Complete CCNA CLI Reference Guide - Comprehensive Edition: Router Boot Process and Initial Configuration

Uploaded by gowthamfree1

Complete CCNA CLI Reference Guide - Comprehensive Edition

This expanded guide covers every CCNA topic with in-depth explanations, complete command variations,
detailed troubleshooting, and real-world scenarios.

1. Network Fundamentals

1.1 Routers - Complete Configuration and Management

Routers are Layer 3 devices that forward packets between networks based on IP addresses. They maintain
routing tables, make forwarding decisions, and provide interconnection between different network
segments.

Router Boot Process and Initial Configuration:

bash
# Boot Process Overview:
# 1. Power-On Self Test (POST)
# 2. Bootstrap program loads IOS from Flash (boot source is governed by the config register)
# 3. IOS loads the startup configuration from NVRAM
# 4. If no startup config exists, the router enters Setup mode

# Router Navigation Modes


Router> enable # User EXEC mode to Privileged EXEC
Router# configure terminal # Enter global configuration mode
Router(config)# exit # Return to privileged EXEC
Router(config)# end # Direct jump to privileged EXEC
Router# disable # Return to user EXEC mode

# Context-sensitive help
Router> ? # Available commands in user mode
Router# ? # Available commands in privileged mode
Router(config)# ? # Available global config commands
Router(config-if)# ? # Available interface commands

# Command abbreviation and completion


Router# sh run # Abbreviation for 'show running-config'
Router# show ru<Tab> # Tab completion
Router# show running-config | ? # Pipe options
Hostname and Banner Configuration:

bash
# Hostname Configuration
Router(config)# hostname R1 # Set device hostname
Router(config)# no hostname # Reset to default (Router)

# Banner Configuration - Multiple Types (motd is shown first, then login, then exec after authentication)
# The '#' is the delimiter; any character not used in the banner text works.


Router(config)# banner motd #
Unauthorized access is prohibited!
Contact admin@company.com for access.
#

Router(config)# banner login #


Please enter your credentials
#

Router(config)# banner exec #


Welcome to Production Router R1
All activities are logged and monitored
#

Router(config)# banner incoming #


You have connected to router R1
#

# Remove banners
Router(config)# no banner motd
Router(config)# no banner login

Password Security Configuration:

bash
# Enable Password (legacy - stored in cleartext, or as type 7 if service password-encryption is on)
Router(config)# enable password cisco123 # Avoid; superseded by enable secret

# Enable Secret (type 5 MD5 hash by default; IOS 15.3(3)M+/IOS XE also offer type 8/9 via 'algorithm-type')


Router(config)# enable secret cisco123 # Hashed password (takes precedence over enable password)
Router(config)# enable secret level 5 user123 # Level 5 enable password
Router(config)# enable secret level 10 admin123 # Level 10 enable password

# Service Password Encryption (Type 7 - reversible obfuscation, not encryption)


Router(config)# service password-encryption # Obfuscates line/enable passwords; stops shoulder-surfing only
Router(config)# no service password-encryption # Disable (passwords already converted stay type 7)
# Strong Password Policies
Router(config)# security passwords min-length 8 # Minimum password length
Router(config)# security authentication failure rate 5 log # Log failed attempts
Router(config)# login block-for 300 attempts 5 within 60 # Block after failures

# Line Password Configuration


Router(config)# line console 0 # Console line
Router(config-line)# password console123 # Console password
Router(config-line)# login # Enable authentication
Router(config-line)# exec-timeout 5 30 # Timeout: 5 min 30 sec
Router(config-line)# logging synchronous # Synchronous logging
Router(config-line)# history size 50 # Command history size

Router(config)# line aux 0 # Auxiliary port


Router(config-line)# password aux123
Router(config-line)# login

Router(config)# line vty 0 4 # VTY lines 0-4


Router(config-line)# password vty123
Router(config-line)# login # Password authentication
Router(config-line)# login local # Local user authentication
Router(config-line)# transport input ssh # SSH only
Router(config-line)# transport input telnet ssh # Telnet and SSH
Router(config-line)# transport input none # No remote access
Router(config-line)# access-class 10 in # Apply ACL
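The reason the guide calls type 7 "weak encryption" is that it is a fixed-key XOR, not a cipher. The script below is an added example, not part of the original guide, and shows the actual transform: the first two characters of a type 7 string are a decimal offset into a well-known 53-byte key, and every following hex pair is one plaintext byte XORed with the key byte at that position. The sample config lines are constructed for the demo; anything protected only by service password-encryption is recoverable from a config backup in constant time, which is why only enable secret / username ... secret offer real protection.

```python
"""Cisco IOS type 7 ("service password-encryption") encoder/decoder.

Added example, not from the original guide. Type 7 is a fixed-key XOR
obfuscation with a well-known key, so anything protected only by
service password-encryption is recoverable from a config backup.
"""
import re
from typing import List, Tuple

# The fixed 53-byte XOR key IOS uses for type 7. The first two characters of a
# type 7 string are the decimal offset into this key at which XOR starts.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Return the plaintext of a type 7 string such as '070C285F4D06'."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("a type 7 string is two salt digits plus hex byte pairs")
    offset = int(encoded[:2])              # salt: starting index into TYPE7_KEY
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 7) -> str:
    """Produce a type 7 string; IOS picks the salt itself, here it is a parameter."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses salt values 0-15")
    data = plaintext.encode("ascii")
    cipher = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                   for i, b in enumerate(data))
    return f"{offset:02d}" + cipher.hex().upper()


# Constructed sample: what 'show running-config' prints after
# 'service password-encryption' has converted two cleartext passwords.
SAMPLE_CONFIG = """\
enable password 7 070C285F4D06
line vty 0 4
 password 7 03124F12575D72
 login
"""


def recover_type7_from_config(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every 'password 7' line."""
    pattern = re.compile(r"^\s*(.*?password 7 ([0-9A-Fa-f]+))\s*$", re.M)
    return [(m.group(1), type7_decode(m.group(2)))
            for m in pattern.finditer(config_text)]


if __name__ == "__main__":
    for line, plain in recover_type7_from_config(SAMPLE_CONFIG):
        print(f"{line!r:40} -> {plain}")
```

Run it against a real backup with recover_type7_from_config(open("R1-config.txt").read()) and every line password, enable password and username password falls out; the same holds for type 7 strings in SNMP, RADIUS and key-chain configuration.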

Interface Configuration - Complete Reference:

bash
# Interface Selection Methods
Router(config)# interface gigabitethernet 0/0 # Full name
Router(config)# interface gi0/0 # Abbreviated
Router(config)# interface g0/0 # Short form
Router(config)# interface range gi0/0-3 # Range configuration
Router(config)# interface range gi0/0-1,gi0/3 # Multiple interfaces

# IP Address Configuration
Router(config-if)# ip address 192.168.1.1 255.255.255.0 # Primary IP
Router(config-if)# ip address 192.168.1.10 255.255.255.0 secondary # Secondary IP
Router(config-if)# ip address dhcp # DHCP client
Router(config-if)# ip address dhcp hostname R1 # DHCP with hostname
Router(config-if)# ip address negotiated # PPP negotiated address

# Interface Status and Properties


Router(config-if)# no shutdown # Enable interface (administratively up)
Router(config-if)# shutdown # Disable interface (administratively down)
Router(config-if)# description "WAN Connection to ISP" # Interface description

# Physical Layer Configuration


Router(config-if)# speed 10 # 10 Mbps
Router(config-if)# speed 100 # 100 Mbps
Router(config-if)# speed 1000 # 1 Gbps
Router(config-if)# speed auto # Auto-negotiate speed
Router(config-if)# duplex half # Half duplex
Router(config-if)# duplex full # Full duplex
Router(config-if)# duplex auto # Auto-negotiate duplex

# Bandwidth and Delay (affects routing metrics)


Router(config-if)# bandwidth 1544 # T1 bandwidth (Kbps)
Router(config-if)# bandwidth 10000 # 10 Mbps bandwidth
Router(config-if)# delay 100 # Delay in tens of microseconds

# Media Type Configuration


Router(config-if)# media-type rj45 # RJ45 connector
Router(config-if)# media-type sfp # SFP module

# Serial Interface Configuration


Router(config-if)# encapsulation ppp # PPP encapsulation
Router(config-if)# encapsulation hdlc # HDLC encapsulation (default)
Router(config-if)# encapsulation frame-relay # Frame Relay
Router(config-if)# clock rate 64000 # DCE clock rate (64 Kbps)
Router(config-if)# clock rate 128000 # 128 Kbps
Router(config-if)# clock rate 1544000 # T1 speed
Router(config-if)# clock rate 2048000 # E1 speed

# Loopback Interface Configuration


Router(config)# interface loopback 0 # Loopback interface
Router(config-if)# ip address 10.1.1.1 255.255.255.255 # /32 host route
Router(config-if)# description "Router ID Interface"

Advanced Router Configuration:

bash
# Domain Name and Host Resolution
Router(config)# ip domain-name company.com # Domain name
Router(config)# ip domain-lookup # Enable DNS lookups (default)
Router(config)# no ip domain-lookup # Disable DNS lookups
Router(config)# ip name-server 8.8.8.8 # DNS server
Router(config)# ip name-server 8.8.4.4 8.8.8.8 # Multiple DNS servers

# Host Table Entries


Router(config)# ip host R2 192.168.1.2 # Static host entry
Router(config)# ip host server1 10.1.1.100 # Server host entry

# IP Services
Router(config)# ip routing # Enable IP routing (default on routers)
Router(config)# no ip routing # Disable IP routing
Router(config)# ip classless # Classless routing behavior
Router(config)# ip subnet-zero # Allow subnet zero usage

# Source Interface for Services


Router(config)# ip tftp source-interface gi0/0 # TFTP source interface
Router(config)# ip ftp source-interface gi0/0 # FTP source interface
Router(config)# ip ssh source-interface gi0/0 # SSH source interface

# Router Information
Router(config)# snmp-server location "Building A Rack 1" # Physical location
Router(config)# snmp-server contact "admin@company.com" # Contact information

Comprehensive Verification Commands:

bash
# Configuration Display
Router# show running-config # Current active configuration
Router# show startup-config # Saved configuration in NVRAM
Router# show running-config | section interface # Interface configurations only
Router# show running-config | include hostname # Lines containing 'hostname'
Router# show running-config | exclude ! # Exclude comment lines
Router# show running-config | begin line vty # Start from 'line vty'

# System Information
Router# show version # IOS version, uptime, hardware info
Router# show tech-support # Complete technical information
Router# show inventory # Hardware inventory
Router# show environment # Environmental status (temp, power)
Router# show processes # Running processes
Router# show processes cpu # CPU utilization
Router# show memory # Memory usage
Router# show stacks # Stack trace information

# Interface Verification
Router# show interfaces # All interfaces detailed info
Router# show ip interface brief # IP interface summary
Router# show interface gi0/0 # Specific interface details
Router# show interface description # Interface descriptions
Router# show interface status # Interface status summary
Router# show interface counters # Interface packet counters
Router# show interface counters errors # Interface error counters
Router# show controllers serial 0/0/0 # Controller information

# Clock and Time


Router# show clock # Current date and time
Router# show calendar # Hardware calendar (if available)
Router# show ntp status # NTP synchronization status

# File System Information


Router# show flash # Flash memory contents
Router# show file systems # Available file systems
Router# dir # Directory listing (current)
Router# dir flash: # Flash directory
Router# dir nvram: # NVRAM directory

# History and Sessions


Router# show history # Command history
Router# show users # Current users
Router# show sessions # Outgoing sessions
Router# show line # Line status
Router# show logging # System log messages

Router Troubleshooting Commands:

bash
# Connectivity Testing
Router# ping 8.8.8.8 # Basic ping
Router# ping 8.8.8.8 source gi0/0 # Ping with source interface
Router# ping 8.8.8.8 size 1500 # Large packet ping
Router# ping 8.8.8.8 repeat 100 # Extended ping
Router# ping 8.8.8.8 timeout 10 # Custom timeout

# Extended ping (interactive)


Router# ping
Protocol [ip]: ip
Target IP address: 8.8.8.8
Repeat count [5]: 100
Datagram size [100]: 1500
Timeout in seconds [2]: 5
Extended commands [n]: y
Source address or interface: gi0/0
Type of service [0]: 0
Set DF bit in IP header? [no]: no
Validate reply data? [no]: no
Data pattern [0xABCD]: 0x0000
Loose, Strict, Record, Timestamp, Verbose[none]: none
Sweep range of sizes [n]: n

# Traceroute Testing
Router# traceroute 8.8.8.8 # Basic traceroute
Router# traceroute 8.8.8.8 source gi0/0 # Source interface traceroute
Router# traceroute 8.8.8.8 numeric # Numeric output only

# Name Resolution Testing (IOS has no nslookup command)


Router# ping google.com # Resolves the name through ip name-server, then pings it
Router# show hosts # Cached DNS answers and static ip host entries

# Telnet Testing (cleartext; use the IOS ssh client for anything with credentials)
Router# telnet 192.168.1.2 # Telnet to device
Router# telnet 192.168.1.2 23 # Telnet to specific port (handy as a TCP port reachability check)

# Debug Commands (use with caution: debug ip packet on a busy router can saturate the CPU;
# limit it with an ACL argument, keep a console session open, and turn it off when done)


Router# debug ip packet # Debug IP packets (process-switched packets only)
Router# debug ip packet detail # Detailed IP packet debug
Router# debug ip icmp # Debug ICMP messages
Router# debug arp # Debug ARP
Router# undebug all # Turn off all debugging

# Clear Commands
Router# clear counters # Clear interface counters
Router# clear arp-cache # Clear ARP cache
Router# clear ip route * # Clear all dynamic routes
Router# clear logging # Clear log buffer

Configuration Management:

bash
# Save Configuration
Router# copy running-config startup-config # Save to NVRAM
Router# write memory # Alternative save command
Router# copy run start # Abbreviated save
Router# wr # Shortest save command

# Backup and Restore Configuration
# TFTP and FTP carry the config (including type 7 strings and hashes) in cleartext,
# and credentials placed in the URL end up in the command history; prefer scp: where available


Router# copy running-config tftp://192.168.1.100/R1-config.txt
Router# copy tftp://192.168.1.100/R1-config.txt running-config # Merges into, does not replace, the running config
Router# copy running-config ftp://user:pass@192.168.1.100/R1-backup.cfg

# Configuration Archive
Router(config)# archive
Router(config-archive)# path flash:archive-config # Archive path
Router(config-archive)# maximum 14 # Keep 14 versions
Router(config-archive)# time-period 1440 # Archive every 24 hours

# Archive Operations
Router# archive config # Archive current config
Router# show archive # Show archived configs
Router# configure replace flash:archive-config-1 # Replace with archived config

# Reset Configuration
Router# write erase # Erase startup configuration
Router# erase startup-config # Alternative erase command
Router(config)# config-register 0x2142 # Boot without startup-config
Router# reload # Restart router

# Password Recovery Mode
# Anyone with console access can do this, so physical access to the console is root access;
# 'no service password-recovery' disables it at the cost of needing a full wipe if the password is lost


# Boot router and interrupt boot process (Ctrl+Break)
rommon> confreg 0x2142 # Bypass startup config
rommon> boot # Boot normally
Router> enable # Enter privileged mode (no password, config was skipped)
Router# copy startup-config running-config # Merge the saved config back in
Router# configure terminal
Router(config)# enable secret newpassword # Set new password
Router(config)# config-register 0x2102 # Normal boot mode
Router(config)# exit
Router# copy running-config startup-config # Save changes
Router# reload # Restart with new config
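Once configs are being archived and copied off-box, the natural next step is to check them offline for the weaknesses the password and line sections above warn about. The script below is an added example, not part of the guide: it parses a running-config into global lines and per-"line" sections and flags enable password instead of enable secret, type 7 strings, VTY lines that still accept telnet, lines without an access-class or idle timeout, and line passwords used instead of per-user authentication. The sample config is constructed for the demo; the check list is this example's own, not an official Cisco baseline.

```python
"""Offline hardening check for a Cisco IOS running-config (added example).

Not part of the guide; it encodes the checks implied by the password and
VTY sections: no 'enable password', no type 7 secrets, SSH-only VTYs with an
access-class and an idle timeout, per-user (login local / AAA) authentication.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one badly configured router.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable password 7 070C285F4D06
!
line con 0
 password 7 03124F12575D72
 login
!
line vty 0 4
 password 7 03124F12575D72
 login
 transport input telnet ssh
!
line vty 5 15
 login local
 transport input ssh
 access-class 10 in
 exec-timeout 5 0
!
"""


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global lines and 'line ...' sections keyed by header."""
    global_lines: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("!") or not raw.strip():
            current = None                      # '!' ends a section
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections


def audit(config: str) -> List[str]:
    """Return one finding string per weakness; an empty list means nothing flagged."""
    findings: List[str] = []
    global_lines, sections = parse_sections(config)

    if any(l.startswith("enable password") for l in global_lines):
        findings.append("global: 'enable password' in use; replace with 'enable secret'")
    for l in global_lines:
        if re.search(r"\bpassword 7 [0-9A-Fa-f]+", l):
            findings.append(f"global: type 7 password in '{l.split()[0]}' (reversible)")

    for header, body in sections.items():
        if any(l.startswith("password 7 ") for l in body):
            findings.append(f"{header}: type 7 password (reversible)")
        if "login" in body:                     # bare 'login' = shared line password
            findings.append(f"{header}: line password auth ('login'); use 'login local' or AAA")
        if not any(l.startswith("exec-timeout") for l in body) or "exec-timeout 0 0" in body:
            findings.append(f"{header}: no idle timeout (exec-timeout missing or 0 0)")
        if header.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input")]
            if not transport:
                findings.append(f"{header}: transport input not set explicitly (platform default applies)")
            elif any("telnet" in l or l.endswith(" all") for l in transport):
                findings.append(f"{header}: telnet permitted; set 'transport input ssh'")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{header}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Point it at an archived copy (audit(open("R1-config.txt").read())) and run it from the backup job; the "line vty 5 15" section in the sample is the shape every VTY block should end up in.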

Router-on-a-Stick Setup

What Is It?

“Router-on-a-Stick” is a network setup where a single physical router interface (usually connecting to a
switch) is used to route traffic between multiple VLANs. This is achieved by configuring subinterfaces on the
router, each corresponding to a different VLAN, and using 802.1Q trunking.

Where to use:

• Campus networks with multiple VLANs and Layer 2 switches only (no multilayer/L3 switches).
• Small to medium deployments with low inter-VLAN traffic demand.
Topology Example

• Switch connects all VLAN hosts.


• Router connects to switch with a single Ethernet cable.
• The switch port is set as a trunk, and router interface is divided into logical subinterfaces.

Step-by-Step Configuration

1. VLAN and Access Port Setup on the Switch

bash
# Create VLANs
Switch(config)# vlan 10
Switch(config-vlan)# name SALES
Switch(config)# vlan 20
Switch(config-vlan)# name IT

# Assign switchports to VLANs


Switch(config)# interface fastethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

Switch(config)# interface fastethernet0/3


Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20

2. Configure the Trunk Port to the Router

bash
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport trunk encapsulation dot1q # May be required on some switches
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate # Optional: disables DTP
Switch(config-if)# description Trunk to Router
3. Router Subinterface Configuration

Suppose you’re using GigabitEthernet0/0.

bash
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown

# Subinterface for VLAN 10


Router(config)# interface GigabitEthernet0/0.10
Router(config-if)# encapsulation dot1Q 10
Router(config-if)# ip address 192.168.10.1 255.255.255.0

# Subinterface for VLAN 20


Router(config)# interface GigabitEthernet0/0.20
Router(config-if)# encapsulation dot1Q 20
Router(config-if)# ip address 192.168.20.1 255.255.255.0

• encapsulation dot1Q xx: Enables 802.1Q tagging, tags this subinterface’s traffic with VLAN ID.
• ip address: Acts as the default gateway for all devices in that VLAN.

4. Configure End Devices

• VLAN 10 devices: IP in 192.168.10.x/24; Gateway: 192.168.10.1


• VLAN 20 devices: IP in 192.168.20.x/24; Gateway: 192.168.20.1

5. Optional: Native VLAN (untagged)

If you need the native VLAN (untagged), the VLAN ID must match the switch side's switchport trunk native vlan; a mismatch silently merges the two VLANs. Keep the native VLAN off user VLANs (and off VLAN 1) so untagged frames cannot be used to reach them:

bash
Router(config)# interface GigabitEthernet0/0.99
Router(config-if)# encapsulation dot1Q 99 native
Router(config-if)# ip address 192.168.99.1 255.255.255.0

Verification

bash
# On Router:
show ip interface brief
show running-config interface GigabitEthernet0/0.10
show running-config interface GigabitEthernet0/0.20

# On Switch:
show interfaces trunk
show vlan brief
show mac address-table vlan 10
show mac address-table vlan 20

# Test:
ping 192.168.10.1 # From VLAN 10 client to gateway
ping 192.168.20.1 # From VLAN 20 client to its gateway
ping 192.168.20.10 # From VLAN 10 client to VLAN 20 client (test inter-VLAN)

Summary Table

Device/Port VLAN IP address/Gateway Notes


Fa0/2 (Switch) 10 Host: 192.168.10.x sales devices
Fa0/3 (Switch) 20 Host: 192.168.20.x IT devices
Fa0/1 (Switch <-> Router) Trunk — Carries all VLANs
Gi0/0.10 (Router) 10 192.168.10.1/24 Gateway for VLAN 10
Gi0/0.20 (Router) 20 192.168.20.1/24 Gateway for VLAN 20

Best Practices & Notes

• Use descriptive interface and VLAN names.


• The trunk must be 802.1Q (dot1q), not ISL.
• Only one physical link is used for all VLANs, so performance is limited by that link.
• Use a Layer 3 switch for high-throughput environments.

1.2 Layer 2 and Layer 3 Switches - Advanced Configuration

Switches forward frames based on MAC addresses (Layer 2) or route packets between VLANs (Layer 3).
Modern switches combine both functions for efficient network operation.

Switch Boot Process and Modes:

bash
# Switch Boot Process:
# 1. POST (Power-On Self Test)
# 2. Boot Loader initialization
# 3. IOS loading from flash
# 4. Configuration loading from NVRAM
# 5. VLAN database loading

# Switch Navigation (similar to router)


Switch> enable
Switch# configure terminal
Switch(config)# hostname SW1
Switch(config)# enable secret switch123

# Switch-specific Information
Switch# show version # Switch IOS and hardware
Switch# show system # System information
Switch# show switch # Stack information (if stackable)
Switch# show module # Module information

VLAN Configuration - Complete Implementation:

bash
# VLAN Creation and Management
Switch(config)# vlan 10 # Create VLAN 10
Switch(config-vlan)# name Users # VLAN name
Switch(config-vlan)# state active # VLAN state (active/suspend)
Switch(config-vlan)# exit

# Multiple VLAN Creation


Switch(config)# vlan 10,20,30 # Multiple VLANs
Switch(config)# vlan 100-110 # VLAN range

# Extended VLANs (1006-4094)


Switch(config)# vtp mode transparent # Required for extended VLANs with VTP v1/v2 (VTP v3 can carry them)
Switch(config)# vlan 2000
Switch(config-vlan)# name Extended_VLAN
Switch(config-vlan)# state active

# VLAN Interface (SVI) Configuration


Switch(config)# interface vlan 10 # VLAN interface
Switch(config-if)# ip address 192.168.10.1 255.255.255.0 # Gateway IP
Switch(config-if)# description "Users Gateway" # Description
Switch(config-if)# no shutdown # Enable SVI
Switch(config-if)# ip helper-address 192.168.100.10 # DHCP relay

# Advanced SVI Configuration


Switch(config-if)# ip proxy-arp # Enable proxy ARP
Switch(config-if)# ip redirects # Enable ICMP redirects
Switch(config-if)# ip unreachables # Enable ICMP unreachables
Switch(config-if)# standby 1 ip 192.168.10.254 # HSRP configuration
Switch(config-if)# standby 1 priority 110 # HSRP priority

# VLAN Verification
Switch# show vlan # Detailed VLAN information
Switch# show vlan brief # VLAN summary
Switch# show vlan id 10 # Specific VLAN
Switch# show vlan name Users # VLAN by name
Switch# show interfaces vlan 10 # SVI information
Switch# show ip interface brief # All IP interfaces

Port Configuration - Comprehensive Guide:

bash
# Interface Selection Methods
Switch(config)# interface fastethernet 0/1 # Single interface
Switch(config)# interface range fa0/1-24 # Port range
Switch(config)# interface range fa0/1-10,fa0/15-24 # Multiple ranges
Switch(config)# interface range gi0/1-2 # Gigabit range

# Access Port Configuration


Switch(config-if)# switchport mode access # Static access port
Switch(config-if)# switchport access vlan 10 # Assign to VLAN 10
Switch(config-if)# switchport voice vlan 20 # Voice VLAN (IP phones)
Switch(config-if)# description "User Workstation" # Port description

# Voice VLAN Advanced Configuration


Switch(config-if)# switchport voice vlan dot1p # 802.1p priority tagging
Switch(config-if)# switchport voice vlan untagged # Untagged voice traffic
Switch(config-if)# switchport voice vlan none # Disable voice VLAN
Switch(config-if)# mls qos trust cos # Trust CoS markings

# Trunk Port Configuration
# Prune the trunk to the VLANs it needs and move the native VLAN off VLAN 1; untagged frames on the
# trunk land in the native VLAN, so it should not be a VLAN that carries user traffic


Switch(config-if)# switchport mode trunk # Static trunk
Switch(config-if)# switchport trunk encapsulation dot1q # 802.1Q (if required)
Switch(config-if)# switchport trunk allowed vlan 10,20,30 # Allowed VLANs
Switch(config-if)# switchport trunk allowed vlan add 40 # Add VLAN
Switch(config-if)# switchport trunk allowed vlan remove 30 # Remove VLAN
Switch(config-if)# switchport trunk allowed vlan all # All VLANs (default)
Switch(config-if)# switchport trunk allowed vlan except 999 # All except specific
Switch(config-if)# switchport trunk native vlan 99 # Native VLAN (must match the far end)

# DTP (Dynamic Trunking Protocol) Configuration
# Leaving a user port in dynamic mode lets a host negotiate a trunk and reach every VLAN;
# set access ports to 'switchport mode access' and add 'switchport nonegotiate' on trunks


Switch(config-if)# switchport mode dynamic desirable # Active DTP
Switch(config-if)# switchport mode dynamic auto # Passive DTP
Switch(config-if)# switchport nonegotiate # Disable DTP

# Port Security Configuration (Detailed in Section 5.5)


Switch(config-if)# switchport port-security # Enable port security
Switch(config-if)# switchport port-security maximum 2 # Max MAC addresses
Switch(config-if)# switchport port-security mac-address sticky # Sticky learning
Switch(config-if)# switchport port-security violation shutdown # Violation action

# Layer 3 Port Configuration (Routed Port)


Switch(config)# interface gi0/1
Switch(config-if)# no switchport # Make it Layer 3 port
Switch(config-if)# ip address 10.1.1.1 255.255.255.0 # Assign IP address
Switch(config-if)# description "Routed uplink to R1"
Switch(config-if)# no shutdown

# Interface Status and Troubleshooting


Switch(config-if)# speed 100 # Force 100 Mbps
Switch(config-if)# duplex full # Force full duplex
Switch(config-if)# mdix auto # Auto MDIX
Switch(config-if)# flowcontrol receive on # Flow control
Switch(config-if)# no cdp enable # Disable CDP
Switch(config-if)# no lldp transmit # Disable LLDP transmit
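Both the Router-on-a-Stick subinterfaces (encapsulation dot1Q, native keyword) and the trunk commands just above operate on the same wire format: a 4-byte 802.1Q tag (TPID 0x8100, then 3 bits of priority, 1 DEI bit and a 12-bit VLAN ID) inserted after the source MAC, with native-VLAN frames sent untagged. The script below is an added example, not part of the guide, that builds and parses such frames and then models one trunk behaviour that matters for security: because the native VLAN is sent untagged, a frame double-tagged [native, 20] has its outer tag stripped on egress and arrives at the next switch looking like a VLAN 20 frame. The MACs and payloads are constructed; the frame layout is the standard one.

```python
"""Build and parse 802.1Q-tagged Ethernet frames (added example, not from the guide).

Shows what 'encapsulation dot1Q <vid>' on a router subinterface and
'switchport mode trunk' / 'switchport trunk native vlan' actually handle,
and why a user VLAN must never be the native VLAN.
"""
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100      # tag protocol identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vlans: List[int],
                ethertype: int, payload: bytes) -> bytes:
    """Return an Ethernet frame with zero or more 802.1Q tags (outermost first)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    tags = b""
    for vid in vlans:
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        tci = (0 << 13) | (0 << 12) | vid          # PCP=0, DEI=0, 12-bit VID
        tags += struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> Tuple[List[int], int, bytes]:
    """Return (vlan_ids outer->inner, ethertype, payload); untagged -> [native_vlan]."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    offset = 12                                     # just past dst + src MAC
    vlans: List[int] = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != TPID_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)
        offset += 4
    return (vlans or [native_vlan]), etype, frame[offset + 2:]


def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """Model a trunk sending the native VLAN untagged: strip the outer tag if it is the native VID."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return frame                                # already untagged
    (tci,) = struct.unpack_from("!H", frame, 14)
    if (tci & 0x0FFF) != native_vlan:
        return frame                                # tagged with a non-native VLAN, sent as is
    return frame[:12] + frame[16:]                  # outer tag removed; any inner tag survives


if __name__ == "__main__":
    dst = bytes.fromhex("ffffffffffff")             # constructed addresses
    src = bytes.fromhex("001122334455")
    normal = build_frame(dst, src, [10], ETHERTYPE_IPV4, b"sales")
    print("VLAN 10 frame parsed as", parse_frame(normal))
    hop = build_frame(dst, src, [1, 20], ETHERTYPE_IPV4, b"hop")
    print("double-tagged after trunk with native 1:", parse_frame(trunk_egress(hop, 1)))
```

The last line of the demo is the whole argument for switchport trunk native vlan 99 and for keeping access ports out of the native VLAN: with native VLAN 1 and a host in VLAN 1, the [1, 20] frame emerges on the trunk as a plain VLAN 20 frame; with native VLAN 99 the outer tag stays and the frame is simply VLAN 1 traffic.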

Layer 3 Switch Routing Configuration:

bash
# Enable IP Routing
Switch(config)# ip routing # Enable routing capability

# Routing Protocol Configuration (OSPF example)


Switch(config)# router ospf 1 # OSPF process
Switch(config-router)# router-id 1.1.1.1 # Router ID
Switch(config-router)# network 192.168.10.0 0.0.0.255 area 0
Switch(config-router)# network 192.168.20.0 0.0.0.255 area 0
Switch(config-router)# passive-interface default # All interfaces passive
Switch(config-router)# no passive-interface gi0/1 # Active interface

# Static Route Configuration


Switch(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 # Default route
Switch(config)# ip route 172.16.0.0 255.255.0.0 10.1.1.2 # Static route

# Inter-VLAN Routing Verification


Switch# show ip route # Routing table
Switch# show ip route connected # Connected routes
Switch# show ip interface brief # IP interface status
Switch# ping 192.168.20.1 source 192.168.10.1 # Test inter-VLAN connectivity

Advanced Switch Verification Commands:

bash
# Interface and Port Information
Switch# show interfaces status # Port status summary
Switch# show interfaces description # Port descriptions
Switch# show interfaces trunk # Trunk port information
Switch# show interfaces switchport # Switchport information
Switch# show interfaces gi0/1 switchport # Specific port switchport info

# VLAN and Spanning Tree


Switch# show vlan brief # VLAN summary
Switch# show spanning-tree # STP information
Switch# show spanning-tree summary # STP summary
Switch# show spanning-tree interface gi0/1 # Interface STP status

# MAC Address and ARP Tables


Switch# show mac address-table # MAC address table
Switch# show mac address-table dynamic # Dynamic MAC entries
Switch# show mac address-table static # Static MAC entries
Switch# show mac address-table aging-time # Aging timer
Switch# show arp # ARP table (Layer 3 switches)

# System and Environment


Switch# show environment # Temperature, power, fans
Switch# show power # Power consumption
Switch# show module # Module information
Switch# show inventory # Hardware inventory

# CDP and LLDP


Switch# show cdp neighbors # CDP neighbors
Switch# show cdp neighbors detail # Detailed CDP info
Switch# show lldp neighbors # LLDP neighbors
Switch# show lldp neighbors detail # Detailed LLDP info

# Switch Stack Information (if applicable)


Switch# show switch # Stack information
Switch# show switch stack-ports # Stack port status
Switch# show redundancy # Redundancy status
1.3 Next-Generation Firewalls and IPS - Advanced Security

NGFWs provide comprehensive security beyond traditional packet filtering, including application awareness,
intrusion prevention, URL filtering, and malware detection.

Zone-Based Firewall Configuration:

bash
# Security Zones Creation
Router(config)# zone security INSIDE # Internal trusted zone
Router(config-sec-zone)# description "Internal LAN Zone"

Router(config)# zone security OUTSIDE # External untrusted zone


Router(config-sec-zone)# description "Internet Zone"

Router(config)# zone security DMZ # DMZ zone


Router(config-sec-zone)# description "Demilitarized Zone"

Router(config)# zone security GUEST # Guest network zone


Router(config-sec-zone)# description "Guest Access Zone"

# Interface Assignment to Zones


Router(config)# interface gi0/0 # Internal LAN interface
Router(config-if)# zone-member security INSIDE
Router(config-if)# exit

Router(config)# interface gi0/1 # Internet interface


Router(config-if)# zone-member security OUTSIDE
Router(config-if)# exit

Router(config)# interface gi0/2 # DMZ interface


Router(config-if)# zone-member security DMZ
Router(config-if)# exit

# Class Maps for Traffic Classification


Router(config)# class-map type inspect match-all HTTP_TRAFFIC
Router(config-cmap)# match protocol http # HTTP traffic
Router(config-cmap)# match access-group 110 # ACL-based matching (match-all: ACL 110 must exist and also match)
Router(config-cmap)# exit

Router(config)# class-map type inspect match-all HTTPS_TRAFFIC


Router(config-cmap)# match protocol https # HTTPS traffic
Router(config-cmap)# exit

Router(config)# class-map type inspect match-all EMAIL_TRAFFIC


Router(config-cmap)# match protocol smtp # SMTP traffic
Router(config-cmap)# match protocol pop3 # POP3 traffic
Router(config-cmap)# match protocol imap # IMAP traffic
Router(config-cmap)# exit

Router(config)# class-map type inspect match-all DNS_TRAFFIC


Router(config-cmap)# match protocol dns # DNS traffic
Router(config-cmap)# exit

Router(config)# class-map type inspect match-any WEB_TRAFFIC


Router(config-cmap)# match class-map HTTP_TRAFFIC # Include HTTP class
Router(config-cmap)# match class-map HTTPS_TRAFFIC # Include HTTPS class
Router(config-cmap)# exit

# Policy Maps for Security Actions


Router(config)# policy-map type inspect WEB_POLICY
Router(config-pmap)# class type inspect WEB_TRAFFIC
Router(config-pmap-c)# inspect # Stateful inspection
Router(config-pmap-c)# exit
Router(config-pmap)# class type inspect EMAIL_TRAFFIC
Router(config-pmap-c)# inspect # Allow email
Router(config-pmap-c)# exit
Router(config-pmap)# class type inspect DNS_TRAFFIC
Router(config-pmap-c)# inspect # Allow DNS
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# drop log # Drop and log other traffic
Router(config-pmap-c)# exit

# Advanced Policy Map with Rate Limiting


Router(config)# policy-map type inspect ADVANCED_POLICY
Router(config-pmap)# class type inspect WEB_TRAFFIC
Router(config-pmap-c)# inspect
Router(config-pmap-c)# police rate 10000000 # Rate limit to 10 Mbps
Router(config-pmap-c)# exit

# Zone Pairs and Policy Application
# Without a zone-pair, traffic between two different zones is dropped; a zone-pair is one-directional,
# and 'inspect' on the forward direction is what admits the return traffic


Router(config)# zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect WEB_POLICY
Router(config-sec-zone-pair)# description "Inside to Outside traffic policy"
Router(config-sec-zone-pair)# exit

# DMZ_POLICY and INTERNAL_POLICY below are not defined in this guide; create them the same way as WEB_POLICY first
Router(config)# zone-pair security OUTSIDE_TO_DMZ source OUTSIDE destination DMZ


Router(config-sec-zone-pair)# service-policy type inspect DMZ_POLICY
Router(config-sec-zone-pair)# exit
Router(config)# zone-pair security DMZ_TO_INSIDE source DMZ destination INSIDE
Router(config-sec-zone-pair)# service-policy type inspect INTERNAL_POLICY
Router(config-sec-zone-pair)# exit

# Self Zone Configuration (for router management)
# Traffic to and from the router itself (the self zone) is allowed by default; it is only restricted
# once a zone-pair naming self exists, so a pair from OUTSIDE to self is needed as well, not just INSIDE


Router(config)# class-map type inspect match-all MANAGEMENT_TRAFFIC
Router(config-cmap)# match protocol ssh # SSH management
Router(config-cmap)# match protocol snmp # SNMP
Router(config-cmap)# match protocol ntp # NTP
Router(config-cmap)# exit

Router(config)# policy-map type inspect SELF_POLICY


Router(config-pmap)# class type inspect MANAGEMENT_TRAFFIC
Router(config-pmap-c)# pass # Allow management traffic (stateless; replies rely on the self-to-INSIDE default)
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# drop # Drop other traffic to router
Router(config-pmap-c)# exit

Router(config)# zone-pair security INSIDE_TO_SELF source INSIDE destination self


Router(config-sec-zone-pair)# service-policy type inspect SELF_POLICY
Router(config-sec-zone-pair)# exit
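The decision rules behind the configuration above are easy to get wrong, so here they are as a small simulator. This is an added example, not part of the guide: it models interfaces in the same zone passing freely, inter-zone traffic being dropped unless a zone-pair with a policy exists, a zone member being unable to talk to an un-zoned interface, the self zone being open until a pair names it, and inspect creating a session that admits the reply. The zone, interface and class names are the guide's; the match-all HTTP class is simplified to a protocol match, the undefined DMZ_POLICY and INTERNAL_POLICY pairs are left out, and the flows are constructed.

```python
"""Simulator for IOS zone-based firewall decisions (added example, not from the guide)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    in_if: str      # ingress interface, or "self" for traffic from the router
    out_if: str     # egress interface, or "self" for traffic to the router
    proto: str


@dataclass
class Policy:
    # ordered (class name, protocols it matches, action) where action is inspect/pass/drop
    classes: List[Tuple[str, Set[str], str]]
    default_action: str = "drop"        # class-default


@dataclass
class ZBFW:
    zone_of: Dict[str, str]                             # interface -> zone
    zone_pairs: Dict[Tuple[str, str], Policy]           # (source zone, dest zone) -> policy
    sessions: Set[Tuple[str, str, str]] = field(default_factory=set)

    def zone(self, iface: str) -> Optional[str]:
        return "self" if iface == "self" else self.zone_of.get(iface)

    def decide(self, flow: Flow) -> str:
        # 1. a reply to an inspected flow is admitted by the session table
        if (flow.in_if, flow.out_if, flow.proto) in self.sessions:
            return "pass (session)"
        src, dst = self.zone(flow.in_if), self.zone(flow.out_if)
        # 2. zone member <-> un-zoned interface is dropped; two un-zoned interfaces are not firewalled
        if src is None or dst is None:
            return "pass (no zones)" if src is None and dst is None else "drop (zone member to non-zone interface)"
        # 3. intra-zone traffic is allowed
        if src == dst:
            return "pass (intra-zone)"
        policy = self.zone_pairs.get((src, dst))
        # 4. no zone-pair: dropped, except that the self zone is open until a pair names it
        if policy is None:
            return "pass (self zone default)" if "self" in (src, dst) else "drop (no zone-pair)"
        # 5. first matching class wins; inspect records the reverse flow as a session
        for name, protos, action in policy.classes:
            if flow.proto in protos:
                if action == "inspect":
                    self.sessions.add((flow.out_if, flow.in_if, flow.proto))
                return f"{action} ({name})"
        return f"{policy.default_action} (class-default)"


def build_from_guide() -> ZBFW:
    """The zones, pairs and policies configured in the section above (DMZ pairs omitted)."""
    web_policy = Policy(classes=[
        ("WEB_TRAFFIC", {"http", "https"}, "inspect"),
        ("EMAIL_TRAFFIC", {"smtp", "pop3", "imap"}, "inspect"),
        ("DNS_TRAFFIC", {"dns"}, "inspect"),
    ])
    self_policy = Policy(classes=[("MANAGEMENT_TRAFFIC", {"ssh", "snmp", "ntp"}, "pass")])
    return ZBFW(
        zone_of={"gi0/0": "INSIDE", "gi0/1": "OUTSIDE", "gi0/2": "DMZ"},
        zone_pairs={("INSIDE", "OUTSIDE"): web_policy, ("INSIDE", "self"): self_policy},
    )


if __name__ == "__main__":
    fw = build_from_guide()
    for f in [Flow("gi0/0", "gi0/1", "http"), Flow("gi0/1", "gi0/0", "http"),
              Flow("gi0/1", "gi0/0", "ssh"), Flow("gi0/0", "gi0/1", "telnet"),
              Flow("gi0/0", "self", "ssh"), Flow("gi0/1", "self", "ssh")]:
        print(f, "->", fw.decide(f))
```

The last flow in the demo is the one to notice: SSH from the Internet interface to the router itself is still permitted, because the guide only defines INSIDE_TO_SELF. An OUTSIDE-to-self zone-pair with a drop-everything policy closes that, and the simulator will then return "drop (class-default)" for it.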

IPS (Intrusion Prevention System) Configuration:

bash
# IPS Global Configuration
Router(config)# ip ips config location flash:/ipsdir/ # IPS signature location
Router(config)# ip ips name IPS_RULE # Create IPS rule
Router(config)# ip ips notify log # IPS logging
Router(config)# ip ips notify syslog # Syslog notifications

# Signature Category Configuration
# Standard pattern: retire every signature first, then un-retire only the set you want loaded


Router(config)# ip ips signature-category # Enter signature config
Router(config-ips-category)# category all # All signature categories
Router(config-ips-category-action)# retired true # Retire all signatures (none active yet)
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic # Basic signature set
Router(config-ips-category-action)# retired false # Un-retire (activate) the basic set
Router(config-ips-category-action)# exit

# Custom Signature Configuration


Router(config-ips-category)# category attack
Router(config-ips-category-action)# retired false
Router(config-ips-category-action)# exit
Router(config-ips-category)# category policy
Router(config-ips-category-action)# retired false
Router(config-ips-category-action)# exit

# Apply IPS to Interfaces


Router(config)# interface gi0/0
Router(config-if)# ip ips IPS_RULE in # Inbound inspection
Router(config-if)# exit

Router(config)# interface gi0/1


Router(config-if)# ip ips IPS_RULE out # Outbound inspection
Router(config-if)# exit

# IPS Event Action Override


Router(config)# ip ips signature 2004 0 # Specific signature
Router(config-ips-sig)# engine # Engine configuration
Router(config-ips-sig-engine)# event-action produce-alert # Generate alert
Router(config-ips-sig-engine)# event-action drop-packet # Drop malicious packets
Router(config-ips-sig-engine)# exit

# IPS Monitoring and Verification


Router# show ip ips all # All IPS information
Router# show ip ips interfaces # IPS-enabled interfaces
Router# show ip ips signatures # Active signatures
Router# show ip ips statistics # IPS statistics
Router# show ip ips events # IPS events/alerts

# IPS Troubleshooting
Router# debug ip ips # Debug IPS operations
Router# show logging | include IPS # IPS-related logs
Router# clear ip ips statistics # Clear IPS statistics

URL Filtering and Application Control:

bash
# URL Filtering (using zone-based firewall with URL filtering)
Router(config)# parameter-map type urlfilter URLF_PARAM
Router(config-profile)# server vendor websense 192.168.100.50 port 8080 timeout 5 # Vendor, server, port and timeout are one command
Router(config-profile)# cache 1000 # Cache size
Router(config-profile)# exit
Router(config)# class-map type urlfilter match-any URLFILTER_CLASS
Router(config-cmap)# match server-response refuse # Blocked URLs
Router(config-cmap)# exit

Router(config)# policy-map type inspect urlfilter URLFILTER_POLICY
Router(config-pmap)# class type urlfilter URLFILTER_CLASS
Router(config-pmap-c)# reset # Reset connection
Router(config-pmap-c)# exit

# Application-level Gateway (ALG) Configuration
Router(config)# ip inspect name FIREWALL_ALG ftp timeout 300 # FTP ALG
Router(config)# ip inspect name FIREWALL_ALG tftp timeout 300 # TFTP ALG
Router(config)# ip inspect name FIREWALL_ALG http timeout 300 # HTTP ALG
Router(config)# ip inspect name FIREWALL_ALG smtp timeout 300 # SMTP ALG

# Apply ALG to Interface
Router(config)# interface gi0/0
Router(config-if)# ip inspect FIREWALL_ALG in # Apply ALG inspection
Router(config-if)# exit

NGFW Verification and Monitoring:

bash
# Zone-Based Firewall Verification
Router# show zone security # Security zones
Router# show zone-pair security # Zone pairs
Router# show policy-map type inspect # Inspect policies
Router# show class-map type inspect # Inspect class maps

# Session and Connection Information
Router# show ip inspect sessions # Active sessions
Router# show ip inspect statistics # Inspection statistics
Router# show ip inspect config # Inspection configuration
Router# show ip inspect all # All inspection info

# Logging and Monitoring
Router# show logging # System logs
Router# show access-lists # Access control lists
Router# show ip access-lists # IP access lists

# Performance Monitoring
Router# show processes cpu | include IP inspect # CPU usage
Router# show memory statistics | include inspect # Memory usage
Router# show ip traffic # IP traffic statistics

# Troubleshooting Commands
Router# debug zone # Debug zone operations
Router# debug policy-firewall # Debug firewall policies
Router# debug ip inspect # Debug inspection
Router# undebug all # Turn off all debugging

1.4 Access Points and Controllers - Comprehensive Wireless Management

Access Points provide wireless connectivity while controllers centrally manage multiple APs, enforce
policies, and optimize RF performance.

Autonomous Access Point Configuration:

bash
# Basic AP Setup and Management
AP> enable
AP# configure terminal
AP(config)# hostname Office-AP-01 # Set AP hostname
AP(config)# enable secret AP123secret # Enable password
AP(config)# username admin privilege 15 secret AdminPass123 # Local user

# Management Interface Configuration
AP(config)# interface bvi 1 # Bridge virtual interface
AP(config-if)# ip address 192.168.1.50 255.255.255.0 # Management IP
AP(config-if)# no shutdown
AP(config-if)# exit

AP(config)# ip default-gateway 192.168.1.1 # Default gateway
AP(config)# ip domain-name company.com # Domain name
AP(config)# ip name-server 8.8.8.8 # DNS server

# SSH Configuration
AP(config)# crypto key generate rsa general-keys modulus 1024 # 1024-bit key; use 2048 or larger where the image supports it
AP(config)# line vty 0 4
AP(config-line)# transport input ssh # SSH only
AP(config-line)# login local # Local authentication
AP(config-line)# exec-timeout 10 0 # 10-minute timeout
AP(config-line)# exit

# SNMP Configuration
AP(config)# snmp-server community public ro # Read-only community; "public" is the well-known default, replace it in production
AP(config)# snmp-server location "Building A Floor 2" # Location
AP(config)# snmp-server contact "netadmin@company.com" # Contact

Radio Interface Configuration - Detailed:

bash
# 2.4 GHz Radio Configuration
AP(config)# interface dot11radio 0 # 2.4 GHz radio
AP(config-if)# no shutdown # Enable radio
AP(config-if)# ssid Corporate_24GHz # SSID name
AP(config-if)# channel 6 # Channel (1, 6, or 11 recommended)
AP(config-if)# power local maximum # Maximum power output
AP(config-if)# antenna gain 0 # Antenna gain setting
AP(config-if)# rts threshold 2347 # RTS threshold
AP(config-if)# fragmentation-threshold 2346 # Fragmentation threshold
AP(config-if)# beacon period 100 # Beacon interval (ms)
AP(config-if)# dtim-period 2 # DTIM period
AP(config-if)# exit

# 5 GHz Radio Configuration
AP(config)# interface dot11radio 1 # 5 GHz radio
AP(config-if)# no shutdown # Enable radio
AP(config-if)# ssid Corporate_5GHz # 5 GHz SSID
AP(config-if)# channel 36 # 5 GHz channel
AP(config-if)# power local maximum # Maximum power
AP(config-if)# channel width 80 # 80 MHz channel width
AP(config-if)# world-mode dot11d country US # Country code
AP(config-if)# exit

# 802.11n/ac Configuration
AP(config-if)# 802.11n # Enable 802.11n
AP(config-if)# mbssid # Multiple BSSID support
AP(config-if)# 802.11n only # 802.11n only mode
AP(config-if)# 802.11n amsdu # A-MSDU aggregation

# Radio Quality and Performance
AP(config-if)# station-role root # Root mode
AP(config-if)# distance 0 # Maximum distance
AP(config-if)# packet retries 64 drop-packet # Retry limit
AP(config-if)# speed basic-1.0 2.0 5.5 11.0 # Basic rates
AP(config-if)# speed throughput 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 # Supported rates

Security Configuration - Complete Implementation:

bash
# Open Security (No encryption - for testing only)
AP(config-if)# encryption mode ciphers none # No encryption
AP(config-if)# authentication open # Open authentication

# WEP Security (Legacy - Not recommended)
AP(config-if)# encryption key 1 size 128bit 12345678901234567890123456 transmit-key # 128-bit WEP key is 26 hex digits
AP(config-if)# encryption mode wep mandatory # WEP encryption required
AP(config-if)# authentication shared-key # Shared key authentication

# WPA2-Personal Configuration
AP(config-if)# encryption mode ciphers aes-ccmp # AES encryption
AP(config-if)# authentication open # Open authentication
AP(config-if)# authentication key-management wpa version 2 # WPA2
AP(config-if)# wpa-psk ascii 0 SecurePassword123 # Pre-shared key
AP(config-if)# wpa-psk ascii 1 BackupPassword456 # Additional PSK

# WPA2-Enterprise Configuration (802.1X)
AP(config-if)# authentication key-management wpa version 2
AP(config-if)# dot1x authentication-server host 192.168.1.100 # RADIUS server
AP(config-if)# dot1x authentication-server port 1812 # Auth port
AP(config-if)# dot1x authentication-server key SharedSecret123 # Shared secret
AP(config-if)# dot1x accounting-server host 192.168.1.100 # Accounting server
AP(config-if)# dot1x accounting-server port 1813 # Accounting port
AP(config-if)# dot1x accounting-server key AccountingKey123 # Accounting key

# WPA3-Personal Configuration (SAE)
AP(config-if)# authentication key-management wpa3 # WPA3
AP(config-if)# authentication key-management sae # SAE key management
AP(config-if)# wpa3-sae password WPA3SecurePass123 # WPA3 password
AP(config-if)# encryption mode ciphers aes-ccmp # AES encryption required

# WPA3-Enterprise Configuration
AP(config-if)# authentication key-management wpa3 # WPA3 enterprise
AP(config-if)# dot1x authentication-server host 192.168.1.100
AP(config-if)# dot1x authentication-server key WPA3RadiusKey
AP(config-if)# encryption mode ciphers aes-ccmp # AES encryption

# Mixed Mode Configuration (WPA2/WPA3)
# Transition mode keeps the WPA2-PSK path reachable for legacy clients, so the
# network is only as strong as WPA2 until every client supports SAE.
AP(config-if)# authentication key-management wpa version 2 # WPA2
AP(config-if)# authentication key-management wpa3 # WPA3
AP(config-if)# wpa-psk ascii 0 MixedPassword123 # WPA2 password
AP(config-if)# wpa3-sae password MixedPassword123 # WPA3 password
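The `wpa-psk ascii` commands above store a passphrase, but what the AP and every client actually use is the 256-bit PSK that IEEE 802.11i derives from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 rounds). The following added example (not code from the guide) reproduces that derivation in Python, which is also how the `wpa-psk hex` form of the same key is produced, and adds a simple passphrase policy check. The `min_length` value and the findings wording are assumptions of this example; the test vector (passphrase "password", SSID "IEEE") is the published 802.11i one. WPA3-SAE does not use this derivation, which is why SAE is not exposed to offline guessing the way WPA2-PSK is.

```python
import hashlib

PBKDF2_ROUNDS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-Personal
PSK_LEN = 32          # 256-bit PMK


def wpa2_psk(passphrase, ssid):
    """Derive the WPA2-Personal PSK (the PMK) from an ASCII passphrase and the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_LEN)


def wpa2_psk_hex(passphrase, ssid):
    """The 64-hex-character form of the PSK that can be configured instead of the passphrase."""
    return wpa2_psk(passphrase, ssid).hex()


def passphrase_findings(passphrase, min_length=14):
    """Defender-side sanity checks on a candidate passphrase.

    min_length is an assumed local policy value, not a standard requirement.
    Returns a list of findings; an empty list means the passphrase passes.
    """
    findings = []
    if len(passphrase) < 8:
        findings.append("shorter than the 8-character minimum; the AP will reject it")
    elif len(passphrase) < min_length:
        findings.append(f"shorter than the policy minimum of {min_length} characters")
    classes = sum([
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ])
    if classes < 3:
        findings.append("uses fewer than 3 character classes")
    return findings


if __name__ == "__main__":
    # Same passphrase, two SSIDs: the SSID acts as the PBKDF2 salt, so the PSKs differ.
    for ssid in ("IEEE", "Corporate_24GHz"):
        print(ssid, wpa2_psk_hex("password", ssid))
    print(passphrase_findings("SecurePassword123"))
```

Because the SSID is the salt, a common SSID such as "linksys" or "Corporate_24GHz" lets anyone precompute PSKs for a passphrase list once and reuse them; a site-specific SSID and a long passphrase are the two defender-side levers on WPA2-Personal.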

VLAN and Bridge Configuration:

bash
# Multiple SSID Configuration with VLANs
AP(config)# interface dot11radio 0.10 # Subinterface for VLAN
AP(config-subif)# encapsulation dot1q 10 # VLAN 10 tagging
AP(config-subif)# ssid Users_VLAN10 # SSID for VLAN 10
AP(config-subif)# bridge-group 10 # Bridge group 10
AP(config-subif)# exit

AP(config)# interface dot11radio 0.20 # Guest VLAN
AP(config-subif)# encapsulation dot1q 20 # VLAN 20 tagging
AP(config-subif)# ssid Guest_Network # Guest SSID
AP(config-subif)# bridge-group 20 # Bridge group 20
AP(config-subif)# exit

# Bridge Group Configuration
AP(config)# bridge 1 protocol ieee # Bridge protocol
AP(config)# bridge 1 priority 32768 # Bridge priority
AP(config)# bridge 1 hello-time 2 # Hello time
AP(config)# bridge 1 forward-delay 15 # Forward delay
AP(config)# bridge 1 max-age 20 # Max age

# Ethernet Interface Bridge Assignment
AP(config)# interface fastethernet 0 # Ethernet interface
AP(config-if)# bridge-group 1 # Assign to bridge group
AP(config-if)# bridge-group 1 spanning-disabled # Disable STP on edge port
AP(config-if)# no shutdown
AP(config-if)# exit

Wireless LAN Controller (WLC) Configuration:

bash
# Initial WLC Setup
(Cisco Controller) > configure network interface management
IP Address: 192.168.1.100
Netmask: 255.255.255.0
Gateway: 192.168.1.1
DHCP Server: 192.168.1.1

# System Configuration
(Cisco Controller) > config system name WLC-01
(Cisco Controller) > config system location "Data Center"
(Cisco Controller) > config system contact "admin@company.com"
(Cisco Controller) > config time manual 04/15/2024 14:30:00

# NTP Configuration
(Cisco Controller) > config time ntp server 1 pool.ntp.org
(Cisco Controller) > config time ntp server 2 time.google.com
(Cisco Controller) > config time ntp interval 3600

# Management Access Configuration
(Cisco Controller) > config network ssh enable # Enable SSH
(Cisco Controller) > config network telnet disable # Disable Telnet
(Cisco Controller) > config network webmode disable # Disable HTTP management (webmode = HTTP)
(Cisco Controller) > config network secureweb enable # Enable HTTPS management (secureweb = HTTPS)
(Cisco Controller) > config network https port 443 # HTTPS port

# User Management
(Cisco Controller) > config mgmtuser add admin admin123 read-write # Add admin user
(Cisco Controller) > config mgmtuser add operator oper123 read-only # Read-only user
(Cisco Controller) > config mgmtuser password admin NewPass123 # Change password

# RADIUS Server Configuration
(Cisco Controller) > config radius auth add 1 192.168.1.200 1812 ascii RadiusKey123 # Index, server, port, key format, shared secret
(Cisco Controller) > config radius auth timeout 1 5
(Cisco Controller) > config radius auth retransmit 1 3
(Cisco Controller) > config radius acct add 1 192.168.1.200 1813 ascii AcctKey123

WLAN Configuration on Controller:

bash
# Create and Configure WLAN
(Cisco Controller) > config wlan create 1 Corporate-WiFi # Create WLAN ID 1 with profile name
(Cisco Controller) > config wlan ssid 1 Corporate-WiFi # Set SSID (WLAN ID comes first)
(Cisco Controller) > config wlan broadcast-ssid enable 1 # Broadcast SSID
(Cisco Controller) > config wlan interface 1 management # Assign interface

# Security Configuration (the WLAN must be disabled while security settings change)
(Cisco Controller) > config wlan security wpa enable 1 # Enable WPA/WPA2 security
(Cisco Controller) > config wlan security wpa wpa2 enable 1 # Enable WPA2
(Cisco Controller) > config wlan security wpa wpa2 ciphers aes enable 1 # AES cipher
(Cisco Controller) > config wlan security wpa akm psk enable 1 # PSK authentication
(Cisco Controller) > config wlan security wpa akm psk set-key ascii SecurePass123 1

# WPA3 Configuration
(Cisco Controller) > config wlan security wpa wpa3 enable 1 # Enable WPA3
(Cisco Controller) > config wlan security wpa akm sae enable 1 # SAE authentication
(Cisco Controller) > config wlan security pmf required 1 # PMF required for WPA3

# Enterprise Security (802.1X)
(Cisco Controller) > config wlan security wpa akm 802.1x enable 1
(Cisco Controller) > config wlan radius_server auth add 1 1 # Add RADIUS server

# Advanced WLAN Settings
(Cisco Controller) > config wlan qos 1 platinum # QoS profile
(Cisco Controller) > config wlan session-timeout 1 1800 # 30-minute timeout
(Cisco Controller) > config wlan usertimeout 1 300 # 5-minute user timeout
(Cisco Controller) > config wlan maxclients 1 50 # Max 50 clients
(Cisco Controller) > config wlan load-balance allow enable 1 # Load balancing

# Enable WLAN
(Cisco Controller) > config wlan enable 1 # Enable WLAN

# Guest WLAN Configuration
(Cisco Controller) > config wlan create 2 Guest-Network # Guest WLAN
(Cisco Controller) > config wlan security wpa akm psk enable 2
(Cisco Controller) > config wlan security wpa akm psk set-key ascii GuestPass123 2
(Cisco Controller) > config wlan interface 2 guest # Guest interface
(Cisco Controller) > config wlan exclusionlist 2 60 # Block on failure
(Cisco Controller) > config wlan enable 2

Access Point Management:

bash
# AP Discovery and Naming
(Cisco Controller) > show ap join stats summary # AP join statistics
(Cisco Controller) > config ap name Office-AP-01 00:1a:2b:3c:4d:5e # Name by MAC
(Cisco Controller) > config ap location "Building A Floor 1" Office-AP-01
(Cisco Controller) > config ap country US Office-AP-01 # Country code

# AP Mode Configuration
(Cisco Controller) > config ap mode local Office-AP-01 # Local mode (default)
(Cisco Controller) > config ap mode flexconnect Office-AP-01 # FlexConnect mode
(Cisco Controller) > config ap mode monitor Office-AP-01 # Monitor/sniffer mode
(Cisco Controller) > config ap mode rogue-detector Office-AP-01 # Rogue detection

# FlexConnect Configuration
(Cisco Controller) > config flexconnect group create Branch1 # Create group
(Cisco Controller) > config ap flexconnect group Branch1 Office-AP-01 # Assign AP
(Cisco Controller) > config flexconnect group Branch1 vlan add 10 10 # Add VLAN mapping
(Cisco Controller) > config flexconnect group Branch1 radius server auth primary 192.168.1.200

# AP Radio Management
(Cisco Controller) > config 802.11b disable network # Disable 2.4GHz globally
(Cisco Controller) > config 802.11a disable network # Disable 5GHz globally
(Cisco Controller) > config 802.11b enable Office-AP-01 # Enable 2.4GHz on AP
(Cisco Controller) > config 802.11a enable Office-AP-01 # Enable 5GHz on AP

# Channel and Power Management
(Cisco Controller) > config 802.11b channel global auto # Auto channel assignment
(Cisco Controller) > config 802.11b txPower global auto # Auto power control
(Cisco Controller) > config advanced 802.11b channel add 1 6 11 # Allowed channels
(Cisco Controller) > config ap 802.11b txpower Office-AP-01 3 # Set power level

# AP Monitoring and Troubleshooting
(Cisco Controller) > config ap crash-file get-crash-file Office-AP-01 # Get crash file
(Cisco Controller) > config ap core-dump enable Office-AP-01 # Enable core dump
(Cisco Controller) > config ap logging syslog level info Office-AP-01 # Logging level

Comprehensive Verification Commands:

bash
# WLC System Information
(Cisco Controller) > show sysinfo # System information
(Cisco Controller) > show inventory # Hardware inventory
(Cisco Controller) > show boot # Boot information
(Cisco Controller) > show time # Current time
(Cisco Controller) > show network summary # Network configuration

# WLAN and Client Information
(Cisco Controller) > show wlan summary # All WLANs
(Cisco Controller) > show client summary # All clients
(Cisco Controller) > show client detail <mac> # Client details
(Cisco Controller) > show client statistics <mac> # Client statistics

# AP Information
(Cisco Controller) > show ap summary # All APs summary
(Cisco Controller) > show ap config general Office-AP-01 # AP configuration
(Cisco Controller) > show ap status Office-AP-01 # AP status
(Cisco Controller) > show ap stats Office-AP-01 # AP statistics
(Cisco Controller) > show ap inventory Office-AP-01 # AP inventory

# RF and Coverage Information
(Cisco Controller) > show 802.11a summary # 5GHz radio summary
(Cisco Controller) > show 802.11b summary # 2.4GHz radio summary
(Cisco Controller) > show ap channel Office-AP-01 # AP channel assignment
(Cisco Controller) > show ap txpower Office-AP-01 # AP power levels
(Cisco Controller) > show mesh neigh summary # Mesh neighbors

# Security and Authentication
(Cisco Controller) > show radius summary # RADIUS servers
(Cisco Controller) > show security summary # Security settings
(Cisco Controller) > show auth-list # Authentication list
(Cisco Controller) > show exclusionlist # Excluded clients

# Autonomous AP Verification
AP# show interfaces dot11radio 0 # Radio 0 status
AP# show interfaces dot11radio 1 # Radio 1 status
AP# show dot11 associations # Associated clients
AP# show controllers dot11radio 0 # Radio controller info
AP# show bridge # Bridge information
AP# show version # AP software version

1.5 Endpoints and Servers - Network Configuration

Windows Network Configuration - Complete Reference:

bash
# Basic Network Information
C:\> ipconfig # Basic IP configuration
C:\> ipconfig /all # Detailed configuration
C:\> ipconfig /? | more # Help information

# IP Address Management
C:\> ipconfig /release # Release DHCP lease
C:\> ipconfig /renew # Renew DHCP lease
C:\> ipconfig /release "Local Area Connection" # Release specific adapter
C:\> ipconfig /renew "Local Area Connection" # Renew specific adapter

# DNS Operations
C:\> ipconfig /flushdns # Clear DNS resolver cache
C:\> ipconfig /displaydns # Display DNS resolver cache
C:\> ipconfig /displaydns | findstr "Record Name" # Find specific records
C:\> ipconfig /registerdns # Register DNS names
C:\> nslookup google.com # DNS lookup
C:\> nslookup google.com 8.8.8.8 # Query specific DNS server

# Connectivity Testing
C:\> ping 8.8.8.8 # Basic ping test
C:\> ping -t 8.8.8.8 # Continuous ping
C:\> ping -n 20 8.8.8.8 # Ping 20 times
C:\> ping -l 1472 8.8.8.8 # Large packet ping
C:\> ping -4 google.com # Force IPv4
C:\> ping -6 google.com # Force IPv6
C:\> pathping 8.8.8.8 # Combined ping/tracert

# Network Tracing
C:\> tracert 8.8.8.8 # Trace route
C:\> tracert -h 15 8.8.8.8 # Max 15 hops
C:\> tracert -w 5000 8.8.8.8 # 5-second timeout

# ARP Operations
C:\> arp -a # Display ARP table
C:\> arp -d # Clear ARP cache
C:\> arp -s 192.168.1.1 00-11-22-33-44-55 # Add static ARP entry

# Network Statistics
C:\> netstat -an # All connections and ports
C:\> netstat -rn # Routing table
C:\> netstat -e # Ethernet statistics
C:\> netstat -s # Protocol statistics
C:\> netstat -b # Show binaries using connections
C:\> netstat -o # Show process IDs

# Route Management
C:\> route print # Display routing table
C:\> route add 192.168.2.0 mask 255.255.255.0 192.168.1.1 # Add route
C:\> route delete 192.168.2.0 # Delete route
C:\> route -p add 0.0.0.0 mask 0.0.0.0 192.168.1.1 # Persistent default route

# Static IP Configuration (Command Line)
C:\> netsh interface ip set address "Local Area Connection" static 192.168.1.100 255.255.255.0 192.168.1.1
C:\> netsh interface ip set dns "Local Area Connection" static 8.8.8.8
C:\> netsh interface ip add dns "Local Area Connection" 8.8.4.4 index=2

# DHCP Configuration
C:\> netsh interface ip set address "Local Area Connection" dhcp
C:\> netsh interface ip set dns "Local Area Connection" dhcp

# Interface Management
C:\> netsh interface show interface # Show interfaces
C:\> netsh interface ip show config # IP configuration
C:\> netsh wlan show interface # Wireless interfaces
C:\> netsh wlan show profiles # Wireless profiles

Linux Network Configuration - Comprehensive Guide:

bash
# Modern IP Command Suite
$ ip addr show # Show all IP addresses
$ ip a # Abbreviated form
$ ip addr show eth0 # Specific interface
$ ip -4 addr show # IPv4 addresses only
$ ip -6 addr show # IPv6 addresses only
$ ip addr add 192.168.1.100/24 dev eth0 # Add IP address
$ ip addr del 192.168.1.100/24 dev eth0 # Remove IP address

# Link (Interface) Management
$ ip link show # Show all interfaces
$ ip link show eth0 # Specific interface
$ ip link set eth0 up # Bring interface up
$ ip link set eth0 down # Bring interface down
$ ip link set eth0 mtu 1500 # Set MTU size

# Routing Table Management
$ ip route show # Show routing table
$ ip r # Abbreviated form
$ ip route get 8.8.8.8 # Show route to destination
$ ip route add 192.168.2.0/24 via 192.168.1.1 # Add route
$ ip route del 192.168.2.0/24 # Delete route
$ ip route add default via 192.168.1.1 # Add default route

# Neighbor (ARP) Table
$ ip neigh show # Show ARP table
$ ip neigh add 192.168.1.1 lladdr 00:11:22:33:44:55 dev eth0 # Add static ARP
$ ip neigh del 192.168.1.1 dev eth0 # Delete ARP entry
$ ip neigh flush all # Clear ARP cache

# Legacy Commands (still widely used)
$ ifconfig # Interface configuration
$ ifconfig eth0 # Specific interface
$ ifconfig eth0 192.168.1.100 netmask 255.255.255.0 # Set IP
$ ifconfig eth0 up # Bring up interface
$ ifconfig eth0 down # Bring down interface

$ route -n # Numeric routing table
$ route add -net 192.168.2.0/24 gw 192.168.1.1 # Add route
$ route del -net 192.168.2.0/24 # Delete route

$ arp -a # Show ARP table
$ arp -d 192.168.1.1 # Delete ARP entry

# NetworkManager (Desktop distributions)
$ nmcli device status # Device status
$ nmcli connection show # Show connections
$ nmcli con add con-name "Static" ifname eth0 type ethernet
$ nmcli con mod "Static" ipv4.addresses 192.168.1.100/24
$ nmcli con mod "Static" ipv4.gateway 192.168.1.1
$ nmcli con mod "Static" ipv4.dns "8.8.8.8,8.8.4.4"
$ nmcli con mod "Static" ipv4.method manual
$ nmcli con up "Static" # Activate connection
$ nmcli con down "Static" # Deactivate connection
$ nmcli device wifi list # List WiFi networks
$ nmcli device wifi connect "SSID" password "password"

# systemd-networkd Configuration (Server distributions)
$ sudo systemctl status systemd-networkd # Service status
$ sudo networkctl status # Network status
$ sudo networkctl list # List interfaces

# Configuration file: /etc/systemd/network/eth0.network
[Match]
Name=eth0

[Network]
DHCP=yes
# OR for static:
Address=192.168.1.100/24
Gateway=192.168.1.1
DNS=8.8.8.8
DNS=8.8.4.4

# Network Testing and Troubleshooting
$ ping -c 4 8.8.8.8 # Ping 4 times
$ ping6 -c 4 2001:4860:4860::8888 # IPv6 ping
$ traceroute 8.8.8.8 # Trace route
$ tracepath 8.8.8.8 # Alternative traceroute
$ mtr 8.8.8.8 # Continuous traceroute

# DNS Tools
$ dig google.com # DNS lookup
$ dig @8.8.8.8 google.com # Query specific server
$ dig google.com MX # MX records
$ dig -x 8.8.8.8 # Reverse DNS
$ nslookup google.com # Alternative DNS tool
$ host google.com # Simple DNS lookup

# Network Statistics and Connections
$ ss -tuln # Socket statistics (modern)
$ ss -tuln | grep :22 # SSH connections
$ netstat -tuln # Network statistics (legacy)
$ netstat -i # Interface statistics
$ netstat -r # Routing table

# Bandwidth and Performance Testing
$ iperf3 -c server_ip # Bandwidth test client
$ iperf3 -s # Bandwidth test server
$ wget -O /dev/null http://speedtest.com/file # HTTP download test
$ curl -o /dev/null -s -w "%{speed_download}\n" http://speedtest.com/file

# Network Services Management
$ sudo systemctl status NetworkManager # NetworkManager status
$ sudo systemctl restart networking # Restart networking (Debian/Ubuntu)
$ sudo systemctl restart network # Restart network (RedHat/CentOS)
$ sudo service network restart # Legacy service command
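`ss -tuln` is the command a defender runs to see what a Linux host is actually listening on; the useful follow-up is comparing that list against what the host is supposed to expose. The following is an added example (not from the guide) that parses `ss -tuln` output in Python and reports every non-loopback listener whose port is not on an allow-list. The sample output and the allow-list are constructed.

```python
# Constructed `ss -tuln` output (not from the page), used as the sample input.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096        127.0.0.1:631        0.0.0.0:*
udp   UNCONN 0      0             0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128              [::]:22            [::]:*
tcp   LISTEN 0      511           0.0.0.0:8080       0.0.0.0:*
"""

# Address prefixes that mean "only reachable from this host".
LOOPBACK = ("127.", "[::1]")


def parse_ss(text):
    """Parse `ss -tuln` lines into (proto, local_addr, port) tuples."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue  # header or malformed line
        local = fields[4]
        addr, _, port = local.rpartition(":")  # IPv6 literals keep their brackets
        if not port.isdigit():
            continue  # wildcard port such as '*'
        sockets.append((fields[0], addr, int(port)))
    return sockets


def exposed_listeners(text, allowed_ports):
    """Sockets bound to a non-loopback address whose port is not in allowed_ports."""
    return [s for s in parse_ss(text)
            if not s[1].startswith(LOOPBACK) and s[2] not in allowed_ports]


if __name__ == "__main__":
    import subprocess
    try:
        # Live run on the local host; falls back to the sample if ss is unavailable.
        output = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS
    for proto, addr, port in exposed_listeners(output, allowed_ports={22, 68}):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

The loopback exclusion matters: a service bound to 127.0.0.1 (the CUPS port 631 in the sample) is not reachable from the network and should not trigger an alert, while the same service bound to 0.0.0.0 would.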

macOS Network Configuration:

bash
# Interface Information
$ ifconfig # Interface configuration
$ ifconfig en0 # Specific interface (usually WiFi)
$ ifconfig en1 # Ethernet interface
$ networksetup -listallhardwareports # List all network ports

# IP Configuration
$ sudo ifconfig en0 inet 192.168.1.100 netmask 255.255.255.0 # Set static IP
$ sudo route add default 192.168.1.1 # Add default route
$ sudo route delete default # Remove default route

# DNS Configuration
$ scutil --dns # Show DNS configuration
$ sudo networksetup -setdnsservers "Wi-Fi" 8.8.8.8 8.8.4.4 # Set DNS servers
$ sudo networksetup -setdnsservers "Wi-Fi" "Empty" # Use DHCP DNS

# Network Testing
$ ping -c 4 8.8.8.8 # Ping test
$ traceroute 8.8.8.8 # Trace route
$ dig google.com # DNS lookup
$ nslookup google.com # Alternative DNS lookup

# WiFi Management
$ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s # Scan WiFi
$ sudo networksetup -setairportpower en0 off # Turn off WiFi
$ sudo networksetup -setairportpower en0 on # Turn on WiFi
$ networksetup -getairportnetwork en0 # Current WiFi network

2. Network Access

2.1 Port Channel Status and Verification - Complete Implementation

EtherChannel bundles multiple physical links into a single logical link for increased bandwidth and
redundancy. This section covers all protocols and comprehensive troubleshooting.

Port Channel Status Between Switches - All Types:

Manual (On) Configuration:

bash
# Switch 1 Configuration
Switch1(config)# interface range gi0/1-2
Switch1(config-if-range)# channel-group 1 mode on # Manual mode
Switch1(config-if-range)# description "Manual EtherChannel to SW2"
Switch1(config-if-range)# exit

Switch1(config)# interface port-channel 1
Switch1(config-if)# description "EtherChannel to SW2 - Manual"
Switch1(config-if)# switchport mode trunk # Configure as trunk
Switch1(config-if)# switchport trunk allowed vlan all
Switch1(config-if)# switchport trunk native vlan 99
Switch1(config-if)# no shutdown
Switch1(config-if)# exit

# Switch 2 Configuration (identical)
Switch2(config)# interface range gi0/1-2
Switch2(config-if-range)# channel-group 1 mode on
Switch2(config-if-range)# description "Manual EtherChannel to SW1"
Switch2(config-if-range)# exit

Switch2(config)# interface port-channel 1
Switch2(config-if)# description "EtherChannel to SW1 - Manual"
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# switchport trunk allowed vlan all
Switch2(config-if)# switchport trunk native vlan 99
Switch2(config-if)# no shutdown

LACP (IEEE 802.3ad) Configuration:

bash
# Switch 1 Configuration
Switch1(config)# interface range gi0/3-4
Switch1(config-if-range)# channel-group 2 mode active # LACP active
Switch1(config-if-range)# lacp port-priority 128 # Port priority
Switch1(config-if-range)# lacp timeout short # LACP timeout
Switch1(config-if-range)# exit

Switch1(config)# interface port-channel 2
Switch1(config-if)# description "LACP EtherChannel to SW2"
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# lacp max-bundle 4 # Maximum links
Switch1(config-if)# lacp min-links 1 # Minimum links
Switch1(config-if)# exit

# Switch 2 Configuration
Switch2(config)# interface range gi0/3-4
Switch2(config-if-range)# channel-group 2 mode passive # LACP passive
Switch2(config-if-range)# lacp port-priority 128
Switch2(config-if-range)# exit

Switch2(config)# interface port-channel 2
Switch2(config-if)# description "LACP EtherChannel to SW1"
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# lacp max-bundle 4
Switch2(config-if)# lacp min-links 1

# LACP System Priority (optional)
Switch1(config)# lacp system-priority 32768 # Default value; lower = higher priority
Switch2(config)# lacp system-priority 32769 # Higher value, so Switch1 decides which links bundle

PAgP (Cisco Proprietary) Configuration:

bash
# Switch 1 Configuration
Switch1(config)# interface range gi0/5-6
Switch1(config-if-range)# channel-group 3 mode desirable # PAgP desirable
Switch1(config-if-range)# pagp port-priority 128 # Port priority
Switch1(config-if-range)# exit

Switch1(config)# interface port-channel 3
Switch1(config-if)# description "PAgP EtherChannel to SW2"
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# exit

# Switch 2 Configuration
Switch2(config)# interface range gi0/5-6
Switch2(config-if-range)# channel-group 3 mode auto # PAgP auto
Switch2(config-if-range)# pagp port-priority 128
Switch2(config-if-range)# exit

Switch2(config)# interface port-channel 3
Switch2(config-if)# description "PAgP EtherChannel to SW1"
Switch2(config-if)# switchport mode trunk

Layer 3 EtherChannel Configuration:

bash
# Switch 1 Configuration
Switch1(config)# interface range gi0/7-8
Switch1(config-if-range)# no switchport # Layer 3 ports
Switch1(config-if-range)# channel-group 4 mode active # LACP active
Switch1(config-if-range)# exit

Switch1(config)# interface port-channel 4
Switch1(config-if)# no switchport # Layer 3 port-channel
Switch1(config-if)# ip address 10.1.1.1 255.255.255.0 # IP address
Switch1(config-if)# description "L3 EtherChannel to SW2"
Switch1(config-if)# no shutdown
Switch1(config-if)# exit

# Switch 2 Configuration
Switch2(config)# interface range gi0/7-8
Switch2(config-if-range)# no switchport
Switch2(config-if-range)# channel-group 4 mode passive
Switch2(config-if-range)# exit

Switch2(config)# interface port-channel 4
Switch2(config-if)# no switchport
Switch2(config-if)# ip address 10.1.1.2 255.255.255.0
Switch2(config-if)# description "L3 EtherChannel to SW1"
Switch2(config-if)# no shutdown

Comprehensive EtherChannel Verification Commands:

bash
# Basic EtherChannel Status
Switch# show etherchannel summary # Quick overview
Switch# show etherchannel detail # Detailed information
Switch# show etherchannel port-channel # Port-channel details
Switch# show etherchannel load-balance # Load balancing method

# Protocol-Specific Verification
Switch# show lacp neighbor # LACP neighbors
Switch# show lacp neighbor detail # Detailed LACP info
Switch# show lacp counters # LACP packet counters
Switch# show lacp sys-id # LACP system ID

Switch# show pagp neighbor # PAgP neighbors
Switch# show pagp neighbor detail # Detailed PAgP info
Switch# show pagp counters # PAgP packet counters

# Interface-Specific Information
Switch# show interfaces port-channel 1 # Port-channel interface
Switch# show interfaces gi0/1 etherchannel # Member interface details
Switch# show etherchannel 1 port-channel # Specific channel group

# Troubleshooting Commands
Switch# show etherchannel 1 summary # Channel group 1 summary
Switch# show etherchannel port # All member ports
Switch# show interfaces status | include Po # Port-channel status
Switch# show spanning-tree interface port-channel 1 # STP on port-channel

# Debug Commands (use carefully)
Switch# debug etherchannel # General debugging
Switch# debug lacp # LACP debugging
Switch# debug pagp # PAgP debugging
Switch# undebug all # Turn off debugging

# Clear Commands
Switch# clear lacp counters # Clear LACP counters
Switch# clear pagp counters # Clear PAgP counters
Switch# clear etherchannel # Clear EtherChannel info

EtherChannel Status Flags Explanation:

bash
# Port-Channel Status Flags
# D - EtherChannel is down
# U - EtherChannel is up and in use
# P - Port is bundled in the port-channel
# S - Layer 2 EtherChannel (switching)
# R - Layer 3 EtherChannel (routing)
# H - Hot-standby (LACP only)
# I - Individual port (not bundled)
# s - Port is suspended
# M - Not in use, minimum links not met
# f - Failed to allocate aggregator
# w - Waiting to be aggregated
# d - Default port

# Example Output Interpretation:
# Po1(SU) - Port-channel 1 is Layer 2, Up, and in Use
# Gi0/1(P) - GigabitEthernet0/1 is bundled and active
# Gi0/2(s) - GigabitEthernet0/2 is suspended
# Po2(RU) - Port-channel 2 is Layer 3, Up, and in Use
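Reading these flags by eye works for one switch; across a fleet it is easier to let a script decode `show etherchannel summary` and flag anything that is not a healthy bundle. The following is an added example (not from the guide) in Python: it parses the channel-group lines of the command's output and reports any port-channel that is not up or any member that is not bundled, using the flag meanings listed above. The sample output is constructed.

```python
import re

# Flag meanings as listed in the guide's status-flag legend.
FLAG_MEANINGS = {
    "D": "down", "U": "up and in use", "P": "bundled in port-channel",
    "S": "Layer 2", "R": "Layer 3", "H": "hot-standby (LACP)",
    "I": "individual (not bundled)", "s": "suspended",
    "M": "minimum links not met", "f": "failed to allocate aggregator",
    "w": "waiting to be aggregated", "d": "default port",
}

# Constructed sample of `show etherchannel summary` output (not from the page).
SAMPLE = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi0/1(P)    Gi0/2(s)
2      Po2(RU)         LACP      Gi0/7(P)    Gi0/8(P)
3      Po3(SD)          -        Gi0/5(I)    Gi0/6(I)
"""

# Matches tokens such as Po1(SU) or Gi0/1(P): interface name, then its flags.
ENTRY = re.compile(r"([A-Za-z]+[\d/]+)\(([A-Za-z]+)\)")


def parse_summary(text):
    """Parse the channel-group lines of `show etherchannel summary`."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # header, separator or legend line
        po = ENTRY.fullmatch(fields[1])
        if po is None:
            continue
        members = [(m.group(1), m.group(2))
                   for f in fields[3:] if (m := ENTRY.fullmatch(f))]
        entries.append({
            "group": int(fields[0]),
            "port_channel": po.group(1),
            "flags": po.group(2),
            "protocol": fields[2],
            "members": members,
        })
    return entries


def describe(flags):
    """Human-readable expansion of a flag string such as 'SU'."""
    return ", ".join(FLAG_MEANINGS.get(f, f"unknown flag {f}") for f in flags)


def diagnose(text):
    """Return {group: [issue, ...]}; an empty list means the bundle is healthy."""
    report = {}
    for e in parse_summary(text):
        issues = []
        if "U" not in e["flags"]:
            issues.append(f"{e['port_channel']} is not up/in use ({describe(e['flags'])})")
        for name, mflags in e["members"]:
            if mflags != "P":
                issues.append(f"{name} is not bundled ({describe(mflags)})")
        report[e["group"]] = issues
    return report


if __name__ == "__main__":
    for group, issues in diagnose(SAMPLE).items():
        print(f"channel-group {group}: {'OK' if not issues else '; '.join(issues)}")
```

Group 3 in the sample is the mismatched-configuration case from the troubleshooting scenarios: the port-channel shows (SD) and both members show (I), so the links run individually.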

Load Balancing Configuration:

bash
# Global Load Balancing Methods
Switch(config)# port-channel load-balance src-mac # Source MAC
Switch(config)# port-channel load-balance dst-mac # Destination MAC
Switch(config)# port-channel load-balance src-dst-mac # Source and destination MAC
Switch(config)# port-channel load-balance src-ip # Source IP
Switch(config)# port-channel load-balance dst-ip # Destination IP
Switch(config)# port-channel load-balance src-dst-ip # Source and destination IP
Switch(config)# port-channel load-balance src-port # Source port
Switch(config)# port-channel load-balance dst-port # Destination port
Switch(config)# port-channel load-balance src-dst-port # Source and destination port

# Verify Load Balancing
Switch# show etherchannel load-balance # Current method
Switch# test etherchannel load-balance interface port-channel 1 mac 0012.3456.789A 0012.3456.789B
Switch# test etherchannel load-balance interface port-channel 1 ip 192.168.1.10 192.168.2.10

EtherChannel Troubleshooting Scenarios:

bash
# Common Issues and Solutions

# 1. Mismatched Configurations
# Problem: Different modes on each end
# Solution: Ensure compatible modes
Switch# show etherchannel summary
# Look for (I) individual flags instead of (P) bundled

# 2. STP Issues
# Problem: Port-channel blocked by STP
Switch# show spanning-tree interface port-channel 1
# Solution: Check spanning tree configuration

# 3. VLAN Mismatch
# Problem: Different VLAN configurations on member ports
Switch# show interfaces trunk
Switch# show vlan brief
# Solution: Ensure all member ports have same trunk config

# 4. Speed/Duplex Mismatch
# Problem: Member ports with different speeds
Switch# show interfaces status
# Solution: Configure all member ports with same speed/duplex

# 5. Protocol Mismatch
# Problem: LACP on one end, PAgP on other
Switch# show lacp neighbor
Switch# show pagp neighbor
# Solution: Use compatible protocols on both ends

# Recovery Commands
Switch# clear etherchannel 1
Switch(config)# interface port-channel 1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

Port-Channel (EtherChannel) Connectivity Table

(For Cisco IOS Switches: PAgP, LACP, and "On" modes)

Switch 1 Mode      Switch 2 Mode      Protocol Negotiated   Port-Channel Status        Notes
on                 on                 None ("Force")        Bundles                    Forms EtherChannel unconditionally
on                 desirable (PAgP)   None                  No Bundle                  "On" does not negotiate, requires both ends
on                 auto (PAgP)        None                  No Bundle                  See above
on                 active (LACP)      None                  No Bundle                  See above
on                 passive (LACP)     None                  No Bundle                  See above
desirable (PAgP)   desirable (PAgP)   PAgP                  Bundles                    Both ends negotiate, channel forms
desirable (PAgP)   auto (PAgP)        PAgP                  Bundles                    Only one desirable required
auto (PAgP)        auto (PAgP)        PAgP                  No Bundle                  Both ends passive, no channel
active (LACP)      active (LACP)      LACP                  Bundles                    Both actively initiate, channel forms
active (LACP)      passive (LACP)     LACP                  Bundles                    Only one active required
passive (LACP)     passive (LACP)     LACP                  No Bundle                  Both ends passive, no channel
desirable (PAgP)   active (LACP)      None                  No Bundle                  Protocols must match
active (LACP)      auto (PAgP)        None                  No Bundle                  Protocols must match
on                 any other mode     None                  Bundles on "on" side only  Channel only forms if both sides "on"

Legend:

• "on": No protocol, forces channel formation, no negotiation.
• "desirable"/"auto": PAgP (Cisco-proprietary protocol).
• "active"/"passive": LACP (802.3ad standard).
• Bundle: Port-Channel is formed; interfaces aggregate bandwidth.
• No Bundle: No aggregation; links operate individually.

Key Guidelines:

• Both sides must use the SAME protocol (LACP or PAgP) and compatible modes for automatic negotiation.
• "on" mode should only be used when both sides are set to "on".
• "auto" and "passive" are both passive and will NOT form a bundle with each other.
• LACP is generally preferred for multi-vendor compatibility.

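The connectivity table above, encoded as a small function so that a pair of channel-group modes can be checked before the second switch is configured. This is an added example and not code from the guide; for "on" against any negotiating mode it follows the table's last row (the "on" side bundles by itself and the negotiating side stays individual, which is exactly the one-sided state that produces loops and STP surprises), and it treats that case as not bundling.

```python
# Added example, not code from the guide: the connectivity table above encoded
# as a function, so a pair of channel-group modes can be checked before
# configuring the second switch.

PROTOCOL_OF = {
    "on": None,                                # no negotiation protocol at all
    "desirable": "PAgP", "auto": "PAgP",       # Cisco-proprietary PAgP
    "active": "LACP", "passive": "LACP",       # IEEE 802.3ad LACP
}
INITIATORS = {"desirable", "active"}           # modes that send negotiation frames unprompted

def etherchannel_result(mode_a: str, mode_b: str) -> tuple:
    """Return (protocol_negotiated, port_channel_status, note) for the two ends."""
    for mode in (mode_a, mode_b):
        if mode not in PROTOCOL_OF:
            raise ValueError(f"unknown channel-group mode: {mode}")
    if mode_a == "on" and mode_b == "on":
        return (None, "Bundles", "forms unconditionally, nothing checks the far end")
    if "on" in (mode_a, mode_b):
        # The "on" side bundles by itself; the negotiating side stays individual.
        return (None, 'Bundles on "on" side only', '"on" does not negotiate')
    proto_a, proto_b = PROTOCOL_OF[mode_a], PROTOCOL_OF[mode_b]
    if proto_a != proto_b:
        return (None, "No Bundle", "protocols must match (PAgP vs LACP)")
    if mode_a in INITIATORS or mode_b in INITIATORS:
        return (proto_a, "Bundles", "at least one end initiates negotiation")
    return (proto_a, "No Bundle", "both ends passive, neither initiates")

def will_bundle(mode_a: str, mode_b: str) -> bool:
    """True only when a proper two-sided EtherChannel forms."""
    return etherchannel_result(mode_a, mode_b)[1] == "Bundles"

if __name__ == "__main__":
    for pair in (("on", "on"), ("desirable", "auto"), ("auto", "auto"),
                 ("active", "passive"), ("passive", "passive"),
                 ("desirable", "active"), ("on", "active")):
        print(pair, "->", etherchannel_result(*pair))
```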
2.2 Spanning Tree Protocol (STP) - Deep Dive Explanation

STP prevents loops in Layer 2 networks while providing redundancy. Understanding the complete process is
crucial for network stability.

STP Deep Dive - Complete Process:

Step 1: Root Bridge Election Process

bash
# Bridge ID Components
# Bridge Priority (2 bytes) + MAC Address (6 bytes) = 8 bytes total
# Default Priority: 32768 (can be modified in increments of 4096)

# Priority Configuration
Switch(config)# spanning-tree vlan 1 priority 4096 # Higher priority (lower value)
Switch(config)# spanning-tree vlan 1 priority 8192 # Lower priority
Switch(config)# spanning-tree vlan 1 priority 0 # Highest priority (root)
Switch(config)# spanning-tree vlan 1 priority 65536 # Invalid (out of range: maximum is 61440)

# Alternative Root Configuration
Switch(config)# spanning-tree vlan 1 root primary # Automatic primary root
Switch(config)# spanning-tree vlan 1 root secondary # Automatic secondary root

# Verify Bridge ID
Switch# show spanning-tree vlan 1 # Show STP for VLAN 1
Switch# show spanning-tree root # Show root bridge info
Switch# show spanning-tree summary # STP summary

Bridge Protocol Data Unit (BPDU) Structure:

bash
# BPDU Fields:
# - Root Bridge ID (which switch is the root)
# - Sender Bridge ID (who sent this BPDU)
# - Root Path Cost (cost to reach root bridge)
# - Timer values (Hello, Max Age, Forward Delay)

# BPDU Transmission
Switch(config)# spanning-tree vlan 1 hello-time 2 # Hello interval (1-10 sec)
Switch(config)# spanning-tree vlan 1 max-age 20 # Max age (6-40 sec)
Switch(config)# spanning-tree vlan 1 forward-delay 15 # Forward delay (4-30 sec)

# View BPDU Information
Switch# show spanning-tree interface gi0/1 detail # Detailed interface info
Switch# debug spanning-tree bpdu # Debug BPDUs (careful!)

Step 2: Root Port Election (Non-Root Bridges)

bash
# Root Port Election Criteria (in order):
# 1. Lowest path cost to root bridge
# 2. Lowest sender bridge ID
# 3. Lowest sender port ID (priority + port number)

# Path Cost Configuration
Switch(config)# interface gi0/1
Switch(config-if)# spanning-tree cost 4 # Set path cost
Switch(config-if)# spanning-tree vlan 10 cost 10 # Per-VLAN cost

# Default Path Costs:
# 10 Mbps = 100
# 100 Mbps = 19
# 1 Gbps = 4
# 10 Gbps = 2

# Port Priority Configuration
Switch(config-if)# spanning-tree port-priority 128 # Port priority (0-240)
Switch(config-if)# spanning-tree vlan 10 port-priority 64 # Per-VLAN priority

# Verify Root Port Selection
Switch# show spanning-tree # Overall STP status
Switch# show spanning-tree interface gi0/1 # Specific interface
Switch# show spanning-tree root # Root bridge information

Step 3: Designated Port Election

bash
# Designated Port Election on each Segment:
# 1. Lowest path cost to root bridge
# 2. Lowest bridge ID of sender
# 3. Lowest port ID of sender

# Example Network Analysis:
# Segment between SW1 and SW2
# SW1 advertises cost 0 (directly connected to root)
# SW2 advertises cost 4 (one hop from root)
# SW1's port becomes designated port
# SW2's port becomes alternate port (blocking)

# Force Designated Port
Switch(config)# interface gi0/1
Switch(config-if)# spanning-tree port-priority 0 # Highest priority

# Alternate Port (Blocking State)
# - Receives superior BPDUs but doesn't forward them
# - Takes over if the primary path fails
# - Does not learn MAC addresses while blocking
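The three election steps above (root bridge by lowest Bridge ID, root port by lowest path cost with Bridge ID and Port ID as tie-breakers, designated port per segment by the same tuple) are easiest to trust once you have watched them run on a small topology. The Python below is an added example, not code from the guide: it builds a constructed three-switch triangle in which SW1 has been given priority 4096, computes every port's role, and shows the SW2-SW3 tie being broken by Bridge ID. The same comparison is what lets a switch with an unexpectedly low priority take the root away, which is the case root guard and BPDU guard on the access layer are there to stop.

```python
import heapq

# Added example, not code from the guide. The topology, priorities and MAC
# addresses are constructed: SW1 has been given priority 4096 so it wins the
# root election; every link is Gigabit (default path cost 4).
SWITCHES = {
    "SW1": (4096, "0000.0000.0001"),
    "SW2": (32768, "0000.0000.0002"),
    "SW3": (32768, "0000.0000.0003"),
}
# (switch_a, port_a, switch_b, port_b, path_cost)
LINKS = [
    ("SW1", 1, "SW2", 1, 4),
    ("SW1", 2, "SW3", 1, 4),
    ("SW2", 2, "SW3", 2, 4),
]
PORT_PRIORITY = 128  # default spanning-tree port-priority

def bridge_id(name, switches=SWITCHES):
    """Bridge ID = priority then MAC; the numerically lowest tuple wins."""
    priority, mac = switches[name]
    return (priority, int(mac.replace(".", ""), 16))

def elect_root(switches=SWITCHES):
    """Step 1: the switch with the lowest Bridge ID becomes the root bridge."""
    return min(switches, key=lambda n: bridge_id(n, switches))

def root_path_costs(root, switches=SWITCHES, links=LINKS):
    """Lowest cumulative path cost from every switch to the root (Dijkstra)."""
    adjacent = {n: [] for n in switches}
    for a, _, b, _, cost in links:
        adjacent[a].append((b, cost))
        adjacent[b].append((a, cost))
    cost_to_root = {n: float("inf") for n in switches}
    cost_to_root[root] = 0
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > cost_to_root[n]:
            continue
        for neighbor, cost in adjacent[n]:
            if d + cost < cost_to_root[neighbor]:
                cost_to_root[neighbor] = d + cost
                heapq.heappush(heap, (d + cost, neighbor))
    return cost_to_root

def port_roles(switches=SWITCHES, links=LINKS):
    """Steps 2 and 3: return the root and a {(switch, port): role} map."""
    root = elect_root(switches)
    rpc = root_path_costs(root, switches, links)
    # Each link seen from both ends: (me, my_port, neighbor, neighbor_port, cost)
    ends = []
    for a, pa, b, pb, cost in links:
        ends += [(a, pa, b, pb, cost), (b, pb, a, pa, cost)]
    roles = {}
    # Step 2: on every non-root bridge the root port is the port with the lowest
    # (path cost to root, sender Bridge ID, sender Port ID).
    for sw in switches:
        if sw == root:
            continue
        me, port, *_ = min(
            (e for e in ends if e[0] == sw),
            key=lambda e: (rpc[e[2]] + e[4], bridge_id(e[2], switches), (PORT_PRIORITY, e[3])),
        )
        roles[(me, port)] = "root"
    # Step 3: on every segment the designated port is the end with the lowest
    # (root path cost, Bridge ID, Port ID); the other end, unless it is already
    # a root port, goes to blocking as an alternate port.
    for a, pa, b, pb, _ in links:
        winner = min(
            ((a, pa), (b, pb)),
            key=lambda e: (rpc[e[0]], bridge_id(e[0], switches), (PORT_PRIORITY, e[1])),
        )
        loser = (b, pb) if winner == (a, pa) else (a, pa)
        roles.setdefault(winner, "designated")
        roles.setdefault(loser, "alternate (blocking)")
    return root, roles

if __name__ == "__main__":
    root, roles = port_roles()
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```

On the SW2-SW3 segment both switches sit at path cost 4, so the Bridge ID decides: SW2's lower MAC makes its port designated and SW3's port 2 is the one blocking port in the triangle. Change SW3's priority to 0 in SWITCHES and the whole tree re-roots on SW3, which is why priorities on the access layer should never be left where an unknown device can undercut them.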

STP Port States and Transitions:

bash
# Port States:
# 1. Disabled - Administratively down or failed
# 2. Blocking - Receives BPDUs, doesn't forward data, doesn't learn MACs
# 3. Listening - Processes BPDUs, doesn't forward data, doesn't learn MACs
# 4. Learning - Processes BPDUs, doesn't forward data, learns MACs
# 5. Forwarding - Fully functional, forwards data and learns MACs

# State Transition Times:
# Blocking → Listening: 0 seconds (immediate)
# Listening → Learning: Forward Delay (15 seconds default)
# Learning → Forwarding: Forward Delay (15 seconds default)
# Total convergence time: 30 seconds (without enhancements)

# Monitor Port State Changes
Switch# show spanning-tree interface gi0/1 # Current state
Switch# debug spanning-tree events # Debug state changes
Switch# show logging | include SPANNING-TREE # STP log messages

Rapid Spanning Tree Protocol (RSTP) - 802.1w:

bash
# RSTP Improvements:
# - Faster convergence (sub-second)
# - Backward compatible with STP
# - Enhanced port roles and states

# RSTP Port Roles:
# - Root Port: Best path to root bridge
# - Designated Port: Forwarding port on segment
# - Alternate Port: Backup to root port
# - Backup Port: Backup to designated port
# - Disabled Port: Administratively disabled

# RSTP Port States (simplified):
# - Discarding: Combines Disabled, Blocking, and Listening
# - Learning: Same as STP Learning
# - Forwarding: Same as STP Forwarding

# Enable RSTP
Switch(config)# spanning-tree mode rapid-pvst # Enable Rapid PVST+
Switch# show spanning-tree summary # Verify mode

# RSTP Edge Ports (equivalent to PortFast)
Switch(config)# interface gi0/1
Switch(config-if)# spanning-tree portfast # Edge port
Switch(config-if)# spanning-tree link-type point-to-point # P2P link type

# RSTP Proposal/Agreement Process
# 1. Designated port sends proposal
# 2. Receiving port immediately blocks all non-edge ports
# 3. Receiving port sends agreement
# 4. Designated port immediately transitions to forwarding

STP Enhancements and Features:

bash
# PortFast - Immediate Forwarding for End Devices
Switch(config)# interface gi0/1
Switch(config-if)# spanning-tree portfast # Enable PortFast
Switch(config-if)# spanning-tree portfast trunk # PortFast for trunk (rare)

Switch(config)# spanning-tree portfast default # Global PortFast
Switch(config)# spanning-tree portfast bpduguard default # Global BPDU Guard

# BPDU Guard - Disables Port if BPDU Received
Switch(config-if)# spanning-tree bpduguard enable # Enable BPDU Guard
Switch(config-if)# spanning-tree bpduguard disable # Disable BPDU Guard

# BPDU Filter - Stops Sending/Receiving BPDUs
Switch(config-if)# spanning-tree bpdufilter enable # Enable BPDU Filter
Switch(config)# spanning-tree portfast bpdufilter default # Global setting

# Root Guard - Prevents Inferior Switches from Becoming Root
Switch(config-if)# spanning-tree guard root # Enable Root Guard

# Loop Guard - Detects Unidirectional Link Failure
Switch(config-if)# spanning-tree guard loop # Enable Loop Guard
Switch(config)# spanning-tree loopguard default # Global Loop Guard

# UplinkFast - Faster Root Port Recovery (Legacy)
Switch(config)# spanning-tree uplinkfast # Enable UplinkFast

# BackboneFast - Faster Convergence on Indirect Failures (Legacy)
Switch(config)# spanning-tree backbonefast # Enable BackboneFast

Per-VLAN Spanning Tree Plus (PVST+):

bash
# PVST+ Features:
# - Separate STP instance per VLAN
# - Load balancing across VLANs
# - Different root bridges per VLAN

# Configure Different Root Bridges per VLAN
Switch1(config)# spanning-tree vlan 10 priority 4096 # Root for VLAN 10
Switch1(config)# spanning-tree vlan 20 priority 8192 # Secondary for VLAN 20

Switch2(config)# spanning-tree vlan 10 priority 8192 # Secondary for VLAN 10
Switch2(config)# spanning-tree vlan 20 priority 4096 # Root for VLAN 20

# Load Balancing Example:
# VLAN 10 traffic uses Switch1 as primary path
# VLAN 20 traffic uses Switch2 as primary path
# This utilizes both uplinks instead of having one blocked

# Verify PVST+ Configuration
Switch# show spanning-tree vlan 10 # VLAN 10 STP
Switch# show spanning-tree vlan 20 # VLAN 20 STP
Switch# show spanning-tree summary # All VLANs summary

STP Troubleshooting - Complete Guide:

bash
# Common STP Issues:

# 1. Root Bridge Election Problems
Switch# show spanning-tree root # Verify root bridge
Switch# show spanning-tree bridge # Local bridge info
# Solution: Check priorities and Bridge IDs

# 2. Convergence Issues (Slow or No Convergence)
Switch# show spanning-tree inconsistentports # Inconsistent ports
Switch# show interfaces status err-disabled # Error-disabled ports
# Solution: Check for duplex mismatches, bad cables, BPDU issues

# 3. Loops Despite STP
Switch# show spanning-tree blockedports # Blocked ports
Switch# show spanning-tree interface gi0/1 detail # Port details
# Solution: Verify STP is enabled, check for unidirectional links

# 4. BPDU Guard Violations
Switch# show errdisable recovery # Recovery settings
Switch# show interfaces status | include err-disabled # Error-disabled ports
Switch(config)# errdisable recovery cause bpduguard # Auto recovery
Switch(config)# errdisable recovery interval 60 # Recovery timer

# Recovery Commands
Switch# clear spanning-tree detected-protocols # Clear protocols
Switch(config)# interface gi0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown # Reset port

# Advanced Troubleshooting
Switch# debug spanning-tree events # Debug events
Switch# debug spanning-tree root # Debug root election
Switch# debug spanning-tree backbonefast # Debug BackboneFast
Switch# show spanning-tree pathcost method # Path cost method

# STP Optimization
Switch(config)# spanning-tree extend system-id # Include VLAN in Bridge ID
Switch(config)# spanning-tree vlan 1-100 priority 8192 # Bulk priority setting

Multiple Spanning Tree Protocol (MSTP) - 802.1s:

bash
# MSTP allows grouping VLANs into instances
# Reduces STP overhead compared to PVST+
# Industry standard (not Cisco proprietary)

Switch(config)# spanning-tree mode mst # Enable MST (the IOS keyword is mst, not mstp)

# MST Configuration
Switch(config)# spanning-tree mst configuration
Switch(config-mst)# name REGION1 # Region name
Switch(config-mst)# revision 1 # Configuration revision
Switch(config-mst)# instance 1 vlan 10-20 # Map VLANs to instance
Switch(config-mst)# instance 2 vlan 30-40 # Another instance
Switch(config-mst)# exit

# MST Instance Priority
Switch(config)# spanning-tree mst 1 priority 4096 # Instance 1 priority
Switch(config)# spanning-tree mst 2 priority 8192 # Instance 2 priority

# MST Verification
Switch# show spanning-tree mst configuration # MST config
Switch# show spanning-tree mst # MST status
Switch# show spanning-tree mst 1 # Specific instance

2.3 All Routing Protocols - Complete Configuration Guide

This section covers all major routing protocols with detailed configuration steps and explanations.

Static Routing - Complete Implementation:

bash
# Basic Static Route Concepts:
# - Manually configured routes
# - No automatic updates
# - Administrative Distance: 1
# - Used for stub networks, default routes, and specific routing requirements

# Static Route Configuration Methods:

# 1. Next-Hop IP Address
Router(config)# ip route 192.168.10.0 255.255.255.0 10.1.1.2
Router(config)# ip route 172.16.0.0 255.240.0.0 10.1.1.2 # Summary route

# 2. Exit Interface (Point-to-Point links)
Router(config)# ip route 192.168.20.0 255.255.255.0 Serial0/0/0
Router(config)# ip route 10.10.0.0 255.255.0.0 GigabitEthernet0/1

# 3. Fully Specified Route (Interface + Next-hop)
Router(config)# ip route 192.168.30.0 255.255.255.0 GigabitEthernet0/1 10.1.1.2
Router(config)# ip route 172.20.0.0 255.255.0.0 Serial0/0/0 10.2.2.2

# Default Route Configuration
Router(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 # Next-hop default
Router(config)# ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 # Interface default
Router(config)# ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.1.1.1 # Fully specified

# Administrative Distance Manipulation
Router(config)# ip route 192.168.40.0 255.255.255.0 10.1.1.2 100 # Primary route (AD 100)
Router(config)# ip route 192.168.40.0 255.255.255.0 10.1.1.3 200 # Floating static (AD 200)

# Load Balancing with Static Routes
Router(config)# ip route 192.168.50.0 255.255.255.0 10.1.1.2 # First path
Router(config)# ip route 192.168.50.0 255.255.255.0 10.1.1.3 # Second path (equal cost)
Router(config)# maximum-paths 4 # Up to 4 equal paths

# Host Routes (/32)
Router(config)# ip route 192.168.1.100 255.255.255.255 10.1.1.2 # Specific host
Router(config)# ip route 8.8.8.8 255.255.255.255 10.1.1.1 # DNS server route

# Null Route (Black Hole)
Router(config)# ip route 192.168.100.0 255.255.255.0 null0 # Drop traffic
Router(config)# ip route 10.99.0.0 255.255.0.0 null0 # Prevent loops

# IPv6 Static Routes
Router(config)# ipv6 unicast-routing # Enable IPv6 routing
Router(config)# ipv6 route 2001:db8:1::/64 2001:db8::1 # IPv6 static route
Router(config)# ipv6 route ::/0 2001:db8::1 # IPv6 default route

# Static Route Verification
Router# show ip route static # Static routes only
Router# show ip route # All routes
Router# show ip route 192.168.10.0 # Specific network
Router# show running-config | include ip route # Static route configuration
Router# ping 192.168.10.1 source gi0/0 # Test connectivity
Router# traceroute 192.168.10.1 # Verify path
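The commands above only make sense together with the order in which IOS picks among competing routes: longest prefix match first, then the lowest administrative distance for the same prefix, then equal-cost sharing. The Python below is an added example, not code from the guide or from IOS. It loads a constructed table mirroring the static routes above (primary and floating static, two equal-cost paths, a null route with a more specific OSPF route inside it, a host route and a default) and resolves destinations against it, including what happens when the primary next hop disappears and the floating static route takes over.

```python
import ipaddress

# Added example, not code from the guide. Models the route-selection order that
# the static-route commands above depend on: longest prefix match first, then
# lowest administrative distance, then equal-cost sharing. Entries constructed.

# (prefix, next hop or interface, administrative distance, metric, source)
ROUTES = [
    ("0.0.0.0/0",        "10.1.1.1", 1,   0,  "static"),  # default route
    ("192.168.40.0/24",  "10.1.1.2", 100, 0,  "static"),  # primary (AD 100)
    ("192.168.40.0/24",  "10.1.1.3", 200, 0,  "static"),  # floating static (AD 200)
    ("192.168.50.0/24",  "10.1.1.2", 1,   0,  "static"),  # two equal-cost paths
    ("192.168.50.0/24",  "10.1.1.3", 1,   0,  "static"),
    ("192.168.100.0/24", "Null0",    1,   0,  "static"),  # black hole for the aggregate
    ("192.168.100.0/25", "10.1.1.2", 110, 20, "ospf"),    # more specific, learned by OSPF
    ("192.168.1.100/32", "10.1.1.2", 1,   0,  "static"),  # host route
]

def lookup(destination: str, routes=ROUTES, down_next_hops=frozenset()) -> list:
    """Return the sorted list of next hops the router would use for `destination`.

    A route whose next hop is listed in `down_next_hops` is treated as withdrawn,
    which is what happens to a static route when its exit interface goes down
    and what lets a floating static route take over.
    """
    ip = ipaddress.ip_address(destination)
    matches = [r for r in routes
               if r[1] not in down_next_hops and ip in ipaddress.ip_network(r[0])]
    if not matches:
        return []
    # 1. Longest prefix match beats everything, including a lower AD.
    longest = max(ipaddress.ip_network(r[0]).prefixlen for r in matches)
    matches = [r for r in matches if ipaddress.ip_network(r[0]).prefixlen == longest]
    # 2. For the same prefix only the lowest AD is installed in the table.
    best_ad = min(r[2] for r in matches)
    matches = [r for r in matches if r[2] == best_ad]
    # 3. Same AD and same metric: every path is installed (ECMP, up to maximum-paths).
    best_metric = min(r[3] for r in matches)
    return sorted(r[1] for r in matches if r[3] == best_metric)

if __name__ == "__main__":
    for dst in ("192.168.40.5", "192.168.50.7", "192.168.100.5", "192.168.100.200", "8.8.8.8"):
        print(f"{dst:16} -> {lookup(dst)}")
    print("192.168.40.5 with 10.1.1.2 down ->", lookup("192.168.40.5", down_next_hops={"10.1.1.2"}))
```

Two details worth noticing: the OSPF /25 wins over the static Null0 /24 even though its AD of 110 is far worse, because prefix length is compared before AD; and the floating static route is invisible in the table until the AD-100 route is withdrawn, so show ip route will not list it while the primary is up.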

RIP (Routing Information Protocol) - Complete Configuration:

bash
# RIP Characteristics:
# - Distance Vector Protocol
# - Uses hop count as metric (max 15 hops)
# - Updates every 30 seconds
# - Administrative Distance: 120
# - Supports RIPv1 (classful) and RIPv2 (classless)

# RIPv2 Configuration (Recommended)
Router(config)# router rip
Router(config-router)# version 2 # Enable RIPv2
Router(config-router)# network 10.0.0.0 # Advertise classful networks
Router(config-router)# network 192.168.1.0 # Local networks
Router(config-router)# no auto-summary # Disable auto-summarization
Router(config-router)# passive-interface default # Make all interfaces passive
Router(config-router)# no passive-interface gi0/1 # Enable RIP on specific interface

# RIP Timers (Default values)
Router(config-router)# timers basic 30 180 180 240 # Update, Invalid, Hold, Flush

# RIP Authentication (RIPv2 only)
Router(config)# interface gi0/1
Router(config-if)# ip rip authentication mode md5 # MD5 authentication
Router(config-if)# ip rip authentication key-chain RIP_KEYS

Router(config)# key chain RIP_KEYS
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string cisco123
Router(config-keychain-key)# accept-lifetime 00:00:00 Jan 1 2024 infinite
Router(config-keychain-key)# send-lifetime 00:00:00 Jan 1 2024 infinite

# Default Route Injection
Router(config-router)# default-information originate # Advertise default route

# Route Filtering
Router(config-router)# distribute-list 1 out gi0/1 # Filter outbound updates
Router(config)# access-list 1 deny 192.168.10.0 0.0.0.255
Router(config)# access-list 1 permit any

# RIP Verification
Router# show ip rip database # RIP database
Router# show ip protocols # RIP configuration
Router# debug ip rip # RIP debugging

EIGRP (Enhanced Interior Gateway Routing Protocol) - Detailed Configuration:

bash
# EIGRP Characteristics:
# - Advanced Distance Vector (Hybrid)
# - DUAL algorithm prevents loops
# - Fast convergence (sub-second)
# - Supports VLSM and CIDR
# - Administrative Distance: Internal 90, External 170
# - Multicast updates (224.0.0.10)

# Basic EIGRP Configuration
Router(config)# router eigrp 100 # AS number (must match)
Router(config-router)# network 10.0.0.0 0.255.255.255 # Classful with wildcard
Router(config-router)# network 192.168.1.0 0.0.0.255 # Subnet with wildcard
Router(config-router)# no auto-summary # Disable auto-summarization

# EIGRP Router ID
Router(config-router)# eigrp router-id 1.1.1.1 # Manual Router ID
Router(config-router)# eigrp log-neighbor-changes # Log neighbor state changes

# Passive Interfaces
Router(config-router)# passive-interface default # All interfaces passive
Router(config-router)# no passive-interface gi0/1 # Enable EIGRP on interface

# Interface-Level EIGRP Configuration
Router(config)# interface gi0/1
Router(config-if)# ip hello-interval eigrp 100 5 # Hello interval (default 5)
Router(config-if)# ip hold-time eigrp 100 15 # Hold time (default 15)
Router(config-if)# bandwidth 1544 # Affects metric calculation
Router(config-if)# delay 100 # Delay in tens of microseconds
Router(config-if)# ip summary-address eigrp 100 192.168.0.0 255.255.0.0 # Manual summary

# EIGRP Metric Tuning
Router(config-router)# metric weights 0 1 0 1 0 0 # TOS K1 K2 K3 K4 K5
# K1 = Bandwidth, K2 = Load, K3 = Delay, K4 = Reliability, K5 = MTU
# Default: K1=1, K3=1, others=0 (the leading 0 is the TOS value and is always 0)

# Load Balancing
Router(config-router)# maximum-paths 4 # Equal-cost paths (1-32)
Router(config-router)# variance 2 # Unequal-cost load balancing
# Variance allows paths up to 2x the best metric

# EIGRP Authentication
Router(config)# interface gi0/1
Router(config-if)# ip authentication mode eigrp 100 md5
Router(config-if)# ip authentication key-chain eigrp 100 EIGRP_KEYS

Router(config)# key chain EIGRP_KEYS
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string cisco123

# Stub Configuration (for spoke sites)
Router(config-router)# eigrp stub connected summary # Advertise connected and summary only
Router(config-router)# eigrp stub receive-only # Don't advertise any routes
Router(config-router)# eigrp stub receive-only # Don't advertise any routes

# Default Route Distribution
Router(config-router)# redistribute static # Redistribute static routes
Router(config)# ip route 0.0.0.0 0.0.0.0 gi0/2 # Create default route

# EIGRP Verification
Router# show ip eigrp neighbors # EIGRP neighbors
Router# show ip eigrp neighbors detail # Detailed neighbor info
Router# show ip eigrp topology # Topology table
Router# show ip eigrp topology all-links # All topology entries
Router# show ip eigrp interfaces # EIGRP-enabled interfaces
Router# show ip eigrp interfaces detail gi0/1 # Detailed interface info
Router# show ip eigrp traffic # EIGRP packet statistics

# EIGRP Troubleshooting
Router# debug eigrp packets # EIGRP packet debugging
Router# debug ip eigrp neighbor # Neighbor debugging
Router# show logging | include EIGRP # EIGRP log messages

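The metric weights, bandwidth, delay and variance commands above all feed one formula and one loop-prevention rule, and the numbers they produce are easier to reason about in code. The Python below is an added example, not code from the guide or from IOS: it reproduces the classic EIGRP composite metric as the K values shape it, then runs the DUAL successor and feasible-successor selection over a constructed set of neighbors to show why one backup path is accepted for variance load sharing and another, with the same total metric, is rejected.

```python
# Added example, not code from the guide. Reproduces the classic EIGRP composite
# metric that `metric weights` tunes and the DUAL successor / feasible successor
# choice that `variance` relies on. Routers and distances below are constructed.

def eigrp_metric(min_bw_kbps: int, total_delay_tens_usec: int,
                 load: int = 1, reliability: int = 255,
                 k: tuple = (1, 0, 1, 0, 0)) -> int:
    """Classic (32-bit) EIGRP composite metric.

    `k` holds K1..K5 as set by `metric weights 0 K1 K2 K3 K4 K5`. With the
    defaults K1=K3=1 this collapses to 256 * (10^7 / min_bandwidth + sum_delay),
    bandwidth in kbit/s and delay in tens of microseconds, both integer math.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_usec
    if k5:
        metric = metric * k5 // (reliability + k4)
    return metric * 256

def dual_select(paths: list, variance: int = 1) -> tuple:
    """paths: (neighbor, reported_distance, metric_to_neighbor) for one prefix.

    Returns (feasible_distance, successor, feasible_successors, paths_used).
    """
    total = {n: rd + link for n, rd, link in paths}
    successor = min(total, key=total.get)
    fd = total[successor]
    # Feasibility condition: the neighbor's reported distance must be strictly
    # lower than our FD. A neighbor whose RD is not lower could itself be
    # routing through us, so DUAL refuses it as a loop-free backup.
    feasible = [n for n, rd, _ in paths if n != successor and rd < fd]
    # variance N installs every feasible successor whose total metric <= N * FD.
    used = [successor] + [n for n in feasible if total[n] <= variance * fd]
    return fd, successor, feasible, used

# Constructed view from R1 towards one prefix (Gigabit-sized metrics):
#   R2: reports 2816, link to R2 costs 2816 -> total 5632 (successor, FD = 5632)
#   R3: reports 2816, link to R3 costs 5632 -> total 8448 (feasible: 2816 < 5632)
#   R4: reports 5632, link to R4 costs 2816 -> total 8448 (not feasible: 5632 is not < 5632)
PATHS_FROM_R1 = [("R2", 2816, 2816), ("R3", 2816, 5632), ("R4", 5632, 2816)]

if __name__ == "__main__":
    print("T1 (1544 kbps, 20000 us):", eigrp_metric(1544, 2000))
    print("GigabitEthernet (1000000 kbps, 10 us):", eigrp_metric(1_000_000, 1))
    for v in (1, 2):
        print(f"variance {v}:", dual_select(PATHS_FROM_R1, v))
```

R3 and R4 reach the prefix at the same total cost, yet only R3 is a feasible successor, because R3's reported distance is below R1's feasible distance and R4's is not; variance 2 therefore adds R3 to the forwarding table and never R4. The T1 and Gigabit results (2169856 and 2816) are the well-known default metrics you will see in show ip eigrp topology.
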
OSPF (Open Shortest Path First) - Comprehensive Configuration:

bash
# OSPF Characteristics:
# - Link State Protocol
# - Shortest Path First (Dijkstra) algorithm
# - Fast convergence
# - Hierarchical design with areas
# - Administrative Distance: 110
# - Multicast updates (224.0.0.5 and 224.0.0.6)

# Single Area OSPF Configuration
Router(config)# router ospf 1 # Process ID (locally significant)
Router(config-router)# router-id 1.1.1.1 # Manual Router ID (recommended)
Router(config-router)# network 10.1.1.0 0.0.0.255 area 0 # Area 0 (backbone)
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0 # Additional network
Router(config-router)# passive-interface default # All interfaces passive
Router(config-router)# no passive-interface gi0/1 # Enable OSPF on interface

# Alternative Interface Configuration Method
Router(config)# interface gi0/1
Router(config-if)# ip ospf 1 area 0 # Enable OSPF directly

# OSPF Area Configuration (Multi-Area)
Router(config-router)# network 10.1.1.0 0.0.0.255 area 0 # Backbone area
Router(config-router)# network 192.168.1.0 0.0.0.255 area 1 # Regular area
Router(config-router)# network 192.168.2.0 0.0.0.255 area 2 # Another area

# Interface-Level OSPF Parameters
Router(config)# interface gi0/1
Router(config-if)# ip ospf hello-interval 10 # Hello timer (1-65535 seconds)
Router(config-if)# ip ospf dead-interval 40 # Dead timer (1-65535 seconds)
Router(config-if)# ip ospf priority 100 # DR/BDR priority (0-255)
Router(config-if)# ip ospf cost 64 # Interface cost (1-65535)
Router(config-if)# ip ospf network point-to-point # Network type
Router(config-if)# ip ospf network broadcast # Broadcast network (default Ethernet)
Router(config-if)# ip ospf network non-broadcast # NBMA network

# OSPF Cost Calculation and Reference Bandwidth
Router(config-router)# auto-cost reference-bandwidth 10000 # 10 Gbps reference

# Default Route Generation
Router(config-router)# default-information originate # Conditional default
Router(config-router)# default-information originate always # Always advertise default
Router(config-router)# default-information originate metric 10 # Set metric

# OSPF Authentication
# Interface Authentication
Router(config)# interface gi0/1
Router(config-if)# ip ospf authentication # Simple password
Router(config-if)# ip ospf authentication-key cisco123

Router(config-if)# ip ospf authentication message-digest # MD5 authentication
Router(config-if)# ip ospf message-digest-key 1 md5 cisco123

# Area Authentication
Router(config-router)# area 0 authentication # Simple authentication for area
Router(config-router)# area 0 authentication message-digest # MD5 for area

# OSPF Area Types
Router(config-router)# area 1 stub # Stub area (no external LSAs)
Router(config-router)# area 1 stub no-summary # Totally stubby area
Router(config-router)# area 2 nssa # Not-So-Stubby Area
Router(config-router)# area 2 nssa no-summary # Totally NSSA

# Area Range (Summarization)
Router(config-router)# area 1 range 192.168.0.0 255.255.0.0 # ABR summarization

# OSPF Virtual Links (to connect non-contiguous areas to backbone)
Router(config-router)# area 1 virtual-link 2.2.2.2 # Through area 1 to router 2.2.2.2

# OSPF Verification Commands
Router# show ip ospf # OSPF process information
Router# show ip ospf neighbor # OSPF neighbors
Router# show ip ospf neighbor detail # Detailed neighbor information
Router# show ip ospf interface # OSPF interfaces
Router# show ip ospf interface gi0/1 # Specific interface
Router# show ip ospf database # Link-state database
Router# show ip ospf database router # Router LSAs
Router# show ip ospf database network # Network LSAs
Router# show ip ospf database external # External LSAs
Router# show ip ospf border-routers # ABRs and ASBRs
Router# show ip ospf virtual-links # Virtual link status

# OSPF Troubleshooting
Router# debug ip ospf hello # Debug hello packets
Router# debug ip ospf adj # Debug adjacency formation
Router# debug ip ospf lsa-generation # Debug LSA generation
Router# clear ip ospf process # Clear OSPF process (restarts)
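Two of the interface-level commands above have effects that are easy to get wrong by hand: auto-cost reference-bandwidth decides the cost every interface ends up with, and ip ospf priority decides who becomes DR and BDR on a broadcast segment. The Python below is an added example, not code from the guide or from IOS. It computes the Cisco cost formula for common link speeds under the default and the raised reference bandwidth, and runs a cold-start DR/BDR election over a constructed segment, comparing router IDs numerically rather than as strings (the mistake that makes 9.0.0.1 look higher than 10.0.0.1).

```python
# Added example, not code from the guide. Models two things the commands above
# control: the interface cost derived from auto-cost reference-bandwidth, and
# the DR/BDR election driven by ip ospf priority. Sample values are constructed.

def ospf_cost(interface_bw_kbps: int, reference_bw_mbps: int = 100) -> int:
    """Cisco OSPF cost = reference bandwidth / interface bandwidth, never below 1.

    With the default 100 Mbps reference, FastEthernet, Gigabit and 10 Gigabit
    all cost 1, so OSPF cannot tell them apart; raising the reference to 10000
    (auto-cost reference-bandwidth 10000) restores the distinction.
    """
    return max((reference_bw_mbps * 1000) // interface_bw_kbps, 1)

def _rid_key(router_id: str) -> tuple:
    """Compare dotted-decimal router IDs numerically, octet by octet."""
    return tuple(int(octet) for octet in router_id.split("."))

def elect_dr_bdr(routers: dict) -> tuple:
    """Cold-start DR/BDR election on a broadcast segment.

    `routers` maps router ID -> ip ospf priority. Priority 0 makes a router
    ineligible; otherwise the highest priority wins and the highest router ID
    breaks ties. The real election is not preemptive: a router that joins later
    with a higher priority does not displace an existing DR, so this function
    only models the result when all routers come up together.
    """
    eligible = sorted(
        ((prio, _rid_key(rid), rid) for rid, prio in routers.items() if prio > 0),
        reverse=True,
    )
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr

# Constructed segment: R1 is forced to win, R4 may never be DR or BDR.
SEGMENT = {"1.1.1.1": 100, "2.2.2.2": 1, "3.3.3.3": 1, "4.4.4.4": 0}

if __name__ == "__main__":
    for name, kbps in (("T1", 1544), ("FastEthernet", 100_000),
                       ("GigabitEthernet", 1_000_000), ("TenGigabit", 10_000_000)):
        print(f"{name:16} default ref: {ospf_cost(kbps):5}   ref 10000: {ospf_cost(kbps, 10000)}")
    print("DR, BDR:", elect_dr_bdr(SEGMENT))
```

Note that the T1 result under the default reference is 64, the same value the ip ospf cost 64 line above sets by hand; the reference bandwidth must be the same on every router in the area, or costs stop being comparable.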

BGP (Border Gateway Protocol) - Complete Configuration:

bash
# BGP Characteristics:
# - Path Vector Protocol
# - Policy-based routing
# - Used between Autonomous Systems (Inter-AS)
# - Administrative Distance: eBGP 20, iBGP 200
# - TCP port 179

# Basic BGP Configuration
Router(config)# router bgp 65001 # AS number
Router(config-router)# bgp router-id 1.1.1.1 # BGP Router ID
Router(config-router)# neighbor 192.168.1.2 remote-as 65002 # eBGP neighbor
Router(config-router)# neighbor 10.1.1.2 remote-as 65001 # iBGP neighbor

# Network Advertisement
Router(config-router)# network 192.168.1.0 mask 255.255.255.0 # Advertise network
Router(config-router)# redistribute connected # Redistribute connected routes
Router(config-router)# redistribute static # Redistribute static routes

# iBGP Configuration (Internal BGP)
Router(config-router)# neighbor 10.1.1.2 remote-as 65001 # Same AS number
Router(config-router)# neighbor 10.1.1.2 update-source loopback0 # Source interface
Router(config-router)# neighbor 10.1.1.2 next-hop-self # Set next-hop to self

# BGP Route Reflector (to avoid iBGP full mesh)
Router(config-router)# neighbor 10.1.1.2 route-reflector-client

# BGP Confederation (alternative to route reflector)
Router(config-router)# bgp confederation identifier 65000 # Main AS
Router(config-router)# bgp confederation peers 65001 65002 # Sub-AS peers

# BGP Path Attributes
Router(config-router)# neighbor 192.168.1.2 weight 200 # Weight (Cisco-specific)
Router(config-router)# bgp default local-preference 150 # Local Preference

# Route Maps for Policy Control
Router(config)# route-map SET_LOCAL_PREF permit 10
Router(config-route-map)# set local-preference 200
Router(config)# router bgp 65001
Router(config-router)# neighbor 192.168.1.2 route-map SET_LOCAL_PREF in

# AS Path Manipulation
Router(config)# route-map PREPEND permit 10
Router(config-route-map)# set as-path prepend 65001 65001 # Prepend AS
Router(config)# router bgp 65001
Router(config-router)# neighbor 192.168.1.2 route-map PREPEND out

# BGP Communities
Router(config-router)# neighbor 192.168.1.2 send-community # Send community attribute
Router(config)# route-map SET_COMMUNITY permit 10
Router(config-route-map)# set community 65001:100

# BGP Verification
Router# show ip bgp # BGP table
Router# show ip bgp summary # BGP neighbor summary
Router# show ip bgp neighbors # Detailed neighbor info
Router# show ip bgp neighbors 192.168.1.2 advertised-routes # Advertised routes
Router# show ip bgp neighbors 192.168.1.2 received-routes # Received routes
Router# show ip bgp 192.168.1.0 # Specific route details

# BGP Troubleshooting
Router# debug ip bgp # BGP debugging
Router# debug ip bgp updates # BGP update messages
Router# clear ip bgp * # Clear all BGP sessions
Router# clear ip bgp 192.168.1.2 # Clear specific neighbor

IS-IS (Intermediate System to Intermediate System):

bash
# IS-IS Characteristics:
# - Link State Protocol
# - OSI protocol adapted for IP
# - Two levels: L1 (intra-area), L2 (inter-area)
# - Administrative Distance: 115

# IS-IS Configuration
Router(config)# router isis AREA1 # IS-IS process name
Router(config-router)# net 49.0001.1921.6800.1001.00 # NET address
Router(config-router)# is-type level-2-only # Router type
Router(config-router)# metric-style wide # Wide metrics

Router(config)# interface gi0/1
Router(config-if)# ip router isis AREA1 # Enable IS-IS
Router(config-if)# isis circuit-type level-2-only # Circuit type
Router(config-if)# isis metric 10 # Interface metric

# IS-IS Verification
Router# show isis neighbors # IS-IS neighbors
Router# show isis database # IS-IS database
Router# show isis topology # IS-IS topology
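The net command above is the one IS-IS setting people most often get wrong, because the NET packs three fields (area, 6-byte system ID, NSEL) into one dotted hex string with no delimiter between them. The Python below is an added example, not code from the guide or from IOS: it parses a NET from the right (last byte NSEL, previous six bytes system ID, everything else the area), validates the shape, and derives a system ID from a loopback address with the zero-padding convention that produces exactly the 1921.6800.1001 in the guide's example from 192.168.1.1.

```python
# Added example, not code from the guide. Splits an IS-IS NET into its fields
# and builds a system ID from an IPv4 loopback the way many shops do by hand.

HEX = set("0123456789abcdefABCDEF")

def parse_net(net: str) -> dict:
    """Split an IS-IS NET into area, 6-byte system ID and NSEL (selector).

    The guide's NET, 49.0001.1921.6800.1001.00, yields area 49.0001,
    system ID 1921.6800.1001 and NSEL 00. Parsing is done from the right,
    since the area part is the only field of variable length.
    """
    digits = net.replace(".", "")
    if not digits or any(c not in HEX for c in digits) or len(digits) % 2:
        raise ValueError("NET must be an even number of hex digits")
    if not 8 <= len(digits) // 2 <= 20:
        raise ValueError("NET is 8 to 20 bytes long")
    nsel, sysid, area = digits[-2:], digits[-14:-2], digits[:-14]
    if nsel != "00":
        raise ValueError("a router's NET must end in NSEL 00")
    area_groups = [area[i:i + 4] for i in range(2, len(area), 4)]
    return {
        "area": ".".join([area[:2]] + area_groups),   # AFI then 2-byte groups
        "system_id": ".".join(sysid[i:i + 4] for i in range(0, 12, 4)),
        "nsel": nsel,
    }

def system_id_from_ipv4(ip: str) -> str:
    """Common convention: zero-pad each octet to 3 digits, regroup into fours."""
    digits = "".join(f"{int(octet):03d}" for octet in ip.split("."))
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def same_area(net_a: str, net_b: str) -> bool:
    """Level-1 adjacencies only form between routers in the same area."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]

if __name__ == "__main__":
    print(parse_net("49.0001.1921.6800.1001.00"))
    print(system_id_from_ipv4("192.168.1.1"))
```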

Routing Protocol Comparison and Selection:

bash
# Protocol Selection Criteria:

# Network Size:
# - Small (< 50 routers): Static, RIP, EIGRP
# - Medium (50-500 routers): EIGRP, OSPF
# - Large (500+ routers): OSPF, IS-IS, BGP

# Convergence Speed:
# - Fastest: EIGRP (sub-second)
# - Fast: OSPF (seconds)
# - Slow: RIP (minutes)

# Vendor Support:
# - Cisco-specific: EIGRP (though now open standard)
# - Multi-vendor: OSPF, RIP, BGP, IS-IS

# Administrative Distances:
# Connected: 0
# Static: 1
# eBGP: 20
# EIGRP Internal: 90
# OSPF: 110
# IS-IS: 115
# RIP: 120
# EIGRP External: 170
# iBGP: 200

# Protocol Verification Summary
Router# show ip protocols # All routing protocols
Router# show ip route # Routing table
Router# show ip route summary # Route count by protocol

2.4 Port Security - Advanced Configuration and Explanation

Port security restricts network access by controlling which MAC addresses can connect to switch ports,
providing Layer 2 security against unauthorized access.

Port Security Deep Dive:

Port Security Concepts and Operation:

bash
# Port Security Features:
# - Limits MAC addresses per port
# - Learns MAC addresses dynamically or statically
# - Provides violation actions when limits exceeded
# - Supports aging to allow MAC address changes
# - Works only on access ports (not trunk ports)

# Prerequisites for Port Security
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access # Must be access port
Switch(config-if)# switchport access vlan 10 # Assign to VLAN (optional)

Comprehensive Port Security Configuration:

bash
# Enable Port Security
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport port-security # Enable port security

# Maximum MAC Addresses Configuration
Switch(config-if)# switchport port-security maximum 1 # Default: 1 address
Switch(config-if)# switchport port-security maximum 5 # Allow up to 5 MACs
Switch(config-if)# switchport port-security maximum 10 # Up to 10 MACs

# MAC Address Learning Methods
Switch(config-if)# switchport port-security mac-address sticky # Sticky learning
Switch(config-if)# switchport port-security mac-address 0012.3456.789a # Static MAC
Switch(config-if)# switchport port-security mac-address sticky 0023.4567.890b # Sticky specific MAC

# Multiple MAC Address Configuration
Switch(config-if)# switchport port-security mac-address 0012.3456.789a
Switch(config-if)# switchport port-security mac-address 0023.4567.890b
Switch(config-if)# switchport port-security mac-address 0034.5678.901c
Switch(config-if)# switchport port-security maximum 3 # Match number of static MACs

Violation Actions - Detailed Explanation:

bash
# Violation Actions determine what happens when security is violated:

# 1. Shutdown (Default) - Port goes to err-disabled state
Switch(config-if)# switchport port-security violation shutdown
# - Drops all traffic
# - Sends SNMP trap
# - Generates syslog message
# - Port LED turns orange
# - Requires manual intervention to recover

# 2. Restrict - Drops violating traffic but keeps port up
Switch(config-if)# switchport port-security violation restrict
# - Drops packets from violating source
# - Increments violation counter
# - Sends SNMP trap
# - Generates syslog message
# - Allows traffic from authorized MACs

# 3. Protect - Drops violating traffic silently
Switch(config-if)# switchport port-security violation protect
# - Drops packets from violating source
# - No logging or notification
# - No violation counter increment
# - Allows traffic from authorized MACs

# Example Scenarios:
# Office Environment: Use shutdown (most secure)
# Conference Room: Use restrict (allows legitimate disconnects/reconnects)
# Public Area: Use protect (prevent log flooding)

MAC Address Aging Configuration:

bash
# Aging allows MAC addresses to be removed after inactivity
# Useful for shared ports or temporary connections

# Enable Aging
Switch(config-if)# switchport port-security aging time 10 # 10 minutes
Switch(config-if)# switchport port-security aging time 1440 # 24 hours
Switch(config-if)# switchport port-security aging time 0 # Disable aging

# Aging Types
Switch(config-if)# switchport port-security aging type absolute # Absolute timer
Switch(config-if)# switchport port-security aging type inactivity # Inactivity timer

# Absolute Aging:
# - MAC addresses age out after specified time regardless of activity
# - Timer starts when MAC is learned
# - Good for temporary access (guest users)

# Inactivity Aging:
# - MAC addresses age out only if inactive for specified time
# - Timer resets on each frame from that MAC
# - Good for workstations that may go idle

# Static MAC Aging Control


Switch(config-if)# switchport port-security aging static # Age static entries
Switch(config-if)# no switchport port-security aging static # Don't age static entries (default)
# Without "aging static", only dynamically learned addresses are aged; static entries
# (and sticky-learned entries, which are stored as static) stay until cleared.

Advanced Port Security Features:

bash
# Voice VLAN Considerations
Switch(config-if)# switchport access vlan 10 # Data VLAN
Switch(config-if)# switchport voice vlan 20 # Voice VLAN
Switch(config-if)# switchport port-security maximum 3 # Phone (its MAC can show up in both the data and the voice VLAN) + PC
Switch(config-if)# switchport port-security mac-address sticky

# Port Security with EtherChannel

# Note: support is platform-dependent. On Catalyst 2960/3560/3750 a secure port cannot
# belong to an EtherChannel at all; on platforms that do support the combination
# (for example Catalyst 4500/6500) port security is configured on the port-channel
# interface rather than on the members. Check your platform's configuration guide;
# the member-port sequence below is rejected on switches that do not allow it.
Switch(config)# interface gi0/1
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# channel-group 1 mode active # Add to EtherChannel after

# Port Security on Switch Stacks


# Secure MAC addresses are synchronized across stack members
# When stack member leaves, its secure MACs are removed
# When new member joins, it downloads secure MAC table

# SNMP Integration
Switch(config)# snmp-server enable traps port-security # Enable SNMP traps
Switch(config)# snmp-server host 192.168.1.100 version 2c public port-security
# "public" is the well-known default community and travels in cleartext; use a unique
# community string, or preferably SNMPv3 with authentication and privacy.

Comprehensive Verification Commands:

bash
# Port Security Status
Switch# show port-security # Global port security status
Switch# show port-security interface fa0/1 # Specific interface
Switch# show port-security address # All secure addresses
Switch# show port-security address interface fa0/1 # Interface secure addresses

# Detailed Interface Information


Switch# show port-security interface fa0/1 address # Addresses on interface
Switch# show interfaces fa0/1 switchport # Switchport configuration
Switch# show running-config interface fa0/1 # Interface configuration
# Violation Information
Switch# show port-security # Shows violation counts
Switch# show interfaces status err-disabled # Error-disabled ports
Switch# show errdisable recovery # Recovery configuration

# MAC Address Table Integration


Switch# show mac address-table secure # Secure MAC addresses
Switch# show mac address-table interface fa0/1 # Interface MAC table
Switch# show mac address-table dynamic # Dynamic MAC entries
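To act on these show commands across many ports rather than one at a time, the following added Python example (not part of the original guide) parses captured "show port-security interface" output and flags the conditions the sections above describe: ports in Secure-shutdown after a violation, ports in protect mode (where violations are invisible), and ports already at their MAC limit. The three sample outputs are constructed for the example and laid out like the real command output; field names are the ones the command prints.

```python
import re
from typing import Dict, List

# Constructed sample output, laid out like "show port-security interface <if>"
# on a Catalyst switch (three ports configured like the templates on this page).
SAMPLE_OUTPUT: Dict[str, str] = {
    "Fa0/1": """Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0034.5678.901c:10
Security Violation Count   : 1""",
    "Fa0/13": """Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 30 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 5
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:200
Security Violation Count   : 0""",
    "Fa0/20": """Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 60 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00aa.bbcc.dd01:10
Security Violation Count   : 0""",
}

# Each line is "<key, padded>   : <value>"; the lazy key match stops at the first
# whitespace-colon-whitespace, so "Last Source Address:Vlan" keeps its inner colon.
FIELD = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")


def parse_port_security(text: str) -> Dict[str, str]:
    """Turn the key/value lines of one port's output into a dict (values stay strings)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def audit_port(fields: Dict[str, str]) -> List[str]:
    """Checks a reviewer would make on one port; returns human-readable findings."""
    findings: List[str] = []
    if fields.get("Port Security") != "Enabled":
        return ["port security not enabled"]
    status = fields.get("Port Status", "")
    mode = fields.get("Violation Mode", "")
    violations = int(fields.get("Security Violation Count", "0"))
    maximum = int(fields.get("Maximum MAC Addresses", "0"))
    total = int(fields.get("Total MAC Addresses", "0"))
    if status == "Secure-shutdown":
        findings.append(f"err-disabled after {violations} violation(s); last source "
                        f"{fields.get('Last Source Address:Vlan')} - investigate before re-enabling")
    if mode == "Protect":
        findings.append("violation mode protect: violations are dropped silently "
                        "(no syslog, SNMP trap or counter); prefer restrict")
    if total >= maximum and status != "Secure-shutdown":
        findings.append(f"at address limit ({total}/{maximum}); the next new MAC is a violation")
    return findings


def audit_all(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every captured port; a port with no findings maps to an empty list."""
    return {port: audit_port(parse_port_security(text)) for port, text in outputs.items()}


if __name__ == "__main__":
    for port, findings in audit_all(SAMPLE_OUTPUT).items():
        print(port, findings or ["ok"])
```

Feed it the real output of each port (for example collected over SSH) in place of SAMPLE_OUTPUT; the checks are deliberately conservative, so add to audit_port whatever your own templates require (sticky ports whose configuration has not been saved cannot be detected from this output alone).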

Port Security Troubleshooting Guide:

bash
# Common Port Security Issues:

# 1. Port Goes to err-disabled State


Switch# show interfaces status | include err-disabled
Switch# show port-security interface fa0/1
# Causes: Violation occurred with shutdown action
# Solution: Clear violation and re-enable port
Switch(config)# interface fa0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

# 2. Automatic Recovery Configuration


Switch(config)# errdisable recovery cause psecure-violation # Enable auto-recovery
Switch(config)# errdisable recovery interval 300 # Recovery timer (seconds)
# Auto-recovery re-enables the port while the offending device may still be attached;
# the port then flaps back into err-disabled every interval until someone investigates.
Switch# show errdisable recovery # Verify configuration

# 3. MAC Address Not Learning


Switch# show port-security interface fa0/1
Switch# show mac address-table interface fa0/1
# Causes: Maximum already reached, aging not configured properly
# Solutions: Increase maximum, configure aging, clear aged MACs

# 4. Voice VLAN Issues


# Problem: IP phone and PC both need access
# Solution: Increase maximum and consider voice VLAN
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport voice vlan 100

# 5. Sticky MAC Addresses Not Saved


Switch# show running-config interface fa0/1
Switch# copy running-config startup-config # Save configuration
# Note: Sticky MACs are only saved when configuration is saved

# Clear Commands
Switch# clear port-security all # Clear all port security
Switch# clear port-security configured # Clear configured addresses
Switch# clear port-security dynamic interface fa0/1 # Clear dynamic on interface
Switch# clear port-security sticky interface fa0/1 # Clear sticky on interface

# Debug Commands (use carefully)


Switch# debug port-security # Debug port security events
Switch# debug sw-vlan notification mac # Debug MAC notifications
Switch# undebug all # Turn off debugging

Port Security Best Practices:

bash
# Configuration Templates:

# Template 1: Standard User Port


Switch(config)# interface range fa0/1-24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 2
Switch(config-if-range)# switchport port-security mac-address sticky
Switch(config-if-range)# switchport port-security violation restrict
Switch(config-if-range)# switchport port-security aging time 60
Switch(config-if-range)# switchport port-security aging type inactivity
# Note: the inactivity timer only ages dynamically learned addresses; sticky-learned
# entries are stored as static and are not removed by it.

# Template 2: IP Phone Ports


Switch(config)# interface range fa0/1-24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10 # Data VLAN
Switch(config-if-range)# switchport voice vlan 100 # Voice VLAN
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 3
Switch(config-if-range)# switchport port-security mac-address sticky
Switch(config-if-range)# switchport port-security violation restrict

# Template 3: High-Security Environment


Switch(config)# interface range fa0/1-12
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 1
Switch(config-if-range)# switchport port-security mac-address sticky
Switch(config-if-range)# switchport port-security violation shutdown
Switch(config-if-range)# switchport port-security aging time 0 # No aging

# Template 4: Guest/Conference Room Ports


Switch(config)# interface range fa0/13-16
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 200 # Guest VLAN
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# switchport port-security maximum 5
Switch(config-if-range)# switchport port-security violation restrict
Switch(config-if-range)# switchport port-security aging time 30
Switch(config-if-range)# switchport port-security aging type absolute

# Global Configuration
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 600 # 10-minute recovery
Switch(config)# snmp-server enable traps port-security # SNMP notifications

Port Security Integration with Other Features:

bash
# Port Security with 802.1X
# Both can coexist: 802.1X authenticates the user or device, port security limits
# the MAC addresses. A working 802.1X port also needs AAA, "dot1x system-auth-control"
# globally and "authentication port-control auto" on the interface; the lines below
# show only the coexistence, not a complete 802.1X configuration.
Switch(config)# interface fa0/1
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2

# Port Security with DHCP Snooping

# Complementary security features ("ip dhcp snooping" alone enables nothing; the
# VLANs must also be listed with "ip dhcp snooping vlan <id>" and the uplink to the
# real DHCP server marked trusted)
Switch(config)# ip dhcp snooping
Switch(config)# interface fa0/1
Switch(config-if)# switchport port-security
Switch(config-if)# ip dhcp snooping limit rate 10

# Port Security with Dynamic ARP Inspection

Switch(config)# ip arp inspection vlan 10
Switch(config)# interface fa0/1
Switch(config-if)# switchport port-security
Switch(config-if)# ip arp inspection trust # Only on uplinks to trusted switches; access ports
# for end hosts must stay untrusted, otherwise DAI never inspects their ARP traffic

2.5 Access Control Lists (ACLs) - Advanced Configuration

ACLs provide packet filtering capabilities to control network traffic flow and implement security policies.

Access Control List Fundamentals:

ACL Processing Logic:

bash
# ACL Processing Rules:
# 1. Processed top-down (first match wins)
# 2. Implicit deny at the end of every ACL
# 3. Applied inbound or outbound on interfaces
# 4. Numbered or named ACLs supported
# 5. Standard ACLs: Source IP only
# 6. Extended ACLs: Source, destination, protocol, ports

# ACL Best Practices:


# - Place extended ACLs close to source
# - Place standard ACLs close to destination
# - Use descriptive names for named ACLs
# - Document ACL purposes
# - Test thoroughly before implementation

Standard Access Control Lists:

bash
# Standard ACL Characteristics:
# - Numbers 1-99 and 1300-1999
# - Filter based on source IP address only
# - Less granular control
# - Lower processing overhead

# Numbered Standard ACL


Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255 # Permit network
Router(config)# access-list 10 permit host 192.168.1.100 # Permit specific host
Router(config)# access-list 10 permit 192.168.1.50 0.0.0.0 # Alternative host syntax
Router(config)# access-list 10 deny 192.168.2.0 0.0.0.255 # Deny network
Router(config)# access-list 10 permit any # Permit all others
# Note: Implicit deny any at the end

# Named Standard ACL


Router(config)# ip access-list standard MANAGEMENT_ACCESS
Router(config-std-nacl)# permit 192.168.100.0 0.0.0.255 # Management network
Router(config-std-nacl)# permit host 10.1.1.100 # Admin workstation
Router(config-std-nacl)# deny any log # Deny and log others
Router(config-std-nacl)# exit

# Apply Standard ACL to Interface


Router(config)# interface gi0/1
Router(config-if)# ip access-group 10 out # Outbound filtering
Router(config-if)# ip access-group MANAGEMENT_ACCESS in # Inbound filtering

# Apply to VTY Lines (Restrict Telnet/SSH access)


Router(config)# line vty 0 4
Router(config-line)# access-class 10 in # VTY access control

Extended Access Control Lists:

bash
# Extended ACL Characteristics:
# - Numbers 100-199 and 2000-2699
# - Filter based on multiple criteria:
# * Source and destination IP addresses
# * Protocol type (TCP, UDP, ICMP, etc.)
# * Source and destination port numbers
# * TCP flags, ICMP types, etc.

# Numbered Extended ACL Examples


Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80 # HTTP
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443 # HTTPS
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 21 # FTP (control channel only; cleartext)
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22 # SSH
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 23 # Telnet (cleartext; prefer SSH)
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 25 # SMTP
Router(config)# access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 53 # DNS
Router(config)# access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 67 # DHCP (server)
Router(config)# access-list 100 permit udp 192.168.1.0 0.0.0.255 any eq 68 # DHCP (client)
Router(config)# access-list 100 permit icmp any any # ICMP (all)
Router(config)# access-list 100 permit tcp any any established # Return traffic (only checks that ACK or RST is set; not a stateful check)
Router(config)# access-list 100 deny ip any any log # Deny and log all others

# Named Extended ACL (Recommended)
# Entries are evaluated top-down, so a deny for a specific destination has to come
# before the broader permit that would otherwise match first.
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# remark Block Facebook (one address only; placed before the general HTTPS permit)
Router(config-ext-nacl)# deny tcp any host 31.13.64.35 eq 443
Router(config-ext-nacl)# remark Allow HTTP and HTTPS from LAN to Internet
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# remark Allow return traffic
Router(config-ext-nacl)# permit tcp any 192.168.1.0 0.0.0.255 established
Router(config-ext-nacl)# remark Allow DNS
Router(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any eq 53
Router(config-ext-nacl)# remark Allow ICMP
Router(config-ext-nacl)# permit icmp 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)# remark Deny and log everything else
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit
# Blocking a site by a single IP address is porous (large sites use many addresses);
# it is shown here for the ordering lesson, not as a content-filtering method.

# Port Range Specifications


Router(config-ext-nacl)# permit tcp any any range 20 21 # FTP data and control
Router(config-ext-nacl)# permit tcp any any range 1024 65535 # Unprivileged ports
Router(config-ext-nacl)# permit udp any any lt 1024 # Well-known UDP ports
Router(config-ext-nacl)# permit tcp any any gt 1023 # High ports

# Advanced Extended ACL Examples


Router(config)# ip access-list extended ADVANCED_FILTERING
Router(config-ext-nacl)# remark Block Telnet but allow SSH
Router(config-ext-nacl)# deny tcp any any eq 23
Router(config-ext-nacl)# permit tcp any any eq 22
Router(config-ext-nacl)# remark Allow specific ICMP types
Router(config-ext-nacl)# permit icmp any any echo-reply # Ping replies
Router(config-ext-nacl)# permit icmp any any unreachable # Destination unreachable
Router(config-ext-nacl)# permit icmp any any time-exceeded # Time exceeded
Router(config-ext-nacl)# deny icmp any any # Block other ICMP
Router(config-ext-nacl)# remark Allow specific host to any service
Router(config-ext-nacl)# permit ip host 192.168.1.100 any
Router(config-ext-nacl)# exit

Time-Based Access Control Lists:

bash
# Time-based ACLs allow filtering based on time of day and day of week
# Useful for business hour restrictions, maintenance windows, etc.
# Define Time Range
Router(config)# time-range BUSINESS_HOURS
Router(config-time-range)# periodic weekdays 08:00 to 18:00 # Monday-Friday 8AM-6PM
Router(config-time-range)# exit

Router(config)# time-range MAINTENANCE_WINDOW


Router(config-time-range)# periodic Sunday 02:00 to 06:00 # Sunday 2AM-6AM
Router(config-time-range)# exit

Router(config)# time-range WEEKEND


Router(config-time-range)# periodic Saturday Sunday 00:00 to 23:59
Router(config-time-range)# exit

Router(config)# time-range HOLIDAY_SHUTDOWN


Router(config-time-range)# absolute start 00:00 25 December 2024 end 23:59 1 January 2025
Router(config-time-range)# exit

# Apply Time Range to ACL


Router(config)# ip access-list extended TIME_BASED_ACCESS
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 80 time-range BUSINESS_HOURS
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 443 time-range BUSINESS_HOURS
Router(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 any eq 80 time-range WEEKEND
Router(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 any eq 443 time-range WEEKEND
Router(config-ext-nacl)# permit tcp any any eq 22 # SSH always allowed
Router(config-ext-nacl)# deny ip any any time-range HOLIDAY_SHUTDOWN log
Router(config-ext-nacl)# permit ip any any # Default permit
Router(config-ext-nacl)# exit
# An entry whose time-range is inactive is skipped, so weekday web traffic outside
# BUSINESS_HOURS falls through to the final "permit ip any any". Time-based entries
# are only as good as the router clock: configure NTP and check "show clock" before
# trusting them.

# Verify Time Ranges


Router# show time-range # All time ranges
Router# show time-range BUSINESS_HOURS # Specific time range
Router# show clock # Current time

Object Groups for ACL Simplification:

bash
# Network Object Groups
Router(config)# object-group network INTERNAL_NETWORKS
Router(config-network-group)# 192.168.1.0 255.255.255.0
Router(config-network-group)# 192.168.2.0 255.255.255.0
Router(config-network-group)# 10.1.1.0 255.255.255.0
Router(config-network-group)# exit

Router(config)# object-group network WEB_SERVERS


Router(config-network-group)# host 192.168.100.10
Router(config-network-group)# host 192.168.100.11
Router(config-network-group)# host 192.168.100.12
Router(config-network-group)# exit

# Service Object Groups


Router(config)# object-group service WEB_SERVICES
Router(config-service-group)# tcp eq 80
Router(config-service-group)# tcp eq 443
Router(config-service-group)# tcp eq 8080
Router(config-service-group)# exit

Router(config)# object-group service MAIL_SERVICES


Router(config-service-group)# tcp eq 25 # SMTP
Router(config-service-group)# tcp eq 110 # POP3
Router(config-service-group)# tcp eq 143 # IMAP
Router(config-service-group)# tcp eq 993 # IMAPS
Router(config-service-group)# tcp eq 995 # POP3S
Router(config-service-group)# exit

# Use Object Groups in ACLs


Router(config)# ip access-list extended OBJECT_GROUP_ACL
Router(config-ext-nacl)# permit object-group WEB_SERVICES object-group INTERNAL_NETWORKS object-group WEB_SERVERS
Router(config-ext-nacl)# permit object-group MAIL_SERVICES object-group INTERNAL_NETWORKS any
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit

Comprehensive ACL Verification and Management:

bash
# Display ACLs
Router# show access-lists # All ACLs
Router# show access-lists 100 # Specific numbered ACL
Router# show ip access-lists # IP ACLs only
Router# show ip access-lists WEB_TRAFFIC # Specific named ACL

# ACL Statistics and Hit Counts


Router# show access-lists 100 # Shows hit counts
Router# show ip access-lists WEB_TRAFFIC # Named ACL with statistics
# Interface ACL Assignment
Router# show ip interface gi0/1 | include access # Interface ACL assignment
Router# show running-config interface gi0/1 # Interface configuration

# Clear ACL Statistics


Router# clear access-list counters # Clear all counters
Router# clear access-list counters 100 # Clear specific ACL counters
Router# clear access-list counters WEB_TRAFFIC # Clear named ACL counters

# ACL Debugging (use carefully in production)


Router# debug ip packet 100 # Debug packets matching ACL 100
Router# debug ip packet detail # Detailed packet debugging
Router# undebug all # Turn off debugging
# debug ip packet only shows process-switched packets; CEF-switched traffic
# (the normal case) is not displayed, so a silent debug does not mean no traffic.

# Logging ACL Matches

Router(config)# logging buffered 8192 # Configure log buffer
Router(config)# logging console warnings # Console logging level (ACL log messages are level 6 informational, so they reach the buffer, not the console)
Router# show logging | include IPACCESSLOG # ACL log messages (%SEC-6-IPACCESSLOGP, IPACCESSLOGDP, ...)
Router# clear logging # Clear log buffer
# "log" entries cost CPU (matching packets are punted) and messages are rate-limited;
# log on deny entries and on specific permits, not on every line.

ACL Troubleshooting Guide:

bash
# Common ACL Issues and Solutions:

# 1. Traffic Not Matching ACL Entries


Router# show access-lists 100 # Check hit counts
Router# show ip interface gi0/1 # Verify ACL application
Router# debug ip packet 100 detail # Debug packet processing

# 2. ACL Applied in Wrong Direction


Router# show running-config interface gi0/1
# Remember: Extended ACLs typically applied inbound close to source
# Standard ACLs typically applied outbound close to destination

# 3. Implicit Deny Blocking Traffic


Router(config)# ip access-list extended TEST_ACL
Router(config-ext-nacl)# 15 permit icmp any any # Insert statement at line 15
Router(config-ext-nacl)# exit

# 4. Incorrect Wildcard Masks


# Subnet mask 255.255.255.0 = Wildcard mask 0.0.0.255
# Subnet mask 255.255.255.252 = Wildcard mask 0.0.0.3
# Host = wildcard mask 0.0.0.0 or use "host" keyword

# 5. ACL Order Issues (First Match Wins)


Router(config)# ip access-list extended REORDER_ACL
Router(config-ext-nacl)# no 10 # Remove line 10
Router(config-ext-nacl)# 5 permit tcp host 192.168.1.100 any # Insert before general rule
Router(config-ext-nacl)# exit

# ACL Optimization Tips


Router# show access-lists 100 | include \( # Show hit counts
# Place most frequently matched rules at top
# Remove unused ACL entries
# Combine similar rules where possible
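The processing rules at the start of this section (top-down, first match wins, implicit deny, wildcard masks) and the "ACL Order Issues" note above are easy to state and easy to get wrong in a long list. The following added Python example (not from the original guide) models that evaluation for the subset of extended-ACL syntax used on this page and runs the WEB_TRAFFIC list with the Facebook deny placed after the general HTTPS permit, the ordering mistake the first-match rule warns against. The LAN range and the 31.13.64.35 address are the page's; the Packet fields and the helper names are assumptions made for the example, and the parser does not handle source-port operators, port ranges or ICMP types.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """An IOS wildcard is the inverted subnet mask: 0.0.0.255 -> /24, 0.0.0.3 -> /30.
    Non-contiguous wildcards (e.g. 0.0.255.0) are valid IOS but not modelled here."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)


@dataclass
class Entry:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination "eq <port>", if present
    established: bool            # TCP ACK/RST flag check only, not a stateful check
    hits: int = 0                # like the "(N matches)" counter in show access-lists


@dataclass
class Packet:                    # assumed minimal packet model for the example
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False            # True for a reply segment (ACK or RST set)


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one permit/deny line of the syntax subset used on this page."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _address(t, 2)
    dst, i = _address(t, i)
    dport, established = None, False
    while i < len(t):
        if t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        elif t[i] == "established":
            established, i = True, i + 1
        elif t[i] == "log":
            i += 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Entry(action, proto, src, dst, dport, established)


class Acl:
    """Top-down, first-match evaluation with the implicit deny at the end."""

    def __init__(self, lines: List[str]):
        self.entries = [parse_entry(l) for l in lines
                        if l.split() and l.split()[0] in ("permit", "deny")]
        self.implicit_deny_hits = 0

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, entry number that matched); None means the implicit deny."""
        for n, e in enumerate(self.entries, start=1):
            if self._matches(e, pkt):
                e.hits += 1
                return e.action, n
        self.implicit_deny_hits += 1
        return "deny", None

    @staticmethod
    def _matches(e: Entry, p: Packet) -> bool:
        if e.proto != "ip" and e.proto != p.proto:
            return False
        if ipaddress.IPv4Address(p.src) not in e.src or ipaddress.IPv4Address(p.dst) not in e.dst:
            return False
        if e.dport is not None and e.dport != p.dport:
            return False
        return p.ack or not e.established


# WEB_TRAFFIC with the Facebook deny after the general HTTPS permit (the ordering mistake).
WEB_TRAFFIC = [
    "permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "permit tcp 192.168.1.0 0.0.0.255 any eq 443",
    "permit tcp any 192.168.1.0 0.0.0.255 established",
    "deny tcp any host 31.13.64.35 eq 443",
    "permit udp 192.168.1.0 0.0.0.255 any eq 53",
    "permit icmp 192.168.1.0 0.0.0.255 any",
    "deny ip any any log",
]


def ordering_demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]]]:
    """Same packet, two orderings: the deny only takes effect when it precedes the permit."""
    facebook = Packet("tcp", "192.168.1.25", "31.13.64.35", 443)
    as_written = Acl(WEB_TRAFFIC)
    fixed = Acl([WEB_TRAFFIC[3]] + WEB_TRAFFIC[:3] + WEB_TRAFFIC[4:])   # deny moved to the top
    return as_written.evaluate(facebook), fixed.evaluate(facebook)


if __name__ == "__main__":
    print(ordering_demo())                                                                # (('permit', 2), ('deny', 1))
    acl = Acl(WEB_TRAFFIC)
    print(acl.evaluate(Packet("tcp", "93.184.216.34", "192.168.1.25", 51000, ack=True)))  # ('permit', 3) via established
    print(acl.evaluate(Packet("tcp", "93.184.216.34", "192.168.1.25", 445)))              # ('deny', 7) explicit deny
    print(Acl(WEB_TRAFFIC[:-1]).evaluate(Packet("tcp", "192.168.2.7", "8.8.8.8", 80)))    # ('deny', None) implicit deny
```

The hit counters on each Entry mirror what "show access-lists" reports: in the as-written ordering the Facebook deny never accumulates matches, which is exactly the symptom to look for on a real router before concluding that an entry is wrong rather than merely shadowed. The established check also makes the weakness visible: any inbound segment with ACK set is accepted by entry 3, which is why the page's later reflexive-ACL and CBAC material exists.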

Advanced ACL Features:

bash
# Reflexive ACLs (Session-based filtering)
# OUTBOUND is applied outbound and INBOUND inbound on the same Internet-facing
# interface with ip access-group; each "reflect" match creates a temporary mirror
# entry that the "evaluate" line consults, so only replies to sessions started
# from inside are admitted.
Router(config)# ip access-list extended OUTBOUND
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any reflect TCP_TRAFFIC
Router(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any reflect UDP_TRAFFIC
Router(config-ext-nacl)# exit

Router(config)# ip access-list extended INBOUND
Router(config-ext-nacl)# evaluate TCP_TRAFFIC # Allow return traffic
Router(config-ext-nacl)# evaluate UDP_TRAFFIC # Allow return traffic
Router(config-ext-nacl)# deny ip any any log # Block everything else
Router(config-ext-nacl)# exit

# Dynamic ACLs (Lock and Key)
Router(config)# username user1 secret cisco123 # "secret" stores a hash; "password" is reversible
Router(config)# access-list 101 dynamic TEMP_ACCESS timeout 10 permit ip any any
Router(config)# access-list 101 permit tcp any host 192.168.1.1 eq telnet
Router(config)# access-list 101 deny ip any any

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# autocommand access-enable host timeout 10
# After a successful login the dynamic entry is opened for the authenticating host only
# ("access-enable host"). Telnet sends the credentials in cleartext; use SSH for the login.

# Context-Based Access Control (CBAC) - Legacy
# Superseded by the Zone-Based Policy Firewall on current IOS releases.
Router(config)# ip inspect name FIREWALL tcp timeout 300
Router(config)# ip inspect name FIREWALL udp timeout 60
Router(config)# interface gi0/1
Router(config-if)# ip inspect FIREWALL out # Inspect outbound traffic

2.6 Site-to-Site VPN - In-Depth Configuration

Overview

Site-to-Site VPNs connect two remote networks securely over an untrusted network
(typically the Internet) by creating an encrypted “tunnel.”

Components:

• IKE Phase 1: Establishes secure, authenticated channel (ISAKMP SA).


• IKE Phase 2: Negotiates IPSec parameters (SA) to encrypt data.
• Encryption & Authentication: Choose secure algorithms and keys.
• Interesting Traffic: Defined by ACLs to determine traffic encrypted.
• Crypto Map: Links policies and binds to interface.

Step 1: Initial Setup

Set Hostname and Domain Name

bash
Router(config)# hostname HQ-Router
HQ-Router(config)# ip domain-name company.com

Domain name is mandatory for generating crypto keys.

Step 2: Generate RSA Keys for IKE (SSH and ISAKMP)

bash
HQ-Router(config)# crypto key generate rsa modulus 2048

Generate RSA keys for secure IKE negotiation.

Step 3: Enable ISAKMP and Configure Phase 1 Policies

bash
HQ-Router(config)# crypto isakmp policy 10
HQ-Router(config-isakmp)# authentication pre-share
HQ-Router(config-isakmp)# encryption aes 256
HQ-Router(config-isakmp)# hash sha256
HQ-Router(config-isakmp)# group 14
HQ-Router(config-isakmp)# lifetime 86400
HQ-Router(config-isakmp)# exit

• Authentication: Choose pre-shared key or certificates.


• Encryption: AES-256 preferred for strong encryption.
• Hash: SHA256 for data integrity.
• Group: DH Group 14 (2048-bit) for key exchange.
• Lifetime: How long SA is valid (seconds).

Step 4: Configure Pre-shared Key for Peers

bash
HQ-Router(config)# crypto isakmp key YourPreSharedKey address 203.0.113.10

Replace 203.0.113.10 with remote peer IP.

Step 5: Configure IPSec Transform Set (Phase 2)

bash
HQ-Router(config)# crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
HQ-Router(cfg-crypto-trans)# mode tunnel
HQ-Router(cfg-crypto-trans)# exit

Defines encryption (AES-256) and integrity (HMAC-SHA-256) for the data. Note that "esp-aes" without a key size means AES-128, and the integrity transform is named esp-sha256-hmac. Tunnel mode is the default for a site-to-site crypto map.

Step 6: Define Interesting Traffic with Access List

bash
HQ-Router(config)# access-list 110 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255

The crypto ACL lists local-to-remote traffic only (here HQ's 10.1.1.0/24 to the branch's 192.168.1.0/24); the branch router uses the mirror image (192.168.1.0/24 to 10.1.1.0/24). Do not put both directions in one side's ACL: the extra entry proposes a security association the peer has no matching policy for. Anything this ACL does not match leaves the interface unencrypted. If the same interface also does NAT overload, exempt the VPN traffic from NAT (a deny for 10.1.1.0/24 to 192.168.1.0/24 at the top of the NAT ACL), otherwise the translated packets no longer match ACL 110 and never enter the tunnel.


Step 7: Create and Apply Crypto Map

bash
HQ-Router(config)# crypto map VPN-MAP 10 ipsec-isakmp
HQ-Router(config-crypto-map)# set peer 203.0.113.10
HQ-Router(config-crypto-map)# set transform-set TS
HQ-Router(config-crypto-map)# match address 110
HQ-Router(config-crypto-map)# set pfs group14
HQ-Router(config-crypto-map)# exit

• Peer: Remote VPN gateway IP.


• Transform-set: Reference phase 2 settings.
• Match address: Reference ACL defining “interesting” traffic.
• PFS: Perfect Forward Secrecy, optional but recommended.

Step 8: Bind Crypto Map to the Interface

bash
HQ-Router(config)# interface GigabitEthernet0/0
HQ-Router(config-if)# crypto map VPN-MAP
HQ-Router(config-if)# ip address 198.51.100.1 255.255.255.252
HQ-Router(config-if)# no shutdown

• Interface facing internet.

Step 9: Configure Remote VPN Gateway (Mirror Configuration)

Repeat above steps on remote router (replace IP addresses accordingly).

Step 10: Verify VPN Status and Debug

bash
HQ-Router# show crypto isakmp sa
# Displays Phase 1 (IKE) Security Associations

HQ-Router# show crypto ipsec sa


# Displays Phase 2 (IPSec) Security Associations including packets
encrypted/decrypted.

HQ-Router# show crypto map


# Shows crypto map binding and configuration.

HQ-Router# ping 192.168.1.1 source 10.1.1.1


# Test connectivity through VPN tunnel.

HQ-Router# debug crypto isakmp


HQ-Router# debug crypto ipsec
# Use for detailed troubleshooting (use cautiously).

Additional Security

• Use long, random pre-shared keys (or certificate authentication) and rotate them; the key is visible in the running configuration, so protect configuration backups too.
• Place the tunnel endpoints behind, or on, a firewall that only admits UDP/500, UDP/4500 and ESP (IP protocol 50) from the known peer address.
• Enable logging and monitor for anomalies (repeated Phase 1 failures, security associations appearing from unexpected peers).
• NAT traversal (UDP/4500 encapsulation) is negotiated automatically when a NAT device sits between the peers; make sure UDP/4500 is permitted end to end.
• Exempt tunnel traffic from any NAT overload configured on the same interface (see Step 6).
• The IKEv1 crypto-map design shown here is the legacy form; new deployments should prefer IKEv2 with a virtual tunnel interface.

DHCP – Dynamic Host Configuration Protocol: Detailed Configuration and Options

DHCP Server Overview:

• Automates IP address assignment.


• Provides additional parameters: subnet mask, default gateway, DNS servers,
lease duration, domain name, TFTP servers, etc.
• Supports reservation/static binding for specific MAC addresses.
• Can provide options like NTP servers, WINS servers, boot filename.

Basic Cisco DHCP Server Configuration:

bash
# Exclude addresses (reserved/not assigned dynamically)
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10

# Define DHCP pool


Router(config)# ip dhcp pool LAN_POOL
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
Router(dhcp-config)# lease 7 # lease duration in days
Router(dhcp-config)# domain-name company.local
Router(dhcp-config)# exit

Advanced DHCP Pool Options:

bash
# Define Bootfile and Next Server (common in PXE boot environments)
Router(dhcp-config)# bootfile filename.bin
Router(dhcp-config)# next-server 192.168.1.254

# Configure DHCP option 150 (common for Cisco IP Phone TFTP server)
Router(dhcp-config)# option 150 ip 192.168.1.100

# Configure class or vendor-specific options
# Note: on IOS, DHCP classes are defined globally with "ip dhcp class <name>" and
# match on option 60 (hex) or relay-agent information; inside a pool a class
# normally only selects an address range. The per-class option syntax shown below
# is not available on every IOS release; verify it on your platform.

Router(dhcp-config)# class cisco-phone
Router(class)# match vendor-class Cisco-Phone
Router(class)# next-server 192.168.1.100
Router(class)# option 150 ip 192.168.1.100

Static DHCP Bindings:

bash
# Bind specific IP to MAC address
Router(config)# ip dhcp pool PRINTER
Router(dhcp-config)# host 192.168.1.100 255.255.255.0
Router(dhcp-config)# client-identifier 0100.1111.2222.3333
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# exit

DHCP Relay (Helper) Configuration:

bash
# Enable DHCP relay on non-DHCP server interfaces
Router(config)# interface vlan 20
Router(config-if)# ip helper-address 192.168.1.254
Router(config-if)# exit

The relay forwards broadcast DHCP requests as unicast to the DHCP server. By default ip helper-address also forwards other UDP broadcasts (TFTP 69, DNS 53, TIME 37, NetBIOS 137/138, TACACS 49); use "no ip forward-protocol udp <port>" to drop the ones you do not need.


Verification and Troubleshooting:

bash
show ip dhcp binding # Displays current leases
show ip dhcp pool # Pool statistics and usage
show ip dhcp conflict # Lease conflicts
debug ip dhcp server packet # DHCP server packet debug ("debug dhcp detail" is the client-side debug)

clear ip dhcp binding * # Clear all leases
clear ip dhcp conflict * # Clear all conflicts

DNS – Domain Name System: Detailed Configuration

DNS server Basics:

• Maps domain names to IP addresses.


• Operates via zones (authoritative areas).
• Supports recursive resolutions, caching.
• Zones: Primary (master), Secondary (slave).
• Supports forwarders for external queries.

Common BIND DNS Server Configuration Concepts:

• Zone files: Hold domain data.


• Forward zone: Maps names to IPs.
• Reverse zone: Maps IPs to names.
• Caching: Improves query speed.
• Forwarders: Sends unresolved queries to upstream servers.

Primary Zone Configuration (named.conf example):

bash
zone "example.com" {
type master;
file "/etc/named/example.com.zone";
allow-update { none; };
};

Secondary Zone Configuration:


bash
zone "example.com" {
type slave;
masters { 192.168.1.1; };
file "/var/named/slaves/example.com.zone";
};

Zone File Example:

bash
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. (
2023080101 ; serial
3600 ; refresh (1 hour)
1800 ; retry (30 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)

IN NS ns1.example.com.
IN NS ns2.example.com.

ns1 IN A 192.168.1.10
ns2 IN A 192.168.1.11
www IN A 192.168.1.20
ftp IN CNAME www

Forwarder Configuration in named.conf:

bash
options {
forwarders {
8.8.8.8;
8.8.4.4;
};
};

Windows DNS server settings:

• Zones configured via GUI or PowerShell.


• Supports Active Directory integration.
• Supports dynamic updates.

DNS Troubleshooting:

bash
show hosts # Check hostname resolution (Cisco)
nslookup example.com # Query domain
dig example.com # Advanced queries (Linux)

Show-DnsServerCache # Windows DNS server cache (PowerShell, DnsServer module)
ipconfig /flushdns # Flush DNS client cache (Windows)

debug domain # Cisco IOS DNS debugging

First Hop Redundancy Protocols (FHRP) - Detailed Configuration

Problem: Single point of failure when hosts use only one default gateway.
Solution: Multiple routers share a virtual IP address as the default gateway.

HSRP (Hot Standby Router Protocol) - Cisco Proprietary

Characteristics:

• Active/Standby model (one router forwards, others standby)


• Virtual IP address shared between routers
• Preemption allows higher priority router to take over
• Hello messages every 3 seconds, hold time 10 seconds
• HSRPv1 uses multicast 224.0.0.2 and UDP port 1985; HSRPv2 uses 224.0.0.102 on the same port

bash
# Primary Router Configuration
Router1(config)# interface GigabitEthernet0/1
Router1(config-if)# ip address 192.168.1.2 255.255.255.0
Router1(config-if)# standby 1 ip 192.168.1.1 # Virtual IP
Router1(config-if)# standby 1 priority 110 # Higher priority (default 100)
Router1(config-if)# standby 1 preempt # Take over when available
Router1(config-if)# standby 1 preempt delay minimum 60 # Wait 60 seconds before preempting
Router1(config-if)# standby 1 timers 1 3 # Hello 1 sec, hold 3 sec
Router1(config-if)# standby 1 authentication text cisco123 # Cleartext; "standby 1 authentication md5 key-string <key>" is preferred
Router1(config-if)# standby 1 track GigabitEthernet0/0 20 # Track interface, decrement priority by 20

# Secondary Router Configuration


Router2(config)# interface GigabitEthernet0/1
Router2(config-if)# ip address 192.168.1.3 255.255.255.0
Router2(config-if)# standby 1 ip 192.168.1.1 # Same virtual IP
Router2(config-if)# standby 1 priority 90 # Lower priority
Router2(config-if)# standby 1 preempt
Router2(config-if)# standby 1 timers 1 3
Router2(config-if)# standby 1 authentication text cisco123

# Advanced HSRP Features


Router1(config-if)# standby 1 name HSRP_GROUP1 # Group name
Router1(config-if)# standby version 2 # HSRPv2 (supports IPv6, group numbers up to 4095); version must match on all routers in the group
Router1(config-if)# standby 1 mac-address 0000.0c07.ac01 # Custom MAC address

# Verification Commands
Router# show standby # All HSRP groups
Router# show standby brief # Brief status
Router# show standby GigabitEthernet0/1 # Specific interface
Router# debug standby # HSRP debugging
Router# show track # Object tracking status

VRRP (Virtual Router Redundancy Protocol) - Industry Standard

Characteristics:

• Master/Backup model (RFC 3768)


• Priority range 1-254 (255 reserved for owner)
• Advertisement interval 1 second (default)
• Uses multicast 224.0.0.18

bash
# Master Router Configuration
Router1(config)# interface GigabitEthernet0/1
Router1(config-if)# ip address 192.168.1.2 255.255.255.0
Router1(config-if)# vrrp 1 ip 192.168.1.1 # Virtual IP
Router1(config-if)# vrrp 1 priority 120 # Higher priority
Router1(config-if)# vrrp 1 preempt # Enable preemption (on by default in IOS)
Router1(config-if)# vrrp 1 preempt delay minimum 60 # Preemption delay
Router1(config-if)# vrrp 1 timers advertise 1 # Advertisement interval
Router1(config-if)# vrrp 1 timers learn # Learn timers from master
Router1(config-if)# vrrp 1 authentication text cisco123 # Cleartext authentication
Router1(config-if)# vrrp 1 track 1 decrement 30 # Object tracking

# Backup Router Configuration


Router2(config)# interface GigabitEthernet0/1
Router2(config-if)# ip address 192.168.1.3 255.255.255.0
Router2(config-if)# vrrp 1 ip 192.168.1.1 # Same virtual IP
Router2(config-if)# vrrp 1 priority 100 # Lower priority (default)
Router2(config-if)# vrrp 1 timers advertise 1
Router2(config-if)# vrrp 1 authentication text cisco123

# VRRP Object Tracking


Router1(config)# track 1 interface GigabitEthernet0/0 line-protocol
Router1(config-track)# exit

# Verification Commands
Router# show vrrp # All VRRP groups
Router# show vrrp brief # Brief status
Router# show vrrp interface GigabitEthernet0/1 # Specific interface
Router# debug vrrp # VRRP debugging

GLBP (Gateway Load Balancing Protocol) - Cisco Proprietary

Characteristics:

• Provides load balancing (not just redundancy)
• One AVG (Active Virtual Gateway) and up to four AVFs (Active Virtual Forwarders) per group
• The AVG answers ARP for the virtual IP and hands each host one AVF's virtual MAC, so every router forwards at the same time
• Virtual MACs are 0007.b400.XXYY (XX = group number, YY = forwarder number)

bash
# Router 1 Configuration
Router1(config)# interface GigabitEthernet0/1
Router1(config-if)# ip address 192.168.1.2 255.255.255.0
Router1(config-if)# glbp 1 ip 192.168.1.1                       # Virtual IP
Router1(config-if)# glbp 1 priority 120                         # AVG election priority
Router1(config-if)# glbp 1 preempt                              # Enable AVG preemption (off by default in GLBP)
Router1(config-if)# glbp 1 preempt delay minimum 60             # Wait 60 s before preempting
Router1(config-if)# glbp 1 timers 3 10                          # Hello 3 s, hold 10 s
Router1(config-if)# glbp 1 load-balancing round-robin           # Load-balancing method
Router1(config-if)# glbp 1 authentication md5 key-string cisco123   # MD5 authentication ("authentication text" is cleartext and easily spoofed)

# Router 2 Configuration
Router2(config)# interface GigabitEthernet0/1
Router2(config-if)# ip address 192.168.1.3 255.255.255.0
Router2(config-if)# glbp 1 ip 192.168.1.1                       # Same virtual IP
Router2(config-if)# glbp 1 priority 100                         # Lower priority
Router2(config-if)# glbp 1 timers 3 10
Router2(config-if)# glbp 1 load-balancing round-robin
Router2(config-if)# glbp 1 authentication md5 key-string cisco123   # Must match Router 1

# Load Balancing Options
Router1(config-if)# glbp 1 load-balancing host-dependent        # A given host always gets the same AVF (needed when stateful firewalls/NAT sit behind the gateways)
Router1(config-if)# glbp 1 load-balancing weighted              # Hand-outs proportional to each AVF's weight

# Weighting and Tracking
Router1(config-if)# glbp 1 weighting 100 lower 80 upper 90      # Below 80 the router stops forwarding; it resumes only once back above 90
Router1(config-if)# glbp 1 weighting track 1 decrement 30       # Object 1 down: 100 - 30 = 70, which crosses the lower threshold (a decrement of 20 would stop at 80 and change nothing)

# Verification Commands
Router# show glbp                                               # All GLBP groups
Router# show glbp brief                                         # Brief status
Router# show glbp GigabitEthernet0/1                            # Specific interface
Router# debug glbp                                              # GLBP debugging

NAT (Network Address Translation) - Complete Implementation

Static NAT (One-to-One Mapping)

Use Case: Servers that need consistent external IP addresses. A static mapping is bidirectional: every port of the inside host is reachable at the global address, so pair it with an inbound ACL on the outside interface (or use the port-specific form) to expose only the intended services.

bash
# Configure Inside and Outside Interfaces
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside                                # Internal network interface
Router(config-if)# exit

Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside                               # External network interface
Router(config-if)# exit

# Static NAT Mappings (inside local -> inside global)
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10   # Web server
Router(config)# ip nat inside source static 192.168.1.11 203.0.113.11   # Mail server
Router(config)# ip nat inside source static 192.168.1.12 203.0.113.12   # Database server (ask whether it really needs a public address)

# Port-Specific Static NAT (only the listed port is exposed)
Router(config)# ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 8080   # 203.0.113.10:8080 -> 192.168.1.10:80
Router(config)# ip nat inside source static udp 192.168.1.11 53 203.0.113.11 5353   # 203.0.113.11:5353 -> 192.168.1.11:53

# Verification Commands
Router# show ip nat translations                                # Active translations (static entries are always listed)
Router# show ip nat translations verbose                        # Detailed translations with timers
Router# show ip nat statistics                                  # NAT statistics
Router# clear ip nat translation *                              # Clear all dynamic translations (static entries stay)

Dynamic NAT (Pool-Based Translation)

Use Case: Multiple internal hosts sharing a pool of external IP addresses, one address per host at a time. When the pool is exhausted, new flows fail (counted as "misses" in show ip nat statistics); PAT below avoids that.

bash
# Define Internal Hosts (Access List)
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255      # Allow entire subnet
Router(config)# access-list 1 permit 192.168.2.0 0.0.0.255      # Allow another subnet
Router(config)# access-list 1 deny any                          # Explicit deny (implicit anyway); never "permit any" in a NAT ACL

# Create NAT Pool
Router(config)# ip nat pool NATPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router(config)# ip nat pool NATPOOL2 203.0.113.30 203.0.113.40 prefix-length 24   # Same thing written with a prefix length

# Map Access List to Pool
Router(config)# ip nat inside source list 1 pool NATPOOL        # Dynamic NAT

# Pool Types (re-entering "ip nat pool NATPOOL" with new options replaces the existing definition, so use distinct names)
Router(config)# ip nat pool HOSTPOOL 203.0.113.1 203.0.113.254 netmask 255.255.255.0 type match-host   # Keep the host part of the inside address
Router(config)# ip nat pool SRVPOOL 10.1.1.1 10.1.1.2 netmask 255.255.255.0 type rotary   # Rotary pools serve "ip nat inside destination" (TCP server load balancing), not source NAT

# Verification Commands
Router# show ip nat statistics                                  # Pool definition, addresses allocated, misses
Router# show running-config | include ip nat pool               # Pool configuration
Router# show ip nat translations                                # Active translations

PAT (Port Address Translation) - NAT Overload

Use Case: Many internal hosts sharing one or a few external IP addresses; flows are told apart by source port, so one address carries roughly 64,000 concurrent translations per protocol.

bash
# PAT with Interface Overload (Most Common)
Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255    # 192.168.0.0/16 only (add 10.0.0.0/8 and 172.16.0.0/12 lines for all RFC 1918 space)
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

# PAT with Pool Overload
Router(config)# ip nat pool PATPOOL 203.0.113.10 203.0.113.15 netmask 255.255.255.0
Router(config)# ip nat inside source list 1 pool PATPOOL overload

# Named Access List for PAT
Router(config)# ip access-list standard INSIDE_HOSTS
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# permit 192.168.2.0 0.0.0.255
Router(config-std-nacl)# permit 10.1.1.0 0.0.0.255
Router(config-std-nacl)# exit
Router(config)# ip nat inside source list INSIDE_HOSTS interface GigabitEthernet0/1 overload

# Port Forwarding (Static PAT on the outside interface address)
Router(config)# ip nat inside source static tcp 192.168.1.10 80 interface GigabitEthernet0/1 8080   # outside:8080 -> 192.168.1.10:80
Router(config)# ip nat inside source static udp 192.168.1.11 53 interface GigabitEthernet0/1 53     # outside:53 -> 192.168.1.11:53 (an open resolver if that server recurses for anyone)

# Translation Timeouts (shorter timeouts free ports faster; too short breaks long-idle sessions)
Router(config)# ip nat translation timeout 300                  # Translations not covered by the protocol timers (default 86400 s)
Router(config)# ip nat translation tcp-timeout 3600             # Established TCP (default 86400 s)
Router(config)# ip nat translation udp-timeout 300              # UDP (default 300 s)
Router(config)# ip nat translation dns-timeout 60               # DNS (default 60 s)
Router(config)# ip nat translation icmp-timeout 60              # ICMP (default 60 s)

NAT Troubleshooting and Verification

bash
# Comprehensive Verification
Router# show ip nat translations                                # All active translations
Router# show ip nat translations | include 192.168.1.10         # Translations for one inside host
Router# show ip nat translations | include 203.0.113.10         # Translations for one global address
Router# show ip nat translations verbose                        # Adds create/use times and remaining timeout
Router# show ip nat statistics                                  # Hits, misses, pool usage, inside/outside interfaces
Router# show running-config | include nat                       # NAT configuration

# Clear NAT Translations (syntax: inside <global-ip> <local-ip>; tcp/udp add <global-port> and <local-port>)
Router# clear ip nat translation *                              # Clear all dynamic translations
Router# clear ip nat translation inside 203.0.113.10 192.168.1.10
Router# clear ip nat translation tcp inside 203.0.113.10 8080 192.168.1.10 80

# NAT Debugging (per-packet output; on a busy router limit it with an ACL: "debug ip nat <acl>")
Router# debug ip nat                                            # One line per translated packet
Router# debug ip nat detailed                                   # Adds translation creation and removal
Router# undebug all                                             # Turn off debugging

# Troubleshooting order: 1) are the interfaces marked inside/outside? 2) does the ACL permit the source?
# 3) is there a route toward the outside? 4) misses in "show ip nat statistics" mean the pool is exhausted
# or the packet never matched the ACL.

NTP (Network Time Protocol) - Time Synchronization

Importance: Accurate timestamps for logs, certificate validity checks, authentication (Kerberos, TOTP) and incident correlation across devices. Unauthenticated NTP is also an attack surface: a spoofed server can shift the clock and make expired certificates valid again or valid ones expire.

Basic NTP Configuration

bash
# Configure NTP Client
Router(config)# ntp server 129.6.15.28                          # NIST time server (time-a.nist.gov)
Router(config)# ntp server pool.ntp.org                         # Hostname: needs "ip name-server" and DNS lookup enabled
Router(config)# ntp server 216.239.35.0 prefer                  # Google public NTP (preferred peer)
Router(config)# ntp server 192.168.1.100 version 4              # Local NTP server, NTP version 4

# Set Source Interface
Router(config)# ntp source GigabitEthernet0/0                   # Source interface for NTP packets
Router(config)# ntp source Loopback0                            # Loopback: stable address for server-side ACLs and keys

# Configure Router as NTP Server
Router(config)# ntp master 3                                    # Claim stratum 3 (only when this router has a trustworthy upstream or a reference clock)
Router(config)# ntp master                                      # Default stratum 8; free-running hardware clock, isolated networks only

# Update Hardware Calendar
Router(config)# ntp update-calendar                             # Copy NTP time into the hardware clock periodically
Router# clock set 14:30:00 15 April 2024                        # Manual software clock (privileged EXEC, not config mode)
Router# calendar set 14:30:00 15 April 2024                     # Manual hardware calendar (privileged EXEC)

NTP Authentication

Authentication lets the client verify that replies really come from the configured server; it does not encrypt anything. The same key must be configured on the server.

bash
# Enable NTP Authentication
Router(config)# ntp authenticate                                # Enable authentication
Router(config)# ntp authentication-key 1 md5 NTPSecretKey123    # Key 1 (MD5; newer IOS XE releases also offer hmac-sha2-256)
Router(config)# ntp authentication-key 2 md5 AnotherKey456      # Multiple keys
Router(config)# ntp trusted-key 1                               # Only trusted keys are accepted for synchronization
Router(config)# ntp trusted-key 2                               # Additional trusted key

# Apply Authentication to Servers
Router(config)# ntp server 192.168.1.100 key 1                  # Server authenticated with key 1
Router(config)# ntp server 192.168.1.101 key 2                  # Server authenticated with key 2

NTP Access Control

bash
# Create Access Lists for NTP
Router(config)# access-list 10 permit 192.168.100.0 0.0.0.255   # Management network
Router(config)# access-list 20 permit 192.168.1.0 0.0.0.255     # LAN network
Router(config)# access-list 30 permit 192.168.100.0 0.0.0.255   # Hosts allowed to send control queries

# Apply Access Control (checked in the order peer, serve, serve-only, query-only; first match wins)
Router(config)# ntp access-group peer 10                        # Full access: may sync to us and we to them
Router(config)# ntp access-group serve 20                       # Serve time and answer control queries
Router(config)# ntp access-group query-only 30                  # Control queries only (no time service)
# Leaving query-only open with "permit any" exposes the NTP control channel to the whole network; restrict it as above.

# Disable NTP on Specific Interfaces
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ntp disable                                  # Drop NTP packets received on this interface

NTP Verification and Troubleshooting

bash
# NTP Status Commands
Router# show ntp status                                         # Synchronized? stratum, reference clock, drift
Router# show ntp associations                                   # "*" = synced to this peer, "+" = candidate, "~" = configured
Router# show ntp associations detail                            # Per-peer reach, delay, offset, authentication state
Router# show clock detail                                       # System time and its source (NTP or manually set)
Router# show calendar                                           # Hardware calendar

# NTP Statistics (present only on some releases)
Router# show ntp statistics
Router# show ntp statistics peer

# NTP Debugging
Router# debug ntp packet                                        # NTP packet debugging
Router# debug ntp sync                                          # Synchronization events
Router# debug ntp adjust                                        # Clock adjustment
Router# undebug all                                             # Turn off debugging

# Clear NTP State
Router# clear ntp statistics                                    # (release dependent)
Router# ntp clear drift                                         # Clear drift compensation

# Trust check: "show ntp associations" lists every peer the router will accept time from; an entry you did
# not configure is worth investigating. With authentication enabled, "detail" shows whether each peer's packets are authenticated.

SNMP (Simple Network Management Protocol) - Network Monitoring

SNMPv2c Configuration

In v1/v2c the community string is the only credential and travels in cleartext; "public" and "private" are the first strings any scanner tries, and a read-write community is equivalent to configuration access (it can push a new running-config through the CISCO-CONFIG-COPY-MIB). Treat the lines below as syntax reference: use non-default strings, always attach an ACL, avoid rw, and prefer SNMPv3 where the NMS supports it.

bash
# Basic SNMPv2c Configuration
Router(config)# snmp-server community public ro                 # Read-only community (default string, do not deploy)
Router(config)# snmp-server community private rw                # Read-write community (avoid; equivalent to config access)
Router(config)# snmp-server community monitor ro 10             # Community restricted by ACL 10 (define the ACL first)

# System Information
Router(config)# snmp-server contact "admin@company.com"        # Contact information
Router(config)# snmp-server location "Data Center Rack 1"       # Physical location
Router(config)# snmp-server chassis-id "Router-HQ-01"           # Chassis identifier

# SNMP Traps Configuration
Router(config)# snmp-server enable traps                        # Enable every trap type (noisy; prefer the specific forms below)
Router(config)# snmp-server enable traps snmp linkdown linkup   # Link state traps
Router(config)# snmp-server enable traps config                 # Configuration change traps
Router(config)# snmp-server enable traps entity                 # Entity MIB traps
Router(config)# snmp-server enable traps cpu threshold          # CPU threshold traps

# Trap Destinations (the community named here is sent in cleartext with every trap)
Router(config)# snmp-server host 192.168.1.100 version 2c public    # Trap receiver
Router(config)# snmp-server host 192.168.1.101 version 2c monitor   # Another receiver
Router(config)# snmp-server trap-source GigabitEthernet0/0          # Source interface for traps

# Access Control for SNMPv2c
Router(config)# access-list 10 permit 192.168.100.0 0.0.0.255   # Management network only
Router(config)# snmp-server community public ro 10              # Re-entering the community with an ACL replaces the earlier unrestricted definition

SNMPv3 Configuration (Enhanced Security)

SNMPv3 replaces community strings with users, each with an authentication key (integrity, HMAC) and optionally a privacy key (encryption). Keys are derived from the pass-phrase and the device's engine ID, so check "show snmp engineID" before creating users: changing the engine ID later invalidates every user.

bash
# SNMPv3 Views (define the MIB subtrees first; groups reference them by name)
Router(config)# snmp-server view READONLY iso included           # Everything under iso
Router(config)# snmp-server view READONLY 1.3.6.1.4.1.9 excluded  # ...except the Cisco enterprise subtree (OID written numerically)
Router(config)# snmp-server view SYSONLY system included         # System group only

# SNMPv3 Groups (security levels: noauth < auth < priv)
Router(config)# snmp-server group MONITOR v3 auth read READONLY              # Authentication required, read-only
Router(config)# snmp-server group ADMIN v3 auth read READONLY write READONLY # Read and write (the write view shares the READONLY subtree; name views after their scope in production)
Router(config)# snmp-server group SECURE v3 priv read SYSONLY                # Authentication + encryption, system group only
# A "noauth" group accepts unauthenticated requests; there is no good reason to create one.

# SNMPv3 Users (one auth/priv combination per user; re-entering a user replaces it)
Router(config)# snmp-server user admin ADMIN v3 auth sha AdminAuth123
Router(config)# snmp-server user monitor MONITOR v3 auth sha MonitorAuth789
Router(config)# snmp-server user secure SECURE v3 auth sha SecureAuth123 priv aes 128 SecurePriv456
# "auth md5" and "priv des" are still accepted but weak; use sha (or the sha-2 options where the release has them) and aes.

# SNMPv3 Trap Configuration (the user named here must exist on the receiver with the same keys)
Router(config)# snmp-server host 192.168.1.100 version 3 auth admin
Router(config)# snmp-server host 192.168.1.101 version 3 priv secure
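
Why the engine ID matters for SNMPv3 users, as an added example (Python, not part of the original guide): the pass-phrase typed into "snmp-server user ... auth sha ..." is never stored as-is. RFC 3414 stretches it to a key Ku and then localizes it with the agent's engine ID (what "show snmp engineID" prints), which is why a user created before the engine ID changes stops working, and why the same pass-phrase on two routers does not yield one reusable key. The algorithm and the "maplesyrup" test vector are taken from RFC 3414 Appendix A; the second engine ID below is a constructed value.

```python
import hashlib

# RFC 3414 A.2: the pass-phrase is expanded to exactly 1 MiB before hashing.
MEGABYTE = 1024 * 1024


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(pass-phrase repeated/truncated to 1 MiB). algo is 'md5' or 'sha1',
    the two hashes RFC 3414 defines (SHA-2 variants follow the same recipe)."""
    if not password:
        raise ValueError("empty pass-phrase")
    reps, rem = divmod(MEGABYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores and uses."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def snmpv3_localized_key(password: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """Hex of the localized key for one user on one agent.
    engine_id_hex is the value 'show snmp engineID' prints on the IOS device."""
    ku = password_to_key(password.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


if __name__ == "__main__":
    # RFC 3414 A.3.2 vector: pass-phrase "maplesyrup", engine ID 00..02, SHA-1
    print(snmpv3_localized_key("maplesyrup", "000000000000000000000002", "sha1"))
    # Same pass-phrase, a different (constructed) engine ID: a different key, so a key
    # lifted from one router's agent does not authenticate against another.
    print(snmpv3_localized_key("maplesyrup", "800000090300aabbccddeeff", "sha1"))
```

The localization is what makes "show snmp engineID" part of incident response: an attacker who obtains Kul from one device has a key for that engine ID only, whereas a captured pass-phrase works everywhere it was reused.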

SNMP Verification and Troubleshooting

bash
# SNMP Status Commands
Router# show snmp                                               # Agent state and packet/error counters
Router# show snmp community                                     # Community strings and their ACLs
Router# show snmp user                                          # SNMPv3 users (auth/priv algorithms, group)
Router# show snmp group                                         # SNMPv3 groups and their views
Router# show snmp view                                          # SNMPv3 views
Router# show snmp host                                          # Trap destinations
Router# show snmp engineID                                      # Local engine ID (SNMPv3 user keys are bound to it)

# SNMP Testing from a management host (Net-SNMP tools, not IOS commands; 192.168.1.1 is the router)
$ snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1
$ snmpget -v3 -l authNoPriv -u admin -a SHA -A AdminAuth123 192.168.1.1 1.3.6.1.2.1.1.1.0
$ snmpget -v3 -l authPriv -u secure -a SHA -A SecureAuth123 -x AES -X SecurePriv456 192.168.1.1 1.3.6.1.2.1.1.1.0   # -x must match the user's priv algorithm
# A walk that succeeds from an address outside the management ACL is a finding, not a success.

# SNMP Debugging
Router# debug snmp packet                                       # SNMP packet debugging
Router# debug snmp detail                                       # Detailed SNMP debugging
Router# undebug all                                             # Turn off debugging

Syslog - System Logging and Monitoring

Syslog Severity Levels

Level  Keyword         Description
0      emergencies     System unusable
1      alerts          Immediate action required
2      critical        Critical conditions
3      errors          Error conditions
4      warnings        Warning conditions
5      notifications   Normal but significant condition
6      informational   Informational messages
7      debugging       Debug-level messages

A "logging trap <level>" setting sends that level and everything numerically lower (more severe). On the wire each message carries PRI = facility * 8 + severity, and the IOS header %FACILITY-SEVERITY-MNEMONIC repeats the severity.
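
How a collector decodes those levels, as an added example (Python, not part of the original guide): the parser below splits an IOS syslog line into PRI, sequence number, optional origin-id, timestamp and the %FACILITY-SEVERITY-MNEMONIC header, cross-checks the severity carried in PRI against the one in the mnemonic, and reproduces the "logging trap" filter so you can see which sample events a given level would have dropped. The sample lines are constructed, not captured from a device.

```python
import re
from dataclasses import dataclass

# Severity keywords in IOS order (index = severity number)
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Facility numbers from RFC 3164; IOS sends local7 (23) unless 'logging facility' says otherwise
FACILITIES = {0: "kern", 2: "mail", 3: "daemon", 4: "auth",
              **{16 + i: f"local{i}" for i in range(8)}}

# Shape of an IOS message on the wire with 'service sequence-numbers' and
# 'service timestamps log datetime msec' enabled:
#   <PRI>SEQ: [ORIGIN: ]TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<origin>[A-Za-z][\w.-]*): )?"
    r"(?P<ts>[*.]?\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: \S+)?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)


@dataclass
class SyslogEvent:
    facility: str
    severity: int
    keyword: str
    mnemonic: str
    text: str


def parse_ios_syslog(line: str) -> SyslogEvent:
    """Decode PRI (facility*8 + severity) and the %FAC-SEV-MNEMONIC header."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an IOS syslog line: {line!r}")
    facility, severity = divmod(int(m["pri"]), 8)
    # The severity digit in the mnemonic must agree with PRI; a mismatch means the
    # line was altered or mis-relayed and should not be trusted as-is.
    if severity != int(m["sev"]):
        raise ValueError("PRI severity disagrees with %FAC-SEV-MNEMONIC")
    return SyslogEvent(FACILITIES.get(facility, str(facility)), severity,
                       SEVERITIES[severity], f"{m['fac']}-{m['sev']}-{m['mnem']}", m["text"])


def would_be_sent(event: SyslogEvent, trap_level: str) -> bool:
    """Mirror 'logging trap <level>': sent when the severity number is <= the configured level."""
    return event.severity <= SEVERITIES.index(trap_level)


def filter_for_collector(lines, trap_level="warnings"):
    events = [parse_ios_syslog(line) for line in lines]
    return [e for e in events if would_be_sent(e, trap_level)]


# Constructed sample lines (facility local7, i.e. PRI = 184 + severity)
SAMPLE_LINES = [
    "<189>42: *Mar  1 00:12:03.456: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.100.5)",
    "<187>43: *Mar  1 00:12:09.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<188>44: R1: *Mar  1 00:12:15.770 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]",
]

if __name__ == "__main__":
    for e in filter_for_collector(SAMPLE_LINES, "warnings"):
        print(e.keyword, e.mnemonic, e.text[:40])
```

Note what "logging trap warnings" does to the sample set: the failed SSH login (level 4) arrives, but the configuration change (SYS-5-CONFIG_I, level 5) never leaves the router. For security monitoring, "notifications" is the lowest useful trap level.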

Syslog Configuration

bash
# Basic Syslog Configuration
Router(config)# logging host 192.168.1.200                      # Syslog server ("logging 192.168.1.200" is the older form)
Router(config)# logging host 192.168.1.201                      # Additional server
Router(config)# logging host 192.168.1.202 transport udp port 1514   # Custom UDP port

# Logging Levels (the named level and everything more severe is sent)
Router(config)# logging trap emergencies                        # Level 0 only
Router(config)# logging trap alerts                             # Levels 0-1
Router(config)# logging trap critical                           # Levels 0-2
Router(config)# logging trap errors                             # Levels 0-3
Router(config)# logging trap warnings                           # Levels 0-4 (common, but drops config-change and login-success messages)
Router(config)# logging trap notifications                      # Levels 0-5 (lowest level that keeps %SYS-5-CONFIG_I and %SEC_LOGIN-5-LOGIN_SUCCESS)
Router(config)# logging trap informational                      # Levels 0-6 (the default; verbose)
Router(config)# logging trap debugging                          # Levels 0-7 (very verbose)

# Facility Codes
Router(config)# logging facility local0                         # Local facility 0
Router(config)# logging facility local7                         # Local facility 7 (default)
Router(config)# logging facility mail                           # Mail facility

# Source Interface
Router(config)# logging source-interface GigabitEthernet0/0     # Source interface
Router(config)# logging source-interface Loopback0              # Loopback: stable source address for collector ACLs

# Local Logging Configuration
Router(config)# logging buffered 8192                           # Buffer size (bytes)
Router(config)# logging buffered warnings                       # Buffer level
Router(config)# logging buffered 16384 informational            # Size and level together

# Console Logging
Router(config)# logging console warnings                        # Console level
Router(config)# logging console critical                        # Only critical and above on the console

# Terminal/VTY Logging
Router(config)# logging monitor informational                   # Level for VTY sessions
Router# terminal monitor                                        # Privileged EXEC: show log messages on this session
Router(config)# line vty 0 4
Router(config-line)# logging synchronous                        # Line command: do not interleave messages with typed input

# Enhanced Logging Features
Router(config)# service timestamps log datetime msec            # Millisecond timestamps
Router(config)# service timestamps log datetime localtime       # Local time (keep UTC when correlating across sites)
Router(config)# service timestamps debug datetime msec          # Debug timestamps
Router(config)# service sequence-numbers                        # Sequence numbers (gaps reveal dropped messages)
Router(config)# logging rate-limit 100                          # Rate limiting (messages/sec)

Advanced Syslog Features

bash
# Logging Discriminators (Filter Messages)
Router(config)# logging discriminator IMPORTANT mnemonics drops BADMAC   # Drop messages whose mnemonic matches BADMAC
Router(config)# logging host 192.168.1.200 discriminator IMPORTANT       # Apply the filter to one collector

# Reliable Logging (TCP)
Router(config)# logging host 192.168.1.200 transport tcp port 1468       # TCP delivery: lost messages are retransmitted, unlike UDP
# Neither UDP nor plain TCP syslog is encrypted or authenticated; keep the collector on the management network.

# Syslog Message Format
Router(config)# service timestamps log datetime msec show-timezone
Router(config)# logging origin-id hostname                      # Include the hostname (needed when many devices share a collector)
Router(config)# logging userinfo                                # Log privilege-level changes with the user name

# Archive Logging (who changed what in the configuration)
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-cfg)# logging enable                  # Log configuration changes
Router(config-archive-log-cfg)# logging size 1000               # Entries kept locally
Router(config-archive-log-cfg)# hidekeys                        # Mask passwords and keys in the logged commands
Router(config-archive-log-cfg)# notify syslog contenttype plaintext   # Also send each change to syslog (otherwise it stays in "show archive log config all")

Syslog Verification and Management

bash
# Show Logging Information
Router# show logging                                            # Levels, collectors, counters and the buffer contents
Router# show logging | include LOGIN                            # Search the buffer
Router# show logging history                                    # Messages kept for SNMP syslog traps
Router# show archive log config all                             # Configuration change log
Router# show logging onboard                                    # Onboard failure logging (switches with OBFL)

# Logging Statistics (release/platform dependent)
Router# show logging summary
Router# show logging statistics
Router# show logging facilities

# Clear Logs
Router# clear logging                                           # Clear the log buffer (clearing it is itself a logged event on the collector)
Router# clear logging onboard                                   # Clear onboard logs

# Logging Debugging
Router# debug logging                                           # (release dependent)
Router# undebug all                                             # Turn off debugging

# Test Logging
Router# send log "Test message from router"                     # Emit a test message and confirm it reaches the collector
QoS (Quality of Service) - Traffic Management

QoS Overview

Purpose: Manage network traffic to ensure performance for critical applications.

QoS Tools:
• Classification: Identify traffic types
• Marking: Set priority bits (DSCP, CoS)
• Shaping: Smooth traffic to prevent bursts
• Policing: Drop or mark excess traffic
• Queuing: Prioritize packet transmission

Classification and Marking

bash
# Class Maps for Classification
# match-all = every statement must match (AND); match-any = any statement (OR). Two different
# "match protocol" lines can never both be true for one packet, so they belong in match-any.
Router(config)# class-map match-all VOICE_TRAFFIC
Router(config-cmap)# match ip dscp ef                           # Expedited Forwarding
Router(config-cmap)# match protocol rtp audio                   # ...AND recognized as RTP audio (NBAR)
Router(config-cmap)# exit

Router(config)# class-map match-any VIDEO_TRAFFIC
Router(config-cmap)# match ip dscp af41                         # Assured Forwarding 41
Router(config-cmap)# match protocol rtcp                        # ...OR RTCP
Router(config-cmap)# exit

Router(config)# class-map match-all BUSINESS_CRITICAL
Router(config-cmap)# match access-group 101                     # ACL 101 (Oracle, RDP) below
Router(config-cmap)# match ip precedence 3                      # ...AND already marked precedence 3
Router(config-cmap)# exit

Router(config)# class-map match-any WEB_TRAFFIC
Router(config-cmap)# match protocol http                        # HTTP
Router(config-cmap)# match protocol https                       # ...OR HTTPS
Router(config-cmap)# exit

# Access Lists for Classification
Router(config)# access-list 100 permit tcp any any eq 443       # HTTPS
Router(config)# access-list 100 permit tcp any any eq 80        # HTTP
Router(config)# access-list 101 permit tcp any any eq 1521      # Oracle database
Router(config)# access-list 101 permit tcp any any eq 3389      # RDP

# NBAR (Network Based Application Recognition) Classification
Router(config)# class-map match-any STREAMING
Router(config-cmap)# match protocol youtube                     # YouTube traffic
Router(config-cmap)# match protocol netflix                     # ...OR Netflix traffic
Router(config-cmap)# exit

# Trust boundary: DSCP/precedence set by end hosts are just bits. Re-mark at the edge (policy maps below)
# instead of trusting markings from user ports, or any host can mark its own traffic EF and take the priority queue.

Policy Maps and Actions

bash
# Policy Map Configuration
# "bandwidth percent" and "bandwidth remaining percent" cannot be mixed in one policy map; with a
# priority class present, use "remaining percent" for the other classes (the values must sum to 100 or less).
Router(config)# policy-map QOS_POLICY
Router(config-pmap)# class VOICE_TRAFFIC
Router(config-pmap-c)# priority percent 20                      # Strict priority queue, policed to 20% under congestion
Router(config-pmap-c)# set ip dscp ef                           # Mark as EF
Router(config-pmap-c)# exit

Router(config-pmap)# class VIDEO_TRAFFIC
Router(config-pmap-c)# bandwidth remaining percent 30           # 30% of what the priority queue leaves
Router(config-pmap-c)# set ip dscp af41                         # Mark as AF41
Router(config-pmap-c)# exit

Router(config-pmap)# class BUSINESS_CRITICAL
Router(config-pmap-c)# bandwidth remaining percent 30           # 30% of remaining
Router(config-pmap-c)# set ip precedence 4                      # Set precedence
Router(config-pmap-c)# exit

Router(config-pmap)# class WEB_TRAFFIC
Router(config-pmap-c)# bandwidth remaining percent 20           # 20% of remaining
Router(config-pmap-c)# fair-queue                               # Flow-based fair queuing inside the class
Router(config-pmap-c)# exit

Router(config-pmap)# class class-default                        # Everything else
Router(config-pmap-c)# bandwidth remaining percent 10           # 10% of remaining
Router(config-pmap-c)# random-detect                            # WRED: drop early instead of tail-dropping
Router(config-pmap-c)# exit

Traffic Shaping

bash
# Shaping Policy Map ("shape average" and "shape peak" are alternatives for the same class; the last one entered wins)
Router(config)# policy-map SHAPING_POLICY
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 1000000                    # Hold to 1 Mb/s average (excess is queued, not dropped)
Router(config-pmap-c)# service-policy QOS_POLICY                # Nested policy: queue inside the shaped rate
Router(config-pmap-c)# exit
# Alternative for the same class:
Router(config-pmap-c)# shape peak 1500000                       # Allow bursts up to 1.5 Mb/s while Be tokens last

# Percentage-based Shaping
Router(config)# policy-map PERCENTAGE_SHAPING
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average percent 80                 # 80% of the interface "bandwidth" value
Router(config-pmap-c)# exit

# Adaptive Shaping (Frame Relay only: reacts to BECN and requires a "shape average" first)
Router(config)# policy-map ADAPTIVE_SHAPING
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 2000000
Router(config-pmap-c)# shape adaptive 1000000                   # Lower rate to fall back to when BECNs arrive
Router(config-pmap-c)# exit

Traffic Policing

bash
# Single-Rate Policing (one rate, two colours: conform or exceed)
Router(config)# policy-map POLICING_POLICY
Router(config-pmap)# class BUSINESS_CRITICAL
Router(config-pmap-c)# police 2000000 conform-action transmit exceed-action drop   # 2 Mb/s, default burst
Router(config-pmap-c)# exit

# Two-Rate Policing (CIR and PIR, three colours)
Router(config-pmap)# class WEB_TRAFFIC
Router(config-pmap-c)# police cir 1000000 bc 31250 pir 1500000 be 46875 conform-action transmit exceed-action set-dscp-transmit af31 violate-action drop
Router(config-pmap-c)# exit
# bc/be are in bytes: 31250 bytes = 1 Mb/s * 0.25 s, a quarter-second burst, which is the usual starting point.

# Percentage-based Policing
Router(config-pmap)# class STREAMING
Router(config-pmap-c)# police cir percent 10 conform-action transmit exceed-action drop   # 10% of interface bandwidth
Router(config-pmap-c)# exit
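
What the two-rate policer above actually does per packet, as an added example (Python, not from the original guide): the class below implements the RFC 2698 two-rate three-colour marker in colour-blind mode with the same cir/bc/pir/be values as the WEB_TRAFFIC line, then feeds it a constructed stream of 1000-byte packets every 2 ms (4 Mb/s offered). The ACTIONS mapping is the policer's configured conform/exceed/violate actions; everything else is this example's own modelling, not IOS code.

```python
from fractions import Fraction

# IOS action for each colour in the two-rate policer configured above
ACTIONS = {"conform": "transmit", "exceed": "set-dscp-transmit af31", "violate": "drop"}


class TwoRatePolicer:
    """RFC 2698 two-rate three-colour marker, colour-blind mode, as used by
    'police cir <bps> bc <bytes> pir <bps> be <bytes>'. Token buckets are kept in
    bytes and refilled continuously from the packet clock."""

    def __init__(self, cir: int, bc: int, pir: int, be: int):
        self.cir, self.bc, self.pir, self.be = cir, bc, pir, be
        self.tc = Fraction(bc)          # committed bucket starts full
        self.tp = Fraction(be)          # peak bucket starts full
        self.last = Fraction(0)

    def _refill(self, now: Fraction) -> None:
        elapsed = now - self.last
        self.tc = min(Fraction(self.bc), self.tc + elapsed * self.cir / 8)
        self.tp = min(Fraction(self.be), self.tp + elapsed * self.pir / 8)
        self.last = now

    def colour(self, now: Fraction, size: int) -> str:
        """now in seconds, size in bytes; returns conform / exceed / violate."""
        self._refill(now)
        if size > self.tp:              # above the PIR burst: violate, no tokens taken
            return "violate"
        if size > self.tc:              # within PIR but above the CIR burst: exceed
            self.tp -= size
            return "exceed"
        self.tc -= size                 # within CIR: conform, both buckets pay
        self.tp -= size
        return "conform"


def police_stream(policer: TwoRatePolicer, sizes, interval_ms: int):
    """Feed equally spaced packets and return the colour of each one."""
    return [policer.colour(Fraction(i * interval_ms, 1000), s) for i, s in enumerate(sizes)]


if __name__ == "__main__":
    # Constructed traffic: 1000-byte packets every 2 ms = 4 Mb/s offered against cir 1 Mb/s
    # and pir 1.5 Mb/s. The first 41 conform (bc absorbs the burst), then the committed bucket
    # runs dry and only every fourth packet conforms; the peak bucket is exhausted at packet 75.
    colours = police_stream(TwoRatePolicer(1_000_000, 31250, 1_500_000, 46875), [1000] * 200, 2)
    for c in ("conform", "exceed", "violate"):
        print(f"{c:8s} {colours.count(c):3d} -> {ACTIONS[c]}")
```

The burst sizes decide how much a flood gets through before the drop action kicks in: with bc = 31250 bytes a 4 Mb/s burst is forwarded unmarked for about 40 full-size packets, which is the trade-off to think about when a policer is used as a control-plane or DoS limiter rather than a fairness tool.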

Hierarchical QoS

bash
# Child Policy Map (queuing inside the parent's shaped rate; percentages refer to the shaped rate, not the interface)
Router(config)# policy-map CHILD_POLICY
Router(config-pmap)# class VOICE_TRAFFIC
Router(config-pmap-c)# priority percent 50                      # 50% of the 10 Mb/s parent = 5 Mb/s priority queue
Router(config-pmap-c)# exit
Router(config-pmap)# class VIDEO_TRAFFIC
Router(config-pmap-c)# bandwidth remaining percent 60           # 60% of what is left after priority
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# bandwidth remaining percent 40           # 40% of remaining
Router(config-pmap-c)# exit

# Parent Policy Map (define the child first; the parent references it by name)
Router(config)# policy-map PARENT_POLICY
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 10000000                   # 10 Mb/s total (e.g. a sub-rate circuit on a 1 Gb/s port)
Router(config-pmap-c)# service-policy CHILD_POLICY              # Apply child policy
Router(config-pmap-c)# exit

QoS Application and Verification

bash
# Apply QoS Policy to Interface (one input and one output policy per interface; the policy maps must already exist)
Router(config)# interface GigabitEthernet0/1
Router(config-if)# service-policy input POLICING_POLICY         # Inbound: police and re-mark at the trust boundary
Router(config-if)# service-policy output PARENT_POLICY          # Outbound: shape and queue
Router(config-if)# exit

# QoS on Subinterfaces (queuing on a subinterface needs a parent shaper, as in the hierarchical example)
Router(config)# interface GigabitEthernet0/1.10
Router(config-subif)# service-policy output PARENT_POLICY
Router(config-subif)# exit

# Verification Commands
Router# show policy-map                                         # All policy maps
Router# show policy-map QOS_POLICY                              # Specific policy map
Router# show policy-map interface GigabitEthernet0/1            # Per-class packets, drops, policer and queue counters
Router# show class-map                                          # All class maps
Router# show queueing interface GigabitEthernet0/1              # Queueing information

# Advanced Verification
Router# show policy-map interface GigabitEthernet0/1 input      # Input policy only
Router# show policy-map interface GigabitEthernet0/1 output     # Output policy only
Router# show interfaces GigabitEthernet0/1 stats                # Interface statistics

# Clear QoS Statistics
Router# clear counters GigabitEthernet0/1                       # Clear interface counters

Remote Access - SSH and Telnet Configuration

SSH (Secure Shell) Configuration

SSH Benefits: Encrypted communication, server authentication (host key), data integrity. Telnet offers none of these: every keystroke, passwords included, crosses the network in cleartext.

bash
# Prerequisites for SSH
Router(config)# hostname R1                                     # Hostname required (part of the default key name)
Router(config)# ip domain-name company.com                      # Domain name required

# Generate RSA Keys (2048-bit minimum; current clients refuse 1024-bit host keys)
Router(config)# crypto key generate rsa                         # Interactive key generation (prompts for the modulus)
Router(config)# crypto key generate rsa modulus 2048            # 2048-bit key
Router(config)# crypto key generate rsa general-keys label SSH_KEYS modulus 4096
Router(config)# ip ssh rsa keypair-name SSH_KEYS                # Make SSH use the labelled pair (otherwise it uses the hostname.domain key)

# SSH Version and Parameters
Router(config)# ip ssh version 2                                # SSH version 2 only (v1 is broken; never allow it)
Router(config)# ip ssh time-out 60                              # Seconds allowed to complete negotiation/authentication (max 120)
Router(config)# ip ssh authentication-retries 3                 # Maximum auth attempts per connection
Router(config)# ip ssh logging events                           # Log SSH session events

# User Account Configuration ("secret" stores a salted hash; "password" stores reversible type 7 or cleartext)
Router(config)# username admin privilege 15 secret Admin@123    # Admin user
Router(config)# username user1 privilege 1 secret User123       # Limited user
Router(config)# username netadmin secret NetAdmin456            # Network admin (privilege 1 unless stated)
Router(config)# username operator privilege 5 secret Oper789    # Operator level

# VTY Line Configuration for SSH
Router(config)# line vty 0 4                                    # VTY lines 0-4
Router(config-line)# login local                                # Authenticate against local users
Router(config-line)# transport input ssh                        # SSH only (telnet refused)
Router(config-line)# exec-timeout 10 0                          # 10-minute idle timeout
Router(config-line)# access-class 20 in                         # Only sources in ACL 20 may connect
Router(config-line)# logging synchronous                        # Synchronous logging
Router(config-line)# history size 50                            # Command history

# Additional VTY Lines (secure every line the platform has; an unconfigured "line vty 5 15" is a second door)
Router(config)# line vty 5 15
Router(config-line)# login local
Router(config-line)# transport input ssh
Router(config-line)# access-class 20 in
Router(config-line)# exec-timeout 5 0                           # Shorter timeout

# SSH Access Control
Router(config)# access-list 20 permit 192.168.100.0 0.0.0.255   # Management network
Router(config)# access-list 20 permit host 10.1.1.100           # Admin workstation
Router(config)# access-list 20 deny any log                     # Deny and log everything else

Advanced SSH Configuration

bash
# SSH Algorithm Configuration (restrict to modern algorithms; "ip ssh server algorithm ?" lists what the release offers)
Router(config)# ip ssh server algorithm encryption aes256-ctr aes128-ctr   # Also aes256-gcm/aes128-gcm where offered
Router(config)# ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512    # Drop hmac-sha1 once every client supports SHA-2
Router(config)# ip ssh server algorithm kex diffie-hellman-group14-sha1    # Or ecdh-sha2-nistp256 on releases that have it
Router(config)# ip ssh dh min size 2048                         # Refuse 1024-bit DH groups proposed by clients

# SSH Public Key Authentication (no password crosses the wire; combine with "login local" or AAA)
Router(config)# ip ssh pubkey-chain
Router(conf-ssh-pubkey)# username admin
Router(conf-ssh-pubkey-user)# key-string
Router(conf-ssh-pubkey-data)# AAAAB3NzaC1yc2EAAAADAQABAAABAQDm...   # Paste the base64 key data in chunks of up to 254 characters per line
Router(conf-ssh-pubkey-data)# exit
Router(conf-ssh-pubkey-user)# exit
Router(conf-ssh-pubkey)# exit

# SSH Client Configuration (when the router itself is the SSH client)
Router(config)# ip ssh client algorithm encryption aes256-ctr aes128-ctr
Router(config)# ip ssh client algorithm mac hmac-sha2-256

Telnet Configuration (Less Secure)

Telnet is listed for completeness and for lab devices whose IOS image has no crypto support. On anything reachable from a user network, leave "transport input ssh" in place.

bash
# Basic Telnet Configuration
Router(config)# line vty 0 4
Router(config-line)# password TelnetPass123                     # Line password (sent in cleartext by Telnet)
Router(config-line)# login                                      # Ask for the line password
Router(config-line)# transport input telnet                     # Telnet only
Router(config-line)# exec-timeout 5 0                           # 5-minute idle timeout

# Telnet with Local Users
Router(config-line)# login local                                # Per-user accounts instead of one shared password
Router(config-line)# transport input telnet ssh                 # Both protocols (migration only; remove telnet afterwards)

# Telnet Access Control
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255     # Allow LAN only (define the ACL before applying it)
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in                         # Apply ACL

Console Port Configuration

bash
# Console Port Security (physical access is console access: password recovery is one reboot away, so lock the rack too)
Router(config)# line console 0
Router(config-line)# password ConsolePass123                    # Console password
Router(config-line)# login                                      # Enable authentication ("login local" to use usernames)
Router(config-line)# exec-timeout 15 0                          # 15-minute timeout
Router(config-line)# logging synchronous                        # Synchronous logging
Router(config-line)# history size 50                            # Command history
Router(config-line)# speed 115200                               # Console speed (default 9600)
Router(config-line)# stopbits 1                                 # Stop bits
Router(config-line)# databits 8                                 # Data bits
Router(config-line)# parity none                                # No parity
Remote Access Verification and Troubleshooting

bash
# SSH Verification
Router# show ssh                                                # Active SSH sessions (connection id, version, cipher, user)
Router# show ip ssh                                             # SSH enabled? version, timeout, retries, key size
Router# show crypto key mypubkey rsa                            # RSA public keys (compare with the fingerprint clients see on first connect)
Router# show users                                              # Who is logged in, from where
Router# show line                                               # Line status

# User and Privilege Verification
Router# show privilege                                          # Current privilege level
Router# show users all                                          # All lines, including idle ones

# VTY Line Verification
Router# show line vty 0 4                                       # VTY line status
Router# show running-config | section line vty                  # VTY configuration

# SSH Client Commands (from the router)
Router# ssh -l admin 192.168.1.100                              # SSH to a device
Router# ssh -v 2 -l admin 192.168.1.100                         # Force SSH version 2
Router# telnet 192.168.1.100                                    # Telnet to a device (cleartext)

# Troubleshooting Commands
Router# debug ip ssh                                            # SSH negotiation debugging
Router# debug telnet                                            # Telnet debugging
Router# debug aaa authentication                                # Authentication debugging
Router# undebug all                                             # Turn off debugging

# Clear Sessions
Router# clear line vty 1                                        # Disconnect the session on VTY 1
Router# disconnect ssh 0                                        # Disconnect an SSH session by the id shown in "show ssh"

Security Best Practices for Remote Access

bash
# Login Attack Mitigation
Router(config)# security authentication failure rate 3 log     # Log after 3 failed attempts and add a delay
Router(config)# login block-for 300 attempts 3 within 60       # 3 failures within 60 s: block all logins for 300 s (quiet mode)
Router(config)# login quiet-mode access-class 99               # ...except sources matched by ACL 99
Router(config)# login on-failure log                           # Syslog every failed login
Router(config)# login on-success log                           # Syslog every successful login
Router(config)# access-list 99 permit 192.168.100.0 0.0.0.255   # Emergency (management) access during quiet mode

# Disable Unused Services
Router(config)# no ip http server                               # Disable HTTP
Router(config)# no ip http secure-server                        # Disable HTTPS (also removes web-based management)
Router(config)# no cdp run                                      # Disable CDP globally (or per interface with "no cdp enable" on user-facing ports)
Router(config)# no service tcp-small-servers                    # Disable echo/chargen/discard (TCP)
Router(config)# no service udp-small-servers                    # Disable echo/chargen/discard (UDP)

# Enable Security Features
Router(config)# service password-encryption                     # Type 7 obfuscation of line passwords (reversible; still use "secret" for users)
Router(config)# security passwords min-length 8                 # Minimum length for passwords entered from now on
Router(config)# line vty 0 15
Router(config-line)# exec-timeout 10 0                          # Idle timeout is a line command, not a global one
Router(config-line)# exit
Router(config)# no ip source-route                              # Drop source-routed packets
Router(config)# no ip gratuitous-arps                           # Do not send gratuitous ARPs
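
Checking a device against these practices, as an added example (Python, not part of the original guide): the script parses the text of "show running-config", groups indented lines under their "line vty" section, and reports the weak settings this section warns about (cleartext or type-7 passwords, telnet on VTY lines, default or unrestricted SNMP communities, web management left on, no login throttling, no access-class). Both configurations are constructed samples; the hashes and type-7 strings in them are placeholders of the right shape, not real credentials.

```python
import re

# Constructed 'show running-config' excerpts (not from a real device)
WEAK_CONFIG = """\
hostname R1
enable password Cisco123
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username user1 privilege 1 password 7 0822455D0A16
ip domain-name company.com
ip ssh version 2
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
 access-class 20 in
end
"""

HARDENED_CONFIG = """\
service password-encryption
hostname R1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
ip domain-name company.com
ip ssh version 2
login block-for 300 attempts 3 within 60
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 20 permit 192.168.100.0 0.0.0.255
snmp-server community N3tM0n-r0-2024 RO 10
no ip http server
no ip http secure-server
line vty 0 4
 login local
 transport input ssh
 access-class 20 in
 exec-timeout 10 0
end
"""


def parse_config(text: str):
    """Split an IOS config into top-level lines plus the indented children of each
    section ('line vty 0 4', 'interface ...'). Comments and blank lines are dropped;
    a repeated section header replaces the earlier one's children."""
    top, sections, parent = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
            sections[parent] = []
    return top, sections


def audit(text: str):
    """Return one finding string per weak setting found."""
    top, sections = parse_config(text)
    findings = []
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption is off (type 7 is reversible, but it stops shoulder-surfing)")
    if not any(l.startswith("login block-for") for l in top):
        findings.append("global: no 'login block-for' brute-force throttling")
    for l in top:
        if l.startswith("enable password"):
            findings.append("enable password: reversible/cleartext, use 'enable secret'")
        m = re.match(r"username (\S+) .*\bpassword\b", l)
        if m:
            findings.append(f"username {m.group(1)}: uses 'password' (type 7 or cleartext), use 'secret'")
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l, re.I)
        if m:
            name, mode, acl = m.groups()
            if mode.upper() == "RW":
                findings.append(f"snmp community {name}: read-write access")
            if name.lower() in {"public", "private"}:
                findings.append(f"snmp community {name}: default/guessable string")
            if acl is None:
                findings.append(f"snmp community {name}: no ACL on the community")
        if l in ("ip http server", "ip http secure-server"):
            findings.append(f"{l}: web management enabled, disable unless it is used")
    for parent, kids in sections.items():
        if not parent.startswith("line vty"):
            continue
        ti = next((k for k in kids if k.startswith("transport input")), None)
        if ti is None or "telnet" in ti or ti.endswith(" all"):
            findings.append(f"{parent}: transport input allows telnet ({ti or 'default'})")
        if not any(k.startswith("access-class") for k in kids):
            findings.append(f"{parent}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("FINDING:", f)
    print("hardened config findings:", len(audit(HARDENED_CONFIG)))
```

The point of the second VTY block in the weak sample is the one the SSH section makes: "line vty 5 15" was hardened, "line vty 0 4" was not, and an attacker gets whichever line the router hands out. Run the audit on every device's backup rather than on the one you remember configuring.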

Layer 2 Security

DHCP Snooping

Purpose: Prevents rogue DHCP servers and ensures only authorized DHCP messages pass through the network.

How it works:

• DHCP messages are tracked per port.
• Trusted ports: uplinks and ports toward legitimate DHCP servers; server messages (OFFER/ACK/NAK) are accepted only here.
• Untrusted ports: user/access ports; server messages arriving here are dropped, and the client's frame source MAC must match the DHCP chaddr.
• Builds the DHCP snooping binding table (MAC, IP, lease, VLAN, interface) that Dynamic ARP Inspection and IP Source Guard rely on.

Configuration:

bash
# Enable DHCP snooping globally
Switch(config)# ip dhcp snooping

# Enable DHCP snooping on VLANs (nothing is inspected until a VLAN is listed)
Switch(config)# ip dhcp snooping vlan 10,20,30

# Option 82 is inserted by default on untrusted ports; a DHCP server or relay that does not expect it drops the request
Switch(config)# no ip dhcp snooping information option

# Configure trusted interfaces (uplinks and ports where DHCP servers connect)
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

# Configure rate limiting on untrusted interfaces (optional; exceeding the rate err-disables the port)
Switch(config)# interface GigabitEthernet1/24
Switch(config-if)# ip dhcp snooping limit rate 15
Switch(config-if)# exit

Verification:

bash
Switch# show ip dhcp snooping                                   # Global state, VLANs, trusted ports, option 82 setting
Switch# show ip dhcp snooping binding                           # Binding table (lost on reload unless "ip dhcp snooping database" is configured)
Switch# show ip dhcp snooping statistics
Switch# show ip dhcp snooping vlan 10

Dynamic ARP Inspection (DAI)

Purpose: Prevents ARP spoofing (gateway impersonation, man-in-the-middle) by checking ARP packets against the DHCP snooping binding table.

How it works:

• On untrusted ports, the sender MAC and IP of every ARP packet must match a DHCP snooping binding (or an ARP ACL for statically addressed hosts).
• Invalid ARP packets are dropped and logged.
• Trusted interfaces (uplinks to other switches/routers) are not inspected, so DAI must be enabled on every access switch in the VLAN.
• Requires DHCP snooping on the same VLANs; hosts with static addresses need "ip source binding" entries or an "arp access-list".

Configuration:

bash
# Enable DAI globally per VLAN
Switch(config)# ip arp inspection vlan 10,20

# Configure trusted interfaces
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit

# Configure rate limiting on access ports (default 15 pps on untrusted ports; exceeding it err-disables the port)
Switch(config)# interface GigabitEthernet1/24
Switch(config-if)# ip arp inspection limit rate 30
Switch(config-if)# exit

# Optional extra checks: Ethernet header MACs must match the ARP body, and addresses must be sane
Switch(config)# ip arp inspection validate src-mac dst-mac ip

Verification:

bash
Switch# show ip arp inspection
Switch# show ip arp inspection statistics                       # Forwarded vs dropped per VLAN; "DHCP Drops" are failed binding checks
Switch# show ip arp inspection interfaces                       # Trust state and rate limits
Switch# show ip arp inspection statistics vlan 10
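
How DHCP snooping and DAI fit together, as an added example (Python, not from the original guide): the model below builds the binding table from DHCP exchanges and then judges ARP packets against it, the way the two features above cooperate on one access switch. Port names, MACs and addresses are constructed for the scenario; the decision rules (server messages only from trusted ports, chaddr must match the source MAC, ARP sender MAC/IP/port must match a binding, trusted ports bypass inspection) are the ones the section describes, simplified to the checks that matter.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One row of 'show ip dhcp snooping binding'."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    """Model of DHCP snooping plus Dynamic ARP Inspection on one access switch."""
    trusted: set                                    # 'ip dhcp snooping trust' / 'ip arp inspection trust'
    snooping_vlans: set                             # 'ip dhcp snooping vlan ...'
    dai_vlans: set                                  # 'ip arp inspection vlan ...'
    bindings: dict = field(default_factory=dict)    # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)     # (vlan, chaddr) -> port that sent the DISCOVER/REQUEST
    log: list = field(default_factory=list)

    def dhcp_client_msg(self, port, vlan, src_mac, chaddr):
        """DISCOVER/REQUEST from a host. On untrusted ports the frame source MAC must
        equal the DHCP chaddr (the default 'ip dhcp snooping verify mac-address')."""
        if vlan in self.snooping_vlans and port not in self.trusted and src_mac != chaddr:
            self.log.append(f"DHCP_SNOOPING: chaddr {chaddr} != source MAC {src_mac} on {port}")
            return "drop"
        self.pending[(vlan, chaddr)] = port
        return "forward"

    def dhcp_server_msg(self, port, vlan, client_mac, yiaddr):
        """OFFER/ACK. Server messages are accepted only from trusted ports; an accepted
        ACK creates the binding that DAI checks later."""
        if vlan not in self.snooping_vlans:
            return "forward"                        # VLAN not snooped: nothing is checked or learned
        if port not in self.trusted:
            self.log.append(f"DHCP_SNOOPING: server message from untrusted {port} vlan {vlan} dropped")
            return "drop"
        client_port = self.pending.get((vlan, client_mac), "unknown")
        self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports in inspected VLANs the ARP sender MAC/IP must match a
        binding learned on that same port. Trusted ports are never inspected."""
        if vlan not in self.dai_vlans or port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, sender_mac))
        if b is not None and b.ip == sender_ip and b.port == port:
            return "forward"
        self.log.append(f"ARP_INSPECTION: invalid ARP {sender_mac}/{sender_ip} on {port} vlan {vlan}")
        return "drop"


def scenario():
    """Constructed traffic (no real captures): Gi1/1 is the trusted uplink toward the
    DHCP server and gateway; host A sits on Gi1/10, host B on Gi1/11."""
    sw = AccessSwitch(trusted={"Gi1/1"}, snooping_vlans={10}, dai_vlans={10})
    r = {}
    r["rogue_offer"] = sw.dhcp_server_msg("Gi1/11", 10, "aaaa.aaaa.0001", "192.168.10.50")    # B runs a rogue DHCP server
    r["discover"] = sw.dhcp_client_msg("Gi1/10", 10, "aaaa.aaaa.0001", "aaaa.aaaa.0001")      # A asks for a lease
    r["real_ack"] = sw.dhcp_server_msg("Gi1/1", 10, "aaaa.aaaa.0001", "192.168.10.50")        # the real server answers
    r["good_arp"] = sw.arp("Gi1/10", 10, "aaaa.aaaa.0001", "192.168.10.50")                   # A announces its own address
    r["gateway_spoof"] = sw.arp("Gi1/11", 10, "bbbb.bbbb.0002", "192.168.10.1")               # B claims the gateway IP
    r["moved_host"] = sw.arp("Gi1/11", 10, "aaaa.aaaa.0001", "192.168.10.50")                 # right MAC/IP, wrong port
    r["uplink_arp"] = sw.arp("Gi1/1", 10, "0000.0c07.ac0a", "192.168.10.1")                    # gateway via trusted uplink
    r["forged_chaddr"] = sw.dhcp_client_msg("Gi1/11", 10, "bbbb.bbbb.0002", "cccc.cccc.0003")  # DHCP starvation attempt
    return sw, r
```

Two consequences show up in the scenario: a host that moves ports without renewing its lease is dropped by DAI until the binding catches up (which is why binding-table persistence and lease times matter during maintenance), and a trusted port is trusted for ARP too, so trust must stop at the access layer.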

Port Security

Purpose: Limits the number of MAC addresses on a switch port, preventing unauthorized devices and MAC-flooding attacks against the CAM table.

Features:

• Maximum MAC addresses per port.
• Secure MAC addresses: static (configured), dynamic (learned, lost on reload) or sticky (learned and written into the running-config).
• Violation actions: shutdown (err-disabled), restrict, protect.
• Aging of secure MAC addresses.

Configuration:

bash
# Basic port security on an access port (the port must be in access or trunk mode, not dynamic)
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky   # Learned MACs go into the running-config; save it or they are lost on reload
Switch(config-if)# no shutdown

# Automatic recovery from err-disable (otherwise the port stays down until "shutdown" / "no shutdown")
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300

Violation Actions:

Action     Description
shutdown   Puts the port in err-disabled state (default); syslog and SNMP trap, counter incremented
restrict   Drops violating frames; increments the violation counter; sends syslog/SNMP alerts; port stays up
protect    Drops violating frames silently: no counter, no alert (undetectable from the NMS, avoid in production)

MAC Address Aging:

bash
Switch(config-if)# switchport port-security aging time 30       # Minutes
Switch(config-if)# switchport port-security aging type inactivity   # Age out only idle addresses (default is absolute)

Verification:

bash
Switch# show port-security interface GigabitEthernet1/1        # Status, violation mode and count, last source MAC
Switch# show port-security                                      # Per-port summary
Switch# show port-security address                              # Secure MAC table
Switch# show errdisable recovery
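
What the three violation modes do to the same traffic, as an added example (Python, not from the original guide): the class below models one port with "maximum 2" and runs the same four frames through shutdown, restrict and protect. The behaviour follows the table above; the syslog texts are approximations of the IOS %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION messages, and the MAC addresses are constructed.

```python
class SecurePort:
    """Model of 'switchport port-security' on one access port."""

    def __init__(self, maximum=2, violation="shutdown", static=()):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError(violation)
        self.maximum, self.violation = maximum, violation
        self.secure = list(static)        # secure MACs: static, or learned (sticky writes them to running-config)
        self.violations = 0               # "Security Violation Count" in show port-security
        self.err_disabled = False
        self.syslog = []

    def ingress(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"                                   # port is down until recovery
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)                     # learn it as a secure address
            return "forward"
        # An additional source MAC beyond the maximum: the violation
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violations += 1
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected ({src_mac})")
        elif self.violation == "restrict":
            self.violations += 1
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address {src_mac}")
        # protect: silent drop, no counter, no message
        return "drop"

    def errdisable_recover(self):
        """'errdisable recovery cause psecure-violation': the port comes back up; learned addresses stay."""
        self.err_disabled = False


def compare_modes():
    """Same frame sequence in each mode: A and B are the two allowed hosts, C is the
    intruder, then A talks again. Returns (decisions, violation count, err-disabled, syslog lines)."""
    frames = ["aaaa.aaaa.0001", "bbbb.bbbb.0002", "cccc.cccc.0003", "aaaa.aaaa.0001"]
    result = {}
    for mode in ("shutdown", "restrict", "protect"):
        port = SecurePort(maximum=2, violation=mode)
        decisions = [port.ingress(f) for f in frames]
        result[mode] = (decisions, port.violations, port.err_disabled, len(port.syslog))
    return result


if __name__ == "__main__":
    for mode, (decisions, count, down, lines) in compare_modes().items():
        print(f"{mode:8s} {decisions} violations={count} err-disabled={down} syslog={lines}")
```

The fourth frame is the operational difference: in shutdown mode the legitimate host A is cut off together with the intruder (a one-frame denial of service against that port), in restrict mode A keeps working and the event is counted and logged, in protect mode nothing is recorded at all.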

AAA (Authentication, Authorization, Accounting)

AAA Overview

• Authentication: Verify user identity.


• Authorization: Define what user is allowed to do.
• Accounting: Track user activities.

Local AAA

Use Case: Small networks or fallback authentication.

bash
# Enable AAA
Router(config)# aaa new-model
# Define local user
Router(config)# username admin privilege 15 secret AdminPass123

# Authentication method list
Router(config)# aaa authentication login default local

# Authorization for exec shell
Router(config)# aaa authorization exec default local

# Accounting for exec sessions
Router(config)# aaa accounting exec default start-stop local

# Line configuration
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# authorization exec default
Router(config-line)# accounting exec default
Router(config-line)# exit

RADIUS AAA

Use Case: Centralized authentication for large networks.

bash
# Define RADIUS Server
Router(config)# radius server RADIUS-SERVER
Router(config-radius-server)# address ipv4 192.168.100.10 auth-port 1812 acct-port 1813
Router(config-radius-server)# key RadiusSecret123
Router(config-radius-server)# exit

# Enable AAA
Router(config)# aaa new-model

# Define authentication method list using RADIUS with fallback to local
Router(config)# aaa authentication login default group radius local

# Define authorization using RADIUS with local fallback
Router(config)# aaa authorization exec default group radius local

# Define accounting using RADIUS
Router(config)# aaa accounting exec default start-stop group radius

# Line configuration for VTY
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# authorization exec default
Router(config-line)# accounting exec default
Router(config-line)# exit
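
How the "group radius local" method list above is walked, as an added example that is not part of the guide. It models a fact worth knowing about IOS method lists: the next method is tried only when the current one returns an error (for example an unreachable server); a rejected password ends the list with no local fallback. RadiusStub and LocalDb are constructed stand-ins, not a real RADIUS client.

```python
"""Model of IOS method-list evaluation for 'aaa authentication login default group radius local'.

Constructed example. ERROR means the method could not answer (server down);
FAIL means it answered with a rejection. Only ERROR moves on to the next method.
"""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class RadiusStub:
    """Constructed stand-in for the 'group radius' method."""
    users: dict
    reachable: bool = True

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR  # timeout: no answer, so the list continues
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class LocalDb:
    """Stand-in for the 'local' method (the 'username ... secret' entries)."""
    users: dict

    def authenticate(self, user, password):
        return PASS if self.users.get(user) == password else FAIL


def authenticate(methods, user, password):
    """Walk the ordered method list; return (result, method that decided)."""
    for name, backend in methods:
        result = backend.authenticate(user, password)
        if result in (PASS, FAIL):
            return result, name  # a definitive answer ends the walk
        # ERROR: fall through to the next configured method
    return FAIL, "none-left"  # every method errored: login is denied


if __name__ == "__main__":
    radius = RadiusStub({"alice": "Wonderland1"})
    local = LocalDb({"admin": "AdminPass123"})  # the local user from the page
    methods = [("group radius", radius), ("local", local)]
    print(authenticate(methods, "admin", "AdminPass123"))  # RADIUS rejects: no fallback
    radius.reachable = False
    print(authenticate(methods, "admin", "AdminPass123"))  # RADIUS down: local answers
```

The second run shows why the local account must exist before the RADIUS server is taken down for maintenance, and the first shows that an unknown RADIUS user is not rescued by the local database.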

AAA Verification and Troubleshooting

bash
Router# show aaa users
Router# show aaa sessions
Router# show aaa servers
Router# show radius servers
Router# show accounting
Router# debug aaa authentication
Router# debug radius
Router# debug tacacs
Router# undebug all

Wireless Security Protocols: WPA, WPA2, WPA3

WPA (Wi-Fi Protected Access)

• Introduced as an interim solution to replace insecure WEP.
• Uses TKIP (Temporal Key Integrity Protocol), an improvement over WEP but vulnerable by today’s standards.
• Not recommended for new deployments.

Basic WPA configuration (Autonomous AP, TKIP/PSK):

bash
ap(config)# dot11 ssid HomeWPA
ap(config-ssid)# authentication open
ap(config-ssid)# authentication key-management wpa
ap(config-ssid)# wpa-psk ascii 0 MyWpaPass
ap(config-ssid)# exit

ap(config)# interface dot11radio 0
ap(config-if)# encryption mode ciphers tkip
ap(config-if)# ssid HomeWPA
ap(config-if)# no shutdown

WPA2 (Wi-Fi Protected Access II)

• Industry standard for many years.
• Uses AES-CCMP encryption (strong, secure).
• Supports Personal (PSK) and Enterprise (802.1X/EAP with RADIUS).
• Backward compatible with WPA (TKIP).
• PMF (Protected Management Frames) is optional with WPA2 (typically enabled for WPA2-Enterprise).

WPA2-PSK (Personal) — Pre-Shared Key

Standalone Autonomous AP Configuration:

bash
ap(config)# dot11 ssid OfficeWPA2
ap(config-ssid)# authentication open
ap(config-ssid)# authentication key-management wpa version 2
ap(config-ssid)# wpa-psk ascii 0 MySecurePass
ap(config-ssid)# exit

ap(config)# interface dot11radio 0
ap(config-if)# encryption mode ciphers aes-ccmp
ap(config-if)# ssid OfficeWPA2
ap(config-if)# no shutdown

WLC Example:

bash
# WLAN ID 1; on AireOS all WPA/WPA2 settings sit under "security wpa"
(Cisco Controller)# config wlan security wpa wpa2 enable 1
(Cisco Controller)# config wlan security wpa wpa2 ciphers aes enable 1
(Cisco Controller)# config wlan security wpa akm psk enable 1
(Cisco Controller)# config wlan security wpa akm psk set-key ascii YourPSK 1

WPA2-Enterprise (802.1X, RADIUS/EAP)

• Requires a RADIUS server; user/device credentials (username/password or digital certificates).
• More secure than PSK.
• Often combined with VLAN assignment and dynamic policies.

Autonomous AP Example:

bash
# RADIUS server and AAA method lists (list names eap_methods / acct_methods are arbitrary)
ap(config)# aaa new-model
ap(config)# radius-server host 192.168.1.100 key radiuskey
ap(config)# aaa authentication login eap_methods group radius
ap(config)# aaa accounting network acct_methods start-stop group radius

# SSID: open authentication with EAP, WPA2 key management, RADIUS accounting
ap(config)# dot11 ssid CorpEAP
ap(config-ssid)# authentication open eap eap_methods
ap(config-ssid)# authentication key-management wpa version 2
ap(config-ssid)# accounting acct_methods
ap(config-ssid)# exit

# Bind the SSID to the radio with AES-CCMP
ap(config)# interface dot11radio 0
ap(config-if)# encryption mode ciphers aes-ccmp
ap(config-if)# ssid CorpEAP
ap(config-if)# no shutdown

WLC Example:

bash
# Define the RADIUS server on the controller (index 1), then attach it to WLAN 1
(Cisco Controller)# config radius auth add 1 192.168.1.100 1812 ascii radiuskey
(Cisco Controller)# config wlan security wpa wpa2 enable 1
(Cisco Controller)# config wlan security wpa akm 802.1x enable 1
(Cisco Controller)# config wlan radius_server auth add 1 1
(Cisco Controller)# config wlan enable 1

WPA3 (Wi-Fi Protected Access 3)

• Latest and most secure wireless authentication standard.
• Introduces SAE (Simultaneous Authentication of Equals) for WPA3-Personal.
• WPA3-Enterprise uses 192-bit cryptographic strength, mandatory PMF.
• Enhanced protection against offline dictionary attacks, forward secrecy.

WPA3-Personal (SAE)

(Requires compatible hardware and firmware!)

Autonomous AP Example:

bash
ap(config)# dot11 ssid HomeWPA3
ap(config-ssid)# authentication open
ap(config-ssid)# authentication key-management sae
ap(config-ssid)# wpa3-sae password MyWPA3SuperSecret
ap(config-ssid)# exit

ap(config)# interface dot11radio 0
ap(config-if)# encryption mode ciphers aes-ccmp
ap(config-if)# ssid HomeWPA3
ap(config-if)# no shutdown

WPA3-Enterprise (192-bit security, 802.1X)

WLC Example:

bash
# WLAN ID 2; WPA3 settings also live under "security wpa" on AireOS
(Cisco Controller)# config wlan security wpa wpa3 enable 2
(Cisco Controller)# config wlan security wpa akm 802.1x enable 2
(Cisco Controller)# config wlan security pmf required 2
# The 192-bit Suite-B AKM keyword depends on the controller release; check "config wlan security wpa akm ?"
# Add RADIUS server as usual for 802.1X authentication

CLI (Autonomous AP, if supported):

bash
ap(config)# dot11 ssid CorpWPA3
ap(config-ssid)# authentication open
ap(config-ssid)# authentication key-management sae
ap(config-ssid)# authentication key-management 802.1x
ap(config-ssid)# wpa3-sae password WPA3RADIUSSecret
ap(config-ssid)# exit

ap(config)# interface dot11radio 0
ap(config-if)# encryption mode ciphers aes-ccmp
ap(config-if)# ssid CorpWPA3
ap(config-if)# no shutdown

Mixed Mode (Transition) for WPA2/WPA3

• Allows both WPA2 (PSK) and WPA3 (SAE) clients to connect during migration.

Example:

bash
ap(config-ssid)# authentication key-management wpa version 2
ap(config-ssid)# authentication key-management sae
ap(config-ssid)# wpa-psk ascii 0 SharedTransitionKey
ap(config-ssid)# wpa3-sae password SharedTransitionKey

Best Practices:

• Always prefer WPA3 if devices support it.
• Use enterprise (802.1X) authentication for business environments.
• For PSK, use long, random passphrases.
• Enable PMF (Protected Management Frames), at least as "optional" for WPA2, "required" for WPA3.
• Disable legacy WPA/TKIP if not needed.
• Regularly update firmware and monitor for vulnerabilities.

Automation and Programmability in Networking – Detailed Overview

Introduction

Automation and programmability have become critical in modern network operations. They enable
consistent, rapid, and scalable network configurations, minimize human errors, and provide flexibility to
adapt networks dynamically.

Key Concepts

1. Automation

• Automates repetitive operational tasks (provisioning, configuration, monitoring).
• Tools: Ansible, Puppet, Chef, SaltStack.
• Scripts: Python, Shell scripting.
• Benefits: Speed, accuracy, compliance, reduced downtime.

2. Programmability

• Ability to control devices programmatically with APIs.
• Models: CLI, SNMP, REST API, NETCONF/YANG.
• Enables integration with orchestration platforms or custom workflows.

Network Automation Tools

Ansible (Agentless, YAML-based)

• Uses SSH to push configurations.
• Idempotent playbooks (run safely multiple times).
• Modules for networking devices (ios, nxos, eos).
• Example Playbook to configure an interface and OSPF:

yaml
- name: Configure router interface and OSPF
  hosts: routers
  gather_facts: no
  connection: network_cli
  tasks:
    - name: Configure interface GigabitEthernet0/1
      ios_config:
        lines:
          - description Configured by Ansible
          - ip address 10.1.1.1 255.255.255.0
          - no shutdown
        parents: interface GigabitEthernet0/1

    - name: Configure OSPF process 1
      ios_config:
        lines:
          - network 10.1.1.0 0.0.0.255 area 0
        parents: router ospf 1

Network Programmability via APIs

REST API Basics

• RESTful APIs use HTTP(S) methods (GET, POST, PUT, DELETE) to manage network device
configurations.
• Data formats: JSON, XML.
• Cisco devices support RESTCONF (REST over HTTP for network management).
• Example: GET interfaces info, POST to configure interface.

CRUD Operations

HTTP Method   Operation          Usage
GET           Retrieve data      Get interface status
POST          Create resources   Add new VLAN
PUT           Replace resource   Replace interface config
PATCH         Partial update     Modify specific parameters
DELETE        Remove resource    Delete an access list

Sample RESTCONF Python Script

python
import requests
import json

# RESTCONF path for one interface in the IETF ietf-interfaces YANG model
url = "https://192.168.1.1/restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1"
headers = {
    "Content-Type": "application/yang-data+json",
    "Accept": "application/yang-data+json",
}

auth = ("admin", "password")

# Get interface info
# verify=False skips TLS certificate validation; outside a lab, pass the CA bundle path instead
response = requests.get(url, headers=headers, auth=auth, verify=False)
response.raise_for_status()  # stop on 401/404 instead of parsing an error body
print(json.dumps(response.json(), indent=2))
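
Building the body for a PUT to the interface URL above and reducing a GET response to the fields worth checking, as an added example that is not from the guide. The body follows the IETF ietf-interfaces and ietf-ip YANG models that the URL names; SAMPLE_GET is constructed rather than captured from a device, and put_interface takes credentials from environment variables and verifies TLS against a CA bundle instead of using verify=False.

```python
"""RESTCONF helpers for ietf-interfaces (constructed example, not device output)."""
import json
import os

URL = ("https://192.168.1.1/restconf/data/"
       "ietf-interfaces:interfaces/interface=GigabitEthernet1")
HEADERS = {"Content-Type": "application/yang-data+json",
           "Accept": "application/yang-data+json"}


def build_interface_body(name, ip, netmask, description, enabled=True):
    """JSON body for PUT/PATCH on .../interface=<name> (ietf-interfaces + ietf-ip)."""
    return {
        "ietf-interfaces:interface": {
            "name": name,
            "description": description,
            "type": "iana-if-type:ethernetCsmacd",
            "enabled": enabled,
            "ietf-ip:ipv4": {"address": [{"ip": ip, "netmask": netmask}]},
        }
    }


def summarize_interface(body):
    """Reduce a GET response to (name, enabled, ["ip/netmask", ...])."""
    intf = body["ietf-interfaces:interface"]
    if isinstance(intf, list):  # some stacks wrap a single entry in a list
        intf = intf[0]
    addrs = [f"{a['ip']}/{a['netmask']}"
             for a in intf.get("ietf-ip:ipv4", {}).get("address", [])]
    return intf["name"], bool(intf.get("enabled", False)), addrs


def put_interface(body, ca_bundle):
    """Replace the interface config; TLS is verified against ca_bundle."""
    import requests  # imported here so the rest of the module runs without it
    auth = (os.environ["RESTCONF_USER"], os.environ["RESTCONF_PASS"])
    r = requests.put(URL, headers=HEADERS, auth=auth, data=json.dumps(body),
                     verify=ca_bundle, timeout=10)
    r.raise_for_status()
    return r.status_code  # 201 when created, 204 when replaced


# Constructed sample of what a GET on URL returns (not a device capture)
SAMPLE_GET = {"ietf-interfaces:interface": {
    "name": "GigabitEthernet1", "enabled": True,
    "type": "iana-if-type:ethernetCsmacd",
    "ietf-ip:ipv4": {"address": [{"ip": "10.1.1.1", "netmask": "255.255.255.0"}]}}}

if __name__ == "__main__":
    print(summarize_interface(SAMPLE_GET))
```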

Model-Driven Telemetry

• Network devices stream structured data to collectors.
• Allows real-time monitoring, analytics, and automated response.
• Uses protocols like gRPC, NETCONF, YANG models.

Configuration Management with Puppet and Chef

• Puppet and Chef use declarative languages and agents to enforce network configurations.
• Define desired state; agents ensure devices match the state.
• Used in large-scale, multi-vendor environments.

Cisco DNA Center and Automation

• Cisco’s platform integrating automation, assurance, and analytics.
• Provides APIs and SDKs for custom application development.
• Supports zero-touch provisioning, device onboarding, policy management.

Best Practices for Network Automation

• Start with repeatable, low-risk tasks.
• Use version control (Git) for scripts and playbooks.
• Test in lab environments before production deployment.
• Automate backups and rollbacks.
• Monitor automation outcomes with logging and alerts.
• Secure automation credentials and access.
