Common Cisco commands and settings

Enable name lookup

SW1(config)# ip domain-lookup
SW1(config)# ip name-server YOUR.DNS.SERVER.IP
SW1(config)# ip domain name yourDomainName.com

Disable name lookup

SW1(config)# no ip domain-lookup

Give DNS domain name

SW1(config)# ip domain-name example.com

Increase SSH session timeout (e.g. 720 mins = 12 hours and 0 sec)

SW252(config)# line vty 0 4
SW252(config-line)# exec-timeout 720 0

Change History buffer & logging behavior

SW1(config)# line vty 0 4
SW1(config-line)# history size 15
SW1(config-line)# logging synchronous

Prevent log messages from breaking up your input line while you are typing

SW252(config)# line vty 0 4
SW252(config-line)# logging synchronous

Change hostname

Switch(config)# hostname SW123

Set password (in clear text)

SW1(config)# enable password cisco

Set password (MD5 hash)

SW1(config)# enable secret cisco

Secure console

SW1(config)# line con 0
SW1(config-line)# password cisco
SW1(config-line)# login

Secure terminal lines

SW1(config)# line vty 0 4
SW1(config-line)# password cisco
SW1(config-line)# login

Encrypt password in config

SW1(config)# service password-encryption

Add banners

SW1(config)# banner motd $
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
UNAUTHORIZED ACCESS IS PROHIBITED 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
$

Give VLAN 192 an IP address

SW1(config)# interface vlan 192
SW1(config-if)# ip address 192.168.1.x 255.255.255.0

Delete vlan 192

SW1(config)# no vlan 192

Set default gateway

SW1(config)# ip default-gateway 192.168.1.1

Save config

SW1# copy running-config startup-config
or
SW1# wr

Set Description, speed, duplex

SW1(config)# interface fastEthernet 0/1
SW1(config-if)# description FIREWALL
SW1(config-if)# speed auto
SW1(config-if)# duplex full

Show RAM, NVRAM, flash, IOS

SW1# show version

Shows current configuration file stored in DRAM

SW1# show running-config

Show configuration in NVRAM used at boot process

SW1# show startup-config

Show commands currently held in the history buffer.

SW1# show history

Shows the public encryption key used for SSH

SW1# show crypto key mypubkey rsa

Show the DHCP lease (if the interface is configured to get its IP address from a DHCP server)

SW1# show dhcp lease

Access port and enable security

SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 192
SW1(config-if)# switchport port-security

Auxiliary VLAN for Cisco IP phones

SW1(config-if)# switchport access vlan 192
SW1(config-if)# switchport voice vlan 10

Trunk

SW1(config)# interface fastEthernet 0/1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan add 192

VTP (transparent mode is used when deactivating VTP)

SW1(config)# vtp mode server
SW1(config)# vtp domain YourDomain.com
SW1(config)# vtp password cisco
SW1(config)# vtp version 2

VTP pruning only works on VTP servers

SW1(config)# vtp pruning

Checklist for VLAN & VTP

SW1# show interfaces trunk
SW1# show vlan
SW1# show vlan brief
SW1# show vlan id 192
SW1# show vlan summary
SW1# show vtp status
SW1# show vtp password

STP (hard code root bridge)

SW1(config)# spanning-tree vlan 192 root primary
SW1(config)# spanning-tree vlan 192 root secondary
SW1(config)# spanning-tree vlan 192 priority 8192

Change STP mode

SW1(config)# spanning-tree mode rapid-pvst

Change STP port cost

SW1(config-if)# spanning-tree vlan 192 cost 25

Portfast and BPDU guard (for end-user ports only)

SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable

BPDU guard globally

SW1(config)# spanning-tree portfast bpduguard default

BPDU filter globally (when a loop is detected, PortFast is disabled and STP is re-enabled)

SW1(config)# spanning-tree portfast bpdufilter default

BPDU filter on interface (when a loop is detected, STP is disabled and PortFast continues)

SW1(config-if)# spanning-tree bpdufilter enable

Interfaces into an etherchannel

SW1(config-if)# channel-group 1 mode on

Checklist for STP

SW1# show spanning-tree
SW1# show spanning-tree summary totals
SW1# show spanning-tree interface fa0/2
SW1# show spanning-tree vlan 192
SW1# show spanning-tree vlan 192 root
SW1# show spanning-tree vlan 192 bridge
SW1# show etherchannel 1
SW1# debug spanning-tree events

Set maximum number of allowed MAC addresses

SW1(config-if)# switchport port-security maximum 1

Define action to take when violation occurs [protect,restrict,shutdown]

SW1(config-if)# switchport port-security violation shutdown

Sticky. Dynamically learn MAC

SW1(config-if)# switchport port-security mac-address sticky

Checklist for port security

SW1# show mac-address-table
SW1# show port-security
SW1# show port-security interface fa0/5

Create VLAN

SW1(config)# vlan 10
SW1(config-vlan)# name SALES

CDP (enables globally on a switch)

SW1(config)# cdp run

CDP (disable on a given interface)

SW1(config-if)# no cdp enable

Checklist for CDP

SW1# show cdp
SW1# show cdp interface fa0/2
SW1# show cdp neighbors
SW1# show cdp neighbors detail
SW1# show cdp entry *
SW1# show cdp entry SW2

MSTP

SW1(config)# spanning-tree mode mst
SW1(config)# spanning-tree mst configuration
SW1(config-mst)# revision 1
SW1(config-mst)# name CCNP
SW1(config-mst)# instance 1 vlan 10,20
SW1(config-mst)# instance 2 vlan 30,40
SW1(config-mst)# exit
SW1# show spanning-tree mst

MSTP (Switch A)

SW1(config)# spanning-tree mst 1 root primary
SW1(config)# spanning-tree mst 2 root secondary

MSTP (Switch B)

SW222(config)# spanning-tree mst 2 root primary
SW222(config)# spanning-tree mst 1 root secondary

Basic commands

SW1# show ip interface brief
SW1# show interface vlan 1
SW1# show interfaces description
SW1# show interfaces status

When using non-Cisco SFP

SW1(config)# service unsupported-transceiver
SW1(config)# no errdisable detect cause gbic-invalid

Recover from error in 30 secs

SW1(config)# errdisable recovery interval 30

Enable IP source guard with source IP and MAC filtering

SW(config)# ip source binding xxxx.xxxx.xxxx vlan 192 192.168.32.3 interface gi1/0/13

Disable Service Configuration Error Messages

%Error opening tftp://255.255.255.255/network config

R(config)#no service config
R#copy running-config startup-config

If the router gets its IP address from DHCP but you want to remove the default route the server provides

R(config-if)# no ip dhcp client request router

One-way (unidirectional) ACL

ip access-list extended VLAN_139
permit tcp any 10.123.3.0 0.0.0.255 established
permit icmp any 10.123.3.0 0.0.0.255 echo-reply
deny ip any 10.123.3.0 0.0.0.63
deny ip any 10.123.3.0 0.0.0.255
deny icmp any 10.123.3.0 0.0.0.255
permit ip any any log

Allow Traceroute (Linux, Cisco, Windows)

permit icmp any any
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any echo-reply
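
ACLs are evaluated top-down and the first matching entry wins, so an entry fully covered by an earlier one never fires. The check below is an added example (not from the original page) that looks for such shadowed entries in the two ACLs above; it assumes entries of the form action, protocol, source, destination, optional qualifiers, with no port operator between source and destination.

```python
import ipaddress

VLAN_139 = [  # both ACLs are copied from this page as written
    "permit tcp any 10.123.3.0 0.0.0.255 established",
    "permit icmp any 10.123.3.0 0.0.0.255 echo-reply",
    "deny ip any 10.123.3.0 0.0.0.63",
    "deny ip any 10.123.3.0 0.0.0.255",
    "deny icmp any 10.123.3.0 0.0.0.255",
    "permit ip any any log",
]
TRACEROUTE = [
    "permit icmp any any",
    "permit icmp any any ttl-exceeded",
    "permit icmp any any port-unreachable",
    "permit icmp any any echo-reply",
]

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (address, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)              # every bit is "don't care"
    if first == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_ace(line):
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = take_addr(tokens), take_addr(tokens)
    quals = tuple(t for t in tokens if t != "log")   # 'log' does not affect matching
    return {"action": action, "proto": proto, "src": src, "dst": dst, "quals": quals}

def addr_covers(a, b):
    """True if address/wildcard pair a matches every address that b matches."""
    care = ~a[1] & 0xFFFFFFFF                # bits that a actually compares
    return (b[1] & care) == 0 and ((a[0] ^ b[0]) & care) == 0

def covers(a, b):  # True if ACE a matches every packet that ACE b matches
    return (a["proto"] in ("ip", b["proto"])
            and (not a["quals"] or a["quals"] == b["quals"])
            and addr_covers(a["src"], b["src"]) and addr_covers(a["dst"], b["dst"]))

def shadowed(acl_lines):
    """Return 1-based (entry, earlier entry that always matches first) pairs."""
    aces = [parse_ace(line) for line in acl_lines]
    firsts = [next((j for j in range(i) if covers(aces[j], a)), None)
              for i, a in enumerate(aces)]
    return [(i + 1, j + 1) for i, j in enumerate(firsts) if j is not None]
```

For VLAN_139 it reports entry 5 (deny icmp) as shadowed by entry 4 (deny ip). For the traceroute list it reports entries 2 to 4 as shadowed by entry 1, which already permits every ICMP type.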

Console login password

R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login

Enable password (unencrypted in config)

R1(config)#enable password cisco

Enable secret password (encrypted in config and takes precedence)

R1(config)#enable secret cisco

Encrypt all passwords in config

R1(config)#service password-encryption
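
A small check over a saved running-config for the password and line settings shown here and in the switch section earlier on the page (added example, not part of the original page). The sample config and its hash placeholder are constructed, and the 30-minute timeout threshold is an assumed policy value.

```python
import re

# Constructed sample in running-config layout, using the settings from this page.
SAMPLE = """\
enable password cisco
enable secret 5 <constructed-hash>
line con 0
 password cisco
 login
line vty 0 4
 exec-timeout 720 0
 password cisco
 login
"""

def stanzas(config_text):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    out = []
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line[0] == " " and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(config_text, max_timeout_min=30):  # 30 is an assumed policy value
    """Return findings for the password and line settings shown on this page."""
    parsed = stanzas(config_text)
    headers = [h for h, _ in parsed]
    findings = []
    if any(h.startswith("enable password") for h in headers):
        shadow = any(h.startswith("enable secret") for h in headers)
        findings.append("enable password present" +
                        (", unused because enable secret wins" if shadow else ""))
    if "service password-encryption" not in headers:
        findings.append("service password-encryption missing")
    for header, body in (s for s in parsed if s[0].startswith("line ")):
        if "login" in body and any(b.startswith("password ") for b in body):
            findings.append(f"{header}: shared line password")
        for b in body:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", b)
            if m and (int(m.group(1)), int(m.group(2) or 0)) == (0, 0):
                findings.append(f"{header}: exec-timeout disabled")
            elif m and int(m.group(1)) > max_timeout_min:
                findings.append(f"{header}: exec-timeout {m.group(1)} min")
    return findings
```

On the sample it reports the redundant enable password, the missing service password-encryption, the shared password on both lines, and the 720-minute timeout on the VTY lines.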

Redistribute

router eigrp 1234
 network 1.1.1.1 0.0.0.0
 network 12.0.0.0
 network 13.0.0.0
 redistribute ospf 1 metric 1000000 1 255 1 1500 route-map RM-OSPF->EIGRP
router ospf 1
 redistribute eigrp 1234 metric-type 1 subnets route-map RM-EIGRP->OSPF
 network 1.1.1.1 0.0.0.0 area 0
 network 157.157.157.0 0.0.0.255 area 0
