Cisco



Some commands don't exist on older versions of Cisco software, and other commands may be deprecated in newer versions.


Basics

Connecting via Console [Windows]

  1. Plug a console cable into the Cisco switch and connect the other end to your laptop. The easiest cable to use is a USB-to-console cable;
  2. Check Windows "Device Manager" - "Ports (COM & LPT)" to see which COM port the cable was assigned;
  3. Use a serial client (such as PuTTY) and connect to that COM port;
  4. In the opened CLI, you may have to press Enter before the first prompt appears.

You may have to modify the serial settings in your serial client depending on the switch you're connecting to.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp52980
Cisco Catalyst 3750 needs:
- 9600 baud
- 8 data bits
- no parity
- 1 stop bit
- no flow control

Commandline

Basics

# User EXEC mode is the default mode you Console/SSH into.
Switch>

# Enter Privileged EXEC mode from User EXEC mode
enable

# Privileged EXEC mode is used for checking configuration
Switch#

# Enter Global configuration mode from Privileged EXEC mode
configure terminal

# Global configuration mode is used to configure the switch and to enter other configuration-modes
Switch(config)#

# While in Global configuration mode, type in a 'vlan vlan-id' command to enter VLAN configuration mode
Switch(config-vlan)#

# While in Global configuration mode, type in a 'interface [interface-name]' command to enter Interface configuration mode
Switch(config-if)#

# While in Global configuration mode, type in a 'line console' or 'line vty' command to enter Line configuration mode
Switch(config-line)#

# Exit to the 'previous' mode from any mode, or exit the session when in User EXEC mode
exit

# Exit to Privileged EXEC mode from any configuration mode
end

Use the TAB key for command auto-completion once you have typed enough characters to make the command unambiguous.

Use the UP and DOWN keys to scroll through previously executed commands.

# Use "?" to list all available commands in any EXEC mode
sw1-cisco#?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-template  Create a temporary Access-List entry
  archive          manage archive files

# Also use the "?" key to show available parameters to any command
sw1-cisco#show running-config ?
  all        Configuration with defaults
  brief      configuration without certificate data
  full       full configuration

Pipe

# Use the | modifier to pipe/filter the output of a show command
sw1-thuis#show interfaces | ?
  append    Append redirected output to URL (URLs supporting append operation only)
  begin     Begin with the line that matches
etc

# Filter the output so only lines containing "SSH" are shown
sw1-thuis#show logging | include SSH
000012: *Mar  1 00:01:14.851: %SSH-5-ENABLED: SSH 1.99 has been enabled
000040: *Mar  1 00:13:22.698: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.0.20 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000041: *Mar  1 00:13:26.096: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.168.178.115 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded

# List output starting from any line containing "GigabitEthernet"
sw1-thuis#show running-config | begin GigabitEthernet
interface GigabitEthernet1/0/1
 description Core: Internet-router Ethernet0/1 [100000Mbit] {0001} (Uplink)
 switchport access vlan 666
 switchport mode access

# Filter out any line containing "Hello" from the given input
sw1-thuis#show spanning-tree | exclude Hello
VLAN0100
  Spanning tree enabled protocol ieee
  Root ID    Priority    32868
             Address     0017.e04b.2780
             This bridge is the root

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     0017.e04b.2780
             Aging Time 300

Resetting a switch

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp46478
Press and hold the Mode button. The switch LEDs begin blinking after about 3 seconds. Continue holding down the Mode button. The LEDs stop blinking after 7 more seconds, and then the switch reboots. 
# Wipe a switch's configuration completely. The startup-config lives in nvram: (the two erase commands do the same thing on most platforms),
# the VLAN database is a separate file, and the running-config stays in memory until the switch reloads (answer 'no' when asked to save it)
erase nvram:
erase startup-config
delete vlan.dat
reload


Update via USB

https://networkproguide.com/how-update-cisco-router-using-usb-drive/

# Plug the USB stick containing the Cisco image into the Cisco device.

# Note the name of your internal flash storage:
show file systems

# Copy the firmware from your USB to local flash storage:
copy usbflash0:c2900-universalk9-mz.SPA.157-3.M3.bin flash:c2900-universalk9-mz.SPA.157-3.M3.bin

# Verify existence of copied file:
dir flash:

# Before booting it, compare the image's checksum with the MD5 Cisco publishes on the download page
# ('verify /md5 flash:<image> <expected-md5>'); a mismatch means a corrupt or tampered image

# Inform device to boot from new firmware file:
boot system flash:c2900-universalk9-mz.SPA.157-3.M3.bin

# Save configuration:
copy running-config startup-config

# Reload device:
reload

# Check version after boot
show version




Checks

Common

# Show all logs
show logging

# Show current time
show clock

# Show command history
show history

# Show active SSH sessions
show ssh

# Show active user log-ins
show users

# Show basic login configuration
show login

# Show basic SSH configuration
show ip ssh

Configuration

# Show current configuration
show running-config

# Show current configuration but verbose
show running-config full

# Show current configuration but most verbose
show running-config all

# Show configuration for an interface
show running-config interface GigabitEthernet1/0/25

# Show configuration for a vlan interface
show running-config interface vlan 10

# Show configuration for a port-channel interface
show running-config interface port-channel 48

# Show the saved configuration
show startup-config

Network

Common

# Show all known MAC addresses with their associated IP addresses and interfaces
show arp

# Show the MAC-address of a known IP
show ip arp 192.168.10.5

# Show current routes
show ip route

# Show configured MTU values
show system mtu

# Enable err-disable detection for all causes (Global configuration mode); this is what makes a misbehaving port get shut down at all
errdisable detect cause all

# Show why a port is err-disabled (the Reason column) and which causes recover automatically (Privileged EXEC mode)
show interfaces status err-disabled
show errdisable recovery

Interfaces

# Show interfaces, VLANs, speed and status
show interfaces status

# Show all interfaces, their status and packets sent
show interfaces summary

# Show verbose information for all interfaces
show interfaces

# Show all trunk interfaces and their configured VLANs
show interfaces trunk

# Show all interfaces, their status and descriptions
show interfaces description

# Show detailed interface information for GigabitEthernet1/0/1
show interfaces GigabitEthernet1/0/1

# Show detailed information for port-channel interface 1
show interfaces port-channel 1

# Show detailed information for vlan interface 21
show interfaces vlan 21

Spanning Tree

# Show all interfaces with active Spanning Tree instances
show spanning-tree active

# Show verbose Spanning Tree information for all interfaces
show spanning-tree detail

# Show Spanning Tree instances on interface gigabitEthernet1/0/25
show spanning-tree interface gigabitEthernet1/0/25

# Show Spanning Tree instances for vlan 10
show spanning-tree vlan 10

# Show ports where Spanning Tree is being triggered
show spanning-tree inconsistentports

# Show ports blocked by Spanning Tree
show spanning-tree blockedports

Access lists

# Show all access lists
show access-lists

# Show access list 110
show access-lists 110

Hardware

# Show hardware information such as inserted optics and modules.
show inventory

# Show current power usage for slots and Power Supply Units
show power status all

SNMP

# Show created SNMP users
show snmp user

# Show created SNMP groups
show snmp group

# Show active SNMP communities
show snmp community



Configuration

Common commands

# Configure the hostname of your machine
hostname sw1-myswitch

# Configure this switch's domain
ip domain-name mydomain.nl

# Set router for traffic originating from the switch itself
ip default-gateway 192.168.15.1

# Configure a DNS server
ip name-server 10.20.30.1

# Copy the current running configuration to the configuration used at boot
copy running-config startup-config

# Copy the configuration used at boot to the current running configuration
copy startup-config running-config

# Shutdown and restart the switch
reload


Authentication

Common

# Set the Privileged EXEC (enable) secret. The leading 0 only means the password is typed in cleartext here:
# 'enable secret' stores it as a salted hash (type 5, or type 8/9 on newer IOS), unlike 'enable password', which stores it reversibly
enable secret 0 MyEnablePrivilegeModePassword

# Create the admin user with a cleartext (type 0) password. Prefer 'username admin secret <password>' where the IOS version supports it:
# a type 0 password is stored as typed, and 'service password-encryption' only turns it into a trivially reversible type 7 string
username admin password 0 myp4ssw0rd

# Obfuscate any type 0 passwords in the configuration as type 7 (note the hyphen: 'service password encryption' is rejected).
# Type 7 is an XOR with a fixed, public key; it stops shoulder-surfing, not anyone who can read the configuration
service password-encryption
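The claim in the comment above, that type 7 is reversible, as an added example (this is not code from the cheatsheet): a Python decoder and encoder for the type 7 scheme that 'service password-encryption' applies, plus a helper that pulls every type 7 credential out of a running-config. The XOR key is the fixed constant IOS uses; the sample config is constructed here (its type 5 hash is a placeholder, not a real hash) and `recover_type7` is a name chosen for this example.

```python
import re

# Fixed XOR key built into IOS; the two leading decimal digits of a type 7 string give the start offset into it
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover the plaintext behind a type 7 string such as '094F471A1A0A'."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {enc!r}")
    offset = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encode(plain: str, offset: int = 9) -> str:
    """Produce the type 7 string IOS writes for 'plain' at a given offset (IOS picks 0-15)."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0-15")
    data = plain.encode("latin-1")
    enc = bytes(c ^ XLAT[(offset + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{offset:02d}{enc.hex().upper()}"


# Matches 'password 7 <hex>' and 'key 7 <hex>' (RADIUS/TACACS+ shared secrets) at the end of a config line
TYPE7_LINE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\s*$")


def recover_type7(config: str) -> list[tuple[str, str]]:
    """Return (config line, plaintext) for every type 7 credential in a running-config."""
    found = []
    for line in config.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample of what 'show running-config' shows after 'service password-encryption'.
# The type 5 hash is a placeholder; the type 7 strings were produced with type7_encode above.
SAMPLE_CONFIG = """\
service password-encryption
hostname sw1-myswitch
enable secret 5 $1$placeholder$NotAReversibleString
username admin password 7 094F471A1A0A
aaa group server radius MyRadius
 server-private 10.0.77.22 key 7 032D4F180B1632494D1B1C111C1712
line con 0
 password 7 022B1D6B0A151C36435C0D
 login
"""

if __name__ == "__main__":
    for line, plaintext in recover_type7(SAMPLE_CONFIG):
        print(f"{line!r:60} -> {plaintext!r}")
```

Anything that can read the configuration (a backup server, a TFTP share, a ticket with a pasted `show run`) can recover every type 7 string in milliseconds; the 'enable secret' line is the only credential in that sample that survives, which is why `secret` should be used for local users as well.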

Console

# Enter the console interface, set a password and activate the login function
line console 0
password MyPassword
login

SSH

https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html

Prerequisites:

# Set a hostname and domain
hostname sw1-myswitch
ip domain-name mydomain.nl

# Create a local user account (prefer 'username admin secret ...' where supported, see Authentication above)
username admin password 0 myp4ssw0rd

# Generate the RSA host key used by the SSH server. SSHv2 requires a modulus of at least 768 bits; use 2048 or more.
# The key is stored in NVRAM, not in the running-config. The size can also be given inline: 'crypto key generate rsa modulus 4096'
crypto key generate rsa
How many bits in the modulus [512]: 4096

# Basic SSH settings: force SSH version 2, give a client 60 seconds to finish key exchange and authentication,
# drop the connection after 3 failed attempts, and log every SSH login attempt
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh logging events

# Configure the virtual terminal lines: accept only SSH (telnet sends credentials in cleartext), print syslog messages without
# breaking the line being typed, close the session after 30 minutes and 0 seconds of inactivity, and authenticate against the local user database
line vty 0 4
 transport input ssh
 logging synchronous
 exec-timeout 30 0
 login local

# Enable AAA. With no 'aaa authentication login' method list configured, logins on every line use the local user database and line
# passwords are ignored, so make sure a local user exists before entering this on a live session or you can lock yourself out:
# https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html
aaa new-model

Radius

Prerequisites:

# Define the RADIUS server group. 'key 0' means the shared secret is typed in cleartext; it is stored as type 7 in the config, so treat the config file as sensitive
aaa new-model
aaa group server radius MyRadius
 server-private 10.0.77.22 key 0 Itsmysecretkey
 ip radius source-interface vlan77

# Try RADIUS first and fall back to the local user database only when no RADIUS server answers (not when RADIUS rejects the user)
aaa authentication login default group MyRadius local
aaa authentication login console group MyRadius local
aaa authorization console
aaa authorization exec default group MyRadius local

# The named list 'console' does nothing until it is bound to the console line
line console 0
 login authentication console


NTP

Timezones based on the Netherlands.

ntp server 172.16.0.1
ntp server 192.36.143.150
ntp server 193.67.79.202

clock timezone MET 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 3:00
# NTP via VRF interface
ntp server vrf Mgmt-intf 10.0.23.1

SNMP

SNMPv2c

# The community string travels in cleartext and is the only credential: keep it read-only and restrict the sources by adding an ACL name after 'ro'
snmp-server community MySNMPCommunity ro
snmp-server location NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
snmp ifmib ifindex persist

SNMPv3

# authPriv: SHA authentication and AES-256 privacy. The 'snmp-server user' line is not shown in the running-config; check it with 'show snmp user'
snmp-server group MyGroupName v3 priv
snmp-server user MyUser MyGroupName v3 auth sha MyAuthP4ssword priv aes 256 MyCryptoP4ssword
snmp-server host 192.168.100.20 version 3 priv MyUser
snmp-server location NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
snmp ifmib ifindex persist

Banners

# Display a message to everyone who connects, before the login prompt
banner motd %
*************************************************************\
*========================= COMPANY  =========================*\
*                                                            *\
*                UNAUTHORISED ACCESS PROHIBITED !            *\
*                                                            *\
*                                                            *\
**************************************************************%
# Display a message after the MOTD and before the username/password prompt (for a message shown after a successful login, use 'banner exec')
banner login %
*************************************************************\
*========================= COMPANY  =========================*\
*                                                            *\
*                AUTHORISED PERSONNEL ONLY !                 *\
*                                                            *\
*                                                            *\
**************************************************************%

Syslog

# Timestamp and sequence-number every log message (add 'msec localtime show-timezone' after 'datetime' for millisecond, local-time stamps)
service timestamps log datetime
service sequence-numbers
# Send messages of severity informational (6) and more severe to the syslog host, tagged facility local7
logging trap 6
logging facility local7
# Log every successful and failed login attempt; these are the messages a brute-force detection should watch
login on-success log
login on-failure log
# Syslog host ('logging 10.25.60.11' is the same as 'logging host 10.25.60.11'); 'logging on' is the default and only makes sure logging was not disabled
logging 10.25.60.11
logging on

archive
 log config
  logging enable
  logging size 250
  notify syslog contenttype plaintext
  hidekeys
# Specify interface if necessary:
logging source-interface gigabitEthernet 0
# Log to syslog-server via a vrf interface
logging host 172.16.5.2 vrf Mgmt-intf

# Log via specific vrf interface
logging source-interface GigabitEthernet0 vrf Mgmt-intf
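What the 'login on-success log' and 'login on-failure log' lines above buy you, as an added example (not code from the cheatsheet): detection logic run over the SEC_LOGIN messages those commands emit, counting failed logins per source and flagging the worst case, a success right after a run of failures from the same address. The log lines are constructed for this example in the format IOS uses for these messages; the function names are chosen here.

```python
import re
from collections import Counter

# Messages produced by 'login on-success log' / 'login on-failure log'
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>SUCCESS|FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_login_events(log: str) -> list[dict]:
    """Turn raw 'show logging' text into one dict per login event, in log order."""
    events = []
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({
                "ok": m.group("result") == "SUCCESS",
                "user": m.group("user"),
                "source": m.group("source"),
                "port": int(m.group("port")),
            })
    return events


def failures_by_source(events) -> Counter:
    """Failed login count per source address."""
    return Counter(e["source"] for e in events if not e["ok"])


def suspicious_sources(events, threshold: int = 3) -> list[str]:
    """Sources with at least 'threshold' failed logins."""
    return sorted(src for src, n in failures_by_source(events).items() if n >= threshold)


def success_after_failures(events, threshold: int = 3) -> list[tuple[str, str]]:
    """(source, user) pairs where a success followed >= threshold consecutive failures from
    the same source: the case that needs immediate attention, because guessing may have worked."""
    streak: Counter = Counter()
    hits = []
    for e in events:
        if e["ok"]:
            if streak[e["source"]] >= threshold:
                hits.append((e["source"], e["user"]))
            streak[e["source"]] = 0
        else:
            streak[e["source"]] += 1
    return hits


# Constructed sample output of 'show logging' (sequence numbers and timestamps as in the examples earlier on this page)
SAMPLE_LOG = """\
000041: *Mar  1 00:13:26.096: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.0.20] [localport: 22] at 00:13:26 UTC Mon Mar 1 1993
000052: *Mar  1 00:20:01.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.178.115] [localport: 22] [Reason: Login Authentication Failed] at 00:20:01 UTC Mon Mar 1 1993
000053: *Mar  1 00:20:04.311: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.168.178.115] [localport: 22] [Reason: Login Authentication Failed] at 00:20:04 UTC Mon Mar 1 1993
000054: *Mar  1 00:20:07.902: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.168.178.115] [localport: 22] [Reason: Login Authentication Failed] at 00:20:07 UTC Mon Mar 1 1993
000055: *Mar  1 00:20:11.455: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.178.115] [localport: 22] [Reason: Login Authentication Failed] at 00:20:11 UTC Mon Mar 1 1993
000056: *Mar  1 00:20:40.500: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.178.115] [localport: 22] at 00:20:40 UTC Mon Mar 1 1993
000060: *Mar  1 00:31:02.010: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.77.9] [localport: 22] [Reason: Login Authentication Failed] at 00:31:02 UTC Mon Mar 1 1993
000061: *Mar  1 00:31:09.733: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.77.9] [localport: 22] at 00:31:09 UTC Mon Mar 1 1993
000062: *Mar  1 00:32:15.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.178.115)
"""

if __name__ == "__main__":
    ev = parse_login_events(SAMPLE_LOG)
    print("failures:", dict(failures_by_source(ev)))
    print("suspicious:", suspicious_sources(ev))
    print("success after failures:", success_after_failures(ev))
```

The single typo from 10.0.77.9 stays below the threshold, while 192.168.178.115 is reported twice: as a guessing source and, because the fifth attempt succeeded, as a probable compromise of 'admin'. Feed the same logic the syslog host's copy rather than the switch buffer, which wraps quickly.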


Hardening

# Dangerous services that should always be disabled: the BSD r-commands and the small servers (echo, chargen, discard, daytime)
# are unauthenticated and mostly useful to attackers, and identd tells remote hosts who owns a connection
no ip rcmd rcp-enable
no ip rcmd rsh-enable
no service tcp-small-servers
no service udp-small-servers
no ip identd

# No DNS server and no X.25 PAD on a switch
no ip dns server
no service pad

# Disable HTTP/S server (if the web UI is really needed, keep only the secure server and restrict it with 'ip http access-class')
no ip http server
no ip http secure-server

# Disable finger
no ip finger
no service finger

# Disable DHCP/BOOTP services
no service dhcp
no ip boot server
no ip bootp server

# Don't load config from the network at boot (TFTP is unauthenticated)
no boot network
no service config

# IP source routing is a little-used option that lets the sender of a packet choose the routers it passes through by listing them
# in the IP options header, which lets an attacker steer traffic around your routing policy and ACLs
# https://community.cisco.com/t5/other-network-architecture-subjects/no-ip-source-route-question/td-p/325600
no ip source-route

# Stop the device from sending gratuitous ARPs on behalf of PPP/SLIP clients (see the command reference)
# https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i3.html#wp2123221095
no ip gratuitous-arps
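The Hardening and Authentication lists above, turned into a check that can be run against a saved `show running-config`, as an added example (not code from the cheatsheet): it flags enabled services from the list, missing 'no' lines for settings that are on by default, reversible credentials, weak SNMP communities and vty lines that still accept telnet or never time out. The rule tables and both sample configurations are constructed for this example (the type 5 hashes are placeholders); extend the tables to match your own baseline.

```python
import re

# Global lines that must not appear as written (the service is enabled)
FORBIDDEN_GLOBALS = {
    "ip http server": "HTTP server enabled",
    "ip http secure-server": "HTTPS server enabled",
    "service tcp-small-servers": "TCP small servers enabled",
    "service udp-small-servers": "UDP small servers enabled",
    "ip rcmd rcp-enable": "rcp enabled",
    "ip rcmd rsh-enable": "rsh enabled",
    "service finger": "finger enabled",
}
# Settings that are on by default, so only their 'no' form (or an explicit line) shows up in the config
REQUIRED_GLOBALS = {
    "no ip source-route": "IP source routing still enabled",
    "no ip gratuitous-arps": "gratuitous ARP still enabled",
    "ip ssh version 2": "SSH not pinned to version 2",
    "service password-encryption": "type 0 passwords stored in cleartext",
}
ENABLE_PASSWORD = re.compile(r"^enable\s+password\s")
WEAK_USERNAME = re.compile(r"^username\s+(\S+)\s+password\s+([07])\s")
SNMP_COMMUNITY = re.compile(r"^snmp-server\s+community\s+(\S+)\s+(ro|rw)(?:\s+(\S+))?\s*$")


def sections(config):
    """Split a running-config into (header, [indented child lines]) blocks."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] == " " and header is not None:
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit(config):
    """Return a list of findings; an empty list means every rule passed."""
    blocks = list(sections(config))
    headers = {h for h, _ in blocks}
    findings = []
    for line, why in FORBIDDEN_GLOBALS.items():
        if line in headers:
            findings.append(f"{why}: '{line}'")
    for line, why in REQUIRED_GLOBALS.items():
        if line not in headers:
            findings.append(f"{why}: missing '{line}'")
    for header, children in blocks:
        if ENABLE_PASSWORD.match(header):
            findings.append("'enable password' (reversible) used instead of 'enable secret'")
        if m := WEAK_USERNAME.match(header):
            findings.append(f"user '{m.group(1)}' has a type {m.group(2)} password; use 'username {m.group(1)} secret'")
        if m := SNMP_COMMUNITY.match(header):
            name, mode, acl = m.groups()
            if name.lower() in ("public", "private"):
                findings.append(f"SNMP community '{name}' is a well-known default")
            if mode == "rw":
                findings.append(f"SNMP community '{name}' is read-write")
            if acl is None:
                findings.append(f"SNMP community '{name}' is not restricted by an ACL")
        if header.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if not transport or transport[-1] != "transport input ssh":
                findings.append(f"'{header}': transport input is not restricted to ssh")
            if "exec-timeout 0 0" in children:
                findings.append(f"'{header}': exec-timeout 0 0, idle sessions never close")
    return findings


# Constructed sample configs: one with the usual mistakes, one following this page
WEAK_CONFIG = """\
!
hostname sw1-weak
enable password MyEnablePrivilegeModePassword
username admin password 0 myp4ssw0rd
ip http server
ip http secure-server
service tcp-small-servers
snmp-server community public rw
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
 login local
!
"""
HARDENED_CONFIG = """\
hostname sw1-hardened
service password-encryption
enable secret 5 $1$placeholder$NotAReversibleString
username admin secret 5 $1$placeholder$NotAReversibleString
no ip http server
no ip http secure-server
no ip source-route
no ip gratuitous-arps
ip ssh version 2
ip access-list standard SNMP-RO
 permit 192.168.100.20
snmp-server community MySNMPCommunity ro SNMP-RO
line vty 0 4
 exec-timeout 30 0
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

The split into header/child blocks matters for the vty rule: 'transport input' only means something under the `line vty` header it belongs to, and a later `transport input` line overrides an earlier one, so the last one in the block is what counts.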

Optimization

# Tag the native VLAN on 802.1Q trunks so untagged frames are dropped; this blocks double-tagging VLAN-hopping attacks
no spanning-tree optimize bpdu transmission
vlan dot1q tag native

# Detect dead TCP sessions (hung vty lines) in both directions, obfuscate type 0 passwords, number log messages, coalesce small TCP segments
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
service sequence-numbers
service nagle



Network

Create VLAN

vlan 500
name myVlan

Routing

# Set router for traffic originating from the switch itself
ip default-gateway 192.168.15.1

# Create a default route using our provider on 20.30.40.1
ip route 0.0.0.0 0.0.0.0 20.30.40.1

# Create a default ipv6 route
ipv6 route ::/0 2001:db8:f::35

# Route/send traffic going to 192.168.1.0, via gateway 192.168.0.1
ip route 192.168.1.0 255.255.255.0 192.168.0.1

# Route/send traffic going to 10.0.50.0, via interface gigabitethernet0/0
ip route 10.0.50.0 255.255.255.0 gigabitethernet0/0

Interfaces

VLAN

interface vlan 999
 ip address 192.168.99.9 255.255.255.0
 no shutdown

Access

interface GigabitEthernet1/1/1
 description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Put any note in here, for example a PROVIDER and PROVIDER-CID)
 switchport mode access
 switchport access vlan 88
 no shutdown

Trunk

interface GigabitEthernet1/1/1
 description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Put any note in here, for example a PROVIDER and PROVIDER-CID)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 33,99
 no shutdown

Port-channel trunk

Configure all member interfaces first and keep them shut down.
After configuration is finished, bring the port-channel online first and the physical interface(s) afterwards.
The number of port-channel interfaces is platform dependent (1-48 on Catalyst 3750-class IOS switches); all members must match in speed, duplex, trunk mode and allowed VLANs or they will not bundle.
interface GigabitEthernet1/1/1
 description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Put any note in here, for example a PROVIDER and PROVIDER-CID)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 22,283
 channel-group 48 mode active
 shutdown

interface GigabitEthernet1/1/2
 description Core: TheConnectedDevice01 FastEthernet0/1 [xxxMbit] {CIRCUIT-ID} (Put any note in here, for example a PROVIDER and PROVIDER-CID)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 22,283
 channel-group 48 mode active
 shutdown
 
interface port-channel48
 description Core: TheConnectedDevice01 [xxxMbit] (Put any note in here, for example a PROVIDER and PROVIDER-CID)
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 22,283
 shutdown

Port to ISP/provider

# An untrusted edge port: no CDP/LLDP advertising of your gear, broadcast/multicast limited to 0.50% of the port bandwidth, and no part in the
# provider's spanning tree. Note that 'bpdufilter enable' on the interface drops every BPDU before 'bpduguard' or 'guard root' can see it, so those
# two never fire here; keep bpdufilter to take the port out of STP entirely, or drop it if you want the port err-disabled on a received BPDU
interface GigabitEthernet1/1/3
 description Core: TheConnectedDevice01 GigabitEthernet1/1/24 [xxxMbit] {CIRCUIT-ID} (PROVIDER PROVIDER-CID)
 switchport access vlan 101
 switchport mode access
 no cdp enable
 no lldp transmit
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root


Spanning Tree

Configuration

# Make this switch the boss for a VLAN
spanning-tree vlan 335 root primary

# Make this switch the backup-boss for a VLAN
spanning-tree vlan 335 root secondary

# Set this switch's priority to 4096 for a VLAN
spanning-tree vlan 335 priority 4096

# Activate spanning-tree for a VLAN
spanning-tree vlan 335

# Set priority for a range of VLANs
spanning-tree vlan 10-100,125,150 priority 4096

Interface configuration

# Drop every BPDU sent or received on this port, which takes the port out of spanning tree entirely (a loop through this port will not be detected)
spanning-tree bpdufilter enable

# Err-disable the port upon receiving a BPDU. Configured on the interface this applies to any port; only the global
# 'spanning-tree portfast bpduguard default' is limited to portfast ports
spanning-tree bpduguard enable

# If a superior BPDU arrives (the other side tries to become root), put the port in root-inconsistent (blocking) state until the BPDUs stop
spanning-tree guard root

Bridge Priorities

# Bridge Priority must be in increments of 4096.
# Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440