Cisco CLI Cheatsheet
Router commands
Basic configuration
Hostname
#Hostname
enable
configure terminal
hostname NAME
Passwords
#Terminal Password
#i.e. enable password
enable
configure terminal
enable secret cisco
"secret" erstellt ein verschlüsseltes Passwort. Man könnte "password" nutzen, allerdings ist dass Passwort dann in Klartext gespeichert.
#Line Password
#i.e. password for SSH/serial
enable
configure terminal
line console 0
# for SSH use "line vty 0 15", i.e. virtual terminal lines 0-15
password cisco #set password
login #require login
#Password encryption
enable
configure terminal
service password-encryption
Also encrypts all existing passwords.
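As an added example (not part of the cheatsheet), a small Python audit that flags the weak choices described above in a saved running-config: `enable password` instead of `enable secret`, cleartext line passwords, and type 7 strings (which `service password-encryption` produces and which are only obfuscated, not hashed). The config text and the hash value are constructed.

```python
import re

# Constructed sample running-config showing the weaknesses this section warns about.
SAMPLE_CONFIG = """\
hostname R1
enable password cisco
line con 0
 password cisco
 login
line vty 0 15
 password 7 0822455D0A16
 login
"""
# Constructed hardened counterpart (hash value is a placeholder, not a real secret).
HARDENED_CONFIG = """\
enable secret 9 $9$PLACEHOLDERHASH
line vty 0 15
 login local
"""
PASSWORD_RE = re.compile(r"^\s*(enable )?password(?: (\d+))? (\S+)$")
SECRET_RE = re.compile(r"^enable secret(?: \d+)? \S+$")

def classify(kind):  # map the IOS password type prefix to the weakness it implies
    if kind in (None, "0"):
        return "cleartext"
    if kind == "7":
        return "type 7 (reversible obfuscation, not a hash)"
    return None  # type 5/8/9 secrets are one-way hashes: nothing to flag

def audit_passwords(config):  # returns a list of "where: weakness" findings
    findings, section, has_secret = [], "global", False
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and not line.startswith(" "):  # new top-level stanza, e.g. "line vty 0 15"
            section = line
        if SECRET_RE.match(line):
            has_secret = True
            continue
        m = PASSWORD_RE.match(line)
        weakness = classify(m.group(2)) if m else None
        if weakness:
            where = "enable password" if m.group(1) else section
            findings.append(f"{where}: {weakness}")
    if not has_secret:
        findings.append("global: no 'enable secret' configured")
    # service password-encryption only turns cleartext into type 7, but its absence is still a gap
    if "service password-encryption" not in config and any(f.endswith("cleartext") for f in findings):
        findings.append("global: 'service password-encryption' not set")
    return findings
```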
Show and save config
#Show config in RAM (running-config)
enable
show running-config
#Save configuration
#RAM -> NVRAM
copy running-config startup-config
#alternativ
write memory #can be abbreviated to "wr"
Execute terminal command from any level
do [command]
Interfaces
enable
configure terminal
#select interface (or if-group)
interface GigabitEthernet0/0 #short "int gig0/0"
#interface range gig0/1-0/4
#set IP address and subnet mask (SNM)
ip address 192.168.1.254 255.255.255.0
#activate interface
no shutdown
Routing
#Add Route
enable
configure terminal
ip route 192.168.2.0 255.255.255.0 212.20.20.10
#ip route [Net] [SNM] [NextHop]
NextHop can be the IP address of the next hop or the outgoing interface (e.g. gig 1/0).
Loopback
(config)#ip route 0.0.0.0 0.0.0.0 loopback 0
(config)#ipv6 route ::/0 loopback 0
Information
| cmd | Output |
|---|---|
| show running-config | Current config |
| show startup-config | Startup/saved config |
| show ip route | Routing table |
| show ip interface brief | Brief summary of all interfaces |
| show ip interface gig 0/0 | Details of interface gig 0/0 |
| show flash | Content and Usage of Flash |
| show version | Version of OS and Bootloader |
| show ip rip database | RIP database |
| debug ? | Debugging |
RIP
(config)#router rip
(config-router)#version 2
(config-router)#network 192.168.1.0
(config-router)#passive-interface gig0/0
(config-router)#default-information originate ;router advertises its default route
(config-router)#timers basic [update] [invalid] [holddown] [flush] (in seconds)
NAT
;ACL
(config)#ip access-list standard NAME
(config-std-NAME)#permit 192.168.1.0 0.0.0.255
;Outside Interface
(config-if)#ip nat outside
;Inside Interface
(config-if)#ip nat inside
;NAT Enable
(config)#ip nat inside source list LIST-NAME interface OUTSIDE-IF overload
OSPF
(config)#router ospf 1 ;<- Process ID
(config-router)#network NET-ID WILDCARD-MASK area ZONE
(config-router)#auto-cost reference-bandwidth REF-IN-MBIT
(config-if)#ip ospf cost N
DHCP
(config)#ip dhcp excluded-address [start] [end]
(config)#ip dhcp pool POOL
(dhcp-config)#network [id] [snm]
(dhcp-config)#default-router [std-gw]
(dhcp-config)#domain-name domain.net
VLAN
On switches, ports are UP by default.
# Management VLAN
(config)#interface vlan 2
(config-if)#ip address [ip] [snm]
(config-if)#description mgmt
(config-if)#no shutdown
(config)#ip default-gateway [ip]
# Create VLANs and assign ports
# Change the native VLAN
(config)#vlan 3
(config-vlan)#name VLAN3
(config-vlan)#vlan 4
(config-vlan)#name native
# Inter-Switch Ports
(config)#interface range gig0/1-2
(config-if-range)#switchport mode trunk
(config-if-range)#switchport trunk native vlan 4
(config-if-range)#switchport trunk allowed vlan 2, 3, 4
# User Ports
(config)#interface range gig0/3-10
(config-if-range)#switchport mode access
(config-if-range)#switchport access vlan 3
(config-if-range)#switchport port-security
(config-if-range)#switchport port-security maximum 3 #max 3 learned MAC
Subinterfaces (Router on a stick)
(config)#ipv6 unicast-routing
(config)#interface gig0/0/1.2
(config-subif)#encapsulation dot1Q 2
(config-subif)#description VLAN2
(config-subif)#ip address [ip] [snm]
(config-subif)#ipv6 address fe80::1 link-local
(config-subif)#ipv6 address [ip]/[cidr]
[...]
(config)#interface gig0/0/1
(config-if)#no shutdown
Etherchannel
(config)#interface range gig0/1-2
(config-if-range)#channel-group 1 mode active
Firewalls
### ACL
(config)#ip access-list extended [NAME]
(config-ext-nacl)#deny/permit [PROTO] [RULE]
#RULE -> SOURCE TARGET
#SOURCE/TARGET ->
host [IP] (eq [PORT])
[NET] [WILDCARD] (eq [PORT])
any (eq [PORT])
#e.g.
(config)#ip access-list extended [NAME]
(config-ext-nacl)#permit tcp any any eq www
(config-ext-nacl)#permit tcp any any eq 110
(config-ext-nacl)#permit icmp host 192.168.1.1 host 192.168.1.254
### Assign to IF
(config-if)#ip access-group [NAME] in/out
### Make the firewall stateful
(config)#ip inspect [NAME] [PROTO]
# one entry per protocol, e.g. icmp, tcp, etc.
# enable on the outgoing interface
(config-if)#ip inspect [NAME] out
### Stats
#show access-lists [NAME]
Misc
;DHCP-"Relay"
(config-if)#ip helper-address IP-DHCP-SRV