VTY, console and enable passwords
VTY password
Router(config)#line vty 0 4
Router(config-line)#password password
Router(config-line)#history size 35   (history buffer)
Router(config-line)#exec-timeout 0 60   (disconnect after 60 idle seconds; the arguments are minutes then seconds)
Router(config-line)#login
Use an ACL to control VTY connections
Router(config)#access-list 11 permit host 192.168.1.1
Router(config)#line vty 0 4
Router(config-line)#access-class 11 in
Console password
Switch(config)#line console 0
Switch(config-line)#password password
Switch(config-line)#login
Enable password
Router(config)#enable password password
Router(config)#enable secret password   (stored as a hash, so show run does not reveal the clear text)
Router(config)#service password-encryption   (weak Cisco Type 7 encoding)
Create an account (builds the local authentication database)
Router(config)#username cm password ming
Router(config)#line console 0
Router(config-line)#login local
Connect with SSH
Router(config)#username cm password ming
Router(config)#ip domain-name cisco.com
Router(config)#crypto key generate rsa
Router(config)#ip ssh version 2
Router(config)#line vty 0 15
Router(config-line)#login local
Router(config-line)#transport input telnet ssh   (only telnet and SSH may connect to the vty lines)
Show a message at login
Router(config)#banner motd # TEXT #
Router(config)#banner login % TEXT %
Set the default route
Router(config)#ip route 0.0.0.0 0.0.0.0 <next-hop | exit-interface>
logging synchronous
To keep unsolicited output separate from your input, enter line configuration mode for the console port and add the logging synchronous command:
Router(config-line)#logging synchronous
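The device-access section above names several settings that are weak by default (enable password instead of enable secret, Type 7 strings, telnet on the vty lines, no login or exec-timeout). As an added example that is not part of the original cheat sheet, this script walks a constructed running-config excerpt and flags each of them; the config text and the finding strings are assumptions for the demo.

```python
import re

# Constructed sample running-config with the weaknesses the section above describes.
WEAK_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username cm password 7 104D000A0618
ip ssh version 1
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password cisco
 transport input telnet ssh
"""

def audit_config(text):
    """Return findings for a Cisco IOS running-config; an empty list means clean."""
    lines = text.splitlines()
    findings = []
    # 'enable secret' stores a hash; 'enable password' (even as Type 7) is reversible.
    if any(l.startswith("enable password") for l in lines) and \
            not any(l.startswith("enable secret") for l in lines):
        findings.append("enable password used without enable secret")
    for l in lines:
        if re.match(r"\s*(?:enable |username \S+ )?password 7 \S+", l):
            findings.append("type 7 (reversible) password: " + l.strip())
    if not any(l.startswith("ip ssh version 2") for l in lines):
        findings.append("ip ssh version 2 not set")
    # Walk each 'line ...' block; indented lines belong to the block above them.
    block = None
    for l in lines + ["end"]:
        if l.startswith(" ") and block is not None:
            block[1].append(l.strip())
            continue
        if block is not None:
            name, body = block
            if not any(b.startswith("login") for b in body):
                findings.append(name + ": no login configured")
            if not any(b.startswith("exec-timeout") for b in body):
                findings.append(name + ": no exec-timeout")
            if any(b.startswith("transport input") and "telnet" in b for b in body):
                findings.append(name + ": telnet allowed by transport input")
        block = (l, []) if l.startswith("line ") else None
    return findings

if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print(f)
```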
General
Upgrade the IOS
R2#show flash
Download the new OS:
R2#copy tftp flash
Specify the file to boot next time, then reload into the new OS:
R2(config)#boot system flash:/c1841-ipbasek9-mz.124-12.bin
R2#copy running-config startup-config
R2#reload
Back up a file to the TFTP server:
R2#copy flash tftp
IOS image recovery
Set the TFTP parameters in ROMMON:
rommon 7 > IP_ADDRESS=192.168.1.2   (router IP)
rommon 8 > IP_SUBNET_MASK=255.255.255.0
rommon 9 > DEFAULT_GATEWAY=192.168.1.1
rommon 10 > TFTP_SERVER=192.168.1.1   (server IP)
rommon 11 > TFTP_FILE=c1841-ipbasek9-mz.124-12.bin   (image filename)
rommon 12 > tftpdnld   (download)
rommon 13 > reset   (reload)
Enable password recovery
Router password recovery:
Step 1: Force the router into ROMMON
Press Ctrl+Break on the terminal keyboard within 60 seconds of power-up.
Step 2: Bypass the startup configuration
rommon 1 > confreg 0x2142
rommon 2 > reset
Step 3: Load the configuration file from NVRAM
R1#copy startup-config running-config
Step 4: Reset the password
R1(config)#enable secret cisco
R1(config)#config-register 0x2102
R1#copy running-config startup-config
Switch password recovery:
Step 1: Force the switch into flash mode
Hold the Mode button on the switch front panel; the following prompt appears:
switch:
Then run flash_init:
switch: flash_init
Step 2: Rename config.text
switch: rename flash:config.text flash:config.text.old
Load the OS:
switch: boot
Step 3: Copy config.text.old back into the running configuration
Switch#copy flash:config.text.old system:running-config
Change the password, save to startup-config and reboot:
Switch#copy running-config startup-config
Switch#reload
Disable DNS name resolution
(config)#no ip domain-lookup
Erase the startup-config
#erase nvram:   or   #erase startup-config
Default settings for the terminal connection
Bits per second = 9600
Data bits = 8
Parity = None
Stop bits = 1
Flow control = None
VLAN
Create a VLAN
(config)#vlan 20
(config-vlan)#name student
(config)#interface fa0/18
(config-if)#switchport mode access
(config-if)#switchport access vlan 20
Enable a trunk
(config)#interface fa0/1
(config-if)#switchport mode trunk
Remove a port from its VLAN
(config)#interface fa0/18
(config-if)#no switchport access vlan
Delete a VLAN
(config)#no vlan 20
#delete flash:vlan.dat
Show VLANs
#show vlan brief
#show vlan summary
#show vlan id 20
#show interface vlan 20
#show interface trunk
#show interface fa0/1 switchport
Enable port security
S1-Central(config-if)#switchport mode access   (the port must be in access mode)
S1-Central(config-if)#switchport port-security
S1-Central(config-if)#switchport port-security mac-address 0000.0c9b.d2d8
S1-Central(config-if)#switchport port-security mac-address sticky
S1-Central(config-if)#switchport port-security violation shutdown
S1-Central#show port-security interface fa0/24
Switch
VTP
Enable VTP
(config)#vtp mode server
(config)#vtp domain cisco
(config)#vtp version <1 | 2>
(config)#vtp password xxxx
Reset the revision number (change the domain name, then change it back)
(config)#vtp domain test
(config)#vtp domain cisco
Show VTP
#show vtp status
Enable pruning
(config)#vtp pruning
STP
Change the switch priority (used to elect the root bridge)
(config)#spanning-tree vlan 1 priority xxxxx
(config)#spanning-tree vlan 1 root primary   (or secondary)
Change the port cost (used to pick the best path to the root, i.e. the root port)
(config)#interface fa0/1
(config-if)#spanning-tree cost 24
When the path costs are equal, the port priority is compared (the value must be a multiple of 16):
(config-if)#spanning-tree port-priority 128
Of the two designated-port candidates on the same segment, the switch BIDs are compared: the port on the switch with the lower BID becomes the designated port and the other becomes the non-designated port.
Change the spanning-tree mode
S1(config)#spanning-tree mode rapid-pvst
Show spanning tree
#show spanning-tree
#show spanning-tree summary
Enable PortFast
(config)#interface fa0/1
(config-if)#spanning-tree portfast
#show run   (check that PortFast is set)
Router-on-a-Stick (Inter-VLAN Routing)
On the switch, fa0/5 connects to the router's fa0/1; configure this port as a trunk:
S1(config)#interface fa0/5
S1(config-if)#switchport mode trunk
On the router, create subinterfaces on fa0/1, one for each VLAN:
R1(config)#interface fa0/1.10
R1(config-subif)#encapsulation dot1Q 10   (VLAN id)
R1(config-subif)#ip address 172.17.10.1 255.255.255.0
R1(config-subif)#interface fa0/1.30
R1(config-subif)#encapsulation dot1Q 30
R1(config-subif)#ip address 172.17.30.1 255.255.255.0
Router
RIP
Enable RIPv1
(config)#router rip
(config-router)#network 172.16.1.16
Advertise this router's default route
(config-router)#default-information originate
Show RIP
#show ip protocols
Debug
#debug ip rip
#undebug all
Stop sending updates out of fa0/0
(config)#router rip
(config-router)#passive-interface fa0/0
Remove a network
(config-router)#no network 192.168.4.0
Restrict the versions sent and received
Router1(config)#interface FastEthernet0/0   (the interface RIP sends on)
Router1(config-if)#ip rip send version <1 | 2 | 1 2>
Router1(config-if)#ip rip receive version <1 | 2 | 1 2>
Disable RIP
(config)#no router rip
RIPv2
Enable RIPv2
R(config)#router rip
R(config-router)#version 2
R(config-router)#network 172.16.1.16
Authenticated updates
Router1(config)#key chain ORA
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string oreilly
Router1(config-keychain-key)#exit
Router1(config)#interface FastEthernet0/0   (the interface RIP sends on)
Router1(config-if)#ip rip authentication key-chain ORA
Router1(config-if)#ip rip authentication mode text   (or md5)
Router1(config-if)#exit
Router1(config)#end
Manual summarization
R3(config)#interface serial0/0/0
R3(config-if)#ip summary-address rip 192.168.0.0 255.255.252.0
Change the administrative distance of the routing protocol (internal 200, external 100; EIGRP form)
R(config-router)#distance eigrp 200 100
Change the administrative distance of a static route
R(config)#ip route 192.168.0.0 255.255.255.0 s0/0 200
EIGRP
Enable EIGRP
R1(config)#router eigrp 1
R1(config-router)#network 192.168.11.1 0.0.0.0   (only this interface participates in EIGRP)
Set the bandwidth
R3(config)#interface serial0/0/1
R3(config-if)#bandwidth 1024
Set the share of the bandwidth EIGRP may use
Router1(config)#interface Serial0.1
Router1(config-subif)#ip bandwidth-percent eigrp 55 40   (at most 40%)
Change the hello interval
Router1(config)#interface Serial0.1
Router1(config-subif)#ip hello-interval eigrp 55 3
Router1(config-subif)#ip hold-time eigrp 55 9
Add loopback addresses
R3(config)#interface loopback1
R3(config-if)#ip address 192.168.2.1 255.255.255.0
Advertise this router's default route
Redistribute a static route or use ip default-network; EIGRP does not support default-information originate.
Disable auto-summarization
R1(config)#router eigrp 1
R1(config-router)#no auto-summary
Manual summarization
R3(config)#interface serial0/0/0
R3(config-if)#ip summary-address eigrp 1 192.168.0.0 255.255.252.0
Configure a stub router
R1(config-router)#eigrp stub
router#show ip eigrp neighbor detail
Filter routes learned on Serial0/0
Router2(config)#access-list 34 deny 192.168.30.0
Router2(config)#access-list 34 permit any
Router2(config)#router eigrp 55
Router2(config-router)#distribute-list 34 in Serial0/0
Authenticated updates
Router1(config)#key chain ORA
Define the first key:
Router1(config-keychain)#key 1
Router1(config-keychain-key)#key-string rocket
Define when the key is valid:
Router1(config-keychain-key)#accept-lifetime 00:00:00 Jan 1 1993 00:15:00 Nov 1 2006
Router1(config-keychain-key)#send-lifetime 00:00:00 Jan 1 1993 00:00:00 Nov 1 2006
Define the second key:
Router1(config-keychain-key)#key 2
Router1(config-keychain-key)#key-string martian
Apply the key chain on the interface:
Router1(config)#interface Serial0/1
Router1(config-if)#ip authentication mode eigrp 55 md5
Router1(config-if)#ip authentication key-chain eigrp 55 ORA
OSPF
Enable OSPF
(config)#router ospf 1
(config-router)#network 172.16.1.16 0.0.0.15 area 0
Show OSPF
#show ip protocols
#show ip ospf neighbor
#show ip ospf database
#show ip ospf interface serial 0/0/0
Set the router ID with a loopback
(config)#interface loopback 0
(config-if)#ip address 10.1.1.1 255.255.255.255
Set the router ID directly
R1(config)#router ospf 1
R1(config-router)#router-id 10.4.4.4
Change the OSPF priority
Router(config-if)#ip ospf priority <0-255>
DR and BDR election:
1. Compare the interface priority of each router (highest wins).
2. If tied, compare the router IDs (highest wins).
Advertise this router's default route
(config-router)#default-information originate
Restart OSPF
R1#clear ip ospf process
Change the metric
(config)#interface serial 0/0
(config-if)#bandwidth 64
(config-if)#ip ospf cost 144
Plain-text authentication
RTA(config)#router ospf 1
RTA(config-router)#area 0 authentication
RTA(config-router)#exit
RTA(config)#interface s0/1/0
RTA(config-if)#ip ospf authentication-key cisco   (cisco: password)
MD5 authentication
RTA(config)#router ospf 1
RTA(config-router)#area 0 authentication message-digest
RTA(config-router)#exit
RTA(config)#interface s0/1/0
RTA(config-if)#ip ospf message-digest-key 10 md5 cisco   (10: key-id, cisco: password)
NAT service
Enable NAT
Define which inside addresses may use the Internet:
R2(config)#ip access-list standard R2NAT
R2(config-std-nacl)#permit 192.168.10.0 0.0.0.255
R2(config-std-nacl)#permit 192.168.20.0 0.0.0.255
R2(config-std-nacl)#permit 192.168.30.0 0.0.0.255
Define the pool of public addresses:
R2(config)#ip nat pool R2POOL 209.165.202.128 209.165.202.130 netmask 255.255.255.252
Configure static NAT:
R2(config)#ip nat inside source static 192.168.20.254 209.165.202.131
Map the inside addresses to the public pool:
R2(config)#ip nat inside source list R2NAT pool R2POOL overload
Mark the inside interface:
R2(config)#interface s0/0/1
R2(config-if)#ip nat inside
Mark the outside interface:
R2(config)#interface s0/1/0
R2(config-if)#ip nat outside
Show NAT status
R2#show ip nat statistics
R2#show ip nat translations
DHCP service
Enable DHCP
Exclude addresses that must not be handed out:
R1(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.9
Define the address range to hand out:
R1(config)#ip dhcp pool R1LAN
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.1
R1(dhcp-config)#dns-server 192.168.20.254
R1(dhcp-config)#domain-name span.com
Show the current address assignments
R1#show ip dhcp binding
R1#show ip dhcp server statistics
WAN
ACL
Numbered standard ACL
R1(config)#access-list 10 deny 192.168.10.0 0.0.0.255   (wildcard mask)
R1(config)#interface fa0/1
R1(config-if)#ip access-group 10 out   (or in)
Named standard ACL
R3(config)#ip access-list standard NO_ACCESS   (name)
R3(config-std-nacl)#deny host 192.168.30.128
R3(config)#interface fa0/0
R3(config-if)#ip access-group NO_ACCESS in   (or out)
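Standard ACLs match on source address with a wildcard mask (1 bits are "don't care"), take the first matching entry, and end in an implicit deny. The following added example, which is not part of the original cheat sheet, evaluates a constructed ACL in the numbered and named syntax shown above against sample source addresses; the ACL contents and addresses are assumptions.

```python
def ip_to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def wildcard_match(addr, base, wildcard):
    # A wildcard bit of 1 means "don't care"; a 0 bit must match the base address.
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

def parse_ace(line):
    """Parse one standard ACE ('access-list N permit|deny ...' or the named form) into (action, base, wildcard)."""
    parts = line.split()
    if parts[0] == "access-list":
        parts = parts[2:]            # drop 'access-list' and the list number
    action, rest = parts[0], parts[1:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    base = rest[0]
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # no mask means a host match
    return action, base, wildcard

def evaluate(acl_lines, addr):
    """First matching ACE wins; with no match the ACL ends in the implicit deny."""
    for line in acl_lines:
        action, base, wildcard = parse_ace(line)
        if wildcard_match(addr, base, wildcard):
            return action, line
    return "deny", "<implicit deny any>"

# Constructed ACL mirroring the standard-ACL commands above.
ACL_10 = [
    "access-list 10 deny 192.168.10.0 0.0.0.255",
    "access-list 10 permit host 192.168.30.128",
    "access-list 10 permit 172.16.0.0 0.0.255.255",
]

if __name__ == "__main__":
    for src in ("192.168.10.77", "192.168.30.128", "172.16.5.9", "10.0.0.1"):
        print(src, evaluate(ACL_10, src))
```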
Numbered extended ACL
R1(config)#access-list 110 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
R1(config)#access-list 110 permit ip any any
R1(config)#interface fa0/0
R1(config-if)#ip access-group 110 in
Named extended ACL
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#permit tcp any host 192.168.20.254 eq www
R2(config-ext-nacl)#permit tcp any any established   (any established TCP connection)
R2(config-ext-nacl)#permit icmp any any echo-reply   (any ping reply)
R2(config-if)#ip access-group FIREWALL in
Add a remark
R1(config)#access-list 110 remark permit ip any any
or
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#remark permit tcp any host 192.168.20.254 eq www
Allow established traffic
R1(config)#access-list 101 permit tcp any any established
R1(config)#access-list 101 permit icmp any any echo-reply
R1(config)#access-list 101 permit icmp any any unreachable
ACL time range
R2(config)#time-range xxxx
R2(config-time-range)#periodic Monday Friday 8:00 to 17:00
R1(config)#access-list 110 permit ip any any time-range xxxx
Reflexive access lists (you MUST use named access lists)
interface Serial0/0/0
 description Internet connection
 ip access-group INBOUND in
 ip access-group OUTBOUND out
ip access-list extended OUTBOUND
 permit tcp host 122.22.22.1 any reflect PROXYTCP
 permit udp host 122.22.22.1 any eq domain reflect PROXYUDP
ip access-list extended INBOUND
 evaluate PROXYTCP
 evaluate PROXYUDP
Show ACL contents
#show access-lists
HDLC
Enable HDLC encapsulation
(config)#interface serial 0/0
(config-if)#encapsulation hdlc
PPP
Enable PPP encapsulation
(config)#interface serial 0/0
(config-if)#encapsulation ppp
(config-if)#compress <predictor | stac>   (software compression; affects performance)
(config-if)#ppp quality 80   (LQM monitors link quality and drops the link below 80%)
(config-if)#ppp multilink   (bundle several links into one)
Configure PAP (R1 and R2; configure R2 the same way)
R1(config)#username R2 password cisco123
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password cisco123
Configure CHAP (R3 and R2; configure R2 the same way)
R3(config)#username R2 password cisco123
R3(config)#interface s0/0/1
R3(config-if)#encapsulation ppp
R3(config-if)#ppp authentication chap
Frame Relay
Enable Frame Relay encapsulation (R1-R2)
R1(config)#interface serial0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay map ip 10.10.10.2 102 broadcast   (10.10.10.2: R2, 102: DLCI)
R1(config-if)#frame-relay lmi-type ansi
Show Frame Relay IP mappings
#show frame-relay map
#show frame-relay lmi
#show frame-relay pvc
Another Frame Relay encapsulation: IETF