interface into a  S1(config)#interface range fastethernet 0/1 – 2
passive negotiating state— S1 (config-if)#channel-group 1 mode Auto
will respond to PAgP S1 (config-if)#exit
packets but will not initiate
 S1(config)#interface port-channel 1
PAgP negotiation. S1(config-if)# Switchport mode Trunk
 Configure Port Channel S1(config-if)# switchport trunk native vlan 999
S1(config-if)# switchport trunk allowed vlan 1,10,20

Mostafa Abdelrahman
 Verifying EtherChannel
Displays all EtherChannel Switch#show etherchannel
information
Displays port channel information Switch#show etherchannel 1 portchannel

Displays a summary of Switch#show etherchannel summary

EtherChannel information
Displays the general status of Switch#show interface port-channel 1
EtherChannel 1
Shows PAgP neighbor information Switch#show pagp neighbor

Mostafa Abdelrahman
Switch Port Security
VLAN

Moves to interface configuration mode. Switch(config)#interface fastethernet 0/1

Enables port security on the interface. Switch(config-if)#switchport port-security

Sets a maximum limit of four MAC addresses

that will be allowed on this port. Switch(config-if)#switchport port-security maximum 4

Static MAC Addresses

Sets a specific secure MAC address Switch(config-if)#switchport port-security mac-
1234.5678.90ab. You can add additional address 1234.5678.90ab
secure MAC addresses up to the maximum
value configured.
Sticky MAC Addresses
Converts all dynamic port security learned Switch(config-if)#switchport port-security mac-
MAC addresses to sticky secure MAC address sticky
addresses.
security violation
 Configures port security to shut down the
interface if a security violation occurs.
Switch(config-if)#switchport port-security violation
 NOTE In shutdown mode, the port is
shutdown
errdisabled, a log entry is made, and
manual intervention or errdisable
recovery must be used to reenable the
interface.
security violation
Configures port security to restrict mode if a
security violation occurs. Switch(config-if)#switchport port-security violation
NOTE In restrict mode, frames from a restrict
nonallowed address are dropped, and a log
entry is made. The interface remains
operational.
security violation
Configures port security to protect mode if a
security violation occurs. Switch(config-if)#switchport port-security violation
NOTE In protect mode, frames from a protect
nonallowed address are dropped, but no log
entry is made. The interface remains
operational.

Mostafa Abdelrahman
Mitigate DHCP Attacks
DHCP Snooping Configuration Example

1. DHCP snooping is first enabled on S1.

2. The upstream interface to the DHCP server is explicitly trusted.
3. F0/5 to F0/24 are untrusted and are, therefore, rate limited to six packets
per second.
4. Finally, DHCP snooping is enabled on VLANS 5, 10, 50, 51, and 52.

Mostafa Abdelrahman
 Mitigate ARP Attacks
Dynamic ARP Inspection
• DHCP snooping is enabled because
DAI requires the DHCP snooping
binding table to operate.
• Next, DHCP snooping and ARP
inspection are enabled for the PCs on
VLAN10.
• The uplink port to the router is trusted,
and therefore, is configured as trusted
for DHCP snooping and ARP inspection.

The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command is used to
configure DAI to drop ARP packets when the IP addresses are invalid.
• It can be used when the MAC addresses in the body of the ARP packets do not match the
addresses that are specified in the Ethernet header.
• Notice in the following example how only one command can be configured.

Therefore, entering multiple ip arp inspection validate commands overwrites the previous
command.
• To include more than one validation method, enter them on the same command line as
shown in the output.

Mostafa Abdelrahman
Setting the System Clock

Typically, the date and time settings on a router or switch can be set using one of two methods:

 Manually configure the date and time, as shown in the figure

 Configure the Network Time Protocol (NTP)

Configure and Verify NTP

 Configure R1 to use an external public NTP server with an IP address of 209.165.200.225.

R1# configure terminal
R1(config)# ntp server 209.165.200.225
R1(config)# end

 Verify that R1 is associated with the NTP server at IP address 209.165.200.225.

R1# show ntp associations

 Verify that R1 is synchronized with the NTP server at IP address 209.165.200.225.

R1# show ntp status

Mostafa Abdelrahman
 VTP, Extended VLANs, and DTP
1. VLAN Trunking Protocol (VTP):
Reduces administration in a switched network. A switch in VTP server mode can manage
additions, deletions and renaming of VLANs across the domain.

VTP Configuration
1. Configure the VTP Server. S1(config)# vtp mode server

2. Configure the VTP Domain Name and Password. S1(config)# vtp domain CCNA
S1(config)# vtp password cisco
S2(config)# vtp mode client
3. Configure the VTP Clients. S2(config)# vtp domain CCNA
S2(config)# vtp password cisco
4. Configure VLANs on the VTP Server. S1(config)# vlan 10
S1(config-vlan)# name Red
5. Verify the VTP Clients have received the new S2# show vtp status
VLAN information. S2# show vtp password

2. Extended VLANs
 Extended range VLANs are identified by a VLAN ID between 1006 and 4094.
 To configure an extended VLAN on a 2960 switch it must be set to VTP transparent mode. (By
default 2960 switches do not support Extended range VLANs.)

Configuring Extended VLANs

6. Configure the VTP transparent mode. S1(config)# vtp mode transparent

7. Create Extended VLAN S1(config)# VLAN 2000

S1(config-vlan)# end
Mostafa Abdelrahman
STP
Spanning Tree Protocol (STP) is a Layer 2 protocol that helps especially when there are redundant links.

Changing the Spanning-Tree Mode

Enables PVST. This is the default
Switch(config)#spanning-tree mode pvst
setting.
Enables Rapid PVST+. Switch(config)#spanning-tree mode rapid-pvst

Configuring the Root primary Switch

Switch recalculates timers along
with priority to allow the switch to Switch(config)#spanning-tree vlan 5 root primary
become the root switch for VLAN 5.
Configuring the Root primary Switch
Switch recalculates timers along
with priority to allow the switch to
Switch(config)#spanning-tree vlan 10 root secondary
become the root switch for VLAN 5
should the primary root switch fail.
Configuring by the Switch Priority
Configures the switch priority of
Switch(config)#spanning-tree vlan 5 priority 24576
VLAN 5 to 24576
Optional STP Configurations
PortFast
Enters interface range configuration Switch(config)#interface range fastethernet 0/1 – 5
mode.
Enables PortFast on an access port. Switch(config-if)#spanning-tree portfast

BPDU Guard
Enters interface range configuration Switch(config)#interface range fastethernet 0/1 – 5
mode.

Mostafa Abdelrahman
Enables BPDU Guard on the Switch(config-if)#spanning-tree bpduguard enable
interface.
STP
Verifying STP
Displays STP information Switch#show spanning-tree

Displays STP information on active Switch#show spanning-tree active

interfaces only
Displays a brief status of the STP Switch#show spanning-tree brief

Displays a detailed summary of Switch#show spanning-tree detail

interface information
Displays STP information for Switch#show spanning-tree interface gigabitethernet 0/1
interface gigabitethernet 0/1
Displays a summary of port states Switch#show spanning-tree summary

 CAUTION Cisco recommends caution when using this command. Cisco further
recommends that the spanning-tree vlan x root primary or the spanning-tree vlan x root
secondary command be used instead to modify the switch priority.

Edge Ports

 PortFast is used on ports that have end devices attached.

• Puts a port in the forwarding state
Mostafa Abdelrahman
 • Allows DHCP to work properly
 BPDU Guard disables a port that has PortFast configured on it if a BPDU is received

Dynamic Host Configuration Protocol (DHCPv4)

Configuring a DHCP Server on an IOS Router

 Creates a DHCP pool named internal. The
name can be anything of your choosing.
 Defines the range of addresses to be
leased. Router(config)#ip dhcp pool internal
 Defines the address of the default router Router(dhcp-config)#network 172.16.10.0
for the client. 255.255.255.0
 Defines the address of the Domain Name Router(dhcp-config)#defaultrouter 172.16.10.1
System (DNS) server for the client Router(dhcp-config)#dns-server 172.16.10.10
 Defines the address of the NetBIOS server Router(dhcp-config)#domain-name cisco.com
for the client. Router(dhcp-config)#exit
 Defines the domain name for the client.
 Returns to global configuration mode.

 Specifies the range of addresses not to be Router(config)#ip dhcp excluded-address

leased out to clients. 172.16.10.1 172.16.10.9
Configuring a DHCP Helper Address
 Moves to interface configuration mode.
Router(config)#interface gigabitethernet 0/0
 DHCP broadcasts will be forwarded as a
Router(config-if)#ip helper-address 172.16.20.2
unicast to this specific address rather than
be dropped by the router.
DHCP Client on a Cisco IOS Software Ethernet Interface
 Moves to interface configuration mode Router(config)# interface gigabitethernet 0/0
 Specifies that the interface acquire an IP Router(config-if)# ip address dhcp
address through DHCP

Mostafa Abdelrahman
HSRP
First Hop Redundancy Protocols
 To prevent a single point of failure at the default gateway, implement a virtual router.
 First Hop Redundancy Protocols:
 Hot Standby Router Protocol (HSRP)
 Virtual Router Redundancy Protocol (VRRP)
 Gateway Load Balancing Protocol (GLBP)

HSRP Configuration Commands

Step 1. Configure HSRP version 2.
Step 2. Configure the virtual IP address for the group.
Step 3. Configure the priority for the desired active router to be greater than 100.
Step 4. Configure the active router to preempt the standby router in cases where the active
router comes online after the standby router.

Mostafa Abdelrahman
 Static Route
There are two common types of static routes in the routing table:

 Static route to a specific network

 Default static route

Configuring a Static Route on a Router

When using the ip route command, you can identify where packets should be routed in two ways:
 The next-hop address
 The exit interface
Configuring a Static Route on a Router
10.1.1.0 = destination network.
255.255.255.0 = subnet mask.
209.165.200.226 = next-hop address.
R1(config)#ip route 10.1.1.0 255.255.255.0
Read this to say, “To get to the destination
209.165.200.226
network of 10.1.1.0, with a subnet mask of
255.255.255.0, send all packets to
209.165.200.224.”
10.1.1.0 = destination network.
255.255.255.0 = subnet mask.
209.165.200.226 = next-hop address.
Read this to say, “To get to the destination R1(config)#ip route 10.1.1.0 255.255.255.0 serial 0/0/0
network of 10.1.1.0, with a subnet mask of
255.255.255.0, send all packets out interface
serial 0/0/0.”
Configuring a Default Route on a Router
Send all packets destined for networks not in
my routing table to next hop IP Router(config)# ip route 0.0.0.0 0.0.0.0 209.165.200.226
209.165.200.226.

Mostafa Abdelrahman
Send all packets destined for networks not in
my routing table out my exit Interface serial Router(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0
0/0 interface.
Floating Static Route

Floating Static Route

Configured a Primary static
route.
Because no administrative
Router(config)#ip route 209.165.200.224 255.255.255.248 S0/0/0
distance is configured, the
default value (1) is used for this
static route.
Configured a floating static
route with an administrative Router(config)#ip route 209.165.200.224 255.255.255.248 S0/0/1 5
distance of 5

Verifying Static Routes

 Router# show ip route

To display the contents of the IP routing  Router# show ip route static

table, enter the following command:
 Router# show ip route networ

Mostafa Abdelrahman