Uploaded by gowthamfree1

Complete CCNA CLI Reference Guide - Expanded with Every Detail and Variation


1. Network Fundamentals

1.1 Routers
Router Configuration Modes & Navigation:

bash
Router> enable                    # User EXEC to privileged EXEC
Router# configure terminal        # Enter global configuration
Router(config)# exit              # Back to privileged EXEC (one level up)
Router(config)# end               # Direct to privileged EXEC from any config submode
Router# disable                   # Back to user EXEC
Router> ?                         # Show available commands
Router# show ?                    # Show all show commands

# Hostname and Banner Configuration
Router(config)# hostname R1                                  # Set hostname
Router(config)# banner motd #Authorized Access Only#         # Message of the day
Router(config)# banner login #Login Required#                # Login banner
Router(config)# banner exec #Welcome#                        # EXEC banner

# Password Configuration Variations
Router(config)# enable password cisco123                     # Plaintext (at best type-7 reversible) enable password; superseded by enable secret
Router(config)# enable secret cisco123                       # Hashed enable password (preferred; takes precedence if both exist)
Router(config)# service password-encryption                  # Type-7 (reversible) obfuscation of all plaintext line/enable passwords
Router(config)# no service password-encryption               # Disable password encryption

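The commands above are the ones an auditor checks first when reviewing a device configuration. As an added example (not from the guide), the following Python script scans a constructed `show running-config` excerpt for the weak choices just listed: `enable password` without `enable secret`, missing `service password-encryption`, no banner, and a vty line that still accepts Telnet. The sample configurations, the hash value and the severity labels are all constructed for the example.

```python
import re

# Constructed sample 'show running-config' excerpt (not from any real device)
# showing the weak choices the commands above warn about.
SAMPLE_CONFIG = """\
hostname R1
!
enable password cisco123
no service password-encryption
!
banner motd ^CAuthorized Access Only^C
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# Hardened counterpart of the same router (the hash value is a placeholder).
HARDENED_CONFIG = """\
hostname R1
!
enable secret 9 $9$PLACEHOLDER_HASH
service password-encryption
!
banner login ^CLogin Required^C
!
line vty 0 4
 login local
 transport input ssh
"""


def audit_config(config: str) -> list:
    """Return (severity, finding) tuples for management-plane weaknesses.

    Checks are limited to the settings this section covers: enable secret
    versus enable password, service password-encryption, banners, and the
    vty transport (telnet is cleartext).
    """
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    has_secret = any(ln.startswith("enable secret") for ln in lines)
    has_plain = any(ln.startswith("enable password") for ln in lines)

    if not has_secret:
        findings.append(("high", "no 'enable secret' configured"))
    if has_plain:
        # With a secret present the password is ignored, but it still leaks a credential.
        findings.append(("high" if not has_secret else "low",
                         "'enable password' present; remove it and rely on 'enable secret'"))
    if "service password-encryption" not in lines:
        findings.append(("medium",
                         "line passwords stored in clear text; add 'service password-encryption'"))
    if not any(ln.startswith(("banner motd", "banner login")) for ln in lines):
        findings.append(("low", "no login or MOTD banner configured"))
    for ln in lines:
        # vty/console lines are indented by one space in IOS output
        if re.match(r"\s+transport input\b.*\b(telnet|all)\b", ln):
            findings.append(("high", f"cleartext management transport: '{ln.strip()}'"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

Running it against the first sample reports four findings (three high, one medium); the hardened sample produces none. Paste the output of `show running-config` into the script to run it against a real device.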
Interface Configuration - All Variations:

bash
# Basic Interface Configuration
Router(config)# interface GigabitEthernet0/0                    # Enter interface config
Router(config)# interface Gi0/0                                 # Abbreviated form
Router(config)# interface g0/0                                  # Short form
Router(config)# interface range gi0/0-1                         # Configure multiple interfaces
Router(config-if)# ip address 192.168.1.1 255.255.255.0         # Static IP
Router(config-if)# ip address 10.1.1.1 255.255.255.0 secondary  # Secondary IP
Router(config-if)# ip address dhcp                              # DHCP client
Router(config-if)# ip address negotiated                        # PPP-negotiated address (IPCP)

# Interface Status Commands
Router(config-if)# no shutdown                                  # Enable interface
Router(config-if)# shutdown                                     # Disable interface
Router(config-if)# description "LAN Interface"                  # Interface description

# Speed and Duplex Settings
Router(config-if)# speed 10                                     # 10 Mbps
Router(config-if)# speed 100                                    # 100 Mbps
Router(config-if)# speed 1000                                   # 1 Gbps
Router(config-if)# speed auto                                   # Auto negotiate
Router(config-if)# duplex half                                  # Half duplex
Router(config-if)# duplex full                                  # Full duplex
Router(config-if)# duplex auto                                  # Auto negotiate

# Bandwidth and Delay (affect routing metrics only, not the physical rate)
Router(config-if)# bandwidth 1544                               # Bandwidth in kbps (T1)
Router(config-if)# delay 100                                    # Delay in tens of microseconds

# Clock Rate (DCE side of a serial link only)
Router(config-if)# clock rate 64000                             # 64 kbps
Router(config-if)# clock rate 128000                            # 128 kbps
Router(config-if)# clock rate 1544000                           # T1 speed
Router(config-if)# clock rate 2048000                           # E1 speed

Verification Commands - Complete Set:

bash
# Configuration Verification
Router# show running-config                                     # Current configuration
Router# show startup-config                                     # Saved configuration
Router# show running-config | section interface                 # Show only interface config
Router# show running-config | include hostname                  # Show hostname line only
Router# show running-config | exclude !                         # Exclude comment lines

# Interface Status Commands
Router# show interfaces                                         # All interfaces, detailed
Router# show interface gi0/0                                    # Specific interface
Router# show ip interface brief                                 # IP interface summary
Router# show interface description                              # Interface descriptions
Router# show interface status                                   # Interface status summary

# System Information
Router# show version                                            # IOS version and hardware
Router# show clock                                              # Current time/date
Router# show users                                              # Current users
Router# show history                                            # Command history
Router# show processes                                          # Running processes
Router# show memory                                             # Memory usage
Router# show flash                                              # Flash memory contents

# Configuration Management
Router# copy running-config startup-config                      # Save configuration
Router# copy run start                                          # Abbreviated save
Router# write memory                                            # Alternative save
Router# write erase                                             # Erase startup config
Router# erase startup-config                                    # Erase startup config
Router# reload                                                  # Restart router
Router# reload in 5                                             # Reload in 5 minutes
Router# reload cancel                                           # Cancel scheduled reload

1.2 Layer 2 and Layer 3 Switches


Switch Modes and Basic Configuration:

bash
# Switch Configuration Modes
Switch> enable                                   # User to privileged EXEC
Switch# configure terminal                       # Global configuration mode
Switch(config)# hostname SW1                     # Set hostname

# VLAN Database Configuration
Switch(config)# vlan 10                          # Create VLAN 10
Switch(config-vlan)# name Users                  # Name the VLAN
Switch(config-vlan)# state active                # VLAN state (active/suspend)
Switch(config-vlan)# exit                        # Exit VLAN config

# Multiple VLAN Creation
Switch(config)# vlan 10,20,30                    # Create multiple VLANs
Switch(config)# vlan 100-110                     # Create VLAN range

Port Configuration - All Variations:

bash
# Access Port Configuration
Switch(config)# interface fastethernet 0/1                          # Enter interface
Switch(config)# interface fa0/1                                     # Abbreviated
Switch(config)# interface f0/1                                      # Short form
Switch(config)# interface range f0/1-24                             # Multiple ports
Switch(config-if)# switchport mode access                           # Static access port
Switch(config-if)# switchport access vlan 10                        # Assign to VLAN 10
Switch(config-if)# switchport voice vlan 20                         # Voice VLAN for IP phones

# Trunk Port Configuration
Switch(config-if)# switchport mode trunk                            # Static trunk
Switch(config-if)# switchport trunk encapsulation dot1q             # 802.1Q (required on platforms that also support ISL)
Switch(config-if)# switchport trunk allowed vlan 10,20,30           # Allowed VLANs
Switch(config-if)# switchport trunk allowed vlan add 40             # Add VLAN to trunk
Switch(config-if)# switchport trunk allowed vlan remove 30          # Remove VLAN
Switch(config-if)# switchport trunk allowed vlan all                # Allow all VLANs
Switch(config-if)# switchport trunk allowed vlan none               # Allow no VLANs
Switch(config-if)# switchport trunk native vlan 99                  # Native (untagged) VLAN

# Dynamic Trunking Protocol (DTP)
Switch(config-if)# switchport mode dynamic auto                     # Passive DTP (trunks only if the peer asks)
Switch(config-if)# switchport mode dynamic desirable                # Active DTP (actively negotiates a trunk)
Switch(config-if)# switchport nonegotiate                           # Disable DTP (use on access ports and static trunks)

# Port Security Configuration
Switch(config-if)# switchport port-security                         # Enable port security
Switch(config-if)# switchport port-security maximum 1               # Max secure MAC addresses
Switch(config-if)# switchport port-security mac-address sticky      # Sticky learning (learned MACs are written to the running config)
Switch(config-if)# switchport port-security mac-address 0012.3456.789A   # Static secure MAC
Switch(config-if)# switchport port-security violation shutdown      # Violation action: err-disable the port (default)
Switch(config-if)# switchport port-security violation restrict      # Drop, count violations, send syslog/SNMP trap
Switch(config-if)# switchport port-security violation protect       # Drop silently, no counter or notification
Switch(config-if)# switchport port-security aging time 10           # Aging timer (minutes)
Switch(config-if)# switchport port-security aging type absolute     # Absolute aging
Switch(config-if)# switchport port-security aging type inactivity   # Inactivity aging

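The three violation modes differ in what happens to the port and to the operator's visibility, which is easiest to see by running frames through a model. The following Python class is an added example (constructed, not Cisco code) that reproduces the maximum count, sticky versus dynamic learning, and the `shutdown`, `restrict` and `protect` behaviour of the commands above; MAC addresses and port settings in the usage are invented.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' applied (constructed model)."""
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = "shutdown"       # shutdown | restrict | protect
    sticky: bool = False              # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)   # configured + sticky-learned
    dynamic_macs: set = field(default_factory=set)  # learned, lost on link reset
    violation_count: int = 0
    err_disabled: bool = False

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.static_macs.add(mac.lower())

    def secure_macs(self) -> set:
        return self.static_macs | self.dynamic_macs

    def ingress(self, src_mac: str) -> str:
        """Process one frame; returns 'forward', 'drop' or 'err-disabled'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"          # nothing passes until the port is reset
        if mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            # Still within the maximum: learn the address.
            (self.static_macs if self.sticky else self.dynamic_macs).add(mac)
            return "forward"
        # Unknown source MAC beyond the maximum: a security violation.
        if self.violation == "shutdown":
            self.err_disabled = True       # port goes err-disabled, syslog + trap
            self.violation_count += 1
            return "err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1      # dropped, counted, syslog + trap
            return "drop"
        return "drop"                      # protect: dropped silently, no counter

    def reset(self) -> None:
        """Operator 'shutdown' / 'no shutdown' (or errdisable recovery)."""
        self.err_disabled = False
        self.dynamic_macs.clear()          # sticky/static entries survive the reset


if __name__ == "__main__":
    port = SecurePort(maximum=1, violation="shutdown", sticky=True)
    for mac in ("0012.3456.789A", "0012.3456.789A", "aaaa.bbbb.cccc", "0012.3456.789A"):
        print(mac, "->", port.ingress(mac))   # the legitimate host is cut off too
```

The point the model makes: `shutdown` takes the legitimate host offline together with the intruder until someone resets the port, `restrict` keeps the port up and leaves a trail in the counters and syslog, and `protect` keeps the port up but gives the operator nothing to detect the event with.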
Layer 3 Switch Configuration:

bash
# Enable IP routing
Switch(config)# ip routing                                   # Enable routing capability

# VLAN Interface (SVI) Configuration
Switch(config)# interface vlan 10                            # Create VLAN interface
Switch(config-if)# ip address 192.168.10.1 255.255.255.0     # Assign IP address
Switch(config-if)# no shutdown                               # Enable interface
Switch(config-if)# description "Users Gateway"               # Description

# Routed Port Configuration (no switchport)
Switch(config)# interface gi0/1                              # Enter interface
Switch(config-if)# no switchport                             # Make it a routed port
Switch(config-if)# ip address 10.1.1.1 255.255.255.0         # Assign IP
Switch(config-if)# no shutdown                               # Enable interface

Switch Verification Commands:

bash
# VLAN Information
Switch# show vlan brief                                      # VLAN summary
Switch# show vlan                                            # Detailed VLAN info
Switch# show vlan id 10                                      # Specific VLAN
Switch# show vlan name Users                                 # VLAN by name

# Interface Status
Switch# show interfaces status                               # Port status
Switch# show interfaces trunk                                # Trunk ports
Switch# show interfaces switchport                           # Switchport info
Switch# show interface f0/1 switchport                       # Specific port

# MAC Address Table
Switch# show mac address-table                               # MAC address table
Switch# show mac address-table dynamic                       # Dynamic entries only
Switch# show mac address-table static                        # Static entries only
Switch# show mac address-table vlan 10                       # Specific VLAN
Switch# show mac address-table interface f0/1                # Specific interface
Switch# show mac address-table aging-time                    # Aging timer
Switch# clear mac address-table dynamic                      # Clear dynamic entries

# Port Security
Switch# show port-security                                   # Port security summary
Switch# show port-security interface f0/1                    # Specific port
Switch# show port-security address                           # Secure MAC addresses

1.3 Next-Generation Firewalls and IPS

Zone-Based Firewall Configuration:

bash
# Create Security Zones
Router(config)# zone security INSIDE                         # Internal zone
Router(config)# zone security OUTSIDE                        # External zone
Router(config)# zone security DMZ                            # DMZ zone

# Assign Interfaces to Zones
Router(config)# interface gi0/0                              # Internal interface
Router(config-if)# zone-member security INSIDE               # Assign to INSIDE zone
Router(config-if)# exit
Router(config)# interface gi0/1                              # External interface
Router(config-if)# zone-member security OUTSIDE              # Assign to OUTSIDE zone

# Class Maps for Traffic Classification
Router(config)# class-map type inspect match-all HTTP_TRAFFIC
Router(config-cmap)# match protocol http                     # Match HTTP traffic
Router(config-cmap)# exit
Router(config)# class-map type inspect match-all HTTPS_TRAFFIC
Router(config-cmap)# match protocol https                    # Match HTTPS traffic
Router(config-cmap)# exit
Router(config)# class-map type inspect match-any WEB_TRAFFIC
Router(config-cmap)# match class-map HTTP_TRAFFIC            # Include HTTP
Router(config-cmap)# match class-map HTTPS_TRAFFIC           # Include HTTPS
Router(config-cmap)# exit

# Policy Maps for Actions
Router(config)# policy-map type inspect WEB_POLICY
Router(config-pmap)# class type inspect WEB_TRAFFIC
Router(config-pmap-c)# inspect                               # Stateful inspection; return traffic is allowed automatically
Router(config-pmap-c)# exit
Router(config-pmap)# class class-default
Router(config-pmap-c)# drop                                  # Drop all other traffic
Router(config-pmap-c)# exit

# Zone Pairs and Policies (traffic between two different zones is dropped until a zone-pair permits it)
Router(config)# zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
Router(config-sec-zone-pair)# service-policy type inspect WEB_POLICY
Router(config-sec-zone-pair)# exit

# Self Zone (traffic to and from the router itself, e.g. management)
# The self zone exists by default and is not created; traffic to and from it is
# permitted until a zone-pair with a policy is attached, so lock it down explicitly.
Router(config)# zone-pair security INSIDE_TO_SELF source INSIDE destination self
Router(config-sec-zone-pair)# service-policy type inspect SELF_POLICY   # SELF_POLICY built like WEB_POLICY, with the management protocols you allow

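Two behaviours of the configuration above are easy to misread in a CLI listing: inspected sessions let return traffic back in without an OUTSIDE-to-INSIDE zone-pair, and the self zone is permitted by default. The following Python model is an added example (not Cisco code) that evaluates zones, zone-pairs and the `WEB_POLICY` policy-map exactly as listed; `SELF_POLICY` is not defined in the guide, so the example assumes it inspects SSH only. Interface names and addresses in the usage are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" | "udp" | "icmp"
    sport: int
    dport: int
    in_if: str        # ingress interface ("self" when the router originates it)
    out_if: str       # egress interface ("self" when the router is the destination)


class ZoneBasedFirewall:
    """Evaluates the zone / zone-pair / policy-map rules from the block above.
    Constructed model of the semantics, not Cisco code."""

    def __init__(self):
        self.zone_of = {"self": "self"}   # the self zone exists by default
        self.policies = {}                # (src_zone, dst_zone) -> [(class, match, action), ...]
        self.sessions = set()             # inspected flows: (client, server, proto, dport)

    def zone_member(self, interface: str, zone: str) -> None:
        self.zone_of[interface] = zone

    def zone_pair(self, src_zone: str, dst_zone: str, policy: list) -> None:
        self.policies[(src_zone, dst_zone)] = policy

    def forward(self, pkt: Packet) -> str:
        src_zone = self.zone_of.get(pkt.in_if)
        dst_zone = self.zone_of.get(pkt.out_if)
        if src_zone is None or dst_zone is None:
            # An interface outside any zone can only talk to other zoneless interfaces.
            return "pass" if src_zone is None and dst_zone is None else "drop"
        if src_zone == dst_zone:
            return "pass"                                   # intra-zone traffic is not policed
        if (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.sport) in self.sessions:
            return "pass"                                   # return traffic of an inspected session
        policy = self.policies.get((src_zone, dst_zone))
        if policy is None:
            # Default: inter-zone traffic is dropped, but the self zone permits by default,
            # which is why the guide attaches an explicit policy to INSIDE_TO_SELF.
            return "pass" if "self" in (src_zone, dst_zone) else "drop"
        for _name, match, action in policy:                 # first matching class wins
            if match(pkt):
                if action == "inspect":
                    self.sessions.add((pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dport))
                    return "pass"
                return "pass" if action == "pass" else "drop"
        return "drop"                                       # class-default drop


def build_from_guide() -> ZoneBasedFirewall:
    """Zones, zone-pairs and WEB_POLICY as in the configuration above;
    SELF_POLICY is assumed to inspect SSH only (the guide does not define it)."""
    fw = ZoneBasedFirewall()
    fw.zone_member("gi0/0", "INSIDE")
    fw.zone_member("gi0/1", "OUTSIDE")
    web_traffic = lambda p: p.proto == "tcp" and p.dport in (80, 443)   # WEB_TRAFFIC (match-any)
    fw.zone_pair("INSIDE", "OUTSIDE", [
        ("WEB_TRAFFIC", web_traffic, "inspect"),
        ("class-default", lambda p: True, "drop"),
    ])
    fw.zone_pair("INSIDE", "self", [
        ("SSH", lambda p: p.proto == "tcp" and p.dport == 22, "inspect"),
        ("class-default", lambda p: True, "drop"),
    ])
    return fw


if __name__ == "__main__":
    fw = build_from_guide()
    out = Packet("192.168.1.10", "203.0.113.5", "tcp", 40000, 443, "gi0/0", "gi0/1")
    back = Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 40000, "gi0/1", "gi0/0")
    print("outbound HTTPS:", fw.forward(out), "| reply:", fw.forward(back))
```

Note the last case in the test: an OUTSIDE host reaching the router's own SSH port is passed, because no OUTSIDE-to-self zone-pair exists. That gap is what the self-zone policy is for.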
IPS Configuration:

bash
# Enable IPS
Router(config)# ip ips name IPS_RULE                         # Create IPS rule
Router(config)# ip ips config location flash:/ipsdir/        # IPS directory (signature storage)

# Signature Categories
Router(config)# ip ips signature-category                    # Enter signature category config
Router(config-ips-category)# category all                    # All categories
Router(config-ips-category-action)# retired true             # Retire every signature in the category (then un-retire the category you actually want)
Router(config-ips-category-action)# exit

# Apply IPS to Interface
Router(config)# interface gi0/0
Router(config-if)# ip ips IPS_RULE in                        # Apply inbound
Router(config-if)# ip ips IPS_RULE out                       # Apply outbound

# IPS Monitoring
Router# show ip ips all                                      # Show all IPS info
Router# show ip ips interfaces                               # IPS-enabled interfaces
Router# show ip ips signatures                               # Active signatures
Router# show ip ips statistics                               # IPS statistics

1.4 Access Points and Controllers


Autonomous AP Configuration:

bash
# Basic AP Setup
AP> enable
AP# configure terminal
AP(config)# hostname AP1                                     # Set hostname
AP(config)# enable secret cisco123                           # Enable password

# Radio Interface Configuration
AP(config)# interface dot11radio 0                           # 2.4 GHz radio
AP(config-if)# ssid CORPORATE                                # Network name
AP(config-if)# authentication open                           # Open authentication
AP(config-if)# authentication key-management wpa version 2   # WPA2
AP(config-if)# wpa-psk ascii 0 SecurePassword123             # Pre-shared key
AP(config-if)# channel 6                                     # Channel assignment
AP(config-if)# power local maximum                           # Maximum power
AP(config-if)# no shutdown                                   # Enable radio

AP(config)# interface dot11radio 1                           # 5 GHz radio
AP(config-if)# ssid CORPORATE_5G                             # 5 GHz network
AP(config-if)# channel 36                                    # 5 GHz channel
AP(config-if)# no shutdown                                   # Enable radio

# VLAN Configuration
AP(config)# interface dot11radio 0.10                        # Subinterface
AP(config-subif)# encapsulation dot1q 10                     # VLAN 10
AP(config-subif)# bridge-group 10                            # Bridge group

# Security Modes
AP(config-if)# encryption mode ciphers aes-ccmp              # AES encryption
AP(config-if)# encryption mode ciphers tkip                  # TKIP encryption (legacy)
AP(config-if)# encryption mode ciphers aes-ccmp tkip         # Both

# WPA3 Configuration (newer APs)
AP(config-if)# authentication key-management wpa3            # WPA3
AP(config-if)# authentication key-management sae             # SAE (WPA3-Personal)

WLC (Wireless LAN Controller) Configuration:

bash
# Basic WLC Setup (AireOS CLI)
(Cisco Controller) > config network ssh enable               # Enable SSH
(Cisco Controller) > config network telnet disable           # Disable Telnet
(Cisco Controller) > config network webmode disable          # Disable HTTP management
(Cisco Controller) > config network secureweb enable         # Enable HTTPS management

# WLAN Creation and Configuration (WLAN ID comes first in most 'config wlan' commands)
(Cisco Controller) > config wlan create 1 CORPORATE          # Create WLAN ID 1 (profile name CORPORATE)
(Cisco Controller) > config wlan ssid 1 CORPORATE            # Set SSID
(Cisco Controller) > config wlan disable 1                   # WLAN must be disabled to change security settings
(Cisco Controller) > config wlan security wpa enable 1       # Enable WPA/WPA2 security
(Cisco Controller) > config wlan security wpa wpa2 enable 1  # WPA2
(Cisco Controller) > config wlan security wpa wpa2 ciphers aes enable 1   # AES (CCMP) cipher
(Cisco Controller) > config wlan security wpa akm psk enable 1            # PSK
(Cisco Controller) > config wlan security wpa akm psk set-key ascii SecurePass123 1
(Cisco Controller) > config wlan enable 1                    # Re-enable the WLAN

# WPA3 Configuration
(Cisco Controller) > config wlan security wpa wpa3 enable 1  # Enable WPA3
(Cisco Controller) > config wlan security wpa akm sae enable 1            # SAE key mgmt
(Cisco Controller) > config wlan security pmf required 1     # PMF required

# AP Management
(Cisco Controller) > config ap name Office-AP-01 001122334455             # Rename AP (identified by its current name or MAC)
(Cisco Controller) > config ap location "Building A Floor 1" Office-AP-01  # Location
(Cisco Controller) > config ap country US Office-AP-01       # Country code
(Cisco Controller) > config ap mode local Office-AP-01       # Local mode
(Cisco Controller) > config ap mode flexconnect Office-AP-01 # FlexConnect mode

# Show Commands
(Cisco Controller) > show ap summary                         # AP summary
(Cisco Controller) > show wlan summary                       # WLAN summary
(Cisco Controller) > show client summary                     # Client summary
(Cisco Controller) > show interface summary                  # Interface summary

1.5 Endpoints and Servers


Windows Network Configuration:

text
# IP Configuration
ipconfig                                  # Basic IP info
ipconfig /all                             # Detailed IP info
ipconfig /release                         # Release DHCP lease
ipconfig /renew                           # Renew DHCP lease
ipconfig /flushdns                        # Flush DNS cache
ipconfig /displaydns                      # Display DNS cache
ipconfig /registerdns                     # Register DNS

# Network Connectivity Testing
ping 8.8.8.8                              # Ping Google DNS
ping -t 8.8.8.8                           # Continuous ping
tracert 8.8.8.8                           # Trace route
pathping 8.8.8.8                          # Path ping (combines ping/tracert)
telnet 192.168.1.1 23                     # Test TCP connectivity to a port

# Network Information
arp -a                                    # ARP table
netstat -an                               # Network connections
netstat -rn                               # Routing table
nslookup google.com                       # DNS lookup
route print                               # Routing table

# Static IP Configuration
netsh interface ip set address "Local Area Connection" static 192.168.1.100 255.255.255.0 192.168.1.1
netsh interface ip set dns "Local Area Connection" static 8.8.8.8

Linux Network Configuration:

bash
# Interface Information
ip addr show                              # Show IP addresses
ip a                                      # Abbreviated form
ip link show                              # Show interface status
ip route show                             # Show routing table
ip r                                      # Abbreviated form

# Legacy Commands (still widely used)
ifconfig                                  # Interface configuration
ifconfig eth0                             # Specific interface
route -n                                  # Routing table
netstat -rn                               # Routing table

# NetworkManager (modern distributions)
nmcli device status                       # Device status
nmcli connection show                     # Show connections
nmcli con add con-name "Static" ifname eth0 type ethernet
nmcli con mod "Static" ipv4.addresses 192.168.1.100/24
nmcli con mod "Static" ipv4.gateway 192.168.1.1
nmcli con mod "Static" ipv4.dns "8.8.8.8 8.8.4.4"
nmcli con mod "Static" ipv4.method manual
nmcli con up "Static"                     # Activate connection

# Network Testing
ping -c 4 8.8.8.8                         # Ping 4 times
traceroute 8.8.8.8                        # Trace route
dig google.com                            # DNS lookup
nslookup google.com                       # DNS lookup
ss -tuln                                  # Listening TCP/UDP sockets
netstat -tuln                             # Same, legacy tool

# System Network Services
systemctl status NetworkManager           # NetworkManager status
systemctl restart networking              # Restart networking (Debian/Ubuntu ifupdown)
service network restart                   # Legacy restart (RHEL/CentOS)

1.6 Power over Ethernet (PoE)


PoE Configuration and Management:

bash
# PoE Port Configuration
Switch(config)# interface fastethernet 0/1                   # Enter interface
Switch(config-if)# power inline auto                         # Auto PoE detection
Switch(config-if)# power inline static                       # Force PoE on
Switch(config-if)# power inline never                        # Disable PoE
Switch(config-if)# power inline consumption 15500            # Set consumption in mW

# PoE+ Configuration (802.3at)
Switch(config-if)# power inline auto max 30000               # Maximum 30 W for PoE+
Switch(config-if)# power inline static max 30000             # Static with max power

# Power Budget Management
Switch(config)# power inline allocation 15400                # Allocate power globally

# PoE Monitoring and Verification
Switch# show power inline                                    # All PoE status
Switch# show power inline fastethernet 0/1                   # Specific port
Switch# show power inline consumption                        # Power consumption
Switch# show environment power                               # Power supply status
Switch# show power supplies                                  # Power supply information

# Debug Commands
Switch# debug power inline events                            # Debug PoE events
Switch# show power inline police                             # PoE policing info

1.7 Network Topologies


Two-Tier (Collapsed Core) Configuration:

bash
# Core/Distribution Switch Configuration
CoreSwitch(config)# spanning-tree mode rapid-pvst
CoreSwitch(config)# spanning-tree vlan 1-100 priority 4096   # Root bridge
CoreSwitch(config)# ip routing                               # Enable Layer 3

# Access Layer Uplinks
AccessSwitch(config)# interface range gi0/23-24
AccessSwitch(config-if-range)# channel-group 1 mode active   # LACP
AccessSwitch(config)# interface port-channel 1
AccessSwitch(config-if)# switchport mode trunk

Three-Tier Configuration:

bash
# Core Layer (Layer 3)
CoreSwitch(config)# ip routing
CoreSwitch(config)# interface vlan 10
CoreSwitch(config-if)# ip address 192.168.10.1 255.255.255.0

# Distribution Layer (Layer 3)
DistributionSwitch(config)# ip routing
DistributionSwitch(config)# spanning-tree vlan 10 priority 8192   # Secondary root

# Access Layer (Layer 2)
AccessSwitch(config)# spanning-tree portfast default
AccessSwitch(config)# spanning-tree bpduguard default        # Err-disable any edge port that receives a BPDU

Spine-Leaf Architecture:

bash
# Spine Switch Configuration (BGP/OSPF)
SpineSwitch(config)# router bgp 65001
SpineSwitch(config-router)# neighbor 10.0.1.1 remote-as 65002
SpineSwitch(config-router)# neighbor 10.0.1.1 update-source loopback 0

# Leaf Switch Configuration (NX-OS style)
LeafSwitch(config)# interface ethernet 1/1-4                 # Spine uplinks
LeafSwitch(config-if-range)# no switchport                   # Layer 3 ports
LeafSwitch(config)# interface ethernet 1/1
LeafSwitch(config-if)# ip address 10.0.1.1/30                # One /30 per uplink; repeat per interface with its own subnet

WAN Configuration Examples:

bash
# Serial WAN Interface
Router(config)# interface serial 0/0/0
Router(config-if)# ip address 203.0.113.1 255.255.255.252
Router(config-if)# encapsulation ppp                         # PPP encapsulation
Router(config-if)# clock rate 64000                          # DCE clock rate
Router(config-if)# bandwidth 64                              # Bandwidth for routing metrics (kbps)

# Frame Relay
Router(config-if)# encapsulation frame-relay                 # Frame Relay encapsulation
Router(config-if)# frame-relay map ip 203.0.113.2 100 broadcast

# HDLC (Default)
Router(config-if)# encapsulation hdlc                        # HDLC encapsulation

# Ethernet WAN (Metro Ethernet)
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ip address dhcp                           # DHCP from ISP
Router(config-if)# ip nat outside                            # NAT outside interface

1.8 Network Cable Types


Cable Type Configuration and Verification:

bash
# Copper Interface Configuration
Switch(config)# interface fastethernet 0/1                   # 100BASE-TX
Switch(config-if)# speed 100                                 # Force 100 Mbps
Switch(config-if)# duplex full                               # Full duplex

Switch(config)# interface gigabitethernet 0/1                # 1000BASE-T
Switch(config-if)# speed 1000                                # Gigabit speed
Switch(config-if)# duplex full                               # Full duplex

# Fiber Interface Configuration
Switch(config)# interface gigabitethernet 0/1                # SFP port
Switch(config-if)# media-type sfp                            # SFP media type
Switch(config-if)# speed 1000                                # Gigabit over fiber

# 10 Gigabit Interfaces
Switch(config)# interface tengigabitethernet 0/1             # 10GbE interface
Switch(config-if)# speed 10000                               # 10 Gbps

# Cable Testing and Verification
Switch# show interfaces gi0/1 status                         # Interface status
Switch# show interfaces gi0/1 transceiver detail             # SFP details
Switch# test cable-diagnostics tdr interface gi0/1           # Run cable diagnostics
Switch# show cable-diagnostics tdr interface gi0/1           # TDR results

# Media Type and Distance Information
Switch# show interface gi0/1 capabilities                    # Interface capabilities
Switch# show inventory                                       # Hardware inventory

1.9 Interface and Cable Issues

Troubleshooting Interface Problems:

bash
# Interface Statistics and Errors
Switch# show interfaces gi0/1                                # Detailed interface info
Switch# show interfaces gi0/1 | include error                # Show only error lines
Switch# show interfaces gi0/1 | include collision            # Show collisions
Switch# show interfaces counters errors                      # Error counters
Switch# show interfaces counters                             # All counters

# Common Error Types and Solutions
# CRC errors      - usually physical layer issues (bad cable, connector, noise)
# Input errors    - sum of runts, giants, no-buffer, CRC, frame, overrun and ignored counts
# Output errors   - sum of transmit-side errors (e.g. late collisions, underruns)
# Collisions      - half-duplex operation or a duplex mismatch

# Clear Interface Counters
Switch# clear counters                                       # Clear all counters
Switch# clear counters gi0/1                                 # Clear specific interface

# Speed and Duplex Mismatch Resolution
Switch(config)# interface gi0/1
Switch(config-if)# speed 1000                                # Force gigabit
Switch(config-if)# duplex full                               # Force full duplex
Switch(config-if)# no speed                                  # Auto negotiate speed
Switch(config-if)# no duplex                                 # Auto negotiate duplex

# Interface Reset and Recovery
Switch(config-if)# shutdown                                  # Shut down interface
Switch(config-if)# no shutdown                               # Bring up interface

# Monitoring Interface Status Changes
Switch# debug interface                                      # Debug interface events
Switch# show logging | include %LINK                         # Link state changes

1.10 TCP vs UDP


Protocol Analysis and Configuration:

bash
# Show Protocol Statistics
Router# show ip traffic                                      # IP protocol statistics
Router# show tcp brief                                       # TCP connections
Router# show udp brief                                       # UDP connections
Router# show sockets                                         # Socket information

# Access List Examples for TCP vs UDP
Router(config)# access-list 100 permit tcp any any eq 80     # HTTP (TCP)
Router(config)# access-list 100 permit tcp any any eq 443    # HTTPS (TCP)
Router(config)# access-list 100 permit tcp any any eq 23     # Telnet (TCP)
Router(config)# access-list 100 permit tcp any any eq 22     # SSH (TCP)
Router(config)# access-list 100 permit tcp any any eq 21     # FTP (TCP)
Router(config)# access-list 100 permit tcp any any eq 25     # SMTP (TCP)
Router(config)# access-list 100 permit udp any any eq 53     # DNS (UDP)
Router(config)# access-list 100 permit udp any any eq 69     # TFTP (UDP)
Router(config)# access-list 100 permit udp any any eq 161    # SNMP (UDP)
Router(config)# access-list 100 permit udp any any eq 123    # NTP (UDP)
Router(config)# access-list 100 permit udp any any eq 67     # DHCP server (UDP)
Router(config)# access-list 100 permit udp any any eq 68     # DHCP client (UDP)

# Named ACL with Protocol Specifics
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# permit tcp any any eq 80
Router(config-ext-nacl)# permit tcp any any eq 443
Router(config-ext-nacl)# permit tcp any any established      # TCP segments with ACK or RST set (replies to existing sessions)

# Quality of Service (QoS) for TCP vs UDP
Router(config)# class-map match-all REAL_TIME_UDP
Router(config-cmap)# match protocol udp
Router(config-cmap)# match ip dscp ef                        # Voice traffic

Router(config)# class-map match-all BULK_TCP
Router(config-cmap)# match protocol tcp
Router(config-cmap)# match ip dscp af11                      # Bulk data

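An access list is evaluated top-down with first match and an implicit `deny ip any any` at the end, and `established` is not session state: it only tests the ACK or RST flag of a TCP segment. The following Python evaluator is an added example (constructed, not Cisco code) that parses a subset of the `access-list` syntax above (only `any any` sources and destinations, numeric `eq` ports) and runs sample packets through it; the ACL text and packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp" | "udp" | "icmp"
    dport: int
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"}, {"ACK"}


@dataclass(frozen=True)
class Ace:
    action: str                          # permit | deny
    proto: str                           # tcp | udp | ip
    dport: int = None                    # None = any port
    established: bool = False


# Constructed ACL in the style of the 'access-list 100' lines above.
ACL_100 = """\
access-list 100 permit tcp any any eq 80        # HTTP (TCP)
access-list 100 permit tcp any any eq 443       # HTTPS (TCP)
access-list 100 permit tcp any any eq 22        # SSH (TCP)
access-list 100 permit udp any any eq 53        # DNS (UDP)
access-list 100 permit udp any any eq 123       # NTP (UDP)
access-list 100 permit tcp any any established  # replies of outbound TCP sessions
"""


def parse_acl(text: str) -> list:
    """Parse 'access-list <n> permit|deny <proto> any any [eq <port>] [established]'.
    Subset for the example: only 'any any' sources/destinations are accepted."""
    entries = []
    for line in text.splitlines():
        tok = line.split("#")[0].split()           # drop trailing comments
        if len(tok) < 6 or tok[0] != "access-list" or tok[4:6] != ["any", "any"]:
            continue
        action, proto = tok[2], tok[3]
        dport = int(tok[7]) if len(tok) > 7 and tok[6] == "eq" else None
        entries.append(Ace(action, proto, dport, "established" in tok))
    return entries


def evaluate(acl: list, pkt: Packet) -> str:
    """Sequential first match; falling off the end is the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for pkt in (Packet("tcp", 80, frozenset({"SYN"})), Packet("udp", 69),
                Packet("tcp", 23, frozenset({"SYN"})), Packet("tcp", 23, frozenset({"ACK"}))):
        print(pkt, "->", evaluate(acl, pkt))
```

The last two packets show the caveat: a new Telnet connection (SYN) is denied, but any Telnet-bound segment carrying the ACK bit is permitted by the `established` entry, which is why a stateful inspection policy (Section 1.3) is preferred on an untrusted boundary.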
1.11 IPv4 Addressing and Subnetting


IPv4 Configuration - All Scenarios:

bash
# Basic IPv4 Configuration
Router(config)# interface gi0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0      # /24 network
Router(config-if)# ip address 10.1.1.1 255.255.255.128       # /25 network
Router(config-if)# ip address 172.16.1.1 255.255.254.0       # /23 network
Router(config-if)# ip address 203.0.113.1 255.255.255.252    # /30 network

# Secondary IP Addresses
Router(config-if)# ip address 192.168.2.1 255.255.255.0 secondary
Router(config-if)# ip address 192.168.3.1 255.255.255.0 secondary

# Subnet Mask Variations
Router(config-if)# ip address 192.168.1.1 255.255.255.0      # /24 = 254 hosts
Router(config-if)# ip address 192.168.1.1 255.255.255.128    # /25 = 126 hosts
Router(config-if)# ip address 192.168.1.1 255.255.255.192    # /26 = 62 hosts
Router(config-if)# ip address 192.168.1.1 255.255.255.224    # /27 = 30 hosts
Router(config-if)# ip address 192.168.1.1 255.255.255.240    # /28 = 14 hosts
Router(config-if)# ip address 192.168.1.1 255.255.255.248    # /29 = 6 hosts
Router(config-if)# ip address 192.168.1.1 255.255.255.252    # /30 = 2 hosts

# DHCP Client Configuration
Router(config-if)# ip address dhcp                           # DHCP client

# Unnumbered Interface (uses another interface's IP)
Router(config-if)# ip unnumbered gi0/1                       # Borrow IP from gi0/1

# Verification Commands
Router# show ip interface brief                              # IP interface summary
Router# show ip interface gi0/0                              # Detailed IP interface info
Router# show ip arp                                          # ARP table
Router# ping 192.168.1.100                                   # Test connectivity
Router# traceroute 192.168.1.100                             # Trace path

1.12 Private IPv4 Addressing


Private IP Address Ranges and Configuration:

bash
# Class A Private Range: 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
Router(config-if)# ip address 10.0.0.1 255.0.0.0             # /8 network
Router(config-if)# ip address 10.1.1.1 255.255.255.0         # /24 subnet
Router(config-if)# ip address 10.10.10.1 255.255.255.0       # /24 subnet

# Class B Private Range: 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
Router(config-if)# ip address 172.16.0.1 255.255.0.0         # /16 network
Router(config-if)# ip address 172.16.1.1 255.255.255.0       # /24 subnet
Router(config-if)# ip address 172.20.1.1 255.255.255.0       # /24 subnet

# Class C Private Range: 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
Router(config-if)# ip address 192.168.1.1 255.255.255.0      # /24 network
Router(config-if)# ip address 192.168.100.1 255.255.255.0    # /24 network

# RFC 3927 Link-Local Range: 169.254.0.0/16 (Automatic Private IP Addressing)
# Assigned automatically by a host when DHCP fails; not configured on routers

# Loopback Range: 127.0.0.0/8 (127.0.0.1 to 127.255.255.255)
# Reserved for the host's internal loopback; IOS rejects 127.x.x.x on any interface.
# A router loopback interface takes an ordinary routable address, usually a /32:
Router(config)# interface loopback 0
Router(config-if)# ip address 10.255.255.1 255.255.255.255   # Loopback interface (router ID / management)

# Verification of Private Addresses
Router# show ip interface brief | exclude unassigned         # Show assigned IPs
Router# show ip route connected                              # Connected networks

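Sections 1.11 and 1.12 together give the host counts per mask and the private and reserved ranges. The following Python helper is an added example (not from the guide) that takes an address as typed on the IOS `ip address` line, works out the network, broadcast and usable host count, flags addresses that cannot be assigned (the network or broadcast address), and classifies the address against the ranges above; the `/31` and `/32` cases go beyond the guide's table (RFC 3021 point-to-point and host routes). The `SPECIAL_RANGES` labels are the example's own wording.

```python
import ipaddress

# Ranges discussed in Sections 1.11 and 1.12 (labels are this example's wording).
SPECIAL_RANGES = [
    ("10.0.0.0/8", "RFC 1918 private (class A range)"),
    ("172.16.0.0/12", "RFC 1918 private (class B range)"),
    ("192.168.0.0/16", "RFC 1918 private (class C range)"),
    ("169.254.0.0/16", "RFC 3927 link-local (assigned when DHCP fails)"),
    ("127.0.0.0/8", "loopback (host-internal, not configurable on an interface)"),
]
OTHER = "not in a private or reserved range listed above"


def usable_hosts(prefixlen: int) -> int:
    """Assignable host addresses for a prefix length. /31 (RFC 3021
    point-to-point) and /32 (host route) are the exceptions to 2^n - 2."""
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2
    return 2 ** (32 - prefixlen) - 2


def describe(address: str) -> dict:
    """Accepts 'ip/prefix' or 'ip mask' exactly as typed on the IOS 'ip address' line."""
    parts = address.split()
    iface = ipaddress.IPv4Interface(parts[0] if len(parts) == 1 else f"{parts[0]}/{parts[1]}")
    net = iface.network
    if net.prefixlen >= 31:
        role = "host"                   # no network/broadcast address on /31 and /32
    elif iface.ip == net.network_address:
        role = "network"                # not assignable to an interface
    elif iface.ip == net.broadcast_address:
        role = "broadcast"              # not assignable to an interface
    else:
        role = "host"
    scope = next((label for cidr, label in SPECIAL_RANGES
                  if iface.ip in ipaddress.IPv4Network(cidr)), OTHER)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable_hosts(net.prefixlen),
        "address_role": role,
        "scope": scope,
    }


if __name__ == "__main__":
    for line in ("192.168.1.1 255.255.255.0", "172.16.1.1 255.255.254.0",
                 "172.32.0.1/16", "203.0.113.1 255.255.255.252"):
        print(line, "->", describe(line))
```

The `172.32.0.1/16` case is included deliberately: it looks private but lies just outside `172.16.0.0/12`, a common mistake when writing ACLs that are meant to match RFC 1918 space.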
1.13 IPv6 Addressing and Prefix Types

IPv6 Configuration - All Address Types:

bash
# Enable IPv6 Routing
Router(config)# ipv6 unicast-routing                         # Enable IPv6 routing globally

# Global Unicast Addresses (2000::/3)
Router(config)# interface gi0/0
Router(config-if)# ipv6 address 2001:db8:1::1/64             # Manual assignment
Router(config-if)# ipv6 address 2001:db8:1::/64 eui-64       # EUI-64 interface ID derived from the MAC
Router(config-if)# ipv6 address autoconfig                   # SLAAC

# Link-Local Addresses (fe80::/10)
Router(config-if)# ipv6 enable                               # Auto link-local
Router(config-if)# ipv6 address fe80::1 link-local           # Manual link-local

# Unique Local Addresses (fc00::/7)
Router(config-if)# ipv6 address fc00:1:1::1/64               # Unique local
Router(config-if)# ipv6 address fd00:1:1::1/64               # Unique local (L=1, the locally assigned half)

# Anycast Addresses (same as unicast, assigned to multiple interfaces)
Router(config-if)# ipv6 address 2001:db8:1::100/64 anycast

# Multicast Configuration (ff00::/8)
Router(config-if)# ipv6 mld join-group ff02::2               # Join multicast group

# IPv6 Address Verification
Router# show ipv6 interface brief                            # IPv6 interface summary
Router# show ipv6 interface gi0/0                            # Detailed IPv6 info
Router# show ipv6 neighbors                                  # IPv6 neighbor table
Router# show ipv6 route                                      # IPv6 routing table

# IPv6 Connectivity Testing
Router# ping ipv6 2001:db8:1::2                              # IPv6 ping
Router# traceroute ipv6 2001:db8:1::2                        # IPv6 traceroute

# DHCPv6 Configuration
Router(config)# ipv6 dhcp pool POOL1                         # Create DHCP pool
Router(dhcp-config)# address prefix 2001:db8:1::/64 lifetime infinite infinite
Router(dhcp-config)# dns-server 2001:4860:4860::8888
Router(dhcp-config)# exit
Router(config)# interface gi0/0
Router(config-if)# ipv6 dhcp server POOL1                    # Assign pool to interface

# Stateless Address Autoconfiguration (SLAAC)
Router(config)# interface gi0/0
Router(config-if)# ipv6 nd prefix 2001:db8:1::/64            # Advertise prefix
Router(config-if)# ipv6 nd ra suppress                       # Suppress RA (if needed)

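The `eui-64` keyword and the automatic link-local address both build the interface identifier from the MAC address. The following Python functions are an added example (not from the guide) that carry out the modified EUI-64 steps: flip the universal/local bit of the first byte, insert `ff:fe` in the middle, and OR the result into a /64 prefix. The inverse function shows why this matters to a defender: the hardware address is recoverable from any EUI-64 address, which is the reason privacy extensions exist. The MAC address used in the test is the one from the port-security example and is constructed.

```python
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    """Accept '0012.3456.789a', '00:12:34:56:78:9a' or '00-12-34-56-78-9a'."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit (0x02 of byte 0)
    and insert ff:fe between the OUI and the device-specific half."""
    b = bytearray(_mac_bytes(mac))
    b[0] ^= 0x02
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")


def eui64_address(prefix: str, mac: str) -> str:
    """What 'ipv6 address <prefix>/64 eui-64' (or the automatic fe80::/64
    link-local address) produces for an interface with this MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_eui64(address: str):
    """Inverse operation: recover the MAC, or None if the interface ID is not
    EUI-64. The hardware address is visible in every packet's source address,
    which is why SLAAC privacy extensions (random interface IDs) exist."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    mac = "0012.3456.789a"          # constructed sample MAC
    print(eui64_address("2001:db8:1::/64", mac))   # global unicast
    print(eui64_address("fe80::/64", mac))         # link-local
```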
1.14 IP Parameter Verification on Client OS


See Section 1.5 for detailed OS-specific commands

1.15 Wireless Fundamentals


Wireless Configuration - Complete Setup:

bash
# 2.4 GHz Configuration
AP(config)# interface dot11radio 0                           # 2.4 GHz radio
AP(config-if)# ssid CORPORATE_24                             # SSID for 2.4 GHz
AP(config-if)# channel 1                                     # Channel 1, 6 or 11 (non-overlapping)
AP(config-if)# power local maximum                           # Max power
AP(config-if)# antenna gain 0                                # Antenna gain

# 5 GHz Configuration
AP(config)# interface dot11radio 1                           # 5 GHz radio
AP(config-if)# ssid CORPORATE_5G                             # SSID for 5 GHz
AP(config-if)# channel 36                                    # 5 GHz channel
AP(config-if)# channel width 80                              # 80 MHz channel width

# Channel Width Options
AP(config-if)# channel width 20                              # 20 MHz (legacy)
AP(config-if)# channel width 40                              # 40 MHz (802.11n)
AP(config-if)# channel width 80                              # 80 MHz (802.11ac)
AP(config-if)# channel width 160                             # 160 MHz (802.11ac wave 2)

# Security Configuration - WEP (Legacy, broken, not recommended)
AP(config-if)# encryption key 1 size 128bit 12345678901234567890123456 transmit-key   # 128-bit WEP = 26 hex digits
AP(config-if)# encryption mode wep mandatory

# WPA/WPA2 Personal Configuration
AP(config-if)# authentication open
AP(config-if)# authentication key-management wpa version 2
AP(config-if)# wpa-psk ascii 0 SecurePassword123
AP(config-if)# encryption mode ciphers aes-ccmp

# WPA2 Enterprise Configuration (802.1X/EAP against a RADIUS server)
AP(config)# aaa new-model
AP(config)# radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key SharedSecret
AP(config)# aaa authentication login EAP_METHODS group radius
AP(config-if)# authentication open eap EAP_METHODS
AP(config-if)# authentication key-management wpa version 2

# WPA3 Configuration (SAE)
AP(config-if)# authentication key-management wpa3
AP(config-if)# authentication key-management sae
AP(config-if)# wpa3-sae password SecureWPA3Pass

# Guest Network Configuration
AP(config)# interface dot11radio 0.1                         # Guest subinterface
AP(config-subif)# encapsulation dot1q 100                    # Guest VLAN
AP(config-subif)# ssid GUEST_NETWORK                         # Guest SSID
AP(config-subif)# no authentication                          # Open guest network

# Wireless Monitoring Commands
AP# show dot11 associations                                  # Associated clients
AP# show controllers dot11radio 0                            # Radio controller info
AP# show interface dot11radio 0                              # Radio interface stats
AP# show dot11 statistics                                    # Wireless statistics

1.16 Virtualization Basics

VRF (Virtual Routing and Forwarding):

bash
# VRF Definition
Router(config)# vrf definition CUSTOMER_A            # Create VRF
Router(config-vrf)# rd 100:1                         # Route distinguisher
Router(config-vrf)# route-target export 100:1        # Export route target
Router(config-vrf)# route-target import 100:1        # Import route target
Router(config-vrf)# description "Customer A VRF"     # Description
Router(config-vrf)# exit

# Assign Interface to VRF
Router(config)# interface gi0/0
Router(config-if)# vrf forwarding CUSTOMER_A         # Assign to VRF
Router(config-if)# ip address 10.1.1.1 255.255.255.0 # IP in VRF context

# VRF Routing
Router(config)# router ospf 1 vrf CUSTOMER_A         # OSPF in VRF
Router(config-router)# network 10.1.1.0 0.0.0.255 area 0

# Static Routes in VRF
Router(config)# ip route vrf CUSTOMER_A 192.168.1.0 255.255.255.0 10.1.1.2

# VRF Verification
Router# show vrf                                     # Show all VRFs
Router# show ip route vrf CUSTOMER_A                 # VRF routing table
Router# ping vrf CUSTOMER_A 10.1.1.2                 # Ping in VRF context
Router# traceroute vrf CUSTOMER_A 192.168.1.1        # Traceroute in VRF

# Global Routing Table vs VRF
Router# show ip route                                # Global table
Router# show ip route vrf CUSTOMER_A                 # VRF table

Container Networking (Docker Example):

bash
# Docker Network Commands
$ docker network create --driver bridge mynetwork    # Create bridge network
# The host and none networks are built in and cannot be created again;
# attach containers to them with --network host / --network none
$ docker run -d --network host nginx                 # Host networking
$ docker run -d --network none alpine sleep 3600     # No networking

# Container with Custom Network
$ docker run -d --name web1 --network mynetwork nginx
$ docker run -d --name web2 --network mynetwork httpd   # Official Apache image is "httpd"

# Network Inspection
$ docker network ls                                  # List networks
$ docker network inspect mynetwork                   # Inspect network
$ docker exec web1 ip addr show                      # Container IP info

1.17 Switching Concepts

MAC Address Table Management:

bash
# MAC Address Learning and Aging
Switch(config)# mac address-table aging-time 300     # 5 minutes aging
Switch(config)# mac address-table aging-time 0       # Disable aging

# Static MAC Address Entries
Switch(config)# mac address-table static 0012.3456.789A vlan 10 interface gi0/1
Switch(config)# mac address-table static 0012.3456.789B vlan 20 interface gi0/2

# Clear MAC Address Table
Switch# clear mac address-table dynamic                  # Clear dynamic entries
Switch# clear mac address-table dynamic interface gi0/1  # Clear specific interface
Switch# clear mac address-table dynamic vlan 10          # Clear specific VLAN

# MAC Address Table Verification
Switch# show mac address-table                           # All entries
Switch# show mac address-table dynamic                   # Dynamic entries only
Switch# show mac address-table static                    # Static entries only
Switch# show mac address-table interface gi0/1           # Specific interface
Switch# show mac address-table vlan 10                   # Specific VLAN
Switch# show mac address-table address 0012.3456.789A    # Specific MAC
Switch# show mac address-table count                     # Entry count

# Frame Switching Process Verification
Switch# debug sw-vlan packets                            # Debug VLAN switching
Switch# show platform forwarding                         # Hardware forwarding
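The verification commands above only list entries; spotting abuse of the MAC table (one address flapping between ports, or one access port suddenly learning dozens of addresses, as in a flooding attempt) means post-processing the output. This added example, not part of the original guide, parses constructed `show mac address-table` output and flags both conditions; the addresses, VLANs and ports are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the format of "show mac address-table dynamic";
# the addresses and ports are invented for this example.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0012.3456.789a    DYNAMIC     Gi0/1
  10    0012.3456.789b    DYNAMIC     Gi0/1
  10    0012.3456.789a    DYNAMIC     Gi0/7
  20    00aa.bb11.2233    DYNAMIC     Gi0/2
  20    00aa.bb11.2234    DYNAMIC     Gi0/2
  20    00aa.bb11.2235    DYNAMIC     Gi0/2
  20    00aa.bb11.2236    DYNAMIC     Gi0/2
  20    00aa.bb11.2237    DYNAMIC     Gi0/2
  30    0050.56aa.0001    STATIC      Gi0/3
Total Mac Addresses for this criterion: 9
"""

# One table row: VLAN (or "All"), dotted-hex MAC, entry type, port name.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+"
    r"(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples from show mac address-table output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["vlan"], m["mac"].lower(), m["type"].upper(), m["port"]))
    return entries


def find_duplicate_macs(entries):
    """MACs seen on more than one port in the same VLAN (flapping or a spoofed address)."""
    ports_by_key = defaultdict(set)
    for vlan, mac, _type, port in entries:
        ports_by_key[(vlan, mac)].add(port)
    return {key: sorted(ports) for key, ports in ports_by_key.items() if len(ports) > 1}


def find_busy_ports(entries, threshold):
    """Ports with more than `threshold` dynamically learned MACs.

    Access ports normally carry one or two addresses (PC plus IP phone);
    a much larger count suggests a hub, an unmanaged switch or MAC flooding.
    """
    count = defaultdict(int)
    for _vlan, _mac, typ, port in entries:
        if typ == "DYNAMIC":
            count[port] += 1
    return {port: n for port, n in count.items() if n > threshold}


if __name__ == "__main__":
    entries = parse_mac_table(SAMPLE_MAC_TABLE)
    for (vlan, mac), ports in find_duplicate_macs(entries).items():
        print(f"VLAN {vlan}: {mac} learned on {', '.join(ports)}")
    for port, n in find_busy_ports(entries, threshold=3).items():
        print(f"{port}: {n} dynamic MACs")
```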

2. Network Access

2.1 VLAN Configuration

Complete VLAN Configuration:

bash
# VLAN Creation - Multiple Methods
Switch(config)# vlan 10                              # Create single VLAN
Switch(config-vlan)# name Users                      # Name the VLAN
Switch(config-vlan)# state active                    # VLAN state
Switch(config-vlan)# exit
Switch(config)# vlan 10,20,30                        # Multiple VLANs
Switch(config)# vlan 100-110                         # VLAN range

# Extended VLAN Range (1006-4094)
Switch(config)# vtp mode transparent                 # Required for extended VLANs
Switch(config)# vlan 2000                            # Extended VLAN
Switch(config-vlan)# name "Extended_VLAN"

# Access Port Configuration - All Variations
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access            # Static access
Switch(config-if)# switchport access vlan 10         # Assign to VLAN 10

# Voice VLAN Configuration
Switch(config-if)# switchport voice vlan 20          # Voice VLAN
Switch(config-if)# switchport voice vlan dot1p       # Use 802.1p priority
Switch(config-if)# switchport voice vlan untagged    # Untagged voice
Switch(config-if)# switchport voice vlan none        # Disable voice VLAN

# Default VLAN Configuration
Switch(config-if)# switchport access vlan 1          # Default VLAN (explicit)
# Note: VLAN 1 is the default and cannot be deleted

# VLAN Interface (SVI) Configuration
Switch(config)# interface vlan 10                    # VLAN interface
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# description "Users Gateway"       # Description
Switch(config-if)# no shutdown                       # Enable SVI

# VLAN Verification Commands
Switch# show vlan brief                              # VLAN summary
Switch# show vlan                                    # Detailed VLAN info
Switch# show vlan id 10                              # Specific VLAN
Switch# show vlan name Users                         # VLAN by name
Switch# show interfaces vlan 10                      # SVI interface
Switch# show ip interface brief                      # IP interface status

# VLAN Troubleshooting
Switch# show interfaces switchport                   # All switchport info
Switch# show interfaces fa0/1 switchport             # Specific port
Switch# show vlan dynamic                            # Dynamic VLANs (VMPS)

2.2 VLAN Trunking

802.1Q Trunking - Complete Configuration:

bash
# Basic Trunk Configuration
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk                     # Static trunk
Switch(config-if)# switchport trunk encapsulation dot1q      # 802.1Q (if needed)

# Allowed VLANs Management
Switch(config-if)# switchport trunk allowed vlan 10,20,30    # Specific VLANs
Switch(config-if)# switchport trunk allowed vlan all         # All VLANs (default)
Switch(config-if)# switchport trunk allowed vlan none        # No VLANs
Switch(config-if)# switchport trunk allowed vlan add 40      # Add VLAN to list
Switch(config-if)# switchport trunk allowed vlan remove 30   # Remove VLAN
Switch(config-if)# switchport trunk allowed vlan except 999  # All except 999

# Native VLAN Configuration
Switch(config-if)# switchport trunk native vlan 99           # Set native VLAN
Switch(config-if)# switchport trunk native vlan tag          # Tag native VLAN

# Pruning Configuration
Switch(config-if)# switchport trunk pruning vlan 10,20       # Pruning eligible

# Dynamic Trunking Protocol (DTP)
Switch(config-if)# switchport mode dynamic desirable         # Active DTP
Switch(config-if)# switchport mode dynamic auto              # Passive DTP
Switch(config-if)# switchport nonegotiate                    # Disable DTP

# Trunk Verification
Switch# show interfaces trunk                                # All trunk ports
Switch# show interfaces gi0/1 trunk                          # Specific trunk
Switch# show interfaces gi0/1 switchport                     # Detailed switchport info
Switch# show dtp interface gi0/1                             # DTP status

# VTP (VLAN Trunking Protocol) Configuration
Switch(config)# vtp mode server                              # VTP server
Switch(config)# vtp mode client                              # VTP client
Switch(config)# vtp mode transparent                         # VTP transparent
Switch(config)# vtp mode off                                 # Disable VTP
Switch(config)# vtp domain COMPANY                           # VTP domain
Switch(config)# vtp password secret123                       # VTP password
Switch(config)# vtp version 2                                # VTP version

# VTP Verification
Switch# show vtp status                                      # VTP status
Switch# show vtp counters                                    # VTP counters
Switch# show vtp password                                    # VTP password status
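The trunk, DTP and VTP commands in this section and the WEP/WPA encryption commands in the wireless section above are the settings an auditor checks first in a saved running-config. This added example, which is not part of the original guide, parses a constructed IOS-style config excerpt into interface blocks and reports trunks that still negotiate DTP or use native VLAN 1, VTP server/client mode without a password, and radios configured for WEP or with no encryption; all interface names and VLAN numbers in the sample are invented.

```python
import re

# Constructed running-config excerpt; names and VLAN numbers are invented.
SAMPLE_CONFIG = """\
!
vtp domain COMPANY
vtp mode server
!
interface GigabitEthernet0/1
 description Uplink to Core
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode trunk
!
interface Dot11Radio0
 encryption mode wep mandatory
 ssid LEGACY
!
interface Dot11Radio1
 encryption mode ciphers aes-ccmp
 authentication key-management wpa version 2
!
"""


def parse_interfaces(config):
    """Split a running-config into {interface name: [its indented config lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks


def audit_interface(name, lines):
    """Return findings for one interface block (empty list means no issue found)."""
    findings = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "dynamic":
        findings.append(f"{name}: DTP negotiation enabled (switchport mode dynamic); "
                        "use a static access or trunk mode with switchport nonegotiate")
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: trunk still sends DTP frames; add switchport nonegotiate")
        # With no explicit native VLAN command, IOS uses VLAN 1.
        native = next((l.split()[-1] for l in lines
                       if l.startswith("switchport trunk native vlan")), "1")
        if native == "1":
            findings.append(f"{name}: native VLAN is 1 (default); move it to an unused VLAN")
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append(f"{name}: all VLANs allowed on trunk; prune to the VLANs needed")
    if any(l.startswith("encryption mode wep") for l in lines):
        findings.append(f"{name}: WEP encryption configured; migrate to WPA2/WPA3")
    elif name.lower().startswith("dot11radio") and \
            not any(l.startswith("encryption mode") for l in lines):
        findings.append(f"{name}: radio has no encryption mode (open SSID)")
    return findings


def audit_config(config):
    """Audit global VTP settings plus every interface block."""
    findings = []
    if re.search(r"^vtp mode (server|client)$", config, re.MULTILINE) and \
            not re.search(r"^vtp password ", config, re.MULTILINE):
        findings.append("global: VTP server/client mode without a VTP password")
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```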

2.3 Layer 2 Discovery Protocols

CDP (Cisco Discovery Protocol):

bash
# Global CDP Configuration
Switch(config)# cdp run                              # Enable CDP globally
Switch(config)# no cdp run                           # Disable CDP globally
Switch(config)# cdp timer 60                         # CDP timer (seconds)
Switch(config)# cdp holdtime 180                     # CDP hold time
Switch(config)# cdp advertise-v2                     # Advertise CDPv2

# Interface-Level CDP Configuration
Switch(config)# interface gi0/1
Switch(config-if)# cdp enable                        # Enable on interface
Switch(config-if)# no cdp enable                     # Disable on interface

# CDP Verification Commands
Switch# show cdp                                     # CDP global info
Switch# show cdp neighbors                           # CDP neighbors
Switch# show cdp neighbors detail                    # Detailed neighbor info
Switch# show cdp interface                           # CDP-enabled interfaces
Switch# show cdp interface gi0/1                     # Specific interface
Switch# show cdp entry *                             # All neighbor details
Switch# show cdp entry R1                            # Specific neighbor
Switch# show cdp traffic                             # CDP traffic statistics

# Clear CDP Table
Switch# clear cdp table                              # Clear CDP neighbor table
Switch# clear cdp counters                           # Clear CDP counters

LLDP (Link Layer Discovery Protocol):

bash
# Global LLDP Configuration
Switch(config)# lldp run                             # Enable LLDP globally
Switch(config)# lldp timer 30                        # LLDP timer
Switch(config)# lldp holdtime 120                    # LLDP hold time
Switch(config)# lldp reinit 2                        # Reinitialize delay

# Interface-Level LLDP Configuration
Switch(config)# interface gi0/1
Switch(config-if)# lldp transmit                     # Enable transmit
Switch(config-if)# lldp receive                      # Enable receive
Switch(config-if)# no lldp transmit                  # Disable transmit
Switch(config-if)# no lldp receive                   # Disable receive

# LLDP TLV Configuration
Switch(config)# lldp tlv-select system-name          # System name TLV
Switch(config)# lldp tlv-select system-description   # System description
Switch(config)# lldp tlv-select port-description     # Port description

# LLDP Verification Commands
Switch# show lldp                                    # LLDP global status
Switch# show lldp neighbors                          # LLDP neighbors
Switch# show lldp neighbors detail                   # Detailed info
Switch# show lldp interface                          # LLDP interfaces
Switch# show lldp interface gi0/1                    # Specific interface
Switch# show lldp traffic                            # LLDP statistics
Switch# show lldp local-device                       # Local device info

# Clear LLDP Information
Switch# clear lldp table                             # Clear neighbor table
Switch# clear lldp counters                          # Clear counters

2.4 EtherChannel Configuration

EtherChannel - All Protocol Variations:

bash
# Static EtherChannel (Manual - no negotiation)
Switch(config)# interface range gi0/1-2
Switch(config-if-range)# channel-group 1 mode on             # Static mode
Switch(config-if-range)# exit

# LACP (Link Aggregation Control Protocol) - IEEE 802.3ad
Switch(config)# interface range gi0/1-2
Switch(config-if-range)# channel-group 1 mode active         # LACP active
Switch(config-if-range)# lacp port-priority 128              # Port priority
Switch(config-if-range)# exit
Switch(config)# interface range gi0/3-4
Switch(config-if-range)# channel-group 2 mode passive        # LACP passive

# PAgP (Port Aggregation Protocol) - Cisco proprietary
Switch(config)# interface range gi0/5-6
Switch(config-if-range)# channel-group 3 mode desirable      # PAgP desirable
Switch(config-if-range)# pagp port-priority 128              # Port priority
Switch(config)# interface range gi0/7-8
Switch(config-if-range)# channel-group 4 mode auto           # PAgP auto

# Port-Channel Interface Configuration
Switch(config)# interface port-channel 1
Switch(config-if)# description "Uplink to Core"              # Description
Switch(config-if)# switchport mode trunk                     # Trunk mode
Switch(config-if)# switchport trunk allowed vlan 10,20,30    # Allowed VLANs

# Layer 3 EtherChannel
Switch(config)# interface range gi0/9-10
Switch(config-if-range)# no switchport                       # Layer 3 ports
Switch(config-if-range)# channel-group 5 mode active
Switch(config)# interface port-channel 5
Switch(config-if)# ip address 10.1.1.1 255.255.255.0         # Layer 3 IP

# Load Balancing Configuration
Switch(config)# port-channel load-balance src-mac            # Source MAC
Switch(config)# port-channel load-balance dst-mac            # Destination MAC
Switch(config)# port-channel load-balance src-dst-mac        # Source-destination MAC
Switch(config)# port-channel load-balance src-ip             # Source IP
Switch(config)# port-channel load-balance dst-ip             # Destination IP
Switch(config)# port-channel load-balance src-dst-ip         # Source-destination IP
Switch(config)# port-channel load-balance src-port           # Source port
Switch(config)# port-channel load-balance dst-port           # Destination port
Switch(config)# port-channel load-balance src-dst-port       # Source-destination port

# EtherChannel Verification
Switch# show etherchannel summary                            # EtherChannel summary
Switch# show etherchannel detail                             # Detailed info
Switch# show etherchannel load-balance                       # Load balancing
Switch# show etherchannel port-channel                       # Port-channel info
Switch# show interfaces port-channel 1                       # Specific channel
Switch# show lacp neighbor                                   # LACP neighbors
Switch# show lacp counters                                   # LACP counters
Switch# show pagp neighbor                                   # PAgP neighbors
Switch# show pagp counters                                   # PAgP counters

# EtherChannel Troubleshooting
Switch# test etherchannel load-balance interface port-channel 1 mac 0012.3456.789A 0012.3456.789B
Switch# debug etherchannel                                   # Debug EtherChannel
Switch# debug lacp                                           # Debug LACP
Switch# debug pagp                                           # Debug PAgP

2.5 Rapid PVST+ Spanning Tree Protocol

STP Configuration - Complete Implementation:

bash
# STP Mode Configuration
Switch(config)# spanning-tree mode pvst                      # PVST+
Switch(config)# spanning-tree mode rapid-pvst                # Rapid PVST+ (default)
Switch(config)# spanning-tree mode mst                       # Multiple STP (MST)

# Root Bridge Configuration Methods
Switch(config)# spanning-tree vlan 1 priority 4096           # Set priority (multiples of 4096)
Switch(config)# spanning-tree vlan 1 priority 0              # Highest priority
Switch(config)# spanning-tree vlan 1 root primary            # Make primary root
Switch(config)# spanning-tree vlan 1 root secondary          # Make secondary root

# Per-VLAN Root Configuration
Switch(config)# spanning-tree vlan 10 priority 4096          # VLAN 10 root
Switch(config)# spanning-tree vlan 20 priority 8192          # VLAN 20 secondary
Switch(config)# spanning-tree vlan 1-100 priority 4096       # Multiple VLANs

# Interface STP Configuration
Switch(config)# interface gi0/1
Switch(config-if)# spanning-tree port-priority 128           # Port priority (0-240)
Switch(config-if)# spanning-tree cost 4                      # Path cost
Switch(config-if)# spanning-tree vlan 10 port-priority 64    # Per-VLAN priority
Switch(config-if)# spanning-tree vlan 10 cost 19             # Per-VLAN cost

# STP Timers (usually not modified)
Switch(config)# spanning-tree vlan 1 hello-time 2            # Hello timer (1-10 sec)
Switch(config)# spanning-tree vlan 1 forward-delay 15        # Forward delay (4-30 sec)
Switch(config)# spanning-tree vlan 1 max-age 20              # Max age (6-40 sec)

# Disable STP on Specific VLANs
Switch(config)# no spanning-tree vlan 999                    # Disable STP on VLAN 999

# STP Verification Commands
Switch# show spanning-tree                                   # All STP info
Switch# show spanning-tree summary                           # STP summary
Switch# show spanning-tree brief                             # Brief STP info
Switch# show spanning-tree vlan 10                           # Specific VLAN
Switch# show spanning-tree interface gi0/1                   # Specific interface
Switch# show spanning-tree root                              # Root bridge info
Switch# show spanning-tree bridge                            # Bridge info
Switch# show spanning-tree pathcost method                   # Path cost method

# STP Troubleshooting
Switch# debug spanning-tree events                           # Debug STP events
Switch# clear spanning-tree detected-protocols               # Clear detected protocols

2.6 PortFast, Root Bridge Election, Port States

PortFast and BPDU Guard Configuration:

bash
# PortFast Configuration - Interface Level
Switch(config)# interface fastethernet 0/1
Switch(config-if)# spanning-tree portfast                    # Enable PortFast
Switch(config-if)# spanning-tree portfast trunk              # PortFast on trunk (rare)
Switch(config-if)# no spanning-tree portfast                 # Disable PortFast

# PortFast Configuration - Global Default
Switch(config)# spanning-tree portfast default               # Default for access ports
Switch(config)# spanning-tree portfast edge default          # Edge port default

# BPDU Guard Configuration
Switch(config-if)# spanning-tree bpduguard enable            # Enable BPDU Guard
Switch(config-if)# spanning-tree bpduguard disable           # Disable BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default     # Global BPDU Guard

# BPDU Filter Configuration
Switch(config-if)# spanning-tree bpdufilter enable           # Enable BPDU Filter
Switch(config)# spanning-tree portfast bpdufilter default    # Global BPDU Filter

# Root Guard Configuration
Switch(config-if)# spanning-tree guard root                  # Enable Root Guard
Switch(config-if)# no spanning-tree guard                    # Disable guard

# Loop Guard Configuration
Switch(config-if)# spanning-tree guard loop                  # Enable Loop Guard
Switch(config)# spanning-tree loopguard default              # Global Loop Guard

# UplinkFast and BackboneFast (Legacy)
Switch(config)# spanning-tree uplinkfast                     # UplinkFast
Switch(config)# spanning-tree backbonefast                   # BackboneFast

# Port State Verification
Switch# show spanning-tree interface gi0/1 detail            # Detailed port info
Switch# show spanning-tree inconsistentports                 # Inconsistent ports
Switch# show spanning-tree portfast                          # PortFast status

# STP Port States:
# Disabled   - Administratively down
# Blocking   - Receiving BPDUs, not forwarding
# Listening  - Building topology database
# Learning   - Learning MAC addresses
# Forwarding - Forwarding frames
# Broken     - Inconsistent state

# Clear STP Errors
Switch# clear spanning-tree detected-protocols interface gi0/1

2.7 Wireless Networks: WLAN Architecture, AP Modes

Access Point Modes and Configuration:

bash
# AP Mode Configuration (WLC)
(Cisco Controller) > config ap mode local AP-01              # Local mode
(Cisco Controller) > config ap mode flexconnect AP-01        # FlexConnect mode
(Cisco Controller) > config ap mode monitor AP-01            # Monitor mode
(Cisco Controller) > config ap mode rogue-detector AP-01     # Rogue detector
(Cisco Controller) > config ap mode sniffer AP-01            # Sniffer mode
(Cisco Controller) > config ap mode bridge AP-01             # Bridge mode

# FlexConnect Configuration
(Cisco Controller) > config flexconnect group create BRANCH1     # Create group
(Cisco Controller) > config ap flexconnect group BRANCH1 AP-01   # Assign AP
(Cisco Controller) > config flexconnect group BRANCH1 vlan add 10 10   # Add VLAN

# Mesh Configuration
(Cisco Controller) > config ap mode mesh AP-01               # Mesh mode
(Cisco Controller) > config mesh parent preferred AP-01 AP-02    # Set parent

# Office Extend Configuration
(Cisco Controller) > config ap mode oeap AP-01               # Office Extend AP

# Show AP Information
(Cisco Controller) > show ap config general AP-01            # AP configuration
(Cisco Controller) > show ap status                          # All AP status
(Cisco Controller) > show ap summary                         # AP summary

2.8 Wireless LAN Infrastructure and Management

WLC Infrastructure Setup:

bash
# Basic WLC Network Configuration
(Cisco Controller) > config network ssh enable               # Enable SSH
(Cisco Controller) > config network telnet disable           # Disable Telnet
(Cisco Controller) > config network http disable             # Disable HTTP
(Cisco Controller) > config network https enable             # Enable HTTPS

# Management Interface Configuration
(Cisco Controller) > config interface create management      # Create interface
(Cisco Controller) > config interface address management 192.168.1.100 255.255.255.0 192.168.1.1
(Cisco Controller) > config interface dhcp management primary 192.168.1.1

# WLAN Configuration
(Cisco Controller) > config wlan create 1 CORPORATE          # Create WLAN
(Cisco Controller) > config wlan ssid CORPORATE 1            # Set SSID
(Cisco Controller) > config wlan interface 1 management      # Assign interface
(Cisco Controller) > config wlan broadcast-ssid enable 1     # Broadcast SSID
(Cisco Controller) > config wlan enable 1                    # Enable WLAN

# RF Management
(Cisco Controller) > config 802.11b disable network          # Disable 2.4GHz
(Cisco Controller) > config 802.11a disable network          # Disable 5GHz
(Cisco Controller) > config 802.11b channel global auto      # Auto channel
(Cisco Controller) > config 802.11b txPower global auto      # Auto power

# Show WLC Information
(Cisco Controller) > show wlan summary                       # WLAN summary
(Cisco Controller) > show ap summary                         # AP summary
(Cisco Controller) > show client summary                     # Client summary
(Cisco Controller) > show interface summary                  # Interface summary

2.9 Wireless Management Access Protocols

Management Protocol Configuration:

bash
# SSH Configuration
(Cisco Controller) > config network ssh enable               # Enable SSH
(Cisco Controller) > config network ssh version 2            # SSH version 2

# HTTPS Configuration
(Cisco Controller) > config network https enable             # Enable HTTPS
(Cisco Controller) > config network https port 443           # HTTPS port

# SNMP Configuration
(Cisco Controller) > config network snmp version v2c enable  # SNMPv2c
(Cisco Controller) > config network snmp community create public ro   # Read-only
(Cisco Controller) > config network snmp trapreceiver create 192.168.1.200 public

# Management Access Lists
(Cisco Controller) > config mgmtuser add admin admin123 read-write   # Add user
(Cisco Controller) > config mgmtuser password admin newpass123       # Change password

# Show Management Configuration
(Cisco Controller) > show mgmtuser                           # Management users
(Cisco Controller) > show network summary                    # Network summary

3. IP Connectivity

3.1 Routing Protocols Overview

Static Routing - Complete Configuration:

bash
# Basic Static Routes
Router(config)# ip route 192.168.10.0 255.255.255.0 10.1.1.2           # Next-hop
Router(config)# ip route 192.168.20.0 255.255.255.0 gi0/1              # Exit interface
Router(config)# ip route 192.168.30.0 255.255.255.0 gi0/1 10.1.1.2     # Fully specified

# Default Routes
Router(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1                      # Default route
Router(config)# ip route 0.0.0.0 0.0.0.0 gi0/1                         # Default via interface

# Administrative Distance
Router(config)# ip route 192.168.10.0 255.255.255.0 10.1.1.2 100       # AD 100
Router(config)# ip route 192.168.10.0 255.255.255.0 10.1.1.3 200       # Floating static

# Host Routes (/32)
Router(config)# ip route 192.168.1.100 255.255.255.255 10.1.1.2        # Host route

# Null Route (Black Hole)
Router(config)# ip route 192.168.100.0 255.255.255.0 null0             # Null route

# Static Route Verification
Router# show ip route static                                 # Static routes only
Router# show ip route                                        # All routes
Router# show ip route 192.168.10.0                           # Specific route
Router# show running-config | include ip route               # Static route config

OSPF Configuration - Single Area:

bash
# Basic OSPF Configuration
Router(config)# router ospf 1                                # OSPF process 1
Router(config-router)# router-id 1.1.1.1                     # Router ID
Router(config-router)# network 10.1.1.0 0.0.0.255 area 0     # Network statement
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0  # Another network

# Passive Interfaces
Router(config-router)# passive-interface default             # All interfaces passive
Router(config-router)# no passive-interface gi0/1            # Remove passive

# Interface-Level OSPF
Router(config)# interface gi0/0
Router(config-if)# ip ospf 1 area 0                          # Enable OSPF directly

# OSPF Interface Parameters
Router(config-if)# ip ospf hello-interval 10                 # Hello timer
Router(config-if)# ip ospf dead-interval 40                  # Dead timer
Router(config-if)# ip ospf priority 100                      # DR/BDR priority
Router(config-if)# ip ospf cost 10                           # Interface cost
Router(config-if)# ip ospf network point-to-point            # Network type

# OSPF Areas
Router(config-router)# area 0 range 192.168.0.0 255.255.0.0  # Area summarization

# OSPF Verification
Router# show ip ospf                                         # OSPF process info
Router# show ip ospf neighbor                                # OSPF neighbors
Router# show ip ospf interface                               # OSPF interfaces
Router# show ip ospf database                                # Link-state database
Router# show ip route ospf                                   # OSPF routes

EIGRP Configuration:

bash
# Basic EIGRP Configuration
Router(config)# router eigrp 100                             # EIGRP AS 100
Router(config-router)# network 10.0.0.0 0.255.255.255        # Classful network
Router(config-router)# network 192.168.1.0 0.0.0.255         # Subnet mask
Router(config-router)# no auto-summary                       # Disable auto-summary

# EIGRP Router ID
Router(config-router)# eigrp router-id 2.2.2.2               # Set router ID

# Passive Interfaces
Router(config-router)# passive-interface default             # All passive
Router(config-router)# no passive-interface gi0/1            # Enable on interface

# EIGRP Metrics and Load Balancing
Router(config-router)# metric weights 0 1 0 1 0 0            # K values
Router(config-router)# maximum-paths 6                       # Max equal paths
Router(config-router)# variance 2                            # Unequal load balancing

# Interface EIGRP Parameters
Router(config)# interface gi0/0
Router(config-if)# ip hello-interval eigrp 100 5             # Hello interval
Router(config-if)# ip hold-time eigrp 100 15                 # Hold time
Router(config-if)# bandwidth 1544                            # Bandwidth (affects metric)
Router(config-if)# delay 100                                 # Delay (affects metric)

# EIGRP Verification
Router# show ip eigrp neighbors                              # EIGRP neighbors
Router# show ip eigrp topology                               # Topology table
Router# show ip eigrp interfaces                             # EIGRP interfaces
Router# show ip route eigrp                                  # EIGRP routes
Router# show ip protocols                                    # Routing protocols

3.2 Router Forwarding Decision Process

Routing Decision Verification:

bash
# Routing Table Analysis
Router# show ip route                                        # Complete routing table
Router# show ip route 192.168.10.5                           # Specific destination
Router# show ip route 192.168.10.0 255.255.255.0 longer-prefixes   # More specific routes
Router# show ip route summary                                # Routing summary

# Administrative Distance Values
Router# show ip protocols                                    # AD values by protocol
# Connected: 0, Static: 1, EIGRP: 90, OSPF: 110, RIP: 120, External EIGRP: 170

# Route Selection Process
Router# show ip cef 192.168.10.5                             # CEF forwarding info
Router# show adjacency detail                                # Adjacency table

# Troubleshooting Routing Decisions
Router# debug ip routing                                     # Debug routing changes
Router# debug ip packet detail                               # Debug packet forwarding

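The forwarding decision the commands above let you inspect is: longest matching prefix wins, and among routes to the same prefix the lowest administrative distance wins, with remaining ties load-balanced as equal-cost paths. This added example, not part of the original guide, implements that selection over a constructed routing table (connected, default, static, floating static, OSPF and EIGRP entries with the AD values listed above; all addresses are invented); metric comparison within a single protocol is not modelled.

```python
import ipaddress

# Constructed routing table: (route source code, prefix, next hop, administrative distance).
# Source codes follow "show ip route": C connected, S static, D EIGRP, O OSPF.
SAMPLE_TABLE = [
    ("C", "10.1.1.0/24",     "GigabitEthernet0/0", 0),
    ("S", "0.0.0.0/0",       "10.1.1.1", 1),      # default route
    ("S", "192.168.10.0/24", "10.1.1.2", 1),
    ("O", "192.168.10.0/24", "10.1.1.3", 110),    # loses to the static (AD 1)
    ("D", "192.168.0.0/16",  "10.1.1.4", 90),     # shorter prefix, used only as fallback
    ("S", "192.168.20.0/24", "10.1.1.5", 200),    # floating static backup
    ("O", "192.168.20.0/24", "10.1.1.6", 110),
    ("O", "192.168.20.0/24", "10.1.1.7", 110),    # equal-cost OSPF path
]


def select_route(table, destination):
    """Return the sorted next hops a router would use for `destination`.

    Step 1: keep only prefixes that contain the destination.
    Step 2: keep the longest of those prefixes (most specific match).
    Step 3: keep the lowest administrative distance among them.
    Anything left over is an equal-cost set that is load-balanced.
    An empty list means no route (not even a default) matched.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [(src, ipaddress.ip_network(prefix), next_hop, ad)
                  for src, prefix, next_hop, ad in table
                  if dst in ipaddress.ip_network(prefix)]
    if not candidates:
        return []
    longest = max(net.prefixlen for _src, net, _nh, _ad in candidates)
    candidates = [c for c in candidates if c[1].prefixlen == longest]
    best_ad = min(ad for _src, _net, _nh, ad in candidates)
    return sorted(nh for _src, _net, nh, ad in candidates if ad == best_ad)


if __name__ == "__main__":
    for dest in ("192.168.10.5", "192.168.20.9", "192.168.50.1", "8.8.8.8", "10.1.1.9"):
        print(f"{dest:15} -> {select_route(SAMPLE_TABLE, dest)}")
```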
3.3 Static Route Configuration and Verification

Advanced Static Routing:

bash
# Recursive Static Routes
Router(config)# ip route 10.10.10.0 255.255.255.0 192.168.1.1          # Next-hop IP

# Directly Attached Static Routes
Router(config)# ip route 10.20.20.0 255.255.255.0 gi0/1                # Exit interface

# Fully Specified Static Routes
Router(config)# ip route 10.30.30.0 255.255.255.0 gi0/1 192.168.1.1

# Floating Static Routes (Backup)
Router(config)# ip route 10.40.40.0 255.255.255.0 192.168.1.1 1        # Primary
Router(config)# ip route 10.40.40.0 255.255.255.0 192.168.2.1 200      # Backup

# Load Balancing with Equal Cost Static Routes
Router(config)# ip route 10.50.50.0 255.255.255.0 192.168.1.1
Router(config)# ip route 10.50.50.0 255.255.255.0 192.168.2.1          # Load balance

# Static Route Verification and Troubleshooting
Router# show ip route static                                 # Static routes
Router# ping 10.10.10.1 source gi0/0                         # Source-specific ping
Router# traceroute 10.10.10.1                                # Trace path
Router# show ip cef 10.10.10.1                               # CEF entry

# Remove Static Routes
Router(config)# no ip route 10.10.10.0 255.255.255.0 192.168.1.1

3.4 OSPF Single Area Configuration

Complete OSPF Single-Area Setup:

bash
# OSPF Process Configuration
Router(config)# router ospf 1
Router(config-router)# router-id 1.1.1.1                     # Manual router ID
Router(config-router)# log-adjacency-changes                 # Log neighbor changes
Router(config-router)# auto-cost reference-bandwidth 10000   # Reference BW

# Network Advertisements
Router(config-router)# network 10.1.1.0 0.0.0.255 area 0
Router(config-router)# network 192.168.1.1 0.0.0.0 area 0    # Host route

# Default Route Origination
Router(config-router)# default-information originate         # Advertise default
Router(config-router)# default-information originate always  # Always advertise

# Interface-Specific OSPF Configuration
Router(config)# interface gi0/0
Router(config-if)# ip ospf hello-interval 10                 # Hello timer (1-65535)
Router(config-if)# ip ospf dead-interval 40                  # Dead timer (1-65535)
Router(config-if)# ip ospf priority 100                      # DR priority (0-255)
Router(config-if)# ip ospf cost 64                           # Interface cost (1-65535)
Router(config-if)# ip ospf network point-to-point            # Network type
Router(config-if)# ip ospf network broadcast                 # Broadcast network
Router(config-if)# ip ospf network non-broadcast             # NBMA network

# Authentication Configuration
Router(config-router)# area 0 authentication                 # Simple auth
Router(config-router)# area 0 authentication message-digest  # MD5 auth
Router(config-if)# ip ospf authentication-key cisco123       # Simple password
Router(config-if)# ip ospf message-digest-key 1 md5 cisco123 # MD5 key

# OSPF Verification Commands
Router# show ip ospf                                         # OSPF process info
Router# show ip ospf neighbor                                # Neighbor relationships
Router# show ip ospf neighbor detail                         # Detailed neighbor info
Router# show ip ospf interface                               # OSPF interfaces
Router# show ip ospf interface brief                         # Brief interface info
Router# show ip ospf database                                # Link-state database
Router# show ip ospf border-routers                          # ABR/ASBR info
Router# show ip ospf virtual-links                           # Virtual links

# OSPF Troubleshooting
Router# debug ip ospf hello                                  # Debug hello packets
Router# debug ip ospf adj                                    # Debug adjacency
Router# clear ip ospf process                                # Clear OSPF process

3.5 First Hop Redundancy Protocols (HSRP/VRRP/GLBP)

HSRP (Hot Standby Router Protocol) Configuration:

bash
# Basic HSRP Configuration
Router(config)# interface gi0/0
Router(config-if)# standby 1 ip 192.168.1.1                  # Virtual IP
Router(config-if)# standby 1 priority 110                    # Priority (0-255)
Router(config-if)# standby 1 preempt                         # Enable preemption
Router(config-if)# standby 1 preempt delay minimum 60        # Preemption delay

# Advanced HSRP Configuration
Router(config-if)# standby 1 timers 3 10                     # Hello/hold timers
Router(config-if)# standby 1 authentication text cisco123    # Authentication
Router(config-if)# standby 1 track gi0/1 20                  # Object tracking
Router(config-if)# standby 1 name HSRP_GROUP1                # Group name

# HSRPv2 Configuration
Router(config-if)# standby version 2                         # HSRPv2
Router(config-if)# standby 1 ip 192.168.1.1
Router(config-if)# standby 1 priority 110
Router(config-if)# standby 1 preempt

# HSRP Verification
Router# show standby                                         # All HSRP groups
Router# show standby brief                                   # Brief HSRP info
Router# show standby interface gi0/0                         # Specific interface
Router# debug standby                                        # Debug HSRP

VRRP (Virtual Router Redundancy Protocol) Configuration:

bash
# Basic VRRP Configuration
Router(config)# interface gi0/0
Router(config-if)# vrrp 1 ip 192.168.1.1                     # Virtual IP
Router(config-if)# vrrp 1 priority 120                       # Priority (1-254)
Router(config-if)# vrrp 1 preempt                            # Enable preemption
Router(config-if)# vrrp 1 preempt delay minimum 60           # Preemption delay

# Advanced VRRP Configuration
Router(config-if)# vrrp 1 timers advertise 1                 # Advertisement interval
Router(config-if)# vrrp 1 timers learn                       # Learn timers
Router(config-if)# vrrp 1 authentication text cisco123       # Authentication
Router(config-if)# vrrp 1 track 1 decrement 20               # Object tracking

# VRRP Verification
Router# show vrrp                                            # All VRRP groups
Router# show vrrp brief                                      # Brief VRRP info
Router# show vrrp interface gi0/0                            # Specific interface
Router# debug vrrp                                           # Debug VRRP

GLBP (Gateway Load Balancing Protocol) Configuration:

bash
# Basic GLBP Configuration
Router(config)# interface gi0/0
Router(config-if)# glbp 1 ip 192.168.1.1                     # Virtual IP
Router(config-if)# glbp 1 priority 120                       # Priority
Router(config-if)# glbp 1 preempt                            # Enable preemption
Router(config-if)# glbp 1 load-balancing round-robin         # Load balancing method

# Load Balancing Options
Router(config-if)# glbp 1 load-balancing host-dependent      # Host-dependent
Router(config-if)# glbp 1 load-balancing weighted            # Weighted

# Advanced GLBP Configuration
Router(config-if)# glbp 1 timers 3 10                        # Hello/hold timers
Router(config-if)# glbp 1 authentication text cisco123       # Authentication
Router(config-if)# glbp 1 weighting 100 lower 80 upper 100   # Weighting

# GLBP Verification
Router# show glbp                                            # All GLBP groups
Router# show glbp brief                                      # Brief GLBP info
Router# debug glbp                                           # Debug GLBP

4. IP Services

4.1 NAT Configuration and Verification

Static NAT Configuration:

bash
# Basic Static NAT
Router(config)# interface gi0/0
Router(config-if)# ip nat inside                             # Inside interface
Router(config)# interface gi0/1
Router(config-if)# ip nat outside                            # Outside interface

# One-to-One Static NAT Mapping
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10
Router(config)# ip nat inside source static 192.168.1.11 203.0.113.11

# Static NAT with Port Translation
Router(config)# ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 8080
Router(config)# ip nat inside source static udp 192.168.1.11 53 203.0.113.11 5353

Dynamic NAT Configuration:

bash
# Access List for Inside Sources
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.2.0 0.0.0.255

# NAT Pool Creation
Router(config)# ip nat pool POOL1 203.0.113.10 203.0.113.20 netmask 255.255.255.0
Router(config)# ip nat pool POOL2 203.0.113.30 203.0.113.40 prefix-length 24

# Dynamic NAT Mapping
Router(config)# ip nat inside source list 1 pool POOL1

PAT (Port Address Translation) Configuration:

bash
# PAT with Interface Overload
Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
Router(config)# ip nat inside source list 1 interface gi0/1 overload

# PAT with Pool Overload
Router(config)# ip nat pool POOL1 203.0.113.10 203.0.113.15 netmask 255.255.255.0
Router(config)# ip nat inside source list 1 pool POOL1 overload

# Named ACL with PAT
Router(config)# ip access-list standard INSIDE_HOSTS
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# permit 192.168.2.0 0.0.0.255
Router(config)# ip nat inside source list INSIDE_HOSTS interface gi0/1 overload

NAT Verification and Troubleshooting:

bash
# NAT Status and Statistics
Router# show ip nat translations   # Active translations
Router# show ip nat translations verbose   # Verbose translations
Router# show ip nat statistics   # NAT statistics
Router# show ip nat pool   # NAT pools

# Clear NAT Translations
Router# clear ip nat translation *   # Clear all translations
Router# clear ip nat translation inside 192.168.1.10   # Clear specific host
Router# clear ip nat translation protocol tcp inside 192.168.1.10 80

# NAT Debugging
Router# debug ip nat   # Debug NAT translations
Router# debug ip nat detailed   # Detailed NAT debug

4.2 NTP Configuration and Verification

NTP Client Configuration:

bash
# Basic NTP Client Configuration
Router(config)# ntp server 129.6.15.28   # NIST time server
Router(config)# ntp server 216.239.35.0   # Google time server
Router(config)# ntp server pool.ntp.org   # NTP pool (name must be resolvable)

# NTP Server with Preference
Router(config)# ntp server 192.168.1.100 prefer   # Preferred server
Router(config)# ntp server 192.168.1.101 version 4   # NTP version

# Source Interface for NTP
Router(config)# ntp source gi0/0   # Source interface
Router(config)# ntp source loopback 0   # Source loopback

# NTP Update Calendar
Router(config)# ntp update-calendar   # Sync hardware clock

NTP Server Configuration:

bash
# Configure Router as NTP Server
Router(config)# ntp master 3   # Stratum 3 server
Router(config)# ntp master   # Default stratum 8

# External Reference Clock
Router(config)# ntp server 129.6.15.28   # Upstream server
Router(config)# ntp master 4   # Local stratum

NTP Authentication:

bash
# NTP Authentication Configuration
Router(config)# ntp authenticate   # Enable authentication
Router(config)# ntp authentication-key 1 md5 NTPkey123   # Authentication key
Router(config)# ntp trusted-key 1   # Trusted key
Router(config)# ntp server 192.168.1.100 key 1   # Server with key

# Access Control
Router(config)# ntp access-group peer 10   # Peer access list
Router(config)# ntp access-group serve 20   # Serve access list
Router(config)# ntp access-group query-only 30   # Query-only access

NTP Verification:

bash
# NTP Status Commands
Router# show ntp status   # NTP status
Router# show ntp associations   # NTP associations
Router# show ntp associations detail   # Detailed associations
Router# show clock   # System clock
Router# show calendar   # Hardware calendar

# NTP Troubleshooting
Router# debug ntp packet   # Debug NTP packets
Router# debug ntp sync   # Debug NTP sync
Router# ntp clear drift   # Clear drift file

4.3 SNMP Functionality

SNMPv1/v2c Configuration:

bash
# Basic SNMP Configuration
Router(config)# snmp-server community public ro   # Read-only community
Router(config)# snmp-server community private rw   # Read-write community
Router(config)# snmp-server community monitor ro 10   # Community restricted by ACL 10

# System Information
Router(config)# snmp-server contact admin@company.com   # Contact info
Router(config)# snmp-server location "Data Center 1"   # Location
Router(config)# snmp-server chassis-id 12345   # Chassis ID

# SNMP Traps
Router(config)# snmp-server enable traps   # Enable all traps
Router(config)# snmp-server enable traps snmp linkdown linkup   # Specific traps
Router(config)# snmp-server host 192.168.1.200 version 2c public   # Trap destination

SNMPv3 Configuration:

bash
# SNMPv3 Groups
Router(config)# snmp-server group ADMINS v3 auth   # Auth group
Router(config)# snmp-server group OPERATORS v3 noauth   # No auth group
Router(config)# snmp-server group MONITORS v3 priv   # Privacy group

# SNMPv3 Users
Router(config)# snmp-server user admin ADMINS v3 auth sha AuthPass123
Router(config)# snmp-server user admin ADMINS v3 auth sha AuthPass123 priv aes 128 PrivPass456
Router(config)# snmp-server user monitor MONITORS v3 auth md5 MonitorPass   # MONITORS is a priv group: add 'priv aes 128 <key>' or the user's requests are rejected

# SNMPv3 Views
Router(config)# snmp-server view READONLY iso included   # Read-only view
Router(config)# snmp-server view READONLY cisco.2 excluded   # Exclude Cisco MIB

# Apply Views to Groups
Router(config)# snmp-server group OPERATORS v3 auth read READONLY

SNMP Verification:

bash
# SNMP Status Commands
Router# show snmp   # SNMP status
Router# show snmp community   # SNMP communities
Router# show snmp user   # SNMP users
Router# show snmp group   # SNMP groups
Router# show snmp host   # SNMP hosts

# SNMP Testing (snmpwalk is a Net-SNMP tool run from a management host, not an IOS command)
$ snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1   # Walk the system MIB of the router

4.4 Syslog Features and Management

Syslog Configuration:

bash
# Basic Syslog Configuration
Router(config)# logging 192.168.1.200   # Syslog server
Router(config)# logging host 192.168.1.201   # Additional server

# Logging Levels (0=Emergency to 7=Debug)
Router(config)# logging trap emergencies   # Level 0
Router(config)# logging trap alerts   # Level 1
Router(config)# logging trap critical   # Level 2
Router(config)# logging trap errors   # Level 3
Router(config)# logging trap warnings   # Level 4
Router(config)# logging trap notifications   # Level 5
Router(config)# logging trap informational   # Level 6
Router(config)# logging trap debugging   # Level 7

# Source Interface
Router(config)# logging source-interface gi0/0   # Source interface
Router(config)# logging source-interface loopback 0   # Source loopback

# Facility Configuration
Router(config)# logging facility local0   # Facility local0
Router(config)# logging facility local7   # Facility local7 (default)

# Buffer Logging
Router(config)# logging buffered 8192   # Buffer size
Router(config)# logging buffered warnings   # Buffer level
Router(config)# logging buffered 16384 informational   # Size and level

# Console and Terminal Logging
Router(config)# logging console warnings   # Console level
Router(config)# logging monitor informational   # Terminal level
Router# terminal monitor   # Enable terminal logging (EXEC command, per session)

# Additional Syslog Features
Router(config-line)# logging synchronous   # Synchronous logging (line mode, e.g. under 'line console 0')
Router(config)# service timestamps log datetime   # Add timestamps
Router(config)# service timestamps log datetime msec   # Millisecond timestamps
Router(config)# service sequence-numbers   # Sequence numbers
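
The 'logging trap' keyword is a severity threshold and 'logging facility' fixes the facility code in every message's PRI field; the Python model below is an added example (not from this guide or from IOS) that applies both to a constructed sample of IOS log lines.

```python
import re
from dataclasses import dataclass

# IOS severity keywords in numeric order, as accepted by 'logging trap <keyword>'
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
# RFC 3164 facility codes for 'logging facility localN' (local0 = 16 ... local7 = 23)
LOCAL_FACILITIES = {f"local{i}": 16 + i for i in range(8)}

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: description
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")


@dataclass
class IosMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse(line: str) -> IosMessage:
    m = MSG_RE.search(line)
    if not m:
        raise ValueError(f"not an IOS syslog line: {line!r}")
    return IosMessage(m["fac"], int(m["sev"]), m["mnem"], m["text"])


def forwarded(lines, trap_level: str):
    """Messages the router sends to 'logging host' under 'logging trap <trap_level>':
    everything at that level or more severe, i.e. numeric severity <= the threshold."""
    threshold = LEVELS.index(trap_level)
    return [msg for msg in map(parse, lines) if msg.severity <= threshold]


def pri(msg: IosMessage, logging_facility: str = "local7") -> int:
    """Syslog PRI field = facility_code * 8 + severity. IOS stamps every message with
    the one facility chosen by 'logging facility', so a collector sees e.g. <186>."""
    return LOCAL_FACILITIES[logging_facility] * 8 + msg.severity


# Constructed sample of a router's log buffer (real mnemonics, invented details)
SAMPLE = [
    "*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)",
    "*Mar  1 00:01:10.456: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:01:11.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:12.789: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.50] [localport: 22]",
    "*Mar  1 00:02:00.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0012.3456.789a on port FastEthernet0/1.",
    "*Mar  1 00:02:30.000: %SYS-7-USERLOG_DEBUG: Message from tty2(user id: admin): test",
]
```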

Syslog Verification:

bash
# Show Logging Information
Router# show logging   # All logging info
Router# show logging summary   # Logging summary
Router# show logging history   # Historical logs
Router# show logging onboard   # Onboard logging

# Clear Logs
Router# clear logging   # Clear log buffer
Router# clear logging onboard   # Clear onboard logs

4.5 DHCP Client, Server, and Relay Configuration

DHCP Server Configuration:

bash
# Basic DHCP Pool Configuration
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.50
Router(config)# ip dhcp excluded-address 192.168.1.200 192.168.1.254

Router(config)# ip dhcp pool LAN   # Create DHCP pool
Router(dhcp-config)# network 192.168.1.0 255.255.255.0   # Network to serve
Router(dhcp-config)# default-router 192.168.1.1   # Default gateway
Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4   # DNS servers
Router(dhcp-config)# domain-name company.local   # Domain name
Router(dhcp-config)# lease 7   # Lease time in days
Router(dhcp-config)# lease 0 2 30   # 2 hours 30 minutes

# Advanced DHCP Options
Router(dhcp-config)# bootfile bootimage.bin   # Boot file
Router(dhcp-config)# next-server 192.168.1.100   # TFTP server
Router(dhcp-config)# option 150 ip 192.168.1.100   # TFTP server option
Router(dhcp-config)# netbios-name-server 192.168.1.50   # WINS server
Router(dhcp-config)# netbios-node-type h-node   # NetBIOS node type

# Static DHCP Reservations
Router(config)# ip dhcp pool PRINTER1
Router(dhcp-config)# host 192.168.1.100 255.255.255.0
Router(dhcp-config)# client-identifier 01aa.bbcc.ddee.ff
Router(dhcp-config)# default-router 192.168.1.1

DHCP Client Configuration:

bash
# Interface DHCP Client
Router(config)# interface gi0/1
Router(config-if)# ip address dhcp   # DHCP client
Router(config-if)# ip dhcp client class-id "ROUTER"   # Class identifier
Router(config-if)# ip dhcp client hostname R1   # Client hostname

DHCP Relay Configuration:

bash
# DHCP Helper Address (Relay)
Router(config)# interface gi0/0
Router(config-if)# ip helper-address 192.168.100.10   # DHCP server
Router(config-if)# ip helper-address 192.168.100.11   # Backup server

# DHCP Relay Information
Router(config)# ip dhcp relay information option   # Option 82
Router(config)# ip dhcp relay information policy keep   # Keep relay info

DHCP Verification:

bash
# DHCP Server Verification
Router# show ip dhcp pool   # DHCP pools
Router# show ip dhcp pool LAN   # Specific pool
Router# show ip dhcp binding   # DHCP bindings
Router# show ip dhcp conflict   # IP conflicts
Router# show ip dhcp database   # DHCP database

# DHCP Statistics
Router# show ip dhcp server statistics   # Server statistics
Router# debug ip dhcp server packet   # Debug DHCP packets
Router# debug ip dhcp server events   # Debug DHCP events

# Clear DHCP Information
Router# clear ip dhcp binding *   # Clear all bindings
Router# clear ip dhcp binding 192.168.1.100   # Clear specific binding
Router# clear ip dhcp conflict *   # Clear conflicts

4.6 QoS Forwarding and Per-Hop Behavior

QoS Classification and Marking:

bash
# Class Maps - Traffic Classification
Router(config)# class-map match-all VOICE_TRAFFIC
Router(config-cmap)# match ip dscp ef   # Expedited forwarding
Router(config-cmap)# match protocol rtp audio   # RTP audio

Router(config)# class-map match-any VIDEO_TRAFFIC
Router(config-cmap)# match ip dscp af41   # Assured forwarding
Router(config-cmap)# match protocol rtcp   # RTCP protocol

Router(config)# class-map match-all BUSINESS_CRITICAL
Router(config-cmap)# match access-group 100   # ACL-based matching
Router(config-cmap)# match ip precedence 3   # IP precedence

# Extended ACL for Classification
Router(config)# access-list 100 permit tcp any any eq 443   # HTTPS
Router(config)# access-list 100 permit tcp any any eq 80   # HTTP

Policy Maps - QoS Actions:

bash
# Policy Map Configuration
Router(config)# policy-map QOS_POLICY
Router(config-pmap)# class VOICE_TRAFFIC
Router(config-pmap-c)# priority percent 20   # Priority queue
Router(config-pmap-c)# set ip dscp ef   # Mark DSCP

Router(config-pmap)# class VIDEO_TRAFFIC
Router(config-pmap-c)# bandwidth percent 30   # Guaranteed bandwidth
Router(config-pmap-c)# set ip precedence 4   # Mark precedence

Router(config-pmap)# class BUSINESS_CRITICAL
Router(config-pmap-c)# bandwidth remaining percent 40   # Remaining bandwidth ('bandwidth percent' and 'bandwidth remaining percent' cannot be mixed within one policy map)
Router(config-pmap-c)# fair-queue   # Fair queuing

Router(config-pmap)# class class-default
Router(config-pmap-c)# bandwidth remaining percent 10   # Default class
Router(config-pmap-c)# random-detect   # WRED

Traffic Shaping and Policing:

bash
# Traffic Shaping
Router(config)# policy-map SHAPING_POLICY
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 1000000   # 1 Mbps shaping
Router(config-pmap-c)# shape peak 1500000   # Peak rate (replaces 'shape average' in the same class)

# Traffic Policing
Router(config)# policy-map POLICING_POLICY
Router(config-pmap)# class BUSINESS_CRITICAL
Router(config-pmap-c)# police 2000000 4000 conform-action transmit exceed-action drop   # CIR 2 Mbps, Bc 4000 bytes

# Hierarchical QoS
Router(config)# policy-map CHILD_POLICY
Router(config-pmap)# class VOICE_TRAFFIC
Router(config-pmap-c)# priority percent 50

Router(config)# policy-map PARENT_POLICY
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 10000000
Router(config-pmap-c)# service-policy CHILD_POLICY
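
The behaviour of 'police 2000000 4000 conform-action transmit exceed-action drop' over time is easiest to see as a token bucket: Bc (4000 bytes) is the bucket depth and the CIR refills it. The Python model below is an added example, not IOS code; the traffic pattern is constructed and shows the burst allowance being spent and then roughly one packet in six dropped at steady state.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Policer:
    """Single-rate, single-bucket policer: 'police <cir_bps> <bc_bytes>'."""
    cir_bps: int                 # committed information rate, bits per second
    bc_bytes: int                # committed burst = bucket depth, bytes
    tokens: Fraction = field(init=False)
    last_ms: int = 0             # time of previous arrival, milliseconds
    conformed: int = 0
    exceeded: int = 0

    def __post_init__(self):
        self.tokens = Fraction(self.bc_bytes)          # bucket starts full

    def offer(self, arrival_ms: int, size_bytes: int) -> str:
        """Refill for the elapsed interval, then classify one packet."""
        elapsed_ms = arrival_ms - self.last_ms
        self.last_ms = arrival_ms
        # CIR is bits/s and tokens are bytes: refill = CIR/8 bytes per second,
        # capped at Bc. Exact arithmetic keeps the demo deterministic.
        refill = Fraction(elapsed_ms * self.cir_bps, 8 * 1000)
        self.tokens = min(Fraction(self.bc_bytes), self.tokens + refill)
        if size_bytes <= self.t_available():
            self.tokens -= size_bytes
            self.conformed += 1
            return "transmit"                            # conform-action transmit
        self.exceeded += 1
        return "drop"                                    # exceed-action drop; no tokens consumed

    def t_available(self) -> Fraction:
        return self.tokens


def run(policer: Policer, packets) -> list:
    """packets: iterable of (arrival_ms, size_bytes) in arrival order."""
    return [policer.offer(t, size) for t, size in packets]


# Constructed stream: 1500-byte packets every 5 ms = 2.4 Mbit/s, above the 2 Mbit/s CIR.
BURST = [(i * 5, 1500) for i in range(20)]
AFTER_PAUSE = [(1000, 1500)]        # a lone packet after roughly 1 s of silence
```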

Apply QoS Policies:

bash
# Apply Policy to Interface
Router(config)# interface gi0/0
Router(config-if)# service-policy input INPUT_POLICY   # Inbound policy
Router(config-if)# service-policy output OUTPUT_POLICY   # Outbound policy

# QoS on Subinterfaces
Router(config)# interface gi0/0.10
Router(config-subif)# service-policy output VLAN10_POLICY

# QoS Verification
Router# show policy-map   # Show policy maps
Router# show policy-map interface gi0/0   # Interface policy
Router# show class-map   # Show class maps
Router# show queueing interface gi0/0   # Queueing info

4.7 Remote Access (SSH Configuration)

SSH Server Configuration:

bash
# Prerequisites for SSH
Router(config)# hostname R1   # Hostname required
Router(config)# ip domain-name company.com   # Domain name required

# Generate RSA Keys
Router(config)# crypto key generate rsa   # Generate keys (prompts for modulus size)
Router(config)# crypto key generate rsa modulus 2048   # Specific modulus
Router(config)# crypto key generate rsa general-keys label SSH_KEYS modulus 2048

# SSH Configuration
Router(config)# ip ssh version 2   # SSH version 2
Router(config)# ip ssh time-out 60   # Session timeout
Router(config)# ip ssh authentication-retries 3   # Auth retries

# User Accounts
Router(config)# username admin privilege 15 secret Admin123   # Admin user
Router(config)# username user1 privilege 1 password User123   # Limited user (reversible type 0/7 password; prefer 'secret')
Router(config)# username netadmin secret NetPass123   # Network admin

# VTY Line Configuration
Router(config)# line vty 0 4   # VTY lines 0-4
Router(config-line)# login local   # Local authentication
Router(config-line)# transport input ssh   # SSH only
Router(config-line)# transport input ssh telnet   # SSH and Telnet
Router(config-line)# exec-timeout 10 0   # Session timeout
Router(config-line)# access-class 20 in   # Access control

Advanced SSH Configuration:

bash
# SSH Authentication Methods
Router(config)# ip ssh server algorithm authentication password publickey
Router(config)# ip ssh server algorithm kex diffie-hellman-group14-sha1

# SSH Public Key Authentication
Router(config)# ip ssh pubkey-chain
Router(config-ssh-pubkey-chain)# username admin
Router(config-ssh-pubkey-user)# key-string
Router(config-ssh-pubkey-user-string)# AAAAB3NzaC1yc2EAAAADAQABAAABAQDmyYLt...
Router(config-ssh-pubkey-user-string)# exit

# SSH Client Configuration
Router(config)# ip ssh client algorithm encryption aes128-ctr aes256-ctr

SSH Verification and Troubleshooting:

bash
# SSH Status Commands
Router# show ssh   # Active SSH sessions
Router# show ip ssh   # SSH configuration
Router# show crypto key mypubkey rsa   # RSA public key
Router# show users   # Active users

# SSH Client Commands
Router# ssh -l admin 192.168.1.100   # SSH client
Router# ssh -v 2 -l admin 192.168.1.100   # Force SSH version 2 (IOS client takes -l user, not user@host)

# SSH Debugging
Router# debug ip ssh   # Debug SSH
Router# terminal monitor   # Show debug on terminal

4.8 TFTP and FTP Server Functions

TFTP Operations:

bash
# Copy Configuration Files
Router# copy running-config tftp://192.168.1.100/router-config.cfg
Router# copy startup-config tftp://192.168.1.100/startup-config.cfg
Router# copy tftp://192.168.1.100/router-config.cfg running-config
Router# copy tftp://192.168.1.100/router-config.cfg startup-config

# Copy IOS Images
Router# copy flash:c2900-universalk9-mz.SPA.157-3.M5.bin tftp://192.168.1.100/
Router# copy tftp://192.168.1.100/c2900-universalk9-mz.SPA.157-3.M5.bin flash:

# TFTP Server Configuration (on router)
Router(config)# tftp-server flash:c2900-universalk9-mz.SPA.157-3.M5.bin
Router(config)# tftp-server flash:config-backup.cfg

# Archive Configuration
Router(config)# archive
Router(config-archive)# path tftp://192.168.1.100/archive-config
Router(config-archive)# write-memory

FTP Operations:

bash
# FTP Client Configuration
Router(config)# ip ftp username ftpuser   # FTP username
Router(config)# ip ftp password ftppass   # FTP password
Router(config)# ip ftp passive   # Passive FTP mode
Router(config)# ip ftp source-interface gi0/0   # Source interface

# Copy Files via FTP
Router# copy running-config ftp://192.168.1.100/router-config.cfg
Router# copy ftp://ftpuser:ftppass@192.168.1.100/ios-image.bin flash:
Router# copy startup-config ftp://192.168.1.100/startup-backup.cfg

# Verify File Operations
Router# show file systems   # Available file systems
Router# dir flash:   # Flash directory
Router# show flash   # Flash contents
Router# delete flash:old-config.cfg   # Delete file
Router# verify /md5 flash:ios-image.bin   # Verify file integrity

5. Security Fundamentals

5.1-5.2 Security Concepts and Program Elements

Security Threats and Mitigation Strategies:

• Physical Security: Locks, badges, cameras, environmental controls
• Social Engineering: User awareness training, policies
• Malware: Antivirus, application whitelisting, sandboxing
• DoS/DDoS: Rate limiting, traffic filtering, redundancy
• Data Breach: Encryption, access controls, monitoring

5.3 Device Access Control

Password Policies and Management:

bash
# Strong Password Configuration
Router(config)# enable secret 9 $9$xyz123abc...   # Type 9 (scrypt) password hash
Router(config)# username admin secret 0 ComplexPass123!   # Complex password, hashed on entry

# Password Security Features
Router(config)# security passwords min-length 8   # Minimum length
Router(config)# security authentication failure rate 3 log   # Failed attempts
Router(config)# login block-for 60 attempts 3 within 60   # Account lockout

# Line Configuration Security
Router(config)# line console 0
Router(config-line)# password ConsolePass123   # Console password
Router(config-line)# login   # Enable login
Router(config-line)# exec-timeout 5 0   # 5-minute timeout
Router(config-line)# logging synchronous   # Sync logging

Router(config)# line vty 0 4
Router(config-line)# password VtyPass123   # VTY password
Router(config-line)# login local   # Local authentication
Router(config-line)# transport input ssh   # SSH only
Router(config-line)# access-class 10 in   # Access control
Router(config-line)# exec-timeout 10 0   # 10-minute timeout

# Privilege Levels
Router(config)# privilege exec level 5 show running-config   # Custom privilege
Router(config)# username helpdesk privilege 5 secret Help123   # Level 5 user
Router(config)# enable secret level 5 Level5Pass   # Level 5 enable
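
The controls in this section and in the SSH section translate directly into checks that can be run against a saved running-config. The following Python audit is an added example, not code from this guide or from Cisco; both sample configs are constructed and their hash strings are placeholders.

```python
import re


def _sections(config: str):
    """Split a running-config into (top-level line, [indented sub-lines]) blocks."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit(config: str) -> list:
    """Return (code, detail) findings for device-access weaknesses."""
    findings = []
    blocks = _sections(config)
    top = [line for line, _ in blocks]

    if any(line.startswith("enable password ") for line in top):
        findings.append(("ENABLE_PASSWORD", "use 'enable secret' (type 8/9 hash) instead"))
    for line in top:
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:   # 'password' (type 0 or 7) is reversible; 'secret' is hashed
            findings.append(("REVERSIBLE_USER_PASSWORD", f"user {m.group(1)}: use 'secret'"))
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(("DEFAULT_SNMP_COMMUNITY", f"community '{m.group(1)}'"))
    if not any(line.startswith("ip ssh version 2") for line in top):
        findings.append(("NO_SSH_V2", "add 'ip ssh version 2'"))
    if not any(line.startswith("login block-for") for line in top):
        findings.append(("NO_LOGIN_BLOCK", "add 'login block-for 60 attempts 3 within 60'"))

    for line, body in blocks:
        if not line.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        # Without an explicit 'transport input ssh', Telnet may be accepted as well
        if not transport or any("telnet" in t or t.endswith(" all") for t in transport):
            findings.append(("VTY_TELNET", f"{line}: set 'transport input ssh'"))
        if "exec-timeout 0 0" in body:
            findings.append(("VTY_NO_EXEC_TIMEOUT", f"{line}: idle sessions never time out"))
        if not any(b.startswith("access-class") for b in body):
            findings.append(("VTY_NO_ACCESS_CLASS", f"{line}: no 'access-class' restricting sources"))
    return findings


def codes(config: str) -> set:
    return {code for code, _ in audit(config)}


# Constructed sample configs (hash strings are placeholders, not real digests)
WEAK_CONFIG = """\
hostname R1
enable password cisco123
username admin privilege 15 secret 5 $1$PLACEHOLDER
username user1 privilege 1 password 7 PLACEHOLDER7
snmp-server community public RO
ip domain-name company.com
line con 0
 exec-timeout 5 0
 password ConsolePass123
 login
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh telnet
"""

HARDENED_CONFIG = """\
hostname R1
enable secret 9 $9$PLACEHOLDER
username admin privilege 15 secret 9 $9$PLACEHOLDER
login block-for 60 attempts 3 within 60
ip domain-name company.com
ip ssh version 2
snmp-server community monitor RO 10
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
 access-class 10 in
"""
```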

5.4 Access Control Lists (ACLs)

Standard ACLs:

bash
# Numbered Standard ACL (1-99, 1300-1999)
# Entries are evaluated top-down and the first match wins, so order matters
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255   # Permit network
Router(config)# access-list 10 permit host 192.168.2.100   # Permit host
Router(config)# access-list 10 deny 192.168.3.0 0.0.0.255   # Deny network (must come before 'permit any')
Router(config)# access-list 10 permit any   # Permit everything else
# Implicit deny any at the end

# Named Standard ACL
Router(config)# ip access-list standard ALLOW_MANAGEMENT
Router(config-std-nacl)# permit 192.168.100.0 0.0.0.255   # Management network
Router(config-std-nacl)# permit host 10.1.1.100   # Admin host
Router(config-std-nacl)# deny any log   # Log denied traffic

Extended ACLs:

bash
# Numbered Extended ACL (100-199, 2000-2699)
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
Router(config)# access-list 100 permit udp any any eq 53   # DNS
Router(config)# access-list 100 permit icmp any any   # ICMP
Router(config)# access-list 100 deny tcp any any eq 23   # Block Telnet
Router(config)# access-list 100 permit tcp any any established   # Return traffic

# Named Extended ACL
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 any eq 80
Router(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# permit tcp any eq 80 10.1.1.0 0.0.0.255 established
Router(config-ext-nacl)# permit tcp any eq 443 10.1.1.0 0.0.0.255 established

# Time-Based ACLs
Router(config)# time-range BUSINESS_HOURS
Router(config-time-range)# periodic weekdays 08:00 to 18:00
Router(config)# access-list 120 permit tcp any any eq 80 time-range BUSINESS_HOURS

# Apply ACLs to Interfaces
Router(config)# interface gi0/0
Router(config-if)# ip access-group 100 in   # Inbound ACL
Router(config-if)# ip access-group 10 out   # Outbound ACL

# Apply ACLs to VTY Lines
Router(config)# line vty 0 4
Router(config-line)# access-class ALLOW_MANAGEMENT in   # Restrict VTY access
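
Standard ACL matching comes down to wildcard-mask arithmetic plus first-match ordering, and an entry placed after a broader one is dead. The Python evaluator below is an added example, not IOS code: it parses the standard ACL syntax used in this section, evaluates it with the implicit deny, and reports entries a single earlier entry shadows; the two ACLs it is run against are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)\b|host\s+(?P<host>\S+)|"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<wild>\d+\.\d+\.\d+\.\d+))?)"
)


@dataclass(frozen=True)
class Entry:
    action: str
    addr: int     # address bits
    wild: int     # wildcard mask: a 1 bit means "don't care"

    def care_mask(self) -> int:
        return ~self.wild & 0xFFFFFFFF

    def matches(self, ip: str) -> bool:
        care = self.care_mask()
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)

    def covers(self, other: "Entry") -> bool:
        """True when every address matched by 'other' is also matched by self: self must
        not care about any bit 'other' ignores, and must agree on the bits it cares about."""
        care = self.care_mask()
        return (other.wild & care) == 0 and (other.addr & care) == (self.addr & care)


def parse_acl(text: str) -> list:
    """Parse numbered standard ACL lines; prompts and trailing comments are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        if m["any"]:
            addr, wild = 0, 0xFFFFFFFF
        elif m["host"]:
            addr, wild = int(ipaddress.IPv4Address(m["host"])), 0
        else:
            addr = int(ipaddress.IPv4Address(m["net"]))
            wild = int(ipaddress.IPv4Address(m["wild"])) if m["wild"] else 0   # no mask = single host
        entries.append(Entry(m["action"], addr, wild))
    return entries


def evaluate(entries, ip: str) -> str:
    """IOS semantics: top-down, first match wins, implicit 'deny any' at the end."""
    for entry in entries:
        if entry.matches(ip):
            return entry.action
    return "deny"


def shadowed(entries) -> list:
    """Indexes of entries that can never be hit because one earlier entry covers them."""
    return [i for i, entry in enumerate(entries)
            if any(prev.covers(entry) for prev in entries[:i])]


# Constructed ACL 10 with the common mistake: 'deny' placed after 'permit any'
MISORDERED = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit host 192.168.2.100
access-list 10 permit any
access-list 10 deny 192.168.3.0 0.0.0.255
"""
# Same entries with the deny moved ahead of 'permit any'
CORRECTED = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit host 192.168.2.100
access-list 10 deny 192.168.3.0 0.0.0.255
access-list 10 permit any
"""
```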

ACL Verification and Troubleshooting:

bash
# Show ACL Information
Router# show access-lists   # All ACLs
Router# show access-lists 100   # Specific ACL
Router# show ip access-lists   # IP ACLs only
Router# show ip interface gi0/0   # Interface ACLs

# ACL Statistics and Hit Counts
Router# show access-lists 100   # Shows hit counts
Router# clear access-list counters 100   # Clear counters

# ACL Debugging
Router# debug ip packet detail   # Debug IP packets
Router# debug ip packet 100   # Debug only packets matching ACL 100

5.5 Layer 2 Security Features

DHCP Snooping Configuration:

bash
# Enable DHCP Snooping Globally
Switch(config)# ip dhcp snooping   # Enable globally
Switch(config)# ip dhcp snooping vlan 10,20,30   # Enable on VLANs

# Configure Trusted Interfaces
Switch(config)# interface gi0/1
Switch(config-if)# ip dhcp snooping trust   # Trusted interface (toward the DHCP server)

# Rate Limiting
Switch(config)# interface gi0/2
Switch(config-if)# ip dhcp snooping limit rate 15   # 15 packets/second

# DHCP Option 82
Switch(config)# ip dhcp snooping information option   # Enable option 82
Switch(config)# ip dhcp snooping information policy keep   # Keep existing

# Verify DHCP Snooping
Switch# show ip dhcp snooping   # Global status
Switch# show ip dhcp snooping binding   # Binding table
Switch# show ip dhcp snooping statistics   # Statistics

Dynamic ARP Inspection (DAI):

bash
# Enable DAI on VLANs
Switch(config)# ip arp inspection vlan 10,20,30   # Enable on VLANs

# Configure Trusted Interfaces
Switch(config)# interface gi0/1
Switch(config-if)# ip arp inspection trust   # Trusted interface

# Rate Limiting for DAI
Switch(config)# interface gi0/2
Switch(config-if)# ip arp inspection limit rate 15   # 15 packets/second

# Additional Validation
# Each 'validate' command replaces the previous one; to enable several checks,
# list them on a single line (e.g. ip arp inspection validate src-mac dst-mac ip)
Switch(config)# ip arp inspection validate src-mac   # Source MAC validation
Switch(config)# ip arp inspection validate dst-mac   # Destination MAC validation
Switch(config)# ip arp inspection validate ip   # IP address validation

# Static ARP ACLs
Switch(config)# arp access-list ARP_ACL
Switch(config-arp-nacl)# permit ip host 192.168.1.10 mac host 0012.3456.789a
Switch(config)# ip arp inspection filter ARP_ACL vlan 10

# Verify DAI
Switch# show ip arp inspection   # DAI status
Switch# show ip arp inspection statistics   # Statistics
Switch# show ip arp inspection interfaces   # Interface status

Port Security Configuration:

bash
# Basic Port Security
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access   # Must be access port
Switch(config-if)# switchport port-security   # Enable port security
Switch(config-if)# switchport port-security maximum 2   # Max MAC addresses

# MAC Address Learning
Switch(config-if)# switchport port-security mac-address sticky   # Sticky learning
Switch(config-if)# switchport port-security mac-address 0012.3456.789a   # Static MAC

# Violation Actions
Switch(config-if)# switchport port-security violation shutdown   # Shutdown (default)
Switch(config-if)# switchport port-security violation restrict   # Restrict
Switch(config-if)# switchport port-security violation protect   # Protect

# Aging Configuration
Switch(config-if)# switchport port-security aging time 10   # 10 minutes
Switch(config-if)# switchport port-security aging type absolute   # Absolute aging
Switch(config-if)# switchport port-security aging type inactivity   # Inactivity aging

# Verify Port Security
Switch# show port-security   # Global status
Switch# show port-security interface fa0/1   # Specific interface
Switch# show port-security address   # Secure addresses

# Clear Port Security
Switch# clear port-security all   # Clear all
Switch# clear port-security configured   # Clear configured addresses
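
The three violation actions differ in what happens to the port, the counter and the log, not only in whether the offending frame is dropped. The Python model below is an added example, not switch code: it replays a constructed sequence of source MACs through a port configured as above (maximum 2, one static address, sticky learning) under each action.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled."""
    maximum: int = 2
    violation: str = "shutdown"           # shutdown (default) | restrict | protect
    secure_macs: set = field(default_factory=set)   # static + sticky-learned addresses
    err_disabled: bool = False
    violation_count: int = 0              # counter shown by 'show port-security interface'
    syslog: list = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Classify one ingress frame by its source MAC and update port state."""
        if self.err_disabled:
            return "drop"                                # down until shut/no shut or errdisable recovery
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)                # sticky learning: address becomes secure
            return "forward"
        # An unknown MAC once 'maximum' secure addresses exist is a violation
        if self.violation == "protect":
            return "drop"                                 # silently dropped: no counter, no log
        self.violation_count += 1
        if self.violation == "restrict":
            self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                               f"caused by MAC address {src_mac}")
            return "drop"                                 # port stays up, offender dropped
        self.err_disabled = True                          # shutdown: whole port goes err-disabled
        self.syslog.append("%PM-4-ERR_DISABLE: psecure-violation error detected, "
                           "putting port in err-disable state")
        return "drop"


def make_port(violation: str) -> SecurePort:
    """Port as configured on this page: maximum 2, one static MAC, sticky for the rest."""
    return SecurePort(maximum=2, violation=violation, secure_macs={"0012.3456.789a"})


def replay(port: SecurePort, frames) -> list:
    return [port.receive(mac) for mac in frames]


# Constructed ingress sequence: the static host, a second (sticky-learned) host,
# the static host again, a third unexpected MAC, then the static host once more
FRAMES = ["0012.3456.789a", "00aa.bb00.0001", "0012.3456.789a", "dead.beef.0001", "0012.3456.789a"]
```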

5.6 AAA (Authentication, Authorization, Accounting)

Local AAA Configuration:

bash
# Enable AAA
Router(config)# aaa new-model   # Enable AAA

# Local Authentication
Router(config)# aaa authentication login default local   # Default login
Router(config)# aaa authentication login CONSOLE line   # Console method (uses the line password)
Router(config)# aaa authentication enable default enable   # Enable authentication against the enable secret ('local' is not a valid enable method)

# Local Authorization
Router(config)# aaa authorization exec default local   # EXEC authorization
Router(config)# aaa authorization commands 15 default local   # Command authorization

# Local Accounting
Router(config)# aaa accounting exec default start-stop local   # EXEC accounting
Router(config)# aaa accounting commands 15 default start-stop local   # Command accounting

# Apply AAA to Lines
Router(config)# line console 0
Router(config-line)# login authentication CONSOLE   # Use CONSOLE method
Router(config)# line vty 0 4
Router(config-line)# login authentication default   # Use default method

RADIUS AAA Configuration:

bash
# RADIUS Server Configuration
Router(config)# radius server RADIUS1   # Define server
Router(config-radius-server)# address ipv4 192.168.1.200 auth-port 1812 acct-port 1813
Router(config-radius-server)# key RadiusSecret123   # Shared secret
Router(config-radius-server)# timeout 5   # Timeout
Router(config-radius-server)# retransmit 3   # Retransmit count

# RADIUS Authentication
Router(config)# aaa authentication login default group radius local
Router(config)# aaa authentication enable default group radius enable

# RADIUS Authorization
Router(config)# aaa authorization exec default group radius local
Router(config)# aaa authorization commands 15 default group radius local   # Accepted by the parser, but RADIUS cannot authorize individual commands; use TACACS+ for that

# RADIUS Accounting
Router(config)# aaa accounting exec default start-stop group radius
Router(config)# aaa accounting commands 15 default start-stop group radius

TACACS+ AAA Configuration:

bash
# TACACS+ Server Configuration
Router(config)# tacacs server TACACS1   # Define server
Router(config-server-tacacs)# address ipv4 192.168.1.201
Router(config-server-tacacs)# key TacacsSecret123   # Shared secret
Router(config-server-tacacs)# port 49   # TACACS+ port
Router(config-server-tacacs)# timeout 10   # Timeout

# TACACS+ Authentication
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authentication enable default group tacacs+ enable

# TACACS+ Authorization
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# aaa authorization commands 15 default group tacacs+ local

# TACACS+ Accounting
Router(config)# aaa accounting exec default start-stop group tacacs+
Router(config)# aaa accounting commands 15 default start-stop group tacacs+

# Verify AAA
Router# show aaa sessions   # Active sessions
Router# show radius statistics   # RADIUS statistics
Router# show tacacs   # TACACS+ statistics

5.7 IPsec VPNs (Site-to-Site, Remote Access)

Site-to-Site IPsec VPN Configuration:

bash
# Phase 1 - IKE Policy
Router(config)# crypto isakmp policy 10   # IKE policy 10
Router(config-isakmp)# encryption aes 256   # AES 256 encryption
Router(config-isakmp)# hash sha256   # SHA-256 hash
Router(config-isakmp)# authentication pre-share   # Pre-shared key
Router(config-isakmp)# group 14   # DH group 14
Router(config-isakmp)# lifetime 86400   # 24 hours

# Pre-shared Key
Router(config)# crypto isakmp key VPNSecretKey123 address 203.0.113.100
Router(config)# crypto isakmp key VPNSecretKey123 hostname peer-router.com

# Phase 2 - IPsec Transform Set
Router(config)# crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
Router(config-crypto-trans)# mode tunnel   # Tunnel mode

# Interesting Traffic ACL (local LAN to remote LAN, from this router's point of view)
Router(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
# The mirror-image entry belongs in the peer router's crypto ACL, not here:
#   access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

# Crypto Map Configuration
Router(config)# crypto map SITE_TO_SITE 10 ipsec-isakmp
Router(config-crypto-map)# set peer 203.0.113.100   # Remote peer
Router(config-crypto-map)# set transform-set ESP-AES256-SHA256
Router(config-crypto-map)# match address 110   # Interesting traffic
Router(config-crypto-map)# set pfs group14   # Perfect Forward Secrecy

# Apply to Interface
Router(config)# interface gi0/1
Router(config-if)# crypto map SITE_TO_SITE

Advanced IPsec Features:

bash
# IKEv2 Configuration
Router(config)# crypto ikev2 proposal IKEv2_PROPOSAL
Router(config-ikev2-proposal)# encryption aes-cbc-256
Router(config-ikev2-proposal)# integrity sha256
Router(config-ikev2-proposal)# group 14

Router(config)# crypto ikev2 policy IKEv2_POLICY
Router(config-ikev2-policy)# proposal IKEv2_PROPOSAL

# Dead Peer Detection
Router(config)# crypto isakmp keepalive 10 3   # DPD configuration

# NAT Traversal
Router(config)# crypto isakmp nat traversal 20   # NAT-T support

# Redundancy: add the backup peer to the SAME crypto map entry. A second sequence
# number with an identical 'match address' is never reached, because entry 10 matches first.
Router(config)# crypto map SITE_TO_SITE 10 ipsec-isakmp
Router(config-crypto-map)# set peer 203.0.113.101   # Backup peer, tried when the first is unreachable
Router(config-crypto-map)# set transform-set ESP-AES256-SHA256
Router(config-crypto-map)# match address 110

IPsec Verification and Troubleshooting:

bash
# IPsec Status Commands
Router# show crypto isakmp sa   # IKE SAs
Router# show crypto ipsec sa   # IPsec SAs
Router# show crypto map   # Crypto map config
Router# show crypto session   # Active sessions

# IPsec Statistics
Router# show crypto engine connections active   # Active connections
Router# show crypto ipsec transform-set   # Transform sets
Router# show crypto isakmp policy   # IKE policies

# IPsec Troubleshooting
Router# debug crypto isakmp   # Debug IKE
Router# debug crypto ipsec   # Debug IPsec
Router# clear crypto session   # Clear sessions
Router# clear crypto sa   # Clear SAs

5.8 Wireless Security Protocols (WPA/WPA2/WPA3)

WPA2-Personal Configuration:

bash
# WPA2-PSK Configuration (autonomous AP: key management is configured under the
# SSID, the cipher under the radio interface, and the SSID is then bound to the radio)
AP(config)# dot11 ssid SECURE_NETWORK   # Define SSID
AP(config-ssid)# authentication open   # Open 802.11 authentication; WPA2 does the key exchange
AP(config-ssid)# authentication key-management wpa version 2   # WPA2
AP(config-ssid)# wpa-psk ascii 0 SecurePassword123   # Pre-shared key

AP(config)# interface dot11radio 0   # 2.4GHz radio
AP(config-if)# encryption mode ciphers aes-ccmp   # AES encryption
AP(config-if)# ssid SECURE_NETWORK   # Bind SSID to the radio
AP(config-if)# no shutdown   # Enable radio

# WPA2 Mixed Mode (TKIP + AES)
AP(config-if)# encryption mode ciphers aes-ccmp tkip   # Both ciphers (TKIP is deprecated; only for legacy clients)

WPA2-Enterprise Configuration:

bash
# WPA2-Enterprise (802.1X)
AP(config-if)# authentication key-management wpa version 2
AP(config-if)# dot1x authentication-server host 192.168.1.100 port 1812
AP(config-if)# dot1x authentication-server shared-secret RadiusKey123
AP(config-if)# dot1x accounting-server host 192.168.1.100 port 1813
AP(config-if)# encryption mode ciphers aes-ccmp   # AES only

# Advanced 802.1X Features
AP(config-if)# dot1x timeout tx-period 30   # EAP timeout
AP(config-if)# dot1x max-reauth-req 2   # Max reauth requests

WPA3 Configuration:

bash
# WPA3-Personal (SAE)
AP(config-if)# authentication key-management wpa3   # WPA3
AP(config-if)# authentication key-management sae   # SAE method
AP(config-if)# wpa3-sae password SecureWPA3Pass   # WPA3 password
AP(config-if)# encryption mode ciphers aes-ccmp   # AES required

# WPA3-Enterprise
AP(config-if)# authentication key-management wpa3   # WPA3 enterprise
AP(config-if)# dot1x authentication-server host 192.168.1.100
AP(config-if)# encryption mode ciphers aes-ccmp   # AES encryption

# WPA3 Transition Mode (WPA2/WPA3)
AP(config-if)# authentication key-management wpa version 2   # WPA2
AP(config-if)# authentication key-management wpa3   # WPA3
AP(config-if)# wpa-psk ascii 0 TransitionPassword   # WPA2 password
AP(config-if)# wpa3-sae password TransitionPassword   # WPA3 password

Wireless Security Verification:

bash
# Show Wireless Security Status
AP# show dot11 associations   # Associated clients
AP# show controllers dot11radio 0   # Radio controller
AP# show interface dot11radio 0   # Radio interface
AP# show dot11 statistics   # Wireless statistics

# WLC Verification Commands
(Cisco Controller) > show wlan security 1   # WLAN security
(Cisco Controller) > show client summary   # Client summary
(Cisco Controller) > show ap summary   # AP summary

6. Automation and Programmability

6.1 Impact of Network Automation

Network Automation Benefits:

• Consistency: Eliminates human error in repetitive tasks
• Speed: Rapid deployment and configuration changes
• Scale: Manage thousands of devices efficiently
• Compliance: Ensure policy adherence across infrastructure
• Documentation: Automatic configuration tracking

6.2 Traditional vs Controller-Based Networking

Traditional Management:

bash
# CLI-based configuration (traditional)
Router# configure terminal
Router(config)# interface gi0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown

# SNMP monitoring (traditional)
Router(config)# snmp-server community public ro
Router(config)# snmp-server host 192.168.100.10 version 2c public

Controller-Based Management:

• Centralized policy definition
• Template-based configuration
• Intent-based networking
• Automated compliance checking

6.3 Software-Defined Networking (SDN) Architecture

SDN Components:

• Application Layer: Network applications and services
• Control Layer: SDN controller (centralized brain)
• Infrastructure Layer: Network devices (switches, routers)
• APIs: Northbound and southbound interfaces

6.4 Device Management Comparison

CLI vs DNA Center:

• CLI: Manual, device-by-device configuration
• DNA Center: Centralized, policy-driven, automated
6.5 REST APIs (CRUD, HTTP Verbs, Data Encoding)

REST API Basics [networkjourney]:

bash
# Enable RESTCONF on Cisco Device
Router(config)# restconf # Enable RESTCONF
Router(config)# ip http server # Plaintext HTTP; not needed by RESTCONF, keep disabled in production
Router(config)# ip http secure-server # Enable HTTPS (RESTCONF runs over HTTPS)
Router(config)# ip http authentication local # Local authentication
# Create API User (RESTCONF requires privilege 15, so protect this account accordingly)
Router(config)# username apiuser privilege 15 secret ApiPassword123
HTTP Methods (CRUD Operations) [itexamanswers]:

• GET: Read/Retrieve data (Read)
• POST: Create new resources (Create)
• PUT: Update/Replace entire resource (Update)
• PATCH: Partial update (Update)
• DELETE: Remove resources (Delete)

Data Encoding Examples:

json
# JSON Example - Interface Configuration
{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet1",
    "description": "Configured via REST API",
    "type": "iana-if-type:ethernetCsmacd",
    "enabled": true,
    "ietf-ip:ipv4": {
      "address": [
        {
          "ip": "192.168.1.1",
          "netmask": "255.255.255.0"
        }
      ]
    }
  }
}

REST API Examples:

python
# Python REST API Example (RESTCONF over HTTPS)
import json
import os
import requests

# API Endpoint: the ietf-interfaces YANG model exposed by RESTCONF
url = "https://192.168.1.1/restconf/data/ietf-interfaces:interfaces"
headers = {
    'Content-Type': 'application/yang-data+json',
    'Accept': 'application/yang-data+json'
}
# Credentials come from the environment, not from the script
auth = (os.environ["RESTCONF_USER"], os.environ["RESTCONF_PASS"])
# CA certificate that signed the device's HTTPS certificate. verify=False
# disables certificate checking and exposes the privilege-15 credentials
# to any on-path attacker; use it only in a lab.
ca_bundle = "device-ca.pem"

# GET Request - Retrieve Interface Information
response = requests.get(url, auth=auth, headers=headers, verify=ca_bundle)
response.raise_for_status()  # fail loudly on 401/403/404/500
print(json.dumps(response.json(), indent=2))

# POST Request - Create New Interface Configuration
# POST goes to the parent list; the device answers 201 Created,
# or 409 Conflict if an entry with that name already exists
interface_config = {
    "ietf-interfaces:interface": {
        "name": "GigabitEthernet2",
        "description": "API Created Interface",
        "type": "iana-if-type:ethernetCsmacd",
        "enabled": True
    }
}

response = requests.post(url, json=interface_config, auth=auth,
                         headers=headers, verify=ca_bundle)
response.raise_for_status()
print(response.status_code)
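The verb-to-operation mapping above is easiest to see in code that builds the request for each CRUD operation. The following Python is an added example written for this guide, not code from the page's sources or from Cisco; it assumes a device at 192.168.1.1 exposing the ietf-interfaces model over RESTCONF and uses only the standard library, so nothing is sent unless send() is called. It also covers a detail the list does not mention: RFC 8040 requires list keys in the URL path to be percent-encoded, so an interface named GigabitEthernet0/1 is addressed as GigabitEthernet0%2F1.

```python
"""RESTCONF CRUD request builder (stdlib only; nothing is sent at import)."""
import base64
import json
import ssl
import urllib.request
from urllib.parse import quote

# Assumed lab device; ietf-interfaces is the model IOS-XE RESTCONF exposes
BASE = "https://192.168.1.1/restconf/data"
HEADERS = {
    "Content-Type": "application/yang-data+json",
    "Accept": "application/yang-data+json",
}

# CRUD operation -> (HTTP verb, does the URL name one list entry?)
CRUD = {
    "create":  ("POST",   False),  # POST goes to the parent list
    "read":    ("GET",    True),
    "replace": ("PUT",    True),   # whole entry; omitted leaves are removed
    "update":  ("PATCH",  True),   # only the leaves present in the body change
    "delete":  ("DELETE", True),
}


def interface_url(name=None):
    """URL of the ietf-interfaces list, or of one entry keyed by name.

    RFC 8040 requires list keys in the path to be percent-encoded, so
    GigabitEthernet0/1 must become GigabitEthernet0%2F1; a bare '/' is
    read as a path separator and the device answers 404.
    """
    url = f"{BASE}/ietf-interfaces:interfaces"
    if name is not None:
        url += "/interface=" + quote(name, safe="")
    return url


def build_request(op, name, body=None):
    """Return an unsent urllib Request for one CRUD operation on an interface."""
    method, per_entry = CRUD[op]
    url = interface_url(name if per_entry else None)
    data = None
    if body is not None:
        if body.get("name") != name:
            raise ValueError("body name must match the list key in the URL")
        # YANG-data JSON wraps the entry in its module-qualified container
        data = json.dumps({"ietf-interfaces:interface": body}).encode()
    return urllib.request.Request(url, data=data, headers=HEADERS, method=method)


def send(req, user, password, ca_bundle):
    """Send a built request over TLS, validating the device certificate.

    ca_bundle is the PEM file of the CA that signed the device's HTTPS cert
    (assumed path). Skipping verification would hand the privilege-15
    credentials in the Basic header to anyone on the path.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Partial update of the description on Gi0/1: PATCH to the encoded key
    req = build_request("update", "GigabitEthernet0/1",
                        {"name": "GigabitEthernet0/1",
                         "description": "Configured via REST API"})
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

PUT and PATCH both target the single entry, but PUT replaces it entirely (a leaf left out of the body is deleted on the device), which is why a description-only change is sent as PATCH.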

6.6 Configuration Management Tools

Ansible Configuration Management:

text
# Ansible Playbook Example
---
- name: Configure Cisco Router Interface
  hosts: routers
  gather_facts: no
  tasks:
    - name: Configure GigabitEthernet0/1
      ios_config:
        lines:
          - ip address 192.168.1.1 255.255.255.0
          - description Configured by Ansible
          - no shutdown
        parents: interface GigabitEthernet0/1
        save_when: changed

    - name: Configure OSPF
      ios_config:
        lines:
          - network 192.168.1.0 0.0.0.255 area 0
          - router-id 1.1.1.1
        parents: router ospf 1
        save_when: changed

    - name: Verify Interface Status
      ios_command:
        commands:
          - show ip interface brief
          - show ip route ospf
      register: output

    - name: Display Output
      debug:
        msg: "{{ output.stdout_lines }}"

Ansible Inventory File:

text
# ios_config / ios_command need the network_cli connection plugin
[all:vars]
ansible_connection=network_cli

# Plaintext passwords are shown for the lab only. In production keep them
# in an ansible-vault encrypted group_vars file or supply them at run time.
[routers]
router1 ansible_host=192.168.1.10 ansible_user=admin ansible_password=admin123 ansible_network_os=ios
router2 ansible_host=192.168.1.11 ansible_user=admin ansible_password=admin123 ansible_network_os=ios

[switches]
switch1 ansible_host=192.168.1.20 ansible_user=admin ansible_password=admin123 ansible_network_os=ios

Puppet Configuration Management:

puppet
# Puppet Manifest Example
node 'router1.company.com' {
  cisco_interface { 'GigabitEthernet0/1':
    ensure              => present,
    description         => 'Configured by Puppet',
    ipv4_address        => '192.168.1.1',
    ipv4_netmask_length => 24,
    shutdown            => false,
  }

  cisco_ospf_instance { '1':
    ensure    => present,
    router_id => '1.1.1.1',
  }

  cisco_ospf_area { '1 0':
    ensure => present,
  }
}

Chef Configuration Management:

ruby
# Chef Recipe Example
cisco_interface 'GigabitEthernet0/1' do
  description 'Configured by Chef'
  ipv4_address '192.168.1.1'
  ipv4_netmask_length 24
  shutdown false
  action :create
end

cisco_ospf 'Sample' do
  router_id '1.1.1.1'
  action :create
end

6.7 JSON Data Structure Basics

JSON Syntax and Structure [itexamanswers]:

json
{
  "network-device": {
    "hostname": "Router1",
    "management-ip": "192.168.100.10",
    "interfaces": [
      {
        "name": "GigabitEthernet0/0",
        "ip-address": "192.168.1.1",
        "subnet-mask": "255.255.255.0",
        "description": "LAN Interface",
        "status": "up"
      },
      {
        "name": "GigabitEthernet0/1",
        "ip-address": "10.1.1.1",
        "subnet-mask": "255.255.255.0",
        "description": "WAN Interface",
        "status": "up"
      }
    ],
    "routing": {
      "protocol": "OSPF",
      "process-id": 1,
      "router-id": "1.1.1.1",
      "networks": [
        {
          "network": "192.168.1.0",
          "wildcard": "0.0.0.255",
          "area": 0
        },
        {
          "network": "10.1.1.0",
          "wildcard": "0.0.0.255",
          "area": 0
        }
      ]
    },
    "vlans": [
      {
        "id": 10,
        "name": "Users",
        "status": "active"
      },
      {
        "id": 20,
        "name": "Servers",
        "status": "active"
      }
    ]
  }
}

JSON Data Types:

• String: Text data in quotes ("example")
• Number: Numeric values (123, 45.67)
• Boolean: true or false
• Array: Ordered list of values ([1, 2, 3]) [youtube, networkwalks]
• Object: Key-value pairs {"key": "value"}
• null: Null value
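To show why these JSON types matter when a document like the one in 6.7 drives configuration, here is an added Python example written for this guide (not taken from the page's sources): it type-checks a trimmed, constructed copy of the network-device document and renders it into IOS CLI lines, refusing to render when a field carries the wrong JSON type (for example "process-id": "1", a string where the model expects a number). The field-to-type table is an assumption made for the example.

```python
"""Render the network-device JSON model into IOS CLI after checking JSON types."""
import json

# Constructed sample: a trimmed copy of the network-device document above
SAMPLE = json.loads("""
{
  "network-device": {
    "hostname": "Router1",
    "interfaces": [
      {"name": "GigabitEthernet0/0", "ip-address": "192.168.1.1",
       "subnet-mask": "255.255.255.0", "description": "LAN Interface", "status": "up"}
    ],
    "routing": {"protocol": "OSPF", "process-id": 1, "router-id": "1.1.1.1",
                "networks": [{"network": "192.168.1.0", "wildcard": "0.0.0.255", "area": 0}]},
    "vlans": [{"id": 10, "name": "Users", "status": "active"}]
  }
}
""")

# Assumed JSON type for each field. A quoted number ("area": "0") is a
# string to JSON and would only be rejected once the config hits the device.
SCHEMA = {
    "hostname": str, "process-id": int, "router-id": str, "area": int,
    "network": str, "wildcard": str, "id": int, "name": str, "status": str,
}


def check_types(node, path="$"):
    """Walk objects and arrays; return '<path>: expected X, got Y' strings."""
    errors = []
    if isinstance(node, dict):
        for key, value in node.items():
            want = SCHEMA.get(key)
            # bool is a subclass of int in Python but a distinct JSON type
            if want is not None and (not isinstance(value, want) or isinstance(value, bool)):
                errors.append(f"{path}.{key}: expected {want.__name__}, "
                              f"got {type(value).__name__}")
            errors.extend(check_types(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            errors.extend(check_types(item, f"{path}[{i}]"))
    return errors


def render_ios(doc):
    """Turn the model into CLI lines; refuses a document with wrong JSON types."""
    errors = check_types(doc)
    if errors:
        raise ValueError("; ".join(errors))
    dev = doc["network-device"]
    lines = [f"hostname {dev['hostname']}"]
    for vlan in dev.get("vlans", []):
        lines += [f"vlan {vlan['id']}", f" name {vlan['name']}"]
    for intf in dev.get("interfaces", []):
        lines += [f"interface {intf['name']}",
                  f" description {intf['description']}",
                  f" ip address {intf['ip-address']} {intf['subnet-mask']}",
                  " no shutdown" if intf.get("status") == "up" else " shutdown"]
    routing = dev.get("routing")
    if routing and routing.get("protocol") == "OSPF":
        lines.append(f"router ospf {routing['process-id']}")
        lines.append(f" router-id {routing['router-id']}")
        for net in routing["networks"]:
            lines.append(f" network {net['network']} {net['wildcard']} area {net['area']}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_ios(SAMPLE)))
```

Pushing these lines to a device would be the job of the ios_config task or RESTCONF call shown earlier; the point here is that the type check runs before anything touches the network.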

This CCNA CLI reference covers each exam topic area with command variations, explanations and real-world examples. Most sections include verification commands, troubleshooting steps and best practices so the commands can be understood and applied in practice.
1. https://networkwalks.com/new-ccna-200-301/
2. https://networklessons.com/cisco/ccna-routing-switching-icnd1-100-105/introduction-cisco-ios-cli-command-line-interface
3. https://www.9tut.com/cisco-command-line-interface-cli
4. https://www.networkacademy.io/ccna/ethernet/vlan-trunking
5. https://www.cisco.com/c/en/us/td/docs/net_mgmt/epn_manager/8_0_GA/user/guide/bk_cepnm_8_0_user_and_administrator_guide_ga/bk_CiscoEPNManager_8_0_UserAndAdministratorGuide_appendix_0100000.html
6. https://study-ccna.com/dynamic-nat/
7. https://www.scribd.com/document/523476861/CCNA-IP-Services
8. https://mkto.cisco.com/rs/564-WHV-323/images/ccna-security-command-guide.pdf
9. https://thetcpstack.wordpress.com/ccna/section-4-0-ip-services/
10. https://www.examguides.com/CCNA/cisco-ccna-77.htm
11. https://www.tutorialsweb.com/networking/cisco/security-fundamentals/security-fundamentals-12.htm
12. https://networkjourney.com/rest-api-basics-for-cisco-devices-automate-smarter-not-harder-ccnp-enterprise/
13. https://itexamanswers.net/14-7-2-module-quiz-network-automation-answers.html
14. https://www.youtube.com/watch?v=xOqwxluUCc8
15. https://www.youtube.com/watch?v=2p7-MluKAgE
16. https://networklessons.com/cisco/ccna-200-301
17. https://subnettingpractice.com/ccna_commands.html
18. https://www.youtube.com/watch?v=W0MGLKxHk9M
19. https://www.youtube.com/watch?v=IYbtai7Nu2g
20. https://www.cbtnuggets.com/blog/technology/networking/network-device-management-access-methods-to-know-for-ccna
21. https://www.youtube.com/watch?v=mMLF0n29fCg
22. https://networklessons.com/cisco/ccnp-encor-350-401/how-to-configure-static-route-on-cisco-ios-router
23. https://www.scribd.com/document/837076875/Cisco-CCNA-Security-Commands
24. https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8606-redist.html
25. https://ccnapracticallabs.com/how-to-redistribute-rip-ospf-eigrp-static-routes/
26. https://www.slideshare.net/slideshow/5-ip-security-aaa-and-acl/236608147
27. https://www.learncisco.net/courses/icnd-1/ip-routing-technologies/static-routing.html
28. https://www.networkacademy.io/ccna/network-services/modular-qos-cli-mqc
29. https://itexamanswers.net/module-8-quiz-access-control-lists-answers-network-security.html
30. https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wlan_security.html
31. https://www.learncisco.net/courses/icnd-2/vlans-and-spanning-tree/trunk-operations.html
32. https://www.tutorialsweb.com/networking/cisco/automation-programmability/automation-programmability-4.htm
33. https://www.youtube.com/watch?v=tcyR3P9PsUA
34. https://networklessons.com/cisco/ccna-200-301/introduction-to-rest-api
35. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/wpa3-dg.html
36. https://www.slideshare.net/slideshow/ccna-lab-4configuring-etherchannels-and-optimizing-spanning-tree-protocol-on-switch-52843690/52843690
37. https://www.certificationkits.com/spanning-tree-protocol-ccna/
