Routing (Static, RIP, EIGRP, OSPF)
Configuring Static Routes
R1(config)# ip route 0.0.0.0 0.0.0.0 serial0/0 (default-route goes out serial 0/0)
R1(config)# ip route 0.0.0.0 0.0.0.0 50.77.4.13 (default-route goes to next-hop 50.77.4.13)
R1(config)# ip route 0.0.0.0 0.0.0.0 serial0/0 150 (default-route goes out serial 0/0. An
optional parameter is added to set the administrative distance to 150)
R1(config)# ip route 47.151.2.0 255.255.255.0 172.24.2.11 (to get to network
47.151.2.0/24, go to next-hop address of 172.24.2.11)
R1(config)# ip route 47.151.2.0 255.255.255.0 serial0/1 (to get to network 47.151.2.0/24, go out serial 0/1)
R1(config)# ip route 47.151.2.0 255.255.255.0 192.168.12.2 fastethernet0/0 (to get to
network 47.151.2.0/24, go to the next-hop 192.168.12.2 out Fastethernet0/0; on Ethernet both are needed)
Configuring RIP (IPv4)
R1(config)# no router rip (remove all RIP configurations and routing table entries)
R1(config)# router rip (enter rip configuration commands)
R1(config-router)# network 192.168.10.0 (define which directly connected network(s) to include in RIP update processes. No subnet mask – always classful)
R1(config-router)# passive-interface fastethernet0/0 (prevent RIP updates from broadcasting out this interface)
R1(config-router)# default-information originate (configure RIP to include default-routes in updates to other routers. This is disabled by default. Only on router with default-route)
R1(config-router)# redistribute static (configure RIP to include classful static routes in
updates to other routers. This is disabled by default. Only needed if there are static routes)
R1# debug ip rip (examine RIP updates in real-time)
Additional Commands to configure RIP Version 2
R1(config-router)# version 2 (configure RIP for RIPv2)
R1(config-router)# no auto-summary (turn off automatic classful summarization- suggested)
Configuring RIPng (for IPv6)
R1(config)# ipv6 route ::/0 S0/0/1 (default route goes out S0/0/1)
R1(config)# ipv6 router rip NAME (start the RIPng instance)
R1(config)# interface fa0/1
R1(config-if)# ipv6 rip NAME enable (include this interface and subnet in routing)
R1(config-if)# ipv6 rip NAME default-information originate (send default route)
Configuring IPv4 EIGRP
R1(config)# no router eigrp 100 (completely remove this instance of EIGRP in this router)
R1(config)# router eigrp 100 (100=Process ID within this network – Cisco calls this
R1(config-router)# eigrp router-id 5.5.5.5 (use this ID when identifying EIGRP neighbors)
R1(config-router)# no auto-summary (the default is to summarize to classful boundaries)
R1(config-router)# network 172.16.0.0 (no subnet or wildcard mask is needed if classful)
R1(config-router)# network 172.16.25.0 0.0.0.255 (wildcard mask – this is inverse of /24)
R1(config-router)# passive-interface default (no routing updates out any interface)
R1(config-router)# no passive-interface fastethernet 0/1 (allow certain interfaces)
R1(config-router)# passive-interface fastethernet 0/0 (no routing updates out Fa0/0)
R1(config-router)# redistribute static (one statement redistributes static routes – including
R1(config-router)# maximum-paths 2 (load balancing paths: default=4, no load balancing=1)
R1(config-router)# metric weights 0 k1 k2 k3 k4 k5 (used to modify the metric multipliers)
R1(config-if)# bandwidth 768 (indicate the serial line speed for the routing protocol – this
R1(config-if)# ip summary-address eigrp 100 172.16.24.0 255.255.252.0 (manually
summarized network statement configured on outbound interface)
R1(config-if)# ip bandwidth-percent eigrp 100 40 (in this example limit EIGRP AS=100
updates to a maximum of 40% of the link bandwidth)
R1(config-if)# ip hello-interval eigrp 100 30 (in this example, set hello intervals on this
interface to 30 seconds for EIGRP AS=100)
R1(config-if)# ip hold-time eigrp 100 90 (in this example, set the hold-time on this interface to 90 seconds for EIGRP AS=100)
R1(config)# key chain MYCHAIN (name the key chain – done in global config)
R1(config-keychain)# key 1 (must assign a number – same at both ends of link)
R1(config-keychain-key)# key-string securetraffic (‘securetraffic’ is the passphrase)
R1(config)# interface serial 0/1 (interface to the other EIGRP router)
R1(config-if)# ip authentication mode eigrp 10 md5 (turn on authentication)
R1(config-if)# ip authentication key-chain eigrp 10 MYCHAIN (use this key)
R1# show ip eigrp neighbors (see neighbor adjacencies)
R1# show ip eigrp topology (see the EIGRP topology table)
R1# debug eigrp fsm (see what DUAL does when a route is removed from the routing table)
Configuring IPv4 OSPF(v2)
R1(config)# interface loopback 10 (optionally create a virtual interface for OSPF router ID)
R1(config)# router ospf 1 (configure an OSPF routing process)
R1(config-router)# router-id 2.2.2.2 (optionally configure the OSPF Router ID – Suggested)
R1(config-router)# network 172.16.45.0 0.0.0.255 area 0 (include directly connected
networks that match this parameter)
R1(config-router)# default-information originate (propagate the quad-0 default route)
R1(config-router)# redistribute static (propagate classful static routes configured on this
R1(config-router)# redistribute static subnets (propagate classless static routes configured
on this router to other OSPF routers)
R1(config-router)# passive-interface default (no routing updates out any interface)
R1(config-router)# no passive-interface fastethernet 0/1 (allow certain interfaces)
R1(config-router)# passive-interface fastethernet 0/1 (do not send OSPF routing updates
R1(config-router)# area 7 range 172.16.8.0 255.255.248.0 (on ABR summarize addresses)
R1(config-router)# summary-address 172.16.8.0 255.255.248.0 (On ASBR – to summarize
non-OSPF routes imported into OSPF)
R1(config-router)# auto-cost reference-bandwidth ??? (optionally change the reference
bandwidth in terms of Mbits per second 1-4294967; must be the same on all routers)
R1(config-router)# area AREA-ID authentication message-digest (globally activate MD-5
authentication within an OSPF area)
R1(config-if)# ip ospf message-digest-key 1 md5 PASSWORD (on this interface, configure
the OSPF authentication key – will not activate authentication)
R1(config-if)# ip ospf authentication message-digest (activate OSPF authentication)
R1(config-if)# ip ospf cost 1562 (optionally configure an absolute OSPF cost for a link – this
example same as bandwidth 64)
R1(config-if)# ip ospf hello-interval seconds (change hello timer from default 10 seconds)
R1(config-if)# ip ospf dead-interval seconds (change dead timer from default 40 seconds)
R1(config-if)# ip ospf priority {0 – 255} (for OSPF DR/BDR election, default=1, ineligible=0)
R1# show ip ospf neighbor (display OSPF neighbor adjacencies – State should be ‘FULL’
R1# show ip protocols (includes the OSPF Router ID of this router)
R1# clear ip ospf process (re-calculate OSPF Router ID based on current parameters)
R1# show ip ospf (display OSPF process and router IDs, as well as area information)
R1# show ip ospf interface serial 0/0/0 (see DR/BDR information, hello and dead intervals)
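The EIGRP and OSPF authentication and passive-interface commands above can be checked offline against a saved configuration. The following is an added example, not part of the original reference: the configuration text is constructed, and the function names and finding messages are assumptions. It flags an EIGRP authentication statement whose AS number has no matching routing process, an undefined key chain, an OSPF MD5 key that was never activated, and a routing process without 'passive-interface default'.

```python
import re

# Constructed running-config excerpt (not from a real device), using this page's command forms.
SAMPLE = """\
key chain MYCHAIN
 key 1
  key-string securetraffic
!
interface Serial0/1
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 MYCHAIN
!
interface FastEthernet0/1
 ip ospf message-digest-key 1 md5 PASSWORD
!
router eigrp 100
 network 172.16.0.0
!
router ospf 1
 passive-interface default
 network 172.16.45.0 0.0.0.255 area 0
"""

def sections(config):
    """Group indented child lines under their top-level header line."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            current = line
            out[current] = []
        elif current is not None:
            out[current].append(line)
    return out

def audit(config):
    """Return findings about routing-protocol authentication and passive interfaces."""
    sec = sections(config)
    eigrp_as = {h.split()[2] for h in sec if h.startswith("router eigrp ")}
    chains = {h.split()[2] for h in sec if h.startswith("key chain ")}
    ospf_lines = [l for h, ls in sec.items() if h.startswith("router ospf ") for l in ls]
    area_auth = any(re.match(r"area \S+ authentication message-digest", l) for l in ospf_lines)
    findings = []
    for header, lines in sec.items():
        if header.startswith(("router eigrp ", "router ospf ")):
            if "passive-interface default" not in lines:
                findings.append(f"{header}: updates sent on every matching interface")
        if not header.startswith("interface "):
            continue
        for l in lines:
            m = re.match(r"ip authentication mode eigrp (\d+) md5", l)
            if m and m.group(1) not in eigrp_as:
                findings.append(f"{header}: auth is for EIGRP AS {m.group(1)}, which is not configured")
            m = re.match(r"ip authentication key-chain eigrp \d+ (\S+)", l)
            if m and m.group(1) not in chains:
                findings.append(f"{header}: key chain {m.group(1)} is not defined")
        has_key = any(l.startswith("ip ospf message-digest-key ") for l in lines)
        activated = "ip ospf authentication message-digest" in lines or area_auth
        if has_key and not activated:
            findings.append(f"{header}: OSPF MD5 key set, authentication not activated")
    return findings
```

Calling audit(SAMPLE) returns three findings; the same check returns an empty list once the AS numbers agree, OSPF authentication is activated on the interface, and 'passive-interface default' is set under the EIGRP process.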
Configure IPv6 OSPF(v3)
R1(config)# ipv6 unicast-routing (turn on ipv6 routing)
R1(config)# no ipv6 router ospf 55 (remove this instance of OSPF in this router)
R1(config)# ipv6 router ospf 100 (create the OSPF process in this router)
R1(config-rtr)# router-id 5.5.5.5 (must have router id)
R1(config-rtr)# default-information originate (redistribute default route to other routers)
R1(config-rtr)# redistribute static (redistribute classful static routes, including default)
R1(config-rtr)# redistribute static subnets (redistribute classless static routes)
R1(config-rtr)# passive-interface default (no routing updates out any interface)
R1(config-rtr)# no passive-interface gi 1/0 (allow updates out this interface)
R1(config-rtr)# passive-interface gi 1/1 (no routing updates out gi 1/1)
R1(config-rtr)# no shutdown (turn it on)
R1(config)# interface gi 1/1 (networks are assigned through the interface)
R1(config-if)# ipv6 enable (allow IPv6 on this interface)
R1(config-if)# ipv6 ospf 100 area 0 (associate this interface with IPv6 OSPF 100, area 0)
Configure IPv6 EIGRP
R1(config)# ipv6 unicast-routing (turn on ipv6 routing)
R1(config)# no ipv6 router eigrp 100 (remove this instance of EIGRP in this router)
R1(config)# ipv6 router eigrp 100 (create the EIGRP process)
R1(config-rtr)# eigrp router-id 5.5.5.5 (must have a router id)
R1(config-rtr)# redistribute static (redistribute static and default routes to other routers)
R1(config-rtr)# passive-interface default (no routing updates out any interface)
R1(config-rtr)# no passive-interface gi 1/0 (allow updates out this interface)
R1(config-rtr)# passive-interface gi 1/1 (no routing updates out gi 1/1)
R1(config-rtr)# no shutdown (must turn on EIGRP in this router)
R1(config)# interface gi 1/1 (networks are assigned through the interface)
R1(config-if)# ipv6 enable (allow IPv6 on this interface)
R1(config-if)# ipv6 eigrp 100 (associate this interface with IPv6 EIGRP process 100)
R1(config-if)# ipv6 summary-address eigrp 100 2001:123A:AAA0::/60 (EIGRP summary
R1(config-if)# ipv6 bandwidth-percent eigrp 100 40 (in this example limit EIGRP AS=100
updates to a maximum of 40% of the link bandwidth)
R1(config)# key chain MYCHAIN (name the key chain – done in global config)
R1(config-keychain)# key 1 (must assign a number – same at both ends of link)
R1(config-keychain-key)# key-string securetraffic (‘securetraffic’ is the passphrase)
R1(config)# interface serial 0/1 (interface to the other EIGRP router)
R1(config-if)# ipv6 authentication mode eigrp 10 md5 (turn on authentication)
R1(config-if)# ipv6 authentication key-chain eigrp 10 MYCHAIN (use this key)
PPP and Frame-Relay
Configuring PPP with Authentication
R1(config)# username R-2 password PASSWORD (configure for PAP / CHAP)
If PAP, the username and password must match the sent-username and password
from the other router. If CHAP, the username must be the hostname of the other router and the passwords
must be the same in each router's username configuration.
R1(config)# interface serial 0/0/0 (select the interface for ppp configuration)
R1(config-if)# encapsulation ppp (set interface to PPP)
R1(config-if)# compress [predictor / stac] (optional-configure data compression)
R1(config-if)# ppp quality [percentage] (optional-set a threshold of throughput before the
R1(config-if)# ppp authentication pap (optional-configure for PAP authentication)
R1(config-if)# ppp pap sent-username R-1 password PASSWORD (if PAP is used, this
must be configured)
R1(config-if)# ppp authentication chap (optional-configure for CHAP authentication)
R1(config-if)# ppp multilink (optional-combine multiple PPP links for more bandwidth)
R1(config-if)# encapsulation hdlc (reset the interface to the default value of HDLC)
-There are two basic types of Frame-Relay configuration: Point-to-Point and Multi-Point.
-A Point-to-Point link involves a single IP subnet and one DLCI. It may be configured directly on the physical interface or may be done as a sub-interface.
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 192.168.5.1 255.255.255.252 (typically /30)
R1(config-if)# encapsulation frame-relay [ietf, cisco] (PVC=IETF is optional, cisco=default)
R1(config-if)# frame-relay lmi-type [ansi, q933a, cisco] (optional, cisco=default)
R1(config-if)# frame-relay map ip 192.168.5.1 752 (to allow local ping- 192.168.5.1 is the
local interface IP, DLCI=752 is a valid DLCI for this interface)
R1(config-if)# frame-relay map ip 192.168.5.2 752 broadcast [ietf, cisco] (192.168.5.2 is
next hop, DLCI=752, broadcast is optional, PVC=IETF is optional – cisco is default)
R1(config)# interface serial 0/0/0
R1(config-if)# no ip address (no IP address on the main interface)
R1(config-if)# encapsulation frame-relay [ietf, cisco] (PVC=IETF is optional, cisco=default)
R1(config-if)# frame-relay lmi-type [ansi, q933a, cisco] (optional, cisco=default)
R1(config-if)# interface serial 0/0/0.752 point-to-point (sub-int # is customarily DLCI #)
R1(config-subif)# ip address 192.168.5.1 255.255.255.252 (typically /30)
R1(config-subif)# frame-relay interface-dlci 752 (DLCI=752, next hop and broadcast are
dynamically assigned)
-Multi-point configurations are when there is one IP subnet with multiple connections (DLCIs).
It may be configured directly on the physical interface or may be done as a sub-interface.
**Multi-Point no sub-interface; Sample Configuration 3:
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 192.168.5.1 255.255.255.248 (not /30)
R1(config-if)# encapsulation frame-relay
R1(config-if)# frame-relay lmi-type [ansi, q933a, cisco] (optional, cisco=default)
R1(config-if)# frame-relay map ip 192.168.5.1 752 (to allow local ping- 192.168.5.1 is the
local interface IP, DLCI=752 is a valid DLCI for this interface)
R1(config-if)# frame-relay map ip 192.168.5.2 752 broadcast [ietf, cisco] (192.168.5.2 is
next hop, DLCI=752, broadcast is optional, PVC=IETF is optional – cisco is default)
R1(config-if)# frame-relay map ip 192.168.5.3 339 broadcast [ietf, cisco] (192.168.5.3 is
next hop, DLCI=339, broadcast is optional, PVC=IETF is optional – cisco is default)
**Multi-Point with sub-interface; Sample Configuration 4:
R1(config)# interface serial 0/0/0
R1(config-if)# no ip address (no IP address on the main interface)
R1(config-if)# encapsulation frame-relay (not configured on sub-interface)
R1(config-if)# frame-relay lmi-type [ansi, q933a, cisco] (optional, cisco=default)
R1(config-if)# interface serial 0/0/0.752 multipoint (sub-interface # is customarily DLCI #)
R1(config-subif)# ip address 192.168.5.1 255.255.255.248 (not /30)
R1(config-subif)# frame-relay map ip 192.168.5.1 752 (to allow local ping- 192.168.5.1 is
the local interface IP, DLCI=752 is a valid DLCI for this interface)
R1(config-subif)# frame-relay map ip 192.168.5.2 752 broadcast [ietf, cisco] (192.168.5.2
is next hop, DLCI=752, broadcast is optional, PVC=IETF is optional – cisco is default)
R1(config-subif)# frame-relay map ip 192.168.5.3 339 broadcast [ietf, cisco] (192.168.5.3
is next hop, DLCI=339, broadcast is optional, PVC=IETF is optional – cisco is default)
R1# show frame-relay map (display mapping of IPs and DLCIs)
Static: Map entry was from a ‘frame-relay map’ statement.
Dynamic: Map entry was created through inverse-ARP.
R1# show frame-relay lmi (see status of local link to Frame-Relay cloud)
R1# show frame-relay pvc (see which links are actually up end-to-end)
Active: PVC is fully connected and functional.
Inactive: Connected to FR switch, but other side isn’t seen.
Delete: Not talking to the FR switch.
Access Control Lists (ACL)
Standard Access Lists
-Standard access lists only evaluate the source IP field. They can use the ‘host’ and ‘any’
keywords, or apply wildcard masks. They do not use port numbers.
**Named Standard Access List:
R-1(config)# ip access-list standard NAME (name the list)
R-1(config-std-nacl)# deny host 192.168.20.5 log (deny a specific host / log matches)
R-1(config-std-nacl)# permit 192.168.20.0 0.0.0.255 (permit subnet 192.168.20.0)
R-1(config-std-nacl)# deny any (deny all other IP addresses)
**Numbered IP Standard Access List:
R-1(config)# access-list 25 deny host 192.168.20.5 (deny specific host)
R-1(config)# access-list 25 permit 192.168.20.0 0.0.0.255 (permit entire subnet)
R-1(config)# access-list 25 deny any (deny all other IP addresses)
There can be additional optional commands (log, time-of-day, established, etc)
on the end of most statements. The protocol field must match the destination
port / protocol – if they are used (example: TCP=Telnet, ICMP=Ping, UDP=DNS).
**Named Extended Access List:
R-1(config)# ip access-list extended NAME (name the list)
Example: Deny an individual host to an entire subnet for Telnet and also log matches:
R-1(config-ext-nacl)# deny tcp host 192.168.20.10 172.16.0.0 0.0.255.255 eq 23 log
Example: Permit an entire subnet to go anywhere:
R-1(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
Example: Deny everything:
R-1(config-ext-nacl)# deny ip any any (this is applied by default if not configured)
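Access lists are evaluated top-down and the first matching entry decides, so both the wildcard mask and the order of entries matter. The following is an added example, not part of the original reference, that models that evaluation for the standard and extended entries listed above; the function names are assumptions, and only the 'host', 'any', wildcard, 'eq' and 'log' forms used on this page are parsed.

```python
import ipaddress

PORTS = {"telnet": 23}          # only the port name this page uses
ANY = (0, 0xFFFFFFFF)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(first), _ip(tokens.pop(0)))

def _covers(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF   # wildcard 0-bits must match, 1-bits are ignored
    return (_ip(addr) & care) == (base & care)

def parse_ace(line, extended=False):
    tokens = [t for t in line.split() if t != "log"]
    ace = {"action": tokens.pop(0), "proto": "ip", "dst": ANY, "port": None}
    if extended:
        ace["proto"] = tokens.pop(0)
    ace["src"] = _take_addr(tokens)
    if extended:
        ace["dst"] = _take_addr(tokens)
        if tokens[:1] == ["eq"]:
            ace["port"] = PORTS.get(tokens[1]) or int(tokens[1])
    return ace

def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return (action, line number) of the first matching entry.
    Line 0 means nothing matched and the implicit deny applied."""
    for number, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        if _covers(ace["src"], src) and _covers(ace["dst"], dst):
            return (ace["action"], number)
    return ("deny", 0)

# List 25 from the page, without its final 'deny any', to show the implicit deny.
ACL_25 = [parse_ace(l) for l in (
    "deny host 192.168.20.5",
    "permit 192.168.20.0 0.0.0.255",
)]
# The named extended examples from the page, in the order given.
EXTENDED = [parse_ace(l, extended=True) for l in (
    "deny tcp host 192.168.20.10 172.16.0.0 0.0.255.255 eq 23 log",
    "permit ip 192.168.20.0 0.0.0.255 any",
    "deny ip any any",
)]
# Same entries with the permit moved first: the Telnet deny can never match.
REORDERED = [EXTENDED[1], EXTENDED[0], EXTENDED[2]]

if __name__ == "__main__":
    print(evaluate(ACL_25, "10.1.1.1"))
    print(evaluate(EXTENDED, "192.168.20.10", "172.16.5.5", "tcp", 23))
    print(evaluate(REORDERED, "192.168.20.10", "172.16.5.5", "tcp", 23))
```

Note that the Telnet deny covers port 23 only: the same host reaching 172.16.5.5 on port 22 falls through to the subnet permit on line 2.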
Applying Access Lists
R-1(config)# interface fastethernet 0/0
R-1(config-if)# ip access-group NAME in (evaluate packets coming in to the router)
R-1(config-if)# ip access-group NAME out (evaluate packets leaving the router)
R-1(config)# line vty 0 4
R-1(config-line)# access-class NAME in (evaluate packets for telnet or SSH)
Dynamic Access List (Stateful-Firewall)
R1(config)# ip access-list extended OUTBOUND-TRAFFIC
R1(config-ext-nacl)# permit tcp any any reflect TCP-TRAFFIC
R1(config-ext-nacl)# permit udp any any reflect UDP-TRAFFIC
R1(config-ext-nacl)# permit icmp any any reflect ICMP-TRAFFIC
R1(config-ext-nacl)# deny ip any any
R1(config)# ip access-list extended EVALUATE-INBOUND
R1(config-ext-nacl)# evaluate TCP-TRAFFIC
R1(config-ext-nacl)# evaluate UDP-TRAFFIC
R1(config-ext-nacl)# evaluate ICMP-TRAFFIC
R1(config)# interface serial 0/0/0
R1(config-if)# ip access-group OUTBOUND-TRAFFIC out
R1(config-if)# ip access-group EVALUATE-INBOUND in
Time-Based ACL
R-1(config)# time-range MON-WED-FRI
R-1(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00
R-1(config)# access-list 133 permit tcp 192.168.20.0 0.0.0.255 any eq telnet time-range MON-WED-FRI
R-1# show access-list (see access lists on this router and # of ‘matches’ per line)
R-1# show access-list NAME (see a specific access list and # of ‘matches’ per line)
DHCP and NAT
Configuring DHCP for IPv4
R-1(config)# ip dhcp excluded-address 172.16.2.1 172.16.2.7 (excluded IP range)
R-1(config)# ip dhcp pool LAN-2 (name this DHCP pool)
R-1(config-dhcp)# network 172.16.2.0 255.255.255.128 (entire network range)
R-1(config-dhcp)# default-router 172.16.2.1 (address on router port)
R-1(config-dhcp)# dns-server 140.198.8.14 (DNS server – can have up to 4)
R-1(config-dhcp)# domain-name MCC.COM (optional domain name)
R-1(config-dhcp)# lease 5 (optional – change to 5 day lease, 1 day is default)
R-3(config)# interface fastethernet 0/1 (interface for network with DHCP clients)
R-3(config-if)# ip helper-address 192.168.15.2 (address where DHCP server is)
R-1# show ip dhcp binding (see what IP addresses are assigned & MAC addresses)
DOS-PROMPT>ipconfig /release (remove dynamically assigned IP information on PC)
DOS-PROMPT>ipconfig /renew (get new IP address from DHCP server)
Configuring DHCP for IPv6 Stateless Address Auto-Configuration (SLAAC)
R1(config)# ipv6 unicast-routing (make sure IPv6 is activated)
R1(config)# ipv6 dhcp pool LAN-10-STATELESS (create pool for addresses and DNS)
R1(config-dhcpv6)# dns-server 2001:345:ACAD:F::5 (IPv6 DNS server address)
R1(config-dhcpv6)# domain-name cisco.com (optional domain name)
R1(config-if)# ipv6 address 2001:A1B5:C13:10::1/64 (configure IPv6 address)
R1(config-if)# ipv6 dhcp server LAN-10-STATELESS (look to this DHCP pool)
R1(config-if)# ipv6 nd other-config-flag (enable IPv6 Neighbor Discovery)
Configuring DHCP for IPv6 Stateful Address Auto-configuration
R1(config)# ipv6 unicast-routing (make sure IPv6 is activated)
R1(config)# ipv6 dhcp pool LAN-10-STATEFUL (create pool for addresses and DNS)
R1(config-dhcpv6)# address prefix 2001:D7B:CAFE:10::/64 lifetime infinite infinite
R1(config-dhcpv6)# dns-server 2001:345:ACAD:F::5 (IPv6 DNS server address)
R1(config-dhcpv6)# domain-name cisco.com (optional domain name)
R1(config-if)# ipv6 address 2001:D7B:CAFE:10::1/64 (configure IPv6 address)
R1(config-if)# ipv6 dhcp server LAN-10-STATEFUL (look to this DHCP pool)
R1(config-if)# ipv6 nd managed-config-flag (enable IPv6 Neighbor Discovery)
R-3(config)# interface fastethernet 0/1 (interface for network with DHCP clients)
R-3(config-if)# ipv6 dhcp relay destination 2001:A123:7CA1::15 (IPv6 DHCP server address)
R1# show ipv6 dhcp pool
R1# show ipv6 dhcp binding
Configure NAT for IPv4
-For both static and dynamic NAT, designate interfaces as inside or outside:
R-1(config)# interface fa0/0 (typically designate all interfaces except the outside one)
R-1(config-if)# ip nat inside (designate this as an inside interface)
R-1(config)# interface serial 0/0/0 (typically there is only one outside interface)
R-1(config-if)# ip nat outside (designate this as an outside interface)
-Static NAT requires only one statement. The IP addresses are inside / outside:
R-1(config)# ip nat inside source static 192.168.10.22 73.2.34.137
-Dynamic NAT may use a pool of ‘outside addresses’. If you do not use a pool, you will have to use the address on the outside interface. You can use ‘netmask’:
R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 netmask 255.255.255.248
-or- You may choose to use ‘prefix-length’:
R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 prefix-length 29
-Dynamic NAT requires an ACL to define which internal addresses can be NATted:
R-1(config)# ip access-list standard NAT-ELIGIBLE
R-1(config-std-nacl)# permit 192.168.10.0 0.0.0.255 (include all subnets)
-Dynamic NAT can use the pool for outside addresses:
R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME
-or- Dynamic NAT can use the pool with overload to share outside addresses:
R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME overload
-or- Dynamic NAT can use the exit interface – almost always will use overload:
R-1(config)# ip nat inside source list NAT-ELIGIBLE interface serial 0/0/0 overload
R-1# show ip nat translations (current translations- dynamic and static)
R-1# show ip nat statistics (see # of active translations, role of interfaces, etc)