Cisco Commands: Difference between revisions

From Lucca's Wiki
Line 229: Line 229:


=== Enable Interface ===
=== Enable Interface ===
<pre>
no shutdown
no shutdown
 
</pre>


=== Assign IPv4 Address ===
=== Assign IPv4 Address ===
<pre>
ip address 192.168.0.1 255.255.255.0
ip address 192.168.0.1 255.255.255.0
</pre>


=== Assign IPv4 Default Gateway ===
ip default-gateway 192.168.0.254
----
----
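Review bot: the new `ip default-gateway 192.168.0.254` lines land under the interface headings (Enable Interface, Assign IPv4 Address), but `ip default-gateway` is a global configuration command and IOS only honours it when `ip routing` is disabled, i.e. on a Layer 2 switch that needs its management address to reach other subnets. A reader following the section literally will type it in interface mode and get an error, or expect a default route on a router or Layer 3 switch and never see one. Suggest a one-line note that it is entered in global configuration mode and that routers and Layer 3 switches use `ip route 0.0.0.0 0.0.0.0 <next-hop>` instead.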



Revision as of 00:15, 20 February 2026

Cisco IOS Command Reference

A quick-reference guide for common Cisco IOS commands on switches and routers.


Device & System Information

Show MAC Address Table

show mac address-table

Show OS and Device Version

show version

Show Logged-in Users

show users

Show Files

dir
dir nvram:

Configuration Files

Show Configurations

show running-config
show startup-config

Show Interface Config

show run interface g0/0

Filter Running Config (grep-like)

show run | include {searchterm}
show run | exclude {searchterm}
show run | begin {searchterm}
show run | section {section-name}

Save Running Config

copy running-config startup-config
copy run start
wr

User Privileges & Security

Enter Privileged Mode ("elevate to root")

enable

Set Enable Secret (hashed)

enable secret stores a salted hash rather than a reversible string and takes precedence over any enable password that is also configured. On releases that support it, enable algorithm-type scrypt secret produces a type 9 (scrypt) hash instead of the older type 5 (MD5) one.

enable secret ThisisaSecret

Obfuscate Plaintext Passwords (Type 7, weak)

service password-encryption rewrites plaintext line, enable and username passwords in the configuration as "type 7" strings. Type 7 is a fixed-key XOR, not encryption: anyone who can read the configuration can reverse it instantly with publicly available tools such as https://keydecryptor.com/decryption-tools/cisco7 . It stops nothing more than a glance over your shoulder, so keep enable and username credentials in their secret (hashed) forms and treat any saved configuration as sensitive.

service password-encryption
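To make the weakness concrete, here is an added example (not from the wiki page) that decodes and re-encodes type 7 strings with the fixed key built into IOS and scans a running-config dump for them. The key is the publicly known IOS constant; the configuration fragment and the passwords in it are constructed for the demo.

```python
"""Cisco IOS type 7 ("service password-encryption") decoder and encoder.

Added example, not part of the original wiki page; standard library only.
TYPE7_KEY is the fixed key built into IOS. SAMPLE_CONFIG is constructed
for this demo and does not come from a real device.
"""

# Fixed 53-byte XOR key shared by every IOS device.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '0822455D0A16'.

    Layout: two decimal digits giving the start offset into TYPE7_KEY,
    then one hex byte per plaintext character, each XORed with the next
    key byte (wrapping around the key).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError("offset out of range")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 0) -> str:
    """Inverse of type7_decode. IOS picks an offset in 0..15 at random."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    body = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plaintext.encode("ascii")))
    return f"{offset:02d}{body.hex().upper()}"


def find_type7_in_config(config: str) -> list[tuple[str, str]]:
    """Return (config line, recovered plaintext) for every '<cmd> 7 <hex>'
    token (password 7, key-string 7, md5 7, ...) in a running-config dump."""
    hits = []
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 2 and words[-2] == "7":
            try:
                hits.append((line.strip(), type7_decode(words[-1])))
            except ValueError:
                continue  # a literal "7" that is not followed by a type 7 string
    return hits


# Constructed running-config fragment (not captured from a real device).
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 094F471A1A0A
!
line con 0
 password 7 0502121C205F4B0A0B0003
 login
line vty 0 15
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, plain in find_type7_in_config(SAMPLE_CONFIG):
        print(f"{line:40} -> {plain}")
```

Because every device shares the same key, the two-digit offset adds no secrecy; the only real mitigation is not to store type 7 credentials at all (enable secret, username ... secret) and, for keys that must stay reversible such as routing-protocol or SNMP keys, to protect the configuration file itself.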

Interface & Network Status

Interface IP Summary

show ip interface brief
show ipv6 interface brief

Interface IP Summary (filtered to only interfaces with IPs)

show ip interface brief | exclude unassigned

VLAN & Switching

Show VLANs

show vlan brief

Show Interface VLAN Details

show interface g0/1 switchport

Show Trunk Interfaces

show int trunk

Clear Tables

The MAC table command needs the dynamic keyword; on its own it is reported as an incomplete command.

clear mac address-table dynamic
clear arp-cache

Telnet & Remote Access

Connect via Telnet

connect {DeviceName}

Telnet carries the login and the whole session in clear text, so anyone on the path can read the credentials. Keep it to isolated lab networks and use SSH (see SSH Configuration) everywhere else.

Show Hosts & Sessions

show hosts
show sessions

Disconnect Session

disconnect {DeviceName}

Suspend Active Session

Ctrl+Shift+6, then x

SSH Configuration

Basic SSH Setup

Set the hostname and domain name first: the RSA key pair is named after them and key generation refuses to run without a domain name. When prompted, older IOS defaults to a 512-bit modulus, which is far too small, so give the size explicitly.

ip domain-name cisco.com
crypto key generate rsa modulus 2048
ip ssh version 2

Remove RSA Keys

crypto key zeroize rsa

Create Local User

username admin secret ccna

Set Default Gateway (Layer 2 switch management)

Global configuration command, honoured only while ip routing is disabled: it lets the switch's management SVI reach administrators on other subnets. Routers and Layer 3 switches ignore it and use a default route instead (see Routing).

ip default-gateway 192.168.10.1

Enable SSH on VTY Lines

Create the local user and generate the RSA key before applying this, and open a second SSH session to test before closing the one you are in: once transport input ssh and login local are set, a VTY without a working local account is a lockout. An exec-timeout and an access-class ACL on the same lines are the usual companions.

line vty 0 15
 transport input ssh
 login local
 exit

Global Configuration Mode

Enter Global Config

configure terminal

Disable DNS Lookup on Typos

no ip domain-lookup

Set MOTD Banner

The first character after motd is the delimiter that ends the banner, so wrap the text in a character it does not contain:

banner motd #MESSAGEHERE#

Set Hostname

hostname HOSTNAME

Line Configuration

The password / login pair below authenticates with a single shared password stored in the configuration (plaintext, or reversible type 7 once service password-encryption is on). It is the legacy method: login local with a username ... secret account (see SSH Configuration) is preferred, and the VTY lines should additionally be restricted with transport input ssh.

Console Line

line con 0
 password itsasecret
 login

VTY Lines

line vty 0 15
 password itsasecret
 login
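To show the difference between the legacy line-password setup above and the SSH section's login local / transport input ssh in a checkable way, here is an added audit script (not from the wiki page) that parses a running-config dump and lists the remote-access weaknesses it finds. Both configurations are constructed for the demo, and the check list encodes common hardening practice rather than a complete benchmark.

```python
"""Audit a Cisco IOS running-config for weak remote-access settings.

Added example, not part of the original wiki page; standard library only.
WEAK_CONFIG and HARDENED_CONFIG are constructed for the demo. The checks
encode common IOS hardening practice and are not an exhaustive benchmark.
"""
import re


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS config into (top-level command, [indented sub-commands]).
    Blank lines and '!' separators are ignored."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_remote_access(config: str) -> list[str]:
    """Return one human-readable finding per weakness; [] means clean."""
    blocks = parse_blocks(config)
    top = [hdr for hdr, _ in blocks]
    findings: list[str] = []

    if "service password-encryption" not in top:
        findings.append("service password-encryption off: line passwords stored in clear text")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set: SSHv1 may be accepted")
    if any(h.startswith("enable password ") for h in top) and \
            not any(h.startswith("enable secret ") for h in top):
        findings.append("enable password without enable secret: reversible enable credential")
    for h in top:
        m = re.match(r"username (\S+) .*\bpassword ", h)
        if m:
            findings.append(f"username {m.group(1)} uses 'password' not 'secret': reversible credential")

    for hdr, subs in blocks:
        if not hdr.startswith("line "):
            continue
        if any(s.startswith("password ") for s in subs):
            findings.append(f"{hdr}: shared line password; prefer 'login local' with username/secret")
        if hdr.startswith("line vty"):
            transport = next((s for s in subs if s.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{hdr}: {transport or 'transport input not restricted'}: telnet accepted")
            if "login local" not in subs and \
                    not any(s.startswith("login authentication") for s in subs):
                findings.append(f"{hdr}: no 'login local' or AAA login method")
            if not any(s.startswith("access-class ") for s in subs):
                findings.append(f"{hdr}: no access-class ACL restricting management sources")
        if not any(s.startswith("exec-timeout") for s in subs):
            findings.append(f"{hdr}: no exec-timeout; idle sessions never expire")
    return findings


# Constructed: the page's legacy line-password setup, with telnet open.
WEAK_CONFIG = """\
hostname SW1
!
enable password cisco
username admin password ccna
!
line con 0
 password itsasecret
 login
line vty 0 15
 password itsasecret
 login
"""

# Constructed: the same switch using the SSH section's commands plus the
# usual extras (ACL on the VTYs, idle timeout, SSH retry/timeout limits).
HARDENED_CONFIG = """\
hostname SW1
!
service password-encryption
ip domain-name example.com
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
enable secret StrongEnableSecret
username admin privilege 15 secret StrongUserSecret
!
ip access-list standard MGMT
 permit 192.168.100.0 0.0.0.255
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 15
 access-class MGMT in
 exec-timeout 5 0
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_remote_access(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The RSA key itself never appears in the running-config (it lives in NVRAM), so a config audit cannot confirm it exists; check that with show crypto key mypubkey rsa on the device.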

Interface Configuration

Interface Selection

interface vlan 1
interface fa0/1
interface range fa0/2-3
interface range fa0/2-3,g0/1

Enable Interface

no shutdown


Assign IPv4 Address

ip address 192.168.0.1 255.255.255.0

Assign IPv4 Default Gateway (Layer 2 switch)

ip default-gateway is a global configuration command, not an interface command. It is used by a switch with ip routing disabled so that its management address (typically interface vlan 1 or the management SVI) can reach other subnets. Routers and Layer 3 switches ignore it and use a default route instead (see Routing).

ip default-gateway 192.168.0.254

VLAN Configuration

Create / Configure VLAN

vlan 10
 name MyAwesomeVlan

Access / Trunk Switchport Configuration

Access Port

Configures the interface as an access port and assigns it to VLAN 10.

switchport mode access
switchport access vlan 10

Trunk Port

Configures the interface as a static 802.1Q trunk. The encapsulation command exists (and is required before switchport mode trunk) only on switches that also support ISL, such as the 3560/3750 families; 802.1Q-only platforms such as the 2960 reject it and need just the mode command.

switchport trunk encapsulation dot1q
switchport mode trunk

Trunk Allowed VLANs

Specifies which VLANs are allowed to traverse the trunk link.

switchport trunk allowed vlan 10,20,33,99

Trunk Native VLAN

Sets the VLAN carried untagged on the trunk. Use a dedicated, otherwise unused VLAN rather than the default VLAN 1 and keep it off every access port: an access port sitting in the native VLAN is what makes double-tagging (VLAN hopping) work.

switchport trunk native vlan 99

Trunk Nonegotiate

Disables DTP (Dynamic Trunking Protocol) so the port never negotiates trunking with its neighbour; the port must already be statically set to access or trunk mode. Apply it to access ports as well: a host that speaks DTP can otherwise talk a dynamic auto/desirable port into becoming a trunk and reach every VLAN.

switchport nonegotiate

IPv6 Interface Configuration

Assign IPv6 Address

ipv6 address 2001:DB8:CAFE:1::1/64

Assign Link-Local Address

ipv6 address fe80::1 link-local

Remove IPv6 Addresses

no ipv6 address 2001:DB8:CAFE:1::1/64
no ipv6 address

IPv6 ND Other-Config Flag

Sets the "Other Configuration" (O) flag in the Router Advertisements sent from this interface. Hosts keep their SLAAC-derived address but are told to fetch additional options, such as DNS server addresses, from a stateless DHCPv6 server.

ipv6 nd other-config-flag

DHCP

Configure a DHCP Server on a Cisco Router

Assigns IP addresses automatically to clients on a network.

ip dhcp excluded-address 192.168.1.1 192.168.1.10
! Exclude addresses that should not be assigned dynamically

ip dhcp pool LAN_POOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
 lease 7

  • excluded-address: Prevents certain IPs from being assigned (like static IPs for servers or routers).
  • network: Defines the subnet for DHCP clients.
  • default-router: Sets the gateway IP for clients.
  • dns-server: Specifies DNS servers for clients.
  • lease: Duration the IP is valid (in days; optional hours and minutes may follow).

Configure DHCP Relay (IP Helper)

Forwards DHCP requests from clients to a remote DHCP server.

interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.2.100

  • ip helper-address: IP of the DHCP server to forward requests to.
  • Needed when the server is on a different subnet.

Verify DHCP Status

show ip dhcp binding      ! Shows assigned IP addresses
show ip dhcp pool         ! Shows pool usage and statistics
show running-config       ! Check DHCP configuration

Best Practices

  • Exclude static IP addresses from DHCP pools.
  • Use DHCP relay when clients and server are on different subnets.
  • Monitor DHCP bindings to prevent IP conflicts.


Spanning Tree

Enable PortFast on an interface

Use PortFast on edge/access ports that connect to end devices.

interface GigabitEthernet0/1
 spanning-tree portfast

Enable PortFast globally

Enables PortFast on every non-trunking (access) port; trunk ports are unaffected.

spanning-tree portfast default

Enable PortFast on a trunk (use with caution)

Only use when the trunk connects to a single end device (not another switch).

interface GigabitEthernet0/1
 spanning-tree portfast trunk

Verify PortFast status

show spanning-tree interface GigabitEthernet0/1 detail

Disable PortFast on an interface

interface GigabitEthernet0/1
 no spanning-tree portfast

Best Practice: Enable BPDU Guard with PortFast

Puts a PortFast port into err-disabled state the moment a BPDU arrives on it, so a switch (or a looped cable) plugged into an access port cannot join the spanning tree or take over as root. The port stays down until it is bounced with shutdown / no shutdown, or errdisable recovery cause bpduguard is configured.

Per interface:

interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable

Globally (applies to every PortFast-enabled port):

spanning-tree portfast default
spanning-tree portfast bpduguard default

Notes

  • Do not enable PortFast on ports connected to other switches
  • Recommended for access/edge ports
  • Incorrect use can cause Layer 2 loops

DHCP Snooping

Enable DHCP Snooping globally

Enable DHCP Snooping for the switch.

ip dhcp snooping

Enable DHCP Snooping on a VLAN

DHCP Snooping only operates on specified VLANs.

ip dhcp snooping vlan 10
ip dhcp snooping vlan 20

Configure trusted interfaces

Mark uplinks or ports connected to legitimate DHCP servers as trusted.

interface GigabitEthernet0/1
 ip dhcp snooping trust

Untrusted interfaces (default)

Access ports are untrusted by default. DHCP server responses are blocked.

interface GigabitEthernet0/2
 no ip dhcp snooping trust

Configure DHCP Snooping rate limiting

Protects against DHCP starvation. If the port receives more than 15 DHCP packets per second it is put into err-disabled state; 15 is plenty for a single host, while trusted uplinks and server ports need either no limit or a much higher one.

interface GigabitEthernet0/2
 ip dhcp snooping limit rate 15

Verify DHCP Snooping status

show ip dhcp snooping
show ip dhcp snooping binding

Disable DHCP Snooping

no ip dhcp snooping
no ip dhcp snooping vlan 10

Notes

  • Only trusted ports can send DHCP server messages (OFFER, ACK, NAK)
  • Access ports should remain untrusted
  • Commonly used with Dynamic ARP Inspection and IP Source Guard, which both rely on the binding table it builds
  • Requires correct VLAN configuration to function properly
  • By default the switch inserts option 82 into the requests it relays; some DHCP servers drop those, in which case no ip dhcp snooping information option is the usual fix
  • A port err-disabled by the rate limit recovers automatically only with errdisable recovery cause dhcp-rate-limit

Dynamic ARP Inspection (DAI)

Enable DAI globally

Dynamic ARP Inspection requires DHCP Snooping to be enabled.

ip arp inspection

Enable DAI on a VLAN

Specify which VLANs should be protected.

ip arp inspection vlan 10
ip arp inspection vlan 20

Configure trusted interfaces

Trust uplinks and ports connected to other switches or routers.

interface GigabitEthernet0/1
 ip arp inspection trust

Untrusted interfaces (default)

Access ports are untrusted by default. Invalid ARP packets are dropped.

interface GigabitEthernet0/2
 no ip arp inspection trust

Configure ARP rate limiting

Protects against ARP flooding. Untrusted ports are limited to 15 ARP packets per second by default and exceeding the limit err-disables the port, so this command mainly matters when changing the value (for example on a port with many virtual machines behind it).

interface GigabitEthernet0/2
 ip arp inspection limit rate 15

Verify DAI status

show ip arp inspection
show ip arp inspection vlan
show ip arp inspection interfaces

Disable DAI

no ip arp inspection
no ip arp inspection vlan 10

Notes

  • Requires DHCP Snooping: the binding table it builds is what the sender IP/MAC pair of each ARP packet is checked against
  • Trusted ports bypass both the binding check and the rate limit; access ports should remain untrusted
  • Hosts with static addresses have no lease, so give them static bindings (ip source binding) or an ARP ACL (arp access-list applied with ip arp inspection filter), otherwise their ARP traffic is dropped
  • ip arp inspection validate src-mac dst-mac ip adds checks that the Ethernet and ARP headers agree
  • Commonly deployed alongside PortFast + BPDU Guard and IP Source Guard on access ports
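To show how the DHCP Snooping binding table and Dynamic ARP Inspection fit together, here is an added simulation (not from the wiki page, and not Cisco code) that parses a constructed show ip dhcp snooping binding listing and then applies the DAI decision to constructed ARP frames: trusted ports pass untouched, untrusted ports must match the binding (IP, MAC, VLAN and the port the lease was learned on) and stay under the per-port rate limit.

```python
"""Simulate DHCP Snooping + Dynamic ARP Inspection for ARP frames arriving
on switch ports.

Added example, not part of the original wiki page; standard library only.
The binding-table text, port roles and ARP frames are constructed for the
demo. The decision logic follows the behaviour described on this page:
trusted ports bypass inspection, untrusted ports must match the DHCP
snooping binding table and stay under the per-port ARP rate limit.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed text in the layout of `show ip dhcp snooping binding`.
SNOOPING_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:01:63:11:E7:BC   192.168.10.50    86400       dhcp-snooping  10    GigabitEthernet0/2
00:50:56:AB:CD:EF   192.168.10.51    86400       dhcp-snooping  10    GigabitEthernet0/3
Total number of bindings: 2
"""

TRUSTED_PORTS = {"GigabitEthernet0/1"}   # `ip arp inspection trust` on the uplink only
RATE_LIMIT_PPS = 15                      # `ip arp inspection limit rate 15` (IOS default)


@dataclass(frozen=True)
class ArpFrame:
    ingress: str      # port the frame arrived on
    vlan: int
    sender_mac: str
    sender_ip: str
    second: int       # arrival time in whole seconds, for the rate limit


def parse_bindings(text: str) -> dict[tuple[int, str], tuple[str, str]]:
    """Map (vlan, ip) -> (mac, interface) from show-command output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] == "dhcp-snooping":
            mac, ip, _lease, _type, vlan, intf = parts
            table[(int(vlan), ip)] = (mac.upper(), intf)
    return table


class DaiSwitch:
    def __init__(self, bindings, trusted, limit):
        self.bindings = bindings
        self.trusted = trusted
        self.limit = limit
        self.errdisabled: set[str] = set()
        self.counts: dict[tuple[str, int], int] = defaultdict(int)

    def inspect(self, f: ArpFrame) -> str:
        """Return 'forward', 'drop' or 'errdisable' for one ARP frame."""
        if f.ingress in self.errdisabled:
            return "drop"              # port is shut until errdisable recovery
        if f.ingress in self.trusted:
            return "forward"           # trusted: no binding check, no rate limit
        # The rate limit counts every ARP packet on an untrusted port,
        # valid or not; exceeding it err-disables the port.
        self.counts[(f.ingress, f.second)] += 1
        if self.counts[(f.ingress, f.second)] > self.limit:
            self.errdisabled.add(f.ingress)
            return "errdisable"
        binding = self.bindings.get((f.vlan, f.sender_ip))
        if binding is None:
            return "drop"              # no DHCP lease for this IP on this VLAN
        mac, intf = binding
        if mac != f.sender_mac.upper() or intf != f.ingress:
            return "drop"              # spoofed MAC, or lease belongs to another port
        return "forward"


def run_demo() -> tuple[list[str], list[str]]:
    """Return (verdicts for four single frames, verdicts for a 17-frame flood)."""
    sw = DaiSwitch(parse_bindings(SNOOPING_BINDINGS), TRUSTED_PORTS, RATE_LIMIT_PPS)
    single = [
        # legitimate host answering from the port its lease was learned on
        ArpFrame("GigabitEthernet0/2", 10, "00:01:63:11:E7:BC", "192.168.10.50", 0),
        # attacker on Gi0/3 claiming the gateway's IP (ARP poisoning)
        ArpFrame("GigabitEthernet0/3", 10, "00:50:56:AB:CD:EF", "192.168.10.1", 0),
        # attacker on Gi0/3 claiming its neighbour's leased IP with its own MAC
        ArpFrame("GigabitEthernet0/3", 10, "00:50:56:AB:CD:EF", "192.168.10.50", 0),
        # the router on the trusted uplink is never inspected
        ArpFrame("GigabitEthernet0/1", 10, "AA:BB:CC:00:00:01", "192.168.10.1", 0),
    ]
    # 17 valid-looking ARPs from Gi0/3 within one second: the 16th trips the limit.
    flood = [ArpFrame("GigabitEthernet0/3", 10, "00:50:56:AB:CD:EF", "192.168.10.51", 1)
             for _ in range(17)]
    return [sw.inspect(f) for f in single], [sw.inspect(f) for f in flood]


if __name__ == "__main__":
    single, flood = run_demo()
    print("single frames:", single)
    print("flood:", flood[:14], "...", flood[14:])
```

Real DAI also checks the target fields of ARP replies and, with ip arp inspection validate, that the Ethernet and ARP headers agree; the simulation keeps only the sender check that the page describes. Note the last flood frame: once a port is err-disabled everything on it is dropped until it is bounced or errdisable recovery cause arp-inspection brings it back.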

Port Security

Activate Port Security on an interface

Port security only works on a static access (or static trunk) port, so take the port out of dynamic mode first:

switchport mode access

Enable Port Security

switchport port-security

Set the maximum number of MAC addresses allowed on the port (default 1)

switchport port-security maximum 1

Whitelist a specific MAC address

switchport port-security mac-address 0001.6311.E7BC

Enable sticky mode: the first MAC addresses seen (up to the maximum) are learned and written into the running configuration as static entries; save with copy run start or they are lost on reload

switchport port-security mac-address sticky

Port Security Violation Modes

Protect

Silently drops packets from unknown MAC addresses while keeping the port up and generating no alerts.

switchport port-security violation protect

Restrict

Drops packets from unknown MAC addresses and logs the violation while incrementing the security counter.

switchport port-security violation restrict

Shutdown (default)

Immediately disables the port when an unknown MAC address is detected, placing it into an error-disabled state and logging the event. Recover with shutdown followed by no shutdown on the interface, or configure errdisable recovery cause psecure-violation.

switchport port-security violation shutdown

Port Security Aging

Apply aging to statically configured (including sticky) addresses, not only to dynamically learned ones

switchport port-security aging static

Age out secure addresses after 5 minutes (whether the timer is absolute or inactivity-based is chosen with switchport port-security aging type)

switchport port-security aging time 5

Routing

Routing is the process of forwarding packets between different networks using routing tables and routing protocols.

Enable IP Routing (Layer 3 Switch)

Required on multilayer switches to allow routing between VLANs.

ip routing

Enable IPv6 Routing (Routers)

ipv6 unicast-routing

Static Routing

Configure a Static Route

Manually define a path to a remote network.

ip route 192.168.2.0 255.255.255.0 192.168.1.1

Format:

ip route <destination-network> <subnet-mask> <next-hop-ip>


Configure a Default Route

Route used when no specific route matches the destination.

ip route 0.0.0.0 0.0.0.0 192.168.1.1


Dynamic Routing

Dynamic routing protocols automatically exchange routing information between routers. Anything on a segment that can speak the protocol can also inject routes, so outside a lab use passive-interface on user-facing interfaces and neighbour authentication; the snippets below are the minimal enable commands only.

Configure RIP v2

Uses hop count as metric (maximum 15 hops).

router rip
 version 2
 no auto-summary
 network 192.168.1.0


Configure EIGRP

Uses bandwidth and delay as composite metric.

router eigrp 100
 no auto-summary
 network 192.168.1.0 0.0.0.255


Configure OSPF

Link-state protocol using cost as metric.

router ospf 1
 network 192.168.1.0 0.0.0.255 area 0


Route Summarization

Route summarization (aggregation) reduces routing table size by advertising one route that represents multiple networks.

Example networks:

192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

Can be summarized as:

192.168.0.0/22
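Here is an added example (not from the wiki page) that computes the summary for a list of prefixes with the standard library ipaddress module and, going a step beyond the page's perfectly aligned case, reports the address space a summary advertises that none of the inputs actually contain. The two prefix lists are constructed: the first is the page's 192.168.0.0/24 to 192.168.3.0/24 case, the second is the same block shifted by one network.

```python
"""Compute a summary route and show what it over-advertises.

Added example, not part of the original wiki page; uses only the standard
library ipaddress module. EXACT is the page's own case; SHIFTED is
constructed to show an imperfect summary.
"""
import ipaddress


def summarize(prefixes: list[str]) -> ipaddress.IPv4Network:
    """Shortest single prefix that contains every input network."""
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    for plen in range(min(n.prefixlen for n in nets), -1, -1):
        cand = nets[0].supernet(new_prefix=plen)
        if all(n.subnet_of(cand) for n in nets):
            return cand
    raise AssertionError("unreachable: /0 contains everything")


def overreach(summary, prefixes) -> list:
    """Address blocks the summary advertises that lie in none of the inputs."""
    remaining = [summary]
    for p in prefixes:
        net = ipaddress.ip_network(p)
        nxt = []
        for r in remaining:
            if r.subnet_of(net):
                continue                            # fully consumed by an input
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # carve the input out
            else:
                nxt.append(r)                       # disjoint, keep as is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def report(prefixes: list[str]) -> tuple[str, list[str]]:
    """(summary prefix, over-advertised blocks) as strings."""
    s = summarize(prefixes)
    return str(s), [str(n) for n in overreach(s, prefixes)]


# Constructed inputs for the demo.
EXACT = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
SHIFTED = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]

if __name__ == "__main__":
    for name, prefixes in (("exact", EXACT), ("shifted", SHIFTED)):
        summary, extra = report(prefixes)
        print(f"{name}: {summary}; over-advertised: {extra or 'none'}")
```

The shifted case is the one to watch for: the /21 also claims 192.168.0.0/24 and 192.168.5.0 to 192.168.7.255, which do not exist. Traffic for those addresses is pulled towards the summarising router and, if it holds a default route, can loop back out; EIGRP's ip summary-address installs a discard route to Null0 for exactly this reason, and a static summary should be paired with one by hand.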


Configure Manual Summarization (EIGRP)

Applied on the outgoing interface.

interface GigabitEthernet0/0
 ip summary-address eigrp 100 192.168.0.0 255.255.252.0


Configure Manual Summarization (OSPF ABR)

Configured under the OSPF process (on an ABR).

router ospf 1
 area 0 range 192.168.0.0 255.255.252.0


Administrative Distance

Determines which route is installed when several routing sources offer a route to the same destination: the lowest value wins.

Common values:

Connected – 0
Static – 1
EIGRP (internal) – 90
OSPF – 110
RIP – 120


Show Routing Information

View Routing Table

show ip route


View Specific Route

show ip route 192.168.1.0


View Routing Protocol Information

show ip protocols