Reset the machine
Reference: Cisco Doc
- Condition 1: you have password
switch> enable
switch# write erase
switch# reload
! waiting for a while
switch> enable
switch# copy running-config startup-config
- Condition 2: you forget password
- Unplug the power cord
- Plug in the power cord and immediately hold down the "MODE" button for a while
- Connect the ethernet cable to the console port on the switch
- ssh into the switch with your pc or notebook
- MacOS:
ls /dev/tty.*
screen /dev/tty.~
- (replace tty.~ with the device name shown by the ls result)
- Windows: use PuTTY
If the switch prompts for a username at login (after reset)
- default username: cisco
- default password: cisco
Mount flash file system
The system has been interrupted ...
...
switch: flash_init
Show files
switch: dir flash:
Directory of flash:/
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
Delete config.text and vlan.dat
switch: delete flash:config.text
switch: delete flash:vlan.dat
Boot
switch: boot
...
Continue with the configuration dialog? [yes/no]: N
Switch>
Configure state
switch> enable
switch# configure terminal
switch(config)# exit
switch# exit
switch>
When you don't know which command or option to use
switch# ?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
...
switch# copy ?
/erase Erase destination file system.
/error Allow to copy error file.
...
Save the config as startup-config
switch# copy running-config startup-config
Show the current config
switch# show running-config
! filter the output for specific config lines (like grep)
switch# show running-config | include vlan
Basic command
Modify hostname
switch(config)# hostname _HOSTNAME
Undo a setting (prefix the command with no)
switch(config)# no hostname _HOSTNAME
Add user
switch(config)# username USERNAME secret PASSWORD
Allow ssh
switch(config)# ip domain name www.domain.com
switch(config)# crypto key generate rsa
switch(config)# ip ssh version 2
switch(config)# line vty 0 15
switch(config-line)# transport input ssh
switch(config-line)# login local
VLANS
Setting vlan
- Create new vlan
switch(config)# vlan VLAN_NUM
switch(config-vlan)# name VLAN_NAME
! Setting the VLAN name is optional
- Setting on interface
switch(config)# interface INTERFACE_TYPE INTERFACE_NUMBER
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan VLAN_NUMBER
switch(config)# interface gigabitEthernet 0/1
switch(config-if)# switchport trunk allowed vlan 10,20
switch(config-if)# switchport mode trunk
! switch 2960 has no encapsulation command
L3switch(config)# interface gigabitEthernet 1/0/1
L3switch(config-if)# switchport trunk encapsulation dot1q
L3switch(config-if)# switchport trunk allowed vlan 10,20
L3switch(config-if)# switchport mode trunk
! The L3 switch 3650 has the encapsulation command, but dot1q is the only option ...
Modify trunk link
switch(config-if)# switchport trunk allowed vlan {add|remove} VLAN_LIST
Modify native vlan
switch(config-if)# switchport trunk native vlan VLAN_NUM
SVI
switch(config)# interface vlan VLAN_NUM
switch(config-if)# ip address IP NETMASK
Enable ip routing on L3 device
switch(config)# ip routing
Convert a port from a Layer 2 switchport to a routed Layer 3 port
switch(config)# interface gigabitEthernet 1/0/1
switch(config-if)# no switchport
STP
switch# show spanning-tree
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 0025.b4c1.b400
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0025.b4c1.b400
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Change bridge priority
! method 1
switch(config)# spanning-tree vlan VLAN_ID root [ primary | secondary ]
! method 2
switch(config)# spanning-tree vlan VLAN_ID priority VALUE
Change spanning tree mode
switch(config)# spanning-tree mode MODE
Setting portfast
! Single port
switch(config)# interface INTERFACE
switch(config-if)# spanning-tree portfast
! Every port
switch(config)# spanning-tree portfast default
BPDU Guard
switch(config)# interface INTERFACE
switch(config-if)# spanning-tree bpduguard enable
BPDU Filter
! Single port
switch(config)# interface INTERFACE
switch(config-if)# spanning-tree bpdufilter enable
! Every port
switch(config)# spanning-tree portfast bpdufilter default
Root Guard
switch(config)# interface INTERFACE
switch(config-if)# spanning-tree guard root
RIP & routing
Check routing table
router# show ip route
Configure static route
router(config)# ip route IP_ADDRESS NETMASK { ip-address | exit-intf }
- Method #1: exit interface (the routing table is looked up only once)
router(config)# ip route 192.168.4.0 255.255.255.0 GigabitEthernet 0/0
- Method #2: next-hop IP address (requires a recursive lookup, so the routing table is searched twice)
router(config)# ip route 192.168.1.0 255.255.255.0 192.168.3.1
Default Static Route (Matches any network address)
router(config)# ip route 0.0.0.0 0.0.0.0 {ip-address | exit-intf}
RIP setting
router(config)# router rip
router(config-router)# version 2
router(config-router)# network _SUBNET
Propagate a Default Route
- The default static route is advertised to all other routers in the RIP routing domain
- Tells the other routers in the same RIP domain where to reach the Internet
router(config)# ip route 0.0.0.0 0.0.0.0 {ip-address | exit-intf}
router(config)# router rip
router(config-router)# default-information originate
Disable auto-summary
router(config)# router rip
router(config-router)# no auto-summary
Passive interface
- Method #1: make all interfaces passive, then exclude specific ones
router(config)# router rip
router(config-router)# passive-interface default
router(config-router)# no passive-interface GigabitEthernet 0/1
- Method #2: make specific interfaces passive
router(config-router)# passive-interface GigabitEthernet 0/0
OSPF
Show OSPF information
router# show ip protocols
router# show ip ospf neighbor
! LSA types: router (Type 1), network (Type 2), summary (Type 3), asbr-summary (Type 4), external (Type 5)
router# show ip ospf 42 database router
router# show ip ospf 42 database network
router# show ip ospf 42 database summary
router# show ip ospf 42 database asbr-summary
router# show ip ospf 42 database external
router# show ip ospf 42 database
router# show ip route 192.168.1.5
Setting loopback interface
router(config)# interface loopback 0
router(config-if)# ip address 140.113.0.1 255.255.255.255
Single area
- The Process ID value is locally significant. (In the examples, the Process ID is 42)
- A router can have several OSPF processes.
Basic OSPF setting
router(config)# router ospf 42
router(config-router)# network 10.113.0.0 0.0.0.255 area 0
router(config-router)# network 172.16.0.0 0.0.0.255 area 0
! the second argument is a wildcard mask (0.0.0.255 covers a /24), not a subnet mask
Setting router-id
router(config)# router ospf 42
router(config-router)# router-id 140.113.0.2
Multi-instance OSPF
- Each process owns its instance.
- Each instance owns its database.
- A single process is sufficient for simple topology.
router(config)# router ospf 113
router(config-router)# exit
router(config)# router ospf 192
Add interface into OSPF
router(config)# interface GigabitEthernet 0/0
router(config-if)# ip ospf 42 area 0
router(config)# interface GigabitEthernet 0/1
router(config-if)# ip ospf 42 area 0
Propagate Default Route
router(config)# ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/0
router(config)# router ospf 42
router(config-router)# default-information originate
Passive interface
router(config)# router ospf 42
! Method 1
router(config-router)# passive-interface GigabitEthernet 0/1
router(config-router)# passive-interface GigabitEthernet 0/2
! Method 2
router(config-router)# passive-interface default
router(config-router)# no passive-interface GigabitEthernet 0/0
Reload OSPF Process
- To update the Router ID, reboot the router or reload the OSPF process.
- If something odd happens, try reloading the process or rebooting.
- Reloading the OSPF process on all routers lets you watch how the neighbor adjacencies are established.
router# clear ip ospf process
Setting interface priority (For DR/BDR)
router(config)# interface GigabitEthernet 0/0
router(config-if)# ip ospf priority 255
Setting interface cost (For routing path)
router(config)# interface GigabitEthernet 0/1
router(config-if)# ip ospf cost 100
Multi area
Redistribute RIP subnets
- OSPF metric-type 1 (E1): the route's cost is the external metric plus the internal OSPF cost to the ASBR
- Metric-type 2 (E2): the route keeps a fixed external metric (in this case, 99) regardless of the internal OSPF cost. Use it when the external metric should not be adjusted by internal OSPF costs.
router(config)# router ospf 42
router(config-router)# redistribute rip subnets
router(config-router)# redistribute rip subnets metric-type 1 metric 99
router(config-router)# redistribute rip subnets metric-type 2 metric 99
Stub Area
router(config)# router ospf 42
router(config-router)# area 10 stub
router(config)# router ospf 42
router(config-router)# area 10 stub no-summary
! no-summary only needs to be configured on ABR
Not-So-Stubby Area
router(config)# router ospf 42
router(config-router)# no area 20 stub
router(config-router)# area 20 nssa
router(config)# router ospf 42
router(config-router)# area 20 nssa no-summary
ACL
Show ACL
router# show ip access-lists
Standard IP access list test-acl
10 permit host 192.168.2.2
20 permit host 192.168.2.3
router# show ip access-lists test-acl
Standard IP access list test-acl
permit host 192.168.2.2
permit host 192.168.2.3
Access Control List (ACL) - Wildcard Masking
- 32-bit string
- To determine which bits of the address to examine for a match
- Wildcard masks use the following rules to match binary 1s and 0s:
- Wildcard mask bit 0 - Match the corresponding bit value in the address
- Wildcard mask bit 1 - Ignore the corresponding bit value in the address
- Wildcard masks are often referred to inverse mask
- Usually considered as opposite of subnet mask
- But can be non-contiguous
- Wildcard mask keywords
- host: 0.0.0.0
- any: 255.255.255.255
Standard ACL
- Only based on source IP address
- Placed close to the destination due to the inability to specify destination address
Standard Numbered ACL
router(config)# access-list LIST_NUMBER {deny|permit} SOURCE_IP [wildcard]
router(config)# access-list LIST_NUMBER remark DESCRIPTION
Standard Named ACL
router(config)# ip access-list [standard|extended] LISTNAME
router(config-std-nacl)# [permit|deny|remark] SOURCE_IP [wildcard]
Example
router(config)# access-list 20 permit 192.168.2.2
router(config)# access-list 20 permit 192.168.2.3
router(config)# ip access-list standard test-acl
router(config-std-nacl)# permit 192.168.2.2
router(config-std-nacl)# permit 192.168.2.3
Extended ACL
- Based on source IP, source port, destination IP, destination port and protocol
- Placed close to the source to filter undesirable traffic
Extended Numbered ACL
router(config)# access-list LIST_NUMBER {permit|deny} PROTOCOL SRC_IP [wildcard] [operator {port-num|service}] DST_IP [wildcard] [operator {port-num|service}]
Extended Named ACL
router(config)# ip access-list extended LISTNAME
router(config-ext-nacl)# {permit|deny} PROTOCOL SRC_IP [wildcard] [operator {port|service}] DST_IP [wildcard] [operator {port-num|service}]
Example
router(config)# ip access-list extended PC-1-to-2
router(config-ext-nacl)# permit ip host 192.168.1.2 host 192.168.2.2
router(config-ext-nacl)# permit ip host 192.168.1.3 host 192.168.2.3
router(config-ext-nacl)# ^Z
router# show ip access-lists PC-1-to-2
Extended IP access list PC-1-to-2
10 permit ip host 192.168.1.2 host 192.168.2.2
20 permit ip host 192.168.1.3 host 192.168.2.3
Access Control List (ACL) - Flow Direction
- Inbound ACL
- Filter packets coming to a specific interface, before routed to outbound interface
- Outbound ACL
- Filter packets after being routed, regardless of the inbound interface
Apply to interface
router(config-if)# ip access-group {list-number|list-name} {in|out}
Apply to line (e.g. console, vty)
router(config-line)# access-class {list-number|list-name} {in|out}
Sequence Numbers
- Every time you add a new entry in ACL, it is added at the end of it.
- Because of the first-match rule, that entry is checked last.
- How to insert an entry between previous ACL entries?
- Use sequence numbers
- Sequence numbers help you make the proper order of ACL entries
Example
router(config)# do show ip access-lists
...
Extended IP access list PC-1-to-2
10 permit ip host 192.168.1.2 host 192.168.2.2
20 permit ip host 192.168.1.3 host 192.168.2.3
...
router(config)# ip access-list extended PC-1-to-2
router(config-ext-nacl)# no 10
router(config-ext-nacl)# 10 permit ip host 192.168.1.1 any
router(config-ext-nacl)# do show ip access-lists
...
Extended IP access list PC-1-to-2
10 permit ip host 192.168.1.1 any
20 permit ip host 192.168.1.3 host 192.168.2.3
...
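To make the wildcard-mask rules, the first-match rule and the sequence-number edit above concrete, here is an added Python model (not part of these notes and not Cisco code) of a standard named ACL. It assumes IOS-style behaviour as the notes describe it: appended entries get the next sequence number, `no SEQ` removes an entry, and an unmatched packet hits the implicit deny.

```python
import ipaddress

def _int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: mask bit 0 = the address bit must match the base,
    mask bit 1 = ignore that bit. Non-contiguous masks work the same way."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def subnet_to_wildcard(netmask: str) -> str:
    """Invert a contiguous subnet mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(_int(netmask) ^ 0xFFFFFFFF))

class StandardAcl:
    """Model of a Cisco standard named ACL: source-only entries kept in sequence
    order, first match wins, implicit deny when nothing matches."""

    def __init__(self, name: str):
        self.name = name
        self.entries = {}       # sequence number -> (action, base, wildcard)
        self._next_seq = 10     # appended entries are numbered 10, 20, 30, ...

    def add(self, action: str, source: str, wildcard: str = "0.0.0.0", seq=None):
        """Without seq the entry is appended (so it is checked last); with seq it is
        inserted at that position, like '10 permit ...' in config-std-nacl mode."""
        if source == "any":     # keyword 'any' = 0.0.0.0 255.255.255.255
            source, wildcard = "0.0.0.0", "255.255.255.255"
        if seq is None:
            seq = self._next_seq
        self.entries[seq] = (action, source, wildcard)
        self._next_seq = max(self.entries) + 10

    def remove(self, seq: int):
        """Equivalent of 'no <seq>' inside the ACL."""
        self.entries.pop(seq, None)

    def check(self, addr: str):
        """Return (action, sequence) of the first matching entry, or ('deny', None)
        for the implicit deny at the end of every ACL."""
        for seq in sorted(self.entries):
            action, base, wildcard = self.entries[seq]
            if wildcard_match(addr, base, wildcard):
                return action, seq
        return "deny", None

def build_test_acl() -> StandardAcl:
    """Constructed sample: the notes' test-acl, then a sequence-number edit."""
    acl = StandardAcl("test-acl")
    acl.add("permit", "192.168.2.2")                        # becomes 10
    acl.add("permit", "192.168.2.3")                        # becomes 20
    acl.remove(10)                                          # no 10
    acl.add("permit", "192.168.1.0", "0.0.0.255", seq=10)   # inserted ahead of 20
    acl.add("deny", "192.168.2.0", "0.0.0.255")             # appended as 30: checked last
    return acl

if __name__ == "__main__":
    acl = build_test_acl()
    for ip in ("192.168.1.77", "192.168.2.3", "192.168.2.9", "172.16.0.1"):
        print(ip, acl.check(ip))
```

Note that 192.168.2.3 is still permitted by entry 20 even though entry 30 denies the whole 192.168.2.0/24: the later deny never gets evaluated for it.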
AAA
RADIUS for Router - Configuration
Enable AAA
router(config)# aaa new-model
Enter radius server config mode
router(config)# radius server SERVER_NAME
Configure server IP address
router(config-radius-server)# address ipv4 SERVER_IP [auth-port SERVER_PORT]
Add radius key
router(config-radius-server)# key _SECRET
Configure authentication method list
router(config)# aaa authentication login LIST_NAME AUTH_LIST
Apply the list to connections (e.g. console, vty, …)
router(config-line)# login authentication LIST_NAME
RADIUS for Router - Example
router(config)# aaa new-model
router(config)# radius server radius
router(config-radius-server)# address ipv4 192.168.1.1
router(config-radius-server)# key radiuskey
Configure authentication provider group - Example
router(config)# aaa authentication login ccna group radius local
router(config)# line vty 0 15
router(config-line)# login authentication ccna
RADIUS for switch 2960 - Configuration
Enable AAA
switch(config)# aaa new-model
Configure radius server
switch(config)# radius-server host SERVER_IP key _SECRET
Configure authentication method list
switch(config)# aaa authentication login LIST_NAME AUTH_LIST
Apply the list to connections (e.g. console, vty, …)
switch(config-line)# login authentication LIST_NAME
RADIUS for 2960 - Example
switch(config)# aaa new-model
switch(config)# radius-server host 192.168.1.1 key radiuskey
First Hop Redundancy Protocol (FHRP)
- The default gateway for end devices is called first-hop.
- FHRP allows 2+ routers to provide backup for gateway address.
- When master is dead, backup routers will take over within seconds.
- FHRP is a category, there are several FHRP protocols:
- VRRP, Virtual Router Redundancy Protocol
- HSRP, Hot Standby Router Protocol
- GLBP, Gateway Load Balancing Protocol
VRRP
Command
router(config-if)# vrrp group ip ip-addr
! Makes the interface a member of the vrrp group and assign the virtual IP address. (The virtual IP address can be the same as the interface IP address of one member in the group)
router(config-if)# vrrp group priority priority
! Set the VRRP router priority from 1 to 254 (Default is 100).
router(config-if)# vrrp group timers advertise timer
! Change the advertisement timer (Default 1 second).
router(config-if)# vrrp group timers learn
! Learn the advertisement interval from the master router.
router(config-if)# vrrp group preempt [delay seconds]
! Change the preempt delay.
router(config-if)# no vrrp group preempt
! Disable preempting. (Default is to preempt)
router(config-if)# vrrp group track object-number [decrement priority]
! Track an object and decrease the priority when the object is down.
Example
R1(config)# interface vlan 50
R1(config-if)# ip address 192.0.2.1 255.255.255.0
R1(config-if)# vrrp 1 priority 200
R1(config-if)# vrrp 1 ip 192.0.2.254
R2(config)# interface vlan 50
R2(config-if)# ip address 192.0.2.2 255.255.255.0
R2(config-if)# ! vrrp 1 priority 100 is the default, so it is not configured
R2(config-if)# vrrp 1 ip 192.0.2.254
R2(config-if)# no vrrp 1 preempt
R2# show vrrp detail
HSRP
- A Cisco-proprietary FHRP protocol.
- Send periodic Hello messages to all-routers multicast address.
- HSRP group consist of 1 active router + 1 standby router.
- Others remain in the speak state.
- Use MAC address 00:00:0C:07:AC:XX (version 1) or 00:00:0C:9F:FX:XX (version 2).
HSRP States
State | Description
Initial | When HSRP is disabled or the interface first comes up.
Learn | The router has not determined the virtual IP address.
Listen | Waiting for Hello messages from the active or standby router.
Speak | Participating in the HSRP election.
Standby | The router is a candidate to become the next active router.
Active | Forwarding packets that are sent to the group's virtual IP / MAC address.
- Sends Hello messages periodically: Speak, Standby, Active
- At most one router in: Standby, Active
Election
- Determine the role of each router in HSRP group based on the priority value.
- HSRP priority
- Range from 0 to 255 (Default 100)
- Highest priority in the group = Active router
- If the priorities are equal, router with numerically highest IPv4 address is elected.
- By default, the active router is not replaced by a router with a higher priority (preemption is off by default).
Setting priority
router(config-if)# standby _group priority _priority
router(config-if)# standby _group preempt [ delay [ minimum _seconds ] [ reload _seconds ]]
Config Steps
- Configure the HSRP version 2.
- Set the virtual IP address for the group.
- The IP address of interface and the virtual address should be in the same IP subnet.
- Configure the priority for the desired active router.
- Enable preemption on the desired active router.
router(config-if)# standby version 2
router(config-if)# standby [ group-number ] ip [ ip-address ]
router(config-if)# standby [ group-number ] priority priority-value
router(config-if)# standby group preempt [ delay [ minimum seconds ] [ reload seconds ]]
Config Example
R1(config)# interface Gi0/1
R1(config-if)# ip address 203.0.113.251 255.255.255.0
R1(config-if)# standby version 2
R1(config-if)# standby 1 ip 203.0.113.254
R1(config-if)# standby 1 priority 160
R1(config-if)# standby 1 preempt
R1(config-if)# no shutdown
R2(config)# interface Gi0/1
R2(config-if)# ip address 203.0.113.252 255.255.255.0
R2(config-if)# standby version 2
R2(config-if)# standby 1 ip 203.0.113.254
R2(config-if)# no shutdown
R1# show standby
R1# show standby brief
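The election rules above (highest priority, tie broken by the numerically highest IP, incumbent kept unless the better candidate has preempt) can be checked against the R1/R2 config example with this added Python model; it is not from these notes or from Cisco, and the router dictionary and the failover sequence are constructed for illustration.

```python
import ipaddress

def hsrp_elect(routers, current_active=None):
    """Decide (active, standby) for one HSRP group.

    routers: name -> {"priority": int, "ip": str, "preempt": bool}, all currently up.
    current_active: router holding the active role now (None when the group first
    comes up). Highest priority wins, ties go to the numerically highest IPv4
    address, and a running active router is only displaced by a better candidate
    that has preempt enabled."""
    def rank(name):
        r = routers[name]
        return (r["priority"], int(ipaddress.IPv4Address(r["ip"])))

    ordered = sorted(routers, key=rank, reverse=True)   # best candidate first
    best = ordered[0]
    if (current_active in routers and best != current_active
            and not routers[best]["preempt"]):
        active = current_active          # no preempt: the incumbent keeps the role
    else:
        active = best
    standby = next((n for n in ordered if n != active), None)
    return active, standby

def simulate_failover(routers, failed):
    """Return the active router before the failure, while `failed` is down, and
    after it comes back, so the effect of preempt can be read off directly."""
    first, _ = hsrp_elect(routers)
    remaining = {n: r for n, r in routers.items() if n != failed}
    during, _ = hsrp_elect(remaining,
                           current_active=first if first != failed else None)
    after, _ = hsrp_elect(routers, current_active=during)
    return first, during, after

# Constructed sample mirroring the HSRP config example: R1 priority 160 with
# preempt, R2 left at the default priority 100.
HSRP_GROUP_1 = {
    "R1": {"priority": 160, "ip": "203.0.113.251", "preempt": True},
    "R2": {"priority": 100, "ip": "203.0.113.252", "preempt": False},
}

if __name__ == "__main__":
    print(hsrp_elect(HSRP_GROUP_1))               # ('R1', 'R2')
    print(simulate_failover(HSRP_GROUP_1, "R1"))  # ('R1', 'R2', 'R1')
```

Drop `preempt` on R1 and the third value becomes R2: after R1 recovers it only rejoins as standby.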
GLBP
- Another Cisco-proprietary FHRP protocol.
- Active Virtual Gateway & Active Virtual Forwarder
- Support load balancing and authentication.
- Load balancing modes: round-robin, host-dependent, weighted
EtherChannel
- Grouping multiple physical ports into one or more logical EtherChannel links.
- Interface types can’t be mixed.
- Each EtherChannel can consist of up to 16 physical ports,
- but only 8 interfaces can be active.
- The inactive interfaces serve as backups.
- Group member port configuration must be consistent on both devices.
- Same Media type (Fast, Gigabit, 10-Gigabit)
- Same Speed and Duplex mode
- Same VLAN configs (native VLAN and allowed VLAN)
- Same VLAN modes (Access or Trunk Mode)
- All ports must be configured as L2 (Data link layer) ports.
- Can be formed through negotiation using PAgP or LACP.
Load Balance (* : the two values are XORed)
Method Value | Hash Input
src-port | Source port number
dst-port | Destination port number
src-dst-port * | Source and destination port number
src-ip | Source IP address
dst-ip | Destination IP address
src-dst-ip * | Source and destination IP address
src-mac | Source MAC address
dst-mac | Destination MAC address
src-dst-mac * | Source and destination MAC address
Setting load balance method (configure globally)
Switch(config)# port-channel load-balance METHOD
! Enter "port-channel load-balance ?" to list all methods with their descriptions
Config Steps
- Set the LACP system priority & port priority.
- Optional; not supported in Packet Tracer.
- Assign the interfaces to the EtherChannel group (channel-group)
- Configure the corresponding port-channel interface.
- switchport mode, trunk allowed vlan
Assign an interface to a channel group and specify the control protocol. If the group does not exist yet, this creates it.
Switch(config)# interface INTERFACE
Switch(config-if)# channel-group CHANNEL_NUM mode CHANNEL_MODE
! channel-mode:
! desirable Enable PAgP unconditionally
! auto Enable PAgP only if a PAgP device is detected
! active Enable LACP unconditionally
! passive Enable LACP only if an LACP device is detected
! on Enable Etherchannel only
Switch(config-if)# channel-protocol {lacp|pagp}
Remove an interface from a channel group
Switch(config)# int interface
Switch(config-if)# no channel-group
Change EtherChannel setting after creation
Switch(config)# interface port-channel 5
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 28,420
Guard against EtherChannel misconfiguration (enabled by default)
Switch(config)# spanning-tree etherchannel guard misconfig
Verification
switch# show interfaces port-channel CHANNEL_NUM
! Displays the general status of the port-channel interface.
switch# show etherchannel summary
! Displays one line of information per port-channel.
switch# show etherchannel port-channel
! Displays detailed information about each port-channel.
switch# show interfaces INTERFACE etherchannel
! Displays the role of a particular interface in an EtherChannel. (Not supported in Packet Tracer.)
Static
- Simply creates a channel without negotiating parameters with the peer device.
- NO misconfiguration protection.
- It does not even check whether the peer device has set up an EtherChannel.
- Any misconfiguration can ruin everything.
- Not recommended in almost every case,
- unless you have a device too old to support a dynamic negotiation protocol like PAgP or LACP.
Port Aggregation Protocol (PAgP)
- Cisco-proprietary protocol for negotiating and managing EtherChannel links.
- Sends PAgP packets every 30 seconds.
- Checks config consistency.
- Stops forming the EtherChannel link when a misconfiguration is detected.
- Manages link additions and failures.
- Combine a maximum of 8 physical links into a single virtual link.
Link Aggregation Control Protocol (LACP)
- Industry standard, IEEE 802.1AX (previously 802.3ad).
- Performs similarly to Cisco PAgP
- Periodically sends LACPDUs to exchange information
- Config consistency, addition of links, detection and removal of failed links.
- Cisco devices support both LACP and PAgP
- Can be used to build EtherChannels in multi-vendor environments.
- LACP allows for 8 active links and 8 standby links.
- A standby link becomes active when one of the current active links fails.
- How to decide which links to be active or standby?
- System priority
- Decide which switch to become leader first.
- 2 bytes of priority (0 - 65535) + 6 bytes of MAC address
- Default priority = 32768
- Switch with the lower value will become the leader.
- Port priority
- The leader chooses which ports to be active or standby.
- 2 bytes of priority (0 - 65535) + 2 bytes of port number
- Default priority = 32768
- The port (and its corresponding link) with the lower value is chosen to be active.
Setting lacp System priority
switch(config)# lacp system-priority PRIORITY_VALUE
Setting lacp port priority
switch(config)# int interface
switch(config-if)# lacp port-priority PRIORITY_VALUE
Example
Switch(config)# lacp system-priority 100
Switch(config)# interface range Gi0/1-4
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group 5 mode active
Switch(config-if)# lacp port-priority 1024
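The system-ID and port-ID comparisons described under LACP, applied to the example above (system priority 100, Gi0/1-4 at port priority 1024), as an added Python model that is not part of these notes or of any Cisco implementation. It assumes the port number is simply the interface index and that the channel has 14 member links, both constructed for the illustration.

```python
def lacp_system_id(priority: int, mac: str) -> int:
    """2-byte system priority followed by the 6-byte MAC; the lower value leads."""
    return (priority << 48) | int(mac.replace(":", "").replace(".", ""), 16)

def lacp_port_id(priority: int, port_number: int) -> int:
    """2-byte port priority followed by the 2-byte port number; lower is preferred."""
    return (priority << 16) | port_number

def lacp_select_links(systems, ports, max_active=8):
    """systems: switch name -> (system_priority, mac)
    ports:   switch name -> list of (port_name, port_priority, port_number)
    The switch with the lowest system ID is the leader, and the leader's port IDs
    decide which links are active (lowest max_active) and which are standby."""
    leader = min(systems, key=lambda s: lacp_system_id(*systems[s]))
    ranked = sorted(ports[leader], key=lambda p: lacp_port_id(p[1], p[2]))
    names = [p[0] for p in ranked]
    return leader, names[:max_active], names[max_active:]

# Constructed sample: SW1 has system priority 100 (from the example), SW2 keeps the
# default 32768; SW2's lower MAC does not matter because priority is compared first.
LACP_SYSTEMS = {
    "SW1": (100, "0011.2233.4455"),
    "SW2": (32768, "0000.0000.0001"),
}
# 14 member links; SW1 sets port priority 1024 on Gi0/1-4, the rest stay at 32768.
LACP_PORTS = {
    "SW1": [(f"Gi0/{n}", 1024 if n <= 4 else 32768, n) for n in range(1, 15)],
    "SW2": [(f"Gi0/{n}", 32768, n) for n in range(1, 15)],
}

if __name__ == "__main__":
    leader, active, standby = lacp_select_links(LACP_SYSTEMS, LACP_PORTS)
    print(leader)   # SW1
    print(active)   # Gi0/1 .. Gi0/8: the four preferred ports plus the lowest-numbered rest
    print(standby)  # Gi0/9 .. Gi0/14
```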