Cisco Commands: Difference between revisions

From Lucca's Wiki
(84 intermediate revisions by 3 users not shown)
= Cisco IOS Command Reference =
A quick-reference guide for common Cisco IOS commands on switches and routers.
----

== Device & System Information ==

=== Show MAC Address Table ===
<pre>
show mac address-table
</pre>

=== Show OS and Device Version ===
<pre>
show version
</pre>

=== Show Logged-in Users ===
<pre>
show users
</pre>

=== Show Files ===
<pre>
dir
dir nvram:
</pre>

----

== Configuration Files ==

=== Erase Configurations ===
<pre>
erase startup-config
delete flash:vlan.dat
</pre>

=== Show Configurations ===
<pre>
show running-config
show startup-config
</pre>

=== Show Interface Config ===
<pre>
show run interface g0/0
</pre>

=== Filter Running Config (grep-like) ===
<pre>
show run | include {searchterm}
show run | exclude {searchterm}
show run | begin {searchterm}
show run | section {section-name}
</pre>

=== Save Running Config ===
<pre>
copy running-config startup-config
copy run start
wr
</pre>

----

== User Privileges & Security ==

=== Enter Privileged Mode ("elevate to root") ===
<pre>
enable
</pre>

=== Set Encrypted Enable Password ===
<pre>
enable secret ThisisaSecret
</pre>

=== Encrypt Plaintext Passwords (Weak Encryption) ===
You can decrypt these with publicly available tools like https://keydecryptor.com/decryption-tools/cisco7
<pre>
service password-encryption
</pre>

----

== Interface & Network Status ==

=== Interface IP Summary ===
<pre>
show ip interface brief
show ipv6 interface brief
</pre>

=== Interface IP Summary (filtered to only interfaces with IPs) ===
<pre>
show ip interface brief | exclude unassigned
</pre>

== VLAN & Switching ==

=== Show VLANs ===
<pre>
show vlan brief
</pre>

=== Show Interface VLAN Details ===
<pre>
show interface g0/1 switchport
</pre>

=== Show Trunk Interfaces ===
<pre>
show int trunk
</pre>

=== Clear Tables ===
<pre>
clear mac address-table
clear arp-cache
</pre>

----

== Telnet & Remote Access ==

=== Connect via Telnet ===
<pre>
connect {DeviceName}
</pre>

=== Show Hosts & Sessions ===
<pre>
show hosts
show sessions
</pre>

=== Disconnect Session ===
<pre>
disconnect {DeviceName}
</pre>

=== Suspend Active Session ===
<pre>
Ctrl+Shift+6, then x
</pre>

----

== SSH Configuration ==

=== Basic SSH Setup ===
<pre>
ip domain-name cisco.com
crypto key generate rsa
ip ssh version 2
</pre>

=== Generate RSA Keys (1-liner) ===
<pre>
crypto key generate rsa general-keys modulus 1024
</pre>

=== Remove RSA Keys ===
<pre>
crypto key zeroize rsa
</pre>

=== Create Local User ===
<pre>
username admin secret ccna
</pre>

=== Set Default Gateway (switch) ===
<pre>
ip default-gateway 192.168.10.1
</pre>

=== Enable SSH on VTY Lines ===
<pre>
line vty 0 15
 transport input ssh
 login local
 exit
</pre>

----

== Global Configuration Mode ==

=== Enter Global Config ===
<pre>
configure terminal
</pre>

=== Disable DNS Lookup on Typos ===
<pre>
no ip domain-lookup
</pre>

=== Set MOTD Banner ===
<pre>
banner motd MESSAGEHERE
</pre>

=== Set Hostname ===
<pre>
hostname HOSTNAME
</pre>

----

== Line Configuration ==

=== Console Line ===
<pre>
line con 0
 password itsasecret
 login
</pre>

=== VTY Lines ===
<pre>
line vty 0 15
 password itsasecret
 login
</pre>
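To check a device against the VTY, SSH and password guidance in the sections above, here is an added Python audit script (not part of this wiki page or of IOS) that runs over a constructed running-config excerpt; the regexes, the severity labels and the two sample configs are this example's own assumptions.

```python
import re

# Constructed running-config excerpt (not captured from a real device): a VTY
# block that still accepts telnet, line passwords stored with the reversible
# Type 7 scheme, 'enable password' instead of 'enable secret', and SSHv1.
SAMPLE_CONFIG = """\
hostname SW1
service password-encryption
enable password 7 094F471A1A0A
username admin secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
ip ssh version 1
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
line vty 5 15
 transport input ssh
 login local
"""

# The same device after applying the hardening commands from this page.
HARDENED_CONFIG = """\
hostname SW1
enable secret 9 $9$PLACEHOLDER
username admin secret 9 $9$PLACEHOLDER
ip ssh version 2
line con 0
 login local
line vty 0 15
 transport input ssh
 login local
"""


def parse_lines(config):
    """Group each 'line ...' header with its indented sub-commands.

    Returns {header: [sub-command, ...]}; any non-indented command ends
    the current section, which is how IOS itself scopes line config.
    """
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit(config):
    """Return a list of (severity, finding) tuples; an empty list means clean."""
    findings = []
    if re.search(r"^enable password\b", config, re.M):
        findings.append(("high", "'enable password' in use; replace with 'enable secret'"))
    type7 = re.findall(r"^\s*(?:enable )?password 7 \S+", config, re.M)
    if type7:
        findings.append(("high", f"{len(type7)} Type 7 password(s); reversible with public tools"))
    # A line password with no type digit (or type 0) is stored in plaintext.
    if re.search(r"^\s*password (?:0 )?(?!\d \S)\S+", config, re.M):
        findings.append(("high", "plaintext line password; use 'login local' with user secrets"))
    ssh = re.search(r"^ip ssh version (\d)", config, re.M)
    if not ssh or ssh.group(1) != "2":
        findings.append(("high", "SSHv2 not enforced; add 'ip ssh version 2'"))
    for header, cmds in parse_lines(config).items():
        if not header.startswith("line vty"):
            continue
        for cmd in cmds:
            if cmd.startswith("transport input") and ("telnet" in cmd or cmd.endswith(" all")):
                findings.append(("high", f"{header}: '{cmd}' admits telnet; use 'transport input ssh'"))
        if "login" in cmds and "login local" not in cmds:
            findings.append(("medium", f"{header}: line-password login; prefer 'login local'"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for severity, text in audit(cfg):
            print(f"  [{severity}] {text}")
```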
----

== Interface Configuration ==

=== Interface Selection ===
<pre>
interface vlan 1
interface fa0/1
interface range fa0/2-3
interface range fa0/2-3,g0/1
</pre>

=== Enable Interface ===
<pre>
no shutdown
</pre>

=== Assign IPv4 Address ===
<pre>
ip address 192.168.0.1 255.255.255.0
</pre>

=== Assign IPv4 Default Gateway (Switch) ===
<pre>
ip default-gateway 192.168.0.254
</pre>
 
== Interface IPv6 Configuration ==
 
=== Assign IPv6 Address ===
<pre>
ipv6 address 2001:DB8:CAFE:1::1/64
</pre>
 
=== Assign Link-Local Address ===
<pre>
ipv6 address fe80::1 link-local
</pre>
 
=== Remove IPv6 Addresses ===
<pre>
no ipv6 address 2001:DB8:CAFE:1::1/64
no ipv6 address
</pre>
 
=== IPv6 ND Other-Config Flag ===
Sets the "Other Configuration" flag in the IPv6 Neighbor Discovery (ND) router advertisements sent from this interface. When set, it tells IPv6 hosts to obtain additional configuration (such as DNS server addresses) via DHCPv6, even though they already have a stateless autoconfigured address.
<pre>
ipv6 nd other-config-flag
</pre>
 
----
 
== VLAN Configuration ==
 
=== Create / Configure VLAN ===
<pre>
vlan 10
name MyAwesomeVlan
</pre>
 
----
 
== Access / Trunk Switchport Configuration ==
 
=== Access Port ===
Configures the interface as an access port and assigns it to VLAN 10.
  switchport mode access
  switchport access vlan 10

=== Trunk Port ===
Configures the interface as a trunk port using 802.1Q encapsulation.
  switchport trunk encapsulation dot1q
  switchport mode trunk

=== Trunk Allowed VLANs ===
Specifies which VLANs are allowed to traverse the trunk link.
  switchport trunk allowed vlan 10,20,33,99

=== Trunk Native VLANs ===
Sets the native VLAN for untagged traffic on the trunk.
  switchport trunk native vlan 99

=== Trunk Nonegotiate ===
Disables DTP (Dynamic Trunking Protocol) negotiation on the trunk interface.
  switchport nonegotiate
 
== EtherChannel Configuration ==
 
=== Create EtherChannel (LACP Active) ===
Configures interfaces to actively negotiate EtherChannel using LACP.
interface range g0/1 - 2
  channel-group 1 mode active
 
=== Create EtherChannel (LACP Passive) ===
Configures interfaces to respond to LACP negotiation.
interface range g0/1 - 2
  channel-group 1 mode passive
 
=== Create EtherChannel (On Mode) ===
Forces EtherChannel without negotiation protocol.
interface range g0/1 - 2
  channel-group 1 mode on
 
=== Configure Port-Channel as Access Port ===
Applies access configuration to the logical Port-Channel interface.
interface port-channel 1
  switchport mode access
  switchport access vlan 10
 
=== Configure Port-Channel as Trunk ===
Applies trunk configuration to the logical Port-Channel interface.
interface port-channel 1
  switchport trunk encapsulation dot1q
  switchport mode trunk
 
=== Verify EtherChannel ===
Displays EtherChannel status and summary information.
show etherchannel summary
 
=== Verify Port-Channel Interface ===
Displays detailed information about the Port-Channel interface.
show interfaces port-channel 1
 
 
== DHCP ==
 
=== Configure a DHCP Server on a Cisco Router ===
Assigns IP addresses automatically to clients on a network.
 
<pre>
ip dhcp excluded-address 192.168.1.1 192.168.1.10
! Exclude addresses that should not be assigned dynamically
 
ip dhcp pool LAN_POOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
</pre>
 
* ''excluded-address'': Prevents certain IPs from being assigned (like static IPs for servers or routers). 
* ''network'': Defines the subnet for DHCP clients. 
* ''default-router'': Sets the gateway IP for clients. 
* ''dns-server'': Specifies DNS servers for clients. 
* ''lease'': Duration the IP is valid (in days). 
 
=== Configure DHCP Relay (IP Helper) ===
Forwards DHCP requests from clients to a remote DHCP server.
 
<pre>
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.2.100
</pre>
 
* ''ip helper-address'': IP of the DHCP server to forward requests to. 
* Needed when the server is on a different subnet. 
 
=== Verify DHCP Status ===
<pre>
show ip dhcp binding      ! Shows assigned IP addresses
show ip dhcp pool        ! Shows pool usage and statistics
show running-config      ! Check DHCP configuration
</pre>
 
=== Best Practices ===
* Exclude static IP addresses from DHCP pools. 
* Use ''DHCP relay'' when clients and server are on different subnets. 
* Monitor DHCP bindings to prevent IP conflicts.
 
== Spanning Tree ==
 
=== Enable PortFast on an interface ===
Use PortFast on edge/access ports that connect to end devices.
 
interface GigabitEthernet0/1
  spanning-tree portfast
 
=== Enable PortFast globally ===
Enables PortFast on all access ports.
 
spanning-tree portfast default
 
=== Enable PortFast on a trunk (use with caution) ===
Only use when the trunk connects to a single end device (not another switch).
 
interface GigabitEthernet0/1
  spanning-tree portfast trunk
 
=== Verify PortFast status ===
 
show spanning-tree interface GigabitEthernet0/1 detail
 
=== Disable PortFast on an interface ===
 
interface GigabitEthernet0/1
  no spanning-tree portfast
 
=== Best Practice: Enable BPDU Guard with PortFast ===
Shuts down the port if a BPDU is received, protecting against loops.
 
Per interface:
interface GigabitEthernet0/1
  spanning-tree portfast
  spanning-tree bpduguard enable
 
Globally:
spanning-tree portfast default
spanning-tree bpduguard default
 
=== Set the Root Bridge ===
The root bridge is the central switch in the spanning tree topology. It is chosen based on the lowest bridge priority. A lower priority value increases the likelihood of a switch becoming the root bridge.
 
Set priority to influence root bridge selection:
* The default priority value is '''32768''' for all switches.
* Priority is set in increments of '''4096''', and this value is added to the VLAN ID (e.g., for VLAN 1, the default bridge priority would be 32768).
 
To influence the root bridge selection, change the priority value (this is a global configuration command, not an interface command):
spanning-tree vlan 1 priority 4096
  (Sets a lower priority value, increasing the likelihood of this switch becoming the root bridge for VLAN 1)
 
Set the root bridge for a specific VLAN:
* To make the current switch the root bridge:
spanning-tree vlan 1 root primary
  (This automatically sets the priority lower than the default value, typically to 24576, to ensure this switch becomes the root bridge)
 
* To make the current switch the backup root bridge:
spanning-tree vlan 1 root secondary
  (This sets the priority higher than the primary root, typically to 28672, making it the backup root bridge)
 
Alternatively, manually set the root bridge priority (global configuration mode):
spanning-tree vlan 1 priority 24576
  (Sets a lower priority value of 24576, making this switch more likely to become the root bridge)
 
=== Verify Root Bridge ===
 
show spanning-tree vlan 1
(Shows the current root bridge and its priority, along with other STP details)
 
=== Notes ===
* Do '''not''' enable PortFast on ports connected to other switches (this can cause network loops).
* PortFast should only be used on access/edge ports that connect to end devices like PCs, printers, or phones.
* Incorrect use of PortFast can cause Layer 2 loops.
* The default priority value is '''32768''', and it is adjusted in increments of '''4096'''.
* Lower priority values increase the likelihood of becoming the root bridge.
* The priority value combined with the MAC address (if priorities are equal) is used to determine the root bridge.
 
== DHCP Snooping ==
 
=== Enable DHCP Snooping globally ===
Enable DHCP Snooping for the switch.
 
ip dhcp snooping
 
=== Enable DHCP Snooping on a VLAN ===
DHCP Snooping only operates on specified VLANs.
 
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
 
=== Configure trusted interfaces ===
Mark uplinks or ports connected to legitimate DHCP servers as trusted.
 
interface GigabitEthernet0/1
  ip dhcp snooping trust
 
=== Untrusted interfaces (default) ===
Access ports are untrusted by default. DHCP server responses are blocked.
 
interface GigabitEthernet0/2
  no ip dhcp snooping trust
 
=== Configure DHCP Snooping rate limiting ===
Protect against DHCP starvation attacks. Limits the port to 15 DHCP packets per second; a port that exceeds the limit is treated as a violation.
 
interface GigabitEthernet0/2
  ip dhcp snooping limit rate 15
 
=== Verify DHCP Snooping status ===
 
show ip dhcp snooping
show ip dhcp snooping binding
 
=== Disable DHCP Snooping ===
 
no ip dhcp snooping
no ip dhcp snooping vlan 10
 
=== Notes ===
* Only trusted ports can send DHCP server messages
* Access ports should remain untrusted
* Commonly used with '''Dynamic ARP Inspection''' and '''IP Source Guard'''
* Requires correct VLAN configuration to function properly
 
== Dynamic ARP Inspection (DAI) ==
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets against a trusted database (typically built by DHCP Snooping) to prevent ARP spoofing and man-in-the-middle attacks. It intercepts ARP packets on untrusted ports, checks IP-to-MAC bindings, and drops invalid ones.
 
=== Enable DAI globally ===
Dynamic ARP Inspection requires DHCP Snooping to be enabled first (DAI uses the DHCP snooping binding table for validation).
 
ip arp inspection
 
=== Enable DAI on a VLAN ===
Specify which VLANs should be protected.
 
ip arp inspection vlan 10
ip arp inspection vlan 20
ip arp inspection vlan 10,20  (alternative: range)
 
=== Configure trusted interfaces ===
Trust uplinks and ports connected to other switches, routers, DHCP servers, or devices that should bypass DAI checks.
 
interface GigabitEthernet0/1
  ip arp inspection trust
 
Trusted ports forward ARP packets without validation.
 
=== Untrusted interfaces (default) ===
Access ports are untrusted by default. Invalid ARP packets are dropped.
 
interface GigabitEthernet0/2
  no ip arp inspection trust  (optional; this is the default)
 
=== Configure ARP rate limiting ===
Protect against ARP flooding/DoS attacks. Default is 15 pps on untrusted ports (exceeding this can put the port in err-disable).
 
interface GigabitEthernet0/2
  ip arp inspection limit rate 15  (example: 15 packets per second)
  ip arp inspection limit rate 100 burst interval 1  (optional: higher rate with burst)
 
=== Additional Validation Checks ===
By default, DAI validates only IP-to-MAC bindings from the DHCP snooping database. Enable extra checks (global config mode) to catch malformed ARP packets (highly recommended for stronger security).
 
ip arp inspection validate src-mac
ip arp inspection validate src-mac dst-mac ip  (common: enable all three)
 
Options:
* '''src-mac''' — Checks source MAC in Ethernet header vs. sender MAC in ARP body (for requests and replies).
* '''dst-mac''' — Checks destination MAC in Ethernet header vs. target MAC in ARP body (mainly for replies).
* '''ip''' — Checks for invalid/unexpected IP addresses (e.g., 0.0.0.0, 255.255.255.255, multicast IPs) in ARP body.
 
Each new <code>ip arp inspection validate</code> command '''overrides''' previous ones, so specify all desired options together.
 
To disable: <code>no ip arp inspection validate [src-mac] [dst-mac] [ip]</code>
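As an added illustration (not Cisco code) of what the binding check and the three validate options above actually compare, the following Python models DAI over constructed ARP frames and a constructed DHCP snooping binding table; the function names, the drop-reason strings and the sample MAC/IP values are this example's own assumptions.

```python
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = 0x0806


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op, eth_src, eth_dst, sha, spa, tha, tpa):
    """Construct an Ethernet+ARP frame from string MACs and IPs."""
    body = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac(sha), ipaddress.IPv4Address(spa).packed,
                        mac(tha), ipaddress.IPv4Address(tpa).packed)
    return ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + body


def parse_arp(frame):
    """Split a frame into the Ethernet and ARP fields that DAI compares."""
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": eth_src, "eth_dst": eth_dst, "op": op, "sha": sha, "tha": tha,
            "spa": ipaddress.IPv4Address(spa), "tpa": ipaddress.IPv4Address(tpa)}


def bad_ip(addr):
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255, multicast."""
    return (addr == ipaddress.IPv4Address("0.0.0.0")
            or addr == ipaddress.IPv4Address("255.255.255.255")
            or addr.is_multicast)


def inspect(frame, bindings, trusted=False, validate=()):
    """Return [] if DAI would forward the frame, else the list of drop reasons.

    bindings: {IPv4Address: raw sender MAC}, i.e. the DHCP snooping table.
    validate: subset of {"src-mac", "dst-mac", "ip"}, mirroring the options
              of 'ip arp inspection validate ...'.
    """
    if trusted:
        return []  # trusted ports are forwarded without any check
    p = parse_arp(frame)
    reasons = []
    # Core check: the sender IP/MAC pair must exist in the binding table.
    if bindings.get(p["spa"]) != p["sha"]:
        reasons.append("sender IP/MAC pair not in DHCP snooping bindings")
    if "src-mac" in validate and p["eth_src"] != p["sha"]:
        reasons.append("src-mac: Ethernet source != ARP sender MAC")
    if "dst-mac" in validate and p["op"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        reasons.append("dst-mac: Ethernet destination != ARP target MAC")
    # 'ip': sender IP is checked in requests and replies, target IP only in replies.
    if "ip" in validate and (bad_ip(p["spa"]) or (p["op"] == ARP_REPLY and bad_ip(p["tpa"]))):
        reasons.append("ip: invalid sender/target IP in ARP body")
    return reasons


# Constructed binding table: what DHCP snooping would have learned on the access VLAN.
BINDINGS = {ipaddress.IPv4Address("192.168.10.5"): mac("00:11:22:33:44:55")}
ALL_CHECKS = ("src-mac", "dst-mac", "ip")
HOST, GW, ROGUE = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"

# Reply from the bound host to the gateway: consistent on every field.
LEGIT = build_arp(ARP_REPLY, HOST, GW, HOST, "192.168.10.5", GW, "192.168.10.1")
# Test frame an untrusted port should drop: it claims the gateway's IP (no binding)
# and its Ethernet source disagrees with the ARP sender MAC.
SPOOFED = build_arp(ARP_REPLY, ROGUE, GW, HOST, "192.168.10.1", GW, "192.168.10.7")
# Binding-valid reply with a broadcast target IP: only the 'ip' option catches it.
MALFORMED = build_arp(ARP_REPLY, HOST, "ff:ff:ff:ff:ff:ff", HOST, "192.168.10.5",
                      "ff:ff:ff:ff:ff:ff", "255.255.255.255")

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT), ("spoofed", SPOOFED), ("malformed", MALFORMED)):
        print(name, "no validate:", inspect(frame, BINDINGS))
        print(name, "all checks: ", inspect(frame, BINDINGS, validate=ALL_CHECKS))
```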
 
=== Verify DAI status ===
show ip arp inspection
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics  (shows drops, rate limit violations)
show ip arp inspection log  (logs of dropped packets)
 
=== Disable DAI ===
no ip arp inspection
no ip arp inspection vlan 10
 
=== Notes ===
* Requires '''DHCP Snooping''' to build the ARP binding table (enable with <code>ip dhcp snooping</code> + <code>ip dhcp snooping vlan ...</code>).
* Only trusted ports can send unlimited ARP replies/packets (no validation or rate limiting).
* Access ports should remain '''untrusted''' to enforce checks.
* Commonly deployed with '''PortFast + BPDU Guard''' on access ports for loop/spanning-tree protection.
* For non-DHCP environments, use static ARP ACLs: <code>ip arp inspection filter arp-acl-name vlan 10</code>.
* Often combined with '''IP Source Guard''' (<code>ip verify source</code>) on access ports to filter IP traffic based on the same bindings.
* Rate limiting helps prevent DoS; monitor with <code>show ip arp inspection statistics</code> and consider <code>errdisable recovery cause arp-inspection</code> for automatic port recovery.
* Additional validation (<code>src-mac</code>, <code>dst-mac</code>, <code>ip</code>) catches MAC spoofing or malformed packets beyond basic binding checks—enable at least <code>src-mac</code> and <code>ip</code> in most production setups.
* DAI is ingress-only (checks incoming packets on untrusted ports).
 
== Port Security ==
 
=== View status of port security on an interface ===
show port-security interface f0/1
 
=== Activate Port Security on an interface ===
The port must be a static access port (port security is not supported on dynamic/auto ports):
switchport mode access
Enable port security:
switchport port-security
 
=== Set the maximum number of mac addresses that can be used on that port ===
switchport port-security maximum 1
 
=== Whitelist a specific mac address ===
switchport port-security mac-address 0001.6311.E7BC
 
=== Enable sticky mode to automatically learn mac addresses ===
switchport port-security mac-address sticky
 
=== Port Security Violation Modes ===
==== Protect ====
Silently drops packets from unknown MAC addresses while keeping the port up and generating no alerts.
switchport port-security violation protect
 
==== Restrict ====
Drops packets from unknown MAC addresses and logs the violation while incrementing the security counter.
switchport port-security violation restrict
 
==== Shutdown ====
Immediately disables the port when an unknown MAC address is detected, placing it into an error-disabled state.
switchport port-security violation shutdown
 
=== Port Security Aging ===
==== Enable static aging on an interface ====
switchport port-security aging static
 
==== Enable timed aging on an interface (5 minutes) ====
switchport port-security aging time 5
 
= Routing =
 
Routing is the process of forwarding packets between different networks using routing tables and routing protocols.
 
=== Enable IP Routing (Layer 3 Switch) ===
Required on multilayer switches to allow routing between VLANs.
 
ip routing
 
=== Enable IPv6 Routing (Routers) ===
 
ipv6 unicast-routing
 
== Static Routing ==
 
=== Configure a Static Route ===
Manually define a path to a remote network. Here's an example using the default administrative distance value.
 
ip route 192.168.2.0 255.255.255.0 192.168.1.1
 
Manually define a path to a remote network and specify the administrative distance.
 
ip route 192.168.2.0 255.255.255.0 192.168.1.1 10
 
Format:
 
ip route <destination-network> <subnet-mask> <next-hop-ip> <administrative-distance (optional)>
 
 
=== Configure a Fully Specified Static Route ===
A fully specified static route includes both the next-hop IP address and the exit interface. This is commonly used on multi-access networks.
 
Example:
 
  ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0 192.168.1.1
 
You can also specify the administrative distance:
 
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0 192.168.1.1 10
 
Format:
 
ip route <destination-network> <subnet-mask> <exit-interface> <next-hop-ip> <administrative-distance (optional)>
 
=== Configure a Default Route / Default Gateway ===
Route used when no specific route matches the destination.
 
ip route 0.0.0.0 0.0.0.0 192.168.1.1
 
ipv6 route ::/0 2001:ABC:33:44::1
 
== Administrative Distance ==
 
Determines which route is preferred when multiple routes to the same destination exist.
 
Common values:
Connected – 0
Static – 1
EIGRP – 90
OSPF – 110
RIP – 120
 
Chart pulled from https://en.wikipedia.org/wiki/Administrative_distance#Default_administrative_distances
{| class="wikitable" style="text-align:center"
! Routing protocol !! Administrative distance
|-
| Directly connected interface || 0 (Only the interface itself has an administrative distance of 0, since a route cannot have a distance of less than 1.)
|-
| Static route || 1
|-
| Dynamic Mobile Network Routing (DMNR) || 3
|-
| EIGRP summary route || 5
|-
| External BGP || 20
|-
| EIGRP internal route || 90
|-
| IGRP || 100
|-
| Open Shortest Path First (OSPF) || 110
|-
| Intermediate System to Intermediate System (IS-IS) || 115
|-
| Routing Information Protocol (RIP) || 120
|-
| Exterior Gateway Protocol (EGP) || 140
|-
| On Demand Routing (ODR) || 160
|-
| EIGRP external route || 170
|-
| Internal BGP || 200
|-
| Next Hop Resolution Protocol (NHRP) || 250
|-
| Default static route learned via DHCP || 254
|-
| Unknown and unused || 255 (An administrative distance of 255 causes the router to remove the route from the routing table and not use it.)
|}
 
== Dynamic Routing ==
 
Dynamic routing protocols automatically exchange routing information between routers.
 
=== Configure RIP v2 ===
Uses hop count as metric (maximum 15 hops).
 
router rip
  version 2
  no auto-summary
  network 192.168.1.0
 
 
=== Configure EIGRP ===
Uses bandwidth and delay as composite metric.
 
router eigrp 100
  no auto-summary
  network 192.168.1.0 0.0.0.255
 
 
=== Configure OSPF ===
Link-state protocol using cost as metric.
 
router ospf 1
  network 192.168.1.0 0.0.0.255 area 0
 
 
== Route Summarization ==
 
Route summarization (aggregation) reduces routing table size by advertising one route that represents multiple networks.
 
Example networks:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
 
Can be summarized as:
192.168.0.0/22
 
 
=== Configure Manual Summarization (EIGRP) ===
Applied on the outgoing interface.
 
interface GigabitEthernet0/0
  ip summary-address eigrp 100 192.168.0.0 255.255.252.0
 
 
=== Configure Manual Summarization (OSPF ABR) ===
Configured under the OSPF process (on an ABR).
 
router ospf 1
  area 0 range 192.168.0.0 255.255.252.0
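An added Python example (not from this page or from Cisco) that computes the summary for a list of prefixes, checks whether the summary covers holes that no input network reaches, and fills in the EIGRP and OSPF summary lines shown in this section; the page's four /24s and a three-network variant are used as constructed inputs, and the function names are this example's own.

```python
import ipaddress


def summarize(prefixes):
    """Smallest single prefix containing every input network.

    Starting from the shortest input mask, shorten the mask one bit at a
    time until the supernet of the lowest network covers all of them.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if not nets or len({n.version for n in nets}) != 1:
        raise ValueError("need one or more prefixes of a single address family")
    nets.sort()
    for length in range(min(n.prefixlen for n in nets), -1, -1):
        candidate = nets[0].supernet(new_prefix=length)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
    raise AssertionError("unreachable: the /0 supernet covers everything")


def uncovered(prefixes, summary):
    """Address blocks inside `summary` that no input network claims.

    Anything returned here is advertised by the summary yet unreachable
    through this router: a black hole, or a routing loop if a default
    route points back at the advertiser.
    """
    holes = [summary]
    for n in (ipaddress.ip_network(p) for p in prefixes):
        remaining = []
        for h in holes:
            if n.subnet_of(h):
                remaining.extend(h.address_exclude(n))  # carve n out of h
            elif not h.subnet_of(n):
                remaining.append(h)                      # disjoint: keep
            # else: h lies entirely inside n, so it is covered and dropped
        holes = remaining
    return sorted(holes)


def summary_commands(summary, eigrp_as=100, ospf_area=0):
    """The IOS lines from this section, filled in for `summary`."""
    net, mask = summary.network_address, summary.netmask
    return {
        "eigrp": f"ip summary-address eigrp {eigrp_as} {net} {mask}",
        "ospf": f"area {ospf_area} range {net} {mask}",
    }


# Constructed inputs: the page's four /24s, and the same block with one
# network missing (an easy mistake when summarizing by hand).
EXAMPLE = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
WITH_GAP = ["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    for name, prefixes in (("EXAMPLE", EXAMPLE), ("WITH_GAP", WITH_GAP)):
        s = summarize(prefixes)
        print(f"{name}: {s}  holes={[str(h) for h in uncovered(prefixes, s)]}")
        for line in summary_commands(s).values():
            print("  " + line)
```

Both inputs summarize to the same /22, but the second one leaves 192.168.2.0/24 advertised and unreachable, which is the check worth running before committing a manual summary.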
 
 
== Show Routing Information ==
 
=== View Routing Table ===
 
show ip route


=== View Specific Route ===
 
show ip route 192.168.1.0
 
=== View Routing Protocol Information ===
 
show ip protocols
Latest revision as of 02:10, 25 February 2026

Cisco IOS Command Reference[edit]

A quick-reference guide for common Cisco IOS commands on switches and routers.


Device & System Information[edit]

Show MAC Address Table[edit]

show mac address-table

Show OS and Device Version[edit]

show version

Show Logged-in Users[edit]

show users

Show Files[edit]

dir
dir nvram:

Configuration Files[edit]

Erase Configurations[edit]

erase startup-config
delete flash:vlan.dat

Show Configurations[edit]

show running-config
show startup-config

Show Interface Config[edit]

show run interface g0/0

Filter Running Config (grep-like)[edit]

show run | include {searchterm}
show run | exclude {searchterm}
show run | begin {searchterm}
show run | section {section-name}

Save Running Config[edit]

copy running-config startup-config
copy run start
wr

User Privileges & Security[edit]

Enter Privileged Mode ("elevate to root")[edit]

enable

Set Encrypted Enable Password[edit]

enable secret ThisisaSecret

Encrypt Plaintext Passwords (Weak Encryption)[edit]

You can decrypt these with publicly available tools like https://keydecryptor.com/decryption-tools/cisco7

service password-encryption

Interface & Network Status[edit]

Interface IP Summary[edit]

show ip interface brief
show ipv6 interface brief

Interface IP Summary (filtered to only interfaces with IPs)[edit]

show ip interface brief | exclude unassigned

VLAN & Switching[edit]

Show VLANs[edit]

show vlan brief

Show Interface VLAN Details[edit]

show interface g0/1 switchport

Show Trunk Interfaces[edit]

show int trunk

Clear Tables[edit]

clear mac address-table
clear arp-cache

Telnet & Remote Access[edit]

Connect via Telnet[edit]

connect {DeviceName}

Show Hosts & Sessions[edit]

show hosts
show sessions

Disconnect Session[edit]

disconnect {DeviceName}

Suspend Active Session[edit]

Ctrl+Shift+6, then x

SSH Configuration[edit]

Basic SSH Setup[edit]

ip domain-name cisco.com
crypto key generate rsa
ip ssh version 2

Generate RSA Keys (1-liner)[edit]

crypto key generate rsa general-keys modulus 1024

Remove RSA Keys[edit]

crypto key zeroize rsa

Create Local User[edit]

username admin secret ccna

Set Default Gateway (switch)[edit]

ip default-gateway 192.168.10.1

Enable SSH on VTY Lines[edit]

line vty 0 15
 transport input ssh
 login local
 exit

Global Configuration Mode[edit]

Enter Global Config[edit]

configure terminal

Disable DNS Lookup on Typos[edit]

no ip domain-lookup

Set MOTD Banner[edit]

banner motd MESSAGEHERE

Set Hostname[edit]

hostname HOSTNAME

Line Configuration[edit]

Console Line[edit]

line con 0
 password itsasecret
 login

VTY Lines[edit]

line vty 0 15
 password itsasecret
 login

Interface Configuration[edit]

Interface Selection[edit]

interface vlan 1
interface fa0/1
interface range fa0/2-3
interface range fa0/2-3,g0/1

Enable Interface[edit]

no shutdown

Assign IPv4 Address[edit]

ip address 192.168.0.1 255.255.255.0

Assign IPv4 Default Gateway (Switch)[edit]

ip default-gateway 192.168.0.254

Interface IPv6 Configuration[edit]

Assign IPv6 Address[edit]

ipv6 address 2001:DB8:CAFE:1::1/64

Assign Link-Local Address[edit]

ipv6 address fe80::1 link-local

Remove IPv6 Addresses[edit]

no ipv6 address 2001:DB8:CAFE:1::1/64
no ipv6 address

IPv6 ND Other-Config Flag[edit]

Set the "Other Configuration" flag in IPv6 Neighbor Discovery (ND) messages. - When enabled, it signals to IPv6 hosts that they should obtain additional configuration information (such as DNS server addresses) via DHCPv6, even if they have a stateless autoconfigured address.

ipv6 nd other-config-flag

VLAN Configuration[edit]

Create / Configure VLAN[edit]

vlan 10
 name MyAwesomeVlan

Access / Trunk Switchport Configuration[edit]

Access Port[edit]

Configures the interface as an access port and assigns it to VLAN 10.

switchport mode access
switchport access vlan 10

Trunk Port[edit]

Configures the interface as a trunk port using 802.1Q encapsulation.

switchport trunk encapsulation dot1q
switchport mode trunk

Trunk Allowed VLANs[edit]

Specifies which VLANs are allowed to traverse the trunk link.

switchport trunk allowed vlan 10,20,33,99

Trunk Native VLANs[edit]

Sets the native VLAN for untagged traffic on the trunk.

switchport trunk native vlan 99

Trunk Nonegotiate[edit]

Disables DTP (Dynamic Trunking Protocol) negotiation on the trunk interface.

switchport nonegotiate

EtherChannel Configuration[edit]

Create EtherChannel (LACP Active)[edit]

Configures interfaces to actively negotiate EtherChannel using LACP.

interface range g0/1 - 2
 channel-group 1 mode active

Create EtherChannel (LACP Passive)[edit]

Configures interfaces to respond to LACP negotiation.

interface range g0/1 - 2
 channel-group 1 mode passive

Create EtherChannel (On Mode)[edit]

Forces EtherChannel without negotiation protocol.

interface range g0/1 - 2
 channel-group 1 mode on

Configure Port-Channel as Access Port[edit]

Applies access configuration to the logical Port-Channel interface.

interface port-channel 1
 switchport mode access
 switchport access vlan 10

Configure Port-Channel as Trunk[edit]

Applies trunk configuration to the logical Port-Channel interface.

interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Verify EtherChannel[edit]

Displays EtherChannel status and summary information.

show etherchannel summary

Verify Port-Channel Interface[edit]

Displays detailed information about the Port-Channel interface.

show interfaces port-channel 1


DHCP

Configure a DHCP Server on a Cisco Router

Assigns IP addresses automatically to clients on a network. The exclusion is a global command and must cover every statically assigned address inside the pool's subnet (gateway, servers, printers), otherwise the router will eventually hand one of them out.

ip dhcp excluded-address 192.168.1.1 192.168.1.10
! Exclude addresses that should not be assigned dynamically

ip dhcp pool LAN_POOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
 lease 7

  • excluded-address: Prevents certain IPs from being assigned (static IPs for servers, printers or the router itself).
  • network: Defines the subnet for DHCP clients.
  • default-router: Sets the gateway IP for clients.
  • dns-server: Specifies DNS servers for clients.
  • lease: Duration the lease is valid, in days (the full form is lease days [hours [minutes]]; lease infinite disables expiry).

Configure DHCP Relay (IP Helper)

Forwards DHCP requests from clients to a remote DHCP server. The helper address goes on the interface facing the clients; the router turns the broadcast DISCOVER into a unicast to the server with giaddr set to that interface's address, which the server uses to choose the pool.

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.2.100

  • ip helper-address: IP of the DHCP server to forward requests to.
  • Needed when the server is on a different subnet.
  • ip helper-address also forwards several other UDP broadcasts by default (TFTP, DNS, time, NetBIOS name/datagram, TACACS). Use no ip forward-protocol udp <port> to restrict forwarding to DHCP only.

Verify DHCP Status

show ip dhcp binding      ! Shows assigned IP addresses
show ip dhcp pool         ! Shows pool usage and statistics
show running-config       ! Check DHCP configuration

show ip dhcp conflict lists addresses the server found already in use (it pings an address before offering it); conflicted addresses are withheld until cleared with clear ip dhcp conflict *.

Best Practices

  • Exclude static IP addresses from DHCP pools.
  • Use DHCP relay when clients and server are on different subnets.
  • Monitor DHCP bindings and conflicts to catch IP conflicts early.
  • Pair the server or relay with DHCP Snooping on the access switches so that a rogue server cannot answer clients (see DHCP Snooping below).

Spanning Tree

Enable PortFast on an interface

Use PortFast on edge/access ports that connect to end devices. The port skips the listening and learning states and forwards immediately, so it must never face another switch. On recent IOS-XE releases the keyword is spanning-tree portfast edge; the older form below still works.

interface GigabitEthernet0/1
 spanning-tree portfast

Enable PortFast globally

Enables PortFast on all ports operating in access mode (trunk ports are unaffected). A PortFast port that later receives a BPDU loses its PortFast status automatically.

spanning-tree portfast default

Enable PortFast on a trunk (use with caution)

Only use when the trunk connects to a single end device (not another switch), for example a server or hypervisor host that needs several tagged VLANs.

interface GigabitEthernet0/1
 spanning-tree portfast trunk

Verify PortFast status

show spanning-tree interface GigabitEthernet0/1 detail

Disable PortFast on an interface

interface GigabitEthernet0/1
 no spanning-tree portfast

Best Practice: Enable BPDU Guard with PortFast

Shuts the port down (err-disabled) if a BPDU is received, protecting against loops and against a rogue switch or host trying to take part in spanning tree. The global form only applies to ports that have PortFast enabled; the interface form applies regardless. Recover an err-disabled port with shutdown followed by no shutdown, or automatically with errdisable recovery cause bpduguard.

Per interface:

interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable

Globally:

spanning-tree portfast default
spanning-tree bpduguard default

Set the Root Bridge

The root bridge is the central switch in the spanning tree topology. It is elected as the switch with the lowest bridge ID, which is the bridge priority followed by the switch's base MAC address. A lower priority value makes a switch more likely to become root; the MAC address only decides ties.

Set priority to influence root bridge selection:

  • The default configured priority is 32768 for all switches.
  • The priority can only be 0 or a multiple of 4096, because the low 12 bits of the 16-bit priority field carry the VLAN ID (the extended system ID). The value actually compared is therefore priority + VLAN ID: for VLAN 1 at the default, show spanning-tree reports "Priority 32769 (priority 32768 sys-id-ext 1)".

To influence the root bridge selection, change the priority value. This is a global configuration command, not an interface command:

spanning-tree vlan 1 priority 4096
 (Sets a low priority value, making this switch very likely to become the root bridge for VLAN 1)

Set the root bridge for a specific VLAN:

  • To make the current switch the root bridge:
spanning-tree vlan 1 root primary
 (A macro that sets the priority to 24576, or to 4096 less than the current root's priority if that root is already at 24576 or lower. It runs once at configuration time and does not react if another switch later advertises a better priority.)
  • To make the current switch the backup root bridge:
spanning-tree vlan 1 root secondary
 (Sets the priority to 28672, below the default but above the primary root, making it the backup root bridge)

Alternatively, manually set the root bridge priority:

spanning-tree vlan 1 priority 24576
 (Sets a lower priority value than the default, making this switch more likely to become the root bridge)

Verify Root Bridge

show spanning-tree vlan 1
(Shows the current root bridge and its priority, along with other STP details. "This bridge is the root" appears when the local switch won the election.)

Notes

  • Do not enable PortFast on ports connected to other switches (this can cause network loops).
  • PortFast should only be used on access/edge ports that connect to end devices like PCs, printers, or phones.
  • Incorrect use of PortFast can cause Layer 2 loops.
  • The default priority value is 32768, and it is adjusted in increments of 4096.
  • Lower priority values increase the likelihood of becoming the root bridge.
  • When priorities are equal, the lowest base MAC address wins, which in an unconfigured network is usually the oldest switch. Always pin the root explicitly.
  • Any device that sends a superior BPDU (lower priority, or equal priority and lower MAC) can take over as root and pull traffic through itself. Pin the root with a low priority, enable spanning-tree guard root on ports that must never lead toward the root, and use BPDU Guard on access ports so rogue BPDUs never enter the topology.
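
The election and the root primary macro described above, worked through in Python as an added example (not code from this wiki or from Cisco). Switch names and MAC addresses are made up; the model of root primary follows the documented behaviour (24576, else 4096 below the current root) and treats a root already at exactly 24576 as needing the lower value, which is a simplification.

```python
from typing import List, Optional, Tuple

DEFAULT_PRIORITY = 32768
STEP = 4096
MAX_PRIORITY = 61440


def bridge_priority(configured: int, vlan: int) -> int:
    """Priority as 'show spanning-tree' displays it: configured value + VLAN ID.

    With the extended system ID (PVST+/Rapid PVST+) the low 12 bits of the
    16-bit priority field carry the VLAN ID, which is why the configured
    value must be 0 or a multiple of 4096 (at most 61440).
    """
    if configured % STEP or not 0 <= configured <= MAX_PRIORITY:
        raise ValueError("priority must be 0 or a multiple of 4096, at most 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return configured + vlan


def elect_root(switches: List[Tuple[str, int, str]], vlan: int) -> str:
    """Name of the root bridge for `vlan` among (name, configured_priority, base_mac).

    The bridge ID is compared as (priority, MAC): lowest wins, and the MAC
    only matters when the priorities tie.
    """
    def key(sw: Tuple[str, int, str]):
        name, prio, mac = sw
        return bridge_priority(prio, vlan), int(mac.replace(".", ""), 16)
    return min(switches, key=key)[0]


def root_primary_priority(current_root_priority: int) -> Optional[int]:
    """Priority the 'spanning-tree vlan X root primary' macro would configure.

    IOS uses 24576 if that beats the current root's configured priority, else
    4096 below the current root. The macro runs once and cannot go below 0;
    None means no value is available (the current root is already at 0).
    """
    if current_root_priority > 24576:
        return 24576
    candidate = current_root_priority - STEP
    return candidate if candidate >= 0 else None


# Constructed topology (names and MACs are made up). Everyone is at the
# default priority, so the election is decided by MAC address alone.
DEFAULT_TOPOLOGY = [("core-1", DEFAULT_PRIORITY, "0011.2233.4455"),
                    ("core-2", DEFAULT_PRIORITY, "0011.2233.4400"),
                    ("access-1", DEFAULT_PRIORITY, "00aa.bbcc.ddee")]

# Same topology after 'spanning-tree vlan 1 priority 24576' on core-1.
PINNED_TOPOLOGY = [("core-1", 24576, "0011.2233.4455")] + DEFAULT_TOPOLOGY[1:]
```

With every switch at the default, core-2 wins VLAN 1 purely because its MAC is lower, which is exactly the situation an attacker exploits by sending BPDUs with a lower bridge ID; pinning core-1 to 24576 makes the MAC irrelevant.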

DHCP Snooping

DHCP Snooping classifies ports as trusted or untrusted, drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, and records each client's lease (MAC, IP, VLAN, port, lease time) in a binding table that Dynamic ARP Inspection and IP Source Guard reuse.

Enable DHCP Snooping globally

Enable DHCP Snooping for the switch. On its own this does nothing until VLANs are added.

ip dhcp snooping

Enable DHCP Snooping on a VLAN

DHCP Snooping only operates on specified VLANs.

ip dhcp snooping vlan 10
ip dhcp snooping vlan 20

Configure trusted interfaces

Mark uplinks or ports connected to legitimate DHCP servers (or relays) as trusted. Trusted ports bypass all checks, so keep the set as small as possible.

interface GigabitEthernet0/1
 ip dhcp snooping trust

Untrusted interfaces (default)

Access ports are untrusted by default. DHCP server responses are blocked, and client messages whose source MAC does not match the DHCP client hardware address are dropped.

interface GigabitEthernet0/2
 no ip dhcp snooping trust

Configure DHCP Snooping rate limiting

Protects against DHCP starvation attacks (a host flooding DISCOVERs with random client MACs to exhaust the pool). Limits the port to 15 DHCP packets per second; if the rate is exceeded the port is placed in the err-disabled state. Configure errdisable recovery cause dhcp-rate-limit if the port should come back automatically.

interface GigabitEthernet0/2
 ip dhcp snooping limit rate 15

Verify DHCP Snooping status

show ip dhcp snooping
show ip dhcp snooping binding

show ip dhcp snooping statistics shows how many packets were dropped and why.

Disable DHCP Snooping

no ip dhcp snooping
no ip dhcp snooping vlan 10

Notes

  • Only trusted ports can send DHCP server messages
  • Access ports should remain untrusted
  • Commonly used with Dynamic ARP Inspection and IP Source Guard
  • Requires correct VLAN configuration to function properly
  • By default the switch inserts DHCP Option 82 (relay agent information) into client requests. A DHCP server or upstream relay that does not accept Option 82 from a non-relay drops those requests and leases silently fail; either disable insertion (no ip dhcp snooping information option) or allow it on the relay (ip dhcp relay information trust-all).
  • The binding table is lost on reload unless it is stored with ip dhcp snooping database (flash or a remote URL). Without it, existing clients are blocked by DAI and IP Source Guard after a reload until they renew their lease.

Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets against a trusted database (typically built by DHCP Snooping) to prevent ARP spoofing and man-in-the-middle attacks. It intercepts ARP packets on untrusted ports, checks IP-to-MAC bindings, and drops invalid ones.

Enable DAI

DAI has no separate global on/off command; it is switched on per VLAN with ip arp inspection vlan (below). DHCP Snooping must already be enabled on the same VLANs, because DAI validates against the DHCP snooping binding table: a VLAN with DAI but no bindings drops every ARP packet from untrusted ports, legitimate ones included, unless an ARP ACL permits them.

Enable DAI on a VLAN

Specify which VLANs should be protected.

ip arp inspection vlan 10
ip arp inspection vlan 20
ip arp inspection vlan 10,20   (alternative: list or range)

Configure trusted interfaces

Trust uplinks and ports connected to other switches, routers, DHCP servers, or devices that should bypass DAI checks. A trusted port is an unguarded path, so trust only infrastructure ports.

interface GigabitEthernet0/1
 ip arp inspection trust

Trusted ports forward ARP packets without validation.

Untrusted interfaces (default)

Access ports are untrusted by default. Invalid ARP packets are dropped.

interface GigabitEthernet0/2
 no ip arp inspection trust   (optional; this is the default)

Configure ARP rate limiting

Protect against ARP flooding/DoS attacks. The default is 15 pps on untrusted ports and unlimited on trusted ports; exceeding the limit puts the port in err-disable.

interface GigabitEthernet0/2
 ip arp inspection limit rate 15   (example: 15 packets per second)
 ip arp inspection limit rate 100 burst interval 1   (optional: higher rate with burst)

Additional Validation Checks

By default, DAI validates only IP-to-MAC bindings from the DHCP snooping database. Enable extra checks (global config mode) to catch malformed ARP packets (highly recommended for stronger security).

ip arp inspection validate src-mac
ip arp inspection validate src-mac dst-mac ip   (common: enable all three)

Options:

  • src-mac — Checks source MAC in Ethernet header vs. sender MAC in ARP body (for requests and replies).
  • dst-mac — Checks destination MAC in Ethernet header vs. target MAC in ARP body (mainly for replies).
  • ip — Checks for invalid/unexpected IP addresses (e.g., 0.0.0.0, 255.255.255.255, multicast IPs) in ARP body.

Each new ip arp inspection validate command overrides previous ones, so specify all desired options together.

To disable: no ip arp inspection validate [src-mac] [dst-mac] [ip]

Verify DAI status

show ip arp inspection
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics   (shows drops, rate limit violations)
show ip arp inspection log   (logs of dropped packets)

Disable DAI

Removing the last VLAN turns DAI off; there is no global command to remove.

no ip arp inspection vlan 10

Notes

  • Requires DHCP Snooping to build the ARP binding table (enable with ip dhcp snooping + ip dhcp snooping vlan ...).
  • Only trusted ports can send unlimited ARP replies/packets (no validation or rate limiting).
  • Access ports should remain untrusted to enforce checks.
  • Commonly deployed with PortFast + BPDU Guard on access ports for loop/spanning-tree protection.
  • For non-DHCP environments or statically addressed hosts, define an ARP ACL (arp access-list <name> containing permit ip host <ip> mac host <mac> entries) and apply it with ip arp inspection filter <arp-acl-name> vlan 10. ACL entries are consulted before the snooping bindings.
  • Often combined with IP Source Guard (ip verify source) on access ports to filter IP traffic based on the same bindings.
  • Rate limiting helps prevent DoS; monitor with show ip arp inspection statistics and consider errdisable recovery cause arp-inspection for automatic port recovery.
  • Additional validation (src-mac, dst-mac, ip) catches MAC spoofing or malformed packets beyond basic binding checks; enable at least src-mac and ip in most production setups.
  • DAI is ingress-only (checks incoming packets on untrusted ports).
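
The trunk, PortFast/BPDU Guard, DHCP Snooping and DAI rules from the sections above are easy to state and easy to get wrong across hundreds of ports, so here is an added example (not code from this wiki or from Cisco) that audits a saved running-config for them. The config parser is a minimal one written for this example; the sample configuration is constructed and deliberately contains one of each problem. It reports DAI VLANs that have no DHCP snooping bindings, trunks on native VLAN 1 (or on an access VLAN) or still running DTP, access ports with PortFast but no BPDU Guard, and access ports wrongly trusted for DHCP Snooping or DAI.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed running-config (not from any real device) with one of each
# problem the audit looks for.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20,30
spanning-tree portfast default
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS running-config into global commands and per-interface commands."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the interface block
            if line and not line.startswith("!"):
                global_cmds.append(line)
    return global_cmds, interfaces


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit(text: str) -> List[str]:
    """Return one finding per hardening gap, in config order (empty list = clean)."""
    findings: List[str] = []
    global_cmds, interfaces = parse_config(text)

    snoop_vlans: Set[int] = set()
    dai_vlans: Set[int] = set()
    for cmd in global_cmds:
        if m := re.fullmatch(r"ip dhcp snooping vlan (\S+)", cmd):
            snoop_vlans |= expand_vlans(m.group(1))
        if m := re.fullmatch(r"ip arp inspection vlan (\S+)", cmd):
            dai_vlans |= expand_vlans(m.group(1))
    if snoop_vlans and "ip dhcp snooping" not in global_cmds:
        findings.append("global: snooping VLANs listed but 'ip dhcp snooping' itself is missing")
    for vlan in sorted(dai_vlans - snoop_vlans):
        findings.append(f"global: DAI on VLAN {vlan} has no DHCP snooping bindings to validate against")

    global_portfast = "spanning-tree portfast default" in global_cmds
    global_bpduguard = "spanning-tree bpduguard default" in global_cmds
    # VLANs carrying end-user access ports: a trunk's native VLAN must not be one of them.
    access_vlans = {int(c.split()[-1]) for cmds in interfaces.values()
                    for c in cmds if c.startswith("switchport access vlan ")}

    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            native = next((int(c.split()[-1]) for c in cmds
                           if c.startswith("switchport trunk native vlan ")), 1)
            if native == 1 or native in access_vlans:
                findings.append(f"{name}: native VLAN {native} is VLAN 1 or an access VLAN (VLAN hopping risk)")
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: trunk still runs DTP; add 'switchport nonegotiate'")
        if "switchport mode access" in cmds:
            portfast = global_portfast or "spanning-tree portfast" in cmds
            bpduguard = global_bpduguard or "spanning-tree bpduguard enable" in cmds
            if portfast and not bpduguard:
                findings.append(f"{name}: PortFast without BPDU Guard")
            for feature, trust_cmd in (("DHCP snooping", "ip dhcp snooping trust"),
                                       ("DAI", "ip arp inspection trust")):
                if trust_cmd in cmds:
                    findings.append(f"{name}: access port is trusted for {feature}; remove '{trust_cmd}'")
    return findings
```

Feed it the output of show running-config (for example audit(open("switch.cfg").read())). The checks are deliberately conservative: a global spanning-tree bpduguard default is accepted as covering every PortFast port, and a port without an explicit switchport mode is skipped rather than guessed at, since on most platforms it is DTP-dynamic and belongs on the trunk list anyway.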

Port Security

Port security limits which and how many source MAC addresses a port will accept, so that a hub, an unauthorized switch or a MAC-flooding tool (which overflows the CAM table to make the switch flood traffic like a hub) cannot be attached to an access port unnoticed. Apart from the show commands, everything below is entered under the interface (interface FastEthernet0/1).

View status of port security on an interface

show port-security interface f0/1

Activate Port Security on an interface

The port cannot be a dynamic (DTP-negotiated) port; set the mode explicitly first, otherwise switchport port-security is rejected with "Command rejected: ... is a dynamic port":

 switchport mode access

Enable Port Security

 switchport port-security

Set the maximum number of MAC addresses that can be used on that port

The default is 1. A port with an IP phone and a PC behind it needs 2 (or a separate maximum on the voice VLAN).

 switchport port-security maximum 1

Whitelist a specific MAC address

 switchport port-security mac-address 0001.6311.E7BC

Enable sticky mode to automatically learn MAC addresses

Learned addresses are converted to sticky entries in the running-config; save it (copy running-config startup-config) or they are gone after a reload.

 switchport port-security mac-address sticky

Port Security Violation Modes

Protect

Silently drops frames from unknown MAC addresses while keeping the port up, generating no alerts and not incrementing the violation counter. Because nothing is logged, an attack in progress is invisible; prefer restrict or shutdown.

 switchport port-security violation protect

Restrict

Drops frames from unknown MAC addresses, increments the violation counter and sends a syslog message and SNMP trap. The port stays up for the legitimate host.

 switchport port-security violation restrict

Shutdown

Immediately disables the port when an unknown MAC address is detected, placing it into the error-disabled state. This is the default mode. Recover with shutdown followed by no shutdown, or automatically with errdisable recovery cause psecure-violation; note that the legitimate host on that port loses connectivity too.

 switchport port-security violation shutdown

Port Security Aging

Enable static aging on an interface

Also ages out statically configured secure addresses, not only dynamically learned ones.

 switchport port-security aging static

Enable timed aging on an interface (5 minutes)

With the default aging type (absolute) the address is removed when the timer expires regardless of traffic; switchport port-security aging type inactivity removes it only after the MAC has been silent for the whole period.

 switchport port-security aging time 5
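
The three violation modes differ in what happens to the attacker's frames, to the legitimate host, and to the logs. The following added example (not code from this wiki or from Cisco) models a single port-security port and replays the same constructed frame sequence through each mode; the MAC addresses are made up and the syslog text is a simplified version of the IOS PSECURE_VIOLATION message.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SecurePort:
    """Model of one port-security port: secure MAC table plus violation handling."""
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown (IOS default)
    sticky: bool = False
    secure_macs: Set[str] = field(default_factory=set)    # static + learned
    sticky_macs: Set[str] = field(default_factory=set)    # would appear in running-config
    violation_count: int = 0
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """Equivalent of: switchport port-security mac-address <mac>"""
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if the switch forwards it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                      # port is down, nothing passes
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)     # dynamic learning up to the maximum
            if self.sticky:
                self.sticky_macs.add(src_mac)
            return True
        # Violation: an unknown MAC once the maximum has been reached.
        if self.violation == "protect":
            return False                      # silent drop: no counter, no log
        self.violation_count += 1
        if self.violation == "restrict":
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac}")
            return False
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac}; port err-disabled")
        self.err_disabled = True
        return False


# Constructed frame sequence (MACs are made up): the legitimate host talks,
# a second MAC appears on the same port, then the legitimate host talks again.
FRAMES = ["0001.6311.e7bc", "0001.6311.e7bc", "dead.beef.0001", "0001.6311.e7bc"]


def simulate(mode: str, frames: List[str] = FRAMES, maximum: int = 1) -> Tuple[SecurePort, List[str]]:
    """Run `frames` through a sticky port with the given violation mode."""
    port = SecurePort(maximum=maximum, violation=mode, sticky=True)
    forwarded = [mac for mac in frames if port.receive(mac)]
    return port, forwarded
```

Running all three modes shows the trade-off: protect and restrict keep the legitimate host working and differ only in whether anyone is told, while shutdown stops the attacker and the legitimate host alike. Raising maximum to 2 makes the second MAC legitimate, which is why the limit must be no larger than the devices actually expected on the port.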

Routing

Routing is the process of forwarding packets between different networks using routing tables and routing protocols.

Enable IP Routing (Layer 3 Switch)

Required on multilayer switches to allow routing between VLANs (SVIs).

ip routing

Enable IPv6 Routing (Routers)

Required before a router forwards IPv6 packets; without it the interfaces can hold IPv6 addresses but the device behaves as a host.

ipv6 unicast-routing

Static Routing

Configure a Static Route

Manually define a path to a remote network. Here's an example using the default administrative distance value (1):

ip route 192.168.2.0 255.255.255.0 192.168.1.1

Manually define a path to a remote network and specify the administrative distance. A static route whose AD is higher than the dynamic protocol's (for example 250, which loses to OSPF's 110; the value 10 below still wins) is a floating static route: it stays out of the routing table until the preferred route disappears.

ip route 192.168.2.0 255.255.255.0 192.168.1.1 10

Format:

ip route <destination-network> <subnet-mask> <next-hop-ip> <administrative-distance (optional)>

Configure a Fully Specified Static Route

A fully specified static route includes both the next-hop IP address and the exit interface. It is commonly used on multi-access networks, and it has the advantage of being withdrawn as soon as the exit interface goes down, rather than lingering until the next hop becomes unresolvable.

Example:

ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0 192.168.1.1

You can also specify the administrative distance:

ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0 192.168.1.1 10

Format:

ip route <destination-network> <subnet-mask> <exit-interface> <next-hop-ip> <administrative-distance (optional)>

Configure a Default Route / Default Gateway

Route used when no specific route matches the destination.

ip route 0.0.0.0 0.0.0.0 192.168.1.1
ipv6 route ::/0 2001:ABC:33:44::1

Administrative Distance

Determines which route is preferred when multiple routes to the same destination prefix exist: the lowest AD wins. AD is only compared between routes for the same prefix; a longer (more specific) match always wins first, whatever its AD.

Common values:

Connected – 0
Static – 1
EIGRP – 90
OSPF – 110
RIP – 120

Chart pulled from https://en.wikipedia.org/wiki/Administrative_distance#Default_administrative_distances

Routing protocol – Administrative distance
Directly connected interface – 0 (only the interface itself has an administrative distance of 0; a configured route cannot have a distance lower than 1)
Static route – 1
Dynamic Mobile Network Routing (DMNR) – 3
EIGRP summary route – 5
External BGP – 20
EIGRP internal route – 90
IGRP – 100
Open Shortest Path First (OSPF) – 110
Intermediate System to Intermediate System (IS-IS) – 115
Routing Information Protocol (RIP) – 120
Exterior Gateway Protocol (EGP) – 140
On Demand Routing (ODR) – 160
EIGRP external route – 170
Internal BGP – 200
Next Hop Resolution Protocol (NHRP) – 250
Default static route learned via DHCP – 254
Unknown and unused – 255 (an administrative distance of 255 causes the router to remove the route from the routing table and not use it)
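
How administrative distance, longest-prefix matching and floating static routes interact is easier to see executed than read. The following added example (not code from this wiki or from Cisco) builds a routing table from candidate routes using the default distances above, then looks destinations up; the prefixes and next hops are constructed from documentation address ranges. The withdraw function models a next hop going away so the failover order can be checked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances for the route sources used below (IOS values).
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
              "ospf": 110, "isis": 115, "rip": 120, "ibgp": 200}


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str
    ad: Optional[int] = None       # explicit AD (floating static); None = protocol default

    @property
    def distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def build_table(candidates: List[Route]) -> List[Route]:
    """Install the best candidate per prefix: lowest AD wins; AD 255 is never installed.

    Equal-cost multipath (several routes with the same prefix and AD from the
    same protocol) is not modelled: the first one seen is kept.
    """
    best: Dict[ipaddress.IPv4Network, Route] = {}
    for route in candidates:
        if route.distance >= 255:
            continue
        current = best.get(route.prefix)
        if current is None or route.distance < current.distance:
            best[route.prefix] = route
    return list(best.values())


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match. AD is not consulted here: it only ranks routes for
    the same prefix, so a /25 learned via OSPF beats a /24 static route."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def withdraw(candidates: List[Route], next_hop: str) -> List[Route]:
    """Drop every route via `next_hop`, as if that neighbour became unreachable."""
    return [r for r in candidates if r.next_hop != next_hop]


# Constructed candidate routes (documentation address ranges, not a real network).
CANDIDATES = [
    Route(net("0.0.0.0/0"), "203.0.113.1", "static"),               # default route
    Route(net("192.168.2.0/24"), "192.168.1.1", "static"),          # AD 1, installed
    Route(net("192.168.2.0/24"), "192.168.1.2", "ospf"),            # AD 110, loses to static
    Route(net("192.168.2.0/24"), "192.168.1.3", "static", ad=250),  # floating static backup
    Route(net("192.168.2.128/25"), "192.168.1.2", "ospf"),          # more specific: wins by length
    Route(net("10.0.0.0/8"), "192.168.1.9", "rip", ad=255),         # AD 255: never installed
]
```

For 192.168.2.200 the OSPF /25 is used even though the static /24 has a far lower AD; when the primary static's next hop 192.168.1.1 disappears, OSPF (110) takes over the /24, and the floating static at 250 is only used if OSPF also goes away.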

Dynamic Routing

Dynamic routing protocols automatically exchange routing information between routers. Any host on a segment where the protocol is active can try to form a neighbor relationship and inject routes, so on every process set passive-interface default and re-enable only the links to real neighbors with no passive-interface <interface>, and configure neighbor authentication where the protocol supports it (RIPv2, EIGRP and OSPF all support MD5 key chains; EIGRP and OSPF also support HMAC-SHA on newer releases).

Configure RIP v2

Uses hop count as metric (maximum 15 hops; 16 means unreachable). version 2 is required for VLSM and authentication; no auto-summary stops classful summarization at major-network boundaries.

router rip
 version 2
 no auto-summary
 network 192.168.1.0

Configure EIGRP

Uses bandwidth and delay as composite metric (load and reliability are available but off by default). The autonomous-system number (100 here) must match on all neighbors. The network statement takes a wildcard mask and enables EIGRP on every interface whose address falls in that range.

router eigrp 100
 no auto-summary
 network 192.168.1.0 0.0.0.255

Configure OSPF

Link-state protocol using cost (derived from interface bandwidth) as metric. The process ID (1) is local to the router; the area must match between neighbors, and area 0 is the backbone.

router ospf 1
 network 192.168.1.0 0.0.0.255 area 0

Route Summarization

Route summarization (aggregation) reduces routing table size by advertising one route that represents multiple networks. The summary is the common leading bits of the member networks; it is exact only when the members fill the whole block. Otherwise the summary also claims address space you hold no routes for, which is why EIGRP and OSPF install a discard route to Null0 for the summary: traffic for the missing space is dropped locally instead of following the default route back and forth.

Example networks:

192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

Can be summarized as:

192.168.0.0/22
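
Computing a summary by hand means finding the longest prefix the member networks share; the following added example (not code from this wiki or from Cisco) does that and, more importantly, reports the address space a non-exact summary would advertise without owning. The inputs are constructed; the standard ipaddress module does the prefix arithmetic.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network


def summarize(networks: List[str]) -> Tuple[Net, bool]:
    """Return the smallest single prefix covering every network, and whether it
    is exact (the networks fill the whole block with no gaps)."""
    nets = [Net(n) for n in networks]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Start from the shortest member prefix length and shorten it further until
    # the aligned block containing `first` also contains `last`.
    plen = min(n.prefixlen for n in nets)
    while plen > 0 and last not in Net((int(first), plen), strict=False):
        plen -= 1
    summary = Net((int(first), plen), strict=False)
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return summary, covered == summary.num_addresses


def holes(summary: Net, networks: List[str]) -> List[Net]:
    """Address space inside `summary` that none of `networks` covers: what the
    router would claim reachability for without having a route to it."""
    remaining = [summary]
    for n in (Net(x) for x in networks):
        nxt = []
        for block in remaining:
            if n.subnet_of(block):
                nxt.extend(block.address_exclude(n))   # carve n out of the block
            elif block.subnet_of(n):
                continue                                # block entirely covered
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


# Constructed inputs: the page's example (exact), the same set minus one member
# (not exact), and two non-adjacent /16s.
CONTIGUOUS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
THREE_OF_FOUR = CONTIGUOUS[:3]
GAPPY = ["10.1.0.0/16", "10.3.0.0/16"]
```

Three of the four /24s still summarize to 192.168.0.0/22, but holes() shows that 192.168.3.0/24 is then advertised without a route behind it; that is the case where the Null0 discard route matters, and where a summary should be split into two smaller ones (192.168.0.0/23 plus 192.168.2.0/24) instead.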


Configure Manual Summarization (EIGRP)

Applied on the outgoing interface; only that interface advertises the summary, and the more-specific routes are suppressed there.

interface GigabitEthernet0/0
 ip summary-address eigrp 100 192.168.0.0 255.255.252.0

Configure Manual Summarization (OSPF ABR)

Configured under the OSPF process on an ABR. It summarizes the named area's intra-area routes when they are advertised into the other areas (the area keyword identifies the source area, not the destination).

router ospf 1
 area 0 range 192.168.0.0 255.255.252.0

Show Routing Information

View Routing Table

show ip route

View Specific Route

show ip route 192.168.1.0

View Routing Protocol Information

Shows each running protocol with its timers, the interfaces it is active on and its sources; useful for confirming that passive-interface and authentication took effect.

show ip protocols