Enable name lookup
SW1(config)# ip domain-lookup
SW1(config)# ip name-server YOUR.DNS.SERVER.IP
SW1(config)# ip domain name yourDomainName.com
Disable name lookup
SW1(config)# no ip domain-lookup
Give DNS domain name
SW1(config)# ip domain-name example.com
Increase SSH session timeout (e.g. 720 mins = 30 hours and 0 sec)
SW252(config)# line vty 0 4
SW252(config-line)# exec-timeout 720 0
Change History buffer & logging behavior
SW1(config)# line vty 0 4
SW1(config-line)# history size 15
SW1(config-line)# logging synchronous
Prevents breaking your line output especially when typing
SW252(config)# line vty 0 4
SW252(config-line)# logging synchronous
Change hostname
Switch(config)# hostname SW123
Set password (in clear text)
SW1(config)# enable password cisco
Set password (MD5 hash)
SW1(config)# enable secret cisco
Secure console
SW1(config)# line con 0
SW1(config-line)# password cisco
SW1(config-line)# login
Secure terminal lines
SW1(config)# line vty 0 4
SW1(config-line)# password cisco
SW1(config-line)# login
Encrypt password in config
SW1(config)# service password-encryption
Add banners
SW1(config)# banner motd $
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
UNAUTHORIZED ACCESS IS PROHIBITED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$
Give VLAN 192 an IP address
SW1(config)# interface vlan 192
SW1(config-if)# ip address 192.168.1.x 255.255.255.0
Delete vlan 192
SW1(config)# no vlan 192
Set default gateway
SW1(config)# ip default-gateway 192.168.1.1
Save config
SW1# copy running-config startup-config
or
SW1# wr
Set Description, speed, duplex
SW1(config)# interface fastEthernet 0/1
SW1(config-if)# description FIREWALL
SW1(config-if)# speed auto
SW1(config-if)# duplex full
Show RAM, NVRAM, flash, IOS
SW1# show version
Shows current configuration file stored in DRAM
SW1# show running-config
Show configuration in NVRAM used at boot process
SW1# show startup-config
Show commands currently held in the history buffer.
SW1# show history
Shows the public encryption key used for SSH
SW1# show crypto key mypubkey rsa
If interface is configured to get IP address via a dhcp server
SW1# show dhcp lease
Access port and enable security
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 192
SW1(config-if)# switchport port-security
Auxiliary VLAN for cisco IP phones
SW1(config-if)# switchport access vlan 192
SW1(config-if)# switchport voice vlan 10
Trunk
SW1(config)# interface fastEthernet 0/1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan add 192
VTP (transparent mode is used when deactivating VTP)
SW1(config)# vtp mode server
SW1(config)# vtp domain YourDomain.com
SW1(config)# vtp password cisco
SW1(config)# vtp version 2
VTP pruning only works on VTP servers
SW1(config)# vtp pruning
Checklist for VLAN & VTP
SW1# show interfaces trunk
SW1# show vlan
SW1# show vlan brief
SW1# show vlan id 192
SW1# show vlan summary
SW1# show vtp status
SW1# show vtp password
STP (hard code root bridge)
SW1(config)# spanning-tree vlan 192 root primary
SW1(config)# spanning-tree vlan 192 root secondary
SW1(config)# spanning-tree vlan 192 priority 8192
Change STP mode
SW1(config)# spanning-tree mode rapid-pvst
Change STP port cost
SW1(config-if)#spanning-tree vlan 192 cost 25
Portfast and BPDU guard (for end user only)
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable
BPDU guard globally
SW1(config)# spanning-tree portfast bpduguard default
BPDU filter globally (if a PortFast port receives a BPDU, PortFast is disabled on it & STP is re-enabled)
SW1(config)# spanning-tree portfast bpdufilter default
BPDU filter on interface (the port ignores BPDUs, so STP stays disabled on it & PortFast continues, even if a loop forms)
SW1(config-if)# spanning-tree bpdufilter enable
Interfaces into an etherchannel
SW1(config-if)# channel-group 1 mode on
Checklist for STP
SW1# show spanning-tree
SW1# show spanning-tree summary totals
SW1# show spanning-tree interface fa0/2
SW1# show spanning-tree vlan 192
SW1# show spanning-tree vlan 192 root
SW1# show spanning-tree vlan 192 bridge
SW1# show etherchannel 1
SW1# debug spanning-tree events
Set maximum number of allowed MAC addresses
SW1(config-if)# switchport port-security maximum 1
Define action to take when violation occurs [protect,restrict,shutdown]
SW1(config-if)# switchport port-security violation shutdown
Sticky. Dynamically learn MAC
SW1(config-if)#switchport port-security mac-address sticky
Checklist for port security
SW1# show mac-address-table
SW1# show port-security
SW1# show port-security interface fa0/5
Create VLAN
SW1(config)# vlan 10
SW1(config-vlan)# name SALES
CDP (enables globally on a switch)
SW1(config)# cdp run
CDP (disable on a given interface)
SW1(config-if)# no cdp enable
Checklist for CDP
SW1# show cdp
SW1# show cdp interface fa0/2
SW1# show cdp neighbors
SW1# show cdp neighbors detail
SW1# show cdp entry *
SW1# show cdp entry SW2
MSTP
SW1(config)# spanning-tree mode mst
SW1(config)# spanning-tree mst configuration
SW1(config-mst)# revision 1
SW1(config-mst)# name CCNP
SW1(config-mst)# instance 1 vlan 10,20
SW1(config-mst)# instance 2 vlan 30,40
SW1(config-mst)# exit
SW1# show spanning-tree mst
MSTP (Switch A)
SW1(config)# spanning-tree mst 1 root primary
SW1(config)# spanning-tree mst 2 root secondary
MSTP (Switch B)
SW222(config)# spanning-tree mst 2 root primary
SW222(config)# spanning-tree mst 1 root secondary
Basic commands
SW1# show ip interface brief
SW1# show interface vlan 1
SW1# show interfaces description
SW1# show interfaces status
When using non-Cisco SFP
SW1(config)# service unsupported-transceiver
SW1(config)# no errdisable detect cause gbic-invalid
Recover from error in 30 secs
SW1(config)# errdisable recovery interval 30
Enable IP source guard with source IP and MAC filtering
SW(config)# ip source binding xxxx.xxxx.xxxx vlan 192 192.168.32.3 interface gi1/0/13
Disable Service Configuration Error Messages
%Error opening tftp://255.255.255.255/network config
R(config)#no service config
R#copy running-config startup-config
If router is getting IP from DHCP but wish to remove default route provided
R(config-if)# no ip dhcp client request router
One way direction for ACL
ip access-list extended VLAN_139
 permit tcp any 10.123.3.0 0.0.0.255 established
 permit icmp any 10.123.3.0 0.0.0.255 echo-reply
 deny ip any 10.123.3.0 0.0.0.63
 deny ip any 10.123.3.0 0.0.0.255
 deny icmp any 10.123.3.0 0.0.0.255
 permit ip any any log
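Added example, not part of the original cheat sheet: a small Python model of how the VLAN_139 entries above are evaluated (top-down, first match wins, wildcard 0-bits must match), which also reports entries that can never match. The packet dictionaries and function names are illustrative assumptions, and the parser assumes the source is always "any", as it is in this ACL.

```python
import ipaddress

# Entries of VLAN_139 exactly as listed on the page; they are checked top-down.
ACL = """\
permit tcp any 10.123.3.0 0.0.0.255 established
permit icmp any 10.123.3.0 0.0.0.255 echo-reply
deny ip any 10.123.3.0 0.0.0.63
deny ip any 10.123.3.0 0.0.0.255
deny icmp any 10.123.3.0 0.0.0.255
permit ip any any log
"""

def parse(line):
    # Handles only the shapes used above (assumption: source is always "any").
    t = line.split()
    dst = ["0.0.0.0", "255.255.255.255"] if t[3] == "any" else t[3:5]
    rest = t[4:] if t[3] == "any" else t[5:]
    net, wild = (int(ipaddress.ip_address(x)) for x in dst)
    opt = next((o for o in rest if o != "log"), None)
    return dict(text=line, action=t[0], proto=t[1], net=net, wild=wild, opt=opt)

ENTRIES = [parse(l) for l in ACL.splitlines()]

def matches(e, pkt):
    dst = int(ipaddress.ip_address(pkt["dst"]))
    if e["proto"] not in ("ip", pkt["proto"]) or (dst ^ e["net"]) & ~e["wild"] & 0xFFFFFFFF:
        return False                                  # protocol or wildcard 0-bits differ
    if e["opt"] == "established":                     # TCP segment with ACK or RST set
        return bool({"ACK", "RST"} & set(pkt.get("flags", ())))
    if e["opt"] == "echo-reply":                      # ICMP type 0
        return pkt.get("icmp_type") == 0
    return True

def evaluate(pkt):
    # First match wins; anything unmatched hits the implicit deny.
    hit = next((e for e in ENTRIES if matches(e, pkt)), None)
    return (hit["action"], hit["text"]) if hit else ("deny", "implicit deny")

def covers(p, e):
    # True when earlier entry p matches every packet that e could match.
    care = ~p["wild"] & 0xFFFFFFFF
    return (p["proto"] in ("ip", e["proto"]) and p["opt"] is None
            and (e["wild"] & care) == 0 and ((e["net"] ^ p["net"]) & care) == 0)

def shadowed():
    # Entries that can never match because an earlier entry always hits first.
    return [e["text"] for i, e in enumerate(ENTRIES)
            if any(covers(p, e) for p in ENTRIES[:i])]
```

For this ACL, shadowed() reports "deny icmp any 10.123.3.0 0.0.0.255", because the preceding "deny ip" entry for the same range already matches all ICMP sent to it.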
Allow Traceroute (Linux, Cisco, Windows)
permit icmp any any
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any echo-reply
Console login password
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
Enable password (unencrypted in config)
R1(config)#enable password cisco
Enable secret password (encrypted in config and takes precedence)
R1(config)#enable secret cisco
Encrypt all passwords in config
R1(config)#service password-encryption
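Added example (not from the original page): a Python check over a saved configuration for the password commands listed in this section and in the switch section earlier, flagging credentials stored as cleartext or type 7, an enable password left beside an enable secret, and long idle timeouts. The sample configuration is constructed, its hash-like values are placeholders, and the 15-minute idle limit is an assumed policy value.

```python
import re

MAX_IDLE_MIN = 15  # assumed policy threshold, not a value from the page

# Constructed running-config excerpt; hash-like values are made-up placeholders.
SAMPLE = """\
enable secret 5 $1$salt$CONSTRUCTEDPLACEHOLDERHASH
enable password 7 0123456789AB
line con 0
 password cisco
 login
line vty 0 4
 exec-timeout 720 0
 password 7 0123456789AB
 login
"""

WEAK = {"0": "cleartext", "7": "type 7 (reversible obfuscation)"}

def weak_storage(args):
    # "password cisco" carries no type digit and is stored as typed (type 0);
    # hashed forms such as "secret 5 $1$..." are not reported.
    m = re.match(r"(\d+)\s+\S+$", args)
    return WEAK.get(m.group(1) if m else "0")

def audit(config):
    lines = config.splitlines()
    has_secret = any(l.startswith("enable secret ") for l in lines)
    findings, ctx = [], "global"
    for line in lines:
        if not line.startswith(" "):          # top-level command: track "line ..." blocks
            ctx = line if line.startswith("line ") else "global"
        cmd = line.strip()
        m = re.match(r"(enable password|enable secret|password) (.+)", cmd)
        how = weak_storage(m.group(2)) if m else None
        if how:
            findings.append((ctx, f"{m.group(1)} stored as {how}"))
        if cmd.startswith("enable password ") and has_secret:
            findings.append((ctx, "enable password is superseded by enable secret; remove it"))
        t = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if t:
            mins, secs = int(t.group(1)), int(t.group(2) or 0)
            # "exec-timeout 0 0" means the session never times out.
            if (mins, secs) == (0, 0) or mins * 60 + secs > MAX_IDLE_MIN * 60:
                findings.append((ctx, f"exec-timeout {mins} {secs} exceeds {MAX_IDLE_MIN} min idle limit"))
    return findings

if __name__ == "__main__":
    for where, what in audit(SAMPLE):
        print(f"{where}: {what}")
```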
Redistribute
router eigrp 1234
 network 1.1.1.1 0.0.0.0
 network 12.0.0.0
 network 13.0.0.0
 redistribute ospf 1 metric 1000000 1 255 1 1500 route-map RM-OSPF->EIGRP
router ospf 1
 redistribute eigrp 1234 metric-type 1 subnets route-map RM-EIGRP->OSPF
 network 1.1.1.1 0.0.0.0 area 0
 network 157.157.157.0 0.0.0.255 area 0