
Common IOS Commands


Academic year: 2021


Category / Command

VTY, console and enable passwords

VTY password
Router(config)#line vty 0 4
Router(config-line)#password password
Router(config-line)#history size 35 (history buffer)
Router(config-line)#exec-timeout 0 60 (disconnect after 60 seconds idle)
Router(config-line)#login

Restrict VTY connections with an ACL
Router(config)#access-list 11 permit host 192.168.1.1
Router(config)#line vty 0 4
Router(config-line)#access-class 11 in

Console password
Switch(config)#line console 0
Switch(config-line)#password password
Switch(config-line)#login

Enable password
Router(config)#enable password password
Router(config)#enable secret password (the password is stored encrypted in show run output)
Router(config)#service password-encryption (weak Cisco Type 7 encryption method)

Create an account (this creates the local authentication database)
Router(config)#username cm password ming
Router(config)#line console 0
Router(config-line)#login local

Connect using SSH
Router(config)#username cm password ming
Router(config)#ip domain-name cisco.com
Router(config)#crypto key generate rsa
Router(config)#ip ssh version 2
Router(config)#line vty 0 15
Router(config-line)#login local
Router(config-line)#transport input telnet ssh (only Telnet and SSH connections to the VTY lines are allowed)

Display a message at login
Router(config)#banner motd # TEXT #
Router(config)#banner login %TEXT %

Set the default route
Router(config)#ip route 0.0.0.0 0.0.0.0

logging synchronous
To keep unsolicited output separate from your input, enter line configuration mode for the console port and add the logging synchronous command.
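The password, VTY and authentication commands on this page come in weak and strong variants. The following added example (not part of the original page) audits a configuration for the weak ones; the rule set and sample config are constructed for illustration, and it assumes the standard IOS alternatives `username ... secret` and `transport input ssh`, which the page does not list.

```python
import re

# Constructed sample running-config that uses weak variants listed on this page.
SAMPLE_CONFIG = """\
enable password password
username cm password ming
line vty 0 4
 password password
 login
 transport input telnet ssh
line vty 5 15
 access-class 11 in
 login local
 transport input ssh
interface Serial0/0/0
 ip ospf authentication-key cisco
 ppp authentication pap
"""

# (pattern, finding) pairs. The rule set is this example's own, not a Cisco tool.
RULES = [
    (r"enable password\b", "enable password is clear text or Type 7; use enable secret"),
    (r"username \S+ password\b", "reversible user password; use username ... secret"),
    (r"transport input\b.*\btelnet\b", "Telnet permitted; restrict to transport input ssh"),
    (r"ip rip authentication mode text\b", "clear-text RIP authentication; use mode md5"),
    (r"ip ospf authentication-key\b", "clear-text OSPF authentication; use message-digest"),
    (r"ppp authentication pap\b", "PAP sends the password in clear text; use CHAP"),
]

def audit(config):
    """Return a list of (context, finding) for weak settings in an IOS config."""
    findings, context, vty_acl = [], "global", {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            # Unindented lines are global commands or open a new sub-mode.
            context = line if line.startswith(("line ", "interface ")) else "global"
            if line.startswith("line vty"):
                vty_acl[line] = False
        elif context.startswith("line vty") and line.startswith("access-class "):
            vty_acl[context] = True
        for pattern, finding in RULES:
            if re.match(pattern, line):
                findings.append((context, finding))
    # VTY lines with no access-class accept logins from any source address.
    findings += [(c, "no access-class on VTY lines") for c, ok in vty_acl.items() if not ok]
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns six findings, each tagged with the line or interface block it was found in.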

General


Upgrade
R2#show flash

Download the new OS image
R2#copy tftp flash

Specify the image file to boot next time, then reload into the new OS
R2(config)#boot system flash:/c1841-ipbasek9-mz.124-12.bin
R2#copy running-config startup-config
R2#reload

Back up a file to the TFTP server
R2#copy flash tftp

IOS Image Recovery
Set the TFTP IP parameters in ROMMON
rommon 7 > IP_ADDRESS=192.168.1.2 (router IP)
rommon 8 > IP_SUBNET_MASK=255.255.255.0
rommon 9 > DEFAULT_GATEWAY=192.168.1.1
rommon 10 > TFTP_SERVER=192.168.1.1 (server IP)
rommon 11 > TFTP_FILE=c1841-ipbasek9-mz.124-12.bin (IOS image filename)
rommon 12 > tftpdnld (download)
rommon 12 > reset (reload)

Enable Password Recovery

Router Password Recovery:
Step 1: Force the router into ROMMON
Press "Ctrl+Break" on the terminal keyboard within 60 seconds of power-up

Step 2: Bypass the startup configuration
rommon 1 > confreg 0x2142
rommon 2 > reset

Step 3: Load the configuration file from NVRAM
R1#copy startup-config running-config

Step 4: Reset the password
R1(config)#enable secret cisco
R1(config)#config-register 0x2102
R1#copy running-config startup-config

Switch Password Recovery:
Step 1: Force the switch into flash mode
Press the Mode button on the switch front panel; the following prompt appears
Switch:
Then run flash_init

Step 2: Rename config.text
Switch: rename flash:config.text flash:config.text.old
Load the OS
Switch: boot

Step 3: Copy config.text.old to config.text
Switch#copy flash:config.text system:running-config
After changing the password, save it to the startup configuration and reboot


Switch#reload

Disable DNS name resolution
no ip domain-lookup

Erase the startup-config
#erase nvram: or #erase startup-config

Default Settings for Terminal Configuration
Bits Per Second = 9600
Data Bits = 8
Parity = None
Stop Bits = 1
Flow Control = None

VLAN

Enable a VLAN
(config)#vlan 20
(config-vlan)#name student
(config)#interface fa0/18
(config-if)#switchport mode access
(config-if)#switchport access vlan 20

Enable a trunk
(config)#interface fa0/1
(config-if)#switchport mode trunk

Remove the VLAN assignment from a port
(config)#interface fa0/18
(config-if)#no switchport access vlan

Delete a VLAN
(config)#no vlan 20
#delete flash:vlan.dat

View VLANs
#show vlan brief
#show vlan summary
#show vlan id 20
#show interface vlan 20
#show interface trunk
#show interface fa0/1 switchport

Enable port security
S1-Central(config-if)#switchport mode access (the port must be in access mode)
S1-Central(config-if)#switchport port-security
S1-Central(config-if)#switchport port-security mac-address 0000.0c9b.d2d8
S1-Central(config-if)#switchport port-security mac-address sticky
S1-Central(config-if)#switchport port-security violation shutdown
S1-Central#show port-security int fa0/24

Switch

VTP

Enable VTP
(config)#vtp mode server
(config)#vtp domain cisco


(config)#vtp version
(config)#vtp password xxxx

Reset the revision number (change the domain name, then change it back)
(config)#vtp domain tesd
(config)#vtp domain cisco

View VTP
#show vtp status

Enable pruning
(config)#vtp pruning

STP

Change the switch priority (used in the root bridge election)
(config)#spanning-tree vlan 1 priority xxxxx
(config)#spanning-tree vlan 1 root primary (or secondary)

Change the port cost (used to choose the best path to the root, i.e. the root port)
(config)#interface fa0/1
(config-if)#spanning-tree cost 24

When path costs are equal, port priority is compared
(config-if)#spanning-tree port-priority 124

When two ports on the same segment are candidates for designated port, the BIDs of their switches are compared: the port on the switch with the lower BID becomes the designated port, and the other becomes the non-designated port.

Change the spanning-tree version
S1(config)#spanning-tree mode rapid-pvst

View spanning tree
#show spanning-tree
#show spanning-tree summary

Enable PortFast
(config)#interface fa0/1
(config-if)#spanning-tree portfast
#show run (check PortFast)

Router-on-a-Stick (Inter-VLAN Routing)

On the switch, fa0/5 connects to the router's fa0/1; configure this port as a trunk
S1(config)#interface fa0/5
S1(config-if)#switchport mode trunk

On the router, configure subinterfaces on fa0/1, one for each of the two VLANs
R1(config)#interface fa0/1.10
R1(config-subif)#encapsulation dot1Q 10 (VLAN ID)
R1(config-subif)#ip address 172.17.10.1 255.255.255.0
R1(config-subif)#interface fa0/1.30
R1(config-subif)#encapsulation dot1Q 30
R1(config-subif)#ip address 172.17.30.1 255.255.255.0

Router

RIP

Enable RIPv1
(config)#router rip
(config-router)#network 172.16.1.16

Advertise this router's default route


(config-router)#default-information originate

View RIP
#show ip protocols

Debug
#debug ip rip
#undebug all

Stop sending updates out fa0/0
(config)#router rip
(config-router)#passive-interface fa0/0

Stop advertising a network
(config-router)#no network 192.168.4.0

Restrict the versions sent and received
Router1(config)#interface FastEthernet0/0 (interface that sends RIP updates)
Router1(config-if)#ip rip send version <1 | 2 | 1 2>
Router1(config-if)#ip rip receive version <1 | 2 | 1 2>

Disable RIP
(config)#no router rip

RIP2

Enable RIPv2
R(config)#router rip
R(config-router)#version 2
R(config-router)#network 172.16.1.16

Authenticate routing updates
Router1(config)#key chain ORA
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string oreilly
Router1(config-keychain-key)#exit
Router1(config)#interface FastEthernet0/0 (interface that sends RIP updates)
Router1(config-if)#ip rip authentication key-chain ORA
Router1(config-if)#ip rip authentication mode text (or md5)
Router1(config-if)#exit
Router1(config)#end

Manual summarization
R3(config)#interface serial0/0/0
R3(config-if)#ip summary-address rip 192.168.0.0 255.255.252.0

Change a routing protocol's AD value
R(config-router)#distance 200 (internal) 100 (external)

Change a static route's AD value
R(config)#ip route 192.168.0.0 255.255.255.0 s0/0 200

EIGRP

Enable EIGRP
R1(config)#router eigrp 1


R1(config-router)#network 192.168.11.1 0.0.0.0 (only this interface participates in EIGRP)

Set the bandwidth
R3(config)#interface serial0/0/1
R3(config-if)#bandwidth 1024

Set the share of bandwidth EIGRP may use
Router1(config)#interface Serial0.1
Router1(config-subif)#ip bandwidth-percent eigrp 55 40 (use at most 40%)

Change the hello interval
Router1(config)#interface Serial0.1
Router1(config-subif)#ip hello-interval eigrp 55 3
Router1(config-subif)#ip hold-time eigrp 55 9

Add loopback addresses
R3(config)#interface loopback1
R3(config-if)#ip address 192.168.2.1 255.255.255.0

Advertise this router's default route
Use redistribute static or ip default-network (EIGRP does not support default-information originate)

Disable automatic summarization
R1(config)#router eigrp 1
R1(config-router)#no auto-summary

Manual summarization
R3(config)#interface serial0/0/0
R3(config-if)#ip summary-address eigrp 1 192.168.0.0 255.255.252.0

Configure as a stub router
R1(config-router)#eigrp stub
router#show ip eigrp neighbor detail

Filter routing information arriving on Serial0/0
Router2(config)#access-list 34 deny 192.168.30.0
Router2(config)#access-list 34 permit any
Router2(config)#router eigrp 55
Router2(config-router)#distribute-list 34 in Serial0/0

Authenticate routing updates


Router1(config)#key chain ORA

Define the first key
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string rocket

Set the period during which the key is valid
Router1(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 1993 00:15:00 Nov 1 2006
Router1(config-keychain-key)#send-lifetime 00:00:00 Jan 1 1993 00:00:00 Nov 1 2006

Define the second key
Router1(config-keychain-key)#key 2
Router1(config-keychain-key)#key-string martian

Choose the interface that uses the key chain
Router1(config)#interface Serial0/1
Router1(config-if)#ip authentication mode eigrp 55 md5
Router1(config-if)#ip authentication key-chain eigrp 55 ORA

OSPF

Enable OSPF
(config)#router ospf 1
(config-router)#network 172.16.1.16 0.0.0.15 area 0

View OSPF
#show ip protocols
#show ip ospf neighbor
#show ip ospf database
#show ip ospf interface serial 0/0/0

Set the router ID with a loopback
(config)#interface loopback 0
(config-if)#ip add 10.1.1.1 255.255.255.255

Set the router ID directly
R1(config)#router ospf 1
R1(config-router)#router-id 10.4.4.4

Change the OSPF priority
Router(config-if)#ip ospf priority

DR and BDR election:
1. Compare each router's interface priority
2. Compare each router's router ID

Advertise this router's default route
(config-router)#default-information originate

Restart the OSPF process
R1#clear ip ospf process

Change the metric
(config)#interface serial 0/0
(config-if)#bandwidth 64
(config-if)#ip ospf cost 144


Plain-text authentication
RTA(config)#router ospf 1
RTA(config-router)#area 0 authentication
RTA(config-router)#exit
RTA(config)#int s0/1/0
RTA(config-if)#ip ospf authentication-key cisco (cisco: password)

MD5 authentication
RTA(config)#router ospf 1
RTA(config-router)#area 0 authentication message-digest
RTA(config-router)#exit
RTA(config)#int s0/1/0
RTA(config-if)#ip ospf message-digest-key 10 md5 cisco (10: key ID, cisco: password)

NAT Service

Enable the NAT service

Define which inside IP addresses may use the Internet
R2(config)#ip access-list standard R2NAT
R2(config-std-nacl)#permit 192.168.10.0 0.0.0.255
R2(config-std-nacl)#permit 192.168.20.0 0.0.0.255
R2(config-std-nacl)#permit 192.168.30.0 0.0.0.255

Define the range of usable public IP addresses
R2(config)#ip nat pool R2POOL 209.165.202.128 209.165.202.130 netmask 255.255.255.252

Configure static NAT
R2(config)#ip nat inside source static 192.168.20.254 209.165.202.131

Map the inside addresses to the public addresses
R2(config)#ip nat inside source list R2NAT pool R2POOL overload

Mark the inward-facing interface as inside
R2(config-if)#int s0/0/1
R2(config-if)#ip nat inside

Mark the outward-facing interface as outside
R2(config-if)#int s0/1/0
R2(config-if)#ip nat outside

View NAT status
R2#show ip nat statistics
R2#show ip nat translations

DHCP Service

Enable the DHCP service

Exclude addresses that must not be handed out
R1(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.9

Define the address range to hand out
R1(config)#ip dhcp pool R1LAN
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.1


R1(dhcp-config)#dns-server 192.168.20.254
R1(dhcp-config)#domain-name span.com

View current address assignments
R1#show ip dhcp binding
R1#show ip dhcp server statistics

WAN

ACL

Enable a numbered standard ACL
R1(config)#access-list 10 deny 192.168.10.0 0.0.0.255 (wildcard)
R1(config)#interface fa0/1
R1(config-if)#ip access-group 10 out (or in)

Enable a named standard ACL
R3(config)#ip access-list standard NO_ACCESS (name)
R3(config-std-nacl)#deny host 192.168.30.128
R3(config)#interface fa0/0
R3(config-if)#ip access-group NO_ACCESS in (or out)

Enable a numbered extended ACL
R1(config)#access-list 110 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
R1(config)#access-list 110 permit ip any any
R1(config)#interface fa0/0
R1(config-if)#ip access-group 110 in

Enable a named extended ACL
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#permit tcp any host 192.168.20.254 eq www
R2(config-ext-nacl)#permit tcp any any established (any established TCP connection)
R2(config-ext-nacl)#permit icmp any any echo-reply (any ping reply)
R2(config-if)#ip access-group FIREWALL in

Add a remark
R1(config)#access-list 110 remark permit ip any any
or
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#remark permit tcp any host 192.168.20.254 eq www

Support Established Traffic
R1(config)#access-list 101 permit tcp any any established
R1(config)#access-list 101 permit icmp any any echo-reply
R1(config)#access-list 101 permit icmp any any unreachable
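Both standard ACLs above contain only a deny entry, so every other source falls through to the implicit deny at the end of the list. The following added example (not part of the original page) models wildcard-mask matching and first-match evaluation for standard ACL entries; `parse_ace`, `evaluate` and the `permit any` correction are this example's own names and assumptions.

```python
import ipaddress

def parse_ace(text):
    """Parse 'permit|deny <addr> [wildcard]', '... host <addr>' or '... any'."""
    action, *rest = text.split()
    if rest == ["any"]:
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        addr, wildcard = rest[1], "0.0.0.0"
    else:
        # A standard ACL entry without a wildcard matches that single address.
        addr, wildcard = rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))

def evaluate(acl, source):
    """First matching entry wins; a source that matches nothing hits the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for entry in acl:
        action, addr, wildcard = parse_ace(entry)
        # Wildcard bits set to 1 are "don't care"; only the 0 bits must match.
        care = ~wildcard & 0xFFFFFFFF
        if src & care == addr & care:
            return action
    return "deny (implicit)"

# Standard ACL 10 exactly as listed on the page: a single deny entry.
ACL_10 = ["deny 192.168.10.0 0.0.0.255"]
# Assumed correction (not on the page): an explicit permit after the deny.
ACL_10_FIXED = ACL_10 + ["permit any"]

if __name__ == "__main__":
    for acl in (ACL_10, ACL_10_FIXED):
        for source in ("192.168.10.7", "192.168.20.5"):
            print(acl, source, "->", evaluate(acl, source))
```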

ACL Time-Range
R2(config)#time-range xxxx
R2(config-time-range)#periodic Monday Friday 8:00 to 17:00
R1(config)#access-list 110 permit ip any any time-range xxxx

Reflexive Access Lists (you MUST use named access lists)
interface Serial0/0/0
 description Internet connection
 ip access-group INBOUND in
 ip access-group OUTBOUND out


ip access-list extended OUTBOUND
 permit tcp host 122.22.22.1 any reflect PROXYTCP
 permit udp host 122.22.22.1 any eq domain reflect PROXYUDP
ip access-list extended INBOUND
 evaluate PROXYTCP
 evaluate PROXYUDP
!

View ACL contents
#show access-lists

HDLC

Enable HDLC Encapsulation
(config)#interface serial 0/0
(config-if)#encapsulation hdlc

PPP

Enable PPP Encapsulation
(config)#interface serial 0/0
(config-if)#encapsulation ppp
(config-if)#compress (enables software compression; this affects performance)
(config-if)#ppp quality 80 (LQM monitors link quality and closes the link when it falls below 80%)
(config-if)#ppp multilink (enables transmission over multiple links)

Configure PAP (R1 and R2; configure R2 the same way)
R1(config)#username R2 password cisco123
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password cisco123

Configure CHAP (R3 and R2; configure R2 the same way)
R3(config)#username R2 password cisco123
R3(config)#interface s0/0/1
R3(config-if)#encapsulation ppp
R3(config-if)#ppp authentication chap

Frame-relay

Enable Frame Relay Encapsulation (R1-R2)
R1(config)#interface serial0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ip 10.10.10.2 (R2) 102 (DLCI) broadcast
R1(config-if)#frame-relay lmi-type ansi

View the Frame Relay IP mapping
#show frame-relay map
#show frame-relay lmi
#show frame-relay pvc

The other Frame Relay encapsulation: IETF
