CLI Commands

CCNA level (basic commands for Cisco switches and routers).

Show commands for brief check 

These are handy commands for checking basic settings on routers. Some of them apply to switches as well.

R1# show running-config

R1# show flash

R1# show history

R1# show protocols

R1# show version

R1# show clock

R1# show hosts

R1# show interfaces

Running configuration file commands

Viewing the device configuration stored in the configuration files is the first thing we must master.

Sw1# show running-config 

Building configuration...

Sw1# show startup-config 

Building configuration...

This command saves changes on the switch or router: the running configuration is copied to the startup configuration file. Therefore, when the device (router / switch) starts again, the previous configuration is read and loaded into memory.

Sw1# copy running-config startup-config 

Deleting information on switch or router

As demonstrated below, we can use a few commands to remove data from a router or switch. Both commands below erase information from the device start-up configuration file. 

Sw1# erase startup-config 

Sw1# erase nvram

If we want to delete information from both configuration files (startup and running) at the same time, we need to use the command below.

Sw1# write erase

The VLAN database on a switch is kept in a separate file, vlan.dat, so it has to be deleted on its own:

Sw1# delete vlan.dat

MOTD Banner

A banner MOTD, or Message of the Day, is a message that is displayed to users when they first connect to a Cisco device. MOTD banners are typically used to display important information to users, such as security warnings, legal notices, system updates, and contact information for the network administrator.

R1> enable

R1# configure terminal

R1(config)# banner motd X Welcome to local host X

R1(config)# exit

R1# show banner

Login Banner

To verify that the login banner has been configured correctly, disconnect from the switch and reconnect. The login banner should be displayed before you are prompted to enter your username and password. 

Switch> enable

Switch# configure terminal

Switch(config)# banner login # Unauthorized access is prohibited! #

Switch(config)# exit

Key differences between login and MOTD banners on Cisco devices are stated in the table.

Change Host Name

Assigning a hostname that lets us quickly identify the device later is good practice.

R1>enable

R1#configure terminal

R1(config)#hostname cisco

Configure Interface

Configuring an interface is a basic but essential operation on each device, such as a multilayer switch (L3) or a router. Remember that an L2 switch supports only virtual interfaces, for management purposes. More about interface configuration for switches and routers can be found in the labs.

R1> enable

R1# configure terminal

R1(config)# interface fastEthernet 0/0

R1(config-if)# ip address 196.168.1.1 255.255.255.0

R1(config-if)# no shutdown

R1(config-if)# exit

We can have the interface obtain its address from DHCP instead of configuring a static IP address.

Switch-1(config)# interface fa0/1

Switch-1(config-if)# ip address dhcp

Switch-1(config-if)# no shutdown

Check the DHCP-leased IP address and the default gateway IP address:

Switch-1# show dhcp lease

Switch-1# show ip default-gateway

Interface parameters

There are more interface features, like speed, description, and type of connection (mode). 

Switch-2(config)# interface FastEthernet 0/1

Switch-2(config-if)# duplex full

Switch-2(config-if)# speed 100

Switch-2(config-if)# description Scanner on ground floor, room 116, set speed to 100/full

Switch-2(config-if)# exit

(config-if)# duplex {auto|full|half}

(config-if)# speed {auto|10|100|1000}

(config-if)# description <write here description>

Interface range

Multiple interfaces can be configured at the same time. We can select an interface range and apply the same settings to the whole group with one set of commands, eliminating repetition.

(config)# interface range fa0/10 - 20

(config-if-range)# description end user connect here

Add a default gateway if required (this is a global setting, not a per-interface one):

(config)# ip default-gateway 192.168.1.254 

R1# show protocols

Delete interface or set to default

We can delete a configured interface or reset it to its default settings.

R1(config)#no interface g0/1

R1(config)#default interface g0/1

VLAN and interfaces 

Assign an IP address to the switch's VLAN interface (SVI) for the selected VLAN. In the second script below, the VLAN interface obtains a dynamic IP address instead.

(config)# interface vlan 1

(config-if)# ip address 192.168.1.100 255.255.255.0 

(config-if)# no shut

(config)# ip default-gateway 192.168.1.254

(config)# interface vlan 1

(config-if)# ip address dhcp

(config-if)# no shut

Interface status

Using these commands, you can check the interface status (description, status, speed, mode, type of connection, etc.). Each show command serves a specific check during troubleshooting.

# show ip interface brief 

# show interfaces status

# show interfaces f0/1 

# show interfaces f0/1 status

# show interfaces f0/1 counters 

# show running-config interface f0/2

To verify the interface with VLAN and default gateway IP address, we can use the following commands:

# show interface vlan 1

# show ip default-gateway

# show ip interface brief | include Vlan

Settings such as speed and duplex are visible in the running-config section for the interface:

# show running-config interface fa0/1

Sub-interfaces

We can set up a router or multilayer switch with sub-interfaces. This is very useful for VLAN configurations such as Router on a Stick (ROAS). The first script below creates a sub-interface that carries VLAN 1 as the native (untagged) VLAN. The second script gives the same result for another sub-interface, assigned a different subnet and a tagged VLAN.

A lab presenting the ROAS configuration can be found here.


R1(config)#interface g0/1.1

R1(config-subif)#encapsulation dot1Q 1 native

R1(config-subif)#ip address 192.168.1.254 255.255.255.0

R1(config-subif)#end


R1(config)#interface g0/1.2

R1(config-subif)#encapsulation dot1Q 2

R1(config-subif)#ip address 192.168.10.254 255.255.255.0

R1(config-subif)#end

Create VLAN

In this short script, we see how to create a VLAN and add a name to it. The name of the VLAN is important to quickly understand the topology of the network. Lines 3,4,5 assign VLAN to the interfaces and configure them to access mode. 

(config)# vlan 2

(config-vlan)# name Fred-vlan

(config)# interface range fa 0/13 - 20

(config-if-range)# switchport access vlan 2

(config-if-range)# switchport mode access

Check VLAN

We should check that the created VLAN is properly configured on the device. There are a few commands to help us.

# show vlan

# show vlan brief

# show vlan id 2

VLAN and Voice configuration

This example shows how to create a configuration for voice service. First, we create VLANs 10 and 11. Next, we assign them to access ports, with separate VLANs for data (10) and voice (11).

(config)# vlan 10

(config-vlan)# vlan 11

(config-vlan)# interface range fa0/1 - 4

(config-if-range)# switchport mode access

(config-if-range)# switchport access vlan 10

(config-if-range)# switchport voice vlan 11

Trunk Mode

Configuring a port as a trunk is an essential part of an effective VLAN design. In the example below, VLANs 10 to 20 are allowed on the interface.

(config-if)# switchport trunk allowed vlan <vlan-list>

Access-1(config-if)#switchport trunk allowed vlan 10-20

On Cisco switches, we can specify which trunking protocol must be used: dot1q, isl, or the negotiate option. On newer switches only dot1q is available, as ISL is no longer supported.

(config-if)# switchport trunk encapsulation dot1q

We can verify the interface with regard to the selected trunk mode using the few commands below.

# show interfaces gig 0/1 switchport 

# show interfaces trunk 

# show interface f0/4 trunk 

VTP Configuration

VLAN Trunking Protocol automatically propagates VLANs between switches. 

(config)# vtp mode ? Client | Server | Transparent 

# show interfaces trunk 

# show interfaces fa0/1 trunk

# show vtp status

# show interfaces g0/1 status

# show interfaces fa0/1 switchport 

vtp mode {server | client | transparent | off}

Access Mode

Assign a VLAN to a switchport configured in access mode, usually for end users.

Switch(config-if)# switchport mode access

Switch(config-if)# switchport access vlan <vlan-id>

Trunking and access operation modes on the ports and interactions between them. 

Secure device with passwords

Create a plain-text password for enable mode

We can use a plain-text password to protect access to enable mode. However, this password is stored in clear text inside the configuration file. Therefore, anyone with access to the configuration file can read the password.

R1> enable

R1# configure terminal

R1(config)# enable password ccna

Create an encrypted password (MD5) for enable mode

We can use an encrypted password to protect access to enable mode. The encryption ensures that the password is not stored in its original form: MD5 (Message-Digest Algorithm 5) is a one-way hashing function, so only a hash of the password is stored.

R1>enable

R1#configure terminal

R1(config)#enable secret ccna

Console Password Login

Console line with configured password for secure access.

R1> enable

R1# configure terminal

R1(config)# line console 0

R1(config-line)# password cisco

R1(config-line)#login

If you would like to use user credentials stored locally on the router, use the code below.

R1> enable

R1# configure terminal

R1(config)# line console 0

R1(config-line)# login local

R1(config-line)# exit

Telnet and SSH configuration

Virtual lines can be configured for remote connections over Telnet and/or SSH. It is strongly recommended to use SSH in a production environment.

R1> enable

R1# configure terminal

R1(config)# line vty 0 4

R1(config-line)# login

R1(config-line)# password cisco

R1(config-line)# end

Virtual line configuration when a local user is used to log in. We do not create a password here, as the credentials come from the local user account.

R1> enable

R1# configure terminal

R1(config)# line vty 0 4

R1(config-line)# login local

R1(config-line)# end

SSH configuration (Required)

For SSH, it is required to configure a domain name and generate an RSA key. Choose a key size over 512 bits when prompted. Additionally, to improve security, disable Telnet on the switch.

Sw1(config)# ip domain-name ccna.com

Sw1(config)# crypto key generate rsa

Show commands checking SSH protocol parameters on switch and router:

# show crypto key mypubkey rsa

# show ip ssh

# show ssh

Additionally, we can remove the password from the console line or virtual lines. This is advised when using a local user, whose password was previously set with the username command.

(config-line)# no password

Select transport on the line

Selecting the transport protocol explicitly is good practice. The default is all; the available choices are none | telnet | ssh | all.

(config-line)# transport input ssh

SSH version 

We need to ensure that devices communicating with each other use the same protocol version. Therefore it is worth checking the protocol version and setting the proper one.

(config)# ip ssh version 2

Enable SSH on remote device

This is an example of opening an SSH connection from a remote device, such as a PC, to the switch or router, logging in as user fred.

C:\>ssh -l fred 192.168.1.202

Add a user on the router and switch

We can add local users to a switch or router. This is part of the Telnet or SSH login setup and is required for SSH. The secret form stores a hash of the password, whereas the password form stores it in clear text in the configuration.

(config)# username USERNAME secret PASSWORD

(config)# username john password cisco

User privilege mode

We can set the privilege level of a user. This is handy for Telnet remote login in a lab environment. The second command displays the configured users with their privilege levels, if any. The third command shows how many users were connected to the device at the time the command was entered.

(config)# username <name> privilege 15

# show run | i user

# show line 

Inactivity in console command line

This option logs the user out after a period of inactivity. In the configuration below, the user is logged out after 15 minutes of inactivity on the command line. The time value can be changed; a value of 0 disables the timeout, keeping the session active indefinitely.

R1>enable

R1#configure terminal

R1(config)#line console 0

R1(config-line)#exec-timeout 15 0

R1(config-line)#end
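As an added example (not part of the original page), the Python script below reads an exported running-config and flags the weak choices discussed in the password, virtual line, SSH version and exec-timeout sections above. The sample configuration is constructed for the example and the checks are my own, not a Cisco tool.

```python
"""Audit an exported Cisco IOS running-config for weak access settings.

The checks mirror the page's advice: 'enable secret' instead of
'enable password', 'username ... secret' instead of 'password',
SSH version 2, 'transport input ssh' on vty lines, and no
'exec-timeout 0 0' (which never logs an idle session out).
"""
import re

# Constructed sample config (not from any real device) with several weak choices.
SAMPLE_CONFIG = """\
hostname R1
!
enable password ccna
!
username john password cisco
username fred secret s3cr3t
!
ip domain-name ccna.com
ip ssh version 1
!
line con 0
 password cisco
 login
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""


def split_config(config):
    """Separate global commands from 'line ...' sections.

    Returns (global_cmds, sections); sections maps each 'line ...' header
    to the list of indented commands beneath it.
    """
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(config):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    global_cmds, sections = split_config(config)
    for cmd in global_cmds:
        if cmd.startswith("enable password "):
            findings.append("enable password is clear text; use 'enable secret'")
        user = re.match(r"username (\S+) password ", cmd)
        if user:
            findings.append(f"username {user.group(1)} uses 'password'; use 'secret'")
        if cmd == "ip ssh version 1":
            findings.append("SSH version 1 in use; set 'ip ssh version 2'")
    for header, cmds in sections.items():
        if header.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: telnet not excluded; use 'transport input ssh'")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{header}: exec-timeout 0 0 never logs out an idle session")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```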

MAC Address Table

There are a few ways to check MAC address table records by filtering on a specific parameter. For example, the first command shows all entries in the MAC address table, and the second displays only dynamically learnt addresses.

The third command shows only dynamically learnt records for a specific MAC address, while the fourth filters by a specific interface. The fifth command selects all records linked to VLAN 5, and the sixth shows how long a dynamically learnt MAC address stays in the table (the aging time).

# show mac address-table

# show mac address-table dynamic

# show mac address-table dynamic address 0900.1111.1111

# show mac address-table dynamic interface fa 0/1

# show mac address-table dynamic vlan 5

# show mac address-table aging-time

We can clear the learnt records from the MAC address table.

# clear mac address-table dynamic vlan 1 

# clear mac address-table dynamic interface fa0/1 

# clear mac address-table dynamic address 0200.1111.1111 

Debugging and more ...

Debugging on Cisco switches and routers involves using the debug commands to monitor real-time system operations and gather detailed information about processes, protocols, and network events. It is primarily used for troubleshooting and diagnosing issues in a network. The commands below are self explanatory.

# no debug all

# undebug all

Restart switch or router

The reload command restarts the device. The history commands set how many previous commands are kept in the command history buffer (terminal history size applies to the current session only) and display that buffer.

# reload

# history size <value-length>

# terminal history size <value-length>

# show history

Mistyping in the command line

This command disables the switch or router's feature that continually resolves hostnames into IP addresses. I prefer to disable this option in my lab in order to be more efficient and avoid waiting time when I mistype.

(config)# no ip domain-lookup

The logging synchronous command stops console messages from interrupting the line you are typing; the message is printed and the partially typed command is redisplayed. I prefer to use this command in my laboratory. It's fun to see a message appear on the screen as you type. The final command in this paragraph (no logging console) disables notifications on the screen altogether. Personally, I do not do this, so that essential messages are not overlooked, particularly during troubleshooting.

(config-line)# logging synchronous

(config-line)# no logging console

Port Security

SW1#  show port-security

SW1#  show interfaces Fa0/13 status

LLDP and CDP

The LLDP and CDP protocols enable Cisco devices (e.g., routers, switches, IP phones) to share information about themselves with directly connected neighbours.

(config)# cdp run

(config)# lldp run

# show cdp neighbors

# show lldp neighbors

# show lldp neighbors detail

# show cdp neighbors detail

# show cdp entry <DEVICE HOST NAME>

Spanning Tree VLAN


Sw(config)# spanning-tree mode {pvst | rapid-pvst| mst}

Sw(config)# spanning-tree [vlan vlan-number] root primary

Sw(config)# spanning-tree [vlan vlan-number] root secondary

Sw(config)# spanning-tree vlan vlan-id priority <number>

Sw(config)# spanning-tree [vlan vlan-number] cost cost

Sw(config)# spanning-tree [vlan vlan-number] port-priority priority

Core1(config)# spanning-tree vlan 1 root primary

Core1(config)# spanning-tree vlan <VLAN-Number> priority <Value>

# show spanning-tree

# show run | i span

# show spanning-tree vlan 20

SW1(config)# spanning-tree mode ?

 mst Multiple spanning tree mode

 pvst Per-Vlan spanning tree mode

 rapid-pvst Per-Vlan rapid spanning tree mode

SW1(config)# spanning-tree vlan 1 priority <number 0-61440>

SW1# show spanning-tree vlan <number>

EtherChannels (Layer 2)

Settings that must match on all member interfaces of an EtherChannel: speed, duplex, access or trunking state, allowed VLANs on trunking ports (or the access VLAN on access ports), and the native VLAN on trunking ports. The commands below show how to add an interface to a channel group.

Sw(config-if)# channel-group channel-group-number mode {auto | desirable | active | passive | on}

Sw1(config)# interface fa 0/14

Sw1(config-if)# channel-group 1 mode on

When using the command "show spanning-tree vlan", we can see that the member ports no longer appear individually in STP: the Port-Channel interface established by the EtherChannel configuration takes their place.

Sw1# show spanning-tree vlan <VLAN-number>

Sw1# show etherchannel 1 port-channel

Sw1# show etherchannel <Number> summary

Sw1# show etherchannel summary

Sw1# show etherchannel load-balance

Sw1# test etherchannel load-balance interface po1 mac <MAC-ADDRESS>

The following information can be retrieved from the switch about an EtherChannel.

Sw1# show etherchannel [channel-group-number] {brief | detail | port | port-channel | summary}

Routing Operation


R1# show ip route

R1# show protocols

R1# show ip arp

Static Routing


R1(config)# ip route prefix mask {ip-address | interface-type interface-number} [distance] [permanent]

R1(config)# ip route 172.16.2.0 255.255.255.0 S0/0/0

R1# show ip route static

B1# show ip route connected

R1# show ip route ip-address

R1# show ip route 192.168.20.12

R1(config)# ip route 172.16.2.0 255.255.255.0 S0/0/0 permanent

R1(config)# ip route 172.16.3.0 255.255.255.0 172.16.5.3 permanent

R1# show ip route [connected | static | ospf]

R1# show ip route ospf

R1# show arp

R1# show ip arp

R1# clear ip arp [ip-address]

B1# show ip interface brief | include 0/0

Enable IP Routing (Switch L3)

We can enable IP routing on a Layer 3 switch.

SwL3(config)# [no] ip routing

R1# traceroute

R1# traceroute 172.16.2.101

R1# telnet 10.1.2.2

R1# ssh -l user 192.168.12.1

OSPF Protocol

Routing OSPF protocol commands:

R1(config)# router ospf process-id

R1(config-router)# network ip-address wildcard-mask area area-id

R1(config)# router ospf 1

R1(config-router)# network 10.0.0.0 0.255.255.255 area 0

R1# show ip ospf

R1# show ip ospf neighbor

R1# show ip ospf database

R1# show ip ospf interface brief

R1# show ip ospf interface g0/0/0

R4# show ip route

R1# show ip protocols

R1(config)# router ospf 1

R1(config-router)# no network 10.0.0.0 0.255.255.255 area 0

OSPF directly set on the interface

We can set the OSPF protocol directly in the interface or sub-interface. 

R1(config-if)# ip ospf process-id area area_number

R1(config)# interface g0/0.1

R1(config-subif)# ip ospf 1 area 0

R1(config-subif)# interface g0/0.2

R1(config-subif)# ip ospf 1 area 0

R1(config-subif)# interface g0/0/0

R1(config-if)# ip ospf 1 area 0

R1(config)# interface loopback number

R1(config-router)# maximum-paths number-of-paths

Passive interface of OSPF

We can make passive interfaces and/or passive sub-interfaces on routers when using the OSPF protocol. 

router ospf 1

passive-interface GigabitEthernet0/0.1

passive-interface GigabitEthernet0/0.2


router ospf 1

passive-interface default

no passive-interface GigabitEthernet0/0/0

no passive-interface GigabitEthernet0/1/0

no passive-interface GigabitEthernet0/2/0

passive-interface type number

passive-interface default

no passive-interface type number

default-information originate [always]

OSPF Metrics

The OSPF protocol selects the route with the best (lowest) metric. An administrator can influence this by changing the cost of an interface so that a particular route is preferred. There are three methods to change the metric; the two shown below set the interface cost directly or change the interface bandwidth from which the cost is derived:

R1(config-if)# ip ospf cost interface-cost

R1(config-if)# bandwidth bandwidth

R1(config)# interface g0/0/0

R1(config-if)# ip ospf cost 5

R1(config-if)# interface g0/1/0

R1(config-if)# ip ospf cost 6

R1(config-if)# end

R1# show ip ospf interface brief

R1(config)# interface g0/0

R1(config-if)# ip ospf priority 99

R1(config-if)# end

R1# show ip ospf interface g0/0 | include Priority

R1(config)# interface g0/0/0

R1(config-if)# ip ospf network point-to-point

R1(config-if)#

R5(config)# router ospf 1

R5(config-router)# shutdown

R5(config-router)# ^Z

ip ospf hello-interval seconds

ip ospf dead-interval number

passive-interface type number

ip ospf priority value

ip ospf network {broadcast |point-to-point}

IPv6 Routing


R1# show ipv6 interface GigabitEthernet 0/0

R1# show ipv6 interface brief

R1# show ipv6 route connected

R1# show ipv6 route static

R1# show ipv6 route 2001:db8:1111:2::22

R1# show ipv6 route [connected |local | static]

R1# show ipv6 route address

R1(config)# interface gigabitEthernet 0/0

R1(config-if)# ipv6 address 2001:1:1:1::1/64

R1(config-if)# ipv6 address 2001:1:1:2::99/128 anycast

R1(config-if)# ^Z

R1(config)# ipv6 route prefix/length nexthop-address

R1(config)# ipv6 route prefix/length outgoing-interface

R1(config)# ipv6 route prefix/length outgoing-interface next-hop-address

R1(config)# ipv6 route ::/0 {[next-hop-address] [outgoing-interface]}

ipv6 address autoconfig [default]

ipv6 unicast-routing

ipv6 address ipv6-address/prefix-length [eui-64]

ipv6 address ipv6-address/prefix-length [anycast]

R1(config)# ipv6 enable

R1(config)# ipv6 address dhcp

#show ipv6 route [connected][local]

#show ipv6 interface [type number]

#show ipv6 interface brief [type number]

R1# show ipv6 route local

R3# show ipv6 neighbors

Static IPv6 route

R1(config)# ipv6 route 2001:db8:1111:2::/64 S0/0/0

R2(config)# ipv6 route 2001:db8:1111:1::/64 s0/0/1

R1(config)# ipv6 route 2001:db8:1111:2::/64 2001:DB8:1111:4::2

R2(config)# ipv6 route 2001:db8:1111:1::/64 2001:db8:1111:4::1

R1(config)# ipv6 route 2001:db8:1111:2::/64 S0/0/0 FE80::FF:FE00:2

R2(config)# ipv6 route 2001:db8:1111:1::/64 S0/0/1 FE80::FF:FE00:1

Access List


access-list {1-99 | 1300-1999} {permit | deny} matching-parameters

access-list access-list-number {deny | permit} source [source-wildcard]

access-list 1 permit 10.1.1.1

access-list 1 permit host 10.1.1.1

access-list 1 permit any

R3(config)# access-list 1 permit 10.1.1.1

R3(config)# access-list 1 deny 10.1.1.0 0.0.0.255

R3(config)# access-list 1 permit 10.0.0.0 0.255.255.255

R3(config)# interface S0/0/1

R3(config-if)# ip access-group 1 in

R3(config-if)# exit

R3# show running-config

R3# show ip access-lists

R2# show ip interface s0/0/1

R1# show running-config
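As an added example (not from the original page), the Python code below evaluates the standard ACL configured on R3 above the way the router does: top-down first match, wildcard bits set to 1 meaning "do not care", and an implicit deny when nothing matches. The ACL lines are copied from the text; the source addresses tested are constructed.

```python
"""Evaluate Cisco standard ACL statements against sample source addresses."""
import ipaddress

# The three statements configured on R3 in the text above.
ACL_1 = [
    "access-list 1 permit 10.1.1.1",
    "access-list 1 deny 10.1.1.0 0.0.0.255",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
]


def wildcard_from_mask(mask):
    """A wildcard mask is the bitwise inverse of a subnet mask (255.255.255.0 -> 0.0.0.255)."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def parse_entry(line):
    """Return (action, address, wildcard) as integers for one standard ACL line.

    Accepts the numbered form 'access-list N ...' and the named-ACL form
    'permit ...', with 'host A', 'any', a bare address 'A' (wildcard 0.0.0.0)
    or 'A W'.
    """
    parts = line.split()
    if parts[0] == "access-list":
        parts = parts[2:]  # drop 'access-list <number>'
    action, rest = parts[0], parts[1:]
    if rest[0] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        addr, wild = rest[1], "0.0.0.0"
    elif len(rest) == 1:
        addr, wild = rest[0], "0.0.0.0"
    else:
        addr, wild = rest[0], rest[1]
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def matches(entry, source):
    """Bits where the wildcard is 0 must match exactly; bits set to 1 are ignored."""
    _, addr, wild = entry
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(source)) & care) == (addr & care)


def evaluate(acl_lines, source):
    """First matching statement decides; no match means the implicit deny."""
    for line in acl_lines:
        entry = parse_entry(line)
        if matches(entry, source):
            return entry[0]
    return "deny"


if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.2", "10.2.3.4", "192.168.1.1"):
        print(src, "->", evaluate(ACL_1, src))
```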

access-list access-list-number {deny | permit} source [source-wildcard] [log]

access-list access-list-number remark text

ip access-group number {in | out}

show ip interface [type number]

show access-lists [access-list-number | access-list-name]

show ip access-lists [access-list-number | access-list-name]

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log | log-input]

access-list access-list-number {deny | permit} {tcp| udp} source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [log]

Router(config)# ip access-list extended office

Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any

Router(config-ext-nacl)# deny udp host 10.1.1.1 10.1.2.0 0.0.0.255

Router(config-ext-nacl)# deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255

Router(config-ext-nacl)# deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255

Router(config-ext-nacl)# permit ip any any

Router(config-ext-nacl)# interface serial1

Router(config-if)# ip access-group office out

Router(config-if)# end

Router(config)# ip access-list extended office

Router(config-ext-nacl)# no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255

Router(config-ext-nacl)# ^Z

R1(config)# ip access-list standard 24

R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255

R1(config-std-nacl)# permit 10.1.2.0 0.0.0.255

R1(config-std-nacl)# permit 10.1.3.0 0.0.0.255

R1(config-std-nacl)# do show ip access-lists 24

R1(config-std-nacl)# no 20

R1(config-std-nacl)# 5 deny 10.1.1.1

R1(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log]

R1(config)# access-list access-list-number {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]

access-list access-list-number remark text

ip access-group {number | name} {in | out}

access-class {number | name} {in | out}

ip access-list {standard | extended} name

{deny | permit} source [source-wildcard] [log]

{deny | permit} protocol source source-wildcard destination destination-wildcard [log]

{deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log]

show access-lists [access-list-number | access-list-name]

show ip access-lists [access-list-number | access-list-name]