Commands To Move Between These Six Modes:
Command Mode Description
enable U Moves from User to Privileged mode.
logout U Exit User mode.
configure <terminal> P Moves from Privileged to Configure mode.
disable P Exit user mode.
interface <interface description> G Enter interface configuration mode.
vlan vlan-id G Moves to configure vlan mode.
vlan database P Enter vlan database from Privilege mode.
line G Enter line from Global configuration mode.
exit / end G, R, L, V Return to previous mode.
2. Fundamentals — Basic Configuration
The following are the fundamental Cisco IOS commands. These commands give you the necessary
base to move to more advanced and specific commands.
Command Mode Description
show version U,P Display information about IOS and router.
show interfaces U,P Display physical attributes of the router’s interfaces.
show ip route U,P Display the current state of the routing table.
show access-lists P Display current configured ACLs and their contents.
show ip interface brief P Displays a summary of the status for each interface.
show running-config P Display the current configuration.
show startup-config P Display the configuration at startup.
enable U Access Privilege mode.
config terminal P Access Configuration mode.
interface <int> G Enter interface configuration.
ip address <ip address> <mask> I Assign an IP address to the specified interface.
shutdown / no shutdown I Turn off or turn on an interface. Use both to reset.
description <name-string> I Set a description to the interface.
show ip interface <type number> U,P Displays the usability status of the protocols for the interfaces.
show running-config interface interface <slot/number> P Displays the running configuration for a specific interface.
hostname <name> G Set a hostname for the Cisco device.
enable secret <password> G Set an “enable” secret password.
copy running-config startup-config P Saves the current (running) configuration in the startup configuration into the NVRAM. The command saves the configuration so when the device reloads, it loads the latest configuration file.
copy startup-config running-config P It saves (overwrites) the startup configuration into the running configuration.
copy from-location to-location P It copies a file (or set of files) from a location to another location.
erase nvram G Delete the current startup configuration files. The command returns the device to its factory default.
reload G Reboot the device. The NVRAM will take the latest configuration.
erase startup-config G Erase the NVRAM filesystem. The command achieves the similar outcome as “erase nvram”.
3. Network Access
This section covers Cisco’s popular network access protocols, from configuring and verifying
VLANs and trunks to Layer 2 discovery protocols like CDP and LLDP. We’ll also cover simple
Etherchannel and Rapid PVST+ Spanning Tree Protocol configuration.
Command Mode Description
cdp run / no cdp run P The “cdp run” command enables Cisco Discovery Protocol. The “no cdp run” disables it.
show cdp P Display global information for CDP.
show cdp neighbors P Display all CDP neighbors.
lldp run / no lldp run P The “lldp run” command enables the LLDP Protocol. The “no lldp run” disables it.
show lldp P Displays global information for LLDP.
show lldp neighbors P Show all LLDP neighbors.
show mac address-table P Display all the MAC address entries in a table.
spanning-tree mode rapid-pvst G A global configuration command that configures the device for Rapid Per VLAN Spanning Tree protocol.
spanning-tree vlan <1-4094> priority <0-61440> G Manually set the bridge priority per vlan.
spanning-tree vlan <1-4094> root primary G Make the switch the root of the SP.
no spanning-tree vlan <1-4094> G Disable SP on the specific VLAN.
show spanning-tree summary P Show a summary of all SP instances and ports.
show spanning-tree detail P Show detailed information of each port in the spanning-tree process.
show vlan P Lists each VLAN and all interfaces assigned to that VLAN. The output does not include trunks.
show vlan brief P Displays vlan information in brief.
show interfaces switchport P Display configuration settings about all the switch port interfaces.
show interfaces trunk P Display information about the operational trunks along with their VLANs.
vlan <1-4094> G Enter VLAN configuration mode and create a VLAN with an associated number ID.
name <name> V Within the VLAN configuration mode, assign a name to the VLAN.
switchport mode access I In the interface configuration mode, the command assigns the interface link type as an access link.
switchport access vlan <> I Assign this interface to specific VLAN.
interface range < > I – range Access interface range configuration mode from Interface Configuration.
channel-group <number> I – range Assign the Etherchannel. Set the interface range to a channel group.
no switchport access vlan <> I Remove VLAN assignment from interface. It returns to default VLAN 1.
show vtp status P Display all vtp status.
vtp mode <server | client | transparent> G In the global configuration mode, set the device as server, client, or transparent vtp mode.
switchport mode trunk I An interface configuration mode. Set the interface link type as a trunk link.
switchport trunk native vlan <> I Set native VLAN to a specific number.
switchport trunk allowed vlan <> I Allow specific VLANs on this trunk.
switchport trunk encapsulation dot1q I Sets the 802.1Q encapsulation on the trunk link.
4. IP Connectivity
This section includes some of the simplest yet most useful IP connectivity IOS commands, from
displaying a routing table to creating static and default routes. We also include dynamic routes with OSPF.
Command Mode Description
show ip route P Show the routing table.
show ip route ospf P Show routes created by the OSPF protocol.
ip default-gateway <ip_address> G Set the default gateway for the router.
ip route <network> <mask> <next hop> G Create a new static route.
no ip route <network> <mask> <next hop> G Remove a specific static route.
ip route 0.0.0.0 0.0.0.0 <next hop> G Configure a default route.
router ospf <process ID> G Enable OSPF with an ID. The command will open the router configuration mode.
show ip ospf interface P Display all the active OSPF interfaces.
5. IP Services
This section shows the common commands for configuring NAT, DHCP, and DNS services. It also
includes simple and useful SNMP and Syslog commands for monitoring and logging.
Command Mode Description
ip nat <inside | outside> I Specify whether the interface is the inside or outside of NAT.
ip nat inside source <ACL No.> <pool | static IP> <overload> G Configure dynamic NAT. It instructs the router to translate all addresses identified by the ACL on the pool. To configure Port Address Translation (PAT) use the “overload” at the end.
ip nat inside source static <local IP> <global IP> G Create a static NAT from inside (local IP) to outside (global IP).
ip nat outside source static <ACL No.> <pool | static IP> G Create a static NAT from outside (ACL) to inside (IP pool).
ntp peer <ip-address> G Configure the time by synchronizing it from an NTP server.
ip dhcp excluded-address <first-ip-address> <last-ip-address> G The IP addresses that the DHCP server should not assign to the DHCP client.
ip dhcp pool <name> G Enters the DHCP pool configuration mode and creates a new DHCP pool.
network <network ID> <mask> G – DHCP Inside the DHCP configuration mode. Define the address pool for the DHCP server.
default-router <IP address> G – DHCP Set the default gateway IP address for the DHCP clients.
dns-server <IP address> G – DHCP Set the DNS server IP address for the DHCP clients.
ip helper-address <ip address> I Turns an interface into a DHCP bridge. The interface redirects DHCP broadcast packets to a specific IP.
show ip dhcp pool P Display information about the DHCP pool.
show ip dhcp binding P Display information about all the current DHCP bindings.
ip dns server G Enable DNS service.
ip domain-lookup G Enable domain lookup service (DNS client).
ip name-server <IP address | domain name> G Set a public DNS server.
snmp-server community <community-string> ro G Enable SNMP Read-Only public community strings.
snmp-server community <community-string> rw G Enable SNMP Read-Only private community strings.
snmp-server host <ip-address> version <community-string> G Specify the hosts to receive the SNMP traps.
logging <ip address> G Determines the Syslog server to send log messages.
logging trap level G Limit Syslog messages based on severity level.
show logging P Shows the state of logging (syslog). Shows the errors, events, and host addresses. It also shows SNMP configuration and activity.
terminal monitor P Enables debug and system’s error messages for the current terminal.
sh ip ssh P Verify SSH access into the device.
6. Security
In this section, we include the most basic AAA configuration commands for Cisco IOS. We’ll also
include basic standard and extended ACLs and port security configuration commands.
Command Mode Description
enable secret <password> G Set an “enable” secret password. Enable secret passwords are hashed via the MD5 algorithm.
line vty 0 4 G A global configuration command to access the virtual terminal configuration. VTY is a virtual port used to access the device via SSH and Telnet. 0 4 to allow five simultaneous virtual connections.
line console 0 G A global configuration command to access the console configuration.
password <password> L Once in line mode, set a password for those remote sessions with the “password” command.
login local The authentication uses only locally configured credentials.
username <username> privilege <level> secret <password> G Require a username with a specific password. Also configure different levels of privilege.
service password-encryption G Makes the device encrypt all passwords saved on the configuration file.
crypto key generate rsa G Generate a set of RSA key pairs for your device. These keys may be used for remote access via SSH.
access-list G Define a numbered ACL.
ip access-list G Define an IPv4 ACL.
access-list access-list-number <deny | permit> source <source> [log] G Create a standard ACL.
access-list access-list-number <deny | permit> protocol <> source <source [ports]> destination <destination [ports]> [Options] G Create an extended ACL.
ip access-class <access-list-name> <in | out> / no ip access-group <access-list-name> <in | out> L A line configuration command mode. It restricts incoming and outgoing connections to a particular vty line. Use “no” to remove the restriction.
show ip access-list P Show all IPv4 ACLs.
switchport mode access I From the interface configuration mode, this command assigns the interface link type as an access link.
switchport port-security I Enable dynamic port security on the specific interface.
switchport port-security maximum <max value> I Specify the maximum number of secure MAC addresses on the specific interface.
switchport port-security mac-address <mac-address | sticky [mac-address]> I Force a specific mac-address to the interface. Also use the “sticky” option to make the interface remember the first mac-address connected to the interface.
switchport port-security violation <shutdown | restrict | protect> I Define the action to be taken when a violation is detected on the port.
show port-security P Display the port security configuration on each interface.
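An added example, not part of the original cheat sheet: a small Python audit that checks a saved running-config for settings from Sections 5 and 6 (enable secret, service password-encryption, login local and an inbound access-class on each VTY line, SNMP community strings). The config text is constructed, the function names are hypothetical, and the parser assumes the indented sub-command layout that "show running-config" prints.

```python
import re

# Constructed sample running-config (illustrative, not from a real device).
SAMPLE_CONFIG = """\
hostname LAB-SW1
enable password cisco123
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 login
line vty 5 15
 access-class 10 in
 login local
"""

def parse_blocks(config):
    """Return (top-level lines, {top-level line: [indented sub-commands]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(line)      # sub-command of the current block
        else:
            current = line                    # new global command or block header
            top.append(line)
            blocks[line] = []
    return top, blocks

def audit(config):
    """Return findings; accepts 'access-class' or the page's 'ip access-class'."""
    top, blocks = parse_blocks(config)
    findings = []
    if not any(ln.startswith("enable secret") for ln in top):
        findings.append("no 'enable secret' configured")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' missing")
    for ln in top:
        m = re.match(r"snmp-server community (\S+) (ro|rw)\b", ln, re.I)
        if m and (m.group(2).lower() == "rw" or m.group(1).lower() in ("public", "private")):
            findings.append(f"SNMP community '{m.group(1)}' is default-named or read-write")
    for header, sub in blocks.items():
        if header.startswith("line vty"):
            if "login local" not in sub:
                findings.append(f"{header}: 'login local' not set")
            if not any(re.match(r"(ip )?access-class \S+ in\b", s) for s in sub):
                findings.append(f"{header}: no inbound access-class")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports six findings, all against the global settings and "line vty 0 4"; the "line vty 5 15" block passes both VTY checks.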
7. Troubleshooting Commands
In the final section of this cheat sheet we’ll include basic troubleshooting commands. We already
included some of these commands in previous sections, but they are also very useful when it comes
to troubleshooting.
Command Mode Description
ping <target IP | hostname> <repeat Count [5]> <source [IP | interface]> P Diagnose connectivity with extended ping. Check reachability, RTTs, and packet loss.
traceroute <target IP | hostname> <source [IP | interface]> P Use traceroute to diagnose connectivity on a hop by hop basis.
telnet P Use Telnet to check for listening ports (1 to 65535) on a remote device.
show interface P Use this command to discover the physical attributes; find duplex, link types, and speed mismatches. Both ends must match. Also use this command to find errors.
speed <10 | 100 | 1000 | auto> I Set the speed of an interface. Or configure it as auto.
duplex <auto | full | half> I Set the interface duplex.
show interface | include fastethernet | input errors P This command searches across all interfaces and outputs the ones that include input errors.
show ip interface P Use this command to discover the status for all the protocols on that interface.
shutdown / no shutdown I Interface configuration mode. Restart an interface.
show ip route P This command is useful for determining the route of ip packets.
show cdp neighbors P Discover basic information about neighboring Cisco’s routers and switches.
show mac address-table P Display the contents of the mac-address table.
show vlan / show vlan brief P Find vlan status and interfaces assigned to the vlans.
show vtp status P Use this command to discover the current VTP mode of the device.
show interfaces trunk P Check the allowed VLANs on both ends of the trunk.
show ip flow top-talkers P If Netflow is enabled, this command is very useful to troubleshoot top talkers.