Cisco Commands: Difference between revisions
Revision as of 00:39, 18 February 2026
Cisco IOS Command Reference
A quick-reference guide for common Cisco IOS commands on switches and routers.
Device & System Information
Show MAC Address Table
show mac address-table
Show OS and Device Version
show version
Show Logged-in Users
show users
Show Files
dir
dir nvram:
Configuration Files
Show Configurations
show running-config
show startup-config
Show Interface Config
show run interface g0/0
Filter Running Config (grep-like)
show run | include {searchterm}
show run | begin {searchterm}
show run | section {section-name}
Save Running Config
copy running-config startup-config
copy run start
wr
User Privileges & Security
Enter Privileged Mode
enable
Set Encrypted Enable Password
enable secret ThisisaSecret
Encrypt Plaintext Passwords (Weak Encryption)
This applies Cisco type 7 encoding, which is reversible: publicly available tools such as https://keydecryptor.com/decryption-tools/cisco7 recover the plaintext.
service password-encryption
Interface & Network Status
Interface IP Summary
show ip interface brief
show ipv6 interface brief
Interface IP Summary (filtered to only interfaces with IPs)
show ip interface brief | exclude unassigned
VLAN & Switching
Show VLANs
show vlan brief
Show Interface VLAN Details
show interface g0/1 switchport
Show Trunk Interfaces
show int trunk
Clear Tables
clear mac address-table
clear arp-cache
Telnet & Remote Access
Connect via Telnet
connect {DeviceName}
Show Hosts & Sessions
show hosts
show sessions
Disconnect Session
disconnect {DeviceName}
Suspend Active Session
Ctrl+Shift+6, then x
SSH Configuration
Basic SSH Setup
ip domain-name cisco.com
crypto key generate rsa
ip ssh version 2
Remove RSA Keys
crypto key zeroize rsa
Create Local User
username admin secret ccna
Set Default Gateway
ip default-gateway 192.168.10.1
Enable SSH on VTY Lines
line vty 0 15
 transport input ssh
 login local
 exit
Global Configuration Mode
Enter Global Config
configure terminal
Disable DNS Lookup on Typos
no ip domain-lookup
Set MOTD Banner
banner motd #MESSAGEHERE#
Set Hostname
hostname HOSTNAME
Line Configuration
Console Line
line con 0
 password itsasecret
 login
VTY Lines
line vty 0 15
 password itsasecret
 login
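A check for the weak settings shown on this page (type 7 passwords, plaintext line passwords, VTY lines that are not SSH-only or do not use `login local`), as an added example that is not part of the original reference. The function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
username admin password 7 0123456789AB
line con 0
 password itsasecret
 login
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 password 7 0123456789AB
 login
"""

def audit_credentials(config):
    """Return (context, finding) tuples for weak credential and VTY settings."""
    findings, blocks, current = [], {"global": []}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" "):
            blocks[current].append(line)      # sub-command of the current block
        else:
            current = line if line.startswith("line ") else "global"
            blocks.setdefault(current, [])
        # An optional digit after "password" is the IOS encoding type (7 = reversible).
        m = re.search(r"\bpassword (?:(\d) )?(\S+)$", line)
        if m and m.group(1) == "7":
            findings.append((current, "type 7 password (reversible encoding)"))
        elif m and m.group(1) in (None, "0"):
            findings.append((current, "plaintext password"))
    for name, body in blocks.items():
        if name.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append((name, "VTY not restricted to SSH"))
            if "login local" not in body:
                findings.append((name, "VTY does not use local user accounts"))
    return findings

if __name__ == "__main__":
    for context, finding in audit_credentials(SAMPLE):
        print(f"{context}: {finding}")
```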
Interface Configuration
Interface Selection
interface vlan 1
interface fa0/1
interface range fa0/2-3
interface range fa0/2-3,g0/1
Enable Interface
no shutdown
Assign IPv4 Address
ip address 192.168.0.1 255.255.255.0
VLAN Configuration
Create / Configure VLAN
vlan 10
 name MyAwesomeVlan
Switchport Configuration
Access Port
switchport mode access
switchport access vlan 10
Trunk Port
switchport trunk encapsulation dot1q
switchport mode trunk
Trunk Allowed VLANs
switchport trunk allowed vlan 10,20,33,99
Trunk Native VLANs
switchport trunk native vlan 99
IPv6 Interface Configuration
Assign IPv6 Address
ipv6 address 2001:DB8:CAFE:1::1/64
Assign Link-Local Address
ipv6 address fe80::1 link-local
Remove IPv6 Addresses
no ipv6 address 2001:DB8:CAFE:1::1/64
no ipv6 address
IPv6 ND Other-Config Flag
Sets the "Other Configuration" flag in IPv6 Neighbor Discovery (ND) messages. When enabled, it signals to IPv6 hosts that they should obtain additional configuration information (such as DNS server addresses) via DHCPv6, even if they have a stateless autoconfigured address.
ipv6 nd other-config-flag
DHCP
Configure a DHCP Server on a Cisco Router
Assigns IP addresses automatically to clients on a network.
! Exclude addresses that should not be assigned dynamically
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LAN_POOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
 lease 7
- excluded-address: Prevents certain IPs from being assigned (like static IPs for servers or routers).
- network: Defines the subnet for DHCP clients.
- default-router: Sets the gateway IP for clients.
- dns-server: Specifies DNS servers for clients.
- lease: Duration the IP is valid (in days).
Configure DHCP Relay (IP Helper)
Forwards DHCP requests from clients to a remote DHCP server.
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.2.100
- ip helper-address: IP of the DHCP server to forward requests to.
- Needed when the server is on a different subnet.
Verify DHCP Status
! Shows assigned IP addresses
show ip dhcp binding
! Shows pool usage and statistics
show ip dhcp pool
! Check DHCP configuration
show running-config
Best Practices
- Exclude static IP addresses from DHCP pools.
- Use DHCP relay when clients and server are on different subnets.
- Monitor DHCP bindings to prevent IP conflicts.
Spanning Tree
Enable PortFast on an interface
Use PortFast on edge/access ports that connect to end devices.
interface GigabitEthernet0/1
 spanning-tree portfast
Enable PortFast globally
Enables PortFast on all access ports.
spanning-tree portfast default
Enable PortFast on a trunk (use with caution)
Only use when the trunk connects to a single end device (not another switch).
interface GigabitEthernet0/1
 spanning-tree portfast trunk
Verify PortFast status
show spanning-tree interface GigabitEthernet0/1 detail
Disable PortFast on an interface
interface GigabitEthernet0/1
 no spanning-tree portfast
Best Practice: Enable BPDU Guard with PortFast
Shuts down the port if a BPDU is received, protecting against loops.
Per interface:
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
Globally:
spanning-tree portfast default
spanning-tree portfast bpduguard default
Notes
- Do not enable PortFast on ports connected to other switches
- Recommended for access/edge ports
- Incorrect use can cause Layer 2 loops
DHCP Snooping
Enable DHCP Snooping globally
Enable DHCP Snooping for the switch.
ip dhcp snooping
Enable DHCP Snooping on a VLAN
DHCP Snooping only operates on specified VLANs.
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
Configure trusted interfaces
Mark uplinks or ports connected to legitimate DHCP servers as trusted.
interface GigabitEthernet0/1
 ip dhcp snooping trust
Untrusted interfaces (default)
Access ports are untrusted by default. DHCP server responses are blocked.
interface GigabitEthernet0/2
 no ip dhcp snooping trust
Configure DHCP Snooping rate limiting
Protects against DHCP starvation attacks. Limits the port to 15 DHCP packets per second; a port that exceeds this rate is marked as violating.
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 15
Verify DHCP Snooping status
show ip dhcp snooping
show ip dhcp snooping binding
Disable DHCP Snooping
no ip dhcp snooping
no ip dhcp snooping vlan 10
Notes
- Only trusted ports can send DHCP server messages
- Access ports should remain untrusted
- Commonly used with Dynamic ARP Inspection and IP Source Guard
- Requires correct VLAN configuration to function properly
Dynamic ARP Inspection (DAI)
Enable DAI globally
Dynamic ARP Inspection requires DHCP Snooping to be enabled.
ip arp inspection
Enable DAI on a VLAN
Specify which VLANs should be protected.
ip arp inspection vlan 10
ip arp inspection vlan 20
Configure trusted interfaces
Trust uplinks and ports connected to other switches or routers.
interface GigabitEthernet0/1
 ip arp inspection trust
Untrusted interfaces (default)
Access ports are untrusted by default. Invalid ARP packets are dropped.
interface GigabitEthernet0/2
 no ip arp inspection trust
Configure ARP rate limiting
Protect against ARP flooding attacks.
interface GigabitEthernet0/2
 ip arp inspection limit rate 15
Verify DAI status
show ip arp inspection
show ip arp inspection vlan
show ip arp inspection interfaces
Disable DAI
no ip arp inspection
no ip arp inspection vlan 10
Notes
- Requires DHCP Snooping to build the ARP binding table
- Only trusted ports can send unlimited ARP replies
- Access ports should remain untrusted
- Commonly deployed with PortFast + BPDU Guard
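A consistency check for the two dependencies stated in the notes above (DAI needs DHCP Snooping on the same VLANs, and access ports should stay untrusted), as an added example that is not part of the original reference. The function names and the sample configuration are constructed, and only ports with an explicit `switchport mode access` are treated as access ports.

```python
import re
# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10,20
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
 ip arp inspection trust
"""

def vlan_set(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of integers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_l2(config):
    """Return findings where DHCP snooping and DAI settings contradict each other."""
    snoop, dai, ifaces, cur = set(), set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and cur:
            ifaces[cur].append(line)          # sub-command of the current interface
            continue
        cur = None
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif m := re.fullmatch(r"ip (dhcp snooping|arp inspection) vlan (\S+)", line):
            (snoop if m.group(1) == "dhcp snooping" else dai).update(vlan_set(m.group(2)))
    findings = []
    if dai and "ip dhcp snooping" not in config.splitlines():
        findings.append("DAI configured but DHCP snooping is not enabled globally")
    for v in sorted(dai - snoop):
        findings.append(f"VLAN {v}: DAI enabled without DHCP snooping")
    for name, body in ifaces.items():
        if "switchport mode access" in body:
            for feat in ("ip dhcp snooping trust", "ip arp inspection trust"):
                if feat in body:
                    findings.append(f"{name}: access port has '{feat}'")
    return findings
```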
Port Security
Activate Port Security on an interface
The port cannot be a dynamic port:
switchport mode access
Enable Port Security
switchport port-security
Set the maximum number of MAC addresses that can be used on that port
switchport port-security maximum 1
Whitelist a specific MAC address
switchport port-security mac-address 0001.6311.E7BC
Enable sticky mode to automatically learn MAC addresses
switchport port-security mac-address sticky
Port Security Violation Modes
Protect
Silently drops packets from unknown MAC addresses while keeping the port up and generating no alerts.
switchport port-security violation protect
Restrict
Drops packets from unknown MAC addresses and logs the violation while incrementing the security counter.
switchport port-security violation restrict
Shutdown
Immediately disables the port when an unknown MAC address is detected, placing it into an error-disabled state.
switchport port-security violation shutdown
Port Security Aging
Enable static aging on an interface
switchport port-security aging static
Enable timed aging on an interface (5 minutes)
switchport port-security aging time 5
Routing
Routing is the process of forwarding packets between different networks using routing tables and routing protocols.
Enable IP Routing (Layer 3 Switch)
Required on multilayer switches to allow routing between VLANs.
ip routing
Enable IPv6 Routing (Routers)
ipv6 unicast-routing
Static Routing
Configure a Static Route
Manually define a path to a remote network.
ip route 192.168.2.0 255.255.255.0 192.168.1.1
Format:
ip route <destination-network> <subnet-mask> <next-hop-ip>
Configure a Default Route
Route used when no specific route matches the destination.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Dynamic Routing
Dynamic routing protocols automatically exchange routing information between routers.
Configure RIP v2
Uses hop count as metric (maximum 15 hops).
router rip
 version 2
 no auto-summary
 network 192.168.1.0
Configure EIGRP
Uses bandwidth and delay as composite metric.
router eigrp 100
 no auto-summary
 network 192.168.1.0 0.0.0.255
Configure OSPF
Link-state protocol using cost as metric.
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
Route Summarization
Route summarization (aggregation) reduces routing table size by advertising one route that represents multiple networks.
Example networks:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
Can be summarized as:
192.168.0.0/22
Configure Manual Summarization (EIGRP)
Applied on the outgoing interface.
interface GigabitEthernet0/0
 ip summary-address eigrp 100 192.168.0.0 255.255.252.0
Configure Manual Summarization (OSPF ABR)
Configured under the OSPF process (on an ABR).
router ospf 1
 area 0 range 192.168.0.0 255.255.252.0
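The summary calculation above, generalized to any list of networks, as an added example that is not part of the original reference. It also reports address space a summary would advertise without any of the listed networks behind it, which happens when the list is not an aligned block. The function names are constructed for illustration.

```python
import ipaddress

def summarize(networks):
    """Return (summary, uncovered): the smallest single prefix containing every
    input network, and the parts of that prefix no input network covers."""
    nets = [ipaddress.ip_network(n) for n in networks]
    summary = nets[0]
    # Shorten the prefix one bit at a time until it contains every input network.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    # Carve each input network out of the summary; what is left is over-advertised.
    remaining = [summary]
    for n in nets:
        nxt = []
        for r in remaining:
            if r.subnet_of(n):
                continue                      # r is fully covered by n
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))
            else:
                nxt.append(r)
        remaining = nxt
    return summary, list(ipaddress.collapse_addresses(remaining))

def ios_lines(summary, eigrp_as=100, ospf_area=0):
    """Render the summary in the two command forms shown on this page."""
    net, mask = summary.network_address, summary.netmask
    return [f"ip summary-address eigrp {eigrp_as} {net} {mask}",
            f"area {ospf_area} range {net} {mask}"]

if __name__ == "__main__":
    page = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    shifted = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
    for nets in (page, shifted):
        summary, uncovered = summarize(nets)
        print(summary, "over-advertised:", [str(u) for u in uncovered])
        print("\n".join(ios_lines(summary)))
```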
Administrative Distance
Determines which route is preferred when multiple routes to the same destination exist.
Common values:
Connected – 0
Static – 1
EIGRP – 90
OSPF – 110
RIP – 120
Show Routing Information
View Routing Table
show ip route
View Specific Route
show ip route 192.168.1.0
View Routing Protocol Information
show ip protocols
Configure Route Summarization (EIGRP Example)
Reduces routing table size by advertising a single summary route instead of multiple specific networks.
interface GigabitEthernet0/0
 ip summary-address eigrp 100 192.168.0.0 255.255.252.0
Replace 100 with your EIGRP AS number, and adjust the network address and subnet mask to match your summary range.