Cisco IOS Quick Reference Original document by Will Richards, revised heavily by GT Ruocco

Freely redistributable in unmodified form. V1.3.0 5/11/2007

Unless otherwise noted, all commands are likely to work on switches as much as on routers.
Commands can be abbrieviated, such as "sh run" or "show run" instead of "show running-config" as long as they are not ambiguous.
Recommended book: CCNA Portable Command Guide by Scott Empson
Annoyances
(config)#line con 0 Step 1/2: Make the router or switch not interrupt your commands with informative notices.
(config-line)#logging sync Step 2/2: If you don't do this, you can always use CONTROL+R if your device interrupts.
(config-line)#exec-timeout 0 0 Console will never logout. Don't do this. Tremendous security risk.
(config)#[CONTROL+SHIFT+6] Same as Control+C/Break.

(config)#no ip domain-lookup Turns off DNS queries so that spelling mistakes will not cause lookups.

IOS Modes
Switch/Router>User Mode
Switch/Router#Privileged mode
Switch/Router(config)#Global configuration mode
Switch/Router(config-if)#Interface mode
Switch/Router(config-subif)#Subinterface mode
Switch/Router(config-line)#Line mode
Switch/Router(config-router)#Router configuration mode

Show Commands
#show ? Lists all show commands available
#show access-lists Show any access-lists
#show arp Displays arp table
Router#show clock Displays time set on device
Router#show controllers serial 0 Displays stats for interface hardware, clock rate, DCE or DTE
#show flash Displays information about Flash memory
#show history Displays history of commands used at this level
Router#show hosts Displays local host-to-IP address cache
#show interface serial 0 Displays statistics for a specific interface
#show interfaces Displays statistics for all interfaces
Router#show ip dhcp binding Displays all DHCP leases
Router#show ip dhcp server statistics DHCP statistics.
Router#debug ip dhcp server events Shows DHCP leases as they happen.
Router#show ip interface brief Displays a summary of all interfaces + IP address assigned
Router#show ip nat translations Displays NAT translations
Router#show ip route Displays contents of IP routing table
Router#show protocols Displays status of configured Layer 3 protocols
#show running-config Displays configuration currently running in RAM
#show startup-config Displays configuration saved in NVRAM
#show users Displays all users connected to device
Router#show vlans Displays current VLAN configuration
vtp--------> Showing VTP info is listed under View VTP Configuration later in this document.
#show version Displays software version

Debug information
(config)#no debug all or u all (short for undebug) Turns off all debugging.
(config)#terminal monitor Allows debug output to appear on telnets, default is only consoles.

Configure Commands
>en Enters "enable mode". Enable mode has privileged access.
#config t Router(config)#
(config)#hostname Office OPTIONAL: Change's router's hostname to Office. Required for PPP's PAP and CHAP.

Security Hardening If your not ahead of the threat, then your only reacting to it.
#no cdp run CDP unnecessarily reveals information about your Cisco device. Information leak.

#spanning-tree portfast bpduguard Portfast reduces waiting time, and BPDU Guard disables any port that sends STP CG p113
~Research the rootguard feature (it concerns STP).

#no ip http server Disables webserver that runs on all interfaces. Frees up resources and prevents attacks.

~Do not put any users in VLAN 1. Use VLAN 2, 10, or 11 as the first VLAN. VLAN 1 should not carry any data traffic.
#set port dot1q-all-tagged all enable
~Use '802.1q-all-tagged' mode (Begins tagging native VLAN packets), or if that is not possible, clear the native VLAN (VLAN 1) from all trunk links.

~Shutdown all unused ports and put them in an unused VLAN. Block unauthorized access through fundamental physical and logical barriers.

~Don't use VTP. A new switch with a higher VTP revision, or a simple admin mistake can wipe out the entire VTP domain across all switches.
 Use out-of-band management. Create a new VLAN, and do administration only through ports in this new VLAN.

Enable Password
(config)#enable password matrix Don't do this. Sets enable password (insecurely, use enable secret instead).
(config)#enable secret matrix Sets enable secret password. Password is now encrypted/encoded as seen in "show run".

Console Password Shows up as cleartext in show run

(config)#line con 0 Enters console-line mode
(config-line)#password matrix Sets console-line password
(config-line)#login Enables password checking at login

Setting Telnet Password Telnet password shows up as cleartext in 'show running-config'

config#enable secret matrix Both vty and enable password must be set to use telnet.
(config)#line vty 0 4 Enters vty mode for all five vty lines
(config-line)#password matrix Sets vty password to Will
(config-line)#login Enables password checking at login

Blocking Telnet using ACL's CCNA Self-Study, Interconnecting Cisco Network Device p228
Router(config)#access-list 101 deny tcp any 192.168.0.0 0.0.255.255 eq 23
Router(config)#access-list 101 permit ip any any Blocks telnet packets from any network heading to our network.
Router(config)#int fa0/0
Router(config)#ip access-group 101 in Applies telnet firewall inbound on external FastEthernet 0/0 interface.

Auxiliary Password Not necessary, this is locked if no password is set

(config)#line aux 0 Enters auxiliary line mode
(config-line)#password matrix Sets auxiliary line mode pass to Will

Create Management IP for Switch

Switch(config)ip default-gateway 192.168.1.1 Not always required, but good practice.
Switch(config)#int vlan 1 Moves to virtual interface VLAN 1.
Switch(config-if)#ip address 192.168.1.2 255.255.255.0 Sets IP address.
Switch(config-if)#no shut Brings up interface.

Assign Static IP to Router's Ethernet Interface

Router(config-if)#int fa0/0 Moves to Fast/Ethernet 0/0 interface mode
Router(config-if)#ip address 192.168.5.1 255.255.255.0 Assigns address and subnet mask to the interface
Router(config-if)#no shut Brings up interface
Enable DHCP on Router's Ethernet Interface
Router(config)#int fa0/0 Moves to Fast/Ethernet 0/0 interface mode
Router(config-line)#ip address dhcp IP address will be obtained via DHCP
Router(config-line)#no shut Brings up interface

Assign Static IP to Router's Serial Interface

Router(config)#int s0/1/0 Moves to interface serial 0/1/0 mode
Router(config-if)#ip address 192.168.15.1 255.255.255.0 Assigns address and subnet mask to the interface
Router(config-if)#no shut Turns interface on

Configure Default Route

Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1 Send all packets destined for networks not in my routing table to 192.168.102.5
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1 permanent Above route will disappear if link goes down. Permanent saves it forever.
Router(config)#ip route 0.0.0.0 0.0.0.0 s0/0 Send all packets destined for networks not in my routing table out serial 0/0 interface

Configure DHCP Server This is easier using Cisco Device Manager, put your router IP into a web browser;
CCNA Portable Command Guide p197 leave the username blank, and the password is your enable password.
Router(config)#no service dhcp Turns DHCP service off (default is on)
Router(config)#service dhcp Turns DHCP service on
Router(config)#ip dhcp pool public Creates a DHCP pool called 'public'
Router(dhcp-config)#network 172.16.0.0 255.255.0.0 Range of addresses to be leased
Router(dhcp-config)#default-router 172.16.0.1 Network's router address.
Router(dhcp-config)#dns-server 172.17.0.1 DNS server address.
Router(dhcp-config)#netbios-name-server 172…… NetBIOS server
Router(dhcp-config)#domain-name futon.invalid Defines the "domain name" for the client.
Router(dhcp-config)#lease 0 8 1 Lease time is 0 days, 8 hours, and 1 minute.
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 172.16.0.1 Range of addresses that will not be given out. You may or may not need to exclude router
172.16.0.99 addresses.
Router(config)#ip dhcp pool admin.network Creates a DHCP pool called 'admin.network'
Router(dhcp-config)#network 172.18.0.0 255.255.0.0 Range of addresses to be leased
Router(dhcp-config)#default-router 172.18.0.1 Network's router address.
Router(dhcp-config)#dns-server 172.17.0.1 DNS server address.
Router(dhcp-config)#lease infinity

Configuring NAT Overload (PAT) This makes NAT'ed networks invisible, otherwise you must run a routing protocol.
Router(config)#access-list 1 permit 192.168.3.0 0.0.0.255 Using wildcard mask, defines network addresses the router will perform NAT for.
Router(config)#access-list 1 permit 192.168.4.0 0.0.0.255 Using wildcard mask, defines network addresses the router will perform NAT for.
Router(config)#ip nat inside source list 1 int eth0/0 overload Allows IPs in access-list 1 to NAT onto overloaded WAN interface eth0/0
Router(config)#int fa0/0 Goto interface FastEthernet 0/0
Router(config-if)#ip nat outside Define this as the outside
Router(config-if)#exit Go back to global config.
Router(config)#int fa0/1 Goto interface FastEthernet 0/1
Router(config-if)#ip nat inside Define this as the inside
Router(config-if)#exit Go back to global config.

Enable RIP Distance vector routing protocol.

Router(config)#router rip
Router(config)#version 2
Router(config-router)#no auto-summary
Router(config-router)#network 192.168.1.0
Router(config-router)#network 192.168.2.0
Enables RIP as a routing protocol
OPTIONAL: Switches to RIP-2
OPTIONAL: RIP-2 summarizes networks into classful nets. Turns this off.
Network number of the 1st network your router is attached to.
Network number of the 2nd network your router is attached to.

Enable OSPF Link-state routing protocol.

Router(config)#router ospf 100 100 is the process ID of the routing process on your router. Do not confuse with area ID.
OSPF will use the wildcard mask to determine which interfaces to advertise. All routers
Router(config)#network 192.168.1.0 0.0.0.255 area 0 must use same area number.

EIGRP Commands This is a proprietary routing protocol made by Cisco.

Router(config)#router eigrp 102 Turns on the EIGRP process. 102 is the AS number
Router(config-router)#network 192.168.10.0 Specifies which network to advertise in EIGRP
Router(config-router)#no eigrp 102 Disables routing protocol for AS 102

Saving Configurations
#copy run start Saves the running-config to local NVRAM (automatic on a 1900-series switch)
#erase start Deletes the startup-config file from NVRAM
#reload Reboot the router or switch.

TFTP Libre/Free Software TFTP server: PumpKIN ---> http://kin.klever.net/pumpkin/

#copy startup tftp Copies startup-config to TFTP server. It will ask you for the address.
#copy running tftp Copies running-config to TFTP server. It will ask you for the address.
#copy tftp startup Copies config from TFTP to startup. Now 'reload'.
#copy tftp running Do not do this. It will merely merge with, not overwrite your existing running-config.
VTP Configuration
Default VTP mode is server mode. If you are adding a switch to an existing VTP domain, you should first set it to VTP client mode, then wait for
it to receive the latest VTP update. After it has been updated by the existing VTP domain, change it to a VTP client or back to VTP server mode.
1900 Series Switch
(config)#vtp client Sync, forward, but no VLAN modification allowed. Loses VLAN names at poweroff.
(config)#vtp server Sync, forward, VLAN modification allowed.
(config)#vtp transparent Forwards any received VTP, but does not send. Can make independent VLAN names.
(config)#vtp domain MESH Sets name of VTP management domain to MESH
(config)#vtp password matrix Sets VTP password to matrix

2900 Series Switch

#vlan database
(vlan)#vtp client Sync, forward, but no VLAN modification allowed. Loses VLAN names at poweroff.
(vlan)#vtp server Sync, forward, VLAN modification allowed.
(vlan)#vtp transparent Forwards any received VTP, but does not send. Can make independent VLAN names.
(vlan)#vtp domain MESH
(vlan)#vtp password matrix
(vlan)#vtp v2-mode Incompatible with v1 VTP devices. Supports Token-Ring VLANs.
(vlan)#vtp pruning This can reduce trunk bandwidth usage for trunk lines that needn't carry certain VLANs.
(vlan)#exit

2950 Series Switch

#config t
(config)#vtp mode client Sync, forward, but no VLAN modification allowed. Loses VLAN names at poweroff.
(config)#vtp mode server Sync, forward, VLAN modification allowed.
(config)#vtp mode transparent Forwards any received VTP, but does not send. Can make independent VLAN names.
(config)#vtp domain MESH
(config)#vtp password matrix
(config)#vtp v2-mode Incompatible with v1 VTP devices. Supports Token-Ring VLANs.
(config)#vtp pruning This can reduce trunk bandwidth usage for trunk lines that needn't carry certain VLANs.

View VTP Configuration

1900 Series Switch
#show vtp Displays all VTP information.

2900/2950 Series Switch

 #show vtp status Displays VTP domain status
#show vtp counters Displays VTP statistics

VLAN Creation CCNA Portable Command Guide p116

1900 Series Switch
#config t
(config)#vlan 2 name Engineering
(config)#vlan 3 name Marketing
(config)#exit Using control+Z will discard your changes.

2900 Series Switch

#vlan database
(vlan)#vlan 2 name Engineering
(vlan)#vlan 3 name Marketing
(vlan)#exit Using control+Z will discard your changes.

2950 Series Switch The “New Way”

#config t
(config)#vlan 2
(config-vlan)#name Engineering
(config-vlan)#exit
(config)#vlan 3
(config-vlan)#name Marketing
(config-vlan)#exit Using control+Z will discard your changes.

Assigning Ports to VLANs

1900 Series Switch
#config t
(config)#int e0/2
(config-if)#vlan static 2
(config-if)#int e0/3
(config-if)#vlan static 3
(config-if)#exit

2900/2950 Series Switch

#config t
(config)#int fa0/2
 (config-if)#switchport mode access
(config-if)#switchport access vlan 2
(config-if)#int fa0/3
(config-if)#switchport mode access
(config-if)#switchport access vlan 3
(config-if)#exit

Assigning Multiple Ports Using the range Command 2950 Switch Only
2950Switch(config)#int range fa0/13 - 24 There is a space before and after the hyphen
2950Switch(config)#switchport mode access Sets all ports to access mode (for connecting to a desktop)
2950Switch(config)#switchport access vlan 2 Assigns all ports to VLAN 2

Verify Trunking CCNA Portable Command Guide p126

2900/2950Switch#show int fa0/1 switchport Shows the status of this interface including trunking information
2900/2950Switch#show interface trunk

Inter-VLAN Communication: Router-on-a-Stick CCNA Portable Command Guide p129

1900-series switches, and the 1721 and 1760 series routers only support Cisco's proprietary ISL trunking.
On IOS releases earlier than 12.1(3)T, you must configure VLAN 1 on the physical interface. Only later releases can put VLAN 1 on a logical int.
Router(config)#int fa0/1 Enters interface mode for interface FastEthernet0/1
Router(config-if)#no shut Brings up the interface
Router(config-if)#int fa0/1.1 Creates a .1 subinterface on fa0/1 (can be any number from 0 to 4 billion)
Router(config-if)#encapsulation dot1q 10 Assives VLAN 10 to this subinterface (and designates trunking protocol)
Router(config-if)#ip address 192.168.10.1 255.255.255.0 Assigns an IP address to the subinterface
Router(config-if)#int fa0/1.2 Creates a .2 subinterface on fa0/1
Router(config-if)#encapsulation dot1q 11 Assigns VLAN 11 to this subinterface (and designates trunking protocol)
Router(config-if)#ip address 192.168.11.1 255.255.255.0 Assigns an IP address to the subinterface
Router(config-if)#[CONTROL+Z] Exits

Password Recovery
The procedure for this is device dependent, some instructions are provided in the CCNA Portable Command Guideon page 157
 ISDN Info
ISDN BRI Configuring
router(config)#isdn switch-type basic-ni1
router(config)#int bri 0
router(config-ifg)#isdn switch-type basic-ni1

ISDN BRI Configuring: Setting SPIDs

router(config)#interface bri 0/0/0
router(config-if)#ip address 192.168.12.1 255.255.255.0
router(config-if)#isdn spid1 904.555120110101 5551201
router(config-if)#isdn spid2 904.555120120101 5551202

#show isdn status

#show idsn active

Page 9
 ISDN Info

Global switch type

Interface switch type can be different than global.

Assigns ip address to interface

Assigns SPID 1
Assigns SPID 2

Page 10