Wednesday, May 19, 2010

WAN data link protocols (HDLC, Frame Relay)


R1(config-if)#encapsulation [ppp | hdlc]
R1(config)#username remote_hostname password xxx
R1(config-if)#ppp authentication [pap | chap]
R1(config-if)#ppp pap sent-username this_hostname password xxx

R1(config)#frame-relay switching
R1(config)#interface s0/0/0
R1(config-if)#clock rate 64000
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay intf-type dce
R1(config-if)#frame-relay route 102 interface s0/0/1 201
R1(config-if)#no shutdown
R1(config)#interface s0/0/1
R1(config-if)#clock rate 64000
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame-relay intf-type dce
R1(config-if)#frame-relay route 201 interface s0/0/0 102

R1#clear frame-relay inarp
R1#show frame-relay map
R1#debug frame-relay lmi
R1#show frame-relay pvc [102] [dlci]
R1#show frame-relay lmi
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay inverse-arp
R1(config-if)#frame-relay map ip 10.1.1.2 101 [broadcast cisco]
-> frame-relay map protocol protocol-address dlci [broadcast] [ietf] [cisco]
-> broadcast: forward broadcasts (e.g. dynamic routing protocol updates) over the virtual circuit
R1(config)#interface s0/0/0.102 [multipoint | point-to-point]
-> if all connected routers belong to the same subnet, use multipoint.
R1(config-subif)#ip address a.a.a.a m.m.m.m
R1(config-subif)#bandwidth 64
R1(config-subif)#frame-relay interface-dlci 102

WAN Connection Technologies

Technology        Charged by             Capacity                             Connection   Notes
Leased Line       distance, capacity     up to 45 Mb/s (E3/T3)                permanent    fixed capacity
Basic telephone   distance, time         33-56 kb/s                           dialed       slow connection
ISDN              distance, time         64 or 128 kb/s; up to 2 Mb/s (PRI)   dialed       slow connection
X.25              volume                 up to 48 kb/s                        switched     fixed capacity
ATM               capacity               up to 155 Mb/s                       permanent    variable capacity
Frame Relay       capacity               up to 45 Mb/s                        permanent    variable capacity
DSL               monthly subscription   up to 3 Mb/s                         always on    shared Internet
Metro Ethernet    monthly subscription   up to 500 Mb/s                       -            limited geographic scope

WAN Cable Connectors

The DTE/DCE interface uses the following Physical layer protocols:
EIA/TIA-232: up to 64 kb/s on a 25-pin D-connector over short distances.
EIA/TIA-449/530: faster (up to 2 Mb/s) version of EIA/TIA-232. Uses a 36-pin D-connector and is capable of longer cable runs. Also known as RS-422 and RS-423.
EIA/TIA-612/613: High-Speed Serial Interface (HSSI) protocol. Up to 52 Mb/s on a 60-pin D-connector.
V.35: the ITU-T standard for synchronous communications between a network access device and a packet network. Up to 2.048 Mb/s on a 34-pin rectangular connector.
X.21: an ITU-T standard for synchronous digital communications. A 15-pin D-connector.

Saturday, May 15, 2010

security related CLI, ACL

(config)#auto secure
Configure IP Access-List

port security
(config-if)#switchport port-security
-> enables port security on the port with all the default values.
(config-if)#switchport port-security maximum 1
-> allow only 1 MAC address
(config-if)#switchport port-security mac-address sticky
-> learn the first MAC address seen and keep it as the secure address
(config-if)#switchport port-security violation [protect | restrict | shutdown]
-> default: shutdown
-> protect: only allow traffic from the secure MAC addresses and silently drop frames from other MACs
-> restrict: drop them and alert the admin

#debug ip packet detail access-list-num

(config)#access-list 102 permit udp any any eq rip
-> permit Routing Information Protocol (RIP)
(config)#access-list 102 permit igrp any any
-> permit Interior Gateway Routing Protocol (IGRP)
(config)#access-list 102 permit eigrp any any
-> permit Enhanced IGRP (EIGRP)
(config)#access-list 102 permit ospf any any
-> permit Open Shortest Path First (OSPF)
(config)#access-list 102 permit tcp any any eq 179
-> permit Border Gateway Protocol (BGP)

Configure SSH:
(config)#ip domain-name mydomain.com
(config)#crypto key generate rsa
(config)#ip ssh version 2
(config)#ip ssh time-out 120
(config)#ip ssh authentication-retries 3
(config)#line vty 0 15
(config-line)#transport input ssh
-> ssh only, disable telnet

DHCP snooping:
(config)#ip dhcp snooping
(config)#ip dhcp snooping vlan 99
(config-if)#ip dhcp snooping trust
-> on the uplink toward the legitimate DHCP server
(config-if)#ip dhcp snooping limit rate 10

(config)#no ip http server

(config)#access-list my_access_list_num permit my_ip_address
(config)#access-list my_access_list_num deny any
(config)#line vty 0 4
(config-line)#access-class my_access_list_num in
(config-line)#exec-timeout 5 0
-> line times out after 5 minutes + 0 seconds idle
(config-line)#privilege level 12
-> level 15 (1111) is highest.
(config)#ip http access-class my_access_list_num
>> allows only my_ip_address to reach the vty lines and the HTTP server.
(config)#access-list 123 permit ip host my_manager_ip host current_router_ip
(config)#access-list 123 deny ip any any
>> encrypt traffic to the management station; traffic to all other IPs is denied (not encrypted).
(config)#crypto ipsec transform-set my_transform_name ah-md5-hmac esp-des
(config)#crypto map my_map policy_id ipsec-isakmp
(config-crypto-map)#set peer manage_ip
(config-crypto-map)#set transform-set my_transform_name
(config-crypto-map)#match address 123
(config)#int s0/1
(config-if)#crypto map my_map

(config)#ip http authentication [enable | local | tacacs | aaa]

(config)#crypto isakmp policy policy_num
>> create a security policy #
(config-isakmp)#authentication pre-share


(config)#username jdoe privilege 5 [password joes_passwd]
(config)#privilege exec level 2 clear line
(config)#privilege exec level 10 telnet
(config)#privilege exec level 10 debug
(config)#privilege exec level 15 show access-lists
(config)#privilege exec level 15 show logging
--> only level 15 can see logging
--> enable moves up to level 15
#disable 2
--> move down to level 2

AAA - authentication, authorization, accounting
(config)#aaa new-model
(config)#aaa authentication login default local
(config)#line vty 0 4
(config-line)#login authentication default
--> apply the default aaa authentication list to each telnet (vty) line
(config)#tacacs-server host x.x.x.x
(config)#tacacs-server key my_tkey
(config)#aaa authentication login default group tacacs+ local
--> use the tacacs+ server first; if it is unreachable, fall back to the local login database
(config)#aaa authentication enable default group tacacs+ enable
(config)#ip http authentication aaa
(config)#aaa authorization exec default group tacacs+ if-authenticated
(config)#aaa authorization commands 15 default group tacacs+ if-authenticated
--> allow authenticated users to run any command at their current level
(config)#radius-server host y.y.y.y
(config)#radius-server key my_rkey
(config)#aaa authentication login default group radius local
(config)#aaa authentication enable default group radius enable
(config)#line con 0
(config-line)#login authentication default
(config)#kerberos local-realm my_kserver.com
(config)#kerberos server my_kserver.com my_k_ip
(config)#kerberos srvtab remote my_k_ip srvtab-filename
(config)#kerberos credentials forward
(config)#aaa authentication login default krb5 local
(config)#line vty 0 4
(config-line)#login authentication default

(config)#key chain myKeyName
(config-keychain)#key 1
(config-keychain-key)#key-string xxx
(config)#interface s0/0/0
(config-if)#ip authentication mode eigrp 1 md5
(config-if)#ip authentication key-chain eigrp 1 myKeyName

(config)#interface s0/0/1
(config-if)#ip ospf message-digest-key 1 md5 mykey
(config-if)#ip ospf authentication message-digest
(config)#router ospf process_id
(config-router)#area 0 authentication message-digest

(config)#access-list 16 permit x.y.0.0 0.0.255.255
(config)#access-list 16 deny any
(config)#interface s0/0
(config-if)#ip access-group 16 out
(config-if)#no ip redirects
(config-if)#no ip directed-broadcast
(config-if)#no ip mask-reply
(config-if)#no ip unreachables
(config-if)#no ip proxy-arp
(config-if)#no cdp enable
(config-if)#ip verify unicast reverse-path
(config-if)#ntp disable
(config-if)#ip access-group 101 in
(config-if)#ip access-group 102 out
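Added example (Python, not part of these notes): how a standard numbered ACL such as access-list 16 above is evaluated, with the wildcard-mask match, first-match-wins ordering and the implicit deny at the end. The x.y.0.0 placeholder is filled with a constructed documentation address.

```python
import ipaddress

# Constructed sample mirroring the 'access-list 16' lines above, with x.y.0.0 filled in
# as 198.51.0.0 (a documentation-style address, not from the page).
ACL_16 = """
access-list 16 permit 198.51.0.0 0.0.255.255
access-list 16 deny any
"""

def parse_standard_acl(text):
    """Return [(action, network_int, wildcard_int)] for standard numbered ACL lines."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action = parts[2]
        if parts[3] == "any":
            net, wildcard = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            net, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            # A wildcard of 0.0.0.0 (or none given) means every bit must match: a single host.
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, net, wildcard))
    return entries

def acl_decision(entries, src_ip):
    """Evaluate top-down; the first matching entry wins; unmatched traffic hits the implicit deny."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for action, net, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF   # 0 bits in the wildcard are the bits that must match
        if (addr & care) == (net & care):
            return action
    return "deny"                       # implicit 'deny any' at the end of every ACL
```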

(config)#ntp authenticate
(config)#ntp authentication-key 12 md5 mykey
(config)#ntp trusted-key 12
(config)#ntp server x.x.y.y key 12

(config)#logging console
(config)#logging on
(config)#logging buffered 32000
--> 32000 byte logging buffer
(config)#logging trap debugging
(config)#logging x.y.z.b
--> send syslog messages to the syslog server at x.y.z.b.
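Added example (Python, not part of these notes): a small audit that reads IOS running-config text and reports which of the hardening items above (ssh-only vty lines with access-class and exec-timeout, no ip http server, ntp authenticate, logging buffered, and per-interface no ip redirects / no ip proxy-arp / no cdp enable) are missing. The config sample is constructed and deliberately incomplete.

```python
# Constructed sample running-config (not from the page); it omits some hardening items on purpose.
SAMPLE_CONFIG = """
ip ssh version 2
ip http server
logging buffered 32000
interface Serial0/0/0
 no ip redirects
 no ip proxy-arp
 no cdp enable
interface FastEthernet0/0
 no ip redirects
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
"""
# Hardening items from the notes above, grouped by the scope they must appear in.
GLOBAL_REQUIRED = ["ip ssh version 2", "no ip http server", "ntp authenticate", "logging buffered"]
INTERFACE_REQUIRED = ["no ip redirects", "no ip proxy-arp", "no cdp enable"]
VTY_REQUIRED = ["transport input ssh", "access-class", "exec-timeout"]

def sections(config):
    """Split IOS config text into (header, [sub-lines]); top-level commands go under 'global'."""
    blocks = [("global", [])]
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" "):            # indented: belongs to the current interface/line block
            blocks[-1][1].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            blocks.append((raw.strip(), []))
        else:
            blocks[0][1].append(raw.strip())
    return blocks

def present(lines, item):
    # 'transport input ssh' must match exactly so 'transport input telnet ssh' does not pass.
    return item in lines if item == "transport input ssh" else any(l.startswith(item) for l in lines)

def audit(config):
    """Return sorted 'scope: missing item' findings for the hardening checklist."""
    scope_rules = {"global": GLOBAL_REQUIRED, "interface ": INTERFACE_REQUIRED, "line vty": VTY_REQUIRED}
    findings = []
    for header, lines in sections(config):
        for prefix, required in scope_rules.items():
            if header.startswith(prefix):
                findings += [f"{header}: missing '{i}'" for i in required if not present(lines, i)]
    return sorted(findings)
```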