Unless otherwise noted, all commands are likely to work on switches as much as on routers.
Commands can be abbreviated, such as "sh run" or "show run" instead of "show running-config", as long as the abbreviation is not ambiguous.
Recommended book: CCNA Portable Command Guide by Scott Empson
Annoyances
(config)#line con 0 Step 1/2: Enter console line configuration so the router or switch will not interrupt your typing with informational notices.
(config-line)#logging synchronous Step 2/2: Redraws the prompt and your partial command after each notice. If you don't do this, you can always press CONTROL+R to redraw the line when the device interrupts.
(config-line)#exec-timeout 0 0 Console will never log out. Don't do this. Tremendous security risk.
(config)#[CONTROL+SHIFT+6] Same as Control+C/Break.
(config)#no ip domain-lookup Turns off DNS queries so that spelling mistakes will not cause lookups.
IOS Modes
Switch/Router>User Mode
Switch/Router#Privileged mode
Switch/Router(config)#Global configuration mode
Switch/Router(config-if)#Interface mode
Switch/Router(config-subif)#Subinterface mode
Switch/Router(config-line)#Line mode
Switch/Router(config-router)#Router configuration mode
Show Commands
#show ? Lists all show commands available
#show access-lists Show any access-lists
#show arp Displays arp table
Router#show clock Displays time set on device
Router#show controllers serial 0 Displays stats for interface hardware, clock rate, DCE or DTE
#show flash Displays information about Flash memory
#show history Displays history of commands used at this level
Router#show hosts Displays local host-to-IP address cache
#show interface serial 0 Displays statistics for a specific interface
#show interfaces Displays statistics for all interfaces
Router#show ip dhcp binding Displays all DHCP leases
Router#show ip dhcp server statistics DHCP statistics.
Router#debug ip dhcp server events Shows DHCP leases as they happen.
Router#show ip interface brief Displays a summary of all interfaces + IP address assigned
Router#show ip nat translations Displays NAT translations
Router#show ip route Displays contents of IP routing table
Router#show protocols Displays status of configured Layer 3 protocols
#show running-config Displays configuration currently running in RAM
#show startup-config Displays configuration saved in NVRAM
#show users Displays all users connected to device
Router#show vlans Displays current VLAN configuration
#show vtp VTP information; see "View VTP Configuration" later in this document.
#show version Displays software version
Debug information
#no debug all (or u all, short for undebug all) Turns off all debugging. Privileged mode command.
#terminal monitor Allows debug output to appear on telnet/SSH sessions; by default it appears only on the console.
Configure Commands
>en Enters "enable mode". Enable mode has privileged access.
#config t Enters global configuration mode; the prompt becomes Router(config)#
(config)#hostname Office OPTIONAL: Changes the router's hostname to Office. Required for PPP's PAP and CHAP.
Security Hardening If you're not ahead of the threat, then you're only reacting to it.
(config)#no cdp run CDP advertises information about your Cisco device (platform, software version, addresses) to directly connected neighbours. Information leak.
(config)#spanning-tree portfast bpduguard default PortFast reduces the waiting time before a port forwards, and BPDU Guard error-disables any PortFast port on which a BPDU arrives (STP CG p113).
~Research the Root Guard feature (it concerns STP).
(config)#no ip http server Disables the web server that listens on all interfaces. Frees up resources and removes an attack surface.
~Do not put any users in VLAN 1. Use VLAN 2, 10, or 11 as the first VLAN. VLAN 1 should not carry any data traffic.
#set port dot1q-all-tagged all enable (CatOS syntax; on IOS platforms that support it the equivalent is (config)#vlan dot1q tag native)
~Use '802.1q-all-tagged' mode (begins tagging native VLAN frames), or if that is not possible, clear the native VLAN (VLAN 1) from all trunk links.
~Shut down all unused ports and put them in an unused VLAN. Block unauthorized access with fundamental physical and logical barriers.
~Don't use VTP. A new switch with a higher VTP revision number, or a simple admin mistake, can wipe out the VLAN database across the entire VTP domain.
~Use out-of-band management. Create a new VLAN, and do administration only through ports in this new VLAN.
Enable Password
(config)#enable password matrix Don't do this. Sets the enable password in clear text; use enable secret instead.
(config)#enable secret matrix Sets the enable secret. The password is stored as a hash, as seen in "show run".
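The hardening and enable-password advice above can be checked mechanically against a saved "show running-config". The script below is an added example, not Cisco's or this guide's own code: it parses IOS-style config text into global lines and indented blocks and flags the weak settings listed above (enable password instead of enable secret, ip http server left on, CDP not disabled, VTP not in transparent/off mode, exec-timeout 0 0 on a line, user ports in VLAN 1). Both sample configs are constructed, and the VTP check is a heuristic because the default server mode is often not printed in the running-config.

```python
"""Audit a saved 'show running-config' for the weak settings this page warns about.

Added example, not Cisco's or the page author's code. The sample configs below
are constructed; the checks are plain string heuristics over the config text.
"""

# Constructed sample of a weakly configured switch (not from a real device).
WEAK_CONFIG = """\
!
hostname Office
!
enable password matrix
!
ip http server
!
line con 0
 exec-timeout 0 0
 logging synchronous
!
interface FastEthernet0/1
 switchport access vlan 1
 switchport mode access
!
interface FastEthernet0/2
 shutdown
!
end
"""

# Constructed sample after applying the hardening steps above (hash is a placeholder).
HARDENED_CONFIG = """\
hostname Office
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASHONLY
no ip http server
no cdp run
vtp mode transparent
line con 0
 exec-timeout 5 0
 logging synchronous
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/2
 shutdown
end
"""


def parse_sections(config):
    """Split IOS config text into (header, [indented child lines]) blocks.

    Global one-liners such as 'hostname Office' become headers with no children.
    """
    sections = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(config):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    sections = parse_sections(config)
    global_cmds = {header for header, kids in sections if not kids}
    findings = []

    # Clear-text 'enable password' instead of the hashed 'enable secret'.
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append(("ENABLE_PASSWORD", "enable password is set; use enable secret"))

    # Embedded web server left running.
    if "ip http server" in global_cmds:
        findings.append(("HTTP_SERVER", "ip http server is enabled"))

    # CDP is on by default, so its absence from the config means it is running.
    if "no cdp run" not in global_cmds:
        findings.append(("CDP", "no cdp run is missing; CDP leaks device details"))

    # VTP defaults to server mode, which is usually not printed, so treat
    # anything other than an explicit transparent/off mode as a finding.
    if not ({"vtp mode transparent", "vtp mode off"} & global_cmds):
        findings.append(("VTP", "VTP not set to transparent/off (heuristic)"))

    for header, kids in sections:
        if header.startswith("line ") and "exec-timeout 0 0" in kids:
            findings.append(("NO_TIMEOUT", f"{header}: exec-timeout 0 0 never logs out"))
        if header.startswith("interface "):
            explicit_vlan1 = "switchport access vlan 1" in kids
            # An access port with no 'switchport access vlan' line defaults to VLAN 1.
            default_vlan1 = "switchport mode access" in kids and not any(
                k.startswith("switchport access vlan ") for k in kids
            )
            if explicit_vlan1 or default_vlan1:
                findings.append(("VLAN1", f"{header}: user port in VLAN 1"))
    return findings


def finding_codes(config):
    """Convenience wrapper: just the finding codes, as a set."""
    return {code for code, _ in audit(config)}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, detail in audit(cfg):
            print(f"  {code}: {detail}")
```

Feed it the output of "show running-config" captured from a terminal session; the weak sample produces six findings and the hardened sample none.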
Blocking Telnet using ACLs CCNA Self-Study, Interconnecting Cisco Network Devices p228
Router(config)#access-list 101 deny tcp any 192.168.0.0 0.0.255.255 eq 23 Denies TCP port 23 (telnet) from any source to our 192.168.0.0/16 network.
Router(config)#access-list 101 permit ip any any Permits everything else (every ACL ends with an implicit deny).
Router(config)#int fa0/0
Router(config-if)#ip access-group 101 in Applies the ACL inbound on the external FastEthernet 0/0 interface.
Configure DHCP Server
CCNA Portable Command Guide p197
This is easier using Cisco Device Manager: put your router IP into a web browser, leave the username blank, and the password is your enable password. (This needs the HTTP server that the Security Hardening section above turns off.)
Router(config)#no service dhcp Turns DHCP service off (default is on)
Router(config)#service dhcp Turns DHCP service on
Router(config)#ip dhcp pool public Creates a DHCP pool called 'public'
Router(dhcp-config)#network 172.16.0.0 255.255.0.0 Range of addresses to be leased
Router(dhcp-config)#default-router 172.16.0.1 Network's router address.
Router(dhcp-config)#dns-server 172.17.0.1 DNS server address.
Router(dhcp-config)#netbios-name-server 172…… NetBIOS server
Router(dhcp-config)#domain-name futon.invalid Defines the "domain name" for the client.
Router(dhcp-config)#lease 0 8 1 Lease time is 0 days, 8 hours, and 1 minute.
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 172.16.0.1 172.16.0.99 Range of addresses that will not be given out. You may or may not need to exclude router addresses.
Router(config)#ip dhcp pool admin.network Creates a DHCP pool called 'admin.network'
Router(dhcp-config)#network 172.18.0.0 255.255.0.0 Range of addresses to be leased
Router(dhcp-config)#default-router 172.18.0.1 Network's router address.
Router(dhcp-config)#dns-server 172.17.0.1 DNS server address.
Router(dhcp-config)#lease infinite Leases never expire.
Configuring NAT Overload (PAT) Inside hosts share the address of the outside interface, so the NAT'ed networks stay invisible to the outside; otherwise you must run a routing protocol for them.
Router(config)#access-list 1 permit 192.168.3.0 0.0.0.255 Using a wildcard mask, defines network addresses the router will perform NAT for.
Router(config)#access-list 1 permit 192.168.4.0 0.0.0.255 Using a wildcard mask, defines network addresses the router will perform NAT for.
Router(config)#ip nat inside source list 1 int fa0/0 overload Translates addresses matched by access-list 1 to the address of the outside (WAN) interface, with port overloading. The interface named here must be the one marked ip nat outside (fa0/0 below).
Router(config)#int fa0/0 Go to interface FastEthernet 0/0
Router(config-if)#ip nat outside Define this as the outside
Router(config-if)#exit Go back to global config.
Router(config)#int fa0/1 Go to interface FastEthernet 0/1
Router(config-if)#ip nat inside Define this as the inside
Router(config-if)#exit Go back to global config.
Saving Configurations
#copy run start Saves the running-config to local NVRAM (automatic on a 1900-series switch)
#erase start Deletes the startup-config file from NVRAM
#reload Reboot the router or switch.
Assigning Multiple Ports Using the range Command (2950 Switch Only)
2950Switch(config)#int range fa0/13 - 24 There is a space before and after the hyphen
2950Switch(config-if-range)#switchport mode access Sets all ports to access mode (for connecting to a desktop)
2950Switch(config-if-range)#switchport access vlan 2 Assigns all ports to VLAN 2
Password Recovery
The procedure for this is device dependent; some instructions are provided in the CCNA Portable Command Guide on page 157.
ISDN Info
ISDN BRI Configuring
router(config)#isdn switch-type basic-ni1
router(config)#int bri 0
router(config-if)#isdn switch-type basic-ni1