Netwrix Auditor 
Netwrix Enterprise Auditor 
Netwrix Data Classification 
Netwrix GroupID 
Netwrix Privilege Secure 
Netwrix Endpoint Protector 
Essential Cisco Command Cheat Sheet for Device Configuration
Introduction
The Cisco IOS (Internetwork Operating System) provides admins with the means to manage and configure Cisco devices. While Cisco's command structure is proprietary, it exemplifies fundamental concepts in network device management that are applicable across various vendors. Similar command-line interfaces (CLIs) and configuration principles can be found in systems from other major networking companies like Aruba, Juniper and Broadcom, allowing network professionals to apply their skills across different platforms with some adaptation.
This article provides a cheat sheet that you can use as a quick command guide for managing and configuring Cisco network devices. Screenshots are provides to show some commands step by step in action; they were taken using a console connection to the router or switch.
Overview of Command-Line Interface (CLI) Structure
Command Modes
The Cisco IOS command-line interface (CLI) is structured hierarchically with the following command modes:
- User EXEC mode — This is the default mode when logging into a Cisco device. It offers limited access, allowing only basic monitoring commands and restricting the ability to make configuration changes. It is identifiable by a prompt ending with >.
- Privileged EXEC mode — This elevated mode grants access to all show commands and system-level operations. It provides complete visibility into the system but no configuration access. It also enables users to perform device diagnostics and file management tasks. This mode is denoted by a prompt ending with #.
- Global Configuration mode — This highly privileged mode allows you to make system-wide configuration changes and provides access to various sub modes for specific configurations, such as interface settings. In this mode, the prompt includes (config)#.
Moving Between Command Modes
When you first log into a Cisco router or switch, you will be in User EXEC mode. Use the following commands to switch to more privileged modes:
- enable — Used to access Privileged Exec mode
- config terminal (or simply config t) — Used to access Global Configuration mode
These commands are shown in the screenshot below:
Global Configuration mode can be further divided into several sub-modes that permit you to configure different components. Here are those sub-modes and the commands to access them:
| Interface Configuration mode | interface [interface-type] [interface-number] |
| Subinterface Configuration mode | interface [interface-type] [interface-number].[subinterface-number] |
| Router Configuration mode | router [routing-protocol] |
| Line Configuration mode | line [line-type] [line-number] |
Now that you know the commands to move to the higher privileged modes, here are the commands to work your way back out of them.
- exit — Used to move back one level in the configuration mode hierarchy. The following screenshot shows the admin returning to Privileged Exec mode:
- end — Used to immediately return to Privileged EXEC mode from any configuration mode. This is useful for quickly exiting nested configuration levels.
Displaying System Configuration
After logging onto a Cisco device, you probably want to view its basic system settings. This is easily done by typing show running-config or simply show run. This command displays the active configuration stored in the device's memory.
Notice in the screenshot below that we first tried the command while in User Exec mode, where it failed due to insufficient privileges. The screenshot shows only a portion of the running config.
Other commands related to configuration include the following:
| show startup-config | Displays the saved configuration stored in the device's NVRAM, which will be loaded when the device starts up |
| copy running-config startup-config | Replaces the startup config with the active config when the Cisco network device initializes |
| copy startup-config running-config | Merges the startup config with the currently active config in RAM |
| write erase erase startup-config | Deletes the startup config |
Shortcuts and Command History
Here are a few additional commands for quick navigation:
- Ctrl+Z — Use this key combination at any time to instantly exit any configuration mode and return to Privileged EXEC mode
- Tab key — Use this key to auto-complete partial commands or show possible completion options.
- Up & down arrow keys — Use these keys to cycle through previous commands.
- show history — Use this command to display the command history buffer.
Device Setup and Basic Configuration
Renaming a Device
The running config displayed in the earlier screenshot showed router as the hostname. This is the default name for a Cisco router, just as switch is the default name for a Cisco switch. The device’s name appears in the command prompt.
Use the hostname command to change a device’s name. Select a unique name for each device to ensure easy identification within the network. In the example below, we changed the router’s name to NorthOfficeRouter. Notice how the new name is a part of the final prompt.
Assigning an IP Address
You will also want to assign an IP address to the device to remotely manage it. Choose the interface you want to assign the IP address to and complete the following steps:
- Enter Interface Configuration mode:
interface <interface-name>
- Assign an IP address and subnet mask:
ip address <IP-address>
- Enable the interface:
no shutdown
Here is what this procedure looks like in the Cisco IOS. Note that config-if indicates that you are in Interface Configuration sub-mode.
Configuring Passwords
Because we logged onto a new device, we didn’t have to enter a password. Here are the commands for enabling passwords to enhance security:
| enable password <pass-value> | Defines the password required when using the enable command |
| enable secret <pass-value> | Sets the password required for any user to enter enable mode and encrypts it |
| service password-encryption | Directs the Cisco IOS software to encrypt the passwords, CHAP secrets and similar data saved in its configuration file |
Configuring Banners
There are also a variety of banners you can configure:
- Message of the day (motd) banner:
banner motd #Unauthorized access prohibited#
- Login banner:
banner login #Please enter your credentials#
- Exec banner:
banner exec #Welcome to the network#
Switch Configuration
Switches serve a different purpose than routers and therefore utilize different commands. Here are some key concepts to understand:
- Switchport mode — The switchport mode determines how the port handles VLAN traffic. The three main modes are access mode, trunk mode and dynamic mode.
- Duplex speed — Duplex settings determine whether the port can send and receive data simultaneously. You can assign half, full or auto. Auto allows the switch to negotiate the duplex setting with the connected device.
- Speed — This setting determines the port's data transmission rate. Depending on the switch's capabilities, the speed can be set to 10 Mbps, 100 Mbps, 1000 Mbps (1 Gbps) or auto.
VLAN Configuration
VLAN configuration is a crucial aspect of network segmentation and management. In Global Configuration mode, you can use the following commands:
| vlan <vlan-id> | Creates a VLAN |
| Vlan <vlan-name> | Assigns a name to the VLAN |
| vlan switchport access vlan <vlan-id> | Sets the VLAN that the interface belongs to |
| no vlan <vlan-id> | Deletes a VLAN |
| show vlan | Display the VLAN configuration |
The screenshot below shows the commands for basic port configuration:
Spanning Tree Protocol (STP) Commands
Spanning Tree Protocol is a feature of Cisco switches that can help prevent network loops. STP is enabled by default on Cisco switches for all VLANs. You can modify STP settings globally for the entire switch, or apply specific configurations to individual interfaces or VLANs for fine-tuned control over the STP behavior across different parts of your network. The command is as follows:
spanning-tree mode rapid-pvst
Configuring Trunk Ports
Ports that need to carry multiple VLAN traffic need to be trunked. You first need to trunk the port and then assign the VLANs. Here are the commands:
switchport trunk native vlan <vlan-id>
Configuring trunk ports on Cisco switches involves using the switchport trunk and switchport trunk allowed vlan commands. Here are more details on these commands:
| switchport trunk native vlan <vlan-id> | Enables trunk mode for the port and sets the native VLAN for untagged traffic on the trunk |
| switchport trunk allowed vlan <vlan-id> | Adds the specified VLANs to the current list |
| switchport trunk allowed vlan remove <vlan-id> | Removes the specified VLANs from the allowed list |
The screenshot below shows these VLAN commands in action:
Networking Fundamentals
IP Addressing and Subnetting
The following commands are used for IP addressing and subnetting:
| ip address <ip-value> <bnet-value> | Assigns an IP and subnet mask |
| show ip interface <interface-number> | Displays the status of a network interface as well as a detailed listing of its IP configurations and related characteristics |
| show ip interface brief | Provides a concise summary of the IP interface status and configuration |
| ip address <ip-value> <subnet-value> secondary | Assigns a secondary IP address |
| no ip address | Removes an IP address |
The screenshot below shows the output from the show ip interface brief command:
Configuring Routing Protocols
You can use the following commands to configure routing protocols:
| ip route <network-number> <network-mask> {<ip-address> | <exit-interface>} | Sets a static route in the IP routing table |
| ip route 0.0.0.0 0.0.0.0 {next-hop-ip | exit-interface} | Configures a default route |
| no ip route {network} {mask} {next-hop-ip | exit-interface} | Removes a route |
| router rip | Enables a Routing Information Protocol (RIP) routing process, which places you in Router Configuration mode |
| no auto-summary | Disables automatic summarization |
| version 2 | Configures the software to receive and send only RIP version 2 packets |
| network ip-address | Associates a network with a RIP routing process |
| passive-interface interface | Sets the specified interface to passive RIP mode, which means RIP routing updates are accepted by, but not sent out of, the interface |
| show ip rip database | Displays the contents of the RIP routing database |
| default-information originate | Generates a default route into RIP |
The screenshot below shows the configuration of one static route and the configuration of a default route for all other networks:
Configuring Network Address Translation (NAT)
Use the following commands to configure NAT, which allows private IP addresses on a local network to be translated into public IP addresses before being sent over the internet:
| ip nat [inside | outside] | Specifies whether the NAT operation is applied to traffic entering or leaving the router’s network |
| ip nat inside source {list{access-list-number | access-list-name}} interface type number[overload] | Establishes dynamic source translation. Use the list keyword to specify an ACL to identify the traffic that will be subject to NAT. The overload option enables the router to use one global address for many local addresses. |
| ip nat inside source static local-ip global-ip | Establishes a static translation between an inside local address and an inside global address |
Troubleshooting and Diagnostics
Below are commands to help you troubleshoot and perform basic diagnostics:
| ping {hostname | system-address} [source source-address] | Reveals basic network connectivity |
| traceroute {hostname | system-address} [source source-address] | Traces the route that packets take to reach a destination |
| show interfaces | Displays detailed information about interface status, settings and counters |
| show ip route | Shows the routing table of the device. |
| show interface status | Displays the interface line status |
| show interfaces trunk | Lists information about the currently operational trunks and the VLANs supported by those trunks |
| show version | Displays information about the IOS version, uptime and hardware configuration |
| show running-config | Displays the current active configuration on the device |
| show tech-support | Generates a comprehensive report of the device's configuration and status (useful for advanced troubleshooting) |
| show cdp | Shows whether CDP is enabled globally |
| show cdp neighbors [detail] | Lists summary (or detailed) information about each neighbor connected to the device |
| cdp run no cdp run | Enables or disables Cisco Discovery Protocol (CDP) for the device |
| show mac address-table | Displays the MAC address table |
| show vtp status | Lists the current VLAN Trunk Protocol (VTP) status, including the current mode |
Security Configuration
You can configure access lists to restrict and allow traffic to and from your Cisco device. Use the following commands:
| password <pass-value> | Lists the password that is required if the login command (with no other parameters) is configured |
| username name password <pass-value> | Defines one of possibly multiple user names and associated passwords used for user authentication. It is used when the login local line configuration command has been used. |
| enable password <pass-value> | Defines the password required when using the enable command |
| enable secret <pass-value> | Sets the password required for any user to enter enable mode |
| service password-encryption | Directs the Cisco IOS software to encrypt the passwords, CHAP secrets and similar data saved in its configuration file |
| ip access-list {standard | extended} {acl-name | acl-number | Creates a standard or extended ACL |
| permit source <source-wildcar> | Adds permit rules for a Standard ACL |
| deny source <source-wildcard> | Adds deny rules for an Extended ACL |
| ip access-group {acl-name | acl-number} {in | out} | Applies an ACL to an interface |
| show access-lists [acl-name | acl-number] | Displays ACL configuration |
| no ip access-list {standard | extended} {acl-name | acl-number} | Removes an ACL |
| ip domain-name name | Configures a DNS domain name |
| crypto key generate rsa | Creates and stores (in a hidden location in flash memory) the keys that are required by SSH |
| transport input {telnet | ssh} | Defines whether Telnet or SSH access is allowed into this switch. Both values can be specified in a single command to allow both Telnet and SSH access, which are the default settings. |
| ntp peer <ip-address> | Configures the software clock to synchronize a peer or to be synchronized by a peer |
The screenshot below shows commands for an extended ACL:
Configuring SSH and Remote Access
Use the following commands to configure SSH and remote access:
| hostname <name> | Sets a hostname (if not already configured) |
| ip domain-name [domain-name] | Configures an IP domain name |
| crypto key generate rsa | Generates an RSA key pair for SSH |
| ip ssh version 2 | Configures SSH version 2 |
| username [username] privilege [level] secret [password] | Creates a local user account |
Router(config)# line vty [line-range] Router(config-line)# transport input ssh Router(config-line)# login local | Configures VTY lines for SSH access |
The screenshot below shows the generation of the RSA keys:
Implementing Port Security
Use the following commands to implement port security:
| switchport port-security | Enables port security on the interface |
| switchport port-security maximum <number> | Sets the maximum number of secure MAC addresses on the port |
| switchport port-security mac-address {mac-addr | {sticky [mac-addr]}} | Adds a MAC address to the list of secure MAC addresses and optionally configures them as sticky on the interface |
| switchport port-security violation {shutdown | restrict | protect} | Sets the action to be taken when a security violation is detected |
| show port security [interface interface-id] | Displays information about security options configured on the interface |
The screenshot below shows the process of configuring port security on a switch port.
Managing User Accounts
You can use the following commands to manage user accounts:
| username <username> privilege <level> secret <password> | Creates a local user account |
| show users | Displays current user sessions |
| no username <username> | Removes a user account |
| security passwords min-length <length> | Sets password complexity requirements |
DHCP Configuration
Use the following commands to configure DHCP:
| ip address dhcp | Acquires an IP address on an interface via DHCP |
| ip dhcp pool <pool-name> | Configures a DHCP address pool on a DHCP server and enters DHCP Pool Configuration mode |
| domain-name <domain> | Specifies the domain name for a DHCP client |
| network network-number [mask] | Configures the network number and mask for a DHCP address pool primary or secondary subnet on a Cisco IOS DHCP server |
| ip dhcp excluded-address ip-address [last-ip-address] | Specifies IP addresses that a DHCP server should not assign to DHCP clients |
| ip helper-address address | Enables forwarding of UDP broadcasts, including BOOTP, received on an interface |
| default-router address[address2 ... address8] | Specifies the default gateway for a DHCP client |
The screenshot below shows a basic DHCP configuration on a Cisco router:
Monitoring and Logging
The following commands are useful for monitoring and logging:
| logging on | Enables logging globally |
| logging host {ip-address | hostname} | Configures logging to a syslog server |
| logging trap level | Sets the logging severity level |
| terminal monitor | Sends a copy of all syslog messages, including debug messages, to the Telnet or SSH user who issues this command |
| snmp-server community <community-string> [RO|RW] | Enables SNMP |
| snmp-server location <location-string> | Configures the SNMP server location |
| snmp-server enable traps | Enables SNMP traps |
Backup, Restore and Upgrade
Use the following commands are for backup, restores and upgrades:
| copy running-config startup-config | Saves the running configuration to startup configuration |
| copy running-config tftp | Copies the running configuration to a TFTP server |
| copy startup-config tftp | Copies the startup configuration to a TFTP server |
| copy tftp: running-config | Copies the configuration from a TFTP server to the device |
| copy running-config flash:<file name> | Copies the configuration to flash |
| copy {ftp: flash:} | Copies a new IOS image to the device using TFTP or FTP |
The screenshot below shows the running config being backed up to the startup config.
Configuring Authentication, Authorization and Accounting
The following commands are used to configure authentication, authorization and accounting (AAA):
| aaa new-model | Enables AAA |
| radius-server host {ip-address | hostname} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] | Configures the RADIUS server |
| radius-server key {0 string | 7 string | string} | Sets the RADIUS key |
| aaa authentication login {default | list-name} method1 | Configures AAA authentication |
| aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 | Configures AAA authorization |
| aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 | Configures AAA accounting |
Common Use Cases
A common use case for Cisco switches is network segmentation and quality control through VLANs. By creating separate VLANs for wireless, phones, cameras and printers, you segment and can prioritize different traffic types (e.g., prioritizing voice over printing).
Cisco routers also enable network segmentation using standard or extended access control lists. These can restrict traffic from specific sources or limit certain traffic types entering or exiting router segments.
Here is a step-by-step guide for configuring a Cisco router for a network segment:
- Configure the router hostname and enable a secret password.
- Assign IP addresses to the router interfaces.
- Either configure static routing information or configure a routing protocol to route traffic for the attached network segments.
- Configure DHCP to distribute IP address and other DHCP options to clients that connect to the network.
- Configure ACLs to shore up security and restrict incoming and outgoing traffic.
- Configure NAT for internet access.
- Enable logging.
- Save the configuration.
Common Problem Scenarios and Troubleshooting Tips
Here are some common issues for Cisco routers and switches and tips for resolving them:
Scenario: Devices unable to communicate across VLANs or subnets
- Check VLAN configurations and trunking on switches.
- Verify the IP addresses and subnet masks.
- Check the routing table and ensure routes exist.
- Test connectivity with ping and traceroute.
- Verify that ACLs are not blocking traffic.
Scenario: Interface is down or flapping
- Check physical connections and cable integrity.
- Verify the interface configuration with show interface.
- Shut down and re-enable the interface.
- Test different speed and duplex settings.
Scenario: Unauthorized access attempts or suspicious traffic
- Review logs and use show logging.
- Check ACL configurations and hit counts.
- Verify AAA and TACACS+ settings.
- Implement port security on switches.
Bonus Tips
The following tips can help you manage your Cisco devices more efficiently:
- If you aren’t familiar with Cisco IOS, be sure to take advantage of the context-sensitive help — simply type ? at any point in a command to get suggestions and available
- Save time with command shortcuts and tab completion. For example, type sh run instead of show running-config.
- Use the up and down arrows (or Ctrl+P and Ctrl+N) to quickly access recent commands.
- If you don’t have access to a Cisco router, there are multiple Cisco device simulators available for download that will allow you to practice and become familiar with the commands.
Always make security a top priority:
- Limit who can access your Cisco devices.
- Ensure that all accounts use encrypted long passwords.
- Enforce the principle of least privilege when assigning roles.
- Create access control lists to restrict different traffic origins and types.
- Enable logging and use a third-party monitoring solution to get alerted if your configurations are altered, either accidentally or maliciously.
Related best practices