Cisco Commands Part 2

Routing (Static, RIP, EIGRP, OSPF)

Configuring Static Routes
R1(config)# ip route 0.0.0.0 0.0.0.0 serial0/0 (default-route goes out serial 0/0)
R1(config)# ip route 0.0.0.0 0.0.0.0 50.77.4.13 (default-route goes to next-hop 50.77.4.13)
R1(config)# ip route 0.0.0.0 0.0.0.0 serial0/0 150 (default-route goes out serial 0/0. An
optional parameter is added to set the administrative distance to 150)
R1(config)# ip route 47.151.2.0 255.255.255.0 172.24.2.11 (to get to network
47.151.2.0/24, go to next-hop address of 172.24.2.11)
R1(config)# ip route 47.151.2.0 255.255.255.0 serial0/1 (to get to network 47.151.2.0/24, go out serial 0/1)
R1(config)# ip route 47.151.2.0 255.255.255.0 192.168.12.2 fastethernet0/0 (to get to
network 47.151.2.0/24, go to the next-hop 192.168.12.2 out Fastethernet0/0; on Ethernet both are needed)

Configuring RIP (IPv4)
R1(config)# no router rip (remove all RIP configurations and routing table entries)
R1(config)# router rip (enter rip configuration commands)
R1(config-router)# network 192.168.10.0 (define which directly connected network(s) to include in RIP update processes. No subnet mask – always classful)
R1(config-router)# passive-interface fastethernet0/0 (prevent RIP updates from broadcasting out this interface)
R1(config-router)# default-information originate (configure RIP to include default-routes in updates to other routers. This is disabled by default. Only on router with default-route)
R1(config-router)# redistribute static (configure RIP to include classful static routes in
updates to other routers. This is disabled by default. Only needed if there are static routes)
R1# debug ip rip (examine RIP updates in real-time)
Additional Commands to configure RIP Version 2
R1(config-router)# version 2 (configure RIP for RIPv2)
R1(config-router)# no auto-summary (turn off automatic classful summarization- suggested)

Configuring RIPng (for IPv6)
R1(config)# ipv6 route ::/0 S0/0/1 (default route goes out S0/0/1)
R1(config)# ipv6 router rip NAME (start the RIPng instance)
R1(config)# interface fa0/1
R1(config-if)# ipv6 rip NAME enable (include this interface and subnet in routing)
R1(config-if)# ipv6 rip NAME default-information originate (send default route)

Configuring IPv4 EIGRP
R1(config)# no router eigrp 100 (completely remove this instance of EIGRP in this router)
R1(config)# router eigrp 100 (100=Process ID within this network – Cisco calls this
R1(config-router)# eigrp router-id 5.5.5.5 (use this ID when identifying EIGRP neighbors)
R1(config-router)# no auto-summary (the default is to summarize to classful boundaries)
R1(config-router)# network 172.16.0.0 (no subnet or wildcard mask is needed if classful)
R1(config-router)# network 172.16.25.0 0.0.0.255 (wildcard mask – this is inverse of /24)
R1(config-router)# passive-interface default (no routing updates out any interface)
R1(config-router)# no passive-interface fastethernet 0/1 (allow certain interfaces)
R1(config-router)# passive-interface fastethernet 0/0 (no routing updates out Fa0/0)
R1(config-router)# redistribute static (one statement redistributes static routes – including
R1(config-router)# maximum-paths 2 (load balancing paths: default=4, no load balancing=1)
R1(config-router)# metric weights 0 k1 k2 k3 k4 k5 (used to modify the metric multipliers)
R1(config-if)# bandwidth 768 (indicate the serial line speed for the routing protocol – this
R1(config-if)# ip summary-address eigrp 100 172.16.24.0 255.255.252.0 (manually
summarized network statement configured on outbound interface)
R1(config-if)# ip bandwidth-percent eigrp 100 40 (in this example limit EIGRP AS=100
updates to a maximum of 40% of the link bandwidth)
R1(config-if)# ip hello-interval eigrp 100 30 (in this example, set hello intervals on this
interface to 30 seconds for EIGRP AS=100)
R1(config-if)# ip hold-time eigrp 100 90 (in this example, set the hold-time on this interface to 90 seconds for EIGRP AS=100)
R1(config)# key chain MYCHAIN (name the key chain – done in global config)
R1(config-keychain)# key 1 (must assign a number – same at both ends of link)
R1(config-keychain-key)# key-string securetraffic (‘securetraffic’ is the passphrase)
R1(config)# interface serial 0/1 (interface to the other EIGRP router)
R1(config-if)# ip authentication mode eigrp 100 md5 (turn on authentication)
R1(config-if)# ip authentication key-chain eigrp 100 MYCHAIN (use this key)
R1# show ip eigrp neighbors (see neighbor adjacencies)
R1# show ip eigrp topology (see the EIGRP topology table)
R1# debug eigrp fsm (see what DUAL does when a route is removed from the routing table)

Configuring IPv4 OSPF(v2)
R1(config)# interface loopback 10 (optionally create a virtual interface for OSPF router ID)
R1(config)# router ospf 1 (configure an OSPF routing process)
R1(config-router)# router-id 2.2.2.2 (optionally configure the OSPF Router ID – Suggested)
R1(config-router)# network 172.16.45.0 0.0.0.255 area 0 (include directly connected
networks that match this parameter)
R1(config-router)# default-information originate (propagate the quad-0 default route)
R1(config-router)# redistribute static (propagate classful static routes configured on this
R1(config-router)# redistribute static subnets (propagate classless static routes configured
on this router to other OSPF routers)
R1(config-router)# passive-interface default (no routing updates out any interface)
R1(config-router)# no passive-interface fastethernet 0/1 (allow certain interfaces)
R1(config-router)# passive-interface fastethernet 0/1 (do not send OSPF routing updates
R1(config-router)# area 7 range 172.16.8.0 255.255.248.0 (on ABR summarize addresses)
R1(config-router)# summary-address 172.16.8.0 255.255.248.0 (On ASBR – to summarize
non-OSPF routes imported into OSPF)
R1(config-router)# auto-cost reference-bandwidth ??? (optionally change the reference
bandwidth in terms of Mbits per second 1-4294967; must be the same on all routers)
R1(config-router)# area AREA-ID authentication message-digest (globally activate MD5
authentication within an OSPF area)
R1(config-if)# ip ospf message-digest-key 1 md5 PASSWORD (on this interface, configure
the OSPF authentication key – will not activate authentication)
R1(config-if)# ip ospf authentication message-digest (activate OSPF authentication)
R1(config-if)# ip ospf cost 1562 (optionally configure an absolute OSPF cost for a link – this
example same as bandwidth 64)
R1(config-if)# ip ospf hello-interval seconds (change hello timer from default 10 seconds)
R1(config-if)# ip ospf dead-interval seconds (change dead timer from default 40 seconds)
R1(config-if)# ip ospf priority {0 – 255} (for OSPF DR/BDR election, default=1, ineligible=0)
R1# show ip ospf neighbor (display OSPF neighbor adjacencies – State should be ‘FULL’
R1# show ip protocols (includes the OSPF Router ID of this router)
R1# clear ip ospf process (re-calculate OSPF Router ID based on current parameters)
R1# show ip ospf (display OSPF process and router IDs, as well as area information)
R1# show ip ospf interface serial 0/0/0 (see DR/BDR information, hello and dead intervals)
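
The note above that a message-digest key alone "will not activate authentication" is easy to miss in a real configuration. The following Python audit is an added example, not part of the original page: it reads a constructed running-config excerpt and reports, per OSPF interface, whether MD5 authentication is active, configured with a key only, or absent. The interface names, addresses and the function name audit_ospf_auth are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed running-config excerpt (not from the page). Gi0/0 has a key but
# nothing activates it; Gi0/1 is activated per interface; Gi0/2 per area.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 172.16.45.1 255.255.255.0
 ip ospf message-digest-key 1 md5 PASSWORD
interface GigabitEthernet0/1
 ip address 172.16.46.1 255.255.255.0
 ip ospf message-digest-key 1 md5 PASSWORD
 ip ospf authentication message-digest
interface GigabitEthernet0/2
 ip address 10.7.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 PASSWORD
interface GigabitEthernet0/3
 ip address 172.16.47.1 255.255.255.0
router ospf 1
 network 172.16.44.0 0.0.3.255 area 0
 network 10.7.0.0 0.0.0.255 area 7
 area 7 authentication message-digest
"""

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def audit_ospf_auth(config):
    """Map each OSPF interface to 'active', 'key-only' or 'none'."""
    ifaces, networks, auth_areas, current = {}, [], set(), None
    for line in config.splitlines():
        if not line.startswith(" "):              # new top-level section
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                ifaces[current] = {"ip": None, "key": False, "auth": False}
            continue
        text = line.strip()
        if current:
            if m := re.match(r"ip address (\S+) \S+", text):
                ifaces[current]["ip"] = ip_int(m[1])
            elif text.startswith("ip ospf message-digest-key "):
                ifaces[current]["key"] = True
            elif text == "ip ospf authentication message-digest":
                ifaces[current]["auth"] = True
        elif m := re.match(r"network (\S+) (\S+) area (\S+)", text):
            networks.append((ip_int(m[1]), ip_int(m[2]), m[3]))
        elif m := re.match(r"area (\S+) authentication message-digest", text):
            auth_areas.add(m[1])
    report = {}
    for name, i in ifaces.items():
        # Assumption: the first network statement whose wildcard matches the
        # interface address decides the area.
        area = next((a for b, w, a in networks
                     if i["ip"] is not None and (i["ip"] | w) == (b | w)), None)
        if area is None:
            continue                              # interface is not in OSPF
        if i["auth"] or area in auth_areas:
            report[name] = "active"
        else:
            report[name] = "key-only" if i["key"] else "none"
    return report
```

A "key-only" result is the case the note describes: the key is present in the configuration but the interface still forms unauthenticated adjacencies.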

Configure IPv6 OSPF(v3)

R1(config)# ipv6 unicast-routing (turn on ipv6 routing)
R1(config)# no ipv6 router ospf 55 (remove this instance of OSPF in this router)
R1(config)# ipv6 router ospf 100 (create the OSPF process in this router)
R1(config-rtr)# router-id 5.5.5.5 (must have router id)
R1(config-rtr)# default-information originate (redistribute default route to other routers)
R1(config-rtr)# redistribute static (redistribute classful static routes, including default)
R1(config-rtr)# redistribute static subnets (redistribute classless static routes)
R1(config-rtr)# passive-interface default (no routing updates out any interface)
R1(config-rtr)# no passive-interface gi 1/0 (allow updates out this interface)
R1(config-rtr)# passive-interface gi 1/1 (no routing updates out gi 1/1)
R1(config-rtr)# no shutdown (turn it on)
R1(config)# interface gi 1/1 (networks are assigned through the interface)
R1(config-if)# ipv6 enable (allow IPv6 on this interface)
R1(config-if)# ipv6 ospf 100 area 0 (associate this interface with IPv6 OSPF 100, area 0)

Configure IPv6 EIGRP
R1(config)# ipv6 unicast-routing (turn on ipv6 routing)
R1(config)# no ipv6 router eigrp 100 (remove this instance of EIGRP in this router)
R1(config)# ipv6 router eigrp 100 (create the EIGRP process)
R1(config-rtr)# eigrp router-id 5.5.5.5 (must have a router id)
R1(config-rtr)# redistribute static (redistribute static and default routes to other routers)
R1(config-rtr)# passive-interface default (no routing updates out any interface)
R1(config-rtr)# no passive-interface gi 1/0 (allow updates out this interface)
R1(config-rtr)# passive-interface gi 1/1 (no routing updates out gi 1/1)
R1(config-rtr)# no shutdown (must turn on EIGRP in this router)
R1(config)# interface gi 1/1 (networks are assigned through the interface)
R1(config-if)# ipv6 enable (allow IPv6 on this interface)
R1(config-if)# ipv6 eigrp 100 (associate this interface with IPv6 EIGRP process 100)
R1(config-if)# ipv6 summary-address eigrp 100 2001:123A:AAA0::/60 (EIGRP summary
R1(config-if)# ipv6 bandwidth-percent eigrp 100 40 (in this example limit EIGRP AS=100
updates to a maximum of 40% of the link bandwidth)
R1(config)# key chain MYCHAIN (name the key chain – done in global config)
R1(config-keychain)# key 1 (must assign a number – same at both ends of link)
R1(config-keychain-key)# key-string securetraffic (‘securetraffic’ is the passphrase)
R1(config)# interface serial 0/1 (interface to the other EIGRP router)
R1(config-if)# ipv6 authentication mode eigrp 100 md5 (turn on authentication)
R1(config-if)# ipv6 authentication key-chain eigrp 100 MYCHAIN (use this key)

PPP and Frame-Relay

Configuring PPP with Authentication
R1(config)# username R-2 password PASSWORD (configure for PAP / CHAP)

If PAP, the username and password must match the sent-username and password
from other router.

If CHAP, the username must be the hostname of the other router and the passwords
must be the same in each router's username configuration.

R1(config)# interface serial 0/0/0 (select the interface for ppp configuration)
R1(config-if)# encapsulation ppp (set interface to PPP)
R1(config-if)# compress [predictor / stac] (optional-configure data compression)
R1(config-if)# ppp quality [percentage] (optional-set a threshold of throughput before the
R1(config-if)# ppp authentication pap (optional-configure for PAP authentication)
R1(config-if)# ppp pap sent-username R-1 password PASSWORD (if PAP is used, this
must be configured)

R1(config-if)# ppp authentication chap (optional-configure for CHAP authentication)
R1(config-if)# ppp multilink (optional-combine multiple PPP links for more bandwidth)
R1(config-if)# encapsulation hdlc (reset the interface to the default value of HDLC)

-There are two basic types of Frame-Relay configuration: Point-to-Point and Multi-Point.
-A Point-to-Point link involves a single IP subnet and one DLCI. It may be configured directly on the physical interface or may be done as a sub-interface.

**Point-to-Point no sub-interface; Sample Configuration 1:
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 192.168.5.1 255.255.255.252 (typically /30)
R1(config-if)# encapsulation frame-relay [ietf, cisco] (PVC=IETF is optional, cisco=default)
R1(config-if)# frame-relay lmi-type [ansi, q933a, cisco] (optional, cisco=default)
R1(config-if)# frame-relay map ip 192.168.5.1 752 (to allow local ping- 192.168.5.1 is the
local interface IP, DLCI=752 is a valid DLCI for this interface)
R1(config-if)# frame-relay map ip 192.168.5.2 752 broadcast [ietf, cisco] (192.168.5.2 is
next hop, DLCI=752, broadcast is optional, PVC=IETF is optional – cisco is default)

**Point-to-Point with sub-interface; Sample Configuration 2:
R1(config)# interface serial 0/0/0
R1(config-if)# no ip address (no IP address on the main interface)
R1(config-if)# encapsulation frame-relay [ietf, cisco] (PVC=IETF is optional, cisco=default)
R1(config-if)# frame-relay lmi-type [ansi, q933a, cisco] (optional, cisco=default)
R1(config-if)# interface serial 0/0/0.752 point-to-point (sub-int # is customarily DLCI #)
R1(config-subif)# ip address 192.168.5.1 255.255.255.252 (typically /30)
R1(config-subif)# frame-relay interface-dlci 752 (DLCI=752, next hop and broadcast are
dynamically assigned)

-Multi-point configurations are when there is one IP subnet with multiple connections (DLCIs).
It may be configured directly on the physical interface or may be done as a sub-interface.

**Multi-Point no sub-interface; Sample Configuration 3:
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 192.168.5.1 255.255.255.248 (not /30)
R1(config-if)# encapsulation frame-relay
R1(config-if)# frame-relay lmi-type [ansi, q933a, cisco] (optional, cisco=default)
R1(config-if)# frame-relay map ip 192.168.5.1 752 (to allow local ping- 192.168.5.1 is the
local interface IP, DLCI=752 is a valid DLCI for this interface)
R1(config-if)# frame-relay map ip 192.168.5.2 752 broadcast [ietf, cisco] (192.168.5.2 is
next hop, DLCI=752, broadcast is optional, PVC=IETF is optional – cisco is default)
R1(config-if)# frame-relay map ip 192.168.5.3 339 broadcast [ietf, cisco] (192.168.5.3 is
next hop, DLCI=339, broadcast is optional, PVC=IETF is optional – cisco is default)

**Multi-Point with sub-interface; Sample Configuration 4:

R1(config)# interface serial 0/0/0
R1(config-if)# no ip address (no IP address on the main interface)
R1(config-if)# encapsulation frame-relay (not configured on sub-interface)
R1(config-if)# frame-relay lmi-type [ansi, q933a, cisco] (optional, cisco=default)
R1(config-if)# interface serial 0/0/0.752 multipoint (sub-interface # is customarily DLCI #)
R1(config-subif)# ip address 192.168.5.1 255.255.255.248 (not /30)
R1(config-subif)# frame-relay map ip 192.168.5.1 752 (to allow local ping- 192.168.5.1 is
the local interface IP, DLCI=752 is a valid DLCI for this interface)
R1(config-subif)# frame-relay map ip 192.168.5.2 752 broadcast [ietf, cisco] (192.168.5.2
is next hop, DLCI=752, broadcast is optional, PVC=IETF is optional – cisco is default)
R1(config-subif)# frame-relay map ip 192.168.5.3 339 broadcast [ietf, cisco] (192.168.5.3
is next hop, DLCI=339, broadcast is optional, PVC=IETF is optional – cisco is default)
R1# show frame-relay map (display mapping of IPs and DLCIs)
Static: Map entry was from a ‘frame-relay map’ statement.
Dynamic: Map entry was created through inverse-ARP.
R1# show frame-relay lmi (see status of local link to Frame-Relay cloud)
R1# show frame-relay pvc (see which links are actually up end-to-end)
Active: PVC is fully connected and functional.
Inactive: Connected to FR switch, but other side isn’t seen.
Delete: Not talking to the FR switch.

Access Control Lists (ACL)

Standard Access Lists
-Standard access lists only evaluate the source IP field. They can use the ‘host’ and ‘any’
keywords, or apply wildcard masks. They do not use port numbers.

**Named Standard Access List:
R-1(config)# ip access-list standard NAME (name the list)
R-1(config-std-nacl)# deny host 192.168.20.5 log (deny a specific host / log matches)
R-1(config-std-nacl)# permit 192.168.20.0 0.0.0.255 (permit subnet 192.168.20.0)
R-1(config-std-nacl)# deny any (deny all other IP addresses)

**Numbered IP Standard Access List:
R-1(config)# access-list 25 deny host 192.168.20.5 (deny specific host)
R-1(config)# access-list 25 permit 192.168.20.0 0.0.0.255 (permit entire subnet)
R-1(config)# access-list 25 deny any (deny all other IP addresses)
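
How the standard lists above are evaluated, as an added Python example that is not part of the original page: entries are tested top-down against the source address, the first match decides, and anything unmatched hits the implicit deny. The function names and the reordered list are constructed for illustration; the reordered list shows how a broad permit placed first leaves the host deny unreachable.

```python
import ipaddress

# The numbered standard ACL from the page, and the same entries reordered
# (constructed) so the broad permit comes first.
ACL_25 = """\
access-list 25 deny host 192.168.20.5
access-list 25 permit 192.168.20.0 0.0.0.255
access-list 25 deny any
"""
ACL_REORDERED = """\
access-list 25 permit 192.168.20.0 0.0.0.255
access-list 25 deny host 192.168.20.5
access-list 25 deny any
"""

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(config):
    """Return [(action, base, wildcard)] in configured order."""
    entries = []
    for line in config.splitlines():
        tok = [t for t in line.split() if t != "log"]
        if tok[:1] == ["access-list"]:
            tok = tok[2:]                    # drop 'access-list <number>'
        if not tok or tok[0] not in ("permit", "deny"):
            continue                         # header or blank line
        action, src = tok[0], tok[1:]
        if src[0] == "any":
            base, wild = 0, 0xFFFFFFFF       # every bit is "don't care"
        elif src[0] == "host":
            base, wild = ip_int(src[1]), 0   # every bit must match
        else:
            base = ip_int(src[0])
            wild = ip_int(src[1]) if len(src) > 1 else 0
        entries.append((action, base, wild))
    return entries

def evaluate(entries, source_ip):
    """First matching entry decides; no match means the implicit deny."""
    addr = ip_int(source_ip)
    for number, (action, base, wild) in enumerate(entries, 1):
        # Bits set in the wildcard mask are ignored; the rest must be equal.
        if (addr | wild) == (base | wild):
            return action, number
    return "deny", None

def shadowed(entries):
    """Return (entry, covering_entry) pairs for entries that can never match."""
    pairs = []
    for i, (_, base, wild) in enumerate(entries):
        for j, (_, pbase, pwild) in enumerate(entries[:i]):
            # An earlier entry covers a later one when it ignores at least
            # the same bits and agrees on every bit it still checks.
            if (pwild | wild) == pwild and (base | pwild) == (pbase | pwild):
                pairs.append((i + 1, j + 1))
                break
    return pairs
```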

There can be additional optional commands (log, time-of-day, established, etc)
on the end of most statements. The protocol field must match the destination
port / protocol – if they are used (example: TCP=Telnet, ICMP=Ping, UDP=DNS).
**Named Extended Access List:
R-1(config)# ip access-list extended NAME (name the list)
Example: Deny an individual host to an entire subnet for Telnet and also log matches:
R-1(config-ext-nacl)# deny tcp host 192.168.20.10 172.16.0.0 0.0.255.255 eq 23 log
Example: Permit an entire subnet to go anywhere:
R-1(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 any
Example: Deny everything:
R-1(config-ext-nacl)# deny ip any any (this is applied by default if not configured)

Applying Access Lists
R-1(config)# interface fastethernet 0/0
R-1(config-if)# ip access-group NAME in (evaluate packets coming in to the router)
R-1(config-if)# ip access-group NAME out (evaluate packets leaving the router)
R-1(config)# line vty 0 4
R-1(config-line)# access-class NAME in (evaluate packets for telnet or SSH)

Dynamic Access List (Stateful-Firewall)
R1(config)# ip access-list extended OUTBOUND-TRAFFIC
R1(config-ext-nacl)# permit tcp any any reflect TCP-TRAFFIC
R1(config-ext-nacl)# permit udp any any reflect UDP-TRAFFIC
R1(config-ext-nacl)# permit icmp any any reflect ICMP-TRAFFIC
R1(config-ext-nacl)# deny ip any any
R1(config)# ip access-list extended EVALUATE-INBOUND
R1(config-ext-nacl)# evaluate TCP-TRAFFIC
R1(config-ext-nacl)# evaluate UDP-TRAFFIC
R1(config-ext-nacl)# evaluate ICMP-TRAFFIC
R1(config)# interface serial 0/0/0
R1(config-if)# ip access-group OUTBOUND-TRAFFIC out
R1(config-if)# ip access-group EVALUATE-INBOUND in

Time-Based ACL
R-1(config)# time-range MON-WED-FRI
R-1(config-time-range)# periodic Monday Wednesday Friday 8:00 to 17:00
R-1(config)# access-list 133 permit tcp 192.168.20.0 0.0.0.255 any eq telnet time-range MON-WED-FRI

R-1# show access-list (see access lists on this router and # of ‘matches’ per line)
R-1# show access-list NAME (see a specific access list and # of ‘matches’ per line)

DHCP and NAT
Configuring DHCP for IPv4
R-1(config)# ip dhcp excluded-address 172.16.2.1 172.16.2.7 (excluded IP range)
R-1(config)# ip dhcp pool LAN-2 (name this DHCP pool)
R-1(config-dhcp)# network 172.16.2.0 255.255.255.128 (entire network range)
R-1(config-dhcp)# default-router 172.16.2.1 (address on router port)
R-1(config-dhcp)# dns-server 140.198.8.14 (DNS server – can have up to 4)
R-1(config-dhcp)# domain-name MCC.COM (optional domain name)
R-1(config-dhcp)# lease 5 (optional – change to 5 day lease, 1 day is default)
R-3(config)# interface fastethernet 0/1 (interface for network with DHCP clients)
R-3(config-if)# ip helper-address 192.168.15.2 (address where DHCP server is)
R-1# show ip dhcp binding (see what IP addresses are assigned & MAC addresses)
DOS-PROMPT>ipconfig /release (remove dynamically assigned IP information on PC)
DOS-PROMPT>ipconfig /renew (get new IP address from DHCP server)

Configuring DHCP for IPv6 Stateless Address Auto-Configuration (SLAAC)
R1(config)# ipv6 unicast-routing (make sure IPv6 is activated)
R1(config)# ipv6 dhcp pool LAN-10-STATELESS (create pool for addresses and DNS)
R1(config-dhcpv6)# dns-server 2001:345:ACAD:F::5 (IPv6 DNS server address)
R1(config-dhcpv6)# domain-name cisco.com (optional domain name)
R1(config-if)# ipv6 address 2001:A1B5:C13:10::1/64 (configure IPv6 address)
R1(config-if)# ipv6 dhcp server LAN-10-STATELESS (look to this DHCP pool)
R1(config-if)# ipv6 nd other-config-flag (set the O flag in router advertisements: clients use SLAAC for the address and DHCPv6 for DNS and domain name)

Configuring DHCP for IPv6 Stateful Address Auto-configuration
R1(config)# ipv6 unicast-routing (make sure IPv6 is activated)
R1(config)# ipv6 dhcp pool LAN-10-STATEFUL (create pool for addresses and DNS)
R1(config-dhcpv6)# address prefix 2001:D7B:CAFE:10::/64 lifetime infinite infinite
R1(config-dhcpv6)# dns-server 2001:345:ACAD:F::5 (IPv6 DNS server address)
R1(config-dhcpv6)# domain-name cisco.com (optional domain name)
R1(config-if)# ipv6 address 2001:D7B:CAFE:10::1/64 (configure IPv6 address)
R1(config-if)# ipv6 dhcp server LAN-10-STATEFUL (look to this DHCP pool)
R1(config-if)# ipv6 nd managed-config-flag (set the M flag in router advertisements: clients obtain their address from DHCPv6)
R-3(config)# interface fastethernet 0/1 (interface for network with DHCP clients)
R-3(config-if)# ipv6 dhcp relay destination 2001:A123:7CA1::15 (IPv6 DHCP server address)
R1# show ipv6 dhcp pool
R1# show ipv6 dhcp binding

Configure NAT for IPv4
-For both static and dynamic NAT, designate interfaces as inside or outside:
R-1(config)# interface fa0/0 (typically designate all interfaces except the outside one)
R-1(config-if)# ip nat inside (designate this as an inside interface)
R-1(config)# interface serial 0/0/0 (typically there is only one outside interface)
R-1(config-if)# ip nat outside (designate this as an outside interface)
-Static NAT requires only one statement. The IP addresses are inside / outside:
R-1(config)# ip nat inside source static 192.168.10.22 73.2.34.137

-Dynamic NAT may use a pool of ‘outside addresses’. If you do not use a pool, you will have to use the address on the outside interface. You can use ‘netmask’:

R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 netmask 255.255.255.248
-or- You may choose to use ‘prefix-length’:

R-1(config)# ip nat pool POOL-NAME 73.2.34.138 73.2.34.143 prefix-length 29
-Dynamic NAT requires an ACL to define which internal addresses can be NATted:
R-1(config)# ip access-list standard NAT-ELIGIBLE
R-1(config-std-nacl)# permit 192.168.10.0 0.0.0.255 (include all subnets)
-Dynamic NAT can use the pool for outside addresses:

R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME
-or- Dynamic NAT can use the pool with overload to share outside addresses:

R-1(config)# ip nat inside source list NAT-ELIGIBLE pool POOL-NAME overload
-or- Dynamic NAT can use the exit interface – almost always will use overload:

R-1(config)# ip nat inside source list NAT-ELIGIBLE interface serial 0/0/0 overload
R-1# show ip nat translations (current translations- dynamic and static)
R-1# show ip nat statistics (see # of active translations, role of interfaces, etc)
