Introduction
Cisco IOS is the backbone software that powers many of Cisco’s network devices. For professionals working with these systems, knowing the right commands is crucial.
This article provides a Cisco commands cheat sheet, outlining the most common Cisco IOS commands for configuring, securing and troubleshooting Cisco network equipment. It includes the list of Cisco switch commands, a Cisco router commands list and Cisco network commands. Being familiar with the basic Cisco console commands will aid network administrators in managing Cisco devices efficiently and in line with best practices.
Router(config)#hostname SB_R1
SB_R1(config)#enable secret cisco
Commands on line con 0
SB_R1(config)#line con 0
SB_R1(config-line)#password cisco
SB_R1(config-line)#login
SB_R1(config-line)#logging synchronous
SB_R1(config-line)#exec-timeout 30 0
SB_R1(config-line)#exit
Commands for vty 0 4
SB_R1(config)#line vty 0 4
SB_R1(config-line)#password cisco
SB_R1(config-line)#login
SB_R1(config-line)#logging synchronous
SB_R1(config-line)#exec-timeout 30 0
SB_R1(config-line)#exit
Commands for aux
SB_R1(config)#line aux 0
SB_R1(config-line)#password cisco
SB_R1(config-line)#login
SB_R1(config-line)#logging synchronous
SB_R1(config-line)#exec-timeout 30 0
SB_R1(config-line)#exit
Banner Command
SB_R1(config)#banner motd $
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
UNAUTHORIZED ACCESS IS PROHIBITED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$
Other commands
SB_R1(config)#alias exec c configure terminal
SB_R1(config)#alias exec s show ip interface brief
SB_R1(config)#alias exec sr show running-config
SB_R1(config)#no ip domain-lookup
SB_R1(config)#service password-encryption
SB_R1(config)#ip domain-name www.thenetworkdna.com
SB_R1(config)#username admin password cisco
SB_R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
SB_R1(config)#ip ssh version 2
SB_R1(config)#line vty 0 4
SB_R1(config-line)#login local
SB_R1(config-line)#transport input telnet ssh
Configuring router interfaces
SB_R1(config)#interface fastEthernet 0/2
SB_R1(config-if)#description LAN downlink
SB_R1(config-if)#ip address 192.168.1.1 255.255.255.0
SB_R1(config-if)#no shutdown
SB_R1(config-if)#exit
SB_R1(config)#interface serial 1/0/1
SB_R1(config-if)#description WAN uplink
SB_R1(config-if)#ip address 10.1.1.1 255.255.255.252
SB_R1(config-if)#clock rate 128000
SB_R1(config-if) no shut
Inter-VLAN routing: Configuring Router-On-Stick
SB_R1(config)#interface fastEthernet 0/2
SB_R1(config-if)#no shutdown
SB_R1(config)# interface fastEthernet 0/2.50
SB_R1(config-subif)# encapsulation dot1q 50
SB_R1(config-subif)#ip address 192.168.1.1 255.255.255.0
SB_R1(config-subif)# interface fastEthernet 0/2.60
SB_R1(config-subif)# encapsulation dot1q 60
SB_R1(config-subif)#ip address 192.168.2.1 255.255.255.0
RIPv2 Configuration
SB_R1(config)#router rip
SB_R1(config-router)#version 2
SB_R1(config-router)#network 172.16.0.0
SB_R1(config-router)#no auto summary
SB_R1(config-router)#passive-interface serial 0/1
RIPv2 show commands for Verification
SB_R1#show ip protocols
SB_R1#show ip route
SB_R1#show ip route rip
SB_R1#show ip route 172.16.1.1
OSPF Configuration
SB_R1(config)#router ospf 10 (process ID)
SB_R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
SB_R1(config-router)#network 172.16.8.0 0.0.7.255 area 0
SB_R1(config-router)#network 192.168.1.254 0.0.0.0 area 1
Loopback configurations
SB_R1(config)#interface loopback 0
SB_R1(config-if)#ip address 1.1.1.1 255.255.255.255
Change Hello and Dead intervals per interface
SB_R1(config-if)#ip ospf hello-interval 2
SB_R1(config-if)#ip ospf dead-interval 6
Changing interface cost, bandwidth & reference-bandwidth
SB_R1(config-if)#ip ospf cost 55
SB_R1(config-if)#bandwidth 128 (Kbps)
SB_R1(config-router)#auto-cost reference-bandwidth 1000 (Mbps)
Disabling OSPF on a certain interface
SB_R1(config-router)#passive-interface serial 0/1
SB_R1(config-if)#ip ospf authentication null
SB_R1(config-if)#ip ospf authentication
SB_R1(config-if)#ip ospf authentication-key cisco
SB_R1(config-if)#ip ospf authentication message-digest
SB_R1(config-if)#ip ospf message-digest-key 1 md5 cisco
Configure maximum equal-cost paths
SB_R1(config-router)#maximum paths 6
OSPF verification
SB_R1#show ip protocols
SB_R1#show ip route
SB_R1#show ip route ospf
SB_R1#show ip ospf neighbors
SB_R1#show ip ospf database
SB_R1#show ip ospf interfaces serial 0/1
EIGRP Configuration
SB_R1(config)#router eigrp 100
SB_R1(config-router)#network 10.0.0.0
SB_R1(config-router)#network 172.16.0.0 0.0.3.255
SB_R1(config-router)#network 192.168.1.1 0.0.0.0
SB_R1(config-router)#network 0.0.0.0 255.255.255.255
Disable auto summarization
SB_R1(config-router)#no autosummary
Disable EIGRP on a specific interface
SB_R1(config-router)#passive-interface serial 0/1
Configure load balancing parameters
SB_R1(config-router)#maximum-paths 6
SB_R1(config-router)#variance 4
Change interface Hello and Hold timers
SB_R1(config-if)#ip hello-interval eigrp 100 3
SB_R1(config-if)#ip hold-time eigrp 100 10
Influencing metric calculations by tuning BW and delay of the interface
SB_R1(config-if)#bandwidth 265 (kbps)
SB_R1(config-if)#delay 120 (tens of microseconds)
EIGRP Authentication
SB_R1(config)#key chain NDNA_KEYS
SB_R1(config-keychain)#key 1
SB_R1(config-keychain-key)#key-string NDNA
SB_R1(config-keychain-key)#send-lifetime [start time] [end time]
SB_R1(config-keychain-key)#accept-lifetime [start time] [end time]
SB_R1(config-if)#ip authentication mode eigrp 100 md5
SB_R1(config-if)#ip authentication key-chain eigrp 100 NDNA_KEYS
EIGRP Verification
SB_R1#show ip route eigrp
SB_R1#show ip eigrp neighbors
SB_R1#show ip eigrp topology
SB_R1#show ip eigrp interfaces
SB_R1#show ip eigrp traffic
The commands are organized into the following groups:
- Mode control commands
- Basic configuration commands
- Troubleshooting commands
- Routing and VLAN commands
- DHCP commands
- Security commands
- Monitoring and logging commands
Command Modes
Cisco IOS has several command modes that fall into further categories such as operational and configuration. Each mode serves a slightly unique purpose. For instance, Setup Mode provides the user with an interactive menu guide the user to create an initial configuration file for the device.
The key most common modes are the following:
- User exec mode — This mode is the mode you land in when you first log onto a Cisco device. It provides limited access to commands and configuration settings. For instance, this mode enables you to view status using certain show commands but does not enable you to view or edit configurations.
- Privileged exec mode — This mode provides access to all commands, enabling more detailed examination and control of the device’s operation and configuration.
- Global Configuration mode: Global configuration commands apply to features that affect the device as a whole. While Exec and Privileged Exec are read-only modes, Global Configuration mode gives the user writable access to modify the active configuration file. To use Global Configuration mode, you first need to enter Privileged EXEC Mode and then execute the configure terminal command although numerous shortcuts are accepted such as config t. Global Configuration mode can be further divided into the following command modes, which permit you to configure different components:
- Interface configuration mode
- Subinterface configuration mode
- Router configuration mode
- Line configuration mode
Mode Control Commands | |
Command | Description |
enable | Moves a user from user exec mode into Privileged EXEC mode. Privileged exec mode is indicated by the # symbol in the command prompt. |
configure terminal | Logs the user into Global Configuration mode |
interface fastethernet/number | Enters interface configuration mode for the specified fast ethernet interface |
Basic Configuration Commands List | |
reload | Reboots the Cisco switch or router |
hostname name | Sets a host name to the current Cisco network device |
copy from-location to-location | Copies files from one file location to another |
copy running-config startup-config | Replaces the startup config with the active config when the Cisco network device initializes |
copy startup-config running-config | Merges the startup config with the currently active config in RAM |
write erase erase startup-config | Deletes the startup config |
ip address ip-address mask | Assigns the specified IP address and subnet mask |
shutdown no shutdown | Shuts the interface down (shutdown) or brings it up (no shutdown) |
ip default-gateway ip_address | Sets the default gateway on the Cisco device |
show running-config | Displays the current configuration of the device |
show startup-config | Displays the saved configuration stored in the device’s NVRAM, which will be loaded when the device starts up |
description string | Assigns the specified description to an interface |
show running-config interface interface slot/number | Displays the running configuration for the specified interface |
show ip interface [type number] | Displays the status of a network interface as well as a detailed listing of its IP configurations and related characteristics. |
ip name-server serverip-1 serverip-2 | Sets the IP address of or more DNS servers that the device can use to resolve hostnames to IP addresses. |
Troubleshooting Cisco Commands List | |
ping {hostname | system-address} [source source-address] | Used to diagnose basic network connectivity |
speed {10 | 100 | 1000 | auto} | Either configures the transmission speed of a network interface to the specified value in megabits per second (Mbps), or enables automatic speed detection for the port |
duplex {auto | full | half} | Sets duplex to half, full or auto |
cdp run no cdp run | Enables or disables Cisco Discovery Protocol (CDP) for the device |
show mac address-table | Displays the MAC address table |
show cdp | Shows whether CDP is enabled globally |
show cdp neighbors[detail] | Lists summary (or detailed) information about each neighbor connected to the device |
show interfaces | Displays detailed information about interface status, settings and counters |
show interface status | Displays the interface line status |
show interfaces switchport | Displays many configuration settings and current operational status, including VLAN trunking details |
show interfaces trunk | Lists information about the currently operational trunks and the VLANs supported by those trunks |
show vlan show vlan brief | Lists each VLAN and all interfaces assigned to that VLAN but does not include trunks |
show vtp status | Lists the current VLAN Trunk Protocol (VTP) status, including the current mode |
Routing and VLAN Commands | |
show ip route | Displays the current state of the IP routing of all known routes that are either statically configured or learned dynamically through a routing protocol |
ip route network-number network-mask {ip-address | interface} | Sets a static route in the IP routing table |
router rip | Enables a Routing Information Protocol (RIP) routing process, which places you in router configuration mode |
network ip-address | Associates a network with a RIP routing process |
version 2 | Configures the software to receive and send only RIP version 2 packets |
no auto-summary | Disables automatic summarization |
default-information originate | Generates a default route into RIP |
passive-interface interface | Sets the specified interface to passive RIP mode, which means RIP routing updates are accepted by, but not sent out of, the interface |
show ip rip database | Displays the contents of the RIP routing database |
ip nat [inside | outside] | Configure Network Address Translation (NAT), which allows private IP addresses on a local network to be translated into public IP addresses before being sent over the internet |
ip nat inside source {list{access-list-number | access-list-name}} interface type number[overload] | Establishes dynamic source translation. Use of the “list” keyword enables you to use an ACL to identify the traffic that will be subject to NAT. The “overload” option enables the router to use one global address for many local addresses. |
ip nat inside source static local-ip global-ip | Establishes a static translation between an inside local address and an inside global address |
vlan | Creates a VLAN and enters VLAN configuration mode for further definitions |
switchport access vlan | Sets the VLAN that the interface belongs to. |
switchport trunk encapsulation dot1q | Specifies 802.1Q encapsulation on the trunk link. |
switchport access | Configures a specific Ethernet port on a switch to operate in access mode to accommodate an end device such as a computer, server or printer. The port must then be assigned to a single VLAN. |
vlan vlan-id [name vlan-name] | Configures a specific VLAN name (1 to 32 characters) |
switchport mode { access | trunk } | Configures the VLAN membership mode of a port. The access port is set to access unconditionally and operates as a non-trunking, single VLAN interface that sends and receives non-encapsulated (non-tagged) frames. An access port can be assigned to only one VLAN. The trunk port sends and receives encapsulated (tagged) frames that identify the VLAN of origination. A trunk is a point-to-point link between two switches or between a switch and a router. |
switchport trunk {encapsulation { dot1q } | Sets the trunk characteristics when the interface is in trunking mode. In this mode, the switch supports simultaneous tagged and untagged traffic on a port. |
encapsulation dot1q vlan-id | Defines the matching criteria to map 802.1Q frames ingress on an interface to the appropriate service instance |
show spanning-tree | Provides detailed information about the Spanning Tree protocol for all VLANs |
DHCP Commands | |
ip address dhcp | Acquires an IP address on an interface via DHCP |
ip dhcp pool name | Used to configure a DHCP address pool on a DHCP server and enter DHCP pool configuration mode |
domain-name domain | Specifies the domain name for a DHCP client |
network network-number [mask] | Configures the network number and mask for a DHCP address pool primary or secondary subnet on a Cisco IOS DHCP server |
ip dhcp excluded-address ip-address [last-ip-address] | Specifies IP addresses that a DHCP server should not assign to DHCP clients |
ip helper-address address | Enables forwarding of UDP broadcasts, including BOOTP, received on an interface |
default-router address[address2 … address8] | Specifies the default routers for a DHCP client |
Security Commands | |
password pass-value | Lists the password that is required if the login command (with no other parameters) is configured |
username name password pass-value | Defines one of possibly multiple user names and associated passwords used for user authentication. It is used when the login local line configuration command has been used |
enable password pass-value | Defines the password required when using the enable command |
enable secret pass-value | Sets the password required for any user to enter enable mode |
service password-encryption | Directs the Cisco IOS software to encrypt the passwords, CHAP secrets and similar data saved in its configuration file |
ip domain-name name | Configures a DNS domain name |
crypto key generate rsa | Creates and stores (in a hidden location in flash memory) the keys that are required by SSH |
transport input {telnet | ssh} | Defines whether Telnet or SSH access is allowed into this switch. Both values can be specified in a single command to allow both Telnet and SSH access (default settings) |
access-list access-list-number {deny | permit} source [source-wildcard] [log] | Defines a standard IP access list |
access-class | Restricts incoming and outgoing connections between a particular VTY (into a basic Cisco device) and the addresses in an access list |
ip access-list {standard | extended} {access-list-name | access-list-number} | Defines an IP access list by name or number |
permit source [source-wildcard] | Allows a packet to pass a named IP ACL. To remove a permit condition from an ACL, use the “no” form of this command. |
deny source [source-wildcard] | Used to set conditions in a named IP ACL that will deny packets. To remove a deny condition from an ACL, use the “no” form of this command. |
ntp peer <ip-address> | Configures the software clock to synchronize a peer or to be synchronized by a peer |
switchport port-security | Enables port security on the interface |
switchport port-security maximum maximum | Sets the maximum number of secure MAC addresses on the port |
switchport port-security mac-address {mac-addr | {sticky [mac-addr]}} | Adds a MAC address to the list of secure MAC addresses. The “sticky” option configures the MAC addresses as sticky on the interface |
switchport port-security violation {shutdown | restrict | protect} | Sets the action to be taken when a security violation is detected |
show port security [interface interface-id] | Displays information about security options configured on the interface |
Monitoring and Logging Commands | |
logging ip address | Configures the IP address of the host that will receive the system logging (syslog) messages |
logging trap level | Used to limit messages that are logged to the syslog servers based on severity. Specify the number or name of the desired severity level at which messages should be logged |
show logging | Displays the state of system logging (syslog) and the contents of the standard system logging buffer |
terminal monitor | Sends a copy of all syslog messages, including debug messages, to the Telnet or SSH user who issues this command |