Cisco Notes
Notes created from CCNA preparation material and personal experience with Cisco devices.
1. Access & Management
Physical Connection (Console)
You need a USB-to-serial adapter or a serial cable to connect to the console port of a Cisco device.
Using screen:
screen /dev/ttyUSB0 9600
Using minicom:
minicom -D /dev/ttyUSB0 -b 9600
Using Telnet/SSH:
telnet <ip_address>
ssh -l <username> <ip_address>
Enable Console Authentication
configure terminal
line console 0
login local
exit
exit
Enable VTY (Virtual Terminal) Authentication
configure terminal
line vty 0 15
login local
transport input ssh # Accept SSH only; Telnet carries credentials in clear text
exit
exit
The transport input command only chooses which protocols a VTY line accepts; it has nothing to do with whether login local works. For a lab, transport input telnet ssh also accepts Telnet.
Configure SSH Server
The RSA key is named after the hostname and domain name, so set both before generating it (hostname is covered under System Administration).
configure terminal
ip domain-name <domain_name>
crypto key generate rsa modulus 2048 # Key size in bits; 2048 or larger, 1024 is too weak for current clients
ip ssh authentication-retries 3
ip ssh time-out 60 # Seconds allowed to complete authentication
exit
aaa new-model is not required for SSH (it changes login behaviour globally; see the AAA section). Also set ip ssh version 2 so only SSHv2 is accepted, and verify with show ip ssh.
User & Password Management
Create/Delete Users
configure terminal
username <username> password <password> # Clear text (or reversible type 7 once service password-encryption is on); avoid
username <username> secret <password> # Hashed: type 5 (MD5) on older IOS, type 8 (PBKDF2) or 9 (scrypt) on newer; use this
no username <username> # Delete user
exit
Create Users with Privilege Levels
configure terminal
username noc_view privilege 1 secret <password> # Basic user mode
username net_ops privilege 5 secret <password> # Limited operations
username net_admin privilege 15 secret <password> # Full admin
exit
Default user EXEC level is 1. Privilege level 15 is full privileged EXEC access.
Secure Passwords
configure terminal
enable secret <password> # Hashed privileged EXEC password; takes precedence over any enable password
service password-encryption # Type 7 encoding for remaining clear-text passwords: obfuscation only, trivially reversible
exit
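Added example (Python, not from these notes or from Cisco): a small audit script for the settings this section covers. It parses a constructed running-config excerpt, flags enable password, username ... password and VTY lines that still accept Telnet, and decodes type 7 strings to show that service password-encryption only obfuscates. The sample config, usernames and type 7 strings are constructed for the example.

```python
"""Audit an IOS running-config excerpt for the weak credential settings described above.

Added example, not taken from the notes or from Cisco: it parses a constructed
sample config, flags 'enable password', 'username ... password' and VTY lines
that still accept Telnet, and decodes type 7 strings to show that
'service password-encryption' is reversible obfuscation, not hashing.
"""
import re

# The fixed key IOS uses for type 7 encoding; it has been public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Type 7 = two-digit key offset, then hex bytes each XORed with the key stream."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(body))


def _password_finding(what: str, ptype: str, value: str) -> str:
    if ptype == "7":
        return f"{what}: type 7 password, reversible (decodes to {decode_type7(value)!r})"
    return f"{what}: plaintext password (type {ptype})"


def audit(config: str) -> list[str]:
    """Return one finding per weak setting. Sub-mode lines are recognised by indentation, as in IOS output."""
    findings = []
    vty_transport = {}   # "line vty 0 4" -> protocol list from 'transport input', or None if absent
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line vty"):
            current = line
            vty_transport[current] = None
            continue
        if line.startswith("line ") or not raw.startswith(" "):
            current = None   # any other top-level command ends the vty block
        if current and line.startswith("transport input"):
            vty_transport[current] = line.split()[2:]
            continue
        m = re.match(r"enable password(?: ([07]))? (\S+)$", line)
        if m:
            findings.append(_password_finding("enable password", m.group(1) or "0", m.group(2))
                            + "; use 'enable secret'")
            continue
        m = re.match(r"username (\S+) (?:privilege \d+ )?password(?: ([07]))? (\S+)$", line)
        if m:
            findings.append(_password_finding(f"username {m.group(1)}", m.group(2) or "0", m.group(3))
                            + "; use 'username ... secret'")
    for name, protos in vty_transport.items():
        if protos is None:
            findings.append(f"{name}: no 'transport input' line; the platform default may accept telnet")
        elif protos != ["ssh"]:
            findings.append(f"{name}: 'transport input {' '.join(protos)}' permits cleartext telnet")
    return findings


# Constructed sample, not a real device's config.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable password 7 0822455D0A16
username admin privilege 15 password 7 0822455D0A16
username noc password 0 plain123
username ops secret 5 $1$abcd$NotARealHashJustASample
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 login local
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against saved show running-config output. The decoder is the reason a type 7 string in a shared config, backup or ticket counts as an exposed credential: anyone holding the text has the password.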
Authentication Levels & Permissions (AAA)
Use AAA when possible for centralized and more granular authentication/authorization.
Enable AAA with Local Database
configure terminal
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
exit
This enforces local-user login and applies user privilege after authentication.
External AAA Servers (RADIUS / TACACS+)
Configure the device to use external servers for authentication, falling back to other methods (like the local database) only if the server cannot be reached. A server that answers and rejects the credentials ends the attempt; the local database is not consulted in that case.
RADIUS Configuration
configure terminal
aaa new-model
# Try RADIUS first, then fall back to local database
aaa authentication login default group radius local
# Define RADIUS server and shared secret key (legacy syntax; newer IOS uses a radius server <name> block with address ipv4 <ip> and key <secret>)
radius-server host <ip_address>
radius-server key <secret_key>
exit
TACACS+ Configuration
configure terminal
aaa new-model
# Try TACACS+ first, then RADIUS, then local database
aaa authentication login default group tacacs+ group radius local
# Define TACACS+ server and shared secret key (legacy syntax; newer IOS uses a tacacs server <name> block with address ipv4 <ip> and key <secret>)
tacacs-server host <ip_address>
tacacs-server key <secret_key>
exit
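Added example (Python, not from these notes or from Cisco) modelling how a method list such as group tacacs+ local is walked, because the fallback is narrower than it looks: the next method is tried only when the current one returns an error (server unreachable or timed out), never when it rejects the credentials. The servers and user entries are constructed stand-ins; treating a user missing from the local database as an error (so the list continues) is how the local method is modelled here.

```python
"""Model how an IOS AAA method list walks its methods, to show what 'local' fallback does and does not cover.

Added example, not from the notes or from Cisco. The rule it models: the next
method in the list is consulted only when the current one returns ERROR
(server unreachable or timed out); a FAIL (server reached and rejected the
credentials) ends the list immediately. So 'group tacacs+ local' does not let
an operator log in with a local account when TACACS+ has said no. The servers
and users below are constructed stand-ins.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (unreachable server, unknown local user)


def run_method_list(methods, username, password):
    """Return (result, deciding_method). Mirrors 'aaa authentication login default <methods>'."""
    for name, method in methods:
        result = method(username, password)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, None   # every method errored: the login is denied


def make_server(reachable, users):
    """Stand-in for 'group tacacs+' / 'group radius'."""
    def method(username, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


LOCAL_USERS = {"net_admin": "local-pw"}      # 'username net_admin secret ...' (constructed)
TACACS_USERS = {"net_admin": "tacacs-pw"}    # what the AAA server knows (constructed)


def local(username, password):
    """Stand-in for the 'local' method, modelled as: unknown user -> ERROR (list continues), wrong password -> FAIL."""
    if username not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[username] == password else Result.FAIL


def login(tacacs_reachable, username, password):
    """'aaa authentication login default group tacacs+ local' with a reachable or dead TACACS+ server."""
    methods = [("tacacs+", make_server(tacacs_reachable, TACACS_USERS)), ("local", local)]
    return run_method_list(methods, username, password)


if __name__ == "__main__":
    for reachable, user, pw in [(True, "net_admin", "tacacs-pw"), (True, "net_admin", "local-pw"),
                                (False, "net_admin", "local-pw"), (False, "ghost", "x")]:
        result, method = login(reachable, user, pw)
        print(f"tacacs reachable={reachable} user={user}: {result.name} via {method}")
```

The second case is the one to remember: with the server up, the local password for net_admin is useless, which is the intended behaviour (local accounts are a break-glass path for server outages, not a second credential).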
Privilege Levels (0-15)
- 0: Very limited commands (e.g., disable, enable, logout)
- 1: User EXEC (default after login)
- 15: Full privileged EXEC
- 2-14: Custom levels for restricted operator roles
Assign Commands to Custom Privilege Levels
configure terminal
privilege exec level 5 show running-config
privilege exec level 5 show startup-config
privilege exec level 5 show ip interface brief
exit
With this, a user at level 5 can run selected diagnostic commands without full admin access.
Command Authorization by Privilege Level
configure terminal
aaa authorization commands 15 default local
exit
This checks every level-15 command against the configured method list. With the local method the check amounts to the user's privilege level; per-command policy (allowing or denying individual commands per user or group) needs a TACACS+ server (group tacacs+).
Configure Enable Password for Specific Levels
configure terminal
enable secret level 5 <password_for_level_5>
enable secret level 15 <password_for_level_15>
exit
Users can move between levels with enable <level> when permitted.
Restrict Remote Access by User Type (Example)
configure terminal
line vty 0 15
login local
transport input ssh
exit
exit
Pair this with local users at different privilege levels to control remote admin rights.
Verification
show running-config | section username
show privilege
show aaa servers # State and counters of the configured RADIUS/TACACS+ servers
Role-Based CLI Views (Fine-Grained Permissions)
For stricter command-level control than classic privilege levels. Views need aaa new-model and an enable secret, and enable view is a privileged EXEC command (it prompts for the enable secret), not a configuration command.
configure terminal
aaa new-model
aaa authentication login default local
enable secret <enable_secret>
exit
enable view # Enter the root view from privileged EXEC
configure terminal
parser view NOC-READONLY
secret <view_password>
commands exec include show ip interface brief
commands exec include show version
commands exec include show running-config
exit
username noc_view view NOC-READONLY secret <password>
exit
This allows a read-only role with only explicitly allowed commands. Verify with show parser view all.
System Administration
Global Setup
enable
configure terminal
hostname <new_hostname> # Set the hostname
no ip domain-lookup # Stop mistyped commands being treated as hostnames and resolved via DNS
exit
Saving Configuration
write
# or
copy running-config startup-config
Clock & NTP
# Set the clock manually (Privileged EXEC)
clock set HH:MM:SS DAY MONTH YEAR
# Example: clock set 14:30:00 14 November 2025
# Configure NTP
configure terminal
ntp server <ip> # Sync time from this server
ntp master # Act as authoritative time source; only where no upstream NTP exists (labs), otherwise devices sync to a local clock that may be wrong
exit
# Verification
show clock
show ntp status
show ntp associations
Syslog Configuration
configure terminal
logging host <ip>
logging trap <message_level>
# Levels: 0=emerg, 1=alert, 2=crit, 3=err, 4=warn, 5=notif, 6=info, 7=debug
# Add timestamps with millisecond precision
service timestamps log datetime msec
exit
show logging
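Added example (Python, not from these notes or from Cisco): the kind of detection a collector would run on the messages logging host ships. It parses the %FACILITY-SEVERITY-MNEMONIC format with the msec timestamps enabled above and raises alerts for repeated login failures from one source, anything at severity 2 or below (the port-security and BPDU guard events from the switching sections), configuration changes, and DHCP offers dropped on untrusted ports (the DHCP snooping section). The log lines are constructed in the IOS message format; timestamps, addresses and MACs are made up.

```python
"""Run simple detections over IOS syslog lines of the kind 'logging host' ships to a collector.

Added example, not from the notes or from Cisco: a parser for the
'%FACILITY-SEVERITY-MNEMONIC: text' format plus four detections (repeated
login failures from one source, any message at severity 2 or below,
configuration changes, and DHCP offers dropped on untrusted ports).
The log lines below are constructed in the IOS message format; the
timestamps, addresses and MACs are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

SEVERITY = {0: "emerg", 1: "alert", 2: "crit", 3: "err", 4: "warn", 5: "notif", 6: "info", 7: "debug"}

LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
LOGIN_RE = re.compile(r"\[user: ([^\]]+)\] \[Source: ([^\]]+)\]")


def parse(line):
    """Return a dict for an IOS-formatted line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S.%f")  # 'service timestamps log datetime msec'
    ev["sev"] = int(ev["sev"])
    return ev


def detect(lines, fail_threshold=3, window_s=60):
    """Return alert strings in the order the triggering lines were seen."""
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of recent LOGIN_FAILED
    flagged = set()                # sources already reported for brute force
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["sev"] <= 2:         # emerg/alert/crit always surface
            alerts.append(f"{SEVERITY[ev['sev']]}: {ev['facility']}-{ev['mnemonic']}: {ev['text']}")
        login = LOGIN_RE.search(ev["text"]) if ev["facility"] == "SEC_LOGIN" else None
        if login:
            user, src = login.groups()
            if ev["mnemonic"] == "LOGIN_FAILED":
                recent = [t for t in failures[src] if (ev["ts"] - t).total_seconds() <= window_s]
                recent.append(ev["ts"])
                failures[src] = recent
                if len(recent) >= fail_threshold and src not in flagged:
                    flagged.add(src)
                    alerts.append(f"brute force: {len(recent)} failed logins from {src} "
                                  f"within {window_s}s (last user {user!r})")
            elif ev["mnemonic"] == "LOGIN_SUCCESS" and src in flagged:
                alerts.append(f"login success for {user!r} from {src} after repeated failures")
        elif ev["mnemonic"] == "CONFIG_I":
            alerts.append(f"config change: {ev['text']}")
        elif ev["facility"] == "DHCP_SNOOPING" and "DHCPOFFER" in ev["text"]:
            alerts.append(f"rogue DHCP server: {ev['text']}")
    return alerts


# Constructed sample in IOS format (SEC_LOGIN lines need 'login on-failure log' / 'login on-success log').
SAMPLE_LOG = [
    "*Nov 14 14:31:02.115: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 14:31:02 UTC Fri Nov 14 2025",
    "*Nov 14 14:31:05.902: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 14:31:05 UTC Fri Nov 14 2025",
    "*Nov 14 14:31:09.331: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 14:31:09 UTC Fri Nov 14 2025",
    "*Nov 14 14:32:10.004: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] at 14:32:10 UTC Fri Nov 14 2025",
    "*Nov 14 14:35:44.120: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/10.",
    "*Nov 14 14:36:01.552: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/10 with BPDU Guard enabled. Disabling port.",
    "*Nov 14 14:36:01.560: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/10, putting Fa0/10 in err-disable state",
    "*Nov 14 14:40:12.007: %SYS-5-CONFIG_I: Configured from console by net_admin on vty0 (10.0.0.5)",
    "*Nov 14 14:41:00.100: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.6677",
    "not a syslog line",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The time-window logic only works because the device timestamps are synchronised (NTP above); without it the brute-force correlation across several devices falls apart.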
2. Interface Configuration
IPv4 Configuration
View Interfaces
show ip interface brief
Configure Router Interface
configure terminal
interface <interface_name>
description <description>
ip address <ip_address> <subnet_mask>
no shutdown
exit
exit
Configure Switch Interface (SVI)
configure terminal
interface vlan 1 # Management SVI; a dedicated management VLAN rather than VLAN 1 is preferable
description <description>
ip address <ip_address> <subnet_mask>
no shutdown
exit
ip default-gateway <gateway_ip> # Global command on a Layer 2 switch, not an interface command
exit
Remove IP Address
configure terminal
interface <interface_name>
no ip address
exit
IPv6 Configuration
Enable IPv6 Routing
configure terminal
ipv6 unicast-routing
exit
Configure Interface
configure terminal
interface <interface_name>
ipv6 address <ipv6_address>/<prefix_length>
no shutdown
exit
exit
Configure Interface (EUI-64)
configure terminal
interface <interface_name>
ipv6 address <ipv6_network>/<prefix_length> eui-64
no shutdown
exit
exit
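Added example (Python, not from these notes or from Cisco) showing what the eui-64 keyword computes: split the MAC, insert ff:fe, flip the universal/local bit, append to the /64 prefix. The reverse function is the security point: an EUI-64 address carries the interface's MAC to every peer and stays recognisable across prefixes, which is why privacy or random interface IDs are preferred for hosts. MAC addresses and prefix are constructed.

```python
"""Compute the EUI-64 interface identifier that 'ipv6 address <prefix>/64 eui-64' derives from the MAC.

Added example, not from the notes or from Cisco. Steps: split the 48-bit MAC
in half, insert ff:fe between the halves, flip the universal/local bit
(bit 1 of the first octet, mask 0x02). The reverse function shows why this
matters for security: an EUI-64 address carries the hardware MAC to every
peer, so the host is trackable across prefixes. MAC addresses are constructed.
"""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC (aa:bb:cc:dd:ee:ff, aa-bb-..., or Cisco aabb.ccdd.eeff) -> 8-byte modified EUI-64."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0] ^ 0x02                      # flip the U/L bit: burned-in MAC -> "universal" IID
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID, as the interface command does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr: str):
    """Recover the MAC (Cisco dotted format) from an EUI-64 address, or None if the IID is not EUI-64."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # flip the U/L bit back, drop ff:fe
    h = octets.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


if __name__ == "__main__":
    addr = eui64_address("2001:db8:1:2::/64", "0000.0c12.3456")
    print(addr, "->", mac_from_eui64(str(addr)))
```

Compare the printed address with show ipv6 interface on a router configured with the same MAC and prefix; the interface ID half will match.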
3. Switching (Layer 2)
VLANs & Trunking
Basic Commands
show vlan brief
Create VLANs
configure terminal
vlan <vlan_id>
name <vlan_name>
exit
Access Port
configure terminal
interface <interface_name>
switchport mode access
switchport access vlan <vlan_id>
exit
Range of Ports
configure terminal
interface range <interface_range> # e.g., fa0/3-4
switchport mode access
switchport access vlan <vlan_id>
exit
Trunk Port
configure terminal
interface <interface_name>
switchport trunk encapsulation dot1q # Needed on switches that also support ISL (many Layer 3 models); on 2960-class switches dot1q is the only option and the command does not exist
switchport mode trunk
switchport trunk allowed vlan <vlan_list> # Optional e.g., 5,7; prune the trunk to the VLANs that need it
exit
Ports that should never trunk get switchport mode access (see Access Port) so DTP cannot negotiate a trunk from whatever is plugged into them.
# Verify
show interfaces trunk
VTP (VLAN Trunk Protocol)
Synchronizes VLAN databases across switches over trunk links.
Modes: Server (create/modify/delete VLANs), Client (receives only), Transparent (forwards but doesn't apply).
Configuration
configure terminal
vtp domain <domain_name>
vtp mode <server/client/transparent>
vtp password <password>
vtp version <1/2/3>
exit
Verification
show vtp status
show vtp counters
show vtp password
Reset VTP Revision Number
A switch joining the domain with a higher configuration revision number overwrites the VLAN database on every other switch, servers included, and a matching VTP password does not prevent this. Before connecting a previously used switch, reset its revision to 0: set it to transparent and back to client/server, or delete vlan.dat.
# Method 1: Mode toggle
configure terminal
vtp mode transparent
vtp mode client
exit
# Method 2: Delete VLAN database (privileged EXEC)
delete flash:vlan.dat
reload
MAC Address Table
show mac address-table
clear mac address-table dynamic
Spanning Tree Protocol (STP)
Verification
show spanning-tree
show spanning-tree vlan <vlan_id>
Root Bridge Configuration
configure terminal
# Primary root: sets priority to 24576, or 4096 below the current root if that root is already lower than 24576
spanning-tree vlan <vlan_id> root primary
# Secondary root: sets priority to 28672
spanning-tree vlan <vlan_id> root secondary
# Manual priority (multiple of 4096; default 32768; lowest wins)
spanning-tree vlan <vlan_id> priority <priority_value>
exit
PortFast & BPDU Guard
configure terminal
interface fa0/10
spanning-tree portfast # Access port with an end host: skip listening/learning
spanning-tree bpduguard enable # Err-disable the port if a BPDU arrives (a switch plugged into an access port)
exit
exit
Recover an err-disabled port with shutdown / no shutdown, or let errdisable recovery cause bpduguard re-enable it after the recovery interval.
EtherChannel (Port-Channel)
Configuration Modes
PAgP (Cisco proprietary): desirable (actively negotiates) / auto (responds only); auto-auto never forms a bundle
LACP (IEEE 802.3ad): active / passive; passive-passive never forms a bundle
on: no negotiation; both ends must use on, and speed, duplex and VLAN settings must match on every member port
configure terminal
interface range fa0/1-3
channel-group 1 mode <desirable/auto/active/passive>
exit
interface port-channel 1
switchport mode trunk
exit
exit
# Verify
show interface port-channel 1
show etherchannel summary
Port Security
configure terminal
interface <interface_name>
switchport mode access
switchport port-security
# Max MACs (default 1)
switchport port-security maximum <number>
# Violation mode (shutdown, protect, restrict)
switchport port-security violation shutdown
# Learn MACs dynamically (sticky)
switchport port-security mac-address sticky
exit
exit
# Verify
show port-security interface <interface_name>
# Reset interface after violation
configure terminal
interface <interface_name>
shutdown
no shutdown
exit
4. Routing (Layer 3)
Basic Routing Commands
show ip route
Static Routing
Static Route
configure terminal
ip route <network> <mask> <next_hop_ip_or_interface> [AD] # AD = administrative distance; a higher value makes a floating backup route
# Example: ip route 192.168.1.0 255.255.255.0 192.168.30.1
Default Static Route
configure terminal
ip route 0.0.0.0 0.0.0.0 <next_hop_ip>
Inter-VLAN Routing
Router-on-a-Stick (ROAS)
configure terminal
interface <interface_name>.<vlan_id>
encapsulation dot1q <vlan_id>
ip address <ip_address> <subnet_mask>
exit
# Don't forget to enable physical interface
interface <interface_name>
no shutdown
exit
exit
Layer 3 Switch
configure terminal
ip routing # Enable routing globally
# Routed Port (Physical L3 interface)
interface <interface_name>
no switchport
ip address <ip_address> <subnet_mask>
exit
# SVI (Virtual L3 interface for VLAN)
interface vlan <vlan_id>
ip address <ip_address> <subnet_mask>
exit
# Trunk on switch side
interface <interface_name>
switchport trunk encapsulation dot1q
switchport mode trunk
exit
exit
RIPv2
configure terminal
router rip
version 2
network <network_address>
default-information originate # Propagate default route
exit
exit
OSPF
Basic Configuration
configure terminal
router ospf 1
# Explicit ID (recommended)
router-id 1.1.1.1
# Network advertisements
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 1
exit
# Loopback for stability
interface loopback 1
ip address 192.168.3.1 255.255.255.255
exit
exit
# Verify
show ip ospf neighbor
show ip ospf database
OSPF Default Route Propagation
configure terminal
router ospf 1
default-information originate
exit
exit
OSPF Authentication (MD5)
Authenticates routing updates so a rogue router on the segment cannot inject routes. MD5 is the CCNA-era method; newer IOS also supports HMAC-SHA via ip ospf authentication key-chain, which is preferable where available. Every router on the segment needs the same key ID and key.
configure terminal
router ospf 1
# Enable MD5 authentication for the area
area 0 authentication message-digest
exit
# Configure the key on the interface
interface <interface_name>
ip ospf message-digest-key 1 md5 <password>
exit
exit
Virtual Link (Connecting a Remote Area to Area 0)
A virtual link carries area 0 across a transit area when an area has no direct connection to the backbone. Configure it on both ABRs, each pointing at the other's router ID; the transit area must not be a stub area.
configure terminal
router ospf 1
area <transit_area_id> virtual-link <router_id_of_other_ABR>
exit
exit
# Verify
show ip ospf virtual-links
EIGRP
Basic Configuration
configure terminal
router eigrp <as_number>
# Explicit Router ID (recommended)
eigrp router-id 1.1.1.1
# Advertise networks
network <network_address> <wildcard_mask>
# Example: network 192.168.1.0 0.0.0.255
# Disable auto-summary (recommended for classless routing)
no auto-summary
# Passive interface (no hellos or adjacencies on this link; its network is still advertised)
passive-interface <interface_name>
exit
exit
# Verify
show ip eigrp neighbors
show ip eigrp topology
show ip route eigrp
Authentication
configure terminal
# Create key chain
key chain <chain_name>
key 1
key-string <password>
exit
exit
# Apply to interface
interface <interface_name>
ip authentication mode eigrp <as_number> md5
ip authentication key-chain eigrp <as_number> <chain_name>
exit
exit
Redistribution
Redistribute Static Routes into EIGRP
configure terminal
router eigrp <as_number>
redistribute static
exit
exit
Redistribute OSPF into EIGRP
configure terminal
router eigrp <as_number>
redistribute ospf <ospf_process_id> metric <bandwidth_kbps> <delay_10us> <reliability_1-255> <load_1-255> <mtu_bytes>
# Example: redistribute ospf 1 metric 10000 100 255 1 1500 (classic EIGRP needs this seed metric or a default-metric; without it the OSPF routes are not redistributed)
exit
exit
Redistribute EIGRP into OSPF
configure terminal
router ospf <ospf_process_id>
redistribute eigrp <as_number> subnets
exit
exit
Redistribute RIP into EIGRP
configure terminal
router eigrp <as_number>
redistribute rip metric <bandwidth> <delay> <reliability> <load> <mtu>
# Example: redistribute rip metric 10000 100 255 1 1500
exit
exit
Redistribute Default Route
configure terminal
router eigrp <as_number>
redistribute static
exit
ip route 0.0.0.0 0.0.0.0 <next_hop_ip>
exit
Scenario: Multi-Router RIP Config (R1-R2-R3)
Example configs for a three-router chain (each interface also needs no shutdown).
R1 (Edge 1)
interface Fa0/0
ip address 192.168.1.254 255.255.255.0
interface Se0/0/0
ip address 192.168.2.1 255.255.255.0
router rip
version 2
network 192.168.1.0
network 192.168.2.0
R2 (Middle)
interface Se0/0/0
ip address 192.168.2.2 255.255.255.0
interface Se0/0/1
ip address 192.168.3.1 255.255.255.0
router rip
version 2
network 192.168.2.0
network 192.168.3.0
R3 (Edge 2)
interface Fa0/0
ip address 192.168.4.254 255.255.255.0
interface Se0/0/1
ip address 192.168.3.2 255.255.255.0
router rip
version 2
network 192.168.3.0
network 192.168.4.0
BGP
Basic BGP Setup
BGP is used between autonomous systems. Use iBGP for peers inside the same AS and eBGP for peers in different ASes.
Setup Instructions
- Assign reachable IP addresses to the interfaces used for peering.
- Add loopbacks if you want stable router IDs or loopback-based peering.
- Make sure routes you want to advertise already exist in the routing table before using network statements.
- Use next-hop-self for iBGP neighbors when needed so internal peers can reach the advertised next hop.
- If peering over loopbacks, configure update-source loopback and, for eBGP, ebgp-multihop if required.
- Verify with show ip bgp summary and show ip bgp neighbors.
Generic BGP Template
configure terminal
router bgp <local_as>
bgp router-id <router_id>
neighbor <peer_ip> remote-as <peer_as>
neighbor <peer_ip> update-source loopback1
# For iBGP peers, advertise the next hop from this router if needed
neighbor <ibgp_peer_ip> next-hop-self
# Advertise only prefixes that already exist in the routing table
network <prefix> mask <subnet_mask>
network <prefix> mask <subnet_mask>
exit
exit
Common BGP Notes
show ip bgp summary
show ip bgp
show ip bgp neighbors
show ip route bgp
network statements do not create routes by themselves. The prefix must already be present in the routing table for BGP to advertise it.
Authenticate each session with neighbor <peer_ip> password <secret> (TCP MD5) and filter what is accepted and advertised, at minimum with a prefix list per neighbor; an unfiltered eBGP peer can inject arbitrary prefixes.
If you need a quick lab pattern, use one AS for internal routers and a second AS for the edge router or upstream peer.
Policy-Based Routing (PBR)
Used to override the routing table and direct traffic based on specific policies (e.g., source IP, destination IP, protocol).
configure terminal
# 1. Create an ACL to match the interesting traffic
access-list 105 permit ip host 192.168.13.1 host 4.4.4.4
# 2. Create a route-map to set the next-hop for matching traffic
route-map <map_name> permit 10
match ip address 105
set ip next-hop 192.168.35.2
exit
# 3. Apply the route-map to the interface where the traffic enters (traffic generated by the router itself needs ip local policy route-map instead)
interface <interface_name>
ip policy route-map <map_name>
exit
exit
# Verify
show route-map
show ip policy
5. Network Services
DHCP (Dynamic Host Configuration Protocol)
DHCP Server (Pool)
configure terminal
# Exclude addresses first
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool <name>
network <network_address> <subnet_mask>
default-router <gateway_ip>
dns-server <dns_server_ip>
exit
exit
DHCP Client
Used when the router interface needs to get an IP from an ISP/WAN.
configure terminal
interface Fa0/0
ip address dhcp
no shutdown
exit
exit
DHCP Helper (Relay)
Forward DHCP broadcasts from LAN to a server on a different subnet.
configure terminal
interface Fa0/0
ip helper-address <dhcp_server_ip>
exit
exit
DHCP Verification
show ip dhcp binding
clear ip dhcp binding <ip_address>
DHCP Snooping (Security)
Drops DHCP server messages (OFFER/ACK) arriving on untrusted ports, so a rogue DHCP server cannot hand clients a malicious gateway or DNS server. Trusted ports = uplinks toward the real server. Untrusted = client ports (the default).
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 1 # Enable for every VLAN that has DHCP clients
# Trust the uplink toward the legitimate DHCP server
interface Fa0/0
ip dhcp snooping trust
exit
# Optional: persist the binding table across reloads
# ip dhcp snooping database flash:dhcp_snoop.db
# If clients stop getting leases after enabling snooping, the server or relay may be rejecting the inserted option 82; no ip dhcp snooping information option turns the insertion off
exit
# Verify
show ip dhcp snooping
show ip dhcp snooping binding
NAT (Network Address Translation)
Interface Roles
interface <wan_interface>
ip nat outside
interface <lan_interface>
ip nat inside
PAT (Overload)
# 1. Create ACL matching traffic to translate (multiple statements allowed)
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
# 2. Apply NAT Overload
ip nat inside source list 1 interface <wan_interface> overload
Verify NAT
show ip nat translations
show ip nat statistics
ACLs (Access Control Lists)
Entries are evaluated top-down and the first match wins; every ACL ends with an implicit deny any, so an ACL containing only deny statements blocks everything. Place standard ACLs close to the destination and extended ACLs close to the source.
Standard ACL (1-99, expanded range 1300-1999)
Filters on source IP only.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny host 10.1.1.1
Extended ACL (100-199, expanded range 2000-2699)
Filters on protocol, source, destination and port.
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.5 eq 80
access-list 100 deny ip any any # Explicit form of the implicit deny; append log to see what is being dropped
Apply to Interface
interface <interface_name>
ip access-group <acl_number> <in/out>
Verify ACLs
show access-lists
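Added example (Python, not from these notes or from Cisco): an evaluator that applies numbered ACLs the way IOS does, top-down, first match wins, implicit deny at the end, and a check for entries that can never match because an earlier line already covers them. It accepts the standard and extended forms used above (host, any, wildcard masks, eq <port>). The ACL lines and test packets are constructed.

```python
"""Evaluate numbered IPv4 ACLs the way IOS does: top-down, first match wins, implicit deny at the end.

Added example, not from the notes or from Cisco. It parses the standard
(1-99, 1300-1999) and extended (100-199, 2000-2699) 'access-list' forms used
above, including host, any, wildcard masks and 'eq <port>', then runs packets
through them. ACL lines and packets are constructed for the example.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)                       # network 0, wildcard all-ones: every bit is "don't care"
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "https": 443}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tok, i):
    """Consume an address spec at tok[i]; return ((network, wildcard), next_index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok):
        try:                                    # explicit wildcard mask follows the address
            return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
        except ValueError:
            pass
    return (_ip(tok[i]), 0), i + 1              # bare address: wildcard 0.0.0.0 (standard ACL shorthand)


def _match(spec, ip):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF                   # wildcard 1-bits are ignored, 0-bits must match
    return (_ip(ip) & care) == (net & care)


def _covers(a, b):
    """Does spec a match every address spec b matches? a's cared-for bits are a subset of b's and agree there."""
    (na, wa), (nb, wb) = a, b
    care_a, care_b = ~wa & 0xFFFFFFFF, ~wb & 0xFFFFFFFF
    return (care_a & ~care_b) == 0 and (na & care_a) == (nb & care_a)


def parse_acl(lines):
    """Return {acl_number: [entry, ...]}; entry = dict(action, proto, src, dst, dport)."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        num, action = int(tok[1]), tok[2]
        if num <= 99 or 1300 <= num <= 1999:            # standard: source address only
            src, _ = _addr_spec(tok, 3)
            entry = dict(action=action, proto="ip", src=src, dst=ANY, dport=None)
        else:                                           # extended: protocol, source, destination, port
            src, i = _addr_spec(tok, 4)
            dst, i = _addr_spec(tok, i)
            dport = None
            if i + 1 < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            entry = dict(action=action, proto=tok[3], src=src, dst=dst, dport=dport)
        acls.setdefault(num, []).append(entry)
    return acls


def evaluate(entries, src, dst, proto="ip", dport=None):
    """Return 'permit' or 'deny' for one packet; no explicit match means the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not _match(e["src"], src) or not _match(e["dst"], dst):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


def shadowed(entries):
    """Indices of entries that can never match because an earlier entry already decides their whole space."""
    out = []
    for j, b in enumerate(entries):
        for a in entries[:j]:
            proto_ok = a["proto"] == "ip" or a["proto"] == b["proto"]
            port_ok = a["dport"] is None or a["dport"] == b["dport"]
            if proto_ok and port_ok and _covers(a["src"], b["src"]) and _covers(a["dst"], b["dst"]):
                out.append(j)
                break
    return out


# Constructed: the two ACLs from the section above.
SAMPLE_ACLS = [
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 deny host 10.1.1.1",
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.5 eq 80",
    "access-list 100 deny ip any any",
]

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_ACLS)
    print(evaluate(acls[100], "192.168.1.10", "10.1.1.5", "tcp", 80))
    print(evaluate(acls[100], "192.168.1.10", "10.1.1.5", "tcp", 443))
```

shadowed() catches the classic mistake of putting deny ip any any first: IOS accepts the ACL, show access-lists shows zero matches on every later line, and nothing in the log says why.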
HSRP (Redundancy)
Active Router (Higher Priority)
interface Fa0/0
standby 10 ip 192.168.1.100
standby 10 priority 200
standby 10 preempt
Standby Router
interface Fa0/0
standby 10 ip 192.168.1.100
standby 10 priority 100
Verify: show standby
6. Miscellaneous & Lab Tools
Simple Python HTTP Server
Serves files from the current directory.
sudo python3 -m http.server 80
Dnsmasq (Simple DNS Server)
no-resolv
no-poll
listen-address=127.0.0.1
listen-address=192.168.50.100
address=/cisco.com/192.168.50.225
Cisco Packet Tracer Servers
Service Setup
DNS: Create A records (IPs) and MX records (Email).
Email: Enable SMTP/POP3, set domain, create users.
HTTP: Edit index.html.
FTP: Create users with permissions (R/W/D/L).
FTP Client Commands (PC)
ftp <server_ip>
dir # List files
put <filename> # Upload
get <filename> # Download
quit
7. Recent Lab Topics
IOS Image Backup and Recovery via TFTP
Backup IOS from Router Flash to TFTP Server
enable
show ip interface brief
dir flash:
# Copy image from flash to TFTP server
copy flash: tftp:
# Source filename: <ios_image.bin>
# Address or name of remote host: <tftp_server_ip>
Recover IOS from ROMMON with TFTP
Use this when the IOS image is missing/corrupted and router boots to ROMMON.
# In ROMMON mode
IP_ADDRESS=<router_ip>
IP_SUBNET_MASK=<mask>
DEFAULT_GATEWAY=<gateway_ip>
TFTP_SERVER=<tftp_server_ip>
TFTP_FILE=<ios_image.bin>
tftpdnld
After transfer completes, set boot variable (if needed) and reload.
Password Recovery (Config Register Workflow)
Config register 0x2142 makes the router ignore startup-config at boot, so the running-config holds no credentials and whoever is on the console lands in privileged EXEC. This is why console access must be physically controlled: console access is full control of the device.
# 1) Send a break during boot to enter ROMMON
confreg 0x2142
reset
# 2) After boot, skip the setup dialog, enter privileged mode and restore the saved config
enable
copy startup-config running-config
# Interfaces come back administratively down; no shutdown each one that should be up
# 3) Set new credentials and restore the normal boot register
configure terminal
username <username> secret <new_password>
enable secret <new_enable_secret>
config-register 0x2102
exit
write
reload
Verification:
show version | include register
show running-config | section username
PPP Authentication (PAP and CHAP)
PAP
PAP uses a two-way handshake and sends the username and password in clear text. Each router stores, under the peer's hostname, the password that peer will send: the password in R1's username R2 line must equal the one in R2's ppp pap sent-username line, and vice versa.
# R1
configure terminal
hostname R1
username R2 password <r2_password> # What R2 sends
interface Se0/0/0
encapsulation ppp
ip address 192.168.1.254 255.255.255.0
ppp authentication pap
ppp pap sent-username R1 password <r1_password> # What R1 sends
no shutdown
exit
exit
# R2
configure terminal
hostname R2
username R1 password <r1_password> # What R1 sends
interface Se0/0/0
encapsulation ppp
ip address 192.168.1.253 255.255.255.0
ppp authentication pap
ppp pap sent-username R2 password <r2_password> # What R2 sends
no shutdown
exit
exit
CHAP
CHAP is preferred over PAP because it uses a challenge-response: only an MD5 hash of the shared secret and a random challenge crosses the link, never the secret itself. Both routers must store the same secret under the other's hostname (username R2 ... on R1, username R1 ... on R2); with a mismatch the interface stays line protocol down.
# R1
configure terminal
hostname R1
username R2 password <shared_secret>
interface Se0/0/0
encapsulation ppp
ip address 192.168.1.254 255.255.255.0
ppp authentication chap
no shutdown
exit
exit
# R2
configure terminal
hostname R2
username R1 password <shared_secret>
interface Se0/0/0
encapsulation ppp
ip address 192.168.1.253 255.255.255.0
ppp authentication chap
no shutdown
exit
exit
Verification:
show interfaces serial 0/0/0
show ppp all
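Added example (Python, not from these notes or from Cisco) exchanging PAP and CHAP between two router objects set up like R1 and R2 above. The CHAP response is computed as RFC 1994 specifies, MD5(identifier || secret || challenge), and the authenticator recomputes it from the secret it stores under the peer's hostname. A sniffer check on the exchanged messages shows the PAP password in clear and nothing usable in the CHAP exchange. Hostnames, secrets and the challenge are constructed.

```python
"""PAP versus CHAP as the two routers above would exchange them, with CHAP computed per RFC 1994.

Added example, not from the notes or from Cisco. PAP sends the username and
password in clear; CHAP sends only MD5(identifier || secret || challenge), and
the authenticator recomputes it from the secret it holds under the peer's
hostname, which is what the 'username <peer> password <shared_secret>' lines
provide. Hostnames, secrets and the challenge are constructed.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class PppRouter:
    def __init__(self, hostname, users, pap_sent=None):
        self.hostname = hostname
        self.users = users          # 'username <peer> password <pw>' entries
        self.pap_sent = pap_sent    # 'ppp pap sent-username <name> password <pw>'

    # PAP: the peer pushes its credentials, the authenticator compares them in clear.
    def pap_authenticate_request(self):
        name, password = self.pap_sent
        return {"type": "PAP-Authenticate-Request", "peer_id": name, "password": password}

    def pap_check(self, req):
        return self.users.get(req["peer_id"]) == req["password"]

    # CHAP: the authenticator challenges; the peer answers with a hash, never the secret.
    def chap_challenge(self, identifier, challenge=None):
        return {"type": "CHAP-Challenge", "id": identifier, "name": self.hostname,
                "challenge": challenge if challenge is not None else os.urandom(16)}

    def chap_respond(self, chal):
        secret = self.users.get(chal["name"])           # secret stored under the challenger's hostname
        if secret is None:
            return None                                  # no 'username <challenger>' line: cannot answer
        return {"type": "CHAP-Response", "id": chal["id"], "name": self.hostname,
                "response": chap_response(chal["id"], secret, chal["challenge"])}

    def chap_verify(self, chal, resp):
        secret = self.users.get(resp["name"]) if resp else None
        if secret is None:
            return False
        expected = chap_response(chal["id"], secret, chal["challenge"])
        return hmac.compare_digest(expected, resp["response"])


def pap_exchange(authenticator, peer):
    """Return (authenticated, messages seen on the link)."""
    req = peer.pap_authenticate_request()
    return authenticator.pap_check(req), [req]


def chap_exchange(authenticator, peer, identifier=1, challenge=None):
    """Return (authenticated, messages seen on the link)."""
    chal = authenticator.chap_challenge(identifier, challenge)
    resp = peer.chap_respond(chal)
    return authenticator.chap_verify(chal, resp), [chal, resp]


def secret_on_wire(messages, secret):
    """Would a sniffer on the serial link see the secret itself?"""
    for msg in messages:
        for value in (msg or {}).values():
            if isinstance(value, str) and secret in value:
                return True
            if isinstance(value, bytes) and secret.encode() in value:
                return True
    return False


if __name__ == "__main__":
    r1 = PppRouter("R1", {"R2": "s3cret"}, pap_sent=("R1", "s3cret"))   # constructed
    r2 = PppRouter("R2", {"R1": "s3cret"}, pap_sent=("R2", "s3cret"))   # constructed
    ok, wire = pap_exchange(r1, r2)
    print("PAP ok:", ok, "secret visible:", secret_on_wire(wire, "s3cret"))
    ok, wire = chap_exchange(r1, r2)
    print("CHAP ok:", ok, "secret visible:", secret_on_wire(wire, "s3cret"))
```

CHAP still depends on MD5 and on the shared secret's strength: anyone who captures a challenge and response can test candidate secrets offline, so the secret has to be long and random, not a word.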
VTP Client/Server Lab Pattern
Server Switch (Creates VLANs)
configure terminal
hostname S2
vtp domain cisco
vtp mode server
vlan 10
name vlanA
exit
vlan 20
name vlanB
exit
interface Fa0/1
switchport trunk encapsulation dot1q
switchport mode trunk
no shutdown
exit
exit
Client Switch (Learns VLANs)
configure terminal
hostname S1
vtp domain cisco
vtp mode client
interface Fa0/3
switchport trunk encapsulation dot1q
switchport mode trunk
exit
interface Fa0/1
switchport mode access
switchport access vlan 10
exit
interface Fa0/2
switchport mode access
switchport access vlan 20
exit
exit
Verification:
show vtp status
show vlan brief
show interfaces trunk
NAT Overload with OSPF Default Advertisement
Useful when an edge router performs PAT and injects default route to OSPF.
configure terminal
access-list 1 permit 192.168.20.0 0.0.0.255 # Must list every inside source network to translate (here a subnet behind Gi0/0; add 192.168.4.0/24 as well if hosts there need NAT)
interface Gi0/0
ip address 192.168.4.3 255.255.255.0
ip nat inside
no shutdown
exit
interface Gi0/1
ip address 192.168.2.11 255.255.255.0
ip nat outside
no shutdown
exit
ip nat inside source list 1 interface Gi0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.254
router ospf 1
router-id 3.3.3.3
network 192.168.4.0 0.0.0.255 area 0
default-information originate
exit
exit
Verification:
show ip nat translations
show ip route ospf
show ip ospf database external
Cisco CME Basic VoIP Lab (RIP + DHCP Option 150)
Core pieces: routed connectivity, DHCP voice pool, telephony-service, ephone-dn, and dial-peers.
# Routing and voice DHCP (example for Site A)
configure terminal
interface Fa0/0
ip address 192.168.2.1 255.255.255.0
no shutdown
exit
interface Fa0/1
ip address 192.168.1.254 255.255.255.0
no shutdown
exit
router rip
version 2
network 192.168.1.0
network 192.168.2.0
exit
ip dhcp pool VOIP_A
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
option 150 ip 192.168.1.254
exit
exit
# CME and dial-peer (example for Site A)
configure terminal
telephony-service
max-dn 5
max-ephones 5
ip source-address 192.168.1.254 port 2000
auto assign 1 to 5
exit
ephone-dn 1
number 54001
exit
ephone-dn 2
number 54002
exit
dial-peer voice 1 voip
destination-pattern 6400.
session target ipv4:192.168.2.2
exit
exit
Switch access ports for IP phones:
configure terminal
interface range Fa0/1-3
switchport mode access
switchport voice vlan 1
exit
exit
Verification:
show ip dhcp binding
show ephone registered
show dial-peer voice summary