CCNA Cisco CLI Command Line for Cisco Router and Switch

  • Upload
    damog

  • www.facebook.com/ahmedclipearth - www.clipearth.com

    Cisco CLI command line for Cisco Router

    Command(s) Description

    Router#clock set 14:45:05 June 18 2013 Set the Time of Day clock on the router.

    Router>ping Basic ICMP ping function from within EXEC mode.

    Router#ping {ip address} A more detailed ICMP ping from within Privileged EXEC mode.

    Router#traceroute {ip address} Performs a traceroute for a given IP address

    Router#configure terminal Enters the Global Configuration Mode for higher level

    configuration

    Router(config)#hostname RouterName Sets the hostname of the router

    Router(config)#ip route network-address subnet-mask {next-hop IP or exit-interface}

    Adds a static route to the routing table. (Remember to add routes in pairs, one on each router of a communicating pair.)

    Router#copy running-config startup-config Copies the current configuration into the register, for

    retrieval upon boot

    Router(config)#line console 0
    Router(config-line)#logging synchronous

    Overcomes line interruption from router prompts, whilst typing commands.

    CTRL+SHIFT+6 Exit process

    DHCP Configuration

    Router(config)#ip dhcp pool {name} Create a DHCP Pool on the router.

    Router(dhcp-config)#network {net address} {submask}

    Set the network on which to act as a DHCP server.

    Router(config)#ip dhcp excluded-address {start IP} {end IP}

    Set a range of addresses to be excluded from the DHCP pool.

    Router(dhcp-config)#dns-server {net address} Set the address of the DNS server to be issued to clients.

    Router(dhcp-config)#default-router {netaddress} Set the default gateway to be issued to clients.

    Router(config-if)#ip helper-address {network

    address}

    Set this on an intermediary router. Instructs router to

    forward DHCP requests to a specified address.

    Router#show ip dhcp binding Shows DHCP lease information.

    Router#show ip dhcp pool Displays pool utilisation statistics.

    NAT & PAT Configuration

    Network Address Translation

    Router(config)#ip nat inside source static {inside

    local} {outside global}

    Create a static NAT mapping between an inside local address

    and an outside global address.

    Router(config-if)#ip nat outside

    Router(config-if)#ip nat inside

    Router(config)#ip nat pool {name} {inside local}

    {inside Global} netmask {submask} Create a NAT pool on the router.

    Router(config)#ip nat inside source list {ACL

    name} pool {pool name} Control NAT operations with an access control list.

    Router(config)#ip nat inside source list {NAT}

    pool {MY-NAT-POOL}

    Specify a NAT pool to translate to hosts permitted by an

    Access Control List.

    Router#clear ip nat translation * Deletes all current dynamic NAT mappings.

    Router#show ip nat translations Shows the active NAT mappings on the router.

    Router#show ip nat statistics Shows various statistics associated with NAT.

    NAT Overload / Port Address Translation

    Router(config)#ip nat inside source list {ACL

    name} interface {int name} overload

    Configure NAT to work in overload mode on the specified

    interface and apply an access control list. I.e. to a single

    inside global IP address.

    Security Configuration

    Router(config)#no cdp run Disable Cisco Discovery Protocol functionality, for security

    reasons.

    Router(config-line)#exec-timeout {minutes} [seconds]

    Controls the amount of time a console or virtual session can be idle before termination. Set to 0 0 for infinite; use only for labs!

    Router(config)# banner login & message & Create a login message. End this with a delimiting character

    like # or &

    Router(config)#banner motd & message Create a banner message. End with an &

    Router(config)#no ip domain-lookup Prevents DNS look-up for lab setups

    Router(config)#no enable password Removes the enable password; often done in favour of using enable secret.

    Router(config)#enable secret {password} Provides better security by encrypting an enable password.

    It is separate to the line password!

    Router(config)#service password-encryption Obscures the passwords within the config on the device.

    Router(config)#line console 0
    Router(config-line)#password cisco
    Router(config-line)#login
    Router(config-line)#exit

    Configures the console password.

    Router(config)#line vty 0 4
    Router(config-line)#password cisco
    Router(config-line)#login
    Router(config-line)#exit

    Configures the password for virtual terminal lines.

    Router(config-line)#no transport input
    Router(config-line)#transport input {telnet | ssh | etc}

    Set the VTY lines to deny any input but the methods specified.
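A short audit of a saved configuration for the settings this sheet warns about (idle timeout disabled, enable password instead of enable secret, password obscuring off, CDP left running, Telnet accepted on a line, and the HTTP server from the switch section enabled without authentication). This is an added example, not part of the original sheet; both sample configurations and the finding names are constructed for illustration.

```python
import re

def parse_config(text):
    """Split IOS-style config text into global lines and their indented sub-blocks."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] == " " and current is not None:
            blocks[current].append(line)      # sub-command of the last section
        else:
            current = line
            global_lines.append(line)
            blocks[line] = []
    return global_lines, blocks

def audit(text):
    """Return (finding, location) tuples for settings the sheet warns about."""
    glob, blocks = parse_config(text)
    findings = []
    if any(l.startswith("enable password") for l in glob):
        findings.append(("enable-password-present", "global"))
    if not any(l.startswith("enable secret") for l in glob):
        findings.append(("enable-secret-missing", "global"))
    if "service password-encryption" not in glob:
        findings.append(("password-encryption-off", "global"))
    if "no cdp run" not in glob:              # CDP is enabled as standard
        findings.append(("cdp-running", "global"))
    if "ip http server" in glob and not any(
            l.startswith("ip http authentication") for l in glob):
        findings.append(("http-server-without-authentication", "global"))
    for head, body in blocks.items():
        if not head.startswith("line "):
            continue
        for l in body:
            if re.fullmatch(r"exec-timeout 0( 0)?", l):
                findings.append(("idle-timeout-disabled", head))
            if l.startswith("transport input ") and {"telnet", "all"} & set(l.split()[2:]):
                findings.append(("telnet-accepted", head))
    return findings

# Constructed sample: the lab-style settings shown on this sheet.
WEAK_CONFIG = """
hostname R1
!
no service password-encryption
enable password cisco
!
ip http server
!
line con 0
 exec-timeout 0 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample: the same device with the corrected settings.
HARDENED_CONFIG = """
hostname R1
!
service password-encryption
enable secret 5 <constructed-hash-placeholder>
no cdp run
no ip http server
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```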

    Access Control Lists

    One ACL per protocol, per direction, per

    interface.

    One very important thing to remember about ACLs is that an implicit deny all rule is placed at the end of all

    ACL entries. So it is essential to make a statement for ALL intended communications, otherwise they will be

    blocked.

    All ACLs are parsed sequentially.

    Standard ACLs

    Router(config)#access-list {access-list-number} {deny | permit} [remark] {source-IP | any} [source-wildcard | any] [log]

    Configure a Standard ACL that allows traffic to be permitted or denied based upon the source IP address only. Use the no prefix to remove the ACL.

    Router(config)#ip access-list standard {name}

    Router(config-std-nacl)#sequence-number

    {permit | deny} [remark] {sourceIP} [source

    wildcard] [log]

    Configure a named Standard ACL for IP.

    Extended ACLs

    Router(config)#access-list {access-list-number} {deny | permit} [remark] {protocol}
    {source} {source-wildcard} [operand] [port port-number/name]
    {destination} {destination-wildcard} [operator operand] [port port-number/name] [established]

    Configure an Extended ACL that allows for much greater granularity of control, i.e. protocols, port numbers, source addresses and destination addresses. (Extended IP ACL numbers range from 100 to 199; expanded IP ACLs range from 2000 through 2699.)

    The optional (operand) is used to compare source and destination ports. Possible values are: lt (less than), gt (greater than), eq (equal to), neq (not equal to) and range (inclusive range).

    The optional (established) keyword is for TCP sessions and means that the rule will allow only TCP communications that have the ACK bit set, i.e. already established. This rule could be used inbound, to prevent TCP sessions being initiated from outside the network.

    Router(config)#ip access-list extended {name}
    Router(config-ext-nacl)#[sequence-number] {permit | deny} [remark] {sourceIP} [source wildcard] [log]

    Router(config)#ip access-list extended {ACL name}
    Router(config-ext-nacl)#permit ip {network} {wildcard mask} any

    Configure a named, Extended ACL for IP.

    Router(config-if)#access-class {aclNumber} {in | out}
    R2(config-if)#ip access-group

    Apply an ACL to a specific interface.
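How the ACL rules above behave on real traffic: entries are checked in order, wildcard-mask bits set to 0 must match, `established` needs an already-open TCP session, and anything unmatched hits the implicit deny. This is an added example, not part of the original sheet; the ACL number 110, the addresses and the packet dictionaries are constructed, and only the `any`, `host`, `eq` and `established` keywords are handled.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")    # wildcard of all ones: every bit ignored
IMPLICIT_DENY = "(implicit deny at end of ACL)"

def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))

def _take_port(tokens):
    """Consume an optional 'eq N' port test; return the port or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Parse one numbered extended-ACL entry into a dict."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    ace = {"number": int(t[1]), "action": t[2], "protocol": t[3]}
    rest = t[4:]
    ace["src"] = _take_addr(rest)
    ace["sport"] = _take_port(rest)
    ace["dst"] = _take_addr(rest)
    ace["dport"] = _take_port(rest)
    ace["established"] = "established" in rest
    return ace

def _wild_match(addr, pattern):
    """Wildcard-mask comparison: bits that are 0 in the wildcard must be equal."""
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in pattern)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def ace_matches(ace, pkt):
    if ace["protocol"] not in ("ip", pkt["protocol"]):
        return False
    if not (_wild_match(pkt["src"], ace["src"]) and _wild_match(pkt["dst"], ace["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    # 'established': ACK set (IOS also accepts RST), so a bare SYN never matches.
    if ace["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl_lines, pkt):
    """First matching entry wins; no match means the implicit deny applies."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", IMPLICIT_DENY

# Constructed ACL, as if applied inbound on the outside interface.
ACL = [
    "access-list 110 permit tcp any 192.168.10.0 0.0.0.255 established",
    "access-list 110 permit tcp any host 192.168.10.5 eq 443",
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
]

def pkt(src, dst, dport, flags, sport=40000, protocol="tcp"):
    return {"protocol": protocol, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": set(flags)}

if __name__ == "__main__":
    samples = [
        pkt("203.0.113.9", "192.168.10.20", 22, ["SYN"]),          # new inbound session
        pkt("203.0.113.9", "192.168.10.20", 51000, ["ACK"], 443),  # reply traffic
        pkt("10.1.1.1", "192.168.10.5", 443, ["SYN"]),             # hits line 2 first
        pkt("10.1.1.1", "192.168.10.5", 80, ["SYN"]),              # falls to line 3
    ]
    for p in samples:
        print(p["src"], "->", p["dst"], p["dport"], evaluate(ACL, p))
```

The third sample shows why order matters: the source is inside the range denied by the last entry, but the earlier permit for port 443 matches first.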

    Interface Configuration

    Router#show interfaces {interface name} Displays details and the bandwidth of individual interfaces.

    Router#show controllers [interface name] Displays hardware details of an interface. Useful for fault

    finding serial connections.

    Router#show ip interface brief Shows a condensed brief of link state and IP addresses of

    attached interfaces & loopback(s)

    Router(config)#interface [range] {interface ID} Enters the interface configuration mode for a given interface

    or range of interfaces.

    Router(config-if)#ip address {int ip address}

    {subnet mask} Configure the ip address for a particular interface.

    Router-on-a-stick

    Router(config)#interface {interface-ID.xxxx}

    Configures a logical sub-interface on a physical interface.

    interfaceID.xxxx might be fa0/1.10 for FastEthernet 0/1

    sub-interface#10.

    Router(config-subif)#encapsulation {type} {vlan-ID}

    This is used in router-on-a-stick configurations. After configuring a sub-interface as shown above, you must specify the encapsulation method, such as dot1q or isl. Then specify the VLAN with which this sub-interface should interact.

    Router(config-subif)#ip address {int ip address}

    {subnet mask} Configure the ip address for a particular sub-interface.

    WAN Link Technologies

    Router(config-if)#encapsulation {type} Set the interface to use a specified protocol of encapsulation

    e.g. hdlc, ppp, frame-relay etc

    Point-to-Point Protocol

    Router#debug ppp [packet | negotiation | error

    | authentication | compression | cbcp]

    Troubleshoot PPP, or use the options to troubleshoot PPP

    sub-processes.

    Router(config-if)#encapsulation ppp Set the interface to use PPP encapsulation method.

    Router(config-if)#compress [predictor | stac]

    Configure the router to use traffic compression. Optional

    elements enable the use of different algorithms. Only use

    with appropriate forms of traffic i.e. uncompressed.

    Router(config-if)#ppp quality {%} Apply Link Quality Monitoring. Specify the LCP percentage

    threshold for the link to become active.

    Router(config-if)#ppp multilink Enable load balancing across multiple physical links.

    PPP authentication

    Router(config)#aaa new-model Enable AAA with this command.

    R1(config)#aaa authentication ppp default local

    none

    Enable AAA authentication for PPP using the locally

    configured credentials.

    Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]

    Configuration parameters for PPP authentication. CHAP PAP performs CHAP before PAP. [if-needed] should not be applied alongside of PAP or CHAP used with TACACS or XTACACS (only compatible with asynchronous interfaces). The list-name and default are only required for AAA/TACACS+. The [callin] option is used to specify authentication on incoming calls only.

    Router(config)#username {user} password

    {cisco}

    Sets a local username and password for use with PPP

    authentication protocols.

    Router(config)#ppp pap sent-username {user}

    password {password}

    Set a PAP username and password for use with PPP coms

    leaving the local router.

    Frame Relay

    Router#show frame-relay lmi Show stats for the Frame Relay, Local Management

    Interface.

    Router#show frame-relay pvc Show details regarding established Permanent Virtual

    Circuits on the local device.

    Router#show frame-relay route Displays any Frame-Relay Layer2 routes through the device.

    Router#show frame-relay map Display Frame-Relay mappings known to the local device.

    Router(config-if)#frame-relay lmi-type [type] Specify the type of LMI to be used. Either [cisco | ansi | q933a].

    Router(config)#frame-relay switching This enables a router to perform Frame Relay switching

    globally on the router, by using the DLCIs instead of IP.

    Router(config-if)#frame-relay route {incoming

    DLCI} interface {outgoing interface-name}

    {outgoing DLCI}

    Sets up a PVC on a Frame-Relay switch.

    Router(config-if)#encapsulation frame-relay

    [encapType]

    Changes the data-link layer protocol to be used on the

    interface. The type of encapsulation can be set to use the

    IETF standard with the [ietf] option. Default is set to auto-

    negotiate.

    Router(config-if)#frame-relay intf-type {dce |

    dte}

    Frame Relay interface types are separate to physical

    interface types i.e. a physical DTE device can be assigned as

    a Frame Relay DCE device. Setting an interface type as DCE,

    tells the router to send LMI keepalives and route statements

    on the link. Note that a PVC cannot be established between

    two frame-relay DTE devices.

    Router(config-if)#frame-relay interface-dlci

    {number}

    Manually configure the DLCI for the interface. Can be within

    the range of 16-991.

    Router(config)#frame-relay map {L3protocol}

    {protocol-address} {DLCI value} [broadcast] [ietf]

    This creates a static mapping of a Layer3 protocol address to

    a DLCI on the local device. Frame-Relay is an NBMA type of

    network. However, using the broadcast option, L3 broadcast

    traffic destined for the mapped network can be forwarded

    over the link too. Note: for the local device to be able to ping

    its own interface, a static map must be created for that local

    interface too.

    Router(config-if)#frame-relay inverse-arp

    Inverse ARP can be used to dynamically discover devices at

    each end of a Frame-Relay link. Although, due to reliability

    issues with Inverse ARP, best practice is to statically map IPs

    to DLCIs. Inverse ARP is enabled by default, append the [no]

    prefix to disable.

    Frame-Relay Sub-interfaces

    Router(config)#interface

    {PhyIntName}.{subNumber} {point-to-point |

    multipoint}

    Sets up a Frame-Relay sub-interface. Note that this can only

    be performed once frame-relay encapsulation has been

    configured on the physical interface.

    Router(config-subif)#frame-relay interface-dlci

    {number}

    Manually configure the DLCI for the interface. Can be within

    the range of 16-991.

    Dynamic Routing Protocols

    Router(config-if)#bandwidth {value}

    Set the metric bandwidth of a link in kbps. This value is used

    to calculate the cost of a route in some dynamic protocols.

    Note: This does not alter the actual level 1 bandwidth.

    Router#debug ip routing Used to show modifications being made to the routing table

    in real-time.

    Router#show ip protocols Use to verify the dynamic routing protocol in use.

    Router(config)#router ? Show which versions of dynamic routing protocol the IOS

    version will support

    Router(config-router)#no auto-summary Prevents auto summarization occurring at major network

    boundaries.

    Router(config-router)#default-information

    originate

    Configure router to share static route information along with

    dynamic updates.

    RIPv1 & v2

    Router(config)#router rip Enter RIP configuration state

    Router(config-router)#passive-interface

    interface name To prevent RIP updates being sent from a specific interface

    Router#debug ip rip Show RIP updates as they are sent and received

    Router(config)#router rip
    Router(config-router)#network address of directly connected classful network

    Configure RIPv1 advertisements on a specific interface.

    Router(config-router)#default-information

    originate

    Configure router to share static route information along with

    dynamic updates.

    RIPv2

    Router(config)#router rip
    Router(config-router)#version 2

    Enter RIP configuration state & configure RIPv2.

    EIGRP

    Router(config)#router eigrp [A.S. number] Enables EIGRP functionality on the router and allows for

    further configuration.

    Router(config-router)#network network address Advertise the specified network address to others

    Router#show ip eigrp topology
    Router#show ip eigrp topology [network address]

    Displays the EIGRP topology table on a specified router. Including a [network address] shows more detailed topology for a specific network.

    Router(config-if)#ip summary-address eigrp

    [a.s.] [network] [mask]

    Apply manual network summarization to a specific interface,

    to be shared with other EIGRP neighbours.

    Router(config)#router eigrp [a.s.]
    Router(config-router)#redistribute static

    This command will share the static route of the current router with other EIGRP neighbours.

    OSPF

    Router(config)#router ospf [process-ID] Enables OSPF dynamic routing protocol, and enters

    configuration mode. Default process ID is 1.

    Router(config-router)#network [network

    address] [wildcard mask] area [area ID]

    Configures a network to be advertised by OSPF. Use 0 area

    ID for labs. This must be identical to all included OSPF

    routers in the same area.

    Router#show ip ospf Display detailed OSPF information. Such as process and

    router ID

    Router#show ip ospf interface Displays detailed information about OSPF interfaces

    Router#show ip ospf neighbor Show a brief list of OSPF neighbors and which interface they

    are connected to on the local router.

    Router(config)#interface [OSPF interface]
    Router(config-if)#ip ospf message-digest-key [key #] md5 [key value]
    Router(config-if)#exit
    Router(config)#router ospf [process ID]

    Configures an interface for use with MD5 routing update authentication. Note: The same key must be used for an entire area!

    Router(config-router)#area [area ID]

    authentication message-digest

    Router(config-router)#router-id [network address]

    Manually sets the router ID for the local router. (Will require a reload if neighbours are present).

    Router#clear ip ospf process This will erase and restart the current OSPF process.

    Router(config-if)#ip ospf cost [calculated value] Manually set the cost of a link. The value is calculated by 10^8 / bandwidth of link in bps.

    Router(config-router)#auto-cost reference-

    bandwidth [value]

    This can be used to simulate different connection speeds

    between routers. This must be set the same for the whole

    area. 10GigEthernet is 10000.

    Router(config-if)#ip ospf hello-interval [seconds] Change the hello interval from the default value: (multi-

    access is 10 seconds, or 30 seconds for NBMA segments).

    Router(config-if)#ip ospf dead-interval [seconds] Change the dead interval from the default value: (40

    seconds).

    Router(config-if)#ip ospf priority [int value]

    Change the priority of an OSPF interface. This can alter

    eligibility for DR & BDR election. Range from 0-255, with

    Zero as lowest. Setting Zero will stop the router from

    participating in DR / BDR elections.

    Lesser Used Commands

    Router#debug {process-name} Debug a specific process, such as ip routing, which shows IP routes being learned instantaneously. (Use sparingly.)

    Router#undebug all Stop ALL debugging

    Router#undebug {process-name} Stop a debug of a specific process.

    Router(config-if)#description R1 LAN Provides a description of the interface

    Router#reload Reloads IOS from the NVRAM

    Router(config)#no cdp run Disables the CDP functionality that is enabled as standard.

    This improves security if not required.

    Router(config-if)#no cdp enable This disables CDP advertisements ONLY on the selected

    interface.

    Router#show version Provides a description of the version of IOS loaded and the

    memory register in use

    Router#copy running-config tftp: Backup Configuration Settings TO a TFTP Server

    Router#copy tftp: running-config
    Address or name of remote host []? xxx.xxx.xxx.xxx
    Source filename []? backup_cfg_for_my_router

    Copy configuration FROM a TFTP Server

    Register Configuration

    Router(config)#config-register [registerValue]

    Set the configuration register to a value. Standard is usually set to: 0x2102. Set to 0x2142 to disable the router from saving configurations.

    IOS v.11 Irregularities

    Router(config)#subnet-zero
    Router(config)#ip classless

    This is a fix to the problem encountered when attempting to use a classless mask such as /30 with IOS v.11.

    Cisco CLI command line for Cisco Switch

    Command Description

    File Management

    Switch# show flash Displays details of the available IOS images.

    Switch# dir {directory} Displays the content and size of a specified directory. E.g. flash is one such directory.

    Switch# delete flash:{subdirectory/filename}

    Deletes a specific file. Can delete all files within a directory/subdirectory when an asterisk * is used.

    Switch# show boot Display the boot environment variables.

    Switch(config)# boot system flash:{/c2960-lanbase-mz.122-25.SEE1.bin}

    Set the switch to boot from a different IOS image.

    Switch# write erase
    Switch# reload

    Restores the configuration of the Switch to default settings. Note: Does not erase VLAN configuration.

    Switch# copy running-config startup-config Save the current configuration settings.

    Switch# copy startup-config tftp Copy the current version of the startup configuration TO a TFTP server.

    Switch# copy flash tftp Copy a file from the flash memory TO a TFTP server.

    Switch# copy tftp flash Copy a file FROM a TFTP server to the flash memory.

    Switch# rename flash:/{directory/filename} flash:/{directory/newfilename}

    Renames a file held within the flash memory.

    General Configuration

    Switch# terminal history Enables the terminal history feature.

    Switch# terminal history size {value} Enter a value for the number of lines to recall under the terminal history feature. 0-256 lines.

    Switch# terminal no history size Restores the history size to the default value of 10 lines.

    Switch# terminal no history Disables the terminal history feature.

    Switch(config)# ip default-gateway {IP-address}

    Configures the default gateway for the switch.

    Switch(config)# ip http authentication enable

    Optional authentication for securing HTTP access.

    Switch(config)# ip http server Enable the HTTP server on the switch; this enables switch configuration via TCP/IP.

    Security Configuration

    Switch(config)# ip dhcp snooping Enable anti-DHCP spoofing measures on catalyst switches.

    Switch(config)# ip dhcp snooping vlan number {number}

    Enable DHCP snooping for specific VLANs.

    Switch(config-if)# ip dhcp snooping trust Set ports as trusted DHCP ports.

    Switch(config)# ip dhcp snooping limit rate {value}

    Set an upper limit on the number of times an attacker can send bogus DHCP requests through an untrusted port.

    Switch-port Security

    Switch# show port-security interface {value} Display the details of port security settings for an interface.

    Switch(config-if)# switchport port-security mac-address {MAC-address}

    Sets a static port security rule for an interface.

    Switch(config-if)# switchport port-security maximum {value}

    Sets the maximum permissible number of secure addresses allowed on a port.

    Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

    Define the course of remedial action to be taken by the switch if the maximum number of layer 2 addresses is reached on a port. Protect = drop | Restrict = drop, log, send SNMP trap, increment violation counter | Shutdown = set port to error-disabled state, log, send SNMP trap and increment violation counter.

    Switch(config-if)# switchport port-security mac-address sticky

    Enables sticky learning on a port. This will dynamically learn secure layer 2 addresses and add them to the running-config. Note that running-config must be saved after learning is complete!

    SSH Configuration

    Switch(config)# ip domain-name {domain-name}

    Sets a host domain name for the switch, required for SSH.

    Switch(config)# crypto key generate rsa Enables the SSH server on the switch and generates an RSA key pair. Recommended modulus length is 1024 bits.

    Switch(config)# ip ssh version [1 or 2] Set the version of SSH standard to run on the local SSH server. If option is left blank, the latest version will be selected.

    Switch(config)# ip ssh {timeout seconds} Set the time period for an SSH session to be established. Default is 120. Range is 0-120 seconds.

    Switch(config)# ip ssh {authentication-retries number}

    Sets the number of times a client can re-authenticate within a 10 minute period. Range is 0 to 5 attempts.

    Switch(config-line)#transport input {telnet | ssh | all}

    Either accept just telnet or SSH or accept both.

    Switch(config-line)#login local Use local usernames instead of AAA.

    Switch(config)#username {username} password {Password}

    Create a local set of credentials.

    Interface Configuration

    Switch(config)# interface range {interface prefix / number range}

    Configure a group of interfaces, e.g. fa0/1 - 5 for Fast Ethernet ports 1 thru 5.

    Switch(config-if)# mdix auto

    Permits the switch to use the MDIX automatic cable medium detection facility; append no to disable the feature. (Command is not compatible with Catalyst 2950 or 3550).

    Switch(config)# mac-address-table static {MAC address} vlan {vlan-id} interface {interface-id}

    This creates a static mapping of a MAC to a specified port on the switch. Append no to remove.

    Switch(config)# interface vlan {value} Enter the interface configuration mode for a VLAN of number.

    Switch(config-if)# ip address {interface address} {subnet mask}

    Configure a VLAN-interface IP address.

    Switch(config-if)# switchport mode {type} Set the VLAN membership mode for a port: access or trunk.

    Switch(config-if)# switchport access vlan {number}

    Assign a specific switch port to use a specified VLAN number.

    Switch(config-if)# switchport trunk native vlan {native id}

    Assign a specific VLAN to the switch port to be the NATIVE. This is necessary for untagged traffic on 802.1Q trunk ports.

    Switch(config-if)# no switchport trunk native vlan

    Reset the NATIVE VLAN back to the default of VLAN 1.

    Dynamic Trunking Protocol

    Switch# show dtp [interface] Displays details of DTP configuration.

    Switch(config-if)# switchport mode {type} Set the membership mode for a port: access or trunk. This sets the port to ON if trunk mode is selected.

    Switch(config-if)# switchport mode dynamic desirable

    Sets the local switch port to advertise to the remote port that it would like to trunk. Will only trunk if remote port is set to ON, DESIRABLE or AUTO.

    Spanning Tree Protocol

    Switch(config-if)# spanning-tree cost {value} Manually set the cost of an interface for the STA to use in calculations. Between 1 and 200,000,000.

    Switch(config)# spanning-tree vlan {vlan-id} root primary

    Set the switch to be the lowest priority value on the network. Set to either 24576 or the next 4096 increment below the lowest already on the network.

    Switch(config)# spanning-tree vlan {vlan-id} priority {value}

    Allows the admin to manually set bridge priority for a specified VLAN. Used to set up load balancing. Range is between 0 and 65536 in increments of 4096. Default on Catalyst switches is 32768.

    Switch(config-if)#spanning-tree portfast Enable PortFast feature on an access port to mitigate STP processes on that port. This will reduce the time taken for the link to come up.

    Switch(config-vlan)# name {enter a name for the VLAN}.

    Sets the name of a VLAN.

    Switch(config-if)#switchport trunk native vlan {vlanNo.}

    Specify the Native vlan for the Trunk.

    Switch(config-if)# switchport trunk allowed vlan remove {vlanNo.}

    Remove specific VLANs permitted on a trunk.

    VTP

    Switch(config)# vtp mode {server} Set the VTP mode for the device. Client, server or transparent. Be sure this is set first!

    Switch(config)# vtp domain {name} Set the VTP domain name.

    Switch(config)# vtp password {value} Set a password for the VTP domain.

    Switch(config)# vtp pruning Enables VTP pruning, use on the VTP server only.

    2900 Series (Legacy Commands)

    Switch# vlan database This accesses the VLAN database.

    Switch(vlan)# vlan {id} [name] Assign an ASCII name to the VLAN.

    Troubleshooting

    Switch# show history Displays the terminal history if enabled (See general configuration).

    Switch# show env {all} Shows the status of all hardware monitoring sensors on the device.

    Switch# show interface [interface-id | vlan vlan-id | switchport]

    Shows detailed information for specific interfaces, vlans or switch ports.

    Switch# show interface trunk Shows detailed information about trunk ports in use on the switch.

    Switch# show vlan [brief | id vlan-id | name vlan-name | summary]

    Is used to display VLAN information for verification purposes.

    Switch# show spanning-tree Displays details of the STP environment.

    Switch# debug spanning-tree events Show notifications of STP events in real-time.

    Switch# show ip ssh Shows the status of the SSH server on the switch.

    Switch# show mac-address-table Displays the Media Access Control address table (CAM table) on the switch.