Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

Introduction

Cisco IOS is the backbone software that powers many of Cisco’s network devices. For professionals working with these systems, knowing the right commands is crucial. 

This article provides a Cisco commands cheat sheet, outlining the most common Cisco IOS commands for configuring, securing and troubleshooting Cisco network equipment. It includes the list of Cisco switch commands, a Cisco router commands list and Cisco network commands. Being familiar with the basic Cisco console commands will aid network administrators in managing Cisco devices efficiently and in line with best practices.

Router(config)#hostname SB_R1 
SB_R1(config)#enable secret cisco 

Commands on line con 0
SB_R1(config)#line con 0 
SB_R1(config-line)#password cisco 
SB_R1(config-line)#login
SB_R1(config-line)#logging synchronous 
SB_R1(config-line)#exec-timeout 30 0 
SB_R1(config-line)#exit

Commands for vty 0 4 
SB_R1(config)#line vty 0 4
SB_R1(config-line)#password cisco
SB_R1(config-line)#login
SB_R1(config-line)#logging synchronous 
SB_R1(config-line)#exec-timeout 30 0 
SB_R1(config-line)#exit 

Commands for aux 
SB_R1(config)#line aux 0
SB_R1(config-line)#password cisco
SB_R1(config-line)#login
SB_R1(config-line)#logging synchronous 
SB_R1(config-line)#exec-timeout 30 0 
SB_R1(config-line)#exit 

Banner Command
SB_R1(config)#banner motd $
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
UNAUTHORIZED ACCESS IS PROHIBITED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$

Other commands
SB_R1(config)#alias exec c configure terminal 
SB_R1(config)#alias exec s show ip interface brief 
SB_R1(config)#alias exec sr show running-config 
SB_R1(config)#no ip domain-lookup 
SB_R1(config)#service password-encryption 
SB_R1(config)#ip domain-name www.thenetworkdna.com 
SB_R1(config)#username admin password cisco 
SB_R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024 
SB_R1(config)#ip ssh version 2 
SB_R1(config)#line vty 0 4
SB_R1(config-line)#login local
SB_R1(config-line)#transport input telnet ssh

Configuring router interfaces
SB_R1(config)#interface fastEthernet 0/2
SB_R1(config-if)#description LAN downlink
SB_R1(config-if)#ip address 192.168.1.1 255.255.255.0 
SB_R1(config-if)#no shutdown
SB_R1(config-if)#exit 
SB_R1(config)#interface serial 1/0/1
SB_R1(config-if)#description WAN uplink
SB_R1(config-if)#ip address 10.1.1.1 255.255.255.252
SB_R1(config-if)#clock rate 128000
SB_R1(config-if)#no shut

Inter-VLAN routing: Configuring Router-On-Stick
SB_R1(config)#interface fastEthernet 0/2
SB_R1(config-if)#no shutdown
SB_R1(config)#interface fastEthernet 0/2.50
SB_R1(config-subif)#encapsulation dot1q 50
SB_R1(config-subif)#ip address 192.168.1.1 255.255.255.0
SB_R1(config-subif)#interface fastEthernet 0/2.60
SB_R1(config-subif)#encapsulation dot1q 60
SB_R1(config-subif)#ip address 192.168.2.1 255.255.255.0

RIPv2 Configuration
SB_R1(config)#router rip 
SB_R1(config-router)#version 2
SB_R1(config-router)#network 172.16.0.0 
SB_R1(config-router)#no auto-summary
SB_R1(config-router)#passive-interface serial 0/1

RIPv2 show commands for Verification
SB_R1#show ip protocols
SB_R1#show ip route
SB_R1#show ip route rip
SB_R1#show ip route 172.16.1.1

OSPF Configuration
SB_R1(config)#router ospf 10 (process ID)
SB_R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
SB_R1(config-router)#network 172.16.8.0 0.0.7.255 area 0
SB_R1(config-router)#network 192.168.1.254 0.0.0.0 area 1

Loopback configurations
SB_R1(config)#interface loopback 0
SB_R1(config-if)#ip address 1.1.1.1 255.255.255.255

Change Hello and Dead intervals per interface
SB_R1(config-if)#ip ospf hello-interval 2
SB_R1(config-if)#ip ospf dead-interval 6

Changing interface cost, bandwidth & reference-bandwidth 
SB_R1(config-if)#ip ospf cost 55
SB_R1(config-if)#bandwidth 128 (Kbps)
SB_R1(config-router)#auto-cost reference-bandwidth 1000 (Mbps)

Disabling OSPF on a certain interface
SB_R1(config-router)#passive-interface serial 0/1

OSPF authentication
SB_R1(config-if)#ip ospf authentication null
SB_R1(config-if)#ip ospf authentication
SB_R1(config-if)#ip ospf authentication-key cisco
SB_R1(config-if)#ip ospf authentication message-digest
SB_R1(config-if)#ip ospf message-digest-key 1 md5 cisco

Configure maximum equal-cost paths
SB_R1(config-router)#maximum-paths 6

OSPF verification
SB_R1#show ip protocols
SB_R1#show ip route
SB_R1#show ip route ospf
SB_R1#show ip ospf neighbor
SB_R1#show ip ospf database
SB_R1#show ip ospf interface serial 0/1

EIGRP Configuration
SB_R1(config)#router eigrp 100
SB_R1(config-router)#network 10.0.0.0
SB_R1(config-router)#network 172.16.0.0 0.0.3.255
SB_R1(config-router)#network 192.168.1.1 0.0.0.0
SB_R1(config-router)#network 0.0.0.0 255.255.255.255

Disable auto summarization
SB_R1(config-router)#no auto-summary

Disable EIGRP on a specific interface
SB_R1(config-router)#passive-interface serial 0/1

Configure load balancing parameters
SB_R1(config-router)#maximum-paths 6
SB_R1(config-router)#variance 4

Change interface Hello and Hold timers
SB_R1(config-if)#ip hello-interval eigrp 100 3
SB_R1(config-if)#ip hold-time eigrp 100 10

Influencing metric calculations by tuning BW and delay of the interface
SB_R1(config-if)#bandwidth 265 (kbps)
SB_R1(config-if)#delay 120 (tens of microseconds)

EIGRP Authentication
SB_R1(config)#key chain NDNA_KEYS
SB_R1(config-keychain)#key 1
SB_R1(config-keychain-key)#key-string NDNA
SB_R1(config-keychain-key)#send-lifetime [start time] [end time] 
SB_R1(config-keychain-key)#accept-lifetime [start time] [end time]
SB_R1(config-if)#ip authentication mode eigrp 100 md5
SB_R1(config-if)#ip authentication key-chain eigrp 100 NDNA_KEYS

EIGRP Verification
SB_R1#show ip route eigrp
SB_R1#show ip eigrp neighbors
SB_R1#show ip eigrp topology
SB_R1#show ip eigrp interfaces
SB_R1#show ip eigrp traffic

The commands are organized into the following groups:

  • Mode control commands
  • Basic configuration commands
  • Troubleshooting commands
  • Routing and VLAN commands
  • DHCP commands
  • Security commands
  • Monitoring and logging commands

Command Modes

Cisco IOS has several command modes, which fall into categories such as operational and configuration. Each mode serves a slightly different purpose. For instance, Setup Mode provides an interactive menu that guides the user through creating an initial configuration file for the device.

The most common modes are the following:

  • User exec mode — This mode is the mode you land in when you first log onto a Cisco device. It provides limited access to commands and configuration settings. For instance, this mode enables you to view status using certain show commands but does not enable you to view or edit configurations.
  • Privileged exec mode — This mode provides access to all commands, enabling more detailed examination and control of the device’s operation and configuration.
  • Global Configuration mode: Global configuration commands apply to features that affect the device as a whole. While Exec and Privileged Exec are read-only modes, Global Configuration mode gives the user writable access to modify the active configuration file. To use Global Configuration mode, you first need to enter Privileged EXEC mode and then execute the configure terminal command, although numerous shortcuts, such as config t, are accepted. Global Configuration mode can be further divided into the following command modes, which permit you to configure different components:
    • Interface configuration mode
    • Subinterface configuration mode
    • Router configuration mode
    • Line configuration mode

Mode Control Commands

Command
    Description
enable
    Moves a user from user exec mode into Privileged EXEC mode. Privileged exec mode is indicated by the # symbol in the command prompt.
configure terminal
    Logs the user into Global Configuration mode
interface fastethernet/number
    Enters interface configuration mode for the specified fast ethernet interface

Basic Configuration Commands List

reload
    Reboots the Cisco switch or router
hostname name
    Sets a host name to the current Cisco network device
copy from-location to-location
    Copies files from one file location to another
copy running-config startup-config
    Replaces the startup config with the active config when the Cisco network device initializes
copy startup-config running-config
    Merges the startup config with the currently active config in RAM
write erase
erase startup-config
    Deletes the startup config
ip address ip-address mask
    Assigns the specified IP address and subnet mask
shutdown
no shutdown
    Shuts the interface down (shutdown) or brings it up (no shutdown)
ip default-gateway ip_address
    Sets the default gateway on the Cisco device
show running-config
    Displays the current configuration of the device
show startup-config
    Displays the saved configuration stored in the device’s NVRAM, which will be loaded when the device starts up
description string
    Assigns the specified description to an interface
show running-config interface interface slot/number
    Displays the running configuration for the specified interface
show ip interface [type number]
    Displays the status of a network interface as well as a detailed listing of its IP configurations and related characteristics.
ip name-server serverip-1 serverip-2
    Sets the IP address of one or more DNS servers that the device can use to resolve hostnames to IP addresses.

Troubleshooting Cisco Commands List

ping {hostname | system-address} [source source-address]
    Used to diagnose basic network connectivity
speed {10 | 100 | 1000 | auto}
    Either configures the transmission speed of a network interface to the specified value in megabits per second (Mbps), or enables automatic speed detection for the port
duplex {auto | full | half}
    Sets duplex to half, full or auto
cdp run
no cdp run
    Enables or disables Cisco Discovery Protocol (CDP) for the device
show mac address-table
    Displays the MAC address table
show cdp
    Shows whether CDP is enabled globally
show cdp neighbors [detail]
    Lists summary (or detailed) information about each neighbor connected to the device
show interfaces
    Displays detailed information about interface status, settings and counters
show interface status
    Displays the interface line status
show interfaces switchport
    Displays many configuration settings and current operational status, including VLAN trunking details
show interfaces trunk
    Lists information about the currently operational trunks and the VLANs supported by those trunks
show vlan
show vlan brief
    Lists each VLAN and all interfaces assigned to that VLAN but does not include trunks
show vtp status
    Lists the current VLAN Trunk Protocol (VTP) status, including the current mode

Routing and VLAN Commands

show ip route
    Displays the current state of the IP routing of all known routes that are either statically configured or learned dynamically through a routing protocol
ip route network-number network-mask {ip-address | interface}
    Sets a static route in the IP routing table
router rip
    Enables a Routing Information Protocol (RIP) routing process, which places you in router configuration mode
network ip-address
    Associates a network with a RIP routing process
version 2
    Configures the software to receive and send only RIP version 2 packets
no auto-summary
    Disables automatic summarization
default-information originate
    Generates a default route into RIP
passive-interface interface
    Sets the specified interface to passive RIP mode, which means RIP routing updates are accepted by, but not sent out of, the interface
show ip rip database
    Displays the contents of the RIP routing database
ip nat [inside | outside]
    Configures Network Address Translation (NAT), which allows private IP addresses on a local network to be translated into public IP addresses before being sent over the internet
ip nat inside source {list {access-list-number | access-list-name}} interface type number [overload]
    Establishes dynamic source translation. Use of the “list” keyword enables you to use an ACL to identify the traffic that will be subject to NAT. The “overload” option enables the router to use one global address for many local addresses.
ip nat inside source static local-ip global-ip
    Establishes a static translation between an inside local address and an inside global address
vlan
    Creates a VLAN and enters VLAN configuration mode for further definitions
switchport access vlan
    Sets the VLAN that the interface belongs to.
switchport trunk encapsulation dot1q
    Specifies 802.1Q encapsulation on the trunk link.
switchport access
    Configures a specific Ethernet port on a switch to operate in access mode to accommodate an end device such as a computer, server or printer. The port must then be assigned to a single VLAN.
vlan vlan-id [name vlan-name]
    Configures a specific VLAN name (1 to 32 characters)
switchport mode {access | trunk}
    Configures the VLAN membership mode of a port. The access port is set to access unconditionally and operates as a non-trunking, single VLAN interface that sends and receives non-encapsulated (non-tagged) frames. An access port can be assigned to only one VLAN. The trunk port sends and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a point-to-point link between two switches or between a switch and a router.
switchport trunk {encapsulation {dot1q}}
    Sets the trunk characteristics when the interface is in trunking mode. In this mode, the switch supports simultaneous tagged and untagged traffic on a port.
encapsulation dot1q vlan-id
    Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance
show spanning-tree
    Provides detailed information about the Spanning Tree protocol for all VLANs

DHCP Commands

ip address dhcp
    Acquires an IP address on an interface via DHCP
ip dhcp pool name
    Used to configure a DHCP address pool on a DHCP server and enter DHCP pool configuration mode
domain-name domain
    Specifies the domain name for a DHCP client
network network-number [mask]
    Configures the network number and mask for a DHCP address pool primary or secondary subnet on a Cisco IOS DHCP server
ip dhcp excluded-address ip-address [last-ip-address]
    Specifies IP addresses that a DHCP server should not assign to DHCP clients
ip helper-address address
    Enables forwarding of UDP broadcasts, including BOOTP, received on an interface
default-router address [address2 … address8]
    Specifies the default routers for a DHCP client

Security Commands

password pass-value
    Lists the password that is required if the login command (with no other parameters) is configured
username name password pass-value
    Defines one of possibly multiple user names and associated passwords used for user authentication. It is used when the login local line configuration command has been used
enable password pass-value
    Defines the password required when using the enable command
enable secret pass-value
    Sets the password required for any user to enter enable mode
service password-encryption
    Directs the Cisco IOS software to encrypt the passwords, CHAP secrets and similar data saved in its configuration file
ip domain-name name
    Configures a DNS domain name
crypto key generate rsa
    Creates and stores (in a hidden location in flash memory) the keys that are required by SSH
transport input {telnet | ssh}
    Defines whether Telnet or SSH access is allowed into this switch. Both values can be specified in a single command to allow both Telnet and SSH access (default settings)
access-list access-list-number {deny | permit} source [source-wildcard] [log]
    Defines a standard IP access list
access-class
    Restricts incoming and outgoing connections between a particular VTY (into a basic Cisco device) and the addresses in an access list
ip access-list {standard | extended} {access-list-name | access-list-number}
    Defines an IP access list by name or number
permit source [source-wildcard]
    Allows a packet to pass a named IP ACL. To remove a permit condition from an ACL, use the “no” form of this command.
deny source [source-wildcard]
    Used to set conditions in a named IP ACL that will deny packets. To remove a deny condition from an ACL, use the “no” form of this command.
ntp peer <ip-address>
    Configures the software clock to synchronize a peer or to be synchronized by a peer
switchport port-security
    Enables port security on the interface
switchport port-security maximum maximum
    Sets the maximum number of secure MAC addresses on the port
switchport port-security mac-address {mac-addr | {sticky [mac-addr]}}
    Adds a MAC address to the list of secure MAC addresses. The “sticky” option configures the MAC addresses as sticky on the interface
switchport port-security violation {shutdown | restrict | protect}
    Sets the action to be taken when a security violation is detected
show port-security [interface interface-id]
    Displays information about security options configured on the interface
 
Monitoring and Logging Commands

logging ip-address
    Configures the IP address of the host that will receive the system logging (syslog) messages
logging trap level
    Used to limit messages that are logged to the syslog servers based on severity. Specify the number or name of the desired severity level at which messages should be logged
show logging
    Displays the state of system logging (syslog) and the contents of the standard system logging buffer
terminal monitor
    Sends a copy of all syslog messages, including debug messages, to the Telnet or SSH user who issues this command