
Set Trunk

Create and name a VLAN (VLAN 1 is the default VLAN and cannot be renamed, so VLAN 10 is used here to match the port assignment below):
S1(config)# vlan 10
S1(config-vlan)# name Student
Assign ports to the VLAN:
S1(config)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
Set a port to trunk (negotiated through DTP):
S1(config-if)# switchport mode dynamic desirable

DCE side of a serial link:
R1(config)# interface s0/0/1
R1(config-if)# clock rate 64000
(or clock rate 128000)

Disable DNS lookup


R1(config)# no ip domain-lookup

Encrypt Router Passwords
R1(config)# service password-encryption

Set minimum password length
R1(config)# security passwords min-length 10

enable secret password


R1(config)# enable algorithm-type scrypt secret cisco12345

Configure basic console, auxiliary port, and virtual access lines

R1(config)# line console 0
R1(config-line)# password ciscocon
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous

R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# transport input telnet
R1(config-line)# login local

Banner MOTD
R1(config)# banner motd $Unauthorized access strictly prohibited!$

Create a new user account with a secret password


R1(config)# username user01 algorithm-type scrypt secret user01pass

Domain name
R1(config)# ip domain-name ccnasecurity.com

SSH
Configure a privileged user for login from the SSH client
R1(config)# username admin privilege 15 algorithm-type scrypt secret cisco12345
R1(config)# line vty 0 4
R1(config-line)# privilege level 15
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit

R1(config)# crypto key zeroize rsa


R1(config)# crypto key generate rsa general-keys modulus 1024
R1(config)# ip ssh time-out 90
R1(config)# ip ssh authentication-retries 2

SCP Server
Enable AAA on the router.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# ip scp server enable

Copy config
R1# copy running-config R1-Config
R3# copy scp: flash:
Address or name of remote host []? 10.1.1.1 (R1)
Source username [R3]? admin
Source filename []? R1-Config
Destination filename [R1-Config]? [Enter]
Password: cisco12345
R1# copy running-config startup-config

Configure Administrative Roles


R1# enable view
Password: cisco12345
R1(config)# parser view admin1
R1(config-view)# secret admin1pass
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include all config terminal
R1(config-view)# commands exec include all debug

R1# show parser view

Secure IOS Image and Configuration Files


R1(config)# secure boot-image
R1(config)# secure boot-config

Configure SNMPv3 Security using an ACL

R1(config)# ip access-list standard PERMIT-SNMP
R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
R1(config)# snmp-server view SNMP-RO iso included
R1(config)# snmp-server group SNMP-G1 v3 priv read SNMP-RO access PERMIT-SNMP
R1(config)# snmp-server user SNMP-Admin SNMP-G1 v3 auth sha Authpass priv aes 128 Encrypass

NTP
Master:
R2(config)# ntp authentication-key 1 md5 NTPpassword
R2(config)# ntp trusted-key 1
R2(config)# ntp authenticate
R2(config)# ntp master 3
Client:
R1(config)# ntp authentication-key 1 md5 NTPpassword
R1(config)# ntp trusted-key 1
R1(config)# ntp authenticate
R1(config)# ntp server 10.1.1.2
R1(config)# ntp update-calendar

Syslog
R1(config)# service timestamps log datetime msec
R1(config)# logging host 192.168.1.3

Securing the Control Plane


R1(config)# key chain NetAcad
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string CCNASkeystring
R1(config-keychain-key)# cryptographic-algorithm hmac-sha-256
R1(config)# interface s0/0/0
R1(config-if)# ip ospf authentication key-chain NetAcad

Auto Security
R3# auto secure
Is this router connected to internet? [no]: yes
Enter the interface name that is facing the internet: Serial0/0/1
Enter the security banner {Put the banner between k and k, where k is any character}:
# Unauthorized Access Prohibited #
Enter the new enable password: cisco67890
Confirm the enable password: cisco67890
Blocking Period when Login Attack detected: 60
Maximum Login failures with the device: 2
Maximum time period for crossing the failed login attempts: 30
Configure SSH server? [yes]: [Enter]
Configure CBAC Firewall feature? [yes/no]: no
Apply this configuration to running-config? [yes]: [Enter]

Configure Local Authentication Using AAA


R3(config)# username Admin01 privilege 15 algorithm-type scrypt secret Admin01pass
R3(config)# aaa new-model
R3(config)# aaa authentication login default local-case none
R3(config)# aaa authentication login TELNET_LINES local
R3(config)# line vty 0 4
R3(config-line)# login authentication TELNET_LINES
Test from PC-C:
PC-C> telnet 192.168.3.1

Verify that the system clock and debug time stamps are configured correctly
R3# clock set 14:15:00 26 December 2014
R3# show run | include timestamps
R3(config)# service timestamps debug datetime msec
R3(config)# exit
R3# copy running-config startup-config

Use debug to verify user access


R3# debug aaa authentication

Configure R1 AAA Services and Access the RADIUS Server

Using Cisco IOS


R1(config)# aaa new-model
R1(config)# aaa authentication login default group radius none
R1(config)# radius server CCNAS
R1(config-radius-server)# address ipv4 192.168.1.3
R1(config-radius-server)# key WinRadius
R1(config-radius-server)# end
Create an authentication method list for Telnet
R1(config)# aaa authentication login TELNET_LINES group radius
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET_LINES

Create a Zone-Based Policy Firewall

Creating the security zones (3 zones)

INSIDE: the trusted zone; all the main protocols are allowed.
CONFROOM: not fully trusted; what the server can send out to the Internet must be limited.
R3(config)# zone security INSIDE
R3(config)# zone security CONFROOM
R3(config)# zone security INTERNET

Creating Security Policies


R3(config)# class-map type inspect match-any INSIDE_PROTOCOLS
R3(config-cmap)# match protocol tcp
R3(config-cmap)# match protocol udp
R3(config-cmap)# match protocol icmp
R3(config)# class-map type inspect match-any CONFROOM_PROTOCOLS
R3(config-cmap)# match protocol http
R3(config-cmap)# match protocol https
R3(config-cmap)# match protocol dns

R3(config)# policy-map type inspect INSIDE_TO_INTERNET
R3(config-pmap)# class type inspect INSIDE_PROTOCOLS
R3(config-pmap-c)# inspect
R3(config)# policy-map type inspect CONFROOM_TO_INTERNET
R3(config-pmap)# class type inspect CONFROOM_PROTOCOLS
R3(config-pmap-c)# inspect

Create the Zone Pair

INSIDE_TO_INTERNET: allows traffic leaving the internal network towards the Internet.
CONFROOM_TO_INTERNET: allows Internet access from the ConfRoom network.

R3(config)# zone-pair security INSIDE_TO_INTERNET source INSIDE destination INTERNET
R3(config)# zone-pair security CONFROOM_TO_INTERNET source CONFROOM destination INTERNET

Applying Security Policies

R3(config)# zone-pair security INSIDE_TO_INTERNET
R3(config-sec-zone-pair)# service-policy type inspect INSIDE_TO_INTERNET
R3(config)# zone-pair security CONFROOM_TO_INTERNET
R3(config-sec-zone-pair)# service-policy type inspect CONFROOM_TO_INTERNET

R3# show zone-pair security
R3# show policy-map type inspect zone-pair

Assign Interfaces to the Proper Security Zones


R3(config)# interface g0/0
R3(config-if)# zone-member security CONFROOM

(Optional) Multiple Interfaces under the Same Zone


R3(config)# policy-map type inspect inside
R3(config-pmap)# class class-default
R3(config-pmap-c)# pass
R3(config)# zone-pair security INSIDE source INSIDE destination INSIDE
R3(config-sec-zone-pair)# service-policy type inspect inside

R3# show zone-pair security


Zone-pair name INSIDE_TO_INTERNET
Source-Zone INSIDE Destination-Zone INTERNET
service-policy INSIDE_TO_INTERNET
Zone-pair name CONFROOM_TO_INTERNET
Source-Zone CONFROOM Destination-Zone INTERNET
service-policy CONFROOM_TO_INTERNET
Zone-pair name INSIDE
Source-Zone INSIDE Destination-Zone INSIDE
service-policy inside
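Added example, not part of the original notes and not Cisco code: a small Python model of how the zone-based policy firewall configured above decides the fate of a new flow. The zones, class-maps, policy-maps and zone-pairs are taken from the R3 commands; the interface-to-zone mapping for g0/1 (INSIDE) and s0/0/1 (INTERNET) is an assumption, since the notes only place g0/0 in CONFROOM.

```python
# Added example: a model of the zone-based policy firewall decision, not IOS code.
# Zones, class-maps, policy-maps and zone-pairs mirror the R3 configuration in
# the notes; the g0/1 and s0/0/1 zone memberships are assumptions.

ZONE_MEMBER = {
    "g0/0": "CONFROOM",     # from the notes
    "g0/1": "INSIDE",       # assumed
    "s0/0/1": "INTERNET",   # assumed
}

# class-map type inspect match-any <name> -> protocols it matches
CLASS_MAPS = {
    "INSIDE_PROTOCOLS": {"tcp", "udp", "icmp"},
    "CONFROOM_PROTOCOLS": {"http", "https", "dns"},
}

# policy-map type inspect <name> -> ordered (class, action); a class-default
# that is not listed drops, which is the IOS default
POLICY_MAPS = {
    "INSIDE_TO_INTERNET": [("INSIDE_PROTOCOLS", "inspect")],
    "CONFROOM_TO_INTERNET": [("CONFROOM_PROTOCOLS", "inspect")],
    "inside": [("class-default", "pass")],   # the optional same-zone policy
}

# zone-pair security <name> source <src> destination <dst> + service-policy
ZONE_PAIRS = {
    ("INSIDE", "INTERNET"): "INSIDE_TO_INTERNET",
    ("CONFROOM", "INTERNET"): "CONFROOM_TO_INTERNET",
    ("INSIDE", "INSIDE"): "inside",
}

# Application protocols also satisfy the generic transport match
# ("match protocol tcp" classifies HTTP traffic too)
TRANSPORT_OF = {"http": "tcp", "https": "tcp", "dns": "udp", "ssh": "tcp", "ntp": "udp"}


def class_matches(class_name, protocol):
    """True when the class-map would classify this protocol."""
    if class_name == "class-default":
        return True
    protos = CLASS_MAPS[class_name]
    return protocol in protos or TRANSPORT_OF.get(protocol) in protos


def decide(in_if, out_if, protocol):
    """Return 'pass', 'inspect' or 'drop' for a new flow entering in_if and
    leaving out_if (return traffic of an inspected flow is not modelled)."""
    src, dst = ZONE_MEMBER.get(in_if), ZONE_MEMBER.get(out_if)
    if src is None or dst is None:
        return "drop"            # zone member <-> non-member is always dropped
    policy = ZONE_PAIRS.get((src, dst))
    if policy is None:
        # no zone-pair: same zone is permitted by default, different zones are denied
        return "pass" if src == dst else "drop"
    for class_name, action in POLICY_MAPS[policy]:
        if class_matches(class_name, protocol):
            return action
    return "drop"                # implicit class-default


if __name__ == "__main__":
    for flow in [("g0/1", "s0/0/1", "http"), ("g0/0", "s0/0/1", "http"),
                 ("g0/0", "s0/0/1", "ssh"), ("s0/0/1", "g0/1", "http"),
                 ("g0/0", "g0/1", "http"), ("g0/1", "g0/1", "icmp")]:
        print(f"{flow[0]:>7} -> {flow[1]:<7} {flow[2]:<5} {decide(*flow)}")
```

The model shows why the CONFROOM zone is the tighter one: SSH from g0/0 towards the Internet is dropped because only http, https and dns are in CONFROOM_PROTOCOLS, while anything TCP, UDP or ICMP leaves the INSIDE zone. It also shows the default-deny behaviour between zones with no zone-pair (INTERNET to INSIDE, CONFROOM to INSIDE). Stateful return traffic created by inspect is deliberately left out.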

Securing Layer 2 Switches

Basic Switch Settings


S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
S1(config)# no ip domain-lookup
S1(config)# no ip http server
S1(config)# no ip http secure-server

Configure Secure Trunk & Access Ports

Set S1 priority to 0 so that it becomes the root switch.
S1(config)# spanning-tree vlan 1 priority 0
S1# show spanning-tree

Configure f0/1 on S1 and S2 as trunk ports:
S1(config)# interface f0/1
S1(config-if)# switchport mode trunk
S2(config)# interface f0/1
S2(config-if)# switchport mode trunk
S1# show interfaces trunk


Change the native VLAN for the trunk ports on S1 and S2
S1(config)# interface f0/1
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# end

S2(config)# interface f0/1


S2(config-if)# switchport trunk native vlan 99
S2(config-if)# end

Prevent the use of DTP on S1 and S2


S1(config)# interface f0/1
S1(config-if)# switchport nonegotiate

S2(config)# interface f0/1


S2(config-if)# switchport nonegotiate
S1# show interfaces f0/1 switchport
Negotiation of Trunking: Off

S1# show run | begin 0/1

Disable trunking on S1 access ports


S1(config)# interface f0/5
S1(config-if)# switchport mode access

Enable PortFast
PortFast lets access ports move to the forwarding state more quickly.

S1(config)# interface f0/5


S1(config-if)# spanning-tree portfast

S2(config)# interface f0/18


S2(config-if)# spanning-tree portfast

Enable BPDU guard

BPDU guard prevents rogue switches and spoofing on access ports.
S1(config)# interface f0/6
S1(config-if)# spanning-tree bpduguard enable
S1# show spanning-tree interface f0/6 detail

Enable root guard

Root guard is enabled only on ports connecting to edge switches.
S2(config)# interface g0/1
S2(config-if)# spanning-tree guard root
S2# show run | begin Gig

Enable Loop Guard


S2(config)# spanning-tree loopguard default
S2# show spanning-tree summary

Configure basic port security

The port must be configured as an access port before port security can be enabled (f0/5 is already in access mode from the step above).
S1(config)# interface f0/5
S1(config-if)# shutdown
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/1 interface. You can also use the switchport port-security mac-address sticky command to add all the secure MAC addresses that are dynamically learned on a port, up to the configured maximum, to the switch running configuration.)
S1(config-if)# no shutdown

Verify port security (not necessary)

Temporarily give R1 G0/1 a different MAC address so that the secure port sees a violation:
R1(config)# interface g0/1
R1(config-if)# mac-address aaaa.bbbb.cccc
R1(config-if)# end
From the R1 CLI, ping PC-A
S1# show port-security
S1# show port-security address
Restore the original MAC address on R1:
R1(config)# interface g0/1
R1(config-if)# no mac-address aaaa.bbbb.cccc

Bring the port on S1 back up and clear the old port-security entry:
S1(config)# interface f0/5
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# no switchport port-security
S1(config-if)# no switchport port-security mac-address fc99.4775.c3e1
Then reconfigure port security on S1 with the commands from the previous step.

(Optional) Configure port security for VoIP


S2(config)# interface f0/18
S2(config-if)# switchport mode access
S2(config-if)# switchport port-security
S2(config-if)# switchport port-security maximum 3
S2(config-if)# switchport port-security violation shutdown
S2(config-if)# switchport port-security aging time 120

Move active ports to a VLAN other than the default VLAN 1

S1(config)# vlan 20
S1(config-vlan)# name Users
S1(config)# interface f0/6
S1(config-if)# switchport access vlan 20

Configure a port with the PVLAN Edge feature


S1(config)# interface f0/6
S1(config-if)# switchport protected
S1(config-if)# interface f0/7
S1(config-if)# switchport protected
S1(config-if)# no shut
S1(config-if)# end

S1# show interfaces fa0/6 switchport

Configure DHCP Snooping


Set up DHCP on R1 for VLAN 1
R1(config)# ip dhcp pool CCNAS
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.4
Set up DHCP on R1 for VLAN 20
R1(config)# ip dhcp pool 20Users
R1(dhcp-config)# network 192.168.20.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.20.1
R1(config)# ip dhcp excluded-address 192.168.20.1

Configure Inter-VLAN Communication

R1(config)# interface g0/1
R1(config-if)# shutdown
R1(config-if)# no ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface g0/1.1
R1(config-subif)# encapsulation dot1q 1
R1(config-subif)# ip address 192.168.1.1 255.255.255.0
R1(config-subif)# interface g0/1.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 192.168.20.1 255.255.255.0
R1(config-subif)# interface g0/1.99
R1(config-subif)# encapsulation dot1q 99
R1(config-subif)# ip address 192.168.99.1 255.255.255.0
Configure S1 interface f0/5 as a trunk port
S1(config)# interface f0/5
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99

Configure DHCP Snooping


S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping information option
S1(config)# ip dhcp snooping vlan 1,20
Limit the number of DHCP requests on an interface
S1(config)# interface f0/6
S1(config-if)# ip dhcp snooping limit rate 10
S1(config-if)# exit
Identify the trusted interface
S1(config)# interface f0/5
S1(config-if)# description connects to DHCP server
S1(config-if)# ip dhcp snooping trust
S1# show ip dhcp snooping
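Added example, not part of the original notes and not Cisco code: a Python audit that reads a saved switch running-config and flags ports that miss the Layer 2 hardening settings listed above (trunks without switchport nonegotiate or still on native VLAN 1, access ports without PortFast, BPDU guard and port security, DHCP snooping trust on anything other than the uplink). SAMPLE_CONFIG is constructed for this example and is not a capture from S1; the uplinks parameter defaulting to FastEthernet0/5 is an assumption taken from the trusted-interface step.

```python
# Added example, not from the original notes: audit a saved switch running-config
# for the Layer 2 hardening settings above. SAMPLE_CONFIG is constructed for the
# example and is not a capture from S1.
import re

SAMPLE_CONFIG = """\
!
ip dhcp snooping
ip dhcp snooping vlan 1,20
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface FastEthernet0/5
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
interface FastEthernet0/6
 switchport access vlan 20
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/8
 switchport access vlan 20
!
interface FastEthernet0/18
 switchport trunk native vlan 1
 switchport mode trunk
!
"""

# Access ports are expected to carry these three lines
ACCESS_REQUIRED = (
    ("spanning-tree portfast", "PortFast"),
    ("spanning-tree bpduguard enable", "BPDU guard"),
    ("switchport port-security", "port security"),
)


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS running-config text."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None      # '!' or a global command ends the interface block
    return sections


def native_vlan(lines):
    """Native VLAN of a trunk; IOS uses VLAN 1 when none is configured."""
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            return int(m.group(1))
    return 1


def audit(config, uplinks=("FastEthernet0/5",)):
    """Return (interface, finding) pairs; an empty list means nothing was flagged.
    uplinks names the ports that may legitimately be DHCP-snooping trusted."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.startswith("Vlan"):
            continue            # SVIs have no switchport settings to check
        has = set(lines)
        if "switchport mode trunk" in has:
            if "switchport nonegotiate" not in has:
                findings.append((name, "trunk still negotiates DTP; add 'switchport nonegotiate'"))
            if native_vlan(lines) == 1:
                findings.append((name, "trunk uses native VLAN 1; move it to an unused VLAN"))
        elif "switchport mode access" in has:
            for needed, label in ACCESS_REQUIRED:
                if needed not in has:
                    findings.append((name, f"access port without {label}"))
        else:
            findings.append((name, "port mode not pinned; set 'switchport mode access' or 'trunk'"))
        if "ip dhcp snooping trust" in has and name not in uplinks:
            findings.append((name, "DHCP snooping trust on a port that is not the uplink"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against the sample, FastEthernet0/5 and 0/6 come back clean, 0/7 is flagged four times (no PortFast, BPDU guard or port security, and it is trusted for DHCP snooping although it is not the uplink), 0/8 has no mode pinned and is therefore open to DTP negotiation, and 0/18 is a trunk that still negotiates and sits on native VLAN 1. Point it at `show running-config` output from a real switch to get the same list.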

Configure Site-to-Site VPN using CLI

Configure OSPF

R1(config)# router ospf 101
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.0 0.0.0.3 area 0

Configure EIGRP

R1(config)# router eigrp 100
R1(config-router)# network 10.0.0.0

R2(config)# router eigrp 100
R2(config-router)# network 10.0.0.0
R2(config-router)# network 192.168.0.0 0.0.255.255
R2(config)# ip route 10.1.5.0 255.255.255.0 10.4.4.2

R3(config)# ip route 0.0.0.0 0.0.0.0 10.4.4.1

Configure a Site-to-Site VPN

R1(config)# crypto isakmp enable
R3(config)# crypto isakmp enable

Configure the IKE Phase 1 ISAKMP policy


R1(config)# crypto isakmp policy 10
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# end
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# hash sha
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 14
R3(config-isakmp)# lifetime 3600
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# end

R1# show crypto isakmp policy

Configure pre-shared key

R1(config)# crypto isakmp key cisco123 address 10.2.2.1
(10.2.2.1 is R3's S0/0/1, the remote VPN endpoint; the same key is configured on R3 for R1's address 10.1.1.1)

Configure IPsec transform set and lifetime

R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Tag 50: an ESP transform using the AES 256 cipher for encryption and the SHA HMAC for integrity.
R1(config)# crypto ipsec security-association lifetime seconds 1800
R3(config)# crypto ipsec security-association lifetime seconds 1800
The IPsec security association lifetime can also be changed from the default of 3600 seconds. On R1 and R3 it is set to 30 minutes (1800 seconds).

Define interesting traffic

R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
(source network first, then destination network)
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Create and apply a crypto map


Create the crypto map on R1, name it CMAP, and use 10 as the sequence
number. A message displays after the command is issued
R1(config)# crypto map CMAP 10 ipsec-isakmp

Use the match address <access-list> command to specify which access list
defines which traffic to encrypt
R1(config-crypto-map)# match address 101
Setting a peer IP or hostname is required. Set it to R3’s remote VPN
endpoint interface using the following command
R1(config-crypto-map)# set peer 10.2.2.1

Use the set transform-set <tag> command to hard code the transform set to be
used with this peer. Set the perfect forwarding secrecy type using the set
pfs <type> command, and modify the default IPsec security association life
time with the set security-association lifetime seconds <seconds> command
R1(config-crypto-map)# set pfs group14
R1(config-crypto-map)# set transform-set 50
R1(config-crypto-map)# set security-association lifetime seconds 900

Create a mirrored matching crypto map on R3


R3(config)# crypto map CMAP 10 ipsec-isakmp
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 10.1.1.1
R3(config-crypto-map)# set pfs group14
R3(config-crypto-map)# set transform-set 50
R3(config-crypto-map)# set security-association lifetime seconds 900
R3(config-crypto-map)# exit

Apply the crypto map to interfaces


R1(config)# interface S0/0/0
R1(config-if)# crypto map CMAP
*Jan 28 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1(config)# end

R3(config)# interface S0/0/1


R3(config-if)# crypto map CMAP
*Jan 28 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)# end

Verify the Site-to-Site IPsec VPN Configuration


R1# show crypto ipsec transform-set
R1# show crypto map
Verify the IPsec VPN Operation
R1# show crypto isakmp sa
R1# show crypto ipsec sa
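Added example, not part of the original notes and not Cisco code: a Python consistency check for the two ends of the site-to-site VPN configured above. It encodes what IKE phase 1 and the IPsec crypto map require the peers to agree on (encryption, hash, authentication and DH group of a matching ISAKMP policy; identical transform set and PFS group; mirrored crypto ACLs; each side's peer address being the other side's local address) and reports which item would keep the tunnel down. The values are taken from the R1 and R3 commands; the dictionary layout is this example's own and not an IOS data structure.

```python
# Added example, not from the original notes: check that the two ends of the
# site-to-site VPN agree on the settings IKE/IPsec negotiation requires. The
# values come from the R1 and R3 commands above; the dict layout is this
# example's own, not an IOS data structure.
import copy

R1 = {
    "local": "10.1.1.1",
    "peer": "10.2.2.1",
    "isakmp_policies": {10: {"encryption": "aes 256", "hash": "sha",
                             "authentication": "pre-share", "group": 14,
                             "lifetime": 3600}},
    "transform_set": ("esp-aes 256", "esp-sha-hmac"),
    "pfs": "group14",
    "crypto_acl": [("192.168.1.0/24", "192.168.3.0/24")],   # access-list 101
}

R3 = {
    "local": "10.2.2.1",
    "peer": "10.1.1.1",
    "isakmp_policies": {10: {"encryption": "aes 256", "hash": "sha",
                             "authentication": "pre-share", "group": 14,
                             "lifetime": 3600}},
    "transform_set": ("esp-aes 256", "esp-sha-hmac"),
    "pfs": "group14",
    "crypto_acl": [("192.168.3.0/24", "192.168.1.0/24")],
}

PHASE1_MUST_MATCH = ("encryption", "hash", "authentication", "group")


def matching_isakmp_policy(initiator, responder):
    """IKEv1 phase 1: the responder walks the initiator's policies in priority
    order (lowest number first) and accepts the first whose encryption, hash,
    authentication and DH group it also has. Lifetime does not have to match;
    the shorter of the two is used. Returns (init_no, resp_no, lifetime) or None."""
    for num, pol in sorted(initiator["isakmp_policies"].items()):
        for rnum, rpol in sorted(responder["isakmp_policies"].items()):
            if all(pol[k] == rpol[k] for k in PHASE1_MUST_MATCH):
                return num, rnum, min(pol["lifetime"], rpol["lifetime"])
    return None


def acls_mirror(a, b):
    """Crypto ACLs must be mirror images: each (src, dst) on one side
    appears as (dst, src) on the other."""
    return sorted((d, s) for s, d in a["crypto_acl"]) == sorted(b["crypto_acl"])


def check_vpn(a, b):
    """Per-item verdicts for the tunnel between a and b."""
    return {
        "isakmp_policy": matching_isakmp_policy(a, b) is not None,
        "transform_set": a["transform_set"] == b["transform_set"],
        "pfs": a["pfs"] == b["pfs"],
        "crypto_acl_mirror": acls_mirror(a, b),
        "peers": a["peer"] == b["local"] and b["peer"] == a["local"],
    }


def mismatched(a, b):
    """Names of the items that would stop the tunnel from coming up."""
    return [item for item, ok in check_vpn(a, b).items() if not ok]


if __name__ == "__main__":
    print("R1 <-> R3:", mismatched(R1, R3) or "consistent")
    # Constructed misconfiguration: R3 moved to DH group 5 and a typo in its ACL
    r3_bad = copy.deepcopy(R3)
    r3_bad["isakmp_policies"][10]["group"] = 5
    r3_bad["crypto_acl"] = [("192.168.3.0/24", "192.168.2.0/24")]
    print("R1 <-> misconfigured R3:", mismatched(R1, r3_bad))
```

With the values from the notes every item passes. The constructed misconfiguration in the main block shows the two failures that are hardest to spot in show crypto isakmp sa output: a DH group mismatch, which leaves phase 1 with no acceptable policy, and a crypto ACL that is not the mirror of the peer's, which leaves phase 2 with no matching proxy identities.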
