Cisco IOS Quick Reference

Original document by Will Richards, revised heavily by GT Ruocco

Freely redistributable in unmodified form.

V1.3.0 5/11/2007

Unless otherwise noted, all commands are likely to work on switches as much as on routers.
Commands can be abbreviated, such as "sh run" or "show run" instead of "show running-config", as long as they are not ambiguous.
Recommended book: CCNA Portable Command Guide by Scott Empson
Annoyances
(config)#line con 0
Step 1/2: Make the router or switch not interrupt your commands with informative notices.
(config-line)#logging sync
Step 2/2: If you don't do this, you can always use CONTROL+R if your device interrupts.
(config-line)#exec-timeout 0 0
Console will never log out. Don't do this. Tremendous security risk.
(config)#[CONTROL+SHIFT+6]
Same as Control+C/Break.
(config)#no ip domain-lookup
Turns off DNS queries so that spelling mistakes will not cause lookups.

IOS Modes
Switch/Router>  User mode
Switch/Router#  Privileged mode
Switch/Router(config)#  Global configuration mode
Switch/Router(config-if)#  Interface mode
Switch/Router(config-subif)#  Subinterface mode
Switch/Router(config-line)#  Line mode
Switch/Router(config-router)#  Router configuration mode
Show Commands
#show ?
Lists all show commands available
#show access-lists
Show any access-lists
#show arp
Displays arp table
Router#show clock
Displays time set on device
Router#show controllers serial 0
Displays stats for interface hardware, clock rate, DCE or DTE
#show flash
Displays information about Flash memory
#show history
Displays history of commands used at this level
Router#show hosts
Displays local host-to-IP address cache
#show interface serial 0
Displays statistics for a specific interface
#show interfaces
Displays statistics for all interfaces
Router#show ip dhcp binding
Displays all DHCP leases
Router#show ip dhcp server statistics
DHCP statistics.
Router#debug ip dhcp server events
Shows DHCP leases as they happen.
Router#show ip interface brief
Displays a summary of all interfaces + IP address assigned
Router#show ip nat translations
Displays NAT translations
Router#show ip route
Displays contents of IP routing table
Router#show protocols
Displays status of configured Layer 3 protocols
#show running-config
Displays configuration currently running in RAM
#show startup-config
Displays configuration saved in NVRAM
#show users
Displays all users connected to device
Router#show vlans
Displays current VLAN configuration
vtp --> Showing VTP info is listed under View VTP Configuration later in this document.
#show version
Displays software version

Debug information
#no debug all or u all (short for undebug)
Turns off all debugging.
#terminal monitor
Allows debug output to appear in telnet sessions; by default it appears only on the console.

Configure Commands
>en
Enters "enable mode". Enable mode has privileged access.
#config t
Prompt changes to Router(config)#
(config)#hostname Office
OPTIONAL: Changes router's hostname to Office. Required for PPP's PAP and CHAP.

Security Hardening
If you're not ahead of the threat, then you're only reacting to it.
(config)#no cdp run
CDP unnecessarily reveals information about your Cisco device. Information leak.
(config)#spanning-tree portfast bpduguard
Portfast reduces waiting time, and BPDU Guard disables any port that sends STP CG p113
~Research the rootguard feature (it concerns STP).
(config)#no ip http server
Disables webserver that runs on all interfaces. Frees up resources and prevents attacks.

~Do not put any users in VLAN 1. Use VLAN 2, 10, or 11 as the first VLAN. VLAN 1 should not carry any data traffic.
#set port dot1q-all-tagged all enable
~Use '802.1q-all-tagged' mode (Begins tagging native VLAN packets), or if that is not possible, clear the native VLAN (VLAN 1) from all trunk links.
~Shut down all unused ports and put them in an unused VLAN. Block unauthorized access through fundamental physical and logical barriers.
~Don't use VTP. A new switch with a higher VTP revision, or a simple admin mistake can wipe out the entire VTP domain across all switches.

Use out-of-band management. Create a new VLAN, and do administration only through ports in this new VLAN.
Enable Password
(config)#enable password matrix
Don't do this. Sets enable password (insecurely, use enable secret instead).
(config)#enable secret matrix
Sets enable secret password. Password is now encrypted/encoded as seen in "show run".

Console Password
Shows up as cleartext in show run
(config)#line con 0
Enters console-line mode
(config-line)#password matrix
Sets console-line password
(config-line)#login
Enables password checking at login

Setting Telnet Password


Telnet password shows up as cleartext in 'show running-config'
(config)#enable secret matrix
Both vty and enable password must be set to use telnet.
(config)#line vty 0 4
Enters vty mode for all five vty lines
(config-line)#password matrix
Sets vty password to Will
(config-line)#login
Enables password checking at login

CCNA Self-Study, Interconnecting Cisco Network Device p228
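
The settings this page warns about (exec-timeout 0 0, enable password, cleartext line passwords, the HTTP server, CDP) can be checked in a saved copy of "show running-config". The script below is an added example, not part of the original reference; the function name audit and the sample config are constructed for illustration.

```python
import re

# Constructed sample of "show running-config" output, not from a real device.
SAMPLE_CONFIG = """\
hostname Office
enable password matrix
ip http server
!
line con 0
 exec-timeout 0 0
 password matrix
 logging synchronous
 login
line vty 0 4
 password matrix
 login
!
end
"""

def audit(config):
    """Return findings for the settings this page warns about."""
    findings, top_level, section = [], set(), ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            # An unindented line is a global command or opens a block.
            section = raw.strip()
            top_level.add(section)
            continue
        cmd = raw.strip()
        if section.startswith("line "):
            if re.fullmatch(r"exec-timeout 0( 0)?", cmd):
                findings.append(f"{section}: exec-timeout 0 0 (session never logs out)")
            # "password <text>" or "password 0 <text>" is stored in cleartext.
            if re.fullmatch(r"password (0 )?\S+", cmd):
                findings.append(f"{section}: cleartext line password")
    if any(c.startswith("enable password ") for c in top_level):
        findings.append("enable password set (use enable secret)")
    if not any(c.startswith("enable secret ") for c in top_level):
        findings.append("no enable secret configured")
    if "ip http server" in top_level:
        findings.append("ip http server enabled")
    if "no cdp run" not in top_level:
        findings.append("CDP enabled (no cdp run is absent)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```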


Blocking Telnet using ACLs
Router(config)#access-list 101 deny tcp any 192.168.0.0 0.0.255.255 eq 23
Router(config)#access-list 101 permit ip any any
Blocks telnet packets from any network heading to our network.
Router(config)#int fa0/0
Router(config-if)#ip access-group 101 in
Applies telnet firewall inbound on external FastEthernet 0/0 interface.
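
How access-list 101 above treats a packet depends on wildcard-mask matching, first-match ordering, and the implicit deny at the end of every list. The evaluator below is an added example, not part of the original reference; the function names and the test packets are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard mask is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

# "any" is the same as address 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")

# ACL 101 from this page: (action, protocol, source, destination, dest port).
ACL_101 = [
    ("deny", "tcp", ANY, ("192.168.0.0", "0.0.255.255"), 23),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; a packet matching no entry is denied."""
    for action, e_proto, e_src, e_dst, e_port in acl:
        if e_proto != "ip" and e_proto != proto:
            continue
        if not wildcard_match(src, *e_src) or not wildcard_match(dst, *e_dst):
            continue
        if e_port is not None and e_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every access list

if __name__ == "__main__":
    # Constructed test packets: (protocol, source, destination, dest port).
    packets = [
        ("tcp", "10.1.1.1", "192.168.5.1", 23),   # telnet into our network
        ("tcp", "10.1.1.1", "192.168.5.1", 80),   # other TCP traffic
        ("tcp", "10.1.1.1", "192.169.0.1", 23),   # telnet outside the masked range
        ("udp", "10.1.1.1", "192.168.5.1", 23),   # not TCP, so entry 1 is skipped
    ]
    for p in packets:
        print(p, evaluate(ACL_101, *p))
    # Without the "permit ip any any" line, everything else is dropped too.
    print(evaluate(ACL_101[:1], "tcp", "10.1.1.1", "192.168.5.1", 80))
```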
Auxiliary Password
Not necessary, this is locked if no password is set
(config)#line aux 0
Enters auxiliary line mode
(config-line)#password matrix
Sets auxiliary line mode pass to Will

Create Management IP for Switch


Switch(config)#ip default-gateway 192.168.1.1
Not always required, but good practice.
Switch(config)#int vlan 1
Moves to virtual interface VLAN 1.
Switch(config-if)#ip address 192.168.1.2 255.255.255.0
Sets IP address.
Switch(config-if)#no shut
Brings up interface.

Assign Static IP to Router's Ethernet Interface


Router(config-if)#int fa0/0
Moves to Fast/Ethernet 0/0 interface mode
Router(config-if)#ip address 192.168.5.1 255.255.255.0
Assigns address and subnet mask to the interface
Router(config-if)#no shut
Brings up interface

Enable DHCP on Router's Ethernet Interface


Router(config)#int fa0/0
Moves to Fast/Ethernet 0/0 interface mode
Router(config-if)#ip address dhcp
IP address will be obtained via DHCP
Router(config-if)#no shut
Brings up interface

Assign Static IP to Router's Serial Interface


Router(config)#int s0/1/0
Moves to interface serial 0/1/0 mode
Router(config-if)#ip address 192.168.15.1 255.255.255.0
Assigns address and subnet mask to the interface
Router(config-if)#no shut
Turns interface on

Configure Default Route


Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
Send all packets destined for networks not in my routing table to 192.168.102.5
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1 permanent
Above route will disappear if link goes down. Permanent saves it forever.
Router(config)#ip route 0.0.0.0 0.0.0.0 s0/0
Send all packets destined for networks not in my routing table out serial 0/0 interface
Configure DHCP Server
CCNA Portable Command Guide p197
This is easier using Cisco Device Manager, put your router IP into a web browser; leave the username blank, and the password is your enable password.
Router(config)#no service dhcp
Turns DHCP service off (default is on)
Router(config)#service dhcp
Turns DHCP service on
Router(config)#ip dhcp pool public
Creates a DHCP pool called 'public'
Router(dhcp-config)#network 172.16.0.0 255.255.0.0
Range of addresses to be leased
Router(dhcp-config)#default-router 172.16.0.1
Network's router address.
Router(dhcp-config)#dns-server 172.17.0.1
DNS server address.
Router(dhcp-config)#netbios-name-server 172
NetBIOS server
Router(dhcp-config)#domain-name futon.invalid
Defines the "domain name" for the client.
Router(dhcp-config)#lease 0 8 1
Lease time is 0 days, 8 hours, and 1 minute.
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 172.16.0.1 172.16.0.99
Range of addresses that will not be given out. You may or may not need to exclude router addresses.
Router(config)#ip dhcp pool admin.network
Creates a DHCP pool called 'admin.network'
Router(dhcp-config)#network 172.18.0.0 255.255.0.0
Range of addresses to be leased
Router(dhcp-config)#default-router 172.18.0.1
Network's router address.
Router(dhcp-config)#dns-server 172.17.0.1
DNS server address.
Router(dhcp-config)#lease infinite
Configuring NAT Overload (PAT)
This makes NAT'ed networks invisible, otherwise you must run a routing protocol.
Router(config)#access-list 1 permit 192.168.3.0 0.0.0.255
Using wildcard mask, defines network addresses the router will perform NAT for.
Router(config)#access-list 1 permit 192.168.4.0 0.0.0.255
Using wildcard mask, defines network addresses the router will perform NAT for.
Router(config)#ip nat inside source list 1 int eth0/0 overload
Allows IPs in access-list 1 to NAT onto overloaded WAN interface eth0/0
Router(config)#int fa0/0
Go to interface FastEthernet 0/0
Router(config-if)#ip nat outside
Define this as the outside
Router(config-if)#exit
Go back to global config.
Router(config)#int fa0/1
Go to interface FastEthernet 0/1
Router(config-if)#ip nat inside
Define this as the inside
Router(config-if)#exit
Go back to global config.

Enable RIP
Distance vector routing protocol.
Router(config)#router rip
Enables RIP as a routing protocol
Router(config-router)#version 2
OPTIONAL: Switches to RIP-2
Router(config-router)#no auto-summary
OPTIONAL: RIP-2 summarizes networks into classful nets. Turns this off.
Router(config-router)#network 192.168.1.0
Network number of the 1st network your router is attached to.
Router(config-router)#network 192.168.2.0
Network number of the 2nd network your router is attached to.

Enable OSPF
Link-state routing protocol.
Router(config)#router ospf 100
100 is the process ID of the routing process on your router. Do not confuse with area ID.
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
OSPF will use the wildcard mask to determine which interfaces to advertise. All routers must use same area number.

EIGRP Commands
This is a proprietary routing protocol made by Cisco.
Router(config)#router eigrp 102
Turns on the EIGRP process. 102 is the AS number
Router(config-router)#network 192.168.10.0
Specifies which network to advertise in EIGRP
Router(config)#no router eigrp 102
Disables routing protocol for AS 102

Saving Configurations
#copy run start
Saves the running-config to local NVRAM (automatic on a 1900-series switch)
#erase start
Deletes the startup-config file from NVRAM
#reload
Reboot the router or switch.

TFTP
Libre/Free Software TFTP server: PumpKIN ---> http://kin.klever.net/pumpkin/
#copy startup tftp
Copies startup-config to TFTP server. It will ask you for the address.
#copy running tftp
Copies running-config to TFTP server. It will ask you for the address.
#copy tftp startup
Copies config from TFTP to startup. Now 'reload'.
#copy tftp running
Do not do this. It will merely merge with, not overwrite your existing running-config.

VTP Configuration
Default VTP mode is server mode. If you are adding a switch to an existing VTP domain, you should first set it to VTP client mode, then wait for it to receive the latest VTP update. After it has been updated by the existing VTP domain, change it to a VTP client or back to VTP server mode.
1900 Series Switch
(config)#vtp client
Sync, forward, but no VLAN modification allowed. Loses VLAN names at poweroff.
(config)#vtp server
Sync, forward, VLAN modification allowed.
(config)#vtp transparent
Forwards any received VTP, but does not send. Can make independent VLAN names.
(config)#vtp domain MESH
Sets name of VTP management domain to MESH
(config)#vtp password matrix
Sets VTP password to matrix
2900 Series Switch
#vlan database
(vlan)#vtp client
Sync, forward, but no VLAN modification allowed. Loses VLAN names at poweroff.
(vlan)#vtp server
Sync, forward, VLAN modification allowed.
(vlan)#vtp transparent
Forwards any received VTP, but does not send. Can make independent VLAN names.
(vlan)#vtp domain MESH
(vlan)#vtp password matrix
(vlan)#vtp v2-mode
Incompatible with v1 VTP devices. Supports Token-Ring VLANs.
(vlan)#vtp pruning
This can reduce trunk bandwidth usage for trunk lines that needn't carry certain VLANs.
(vlan)#exit
2950 Series Switch
#config t
(config)#vtp mode client
Sync, forward, but no VLAN modification allowed. Loses VLAN names at poweroff.
(config)#vtp mode server
Sync, forward, VLAN modification allowed.
(config)#vtp mode transparent
Forwards any received VTP, but does not send. Can make independent VLAN names.
(config)#vtp domain MESH
(config)#vtp password matrix
(config)#vtp v2-mode
Incompatible with v1 VTP devices. Supports Token-Ring VLANs.
(config)#vtp pruning
This can reduce trunk bandwidth usage for trunk lines that needn't carry certain VLANs.
View VTP Configuration
1900 Series Switch
#show vtp
Displays all VTP information.
2900/2950 Series Switch
#show vtp status
Displays VTP domain status
#show vtp counters
Displays VTP statistics
VLAN Creation
CCNA Portable Command Guide p116
1900 Series Switch
Using control+Z will discard your changes.
#config t
(config)#vlan 2 name Engineering
(config)#vlan 3 name Marketing
(config)#exit
2900 Series Switch
Using control+Z will discard your changes.
#vlan database
(vlan)#vlan 2 name Engineering
(vlan)#vlan 3 name Marketing
(vlan)#exit
2950 Series Switch
The New Way
Using control+Z will discard your changes.
#config t
(config)#vlan 2
(config-vlan)#name Engineering
(config-vlan)#exit
(config)#vlan 3
(config-vlan)#name Marketing
(config-vlan)#exit
Assigning Ports to VLANs
1900 Series Switch
#config t
(config)#int e0/2
(config-if)#vlan static 2
(config-if)#int e0/3
(config-if)#vlan static 3
(config-if)#exit
2900/2950 Series Switch
#config t
(config)#int fa0/2
(config-if)#switchport mode access
(config-if)#switchport access vlan 2
(config-if)#int fa0/3
(config-if)#switchport mode access
(config-if)#switchport access vlan 3
(config-if)#exit
Assigning Multiple Ports Using the range Command
2950 Switch Only
2950Switch(config)#int range fa0/13 - 24
There is a space before and after the hyphen
2950Switch(config-if-range)#switchport mode access
Sets all ports to access mode (for connecting to a desktop)
2950Switch(config-if-range)#switchport access vlan 2
Assigns all ports to VLAN 2

Verify Trunking
CCNA Portable Command Guide p126
2900/2950Switch#show int fa0/1 switchport
Shows the status of this interface including trunking information
2900/2950Switch#show interface trunk
Inter-VLAN Communication: Router-on-a-Stick
CCNA Portable Command Guide p129
1900-series switches, and the 1721 and 1760 series routers only support Cisco's proprietary ISL trunking.
On IOS releases earlier than 12.1(3)T, you must configure VLAN 1 on the physical interface. Only later releases can put VLAN 1 on a logical int.
Router(config)#int fa0/1
Enters interface mode for interface FastEthernet0/1
Router(config-if)#no shut
Brings up the interface
Router(config-if)#int fa0/1.1
Creates a .1 subinterface on fa0/1 (can be any number from 0 to 4 billion)
Router(config-subif)#encapsulation dot1q 10
Assigns VLAN 10 to this subinterface (and designates trunking protocol)
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Assigns an IP address to the subinterface
Router(config-subif)#int fa0/1.2
Creates a .2 subinterface on fa0/1
Router(config-subif)#encapsulation dot1q 11
Assigns VLAN 11 to this subinterface (and designates trunking protocol)
Router(config-subif)#ip address 192.168.11.1 255.255.255.0
Assigns an IP address to the subinterface
Router(config-subif)#[CONTROL+Z]
Exits
Password Recovery
The procedure for this is device dependent; some instructions are provided in the CCNA Portable Command Guide on page 157.

ISDN Info
ISDN BRI Configuring
router(config)#isdn switch-type basic-ni1
Global switch type
router(config)#int bri 0
router(config-if)#isdn switch-type basic-ni1
Interface switch type can be different than global.
ISDN BRI Configuring: Setting SPIDs
router(config)#interface bri 0/0/0
router(config-if)#ip address 192.168.12.1 255.255.255.0
Assigns ip address to interface
router(config-if)#isdn spid1 904.555120110101 5551201
Assigns SPID 1
router(config-if)#isdn spid2 904.555120120101 5551202
Assigns SPID 2
#show isdn status
#show isdn active
