Cisco Commands
Cisco IOS Command Reference
A quick-reference guide for common Cisco IOS commands on switches and routers.
Device & System Information
Show MAC Address Table
show mac address-table
Show OS and Device Version
show version
Show Logged-in Users
show users
Show Files
dir
dir nvram:
Configuration Files
Show Configurations
show running-config
show startup-config
Show Interface Config
show run interface g0/0
Filter Running Config (grep-like)
show run | include {searchterm}
show run | exclude {searchterm}
show run | begin {searchterm}
show run | section {section-name}
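The four filters behave differently in ways that matter when auditing a configuration, so here is an added Python re-implementation of them (example code, not from this page and not IOS code) run over a constructed `show running-config` dump. `section` is modelled as: each line matching the regex plus the more-indented lines that follow it, which is how it behaves on top-level stanzas such as `interface ...` or `line vty ...`; the sample config is an assumption for illustration.

```python
"""IOS output filters include / exclude / begin / section, re-implemented in Python.

Added illustration, not IOS code. The config below is constructed, not captured
from a real device.
"""
import re

SAMPLE_RUNNING_CONFIG = """\
hostname SW1
!
interface GigabitEthernet0/1
 description uplink to CORE
 switchport mode trunk
 switchport trunk native vlan 99
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
line vty 0 15
 transport input ssh
 login local
!
end
"""


def _indent(line):
    """Leading-space count; IOS indents sub-commands one space under their stanza."""
    return len(line) - len(line.lstrip(" "))


def pipe_include(text, pattern):
    """show ... | include REGEX : only the lines that match."""
    return [line for line in text.splitlines() if re.search(pattern, line)]


def pipe_exclude(text, pattern):
    """show ... | exclude REGEX : only the lines that do not match."""
    return [line for line in text.splitlines() if not re.search(pattern, line)]


def pipe_begin(text, pattern):
    """show ... | begin REGEX : everything from the first matching line to the end."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.search(pattern, line):
            return lines[i:]
    return []


def pipe_section(text, pattern):
    """show ... | section REGEX : matching lines plus the sub-lines indented under them."""
    lines = text.splitlines()
    out, i = [], 0
    while i < len(lines):
        if re.search(pattern, lines[i]):
            depth = _indent(lines[i])
            out.append(lines[i])
            i += 1
            # Keep consuming lines that belong to this stanza (more indented than the match).
            while i < len(lines) and lines[i].strip() and _indent(lines[i]) > depth:
                out.append(lines[i])
                i += 1
        else:
            i += 1
    return out


if __name__ == "__main__":
    for line in pipe_section(SAMPLE_RUNNING_CONFIG, r"^interface"):
        print(line)
```

`include` is the right tool for a flat audit ("is `transport input ssh` present?"), while `section` is what you want to pull a whole interface or line stanza out of a large config.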
Save Running Config
copy running-config startup-config
copy run start
wr
! all three do the same thing; wr is shorthand for write memory
User Privileges & Security
Enter Privileged Mode ("elevate to root")
enable
Set Privileged-Mode Secret (hashed)
enable secret stores a salted hash rather than a reversible encoding, and takes precedence over enable password if both are configured.
enable secret ThisisaSecret
Encrypt Plaintext Passwords (Type 7, weak and reversible)
service password-encryption applies Cisco's Type 7 encoding to the plaintext passwords already in the configuration (line, username and enable passwords). Type 7 is a fixed-key XOR, not encryption: it only hides a password from someone reading over your shoulder, and anyone with the config can decode it with publicly available tools like https://keydecryptor.com/decryption-tools/cisco7. Use the hashed secret forms wherever a command offers them.
service password-encryption
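To make concrete why service password-encryption is weak, here is an added Python example (not code from this page or from Cisco) that decodes and re-encodes Type 7 strings with the fixed, publicly known XOR key the scheme uses, and scans a running-config for every Type 7 secret. The sample config, its placeholder Type 5 hash and the offset parameter are assumptions for illustration; run the scanner against your own config backups to see what a leaked config would hand an attacker.

```python
"""Cisco Type 7 (service password-encryption) is reversible obfuscation, not hashing.

Added illustration, not Cisco code: decode/encode Type 7 strings and scan a
constructed running-config for every `password 7` / `key-string 7` secret.
"""
import re

# Fixed, publicly known XOR key used by the Type 7 scheme.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Lines where IOS stores Type 7 blobs, e.g. "enable password 7 ..." or " password 7 ..." under a line.
TYPE7_LINE = re.compile(r"\b(?:password|key-string)\s+7\s+(?P<blob>[0-9A-Fa-f]{4,})\s*$")


def type7_decode(encoded):
    """First two characters are a decimal offset into the key; the rest is hex of plaintext XOR key."""
    if len(encoded) < 4 or not encoded[:2].isdigit():
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])  # raises ValueError on odd length or non-hex input
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")


def type7_encode(plain, offset=9):
    """Inverse of type7_decode. IOS chooses the offset itself; here it is a parameter (assumption)."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    raw = plain.encode("ascii")
    data = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(raw))
    return f"{offset:02d}{data.hex().upper()}"


def find_type7_secrets(config):
    """Return (line_no, stripped_line, decoded_secret) for each Type 7 blob in a config dump."""
    hits = []
    for line_no, line in enumerate(config.splitlines(), 1):
        match = TYPE7_LINE.search(line)
        if match:
            hits.append((line_no, line.strip(), type7_decode(match.group("blob"))))
    return hits


# Constructed sample config; the Type 5 "hash" below is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname SW1
service password-encryption
enable secret 5 $1$abcd$placeholderHashNotReal
enable password 7 094F471A1A0A
!
username admin password 7 0822455D0A16
line con 0
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for line_no, text, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {text}  ->  {secret!r}")
```

Note that the scanner deliberately ignores the `enable secret 5` line: hashed secrets are not recoverable this way, which is exactly why they should replace the Type 7 entries the scanner finds.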
Interface & Network Status
Interface IP Summary
show ip interface brief
show ipv6 interface brief
Interface IP Summary (filtered to only interfaces with IPs)
show ip interface brief | exclude unassigned
VLAN & Switching
Show VLANs
show vlan brief
Show Interface VLAN Details
show interface g0/1 switchport
Show Trunk Interfaces
show int trunk
Clear Tables
clear mac address-table
clear arp-cache
Telnet & Remote Access
Connect via Telnet
connect {DeviceName}
Show Hosts & Sessions
show hosts
show sessions
Disconnect Session
disconnect {DeviceName}
Suspend Active Session
Ctrl+Shift+6, then x
SSH Configuration
Basic SSH Setup
A hostname and domain name must be set before the RSA key pair can be generated. Request at least a 2048-bit modulus instead of accepting the small default the prompt offers, and force SSH version 2 (SSHv1 is obsolete and insecure).
ip domain-name cisco.com
crypto key generate rsa modulus 2048
ip ssh version 2
Remove RSA Keys
crypto key zeroize rsa
Create Local User
username admin secret ccna
Set Default Gateway (switch)
ip default-gateway 192.168.10.1
Enable SSH on VTY Lines
line vty 0 15
 transport input ssh
 login local
 exit
Global Configuration Mode
Enter Global Config
configure terminal
Disable DNS Lookup on Typos
no ip domain-lookup
Set MOTD Banner
The first character after banner motd is the delimiter that ends the message; use one that does not appear in the text.
banner motd #Authorized access only. Activity is monitored.#
Set Hostname
hostname HOSTNAME
Line Configuration
Console Line
line con 0
 password itsasecret
 login
VTY Lines
line vty 0 15
 password itsasecret
 login
A line password set this way sits in the configuration in plaintext (or as reversible Type 7 once service password-encryption is on). Prefer login local with a username ... secret account, and keep transport input ssh on the VTY lines so the password is never sent over Telnet.
Interface Configuration
Interface Selection
interface vlan 1
interface fa0/1
interface range fa0/2-3
interface range fa0/2-3,g0/1
Enable Interface
no shutdown
Assign IPv4 Address
ip address 192.168.0.1 255.255.255.0
Assign IPv4 Default Gateway (Switch)
ip default-gateway 192.168.0.254
Interface IPv6 Configuration
Assign IPv6 Address
ipv6 address 2001:DB8:CAFE:1::1/64
Assign Link-Local Address
ipv6 address fe80::1 link-local
Remove IPv6 Addresses
no ipv6 address 2001:DB8:CAFE:1::1/64
! with no address given, this removes every IPv6 address on the interface:
no ipv6 address
IPv6 ND Other-Config Flag
Sets the "Other Configuration" flag in the IPv6 Neighbor Discovery (ND) router advertisements sent on the interface.
When set, it tells IPv6 hosts to obtain additional configuration information (such as DNS server addresses) from a stateless DHCPv6 server, even though they autoconfigure their own address via SLAAC.
ipv6 nd other-config-flag
VLAN Configuration
Create / Configure VLAN
vlan 10
 name MyAwesomeVlan
Access / Trunk Switchport Configuration
Access Port
Configures the interface as an access port and assigns it to VLAN 10.
switchport mode access
switchport access vlan 10
Trunk Port
Configures the interface as a trunk port using 802.1Q encapsulation. The encapsulation command is only needed (and only accepted) on platforms that also support ISL; 802.1Q-only switches reject it and need just switchport mode trunk.
switchport trunk encapsulation dot1q
switchport mode trunk
Trunk Allowed VLANs
Specifies which VLANs are allowed to traverse the trunk link.
switchport trunk allowed vlan 10,20,33,99
Trunk Native VLANs
Sets the native VLAN for untagged traffic on the trunk.
switchport trunk native vlan 99
Trunk Nonegotiate
Disables DTP (Dynamic Trunking Protocol) negotiation on the trunk interface.
switchport nonegotiate
EtherChannel Configuration
Create EtherChannel (LACP Active)
Configures interfaces to actively negotiate EtherChannel using LACP.
interface range g0/1 - 2
 channel-group 1 mode active
Create EtherChannel (LACP Passive)
Configures interfaces to respond to LACP negotiation.
interface range g0/1 - 2
 channel-group 1 mode passive
Create EtherChannel (On Mode)
Forces EtherChannel without negotiation protocol.
interface range g0/1 - 2
 channel-group 1 mode on
Configure Port-Channel as Access Port
Applies access configuration to the logical Port-Channel interface.
interface port-channel 1
 switchport mode access
 switchport access vlan 10
Configure Port-Channel as Trunk
Applies trunk configuration to the logical Port-Channel interface.
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
Verify EtherChannel
Displays EtherChannel status and summary information.
show etherchannel summary
Verify Port-Channel Interface
Displays detailed information about the Port-Channel interface.
show interfaces port-channel 1
DHCP
Configure a DHCP Server on a Cisco Router
Assigns IP addresses automatically to clients on a network.
! Exclude addresses that should not be assigned dynamically
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LAN_POOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
 lease 7
- excluded-address: Prevents certain IPs from being assigned (like static IPs for servers or routers).
- network: Defines the subnet for DHCP clients.
- default-router: Sets the gateway IP for clients.
- dns-server: Specifies DNS servers for clients.
- lease: Duration the IP is valid (in days).
Configure DHCP Relay (IP Helper)
Forwards DHCP requests from clients to a remote DHCP server.
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.2.100
- ip helper-address: IP of the DHCP server to forward requests to.
- Needed when the server is on a different subnet.
Verify DHCP Status
show ip dhcp binding    ! Shows assigned IP addresses
show ip dhcp pool       ! Shows pool usage and statistics
show running-config     ! Check DHCP configuration
Best Practices
- Exclude static IP addresses from DHCP pools.
- Use DHCP relay when clients and server are on different subnets.
- Monitor DHCP bindings to prevent IP conflicts.
Spanning Tree
Enable PortFast on an interface
Use PortFast on edge/access ports that connect to end devices.
interface GigabitEthernet0/1
 spanning-tree portfast
Enable PortFast globally
Enables PortFast on all access ports.
spanning-tree portfast default
Enable PortFast on a trunk (use with caution)
Only use when the trunk connects to a single end device (not another switch).
interface GigabitEthernet0/1
 spanning-tree portfast trunk
Verify PortFast status
show spanning-tree interface GigabitEthernet0/1 detail
Disable PortFast on an interface
interface GigabitEthernet0/1
 no spanning-tree portfast
Best Practice: Enable BPDU Guard with PortFast
Puts the port into the err-disabled state if a BPDU arrives on it, so a rogue or accidentally connected switch cannot join the spanning tree through an access port and create a loop.
Per interface:
interface GigabitEthernet0/1
 spanning-tree portfast
 spanning-tree bpduguard enable
Globally:
spanning-tree portfast default
spanning-tree bpduguard default
Notes
- Do not enable PortFast on ports connected to other switches
- Recommended for access/edge ports
- Incorrect use can cause Layer 2 loops
DHCP Snooping
Enable DHCP Snooping globally
Enable DHCP Snooping for the switch.
ip dhcp snooping
Enable DHCP Snooping on a VLAN
DHCP Snooping only operates on specified VLANs.
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
Configure trusted interfaces
Mark uplinks or ports connected to legitimate DHCP servers as trusted.
interface GigabitEthernet0/1
 ip dhcp snooping trust
Untrusted interfaces (default)
Access ports are untrusted by default. DHCP server responses are blocked.
interface GigabitEthernet0/2
 no ip dhcp snooping trust
Configure DHCP Snooping rate limiting
Protects against DHCP starvation attacks. This limits the port to 15 DHCP packets per second; a port that exceeds its limit is placed in the err-disabled state.
interface GigabitEthernet0/2
 ip dhcp snooping limit rate 15
Verify DHCP Snooping status
show ip dhcp snooping
show ip dhcp snooping binding
Disable DHCP Snooping
no ip dhcp snooping
no ip dhcp snooping vlan 10
Notes
- Only trusted ports can send DHCP server messages
- Access ports should remain untrusted
- Commonly used with Dynamic ARP Inspection and IP Source Guard
- Requires correct VLAN configuration to function properly
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets against a trusted database (typically built by DHCP Snooping) to prevent ARP spoofing and man-in-the-middle attacks. It intercepts ARP packets on untrusted ports, checks IP-to-MAC bindings, and drops invalid ones.
Enable DAI on a VLAN
DAI is enabled per VLAN; there is no separate global on/off command. DHCP Snooping must already be enabled on the same VLANs, because DAI validates ARP packets against the DHCP snooping binding table.
ip arp inspection vlan 10
ip arp inspection vlan 20
ip arp inspection vlan 10,20
! alternative: list or range several VLANs in one command
Configure trusted interfaces
Trust uplinks and ports connected to other switches, routers, DHCP servers, or devices that should bypass DAI checks.
interface GigabitEthernet0/1
 ip arp inspection trust
Trusted ports forward ARP packets without validation.
Untrusted interfaces (default)
Access ports are untrusted by default. Invalid ARP packets are dropped.
interface GigabitEthernet0/2
 no ip arp inspection trust
! optional; untrusted is the default
Configure ARP rate limiting
Protect against ARP flooding/DoS attacks. Default is 15 pps on untrusted ports (exceeding this can put the port in err-disable).
interface GigabitEthernet0/2
 ip arp inspection limit rate 15
! example: 15 packets per second (the default on untrusted ports)
 ip arp inspection limit rate 100 burst interval 1
! optional: higher rate with an explicit burst interval
Additional Validation Checks
By default, DAI validates only IP-to-MAC bindings from the DHCP snooping database. Enable extra checks (global config mode) to catch malformed ARP packets (highly recommended for stronger security).
ip arp inspection validate src-mac
ip arp inspection validate src-mac dst-mac ip
! common: enable all three in one command
Options:
- src-mac — Checks source MAC in Ethernet header vs. sender MAC in ARP body (for requests and replies).
- dst-mac — Checks destination MAC in Ethernet header vs. target MAC in ARP body (mainly for replies).
- ip — Checks for invalid/unexpected IP addresses (e.g., 0.0.0.0, 255.255.255.255, multicast IPs) in ARP body.
Each new ip arp inspection validate command overrides previous ones, so specify all desired options together.
To disable: no ip arp inspection validate [src-mac] [dst-mac] [ip]
Verify DAI status
show ip arp inspection
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics    ! shows drops and rate-limit violations
show ip arp inspection log           ! log of dropped packets
Disable DAI
no ip arp inspection vlan 10
! DAI is configured per VLAN, so it is removed per VLAN too
Notes
- Requires DHCP Snooping to build the binding table (enable it with ip dhcp snooping and ip dhcp snooping vlan ...).
- Only trusted ports can send unlimited ARP packets (no validation or rate limiting).
- Access ports should remain untrusted to enforce checks.
- Commonly deployed with PortFast + BPDU Guard on access ports for spanning-tree protection.
- For non-DHCP environments (statically addressed hosts), use ARP ACLs: ip arp inspection filter arp-acl-name vlan 10.
- Often combined with IP Source Guard (ip verify source) on access ports to filter IP traffic based on the same bindings.
- Rate limiting helps prevent DoS; monitor with show ip arp inspection statistics and consider errdisable recovery cause arp-inspection for automatic port recovery.
- Additional validation (src-mac, dst-mac, ip) catches MAC spoofing and malformed packets beyond the basic binding check; enable at least src-mac and ip in most production setups.
- DAI is ingress-only (it checks incoming packets on untrusted ports).
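As an added illustration of how DHCP Snooping and DAI fit together (example code, not Cisco's implementation and not from this page), the Python model below keeps a binding table as DHCP snooping would, then applies the DAI decisions described in the two sections above to ARP packets: trusted ports bypass everything, untrusted ports are rate limited per second, the optional src-mac / dst-mac / ip checks run, and finally the sender IP/MAC pair must match a binding. Port names, MAC and IP addresses and the one-second window are constructed for the example.

```python
"""DHCP-snooping bindings feeding Dynamic ARP Inspection on an access switch.

Added illustration, not Cisco code. Models the decision order DAI applies to an
ARP packet on an untrusted port; all addresses and port names are constructed.
"""
from collections import deque
from dataclasses import dataclass
import ipaddress

INVALID_ARP_IPS = {"0.0.0.0", "255.255.255.255"}  # plus multicast, checked below


@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str
    target_mac: str
    target_ip: str
    is_reply: bool = False


def arp_request(port, vlan, sender_mac, sender_ip, target_ip, eth_src=None):
    """Broadcast ARP request; eth_src lets a caller forge a header/body MAC mismatch."""
    return ArpPacket(port, vlan, eth_src or sender_mac, "ffff.ffff.ffff",
                     sender_mac, sender_ip, "0000.0000.0000", target_ip)


def _bad_ip(ip):
    return ip in INVALID_ARP_IPS or ipaddress.ip_address(ip).is_multicast


class DaiSwitch:
    def __init__(self, vlans, trusted_ports, validate=(), rate_limit=15):
        self.dai_vlans = set(vlans)           # ip arp inspection vlan ...
        self.trusted = set(trusted_ports)     # ip arp inspection trust
        self.validate = set(validate)         # ip arp inspection validate {src-mac,dst-mac,ip}
        self.rate_limit = rate_limit          # ip arp inspection limit rate N (per second)
        self.bindings = {}                    # (vlan, ip) -> mac, learned by DHCP snooping
        self.errdisabled = set()
        self._window = {}                     # port -> timestamps of recent ARP packets
        self.stats = {"forwarded": 0, "dropped": 0}

    def learn_dhcp_binding(self, vlan, ip, mac):
        """DHCP snooping saw a DHCPACK for this client on this VLAN."""
        self.bindings[(vlan, ip)] = mac.lower()

    def inspect(self, pkt, now):
        """Return (forward, reason) for one ARP packet arriving at time `now` (seconds)."""
        verdict = self._decide(pkt, now)
        self.stats["forwarded" if verdict[0] else "dropped"] += 1
        return verdict

    def _decide(self, pkt, now):
        if pkt.ingress_port in self.errdisabled:
            return False, "port err-disabled"
        if pkt.vlan not in self.dai_vlans:
            return True, "DAI not enabled on VLAN"
        if pkt.ingress_port in self.trusted:
            return True, "trusted port: no validation, no rate limit"
        # Rate limit: packets per one-second sliding window on untrusted ports.
        window = self._window.setdefault(pkt.ingress_port, deque())
        while window and now - window[0] >= 1.0:
            window.popleft()
        window.append(now)
        if len(window) > self.rate_limit:
            self.errdisabled.add(pkt.ingress_port)
            return False, "rate limit exceeded, port err-disabled"
        # Optional extra validation (ip arp inspection validate ...).
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return False, "src-mac: Ethernet source != ARP sender MAC"
        if "dst-mac" in self.validate and pkt.is_reply and pkt.eth_dst.lower() != pkt.target_mac.lower():
            return False, "dst-mac: Ethernet destination != ARP target MAC"
        if "ip" in self.validate and (_bad_ip(pkt.sender_ip) or (pkt.is_reply and _bad_ip(pkt.target_ip))):
            return False, "ip: invalid address in ARP body"
        # Core check: sender IP/MAC must match a DHCP-snooping binding on this VLAN.
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.sender_mac.lower():
            return False, "no DHCP snooping binding for sender IP/MAC"
        return True, "binding matched"
```

The order matters for operations: a host that has a valid lease but chatters above the rate limit is err-disabled before its bindings are even consulted, which is why `errdisable recovery cause arp-inspection` is worth enabling alongside the rate limit.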
Port Security
View status of port security on an interface
show port-security interface f0/1
Activate Port Security on an interface
Port security is only accepted on a port whose mode is set statically (access or trunk), not on a dynamic DTP port:
switchport mode access
Enable Port Security
switchport port-security
Set the maximum number of mac addresses that can be used on that port
switchport port-security maximum 1
Whitelist a specific mac address
switchport port-security mac-address 0001.6311.E7BC
Enable sticky mode to automatically learn mac addresses
switchport port-security mac-address sticky
Port Security Violation Modes
Protect
Silently drops packets from unknown MAC addresses while keeping the port up and generating no alerts.
switchport port-security violation protect
Restrict
Drops packets from unknown MAC addresses and logs the violation while incrementing the security counter.
switchport port-security violation restrict
Shutdown
Immediately disables the port when an unknown MAC address is detected, placing it into an error-disabled state.
switchport port-security violation shutdown
Port Security Aging
Enable static aging on an interface
switchport port-security aging static
Enable timed aging on an interface (5 minutes)
switchport port-security aging time 5
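An added Python model (not Cisco code and not from this page) of one access port with port security, showing the difference between static, sticky and dynamic secure addresses and how each violation mode reacts. The syslog text is modelled on the IOS message, the MAC addresses are constructed, and the model ignores aging.

```python
"""IOS port security on a single access port, modelled in Python.

Added illustration, not Cisco code. Secure MACs come from static entries, sticky
learning or dynamic learning, up to `maximum`; a frame from any other source MAC
is a violation handled according to the configured mode.
"""


class PortSecurity:
    VIOLATION_MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum            # switchport port-security maximum N
        self.violation = violation        # switchport port-security violation MODE
        self.sticky = sticky              # switchport port-security mac-address sticky
        self.secure = {m.lower(): "static" for m in static}  # mac -> how it was learned
        self.errdisabled = False
        self.violation_count = 0          # "Security Violation Count" in show port-security
        self.syslog = []                  # messages a restrict/shutdown violation would log

    def ingress(self, src_mac):
        """Return True if a frame with this source MAC is forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.errdisabled:
            return False
        if mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            # Learn it: sticky addresses are written to running-config, dynamic ones are not.
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return True
        return self._violate(mac)

    def _violate(self, mac):
        if self.violation == "protect":
            return False                   # silent drop: no counter, no syslog
        self.violation_count += 1
        # Text modelled on the IOS message, constructed for this example.
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {mac}")
        if self.violation == "shutdown":
            self.errdisabled = True        # needs shut/no shut or errdisable recovery
        return False

    def running_config(self):
        """Interface lines this port would contribute to show running-config (defaults omitted)."""
        lines = ["switchport mode access", "switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines
```

Sticky learning is the practical middle ground: the first MAC seen is pinned into the running-config (and survives a reload once you copy run start), without you having to type every address by hand.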
Routing
Routing is the process of forwarding packets between different networks using routing tables and routing protocols.
Enable IP Routing (Layer 3 Switch)
Required on multilayer switches to allow routing between VLANs.
ip routing
Enable IPv6 Routing (Routers)
ipv6 unicast-routing
Static Routing
Configure a Static Route
Manually define a path to a remote network. Without a trailing value the route gets the default administrative distance of 1 (see the table below).
ip route 192.168.2.0 255.255.255.0 192.168.1.1
The same route with an explicit administrative distance (a "floating static" route). Set it higher than the dynamic protocol's distance to use the static route only as a backup, or lower to prefer it.
ip route 192.168.2.0 255.255.255.0 192.168.1.1 10
Format:
ip route <destination-network> <subnet-mask> <next-hop-ip> <administrative distance (optional)>
Configure a Default Route / Default Gateway
Route used when no specific route matches the destination.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ipv6 route ::/0 2001:ABC:33:44::1
Administrative Distance
Determines which route is preferred when multiple routes to the same destination exist.
Common values:
Connected – 0
Static – 1
EIGRP – 90
OSPF – 110
RIP – 120
Chart pulled from https://en.wikipedia.org/wiki/Administrative_distance#Default_administrative_distances
| Routing protocol | Administrative distance |
|---|---|
| Directly connected interface | 0 (Only the interface itself has an administrative distance of 0, since a route cannot have a distance of less than 1.) |
| Static route | 1 |
| Dynamic Mobile Network Routing (DMNR) | 3 |
| EIGRP summary route | 5 |
| External BGP | 20 |
| EIGRP internal route | 90 |
| IGRP | 100 |
| Open Shortest Path First (OSPF) | 110 |
| Intermediate System to Intermediate System (IS-IS) | 115 |
| Routing Information Protocol (RIP) | 120 |
| Exterior Gateway Protocol (EGP) | 140 |
| On Demand Routing (ODR) | 160 |
| EIGRP external route | 170 |
| Internal BGP | 200 |
| Next Hop Resolution Protocol (NHRP) | 250 |
| Default static route learned via DHCP | 254 |
| Unknown and unused | 255 (An administrative distance of 255 causes the router to remove the route from the routing table and not use it.) |
Dynamic Routing
Dynamic routing protocols automatically exchange routing information between routers.
Configure RIP v2
Uses hop count as metric (maximum 15 hops).
router rip
 version 2
 no auto-summary
 network 192.168.1.0
Configure EIGRP
Uses bandwidth and delay as composite metric.
router eigrp 100
 no auto-summary
 network 192.168.1.0 0.0.0.255
Configure OSPF
Link-state protocol using cost as metric.
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
Route Summarization
Route summarization (aggregation) reduces routing table size by advertising one route that represents multiple networks.
Example networks:
192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
Can be summarized as:
192.168.0.0/22
Configure Manual Summarization (EIGRP)
Applied on the outgoing interface.
interface GigabitEthernet0/0
 ip summary-address eigrp 100 192.168.0.0 255.255.252.0
Configure Manual Summarization (OSPF ABR)
Configured under the OSPF process (on an ABR).
router ospf 1
 area 0 range 192.168.0.0 255.255.252.0
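As an added example (not from this page and not IOS code) covering both the administrative distance table and the summarization section, the Python below computes the smallest summary for a list of prefixes and reports how much address space the summary claims beyond the component networks, and selects a route the way the table implies: longest prefix match first, then lowest administrative distance among routes to the same prefix, with AD 255 never installed. The default AD values are taken from the table above; the sample routing table is constructed.

```python
"""Route summarization and administrative-distance route selection.

Added illustration, not Cisco code. Uses the standard library ipaddress module;
the routing table in the test is constructed.
"""
import ipaddress

# Default administrative distances from the table on this page (subset).
DEFAULT_AD = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
    "isis": 115, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}


def summarize(prefixes):
    """Return (summary_prefix, overclaimed_addresses).

    overclaimed_addresses is how much address space the summary advertises that
    none of the component prefixes actually cover: traffic for that space will be
    attracted to this router and, on an EIGRP summary, dropped by the Null0 route
    IOS installs alongside it.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    # Widen the first prefix one bit at a time until every component fits inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(summary), summary.num_addresses - covered


def best_route(table, destination):
    """Pick the forwarding route for `destination` from candidate routes.

    table: iterable of (prefix, source, next_hop) or (prefix, source, next_hop, ad);
    a missing ad uses DEFAULT_AD[source]. Returns (prefix, source, next_hop) or None.
    """
    dst = ipaddress.ip_address(destination)
    best, best_key = None, None
    for prefix, source, next_hop, *explicit_ad in table:
        ad = explicit_ad[0] if explicit_ad else DEFAULT_AD[source]
        if ad >= 255:                # AD 255 means "unreachable": never installed
            continue
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -ad)   # longest match wins; AD only breaks ties on prefix
        if best_key is None or key > best_key:
            best, best_key = (str(net), source, next_hop), key
    return best


if __name__ == "__main__":
    print(summarize(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
    print(summarize(["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"]))
```

The second `summarize` call shows the trap: dropping 192.168.2.0/24 from the set still yields 192.168.0.0/22, so the summary advertises 256 addresses this router cannot deliver. Check the overclaim before adding a summary-address or area range in production.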
Show Routing Information
View Routing Table
show ip route
View Specific Route
show ip route 192.168.1.0
View Routing Protocol Information
show ip protocols