CCIE by Mind Map: CCIE

CCIE

Layer 2

LAN

Trunk Interfaces, Trunk Mode, Dynamic ?, Y, Change state conform request. Send DTP ?, Y, switchport mode dynamic desirable, Default mode, N, switchport mode dynamic auto, N, DON'T change state conform request. Send DTP ?, Y, switchport mode trunk, Not allowed if interface is in "Auto" encapsulation, N, switchport nonegotiate, Don't work:, auto - auto, auto - nonegotiate, desirable - nonegotiate, Trunk Encapsulation, Dynamic?, Y, switchport trunk encapsulation negotiate, Default mode, N, Proprietary?, Y, switchport trunk encapsulation isl, N, switchport trunk encapsulation dot1q

Etherchannel, Modes, Dynamic ?, Y, Cisco proprietary ?, Y (Cisco PAgP), Start negotiation ?, Y, mode desirable, N, mode auto, N (IEEE LACP), Start negotiation ?, Y, mode active, N, mode passive, N, mode on, Configuration, interface range <first-if> <last-if>, shutdown, [switchport | no switchport], channel-group <channel-number> mode [on | desirable | auto | active | passive], interface port-channel <channel-number>, switchport mode [access | trunk], ... other configurations ..., no shutdown, interface range <first-if> <last-if>, no shutdown

FlexLinks, Link level redundancy, Alternative to STP, Automatically disables STP, Configuration, interface <active-interface-L2>, switchport backup interface <backup-interface-L2>, switchport backup interface <backup-interface-L2> preemption mode [forced | bandwidth | off], Forced = Active transmit always, Bandwidth = Higher bandwidth wins, Off = No preemption, switchport backup interface <backup-interface-L2> preemption delay <msec>

Spanning Tree, STP (802.1d), Cisco PVST+, Port states, Disabled, Listening, Learning, Forwarding, Blocking, Rules, One root per topology, One Designated switch per segment, Root is always Designated, Redundant ports in backup, Port Roles, Root port, Port towards the root, Only one per switch, Designated Port, Port of the Designated switch, Only one per segment, Blocked Port, To prevent loop, One for each loop, BPDU Types, Configuration BPDU (C-BPDU), Generated by Root, Each switch regenerates, Topology change (TCN-BPDU), Sent towards Root, Elections, Root bridge, New connected switch says: "I'm the Root", BPDU with Local ID = Root ID, If receives better Bridge ID, learn it., Lower priority or lower MAC, spanning-tree vlan <vlan-range> priority <priority-value>, spanning-tree vlan <vlan-range> root [primary | secondary], OR, Root port, Port with lowest path cost to the root, Path cost = Port cost + Port cost + ... + Port cost, (if)# spanning-tree [vlan <vlan-range>] cost <cost-value>, Bandwidth related, 10M = 100, 100M = 19, 1G = 4, OR, Designated port, Port with lowest path cost to the root, Tie: Lowest bridge-ID, Tie: Lowest port priority (received from neighbor), port priority = priority (received from neighbor && local port number), (if)# spanning-tree [vlan <vlan-range>] port-priority <priority-value>, All root bridge ports are Designated ports, Influence Designated/Blocked interface, Configuring Root-side switch?, Y, port-priority, N, Path cost, Rapid STP (802.1w), Cisco Rapid PVST+, spanning-tree mode rapid-pvst, Standardize BackboneFast, UplinkFast, PortFast, Port states, Discarding, Learning, Forwarding, Blocking, Port Roles, Root, Designated, Alternate, Alternate path to root, Backup, Backup for an identical link, Disabled, No STP, Blocked, MST (802.1s), Automatically enables RSTP, Enable MST, spanning-tree mode mst, spanning-tree mst configuration, name <name>, revision <revision-number>, Create MST instances and map VLAN to instance, instance <id> vlan <vlan-range>, Define root, cost, priority, spanning-tree mst <instance> root [primary | secondary], spanning-tree mst <instance> port-priority <priority>, spanning-tree mst <instance> cost <cost>, Features, Can be enabled on PVST+, rapid PVST+ and MST, Port Fast, Bypass listening and learning states, spanning-tree portfast default, (if) spanning-tree portfast, BPDU Guard, spanning-tree portfast bpduguard default, Only enables on PortFast interfaces, (if) spanning-tree bpduguard enable, Enable BPDU Guard independent of PortFast, BPDU Filtering, spanning-tree portfast bpdufilter default, Only enables on PortFast interfaces, If interface receives BPDU, PortFast is disabled, so BPDU filter is also disabled, (if) spanning-tree bpdufilter enable, Enable BPDU Filter independent of PortFast, Root Guard, (if) spanning-tree guard root, Don't allow root election from this interface, Loop Guard, Avoid loops due to unidirectional links, spanning-tree loopguard default, (if) spanning-tree guard loop, Can be enabled on PVST+, Backbone Fast, spanning-tree backbonefast, Detect indirect failures (receives inferior BPDU), Bypass listening and learning states, Uplink Fast, spanning-tree uplinkfast, Detect direct failures, 1 to 5 seconds, Bypass listening and learning states

UDLD, modes, normal, Fiber optics only, aggressive, (if)# udld enable, (if)# udld port aggressive, Fiber and copper interfaces, Puts interface in errdisable mode, Recovery, errdisable recovery cause udld, errdisable recovery interval <seconds>

WAN

PPP over Frame-relay, interface Virtual-Template <if>, ip unnumbered <interface>, encapsulation ppp, CHAP, ppp authentication chap, ppp chap username <usernameB>, ppp chap password <passwordB>, PAP, ppp authentication pap, ppp pap sent-username <usernameB> password <passwordB>, username <usernameA> password <passwordA>, interface <Serial>, encapsulation frame-relay, frame-relay interface-dlci <dlci> ppp Virtual-Template <if>, Multilink, interface Multilink, ppp multilink, ppp multilink group <num>, interface Virtual-Template, ppp multilink group <num>

IGP and PBR

EIGRP

Administrative Distance, router eigrp <as>, distance <ad> <source-IP> <source-wildcard> <acl>, Doesn't match external prefixes, only internal, Set the neighbor, don't leave it as any (0.0.0.0 255.255.255.255), distance eigrp <internal-ad> <external-ad>, Changes all routes, can't be selective

Metric, BW-Metric = 10.000.000/interface-BW(kbps), Delay-Metric = sum [delays (tens of us)] * 256, Metric = BW-Metric + Delay-Metric

Load Balance, Proportional to metrics, Range = Variance multiplier, router eigrp <eigrp-as>, variance <multiplier>

Neighbors, passive-interface <interface>, Disable send and receive hellos on interface, Neighbors don't establish, neighbor <ip-addr> <interface>, Suppress multicast hellos on the interface, Send unicast hellos

RIP

Basic config, router rip, version 2, no auto-summary, passive-interface default, network <classful-network>

Destination Format, Multicast, Default, 224.0.0.9, Unicast, neighbor <neighbor-ip>, passive-interface <interface>, Disable multicast, Still listen to updates, don't send, Broadcast, ip rip v2-broadcast

Filtering, Distribute List, distribute-list <acl> [in | out] <interface>, acl, deny = not send / not receive, permit = send / receive, Remember implicit deny any any, Offset List, offset-list <acl> [in | out] <additive-metric>, Metric 16 means invalid route, acl, permit = change, deny = don't change, Administrative Distance, distance <adm-distance> <source-ip> <source-wildcard> <acl>, Administrative Distance 255 means invalid route, source-ip = RIP Neighbor IP, acl, permit = set this <adm-distance>

Authentication, interface <if>, ip rip authentication key-chain <key-chain>, ip rip authentication mode [text | md5]

Default route, router rip, default-information originate, Conditional, Only send default route if there is a specific prefix in route table, router rip, default-information originate route-map <condition-route-map>, route-map <condition-route-map>, match ip address <specific-prefix-acl>

Summarization, interface <if>, ip summary-address rip <summary-ip> <mask>

OSPF

Basic config, Router process, router ospf <process-id>, network <ip-address> <wildcard-mask> area <area-id>, Interface, interface <if>, ip ospf <process-id> area <area-id>

Network types, Elects DR/BDR ?, Y, Use multicast ?, Y, BROADCAST, N, NON-BROADCAST, Don't change the next-hop, Generates Network LSA (DR router), N, Use multicast ?, Y, Collection of pt-to-pt ?, Y, POINT-TO-MULTIPOINT, N, POINT-TO-POINT, N, POINT-TO-MULTIPOINT NON-BROADCAST, Configuration, ip ospf network <type>, ip ospf priority <priority-value>, Higher priority wins DR election, Priority 0 doesn't allow the router to be DR; remove neighbor command., Default Types by interface, Frame-Relay, Physical, NON-BROADCAST, Multipoint sub-if, NON-BROADCAST, Point-to-point sub-if, POINT-TO-POINT, Ethernet, BROADCAST, Loopback, LOOPBACK, Always announce IP as /32, To announce the real mask change it to POINT-TO-POINT, Tunnel, POINT-TO-POINT

Area types, LSAs, Type 1, Router, Type 2, Network, DR, Type 3, Summary, ABR, Type 4, ASBR Summary, Route to the ASBR, Type 5, External, ASBR, Type 7, NSSA External, Derived from a Type 5, Totally Stub or Totally NSSA (5 -> 7), Stub or NSSA (5 -> 7), Stub, Stub, area <area-id> stub, Block type 5, Inject default route, All routers must be configured stub, No ASBR, No Virtual-Links, Totally Stub, area <area-id> stub no-summary, = Stub+, Block Type-3 LSA, Not-so-stubby (NSSA), area <area-id> nssa, = Stub, but, Allow ASBR, Turn Type-5 LSA in Type-7, Only one ABR does the de-conversion (Type-7 to Type-5) (higher OSPF router-id), To disable Type-7 to Type-5 de-conversion, At the ASBR router:, summary-address <same-redistr-net> <mask> no-advertise, Still block Type 5 LSA generated from other areas, Default route NOT inserted, area <area-id> nssa default-information-originate, Can be done on ABR or ASBR, some differences indeed:, NSSA ASBR can generate a default only when it has a default route in its routing table., The default route must be known through non-OSPF protocol, NSSA ABR can generate a default route with or without a default route in its own routing table., Not-so-stubby Totally Stub, area <area-id> nssa no-summary, = NSSA +, Block Type-3 LSA, Add default route, NSSA no-redistribution, area <area-id> nssa no-redistribution, Only use when the ASBR is an ABR too., Router can redistribute into standard area (Type-5), but does not redistribute inside NSSA area (Type-7), NSSA Suppress-FA, Two ABRs on one NSSA area (R2 and R3), Only the ABR with higher router-id does LSA-5 -> LSA-7 (R3), R4 (inside NSSA area) sends updates for prefix X.X.X.X, R1 (outside NSSA area) receives only LSA-5 from R3., R1 is neighbor of R2 and R3, R4 = Forward Address inside the LSA, R1 learns X.X.X.X -> R4 (recursive; X.X.X.X -> load balance between R2 and R3), To force the traffic to R3:, area <nssa-area-id> nssa translate type7 suppress-fa, Forward address = 0.0.0.0; Forward to neighbor that sent the LSA (R3), To force the traffic to R2, area <nssa-area-id> nssa translate type7 suppress-fa, And set R2 OSPF router-id to a higher value, R2 receives the LSA-5 from R1, Routing is OK, next-hop = R4, R2 knows how to get to R4 (they're in the same area), Default, R2 has route type (O E1), Suppress, R2 prefers route type 7 (O N1), because E1 forward-address = 0.0.0.0, Anyway routing is fine, just the route type changes

Route types, In order of preference, O, Intra-area, O IA, Inter-area, O E1, Metric = External Cost + Internal Cost, O E2, Default when redistributing, Metric = External cost only; don't change through area, External routes

Summarization, Inter-area (ABR), area <area-id> range <summary-ip> <mask>, External (ASBR), summary-address <summary-ip> <mask>

Virtual-link, Required for areas not connected to area 0, area <not-area-0-id> virtual-link <dest-ospf-router-id>, Not allowed through stub areas

Filtering, Type-3 LSA filter, Can only be done on the ABR, router ospf <process-id>, area <area-id> filter-list prefix <prefix-list> [in | out], in = filter in to the area (TO), out = filter out of the area (FROM), Prefix not allowed is implicitly denied; Remember implicit deny, area range is blocked if ALL smaller prefixes are blocked, Prevent LSA from being installed on routing table, ip prefix-list <pl-filter> permit <net-to-be-filtered>, route-map <route-map-filter> deny 10, match ip address prefix <pl-filter>, route-map <route-map-filter> permit 20, router ospf <process>, distribute-list route-map <route-map-filter> in

Authentication, Enable and set type, Interface, Text, ip ospf authentication, MD5, ip ospf authentication message-digest, Area, router ospf <proc>, Text, area <area> authentication, MD5, area <area> authentication message-digest, Virtual-Link, Not necessary if already set on Area 0, Text, area <area-id> virtual-link <dest-router-id> authentication, MD5, area <area-id> virtual-link <dest-router-id> authentication message-digest, Password, Text, (if) ip ospf authentication-key <string>, MD5, (if) ip ospf message-digest-key <key-id> md5 <string>, Virtual-link, Text, area <area-id> virtual-link <dest-router-id> authentication-key <string>, MD5, area <area-id> virtual-link <dest-router-id> message-digest-key <key-id> md5 <string>

MPLS, Sham-Link, Avoid routing outside MPLS Core, Created in PE routers, when backdoor link exists between two sites., area <area-id> sham-link <src-add> <dst-addr> cost <cost>, Use loopback interface for source/destination, Must belong to the VRF, Must not be advertised by OSPF, Must be advertised by BGP, show ip ospf sham-link, Domain-id, 8-byte value of BGP update that identifies OSPF domain, Routes received from far-end CPE are classified as:, Same domain-id = O IA, Different domain-id = O Ex, router ospf <process-id>, domain-id <ip-address-format-id>, VRF-Lite, OSPF routes received by CPEs have the down-bit set, Down-bit doesn't let OSPF routes be re-learned by BGP; Avoid loops, Doesn't let routes be installed on VRF either, To enable VRF use on CE:, router ospf <process-id>, capability vrf-lite

Administrative Distance, distance <ad> <source-IP> <source-wildcard> <acl>, It's not possible to change AD from only one neighbor, it must change for all neighbors for that process, distance ospf external <O-EX-distance> inter-area <O-IA-distance> intra-area <O-distance>

PBR

ip local policy route-map <map-name>, Locally generated packets are not subject to PBR. Local policy fixes this.

interface <if>, interface where the packet would pass by

ip policy route-map <map-name>

route-map <map-name>

match ip address <acl>

set ip next-hop <ip>

PFR/OER

Configuration guide, Master, Key chain, key chain <kc name>, key <x>, key-string <string>, Border, border <border IP> key-chain <kc name>, interface <intf> internal, interface <intf> external, Measure, mode monitor [passive|active], active:, active-probe [echo | jitter | tcp/udp connection], passive, Netflow, Learn, all, learn, delay, throughput, restrictive, learn, list seq 1 refname <learn-list>, traffic-class [acl | app l | prefix] filter <prefix-list>, delay, throughput, Route, mode route [control | observe | metric], Control = change configuration, observe = no changes, Prefixes, policy-rules <oer-map>, ip prefix-list <plNAME> permit <ip-address>/y, This network will be added to the border router., oer-map <oer-map>, match [pfr learn | acl | prefix-list], set mode [probe | resolve], Border, Key chain, key chain <kc name>, key <x>, key-string <string>, Master, port <number>, local <interface to master>, master <master IP> key-chain <kc name>, NAT, route-map <rm #1>, match ip address <acl internal address>, route-map <rm #2>, match ip address <acl internal address>, ip nat inside source <rm #1> <outside intf #1> overload oer, ip nat inside source <rm #2> <outside intf #1> overload oer

1st hop redundancy

Cisco Proprietary?, Y, Load balance, Y, GLBP, UDP 3222, 224.0.0.102, Routers have two roles, AVG (active virtual gateway), Control MAC address distribution, glbp <group> priority, glbp <group> preempt, AVF (active virtual forwarder), Responsible for forwarding for that MAC address, glbp <group> weighting <weight> lower <stop-forward> upper <return-to-forward>, glbp <group> forwarder preempt, Load balance config, glbp <group> load-balancing [host-dependent | round-robin | weighted], N, HSRP, UDP 1985, 224.0.0.2, MAC address = 0000.0c07.acxx, xx = Group (in hex), N, VRRP, Proprietary Transport; 112, 224.0.0.18

Configuration, HSRP = standby, VRRP = vrrp, GLBP = glbp, standby <group> ip <ip-address>, standby <group> priority <priority-number>, Higher wins, standby <group> preempt, standby <group> track <track> decrement <priority-decrement>

BGP

Path attributes {Order of choice}

Must be known?, Y, Present in all updates?, Y, Well-known mandatory, {4} ORIGIN, In order of preference:, IGP, router bgp <as-number>, network <ip-address> mask y.y.y.y, EGP, INCOMPLETE, router bgp <as-number>, redistribute <igp>, {3} AS_PATH, Path selection, Loop avoidance, Confederation?, Y, Meaningful order?, Y, AS_CONFED_SEQUENCE, N, AS_CONFED_SET, N, Meaningful order?, Y, AS_SEQUENCE, N, AS_SET, NEXT_HOP, eBGP, IP address of advertising interface, iBGP, IP address of originating interface, neighbor <ip-address> next-hop-self, N, Well-known discretionary, {2} LOCAL_PREF, iBGP only, Higher wins, ATOMIC_AGGREGATE, States that summarization has been performed, N, Must forward?, Y, Optional transitive, AGGREGATOR, Who did the summary (IP and AS), COMMUNITY, tags, from 0 to 65535, Some well-known, NO_EXPORT, Not sent to eBGP, NO_ADVERTISE, Not sent to eBGP or iBGP, LOCAL_AS, or NO_EXPORT_SUBCONFED; Not sent to eBGP or other confederations., N, Optional non-transitive, {5} MULTI_EXIT_DISC (MED), eBGP, Only compares routes from same AS, ORIGINATOR_ID, Route-reflector ID, CLUSTER_LIST, Route-reflector cluster ID; additive.

Local Info, {1} Weight, Local information to the router, never sent in updates, Higher wins

Configuration

Basic, router bgp <as-number>, neighbor <ip-address> remote-as, no auto-summary, Synchronization?, Y, Redistribute BGP to IGP, router bgp <as-number>, redistribute <igp>, OSPF and BGP only sync if the BGP router-id and OSPF router-id match, N, no synchronization, Peer-group, neighbor <pgNAME> peer-group, neighbor <pgNAME> ..., neighbor <ip-address> peer-group <pgNAME>, Direct connection?, N, neighbor <ip-address> update-source <interface>, eBGP, neighbor <ip-address> ebgp-multihop, neighbor <ip-address> ttl-security, iBGP, Not fully-meshed?, Route-reflector-client, neighbor <ip-address> route-reflector-client, More than one RR?, bgp cluster-id, neighbor <ip-address> route-reflector-client, Must be reapplied, If RR receives from Non-client, send to Clients., If RR receives from Client, send to Clients and Non-clients., Confederation, router bgp <private-as>, bgp confederation identifier <public-as>, bgp confederation peers <other-private-as> <other-private-as> <other-private-as>, Only for routers that have eBGP Confederation sessions., NEXT_HOP is not changed inside confederation, Community, ip bgp-community new-format, neighbor <ip-address> send-community [standard | extended | both], iBGP to IGP redistribution, Disabled by default, To enable:, router bgp <as-number>, bgp redistribute-internal

Inject routes, network, network <ip-address> mask y.y.y.y, network <ip-address> mask y.y.y.y backdoor, Set the AD to 200, to not overwrite IGP routes, default, neighbor <ip-address> default-originate, Doesn't need to have the default-route, Doesn't suppress more specific, Summarization, aggregate-address, aggregate-address <aggregate> <mask> [summary-only] [as-set] [attribute-map <rmATTR>] [advertise-map <rmADV>] [suppress-map <rmSUPPRESS>], as-set, send AS_SEQUENCE (only aggregator AS) + AS_SET (all ASs from origin prefixes), attribute-map, Changes metric, community, origin, route-map <rmATTR>, set [origin | metric | community], advertise-map, Says which prefix will have attributes copied to aggregate, route-map <rmADV>, match ip address <acl>, ip access-list standard <acl>, [permit | deny] <prefix-to-be-copied> <wildcard>, permit = copy attributes, deny = don't copy attributes., suppress-map, Send summary + some aggregates, route-map <rmSUPPRESS>, match ip address prefix <plSUPPRESS>, ip prefix-list <plSUPPRESS> permit <specific-prefix-suppressed>/<netmask>, permit = do not send (permit to suppress), summary-only, Send only the summary, = suppress-map suppressing all, Conditional, Injection, bgp inject-map <route-map-prefix-injected> exist-map <rm-condition> [copy-attributes], route-map <route-map-prefix-injected>, set ip address [<acl-injected-prefix> | prefix-list <pl-injected-prefix>], route-map <rm-condition>, match ip address <acl-learned-prefix>, Next-hop can be set at route-map, Used to recover a specific prefix that was lost by summarization, Advertising, bgp advertise-map <route-map-prefix-advertised> exist-map <rm-condition> non-exist-map <rm-condition>, route-map <route-map-prefix-advertised>, match ip add <acl-advertised-prefix>, route-map <rm-condition>, match ip add <acl-learned-prefix>

Control advertisement, neighbor <ip-address> distribute-list <acl-number> [out | in], neighbor <ip-address> filter-list <ip-as-path-acl-number> [out | in], neighbor <ip-address> route-map <rmBGP> [out | in], route-map <rmBGP>, match ip address <acl-number>, match as-path <ip-as-path-acl-number>, match community <community-list-number>, set local-preference, set metric, set as-path prepend, set community, Manipulate prefixes, Filter private ASs, neighbor <ip-address> remove-private-as, Change local AS, neighbor <ip-address> local-as, Change next-hop for all?, Y, neighbor <ip-address> next-hop-self, N, neighbor route-map <rm-name> [in | out], route-map <rm-name>, match ip address <acl-prefixes-changed>, set next-hop, Propagate prefix-list, Sender, ip prefix-list deny <specific-prefix>, ip prefix-list permit <all-others-prefixes>, neighbor <receiver> capability orf prefix-list send, Receiver, neighbor <sender> capability orf prefix-list receive, SET, Match

Synchronization, Disable synchronization, no synchronization

IPv6

Addressing

Loopback, ::1

empty, ::

Default route, ::/0

Link-Local, FE80::/64

Unique-local, FC00::/7

Global, 2000::/3

ICMPv6

Combines several IPv4 functions: ICMPv4, IGMP and ARP

Configuration

ipv6 unicast-routing

Interface, ipv6 enable, Auto-generate link-local, even if the interface doesn't have an IPv6 unique/global address, ipv6 address <ipv6-address>, ipv6 address <link-local-add> link-local, ipv6 address <prefix-only> eui-64

Routing, Static, ipv6 route <ipv6-network/length> <next-hop-address>, ipv6 route <ipv6-network/length> <next-hop-link-local-add> <exit-interface>, The routing process is automatically created when assigned to interface, RIP, interface <if>, ipv6 rip <process-name> enable, ipv6 rip <process-name> default-information originate, ipv6 router rip <process-name>, EIGRP, Uses FF02::A (all EIGRP routers), interface <if>, ipv6 eigrp <as-number>, ipv6 router eigrp <as-number>, OSPF, interface <if>, ipv6 ospf <process> area <area-number>, ipv6 router ospf <process>

Tunnels

Tunnels source and destination are always IPv4

Manual, Manual Tunnel, IPv6 -> IPv4::IPv6 -> IPv6, interface tunnel <if>, ipv6 address <ipv6>, tunnel source <ipv4>, tunnel destination <ipv4>, tunnel mode ipv6ip, IPv6 over GRE, IPv6 -> IPv4::GRE::IPv6 -> IPv6, Can carry non-IP packets, like IS-IS, interface tunnel <if>, ipv6 address <ipv6>, tunnel source <ipv4>, tunnel destination <ipv4>, tunnel mode gre ip

Automatic, 6to4, IPv6 -> IPv4::IPv6 -> IPv6, 2002:[IPv4-in-hex]::/48, interface tunnel <if>, ipv6 address 2002::[IPv4]::, tunnel source <ipv4>, tunnel mode ipv6ip 6to4, ipv6 route 2002::/16 tunnel<if>, Destination is extracted from the IPv6 data packet destination IP, No Multicast Support, ISATAP, IPv6 -> IPv4::IPv6 -> IPv6, [64-bit-prefix]:0000:5ef3:[IPv4-in-hex]/64, interface tunnel <if>, ipv6 address [64-bit-prefix]::/64 eui-64, tunnel source <ipv4>, no ipv6 nd suppress-ra, To permit discovery of tunnel destination, tunnel mode ipv6ip isatap, Destination is extracted from the IPv6 data packet destination IP, 6rd, 6rd utilises an SP's own IPv6 address prefix - avoids well-known prefix (2002::/16), CE, ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0, interface Dialer0, ip address dhcp ! (10.0.0.10), !, interface Tunnel0, tunnel source Dialer0, tunnel mode ipv6ip 6rd, tunnel 6rd ipv4 prefix-len 8, tunnel 6rd prefix 2001:db80::/28, tunnel 6rd br 10.0.0.1, ipv6 address DELEGATED_PREFIX ::/128 anycast, !, interface Ethernet0, ipv6 address DELEGATED_PREFIX ::/64 eui-64, !, ipv6 route 2001:db80::/28 Tunnel0, ipv6 route ::/0 Tunnel0 2001:db80:0:1000::, ipv6 route 2001:db80:0:A000::/52 Null0, BR, ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel0, interface Loopback0, ip address 10.0.0.1 255.255.255.0, !, interface Tunnel0, tunnel source Loopback0, tunnel mode ipv6ip 6rd, tunnel 6rd ipv4 prefix-len 8, tunnel 6rd prefix 2001:db80::/28, ipv6 address DELEGATED_PREFIX::/128 anycast, !, ipv6 route 2001:db80::/28 Tunnel0, ipv6 route 2001:db80:0:1000::/52 Null0, Dual Stack Lite, Dual stack endpoints, IPv6 Backbone, Based on Carrier Grade NAT

IPV6 NAT

NAT-PT, Interfaces, IPV6 side, interface <ipv6-interface>, ipv6 address <ipv6>, ipv6 enable, ipv6 nat, IPv4 side, interface <ipv4-interface>, ip add <ipv4-add>, ipv6 nat, Static NAT, ipv6 nat v4v6 source <ipv4-address> <ipv6-address>, ipv6 nat v6v4 source <ipv6-address> <ipv4-address>, Dynamic NAT, ipv6 nat v4v6 source list <acl-ipv4> pool <pool-ipv6>, ipv6 nat v6v4 source list <acl-ipv6> pool <pool-ipv4>, ipv6 nat prefix, Installs the connected prefix in the IPv6 routing table, ipv6 nat prefix <prefix-ipv6>

Multicast

PIM Mode

Dense Mode, Flood & Prune, ip pim dense-mode

Sparse Mode, Any Source Multicast (ASM), Uses RP, Shared -> Source Specific (*,G -> S,G), ip pim spt-threshold [num | infinity], ip multicast-routing, Static RP?, Y, ip pim sparse-mode, ip pim rp-address <ip-address> <aclMCASTGROUP>, ip access-list standard <aclMCASTGROUP>, permit <group-address> <mask>, N, Cisco Proprietary?, Y, Auto-RP, Creates two specific multicast groups for RP announce, Group router, ip pim autorp listener, Allow groups 224.0.0.39-40 be flooded, ip pim sparse-dense-mode, Enable dense mode to allow other routers to find RP, RP router, ip pim send-rp-announce <interface> scope <how-many-hops>, Uses 224.0.1.39, ip pim send-rp-discovery scope <how-many-hops>, Uses 224.0.1.40, OR, N, Bootstrap router (BSR), PIM v2 standard, Send messages to 224.0.0.13, with TTL=1, Message is replicated out all interfaces, so mcast tree is not required, RPF rules still apply, BSR Router must be in the right position, ip pim bsr-candidate <interface>, ip pim rp-candidate <interface>, Can be set on different routers, Use (S,G) ?, Y, Specific Source Multicast (SSM), No RP, IGMP v3, Only Shortest Path Tree (S,G), ip igmp version 3, ip pim ssm [default | <aclMCAST-GROUPS>], default = 232.x.x.x, N, Bi Directional (BiDir), Only Shared Path Tree (*,G), Virtual RP, On all PIM enabled routers, ip pim bidir-enable, Static, ip pim rp-address <ip-address> bidir, BSR, ip pim rp-candidate <if> bidir, Auto-RP, ip pim rp-announce <if> bidir

MSDP (Multicast Source Discovery Protocol), Allows RPs to exchange information about group sources, ip msdp peer <ip-address>, ip msdp originator-id <loopback-if>, ip msdp mesh-group <group-name> <neighbors-IP-address>, Used if there are more than two RPs fully-meshed, to avoid loops

NBMA networks, RPF rules prevent traffic from spoke to hub to be replicated to other spokes, Use NBMA mode, Works only on Sparse Mode, ip pim nbma-mode, ip pim sparse-mode, Create tunnel between spokes and routers, interface tunnel <if-num>, ip pim sparse-mode, ip pim dense-mode, ip mroute <mcast-group> <mask> <dest-ip>, Put tunnel on IGP protocol, OR, Mind the RPF rules

IGMP

v1, Old, Slow leave

v2, Join to mcast group address, Fast leave, Querier

v3, Join to 224.0.0.22, Easy to Layer2 snooping, Source filter, Enable SSM

IGMP Snooping, ip igmp snooping <vlan> <interface connected to mcast router>

QoS

RSVP

Messages, PATH = ask for resources, RESV = Confirm resource reservation, RESV-CONF = Last confirmation, Order, Source send PATH, Destination send RESV, Destination send PATH, Source send RESV, Destination send RESV-CONF

Configuration, Interface, ip rsvp bandwidth <total> <flow>, LLQ, ip rsvp pq-profile <max-rate> <max-burst> <peak-to-avg-ratio-%>, fair-queue must be enabled., Frame-Relay, frame-relay fair-queue, fair-queue, Source, ip rsvp sender-host <ip-dest> <ip-src> [tcp | udp] <dst-port> <src-port> <bw> <peak>, The "-host" generates PATH msg; without it the router waits for traffic to send it., show ip rsvp sender, Destination, ip rsvp reservation-host <ip-dest> <ip-src> [tcp | udp] <dst-port> [ff | se | wf] rate <bw> <peak>, The "-host" generates RESV msg; without it the router waits for traffic to send it., ff (fixed filter) = Only one source can use the reservation, se (shared explicit) = shared with some specified sources, wf (wildcard filter) = shared with any source, show ip rsvp reservation, show ip rsvp installed [detailed]

FRTS

Generic Traffic Shape, traffic-shape rate <bit-rate> <burst-size> <excess-burst-size>

Frame Relay Traffic Shaping, Config, Interface <if>, frame-relay traffic-shaping, DLCI only (optional), frame-relay interface-dlci <dlci>, frame-relay class <class-name>, map-class frame-relay <class-name>, frame-relay cir, frame-relay bc, frame-relay be, frame-relay mincir, frame-relay adaptive-shaping becn, TC, TC can be set only on DCE interface, For DTE, use BC and CIR to define: TC = CIR/BC, BC default = 1/8 CIR, so TC default = 125ms, TC range = 10ms to 125ms

Class-Based Traffic Shaping, Can be combined with MQC, Traffic classes, Configuration, interface <if-fr>, frame-relay interface-dlci <dlci>, (optional), service-policy <policy-map-name>, Service-policy apply, All PVCs, interface, Sub interface, Single PVC, Map-class, Shape allowed only on class-default, policy-map <policy-map-name>, class <class-name>, shape, Policy-map shape, average <cir> <bc> <be>, peak <eir>, adapt becn, max-buffers, class-map <class-name>, match, Class-map match, frame-de, frame-dlci

MQC

interface <if>

service-policy [input | output] <policy-name>

policy-map <policy-name>

class <class-name>

set, ip precedence, ip dscp, cos

class-map <class-name>

match (qos, acl, mac)

match protocol, nbar

match any

Switch QoS (MLS)

mls qos behavior, no mls qos, QoS disabled, COS = 0, COS = 0, COS = 5, COS = 5, Untagged, Untagged, mls qos, QoS enabled, COS = 0, COS = 0, COS = 5, COS = 0, Untagged, Untagged, mls qos (if) mls qos trust cos, COS = 0, COS = 0, COS = 5, COS = 5, Untagged, Untagged, OR, (if) mls qos cos X, COS = X, mls qos (if) mls qos cos X override, COS = 0, COS = X, COS = 5, COS = X, Untagged, COS = X

Layer 2 to Layer 3 mapping, Inbound, cos-dscp map, Outbound, cos-dscp map, show mls qos map [dscp]

Port trust, (if) # mls qos trust [dscp | cos | ip-prec], if trust COS, DSCP is modified, based on COS-to-DSCP map, To avoid, use DSCP transparency, no mls qos rewrite ip dscp, Maps, COS = 0 to 7, IP Precedence = 0 to 7, DSCP = 0 to 63, COS-to-DSCP map, mls qos map cos-dscp [dscp(cos0) dscp(cos1) ... dscp (cos7)], IP Prec-to-DSCP map, mls qos map ip-prec-dscp [dscp(ipprec0) dscp(ipprec1) ... dscp(ipprec7)], DSCP-to-COS map, mls qos map dscp-cos (dscpA, dscpB ... dscpX) to (cos-number), DSCP to DSCP mapping (aka DSCP Mutation), Use to map received DSCP to a local trusted DSCP, mls qos map dscp-mutation <mutation-name> <in-dscp> to <out-dscp>

3560, SRR, sharing, Share bandwidth based on weight queue, shaping, Limit bandwidth, Two ingress queues, Only support SRR sharing, Normal, Threshold is a percentage of the queue. If the packet with CoS/DSCP arrives when its threshold is exceeded, frame is discarded., Each queue has 3 thresholds (1 and 2 are configurable; 3 is hardcoded to 100%). Each CoS/DSCP is assigned to one queue and one threshold within this queue., Queue 1, Threshold 1, Queue 1, Threshold 2, Queue 2, Threshold 1, Queue 2, Threshold 2, Set queue threshold, mls qos srr-queue input threshold [queue-id] [threshold%-1] [threshold%-2], queue-id = 1-2, Map DSCP/QoS to queue, mls qos srr-queue input cos-map [queue-id] threshold [threshold-id] [cosA cosB ... cos X], mls qos srr-queue input dscp-map [queue-id] threshold [threshold-id] [dscp A, dscp B ... dscp X], threshold-id = 1-3 (3 is predefined, full queue), Frequency for attending each queue (in ratio), mls qos srr-queue input bandwidth [bw-weight-queue-1] [bw-weight-queue-2], Sum must be 100%, Set size of the buffers (in ratio), mls qos srr-queue input buffers [queue1-%] [queue2-%], Sum must be 100%, Expedite, mls qos srr-queue input priority-queue [bandwidth [bw-0 to 40]], Four egress queues, Uses queue-set, Assign queue-set to interface, interface X/Y, queue-set [queue-set-id], queue-set-id = 1-2, Set queue-set threshold and buffers, mls qos queue-set output [queue-set-id] buffers [alloc-queue-%-1] [alloc-queue-%-2] [alloc-queue-%-3] [alloc-queue-%-4], mls qos queue-set output [queue-set-id] threshold [queue-id] [threshold-1] [threshold-2] [reserved-threshold] [maximum-threshold], queue-id = 1-4, Map DSCP/CoS to queue, mls qos srr-queue output cos-map [queue-id] threshold [threshold-id] [cos0 cos1... cos 7], mls qos srr-queue output dscp-map [queue-id] threshold [threshold-id] [dscp0 dscp1... dscp7], Set SRR shape or share to queue., (if) srr-queue bandwidth share [weight1] [weight2] [weight3] [weight4], BW% = Weight / [sum(weight)], (if) srr-queue bandwidth shape [weight1] [weight2] [weight3] [weight4], Inverse weight, BW % = 1/Weight, If shape is set to queue 1, share is ignored, If shape 1 is set to priority, there is no bandwidth limit, Expedite (queue 1), (if) priority-queue out, If expedite is set, queue 1 is ignored by SRR, Limit bandwidth for interface, (if) srr-queue bandwidth limit [bw-percentage]

Use MQC to apply QoS to interface, inbound only, interface X/Y, service-policy input <pmQOS>, policy-map <pmQOS>, class <cmA>, trust [cos | dscp | ip-prec], set [dscp | ip-prec], police [rate-bps] [burst-byte] exceed-action [drop | policed-dscp-transmit], class-map cmA, match [acl | ip dscp | ip prec | input-interface], OR

Security

Switch security

Control DHCP packets, DHCP Snooping, Only allow DHCP responses from a trusted port, ip dhcp snooping [vlan [vlans]], DHCP server must be connected to a trusted port, ip dhcp snooping trust

Control frames based on source, Filter frames, IP Source Guard, Check if source MAC is known by the receiving port, Dynamic (based on DHCP Snooping), Based on IP only, (if) ip verify source, Based on IP and MAC, (if) ip verify source port-security, Static, ip source binding M.M.M vlan <vlans> <ip-address> interface <interface>, Dynamic, Based on DHCP Snooping, Filter ARP packets, ARP inspection, Check if ARP responses are valid, based on, DHCP snooping (Dynamic), Enable DHCP Snooping, ip arp inspection vlan [vlans], Static ARP ACL, arp access-list <aclARP>, permit ip host <ip-address> mac host M.M.M, ip arp inspection vlan [vlans] filter <aclARP>, Disable DAI on interface, (if) ip arp inspection trust, Must be used in trunk between switches, DHCP requests may not traverse these trunks, Host A and DHCP Server are connected to Switch 1, Host B is connected to Switch 2, Trunk between 1 and 2 doesn't see the ARP packet, Switch 2 drops the packet, Additional validation, ip arp inspection validate [src-mac | dst-mac | ip]

Filter specific frames, vlan filter <amVLAN> vlan-list <vlan-range>, vlan access-map <amVLAN>, Match, AND / OR, match ip address <aclIP>, ip access-list standard <aclIP>, permit <ip-addr> <wildcard>, match mac address <aclMAC>, mac access-list ext <aclMAC>, permit <mac-src> <mac-dst>, Action, [forward | drop]

Control VLAN/interface traffic, Port Blocking, Packets with unknown destination MACs are forwarded to all ports. To prevent:, interface <blocked-if>, switchport block unicast, switchport block multicast, Port Security, Restrict how many and which MAC addresses have access to an interface, interface <secured-if>, Enable Port Security, switchport port-security, Maximum mac-address learned, switchport port-security maximum <mac-add-qty> vlan [vlan-list], How to react, switchport port-security violation [protect | restrict | shutdown | shutdown vlan], Static MAC assignment, switchport port-security mac-address <static-mac-assign>, Learn MACs and don't forget on reload, switchport port-security mac-address sticky, Static MACs and don't forget on reload, switchport port-security mac-address sticky <sticky-mac-address>, Port protected, One protected port doesn't talk with another protected port, interface <protected-if>, switchport protected, Private VLANs, Port modes, Promiscuous, Talk to every other port, Can serve one Primary VLAN, one Isolated VLAN and many Community VLANs., Isolated, Don't talk to other Isolated or Community, Talk to a Promiscuous, Community, Talk to other Community, Talk to Promiscuous, VLAN modes, Primary, Associated to Promiscuous ports, Secondary Isolated, Secondary Community, Configuration, VLANs, Promiscuous, vlan <primary>, private-vlan primary, Create secondary VLANs, then:, vlan <primary>, private-vlan association add <secondary-isolated> <secondary-community>, Secondary, vlan <isolated>, private-vlan isolated, vlan <community 1>, private-vlan community, vlan <community 2>, private-vlan community, Ports, Promiscuous, interface <promiscuous>, switchport mode private-vlan promiscuous, switchport private-vlan mapping <primary-vlan> add <secondary-vlans-list>, Secondary, interface <isolated-or-community>, switchport mode private-vlan host, switchport private-vlan host-association <primary-vlan> [<isolated-vlan> | <community-vlan>]

IP Options

Drop all packets with options marked, ip options drop

Ignore the option parameters, ip options ignore

IP Services

SPAN

Up to two source sessions

Up to 64 destination ports

Source port = Physical, Trunk, Routed, Voice

monitor session X source [interface | vlan] [rx | tx | both]

monitor session X filter vlan [range]

monitor session X destination [interface | remote vlan]

RSPAN, vlan Y, remote-span, monitor session X source [remote vlan] Z, monitor session X destination [interface], Destination switch, Intermediate switches

Source switches

Reflexive ACL

Config, interface <if-inside>, ip access-group <acl-in> in, ip access-list extended <acl-in>, evaluate <tcp-temp-name>, Traffic in only allowed after traffic out created this entry, ip access-group <acl-out> out, ip access-list extended <acl-out>, permit tcp any any reflect <tcp-temp-name>, Can be done one in each interface (in/out)

EEM

Event Detector, Monitors:, CLI Command, Events, Object track, SNMP Events, Syslog messages, Interface counters, Timers

Event Manager

Policy Director, Applet Policy, event manager applet <appNAME>, event <monitor>, application Application specific event, cli CLI event, counter Counter event, interface Interface event, ioswdsysmon IOS WDSysMon event, ipsla IPSLA Event, neighbor-discovery Neighbor Discovery event, nf NF Event, none Manually run policy event, oir OIR event, resource Resource event, routing Routing event, snmp SNMP event, snmp-notification SNMP Notification Event, snmp-object SNMP object event, syslog Syslog event, tag event tag identifier, timer Timer event, track Tracking object event, action x.x <action>, add Add, append Append to a variable, break Break out of a conditional loop, cli Execute a CLI command, cns-event Send a CNS event, comment add comment, context Save or retrieve context information, continue Continue to next loop iteration, counter Modify a counter value, decrement Decrement a variable, divide Divide, else else conditional, elseif elseif conditional, end end conditional block, exit Exit from applet run, force-switchover Force a software switchover, foreach foreach loop, gets get line of input from active tty, handle-error On error action, help Read/Set parser help buffer, if if conditional, increment Increment a variable, info Obtain system specific information, mail Send an e-mail, multiply Multiply, policy Run a pre-registered policy, publish-event Publish an application specific event, puts print data to active tty, regexp regular expression match, reload Reload system, set Set a variable, snmp-object-value Specify value for the SNMP get request, snmp-trap Send an SNMP trap, string string commands, subtract Subtract, syslog Log a syslog message, track Read/Set a tracking object, wait Wait for a specified amount of time, while while loop, action 1.0 cli command "cli command", action 1.1 mail server <server> from <from> to <to>, action 1.2 syslog message "message", TCL Policy, event manager environment <variable>, event manager directory user policy <path>, event manager policy <filename>

WCCP

UDP Port 2048

Basic config, ip wccp version [1 | 2], Version 1 = 1 router, Cluster HTTP only, Version 2 = Multiple routers; Clusters, ip wccp web-cache, TCP Promiscuous mode, ip wccp 61, Client to Server traffic, ip wccp 62, Server to Client traffic, From which interfaces?, interface X/Y, Standard web service, ip wccp web-cache redirect [out | in], out = internet interface, in = client interface, TCP Promiscuous mode, ip wccp 61 redirect [out | in], ip wccp 62 redirect [out | in], All configs have same impact:, ETH: [61 in, 62 out], SER: [], ETH: [61 in], SER [62 in], ETH: [], SER [61 out, 62 in], Except:, ip wccp redirect exclude in, If the configuration is done only in the external interfaces, the web-cache interface must be excluded

Who will be redirected?, ip wccp web-cache redirect-list <acl>

To which web caches?, ip wccp web-cache group-list <acl>

Group web caches, ip wccp web-cache group-add <mcast-address> password <pw>

And if web cache is not available?, block, ip wccp mode closed, passthrough, ip wccp mode open

3560, sdm prefer extended, reload

IP SLA

Configuration, Probe, ip sla <oper-number>, [probe-type]<dest-IP> <dest-port> interval <interval>, udp-echo, udp-jitter, icmp-echo, icmp-jitter, etc..., frequency <seconds>, ip sla schedule <oper-number> life [forever | <seconds>] [start-time <time> | pending | now], show ip sla configuration <oper-number>, show ip sla statistics, Responder, ip sla, Enable temporary response based on control protocol, ip sla responder udp-echo ipaddress <ip-address> port <port>, Enable permanent response, Use if control protocol is disabled on source, Authentication, ip sla key-chain <key>

IP Traffic Export

Similar to SPAN on switches

Profile, ip traffic-export profile <profile-name> mode [capture | export], Capture = store in router flash, Export = Send, interface <export-interface>, mac-address <export-host>, incoming [access-list <acl> | sample one-in-every <number>], outgoing [access-list <acl> | sample one-in-every <number>], bidirectional

Apply, interface <monitored-interface>, ip traffic-export apply <profile-name> size <capture-buffer>

SNMP

Security Models, noAuth noPriv, Auth Priv, Auth noPriv

Config, v3, What?, snmp-server view <view-name> <mib> included, Which?, snmp-server group <group-name> [v3] priv read <view-name> write <view-name> access <acl>, Who?, snmp-server user <user-name> <group-name> v3 auth [sha | md5] priv [des | 3des | aes] access <acl>, Traps, snmp-server enable traps snmp, snmp-server host <server-ip> traps version 3 [priv | auth | noauth] <user-name>, Engine, snmp-server engineID remote <server-ip> abcd12345678, v1/v2, What?, snmp-server view <view-name> <mib> included, Community, snmp-server community <string> view <view> [ro | rw] <acl>

NetFlow

Flow =, Source IP, Dest IP, Source Port, Dest Port, Layer 3, ToS, Input Interface

Flows can be on, Collector, Local cache

Config, Basic, ip flow-export destination <collector-ip> <udp-port>, ip flow-export version 9, interface <if>, ip flow [ingress | egress], Aggregation cache, ip flow aggregation-cache [prefix | protocol | etc], Filter and sampling, Filter AND Sampling, interface <if>, service-policy input <pm-name>, policy-map <pm-name>, class <cm-name>, class-map <cm-name>, match access-group <acl>, netflow sampler <flowmap-name>, flow-sampler-map <flowmap-name>, mode random one-out-of <sample>, Sampling only, interface <if>, flow-sampler <flowmap-name>, flow-sampler-map <flowmap-name>, mode random one-out-of <sample>

NAT

Interfaces, interface <if-inside>, ip nat inside, interface <if-outside>, ip nat outside

Static or Dynamic?

Source or Destination?

ip nat [inside | outside] [source | destination] static <from> <to>, When the packet hit the [inside | outside] interface, Change the [source | destination], From <from>, To <to>, nat outside source = nat inside destination

ip nat pool <pool-name> <start-IP> <end-IP> [netmask | prefix-length]

access-list <acl-number> permit <source-address> <source-wildcard>

ip nat inside source list <acl-number> pool <pool-name> [overload]

Load balance, ip nat pool <pool-name> <start-IP> <end-IP> [netmask | prefix-length] type rotary, ip nat inside destination-list <acl-name> pool <pool-name>, Pool = real hosts, ACL = Virtual address

Select which IPs get translated., ip nat inside source static <from> <to> route-map <rm-name>

Stateful NAT, Use for asymmetrical routing and redundancy, With HSRP, ip nat inside source static <from> <to> redundancy <group-name>, standby <group> name <group-name>, Configuration, ip nat stateful <id>, Primary, primary <own-IP>, Secondary, backup <own-IP>, peer <other-router-IP>, mapping-id <map-id>, ip nat source static route-map <rm-name> pool <pool-name> mapping-id <map-id>

DHCP

RARP = Layer 2 header

BOOTP = Layer 3 header

DHCP = More options (lease time, extra fields, dynamic range)

DHCP Relay, interface <if>, interface that receives the DHCP request, ip helper-address <dhcp-server>

DHCP Server, Config, service dhcp, ip dhcp excluded-address <start-ip> <end-ip>, ip dhcp pool <pool-name>, Network, network <net> <mask>, Host, host <ip-address> <mask>, client-id <unique-id>, domain <domain-name>, dns-server <server-IP>, default-router <gw-ip>, lease [days [hours] [minutes] | infinite], Troubleshooting, clear ip dhcp binding *, show ip dhcp binding, show dhcp lease, client

Lock and Key Security

Lock the traffic, interface <if-traffic>, ip access-group <acl> in, access-list <acl> permit <always-allowed-traffic>, access-list <acl> dynamic <temporary-acl-name> timeout <absolute-seconds> permit <temporary-traffic>

Telnet to enable, line vty 0, autocommand access-enable <host> timeout <inactivity-seconds>

NTP

Client/Server, Pull method, from client to server, Server, ntp master [stratum], Default stratum = 8, Access Control, Master sync itself using IP 127.127.7.1, ntp access-group peer <aclITSELF>, ip access-list standard <aclITSELF>, permit 127.127.7.1, ntp access-group serve-only <aclNTPCLIENTS>, Authentication, ntp authenticate, ntp authentication-key <key-id> md5 <key-string>, Client, ntp server <ip-address>, ntp access-group peer <aclSERVER>, Authentication, Authentication only happens from client to server., Server Auth, Client noAuth = OK, Server noAuth, Client Auth = Not OK, ntp authenticate, ntp authentication-key <key-id> md5 <key-string>, ntp trusted-key <key-id>, ntp server <ip-address> key <key-id>

Peer, Push/Pull method, ntp peer <ip-address>, ntp access-group peer <aclPEER>

UDP port 123

RMON

Configuration, Interface, rmon [native | promiscuous], rmon queuesize <size>, rmon alarm <number> <variable> <interval> [delta | absolute] rising-threshold <value> falling-threshold <value>, show rmon, show rmon alarms, show rmon events

Misc

Regular Expression

( ) Parenthesis, Grouping

| (pipe), OR expression

? (question mark), 0 or 1 occurrence of previous

* (asterisk), 0 or more occurrences of previous

+ (Plus sign), 1 or more occurrences of previous

\ (backslash), Escape special characters

[ ] (brackets), Any character from range

^ (Circumflex), Start of line

$ (dollar sign), End of line

_ (underline), Can be replaced by comma (,), space ( ), start of line (^), end of line ($), right or left brace ({})

SSH

Configuration, Generate keys, crypto key generate rsa, Enable SSH server, ip ssh [version <version-number> | timeout <seconds> | authentication-retries <number>]

show crypto key mypubkey rsa

Bridge

Ethernet and Frame-Relay example, R5, interface Ethernet0/0.40, encapsulation dot1Q 40, ip address 145.11.25.5 255.255.255.0, R2, Global configuration, bridge irb, bridge 1 protocol ieee, bridge 1 route ip, Ethernet, interface Ethernet0/0.25, no ip address, encapsulation dot1Q 25, bridge-group 1, Serial FR, interface Serial1/0, no ip address, encapsulation frame-relay, frame-relay map bridge 203 broadcast, bridge-group 1, R3, interface Serial1/0, no ip address, encapsulation frame-relay, frame-relay map bridge 302 broadcast, bridge-group 1