Cisco
From Cheatsheet
Revision as of 13:12, 29 July 2023
Some commands don't exist on older versions of Cisco software, and other commands may be deprecated in newer versions.
Basics
Connecting via Console
- Plug a Console cable into the Cisco switch and connect the cable to your laptop/whatever. Best type of cable to use is USB to Console;
- Check Windows "Device Manager" - "Ports (COM & LPT)" to view what COM port is in use;
- Use a Serial client (such as Putty) to connect to the switch by filling in the correct COM port;
- In the opened CLI, you may have to press Enter to see the first CLI output.
You may have to modify the Serial interface settings in your Serial client depending on the switch you're connecting with.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp52980
Cisco Catalyst 3750 needs:
- 9600 baud
- 8 data bits
- no parity
- 1 stop bit
- no flow control
Commandline
Basics
# User EXEC mode is the default mode you land in after logging in via SSH
Switch>
# Enter Privileged EXEC mode from User EXEC mode
enable
# Privileged EXEC mode is used for checking configuration
Switch#
# Enter Global configuration mode from Privileged EXEC mode
configure terminal
# Global configuration mode is used to configure the switch and to enter the other configuration modes
Switch(config)#
# While in Global configuration mode, type a 'vlan vlan-id' command to enter VLAN configuration mode
Switch(config-vlan)#
# While in Global configuration mode, type an 'interface [interface-name]' command to enter Interface configuration mode
Switch(config-if)#
# While in Global configuration mode, type a 'line console' or 'line vty' command to enter Line configuration mode
Switch(config-line)#
# Exit to the 'previous' mode from any mode, or exit the session when in User EXEC mode
exit
# Exit to Privileged EXEC mode from any configuration mode
end
Advanced
Resetting a switch
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp46478
Press and hold the Mode button. The switch LEDs begin blinking after about 3 seconds. Continue holding down the Mode button. The LEDs stop blinking after 7 more seconds, and then the switch reboots.
Update via USB
https://networkproguide.com/how-update-cisco-router-using-usb-drive/
# Plug your USB drive containing the Cisco firmware into the Cisco device.
# Note the name of your internal flash storage:
show file systems
# Copy the firmware from your USB drive to local flash storage:
copy usbflash0:c2900-universalk9-mz.SPA.157-3.M3.bin flash:c2900-universalk9-mz.SPA.157-3.M3.bin
# Verify existence of the copied file:
dir flash:
# Recommended: compare the image's MD5 with the checksum Cisco publishes for it before booting from it
verify /md5 flash:c2900-universalk9-mz.SPA.157-3.M3.bin
# Tell the device to boot from the new firmware file:
boot system flash:c2900-universalk9-mz.SPA.157-3.M3.bin
# Save configuration:
copy running-config startup-config
# Reload device:
reload
# Check version after boot:
show version
Checks
Common
# Show all logs
show logging
# Show current time
show clock
# Show command history
show history
# Show active SSH sessions
show ssh
# Show active user log-ins
show users
# Show basic login configuration
show login
# Show basic SSH configuration
show ip ssh
Configuration
# Show current configuration
show running-config
# Show current configuration, verbose
show running-config full
# Show current configuration, most verbose (includes default settings)
show running-config all
# Show configuration for an interface
show running-config interface GigabitEthernet1/0/25
# Show configuration for a vlan interface
show running-config interface vlan 10
# Show configuration for a port-channel interface
show running-config interface port-channel 48
# Show the saved configuration
show startup-config
Network
Common
# Show all known MAC addresses with their associated IP addresses and interfaces
show arp
# Show the MAC address of a known IP
show ip arp 192.168.10.5
# Show current routes
show ip route
# Show configured MTU values
show system mtu
# Enable detection of all err-disable causes, so the reason why a port is in a disabled state gets reported (Global configuration mode)
errdisable detect cause all
Interfaces
# Show interfaces, VLANs, speed and status
show interfaces status
# Show all interfaces, their status and packets sent
show interfaces summary
# Show all interfaces, their statuses and descriptions
show interfaces description
# Show detailed interface information for GigabitEthernet1/0/1
show interfaces GigabitEthernet1/0/1
# Show detailed information for port-channel interface 1
show interfaces port-channel 1
# Show detailed information for vlan interface 21
show interfaces vlan 21
# Show verbose information for all interfaces
show interfaces
# Show all trunk interfaces and their configured VLANs
show interfaces trunk
Spanning Tree
# Show all interfaces with active Spanning Tree instances
show spanning-tree active
# Show verbose Spanning Tree information for all interfaces
show spanning-tree detail
# Show Spanning Tree instances on interface gigabitEthernet1/0/25
show spanning-tree interface gigabitEthernet1/0/25
# Show Spanning Tree instances for vlan 10
show spanning-tree vlan 10
# Show ports where Spanning Tree is being triggered
show spanning-tree inconsistentports
# Show ports blocked by Spanning Tree
show spanning-tree blockedports
Access lists
# Show all access lists
show access-lists
# Show access list 110
show access-lists 110
Hardware
# Show hardware information such as inserted optics and modules
show inventory
# Show current power usage for slots and Power Supply Units
show power status all
SNMP
# Show created SNMP users
show snmp user
# Show created SNMP groups
show snmp group
# Show active SNMP communities
show snmp community
Common configuration
Common
# Configure the hostname of your machine
hostname sw1-myswitch
# Configure this switch's domain
ip domain-name mydomain.nl
# Set the router for traffic originating from the switch itself
ip default-gateway 192.168.15.1
Authentication
Users & passwords
# 'password 0' takes a cleartext value; with service password-encryption it is stored as a reversible type 7 string, whereas 'secret' would store a one-way hash
username admin password 0 myp4ssw0rd
enable password 0 MyEnablePrivilegeModePassword
# Encrypt (type 7) all cleartext passwords in the configuration
service password-encryption
SSH
https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
Prerequisites:
hostname sw1-myswitch
ip domain-name mydomain.nl
# Generate an RSA key pair for the SSH server; answer the prompt with the modulus size
crypto key generate rsa
How many bits in the modulus [512]: 4096
# Only allow SSH version 2
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh logging events
line vty 0 4
 transport input ssh
 logging synchronous
 exec-timeout 30 0
 login local
# Set local login as the 'default' for all lines:
# https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html
aaa new-model
Radius
Prerequisites:
aaa new-model
aaa group server radius MyRadius
 server-private 10.0.77.22 key 0 Itsmysecretkey
 ip radius source-interface vlan77
aaa authentication login default group MyRadius local
aaa authentication login console group MyRadius local
aaa authorization console
aaa authorization exec default group MyRadius local
NTP
Timezones based on the Netherlands.
ntp server 192.168.0.1
ntp server 192.36.143.150
ntp server 193.67.79.202
clock timezone MET 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 3:00
# NTP via a VRF interface
ntp server vrf Mgmt-intf 10.0.23.1
SNMP
- https://github.com/cisco/cisco-mibs
- https://observium.observium.narkive.com/hyamjofR/snmp-location-string-parsing
SNMPv2c
snmp-server community MySNMPCommunity ro
snmp-server location NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
snmp ifmib ifindex persist
SNMPv3
snmp-server group MyGroupName v3 priv
snmp-server user MyUser MyGroupName v3 auth sha MyAuthP4ssword priv aes 256 MyCryptoP4ssword
snmp-server host 192.168.100.20 version 3 priv MyUser
snmp-server location NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
snmp ifmib ifindex persist
Banner
banner login %
*************************************************************
*========================= COMPANY =========================*
*                                                           *
*              UNAUTHORISED ACCESS PROHIBITED !             *
*                                                           *
*                                                           *
*************************************************************%
Syslog
service timestamps log datetime
service sequence-numbers
# Send messages of severity 6 (informational) and below to the syslog server
logging trap 6
logging facility local7
# Log successful and failed logins
login on-success log
login on-failure log
logging 10.25.60.11
logging on
# Log every configuration change to syslog, with passwords hidden
archive
 log config
  logging enable
  logging size 250
  notify syslog contenttype plaintext
  hidekeys
# Specify the source interface if necessary:
logging source-interface gigabitEthernet 0
# Log to a syslog server via a VRF interface
logging host 172.16.5.2 vrf Mgmt-intf
# Log via a specific VRF interface
logging source-interface GigabitEthernet0 vrf Mgmt-intf
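With login on-success log and login on-failure log enabled as above, the switch emits %SEC_LOGIN messages that a syslog collector can turn into detections. The following is an added example, not part of the original cheatsheet or any Cisco tool: it parses IOS syslog lines (with the sequence number and timestamp prefix that service sequence-numbers and service timestamps log datetime add), counts failed logins per source address, and flags a successful login from a source that had already failed repeatedly. The log lines are constructed for the example; the threshold value is an assumption.

```python
"""Detection over Cisco IOS login syslog messages. Example code, not a Cisco tool."""
import re
from collections import defaultdict

# Message body after the optional sequence number and timestamp prefix, e.g.
# "000101: Jul 29 13:10:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] ..."
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)"
)
# Bracketed key/value fields IOS uses in SEC_LOGIN messages: [user: x] [Source: ip] ...
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+): (?P<value>[^\]]*)\]")


def parse_syslog_line(line):
    """Return facility/severity/mnemonic plus a dict of bracketed fields, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["severity"] = int(event["severity"])
    event["fields"] = {k.lower(): v for k, v in FIELD_RE.findall(event["text"])}
    return event


def find_login_anomalies(lines, threshold=3):
    """Sources with >= threshold failed logins, and successes that followed such a run.

    threshold=3 is an assumed value for the example, not a Cisco default."""
    failures = defaultdict(int)          # source address -> failed login count
    success_after_failures = []          # (user, source, failures before success)
    for line in lines:
        ev = parse_syslog_line(line)
        if ev is None or ev["facility"] != "SEC_LOGIN":
            continue
        src = ev["fields"].get("source", "?")
        user = ev["fields"].get("user", "?")
        if ev["mnemonic"] == "LOGIN_FAILED":
            failures[src] += 1
        elif ev["mnemonic"] == "LOGIN_SUCCESS" and failures[src] >= threshold:
            success_after_failures.append((user, src, failures[src]))
    over = sorted(s for s, n in failures.items() if n >= threshold)
    return {"sources_over_threshold": over,
            "success_after_failures": success_after_failures}


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "000101: Jul 29 13:10:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 13:10:01 UTC Sat Jul 29 2023",
    "000102: Jul 29 13:10:04: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 13:10:04 UTC Sat Jul 29 2023",
    "000103: Jul 29 13:10:07: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 13:10:07 UTC Sat Jul 29 2023",
    "000104: Jul 29 13:10:10: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.77.5] [localport: 22] [Reason: Login Authentication Failed] at 13:10:10 UTC Sat Jul 29 2023",
    "000105: Jul 29 13:10:15: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22] at 13:10:15 UTC Sat Jul 29 2023",
    "000106: Jul 29 13:11:02: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
]

if __name__ == "__main__":
    for key, value in find_login_anomalies(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed the function the lines your collector stores for the switch; the source address comes from the message body, so the check works even when the collector rewrites the syslog envelope.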
Hardening
- https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
- https://stigviewer.com/stig/cisco_ios_xe_switch_l2s/2020-05-20/finding/V-101163
# Dangerous services that should always be disabled
no ip rcmd rcp-enable
no ip rcmd rsh-enable
no service tcp-small-servers
no service udp-small-servers
no ip identd
no ip dns server
no service pad
# Disable HTTP/S server
no ip http server
no ip http secure-server
# Disable finger
no ip finger
no service finger
# Disable DHCP
no service dhcp
no ip boot server
no ip bootp server
# Don't load config from the network
no boot network
no service config
# IP source-route is a little-used option that lets the originator of a packet decide which routers it passes through on the way to its destination, by supplying the full router path in the options header of the IP packet.
# https://community.cisco.com/t5/other-network-architecture-subjects/no-ip-source-route-question/td-p/325600
no ip source-route
# https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i3.html#wp2123221095
no ip gratuitous-arps
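A way to check that a switch actually carries the hardening settings above, plus the SSH settings from the SSH section (ip ssh version 2, service password-encryption, aaa new-model, and transport input ssh on every vty line), is to audit the saved text of its configuration offline. The following is an added example written for this page, not a Cisco tool or part of the original cheatsheet. It expects the output of show running-config all, because plain show running-config omits default settings and would make a default-on service invisible; the sample configuration is constructed.

```python
"""Offline audit of a Cisco IOS configuration against this page's hardening list.
Example code, not a Cisco tool. Input should be 'show running-config all' text."""

# 'no ...' statements the hardening section says should always be present.
REQUIRED_NO_STATEMENTS = [
    "no ip rcmd rcp-enable", "no ip rcmd rsh-enable",
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip identd", "no ip dns server", "no service pad",
    "no ip http server", "no ip http secure-server",
    "no ip finger", "no service finger",
    "no service dhcp", "no ip boot server", "no ip bootp server",
    "no boot network", "no service config",
    "no ip source-route", "no ip gratuitous-arps",
]
# Global settings from the SSH and Users & passwords sections.
REQUIRED_GLOBAL = ["ip ssh version 2", "service password-encryption", "aaa new-model"]


def parse_sections(config_text):
    """Split IOS config text into top-level lines and {header: [indented sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank lines and '!' separators
        if raw[0] in " \t":               # sub-mode line belongs to the last header
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_config(config_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    top, sections = parse_sections(config_text)
    top_set = set(top)
    findings = []
    for stmt in REQUIRED_NO_STATEMENTS:
        if stmt not in top_set:
            positive = stmt[len("no "):]
            state = "enabled" if positive in top_set else "not explicitly disabled"
            findings.append(f"{stmt}: missing ({state})")
    for stmt in REQUIRED_GLOBAL:
        if stmt not in top_set:
            findings.append(f"{stmt}: missing")
    for header, body in sections.items():
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input is not restricted to ssh")
            if not any(b.startswith("exec-timeout") for b in body):
                findings.append(f"{header}: no exec-timeout")
    return findings


# Constructed sample configuration (not from a real device): deliberately leaves
# the HTTP server on, most 'no' statements absent, and the upper vty range open to telnet.
SAMPLE_CONFIG = """\
! constructed sample
version 15.2
service password-encryption
hostname sw1-myswitch
aaa new-model
ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip source-route
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 30 0
 login local
line vty 5 15
 transport input telnet ssh
 login local
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Findings distinguish a service that is visibly enabled from one that is merely not disabled in the text, so the same audit is still useful, with less certainty, on plain show running-config output.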
Optimization
no spanning-tree optimize bpdu transmission
vlan dot1q tag native
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
service sequence-numbers
service nagle
Network
Create VLAN
vlan 500
 name myVlan
Routing
# Set the router for traffic originating from the switch itself
ip default-gateway 192.168.15.1
# Route traffic going to 192.168.1.0/24 via gateway 192.168.0.1
ip route 192.168.1.0 255.255.255.0 192.168.0.1
Interfaces
VLAN
interface vlan 999
 ip address 192.168.99.9 255.255.255.0
 no shut
Access
interface GigabitEthernet1/1/1
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Put any note in here, for example a PROVIDER and PROVIDER-CID)
switchport mode access
switchport access vlan 88
no shutdown
Trunk
interface GigabitEthernet1/1/1
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Put any note in here, for example a PROVIDER and PROVIDER-CID)
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 33,99
no shutdown
Port-channel trunk
Configure all interfaces first and keep them shut down. After configuration is finished, bring the port-channel online first and then the physical interface(s). Port-channels 1-48 are available on IOS.
interface GigabitEthernet1/1/1
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Put any note in here, for example a PROVIDER and PROVIDER-CID)
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 22,283
channel-group 48 mode active
shutdown
interface GigabitEthernet1/1/2
description Core: TheConnectedDevice01 FastEthernet0/1 [xxxMbit] {CIRCUIT-ID} (Put any note in here, for example a PROVIDER and PROVIDER-CID)
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 22,283
channel-group 48 mode active
shutdown
interface port-channel48
description Core: TheConnectedDevice01 [xxxMbit] (Put any note in here, for example a PROVIDER and PROVIDER-CID)
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 22,283
shutdown
Port to ISP/provider
interface GigabitEthernet1/1/3
description Core: TheConnectedDevice01 GigabitEthernet1/1/24 [xxxMbit] {CIRCUIT-ID} (PROVIDER PROVIDER-CID)
switchport access vlan 101
switchport mode access
no cdp enable
no lldp transmit
storm-control broadcast level 0.50
storm-control multicast level 0.50
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
Spanning Tree
Configuration
# Make this switch the root bridge for a VLAN
spanning-tree vlan 335 root primary
# Set this switch's priority to 4096 for a VLAN
spanning-tree vlan 335 priority 4096
# Activate spanning-tree for a VLAN
spanning-tree vlan 335
# Set the priority for a range of VLANs
spanning-tree vlan 10-100,125,150 priority 4096
Interface configuration
# Drop any BPDUs received on this port and stop sending them
spanning-tree bpdufilter enable
# Shut down (err-disable) the port upon receiving a BPDU. Enabled per interface like this it works on any port; only the global 'spanning-tree portfast bpduguard default' form is limited to PortFast ports
spanning-tree bpduguard enable
# If the device on the other side tries to become root, block the port (it then shows up as root-inconsistent)
spanning-tree guard root
Bridge Priorities
# Bridge Priority must be in increments of 4096.
# Allowed values are:
# 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440
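The 4096 step exists because only the top 4 bits of the 16-bit priority field are configurable; the low 12 bits carry the VLAN ID (the extended system ID), which is why show spanning-tree reports a configured priority of 4096 on VLAN 335 as 4431. The following is an added example, not part of the original cheatsheet or a Cisco tool, covering both the Spanning Tree configuration section above and the priority table: it validates a priority, converts between the configured and displayed values, computes the value the root primary macro picks, and parses the Bridge ID line of a constructed show spanning-tree excerpt.

```python
"""Bridge priority helpers for Cisco PVST+/RSTP. Example code, not a Cisco tool."""
import re

# Configurable priorities: multiples of 4096 from 0 to 61440 (the page's table).
ALLOWED_PRIORITIES = [n * 4096 for n in range(16)]
SYS_ID_EXT_MASK = 0x0FFF   # low 12 bits of the bridge priority hold the VLAN ID


def is_valid_priority(priority):
    """True if 'spanning-tree vlan X priority <priority>' would be accepted."""
    return priority in ALLOWED_PRIORITIES


def effective_priority(base_priority, vlan_id):
    """Priority as shown by 'show spanning-tree': configured base + VLAN ID (sys-id-ext)."""
    if not is_valid_priority(base_priority):
        raise ValueError(f"{base_priority} is not a multiple of 4096 in 0..61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    return base_priority + vlan_id


def split_effective_priority(shown_priority):
    """Inverse of effective_priority: (configured base, VLAN ID)."""
    return shown_priority & ~SYS_ID_EXT_MASK, shown_priority & SYS_ID_EXT_MASK


def root_primary_priority(current_root_base):
    """Base priority chosen by 'spanning-tree vlan X root primary'.

    Cisco documents the macro as: use 24576, unless the current root already has a
    lower priority, in which case use 4096 less than the root's priority. Treating an
    equal value (24576) as 'already lower' is an assumption made here for the tie case."""
    if current_root_base > 24576:
        return 24576
    if current_root_base == 0:
        raise ValueError("current root already uses priority 0; the macro cannot go lower")
    return current_root_base - 4096


# Bridge ID line of 'show spanning-tree vlan <id>' output.
BRIDGE_RE = re.compile(
    r"Bridge ID\s+Priority\s+(\d+)\s+\(priority (\d+) sys-id-ext (\d+)\)"
)


def parse_bridge_priority(show_output):
    """Return (shown, base, sys-id-ext) from a 'show spanning-tree' excerpt, or None."""
    m = BRIDGE_RE.search(show_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


# Constructed excerpt (not captured from a device) for a switch configured with
# 'spanning-tree vlan 335 priority 4096'.
SAMPLE_SHOW = """\
VLAN0335
  Spanning tree enabled protocol rstp
  Root ID    Priority    4431
             Address     0000.0c00.0001
             This bridge is the root

  Bridge ID  Priority    4431   (priority 4096 sys-id-ext 335)
             Address     0000.0c00.0001
"""

if __name__ == "__main__":
    shown, base, vlan = parse_bridge_priority(SAMPLE_SHOW)
    print(f"VLAN {vlan}: shown {shown} = base {base} + sys-id-ext {vlan}")
    print("root primary from a root at 32768 picks", root_primary_priority(32768))
```

split_effective_priority is the check to run on a value copied from show spanning-tree: if the base it returns is not in the allowed table, the number was misread or came from a bridge that does not use the extended system ID.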