Today I will be adding some show commands... Although these are well known to myself and many others, I just feel it will be nice to have them available online for reference before they get lost among the sea of ever-growing piles of notes!
sw1#show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/1 notconnect 1 auto auto 10/100BaseTX
Fa0/2 notconnect 1 auto auto 10/100BaseTX
_______________
sw1#sh spanning-tree mst config
Name []
Revision 0 Instances configured 1
Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
_______________
r2#sh ip cef
Prefix Next Hop Interface
0.0.0.0/0 drop Null0 (default route handler entry)
0.0.0.0/32 receive
1.1.1.1/32 192.168.1.1 FastEthernet0/0
2.2.2.2/32 receive
192.168.1.0/24 attached FastEthernet0/0
192.168.1.0/32 receive
192.168.1.1/32 192.168.1.1 FastEthernet0/0
192.168.1.2/32 receive
192.168.1.255/32 receive
224.0.0.0/4 drop
224.0.0.0/24 receive
255.255.255.255/32 receive
_______________
r2#sh ip route | inc FastEthernet0/0
O 1.1.1.1 [110/2] via 192.168.1.1, 00:04:17, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
_______________
sw1#sh interfaces fa 0/19 switchport
Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
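The Fa0/19 output above shows a port left in "dynamic auto" that negotiated itself into an ISL trunk on native VLAN 1. As an added example (not from the original notes and not Cisco code), this Python script parses that kind of "show interfaces switchport" output and flags the settings an auditor would want tightened; SAMPLE is a constructed, trimmed copy of the output above plus one static access port for contrast.

```python
"""Audit 'show interfaces ... switchport' output for DTP-negotiated trunks.
Added example, not part of the original notes and not Cisco code.
SAMPLE is a constructed, trimmed copy of the Fa0/19 output plus an access port."""
import re

SAMPLE = """\
Name: Fa0/19
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Fa0/20
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Trunking Native Mode VLAN: 1 (default)
"""

def parse_switchport(text):
    """Split the output into one dict per port; a 'Name:' line starts a port."""
    ports, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"Name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports

def vlan_number(value):
    """'1 (default)' -> 1; None when the field is missing or unparsable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def audit_port(port):
    """Return the findings for one port (an empty list means nothing to flag)."""
    findings = []
    admin = port.get("Administrative Mode", "")
    oper = port.get("Operational Mode", "")
    if admin.startswith("dynamic"):
        # Trunk state decided by DTP, not by configuration.
        findings.append("DTP negotiation enabled (Administrative Mode: %s); "
                        "configure a static mode and 'switchport nonegotiate'" % admin)
    if oper == "trunk":
        if vlan_number(port.get("Trunking Native Mode VLAN")) == 1:
            findings.append("trunk uses native VLAN 1; move the native VLAN to an unused VLAN")
        if port.get("Operational Trunking Encapsulation") == "isl":
            findings.append("ISL encapsulation negotiated; set 'switchport trunk encapsulation dot1q'")
        if port.get("Trunking VLANs Enabled", "").upper() == "ALL":
            findings.append("all VLANs allowed on trunk; restrict with 'switchport trunk allowed vlan'")
    return findings

def audit(text):
    """Map each port name in the output to its findings list."""
    return {p["Name"]: audit_port(p) for p in parse_switchport(text)}
```

Feed it the full "show interfaces switchport" output (all ports) and every port with an empty findings list is one you can skip in a review.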
_______________
sw1#sh spanning-tree blockedports
Name Blocked Interfaces List
-------------------- ------------------------------------
Number of blocked ports (segments) in the system : 0
_______________
sw1#sh mls qos inter fa 0/24 queueing
FastEthernet0/24
QoS is disabled. When QoS is enabled, following settings will be applied
Egress Priority Queue : disabled
Shaped queue weights (absolute) : 25 0 0 0
Shared queue weights : 25 25 25 25
The port bandwidth limit : 100 (Operational Bandwidth:100.0)
The port is mapped to qset : 1
_______________
r1#sh ip proto
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 1.1.1.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
2.2.2.2 110 00:09:06
1.1.1.1 110 00:10:05
Distance: (default is 110)
_______________
show ip eigrp 1 topology X.X.X.X
_______________
Switch#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 5 0 0 1 6
---------------------- -------- --------- -------- ---------- ----------
1 vlan 5 0 0 1 6
_______________
sw1#sh spanning-tree summary
Switch is in mst mode (IEEE Standard)
Root bridge for: MST0
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short (Operational value is long)
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
MST0 0 0 0 8 8
---------------------- -------- --------- -------- ---------- ----------
1 mst 0 0 0 8 8
_______________
sw1#sh spanning-tree summary
Switch is in rapid-pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
UplinkFast is disabled
BackboneFast is disabled
Configured Pathcost method used is short
Name Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001 7 0 0 1 8
---------------------- -------- --------- -------- ---------- ----------
1 vlan 7 0 0 1 8
_______________
r1#sh ip ospf | inc ID
Routing Process "ospf 1" with ID 1.1.1.1
_______________
r1#sh frame-relay pvc 102
PVC Statistics for interface Serial0/1/0 (Frame Relay DTE)
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = INACTIVE, INTERFACE = Serial0/1/0.1
input pkts 321 output pkts 225 in bytes 109716
out bytes 70324 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 220 out bcast bytes 69804
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 04:22:51, last time pvc status changed 00:20:21
_______________
r1#show traffic-shape ser 0/1/0.1
Interface Se0/1/0.1
Access Target Byte Sustain Excess Interval Increment Adapt
VC List Rate Limit bits/int bits/int (ms) (bytes) Active
102 56000 875 7000 0 125 875 -
_______________
r2#sh ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 2.2.2.2
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway Distance Last Update
1.1.1.1 110 00:27:47
Distance: (default is 110)
Routing Protocol is "eigrp 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 1
EIGRP NSF-aware route hold timer is 240s
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
2.2.2.2/32
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
Distance: internal 90 external 170
_______________
r2#sh ip eigrp inter detail
IP-EIGRP interfaces for process 1
Xmit Queue Mean Pacing Time Multicast Pending
Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes
Fa0/0 0 0/0 0 0/1 0 0
Hello interval is 5 sec
Next xmit serial <none>
Un/reliable mcasts: 0/0 Un/reliable ucasts: 0/0
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication mode is not set
Use multicast
Lo0 0 0/0 0 0/1 0 0
Hello interval is 5 sec
Next xmit serial <none>
Un/reliable mcasts: 0/0 Un/reliable ucasts: 0/0
Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 0
Retransmissions sent: 0 Out-of-sequence rcvd: 0
Authentication mode is not set
Use multicast
_______________
r1#sh key chain
Key-chain oer:
key 1 -- text "cisco"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
_______________
r1#sh ipv inter fa 0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::1
No Virtual link-local address(es):
Global unicast address(es):
2001:1::1, subnet is 2001:1::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
_______________
show policy-map interface serial 0/1/0
_______________
r1#sh ip interface
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
FastEthernet0/1 is administratively down, line protocol is down
Internet protocol processing disabled
Serial0/1/0 is up, line protocol is up
Internet protocol processing disabled
Serial0/1/0.1 is down, line protocol is down
Internet address is 10.1.1.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
_______________
r1#sh ip rpf event
Last 15 triggered multicast RPF check events
RPF backoff delay: 500 msec
RPF maximum delay: 5 sec
DATE/TIME BACKOFF PROTOCOL EVENT RPF CHANGES
Jan 1 00:00:00.000 500 msec Connected Route UP 0
_______________
r1#sh ip rpf 1.1.1.1
RPF information for ? (1.1.1.1) failed, no route exists
Saturday, September 25, 2010
Wednesday, September 22, 2010
Lab Notes - Misc 9.22.2010
Well, I am trying to catch up with my ever-growing stack of notes, so I will just be adding stuff without any real thought of organization. I will note that since I have gotten my own real hardware, things have become much easier to learn, as I am able to stop and start when I like and do all of the required tasks!
________________________
UDLD Note:
UDLD uses a layer 2 protocol to echo frames between the switches on which it is configured, to verify that each side can both transmit and receive (Tx / Rx).
Note: On the lab, should they ask to "Provide Link Integrity", they are looking for UDLD.
________________________
DAI Note & Small Configuration:
DAI - Dynamic ARP Inspection
Here is a small snippet on how to configure DAI (the MAC wildcard mask is written in full as 0000.0000.0000, and DAI must be enabled on the VLAN before the filter has any effect):
SW1(config)#arp access-list oscar
SW1(config-arp-nacl)#permit ip 172.16.1.10 0.0.0.0 mac 1111.2222.2222 0000.0000.0000
SW1(config-arp-nacl)#exit
SW1(config)#ip arp inspection vlan 500
SW1(config)#ip arp inspection filter oscar vlan 500 static
SW1(config)#ip arp inspection validate src-mac ip
Here is a show command to verify results:
SW1(config)#do sh ip arp ins vla 500
Source Mac Validation : Enabled
Destination Mac Validation : Disabled
IP Address Validation : Enabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
500 Enabled Active oscar Yes
Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
500 Deny Deny Off
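To make the DAI behaviour above concrete, here is an added Python model (not from the original notes and not Cisco code) of how the "oscar" ARP ACL with its wildcard masks, the static filter and "validate src-mac ip" decide on an ARP frame. The frames are constructed, and the order in which the checks are applied is this model's own assumption, not a statement about IOS internals.

```python
"""Model of the DAI checks from the snippet above (ACL 'oscar', static filter,
validate src-mac ip). Added example: not the original notes, not Cisco code.
The check order below is an assumption of this model."""
from dataclasses import dataclass
from ipaddress import IPv4Address

def mac_to_int(mac):
    """'1111.2222.2222' (Cisco dotted form) or 'aa:bb:..' form -> integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)

@dataclass
class ArpAce:
    """One 'permit ip <ip> <ip-wildcard> mac <mac> <mac-wildcard>' entry."""
    ip: str
    ip_wild: str
    mac: str
    mac_wild: str

    def matches(self, sender_ip, sender_mac):
        # Wildcard semantics: a 1 bit in the mask means "don't care".
        ipw = int(IPv4Address(self.ip_wild))
        macw = mac_to_int(self.mac_wild)
        ip_ok = (int(IPv4Address(sender_ip)) | ipw) == (int(IPv4Address(self.ip)) | ipw)
        mac_ok = (mac_to_int(sender_mac) | macw) == (mac_to_int(self.mac) | macw)
        return ip_ok and mac_ok

@dataclass
class ArpFrame:
    eth_src: str           # Ethernet header source MAC
    sender_mac: str        # ARP body sender hardware address
    sender_ip: str         # ARP body sender protocol address
    trusted_port: bool = False

# The ACL from the notes: only 1111.2222.2222 may claim 172.16.1.10.
ARP_ACL_OSCAR = [ArpAce("172.16.1.10", "0.0.0.0", "1111.2222.2222", "0000.0000.0000")]

def dai_verdict(frame, acl=ARP_ACL_OSCAR, validate_src_mac=True, validate_ip=True):
    """Return 'permit' or a 'deny: ...' reason for one ARP frame on VLAN 500.
    'static' means a frame matching no ACL entry is dropped outright, with no
    fallback to the DHCP snooping binding table (the final return below)."""
    if frame.trusted_port:
        return "permit"    # DAI only inspects frames arriving on untrusted ports
    if validate_src_mac and mac_to_int(frame.eth_src) != mac_to_int(frame.sender_mac):
        return "deny: src-mac mismatch"
    if validate_ip:
        ip = IPv4Address(frame.sender_ip)
        if ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast:
            return "deny: invalid sender ip"
    if any(ace.matches(frame.sender_ip, frame.sender_mac) for ace in acl):
        return "permit"
    return "deny: no ACL match (static filter)"

# Constructed frames: the bound host, the same host claiming another IP,
# an Ethernet/ARP MAC mismatch, an unspecified sender IP, and a trusted uplink.
FRAMES = {
    "host": ArpFrame("1111.2222.2222", "1111.2222.2222", "172.16.1.10"),
    "other_ip": ArpFrame("1111.2222.2222", "1111.2222.2222", "172.16.1.1"),
    "mac_mismatch": ArpFrame("aaaa.bbbb.cccc", "1111.2222.2222", "172.16.1.10"),
    "zero_ip": ArpFrame("1111.2222.2222", "1111.2222.2222", "0.0.0.0"),
    "uplink": ArpFrame("aaaa.bbbb.cccc", "aaaa.bbbb.cccc", "172.16.1.1", trusted_port=True),
}

def verdicts(frames=FRAMES):
    """Run every constructed frame through the model."""
    return {name: dai_verdict(f) for name, f in frames.items()}
```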
________________________
PBR Note & Small Configuration:
If your lab should mention that it is looking for a next-hop of last resort, it is probably looking for PBR (Policy Based Routing).
Here is an example:
route-map Out_R4 permit 10
 set ip default next-hop 172.16.1.1
ip local policy route-map Out_R4
Note: If there is no longer (more specific) match for the destination in the router's RIB, the default next-hop is used, so this can be used as a way to provide next-hop redundancy. "ip local policy" applies the map to traffic the router itself originates; for transit traffic, apply "ip policy route-map Out_R4" under the ingress interface instead.
________________________
Spanning-Tree Note:
When trying to manipulate the path where there are multiple connections to multiple switches, "Cost" is evaluated before "Priority". Just remember that "Priority" is set on the Root Switch side and "Cost" is set on the Non-Root Switch side.
________________________
BGP Note:
When you are configuring BGP conditional advertisement with Advertise Maps / Non-Exist Maps, you must use an ACL (not a Prefix-List) to match your routes.
________________________
OSPF Note:
If you have multiple ABRs connected to the same NSSA, the ABR with the highest router-id performs the Type 7 to Type 5 translations.
________________________
IPv6 Redistribution:
Redistribution for IPv6 is different from IPv4 because you have to specifically redistribute connected routes, even if they are part of the IGP.
______
Split horizon for IPv6 RIP is enabled / disabled under the ipv6 router command:
#ipv6 router rip oscar
#no split-horizon
Keep in mind that when you are working with IPv6 you will be leaving off the "ip" portion of the commands, as that is considered IPv4.
________________________
BVI - Bridged Virtual Interfaces
If you are using the same BVI on "one" interface, remember there might be an issue with split horizon. Keep that in mind if only one router on the subnet is getting routes and the other is not.
________________________
Tuesday, September 21, 2010
Switchport Port-Security
Learned something new yesterday about switchports and port-security. When a switchport carries both Data and Voice, only one device (the phone) is physically connected to it, but the computer plugged into the back of the phone has its own MAC address, which the switch also sees.
Port-security will therefore count two MAC addresses on that port even though only one device is directly connected, so the maximum has to allow for both. I will put a sample configuration on here!
interface fastethernet 0/10
intf#switchport port-security
(You can add port-security settings to every port on the switch, but until you actually turn it on with this command they are useless.)
intf#switchport port-security maximum <number of MAC addresses>
intf#switchport port-security mac-address sticky
IRDP
Here is a configuration of IRDP that I had done yesterday. It's not often that you will use this let alone remember how to do it when the time comes so I figured I would just post a working configuration.
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 172.16.30.3 255.255.255.128
ip irdp
ip irdp multicast
ip irdp maxadvertinterval 20
ip irdp minadvertinterval 20
ip irdp holdtime 60
ip irdp preference 100
interface Vlan50
ip address 172.16.30.10 255.255.255.128
ip irdp
!
ip classless
ip http server
ip http secure-server
ip gdp irdp multicast
ip gdp irdp
!
sw3(config)#do sh ip route
Gateway Using Interval Priority Interface
172.16.30.3 IRDP 23 100 Vlan50
Default gateway is 172.16.30.3
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
sw3(config)#
Lab Notes - Misc
Today I will be adding a little to my blog... I come across so many good things and have mounds of notes but nothing searchable! So I figured I would start to document, and should any of this help anyone, then great!
IP is a routed protocol. A routed protocol is one whose packets carry user data. It is different from a routing protocol, which updates routers to let them know which path a packet should traverse.
If you are ever asked to configure a DHCP pool on the lab, make sure you look to see if there are any next-hop redundancy protocols in use, as this will dictate your Default Gateway unless otherwise noted on the lab.
When you configure Frame-Relay and are using FR map statements, you only need the broadcast keyword on one map statement per interface.
For Example:
interface Serial 0/1/0
encapsulation frame-relay
frame-relay map ip x.x.x.x 101 broadcast
frame-relay map ip x.x.x.x 102
Once one map carries the broadcast keyword, then you are all set.
If you are configuring frame-relay and are able to use inverse ARP, all you need to do is go under the interface, whether it is the physical interface or a sub-interface, and use the:
frame-relay interface-dlci XXX command, and you are good to go.
VTP Pruning
Global Config Mode: vtp pruning
You can also go under an interface that is trunking and add / remove VLANs from the pruning list, but remember this can only be done when the switch is a VTP server.
To enforce ROOT switch placement (so another switch cannot take over as root), Cisco recommends root guard on the ports that should never become root ports:
intf# spanning-tree guard root
CDP ( Cisco Discovery Protocol )
It shows CDP neighbors, but it can also be used to detect duplex mismatches, native VLAN mismatches and VTP domain mismatches.
_______
NTP:
R1 is the NTP master, R2 is getting its time from R1, and SW2 is getting its time from R2 using authentication. The trailing "7" on the authentication-key lines is the type-7 encoding shown by "show run", not part of the key itself. Relevant configuration below:
SW2#
access-list 17 permit 160.60.26.2
!
ntp authentication-key 1 md5 1306141B0E 7
ntp authenticate
ntp trusted-key 1
ntp access-group peer 17
ntp peer 160.60.26.2 key 1
R2#
ntp authentication-key 1 md5 0508050624 7
ntp server 160.60.123.1
________
If using a Hub and Spoke topology and Multicast Sparse Mode, you can use "NBMA mode" (ip pim nbma-mode) to resolve the issue of multicast traffic not being sent back out the interface on which it was received.