[CCNA] Cisco Commands Cheat Sheet #4

Continuing our Cisco Commands Cheat Sheet for CCNA students, this is our 4th post.

Access Control Lists:

Standard ACL: 1 – 99 and 1300 – 1999

  • Use a remark to describe the ACL (Optional):
R1(config)# access-list 1 remark ACL TO DENY ACCESS FROM SALES VLAN
  • Create the ACL, keeping the following in mind:
    • ACL uses first-match logic.
    • There is an implicit deny any at the end of the ACL.
R1(config)# access-list 2 deny 192.168.1.77
R1(config)# access-list 2 deny 192.168.1.64 0.0.0.31
R1(config)# access-list 2 permit 10.1.0.0 0.0.255.255
R1(config)# access-list 2 deny 10.0.0.0 0.255.255.255
R1(config)# access-list 2 permit any
  • Enable the ACL on the chosen router interface in the correct direction (in or out):
R1(config-if)# ip access-group 2 out
  • Using standard ACL to limit telnet and SSH access to a router:

Create the ACL that defines the permitted telnet clients:

R1(config)# access-list 99 remark ALLOWED TELNET CLIENTS
R1(config)# access-list 99 permit 192.168.1.128 0.0.0.15

Apply the ACL inbound on the vty lines:

R1(config)# line vty 0 4
R1(config-line)# access-class 99 in

Extended ACL: 100 – 199 and 2000 – 2699

  • Extended ACLs should be placed as close as possible to the source of the packet.
  • Extended ACLs match packets based on source and destination IP addresses, protocol, source and destination port numbers, and other criteria as well.
R1(config)# access-list 101 remark MY_ACCESS_LIST
R1(config)# access-list 101 deny ip host 10.1.1.1 host 10.2.2.2
R1(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 23
R1(config)# access-list 101 deny icmp 10.1.1.1 0.0.0.0 any
R1(config)# access-list 101 deny tcp host 10.1.1.0 host 10.0.0.1 eq 80
R1(config)# access-list 101 deny udp host 10.1.1.7 eq 53 any
R1(config)# access-list 101 permit ip any any
R1(config)# interface fastEthernet 0/0
R1(config-if)# ip access-group 101 in
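As an added example (not part of the original cheat sheet), the Python below models how IOS walks ACL 2 and ACL 101 from above with first-match logic and wildcard masks, ending in the implicit deny; the `udp ... eq 53` line is left out because this small model only matches destination ports.

```python
import ipaddress

# Added example (not from the cheat sheet): evaluates Cisco-style ACLs with
# first-match logic. A wildcard mask is an inverted mask: 1 bits are "don't care".
ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword
HOST = "0.0.0.0"                        # wildcard implied by the "host" keyword

def wildcard_match(addr, base, wildcard):
    """True when the bits the wildcard marks as 0 are equal in addr and base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

# ACE = (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
ACL_2 = [  # standard ACL from the text: only the source address is examined
    ("deny",   "ip", "192.168.1.77", HOST,            *ANY, None),
    ("deny",   "ip", "192.168.1.64", "0.0.0.31",      *ANY, None),
    ("permit", "ip", "10.1.0.0",     "0.0.255.255",   *ANY, None),
    ("deny",   "ip", "10.0.0.0",     "0.255.255.255", *ANY, None),
    ("permit", "ip", *ANY,                            *ANY, None),
]

ACL_101 = [  # extended ACL from the text (the udp eq 53 source-port line is omitted)
    ("deny",   "ip",   "10.1.1.1", HOST,        "10.2.2.2", HOST, None),
    ("deny",   "tcp",  "10.1.1.0", "0.0.0.255", *ANY,             23),
    ("deny",   "icmp", "10.1.1.1", HOST,        *ANY,             None),
    ("deny",   "tcp",  "10.1.1.0", HOST,        "10.0.0.1", HOST, 80),
    ("permit", "ip",   *ANY,                    *ANY,             None),
]

def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """Return the action of the first matching ACE, or 'deny' (implicit deny any)."""
    for action, p, s, s_wc, d, d_wc, port in acl:
        if p != "ip" and p != proto:          # "ip" matches every IP protocol
            continue
        if not (wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc)):
            continue
        if port is not None and port != dport:
            continue
        return action                          # first match wins; later lines are never read
    return "deny"                              # the implicit deny any at the end

if __name__ == "__main__":
    for ip in ("192.168.1.77", "192.168.1.70", "10.1.5.5", "10.2.0.1", "172.16.0.1"):
        print(f"ACL 2: {ip:14} -> {evaluate(ACL_2, ip)}")
    # Same two lines in the opposite order: first-match logic now denies 10.1.5.5.
    print("reordered:", evaluate([ACL_2[3], ACL_2[2]], "10.1.5.5"))
```

Swapping the `permit 10.1.0.0 0.0.255.255` and `deny 10.0.0.0 0.255.255.255` lines flips the result for 10.1.5.5, which is why statement order matters as much as the statements themselves.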

Named ACL:

  • Named ACLs use names rather than numbers to identify ACLs, and the commands that permit or deny traffic are entered in a sub-mode called named ACL mode (nacl).
  • Named ACLs can be edited in place (deleting or inserting statements) because every statement carries a sequence number.
  • Named standard ACL:
R1(config)# ip access-list standard MY_STANDARD_ACL
R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)# deny 10.2.2.2
R1(config-std-nacl)# permit any
R1(config)# interface fastEthernet 0/1
R1(config-if)# ip access-group MY_STANDARD_ACL out
  • Named extended ACL:
R1(config)# ip access-list extended MY_EXTENDED_ACL
R1(config-ext-nacl)# deny icmp 10.1.1.1 0.0.0.0 any
R1(config-ext-nacl)# deny tcp host 10.1.1.0 host 10.0.0.1 eq 80
R1(config-ext-nacl)# permit ip any any
R1(config)# interface fastEthernet 0/1
R1(config-if)# ip access-group MY_EXTENDED_ACL in
  • Editing ACL using sequence numbers:
R1(config)# ip access-list extended MY_EXTENDED_ACL
R1(config-ext-nacl)# no 20    ! Deletes the statement of sequence number 20
R1(config)# ip access-list standard 99
R1(config-std-nacl)# 5 deny 1.1.1.1    ! inserts a statement with sequence 5

Verifying ACLs:

  • Shows all ACLs configured on a router with counters at the end of each statement:
R1# show access-lists
! OR
R1# show ip access-list
  • Shows only the specified ACL:
R1# show ip access-list 101
  • Shows, among the interface details, which ACLs are enabled on that interface inbound and outbound:
R1# show ip interface f0/0

DHCP Server

  • Define a DHCP pool and give it a name:
R1(config)# ip dhcp pool MY_POOL
  • Define the network and mask for this pool and the default gateway:
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
  • Define one or more DNS servers (OPTIONAL):
R1(dhcp-config)# dns-server 213.131.65.20 8.8.8.8
  • Set the lease time (OPTIONAL):
R1(dhcp-config)# lease 2    ! Days
  • Define one or more ranges of excluded (reserved) addresses (OPTIONAL):
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.100
R1(config)# ip dhcp excluded-address 192.168.1.200 192.168.1.254

DHCP Verification and Troubleshooting:

  • Shows the status of the specified pool and the leased addresses from that pool:
R1# show ip dhcp pool POOL_1
  • Shows all the leased IP addresses from all configured DHCP pools:
R1# show ip dhcp binding
  • Shows any conflicts that occurred:
R1# show ip dhcp conflict

Enjoy!
