Cisco Commands Cheat Sheet

Introduction
Cisco IOS is the backbone software that powers many of Cisco’s network devices. For professionals working with
these systems, knowing the right commands is crucial.

This article provides a Cisco commands cheat sheet, outlining the most common Cisco IOS commands for
configuring, securing and troubleshooting Cisco network equipment. It includes the list of Cisco switch commands,
a Cisco router commands list and Cisco network commands. Being familiar with the basic Cisco console commands
will aid network administrators in managing Cisco devices efficiently and in line with best practices.

The commands are organized into the following groups:

▪ Mode control commands
▪ Basic configuration commands
▪ Troubleshooting commands
▪ Routing and VLAN commands
▪ DHCP commands
▪ Security commands
▪ Monitoring and logging commands

Command Modes

Cisco IOS has several command modes that fall into further categories such as operational and configuration.
Each mode serves a slightly different purpose. For instance, Setup Mode provides an interactive menu that
guides the user through creating an initial configuration file for the device.

The most common modes are the following:

▪ User exec mode — This mode is the mode you land in when you first log onto a Cisco device. It provides
limited access to commands and configuration settings. For instance, this mode enables you to view status
using certain show commands but does not enable you to view or edit configurations.

▪ Privileged exec mode — This mode provides access to all commands, enabling more detailed examination
and control of the device’s operation and configuration.
▪ Global Configuration mode: Global configuration commands apply to features that affect the device as
a whole. While Exec and Privileged Exec are read-only modes, Global Configuration mode gives the user
writable access to modify the active configuration file. To use Global Configuration mode, you first need to
enter Privileged EXEC mode and then execute the configure terminal command, although numerous shortcuts
such as config t are accepted. Global Configuration mode can be further divided into the following command
modes, which permit you to configure different components:

• Interface configuration mode
• Subinterface configuration mode
• Router configuration mode
• Line configuration mode

Mode Control Commands

Command                                 Description

enable                                  Moves a user from user exec mode into Privileged EXEC mode.
                                        Privileged exec mode is indicated by the # symbol in the
                                        command prompt.

configure terminal                      Logs the user into Global Configuration mode

interface fastethernet/number           Enters interface configuration mode for the specified fast
                                        ethernet interface

Basic Configuration Commands List

Command                                 Description

reload                                  Reboots the Cisco switch or router

hostname name                           Sets a host name to the current Cisco network device

copy from-location to-location          Copies files from one file location to another

copy running-config startup-config      Replaces the startup config with the active config when the
                                        Cisco network device initializes

copy startup-config running-config      Merges the startup config with the currently active config
                                        in RAM

write erase                             Deletes the startup config
erase startup-config

ip address ip-address mask              Assigns the specified IP address and subnet mask

shutdown                                Shuts the interface down (shutdown) or brings it up
no shutdown                             (no shutdown)

ip default-gateway ip_address           Sets the default gateway on the Cisco device

show running-config                     Displays the current configuration of the device

show startup-config                     Displays the saved configuration stored in the device's
                                        NVRAM, which will be loaded when the device starts up

description string                      Assigns the specified description to an interface

show running-config interface interface slot/number
                                        Displays the running configuration for the specified
                                        interface

show ip interface [type number]         Displays the status of a network interface as well as a
                                        detailed listing of its IP configurations and related
                                        characteristics

ip name-server serverip-1 serverip-2    Sets the IP address of one or more DNS servers that the
                                        device can use to resolve hostnames to IP addresses

Troubleshooting Cisco Commands List

Command                                 Description

ping {hostname | system-address} [source source-address]
                                        Used to diagnose basic network connectivity

speed {10 | 100 | 1000 | auto}          Either configures the transmission speed of a network
                                        interface to the specified value in megabits per second
                                        (Mbps), or enables automatic speed detection for the port

duplex {auto | full | half}             Sets duplex to half, full or auto

cdp run                                 Enables or disables Cisco Discovery Protocol (CDP) for the
no cdp run                              device

show mac address-table                  Displays the MAC address table

show cdp                                Shows whether CDP is enabled globally

show cdp neighbors [detail]             Lists summary (or detailed) information about each neighbor
                                        connected to the device

show interfaces                         Displays detailed information about interface status,
                                        settings and counters

show interface status                   Displays the interface line status

show interfaces switchport              Displays many configuration settings and current operational
                                        status, including VLAN trunking details

show interfaces trunk                   Lists information about the currently operational trunks and
                                        the VLANs supported by those trunks

show vlan                               Lists each VLAN and all interfaces assigned to that VLAN but
show vlan brief                         does not include trunks

show vtp status                         Lists the current VLAN Trunk Protocol (VTP) status, including
                                        the current mode

Routing and VLAN Commands

Command                                 Description

show ip route                           Displays the current state of the IP routing of all known
                                        routes that are either statically configured or learned
                                        dynamically through a routing protocol

ip route network-number network-mask {ip-address | interface}
                                        Sets a static route in the IP routing table

router rip                              Enables a Routing Information Protocol (RIP) routing process,
                                        which places you in router configuration mode

network ip-address                      Associates a network with a RIP routing process

version 2                               Configures the software to receive and send only RIP
                                        version 2 packets

no auto-summary                         Disables automatic summarization

default-information originate           Generates a default route into RIP

passive-interface interface             Sets the specified interface to passive RIP mode, which means
                                        RIP routing updates are accepted by, but not sent out of,
                                        the interface

show ip rip database                    Displays the contents of the RIP routing database

ip nat [inside | outside]               Configures Network Address Translation (NAT), which allows
                                        private IP addresses on a local network to be translated
                                        into public IP addresses before being sent over the internet

ip nat inside source {list {access-list-number | access-list-name}} interface type number [overload]
                                        Establishes dynamic source translation. Use of the "list"
                                        keyword enables you to use an ACL to identify the traffic
                                        that will be subject to NAT. The "overload" option enables
                                        the router to use one global address for many local
                                        addresses.

ip nat inside source static local-ip global-ip
                                        Establishes a static translation between an inside local
                                        address and an inside global address

vlan                                    Creates a VLAN and enters VLAN configuration mode for further
                                        definitions

switchport access vlan                  Sets the VLAN that the interface belongs to

switchport trunk encapsulation dot1q    Specifies 802.1Q encapsulation on the trunk link

switchport access                       Configures a specific Ethernet port on a switch to operate in
                                        access mode to accommodate an end device such as a computer,
                                        server or printer. The port must then be assigned to a
                                        single VLAN.

vlan vlan-id [name vlan-name]           Configures a specific VLAN name (1 to 32 characters)

switchport mode {access | trunk}        Configures the VLAN membership mode of a port.
                                        ▪ The access port is set to access unconditionally and
                                          operates as a non-trunking, single VLAN interface that
                                          sends and receives non-encapsulated (non-tagged) frames.
                                          An access port can be assigned to only one VLAN.
                                        ▪ The trunk port sends and receives encapsulated (tagged)
                                          frames that identify the VLAN of origination. A trunk is
                                          a point-to-point link between two switches or between a
                                          switch and a router.

switchport trunk {encapsulation {dot1q}}
                                        Sets the trunk characteristics when the interface is in
                                        trunking mode. In this mode, the switch supports
                                        simultaneous tagged and untagged traffic on a port.

encapsulation dot1q vlan-id             Defines the matching criteria to map 802.1Q frames ingress on
                                        an interface to the appropriate service instance

show spanning-tree                      Provides detailed information about the Spanning Tree
                                        protocol for all VLANs

DHCP Commands

Command                                 Description

ip address dhcp                         Acquires an IP address on an interface via DHCP

ip dhcp pool name                       Used to configure a DHCP address pool on a DHCP server and
                                        enter DHCP pool configuration mode

domain-name domain                      Specifies the domain name for a DHCP client

network network-number [mask]           Configures the network number and mask for a DHCP address
                                        pool primary or secondary subnet on a Cisco IOS DHCP server

ip dhcp excluded-address ip-address [last-ip-address]
                                        Specifies IP addresses that a DHCP server should not assign
                                        to DHCP clients

ip helper-address address               Enables forwarding of UDP broadcasts, including BOOTP,
                                        received on an interface

default-router address [address2 ... address8]
                                        Specifies the default routers for a DHCP client

Security Commands

Command                                 Description

password pass-value                     Lists the password that is required if the login command
                                        (with no other parameters) is configured

username name password pass-value       Defines one of possibly multiple user names and associated
                                        passwords used for user authentication. It is used when the
                                        login local line configuration command has been used.

enable password pass-value              Defines the password required when using the enable command

enable secret pass-value                Sets the password required for any user to enter enable mode

service password-encryption             Directs the Cisco IOS software to encrypt the passwords,
                                        CHAP secrets and similar data saved in its configuration
                                        file

ip domain-name name                     Configures a DNS domain name

crypto key generate rsa                 Creates and stores (in a hidden location in flash memory)
                                        the keys that are required by SSH

transport input {telnet | ssh}          Defines whether Telnet or SSH access is allowed into this
                                        switch. Both values can be specified in a single command to
                                        allow both Telnet and SSH access (default settings).

access-list access-list-number {deny | permit} source [source-wildcard] [log]
                                        Defines a standard IP access list

access-class                            Restricts incoming and outgoing connections between a
                                        particular VTY (into a basic Cisco device) and the addresses
                                        in an access list

ip access-list {standard | extended} {access-list-name | access-list-number}
                                        Defines an IP access list by name or number

permit source [source-wildcard]         Allows a packet to pass a named IP ACL. To remove a permit
                                        condition from an ACL, use the "no" form of this command.

deny source [source-wildcard]           Used to set conditions in a named IP ACL that will deny
                                        packets. To remove a deny condition from an ACL, use the
                                        "no" form of this command.

ntp peer <ip-address>                   Configures the software clock to synchronize a peer or to be
                                        synchronized by a peer

switchport port-security                Enables port security on the interface

switchport port-security maximum maximum
                                        Sets the maximum number of secure MAC addresses on the port

switchport port-security mac-address {mac-addr | {sticky [mac-addr]}}
                                        Adds a MAC address to the list of secure MAC addresses. The
                                        "sticky" option configures the MAC addresses as sticky on
                                        the interface.

switchport port-security violation {protect | restrict | shutdown}
                                        Sets the action to be taken when a security violation is
                                        detected

show port-security [interface interface-id]
                                        Displays information about security options configured on
                                        the interface
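
An added example, not part of the original cheat sheet: a small Python audit that reads a running-config and flags weak uses of the security commands listed above (enable password, service password-encryption, transport input, access-class, switchport port-security). The sample configuration, function names and finding strings are constructed for illustration.

```python
# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
enable password lab-pass
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
!
line vty 0 4
 transport input telnet ssh
"""

def parse_sections(config):
    """Return (global commands, {section header: [indented sub-commands]})."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # "!" or a blank line ends a section
        elif raw[0] == " " and current is not None:
            sections[current].append(line)      # sub-command of the open section
        else:
            global_cmds.append(line)
            current = line if line.startswith(("interface ", "line ")) else None
            if current is not None:
                sections[current] = []
    return global_cmds, sections

def audit(config):
    """Flag weak uses of the security commands from the table above."""
    cmds, sections = parse_sections(config)
    findings = []
    if any(c.startswith("enable password") for c in cmds):
        findings.append("enable password in use; prefer enable secret")
    if "service password-encryption" not in cmds:
        findings.append("service password-encryption not enabled")
    for header, body in sections.items():
        if header.startswith("line vty"):
            transport = [b.split()[2:] for b in body if b.startswith("transport input")]
            if any("telnet" in t or "all" in t for t in transport):
                findings.append(f"{header}: Telnet allowed by transport input")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{header}: no access-class on VTY lines")
        elif "switchport mode access" in body and "switchport port-security" not in body:
            findings.append(f"{header}: access port without port-security")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns five findings; a configuration that uses enable secret, SSH-only VTY lines with an access-class, and port security on every access port returns an empty list.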

Monitoring and Logging Commands

Command                                 Description

logging ip address                      Configures the IP address of the host that will receive the
                                        system logging (syslog) messages

logging trap level                      Used to limit messages that are logged to the syslog servers
                                        based on severity. Specify the number or name of the desired
                                        severity level at which messages should be logged.

show logging                            Displays the state of system logging (syslog) and the
                                        contents of the standard system logging buffer

terminal monitor                        Sends a copy of all syslog messages, including debug
                                        messages, to the Telnet or SSH user who issues this command
About Netwrix
Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security
professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect,
respond to and recover from attacks, limiting their impact. More than 13,500 organizations worldwide rely on
Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors:
data, identity and infrastructure.

For more information, visit www.netwrix.com
