Cisco IOS is the operating system running on Cisco routers and switches worldwide. This comprehensive IOS cheat sheet provides quick reference for 250+ commands covering command modes, interface configuration, routing protocols (OSPF, EIGRP, BGP), VLANs, ACLs, NAT, spanning tree, and troubleshooting. Essential for network engineers working with Cisco platforms.
Quick Command Reference
| Task | Command |
|---|---|
| Enter privileged mode | enable |
| Enter config mode | configure terminal |
| Save configuration | copy running-config startup-config |
| Show interfaces | show ip interface brief |
| Show routing table | show ip route |
| Show version | show version |
| Show VLANs | show vlan brief |
| Show running config | show running-config |
| Reset to defaults | erase startup-config then reload |
| Show interface status | show interfaces status |
IOS Command Modes
Cisco IOS uses a hierarchical command structure with different modes:
- User EXEC Mode (Router>) - Limited read-only access
- Privileged EXEC Mode (Router#) - Full read access, some commands
- Global Configuration Mode (Router(config)#) - Device-wide configuration
- Interface Configuration Mode (Router(config-if)#) - Interface-specific settings
- Line Configuration Mode (Router(config-line)#) - Console/VTY line settings
- Router Configuration Mode (Router(config-router)#) - Routing protocol settings
Mode Transitions
# User EXEC → Privileged EXEC
Router> enable
Router#
# Privileged EXEC → User EXEC
Router# disable
Router>
# Privileged EXEC → Global Configuration
Router# configure terminal
Router(config)#
# Global Config → Interface Config
Router(config)# interface GigabitEthernet0/0
Router(config-if)#
# Global Config → Line Config
Router(config)# line console 0
Router(config-line)#
# Global Config → Router Config
Router(config)# router ospf 1
Router(config-router)#
# Exit current mode (go back one level)
Router(config-if)# exit
Router(config)#
# Exit to privileged EXEC (from any config mode)
Router(config-if)# end
Router#
# Alternative: Ctrl+Z (from any config mode to privileged EXEC)
Router(config-if)# [Ctrl+Z]
Router#
Command Help
# Show available commands
?
# Show command syntax
command ?
# Complete partial command
Tab
# Show command history
show history
# Recall previous command
Up arrow or Ctrl+P
# Recall next command
Down arrow or Ctrl+N
Basic Configuration
Hostname and Banner
# MODE: Global Configuration (config)#
# Set hostname
hostname ROUTER1
# Set login banner
banner login "Authorized Access Only"
# Set message of the day
banner motd "System Maintenance Tonight"
# Set exec banner
banner exec "Welcome to ROUTER1"
Passwords and Security
# MODE: Global Configuration (config)#
# Set enable password (plaintext)
enable password mypassword
# Set enable secret (stored as a hash; takes precedence over enable password)
enable secret mysecret
# Obfuscate plaintext passwords in the config (type 7, reversible)
service password-encryption
# MODE: Line Configuration (config-line)#
# Set console password
line console 0
password console123
login
# Set VTY password (telnet/ssh)
line vty 0 4
password telnet123
login
# Require local authentication
line vty 0 4
login local
# MODE: Global Configuration (config)#
# Create local user
username admin privilege 15 secret adminpass
# MODE: Line Configuration (config-line)#
# Set console timeout (minutes seconds)
line console 0
exec-timeout 5 0
# Disable timeout
exec-timeout 0 0
Show Commands
System Information
# MODE: Privileged EXEC #
# Show version and system info
show version
# Show running configuration
show running-config
# Show startup configuration
show startup-config
# Show interfaces status
show ip interface brief
# Show detailed interface info
show interfaces
# Show specific interface
show interfaces GigabitEthernet0/0
# Show interface statistics
show interfaces statistics
# Show CDP neighbors
show cdp neighbors
# Show detailed CDP info
show cdp neighbors detail
# Show MAC address table
show mac address-table
# Show ARP table
show arp
# Show system clock
show clock
# Show processes
show processes
# Show memory usage
show memory
# Show flash contents
show flash
# Show inventory
show inventory
Routing Information
# Show routing table
show ip route
# Show specific route
show ip route 192.168.1.0
# Show routing protocols
show ip protocols
# Show OSPF neighbors
show ip ospf neighbor
# Show OSPF database
show ip ospf database
# Show EIGRP neighbors
show ip eigrp neighbors
# Show EIGRP topology
show ip eigrp topology
# Show BGP summary
show ip bgp summary
# Show BGP neighbors
show ip bgp neighbors
VLAN and Trunking
# Show VLAN information
show vlan brief
# Show detailed VLAN info
show vlan
# Show trunk ports
show interfaces trunk
# Show spanning tree
show spanning-tree
# Show VTP status
show vtp status
Interface Configuration
Basic Interface Setup
# MODE: Global Configuration (config)#
# Enter interface configuration mode first
interface GigabitEthernet0/0
# Now in Interface Configuration (config-if)#
# Set IP address
ip address 192.168.1.1 255.255.255.0
# Obtain the interface address via DHCP (DHCP client)
ip address dhcp
# Set description
description Link to ISP
# Enable interface
no shutdown
# Disable interface
shutdown
# Set speed
speed 100
# Set duplex
duplex full
# Configure as access port
switchport mode access
switchport access vlan 10
# Configure as trunk
switchport mode trunk
switchport trunk allowed vlan 10,20,30
Subinterfaces (Router on a Stick)
# Create subinterface
interface GigabitEthernet0/0.10
# Enable 802.1Q encapsulation
encapsulation dot1Q 10
# Set IP for VLAN 10
ip address 192.168.10.1 255.255.255.0
Loopback Interface
# Create loopback
interface Loopback0
ip address 1.1.1.1 255.255.255.255
VLAN Configuration
Creating and Managing VLANs
# MODE: Global Configuration (config)#
# Create VLAN
vlan 10
name SALES
# Delete VLAN
no vlan 10
# Assign interface to VLAN
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
# Set native VLAN on trunk
interface GigabitEthernet0/1
switchport trunk native vlan 99
# Allow specific VLANs on trunk
switchport trunk allowed vlan 10,20,30
# Remove a VLAN from the trunk's allowed list
switchport trunk allowed vlan remove 50
VTP Configuration
# Set VTP mode
vtp mode server
vtp mode client
vtp mode transparent
# Set VTP domain
vtp domain COMPANY
# Set VTP password
vtp password secret123
# Set VTP version
vtp version 2
Routing Configuration
Static Routes
# MODE: Global Configuration (config)#
# Create static route
ip route 192.168.2.0 255.255.255.0 10.1.1.2
# Default route
ip route 0.0.0.0 0.0.0.0 10.1.1.1
# Floating static route (backup)
ip route 192.168.2.0 255.255.255.0 10.1.1.3 10
# Delete static route
no ip route 192.168.2.0 255.255.255.0 10.1.1.2
RIP
# Enable RIP
router rip
# Specify version 2
version 2
# Add network
network 192.168.1.0
# Disable auto-summary
no auto-summary
# Set passive interface
passive-interface GigabitEthernet0/0
OSPF
# Enable OSPF
router ospf 1
# Set router ID
router-id 1.1.1.1
# Add network to area
network 192.168.1.0 0.0.0.255 area 0
# Set passive interface
passive-interface GigabitEthernet0/0
# Set reference bandwidth (for correct cost calculation)
auto-cost reference-bandwidth 10000
# Configure interface cost
interface GigabitEthernet0/0
ip ospf cost 10
# Configure interface priority
ip ospf priority 100
EIGRP
# Enable EIGRP
router eigrp 100
# Add network
network 192.168.1.0 0.0.0.255
# Disable auto-summary
no auto-summary
# Set passive interface
passive-interface GigabitEthernet0/0
# Configure bandwidth for metric calculation
interface Serial0/0/0
bandwidth 1544
Access Control Lists (ACL)
Standard ACL
# Create standard ACL
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
# Named standard ACL
ip access-list standard ALLOW_SALES
permit 192.168.10.0 0.0.0.255
deny any
# Apply to interface (inbound)
interface GigabitEthernet0/0
ip access-group 10 in
# Apply to interface (outbound)
ip access-group 10 out
Extended ACL
# Create extended ACL
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any
# Named extended ACL
ip access-list extended WEB_TRAFFIC
permit tcp 192.168.1.0 0.0.0.255 any eq 80
permit tcp 192.168.1.0 0.0.0.255 any eq 443
deny ip any any
# Apply to interface
interface GigabitEthernet0/1
ip access-group WEB_TRAFFIC in
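How the entries above are evaluated, as an added example that is not part of the original cheat sheet: entries are checked top to bottom, the first match decides, wildcard bits set to 1 are ignored, and a packet that matches nothing hits the implicit deny. The function names are hypothetical and only the `any`, `host`, address/wildcard and `eq` forms are handled.

```python
import ipaddress

# The page's WEB_TRAFFIC entries, in configured order.
WEB_TRAFFIC = [
    "permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "permit tcp 192.168.1.0 0.0.0.255 any eq 443",
    "deny ip any any",
]

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _addr_matches(ip, rule):
    addr, wildcard = rule
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matched entry) using first-match-wins ordering."""
    for entry in acl:
        tokens = entry.split()
        action, rule_proto = tokens.pop(0), tokens.pop(0)
        src_rule, dst_rule = _take_addr(tokens), _take_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        if rule_proto not in ("ip", proto):
            continue
        if not (_addr_matches(src, src_rule) and _addr_matches(dst, dst_rule)):
            continue
        if port is not None and port != dport:
            continue
        return action, entry
    return "deny", "implicit deny"   # every IOS ACL ends with an implicit deny

# Constructed test packets: HTTPS from the permitted subnet, then from another one.
print(evaluate(WEB_TRAFFIC, "tcp", "192.168.1.25", "203.0.113.5", 443))
print(evaluate(WEB_TRAFFIC, "tcp", "192.168.2.25", "203.0.113.5", 443))
```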
Remove ACL
# Remove ACL
no access-list 10
# Remove from interface
interface GigabitEthernet0/0
no ip access-group 10 in
NAT Configuration
Static NAT
# Configure static NAT
ip nat inside source static 192.168.1.10 203.0.113.10
# Mark inside interface
interface GigabitEthernet0/0
ip nat inside
# Mark outside interface
interface GigabitEthernet0/1
ip nat outside
Dynamic NAT
# Define pool of public (inside global) addresses
ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
# Define ACL for inside addresses
access-list 1 permit 192.168.1.0 0.0.0.255
# Configure NAT
ip nat inside source list 1 pool PUBLIC_POOL
# Mark interfaces
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
PAT (NAT Overload)
# Configure PAT with pool
ip nat inside source list 1 pool PUBLIC_POOL overload
# Configure PAT with interface
ip nat inside source list 1 interface GigabitEthernet0/1 overload
# Show NAT translations
show ip nat translations
# Show NAT statistics
show ip nat statistics
# Clear NAT translations
clear ip nat translation *
DHCP Configuration
DHCP Server
# Create DHCP pool
ip dhcp pool LAN_POOL
# Set network
network 192.168.1.0 255.255.255.0
# Set default gateway
default-router 192.168.1.1
# Set DNS server
dns-server 8.8.8.8 8.8.4.4
# Set domain name
domain-name example.com
# Set lease time (days hours minutes)
lease 7 0 0
# Exclude addresses from DHCP
ip dhcp excluded-address 192.168.1.1 192.168.1.10
# Show DHCP bindings
show ip dhcp binding
# Show DHCP statistics
show ip dhcp statistics
DHCP Relay
# Configure interface as DHCP relay
interface GigabitEthernet0/0
ip helper-address 192.168.2.10
SSH Configuration
Enable SSH
# Set hostname
hostname ROUTER1
# Set domain name
ip domain-name example.com
# Generate RSA keys
crypto key generate rsa modulus 2048
# Enable SSH version 2
ip ssh version 2
# Set SSH timeout
ip ssh time-out 60
# Set SSH authentication retries
ip ssh authentication-retries 3
# Configure VTY lines for SSH
line vty 0 4
transport input ssh
login local
# Create user account
username admin privilege 15 secret adminpass
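A check for the access settings from the Passwords and Security and SSH Configuration sections, as an added example that is not part of the original cheat sheet: it flags `enable password`, shared line passwords, disabled idle timeouts, and VTY lines not limited to SSH. It assumes the `show running-config` layout, where sub-commands are indented; both sample configs are constructed and `audit` is a hypothetical name.

```python
import re

# Constructed samples in "show running-config" layout (sub-commands indented).
WEAK = """\
enable password mypassword
line console 0
 password console123
 login
 exec-timeout 0 0
line vty 0 4
 password telnet123
 login
"""

HARDENED = """\
enable secret 9 <hash-placeholder>
username admin privilege 15 secret 9 <hash-placeholder>
ip ssh version 2
line console 0
 login local
 exec-timeout 5 0
line vty 0 4
 transport input ssh
 login local
"""

def audit(config):
    """Return sorted findings for weak access settings in an IOS config."""
    findings, block, blocks = set(), None, {}
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if not raw[0].isspace():                  # top-level command ends a block
            block = cmd if cmd.startswith("line ") else None
            if block:
                blocks[block] = []
        elif block:
            blocks[block].append(cmd)             # sub-command of a "line" block
        if re.match(r"enable password\b", cmd):
            findings.add("enable password set: use 'enable secret'")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.add("SSH version 2 not enforced")
    for name, cmds in blocks.items():
        if "exec-timeout 0 0" in cmds:
            findings.add(f"{name}: idle timeout disabled")
        if "login" in cmds:                       # bare "login" = line password
            findings.add(f"{name}: shared line password (use 'login local')")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.add(f"{name}: not restricted to 'transport input ssh'")
    return sorted(findings)

print("\n".join(audit(WEAK)))
```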
Spanning Tree Protocol
STP Configuration
# Set spanning tree mode
spanning-tree mode rapid-pvst
# Set bridge priority (lower = better)
spanning-tree vlan 1 priority 4096
# Set root bridge
spanning-tree vlan 1 root primary
# Set secondary root
spanning-tree vlan 1 root secondary
# Enable PortFast
interface FastEthernet0/1
spanning-tree portfast
# Enable BPDU guard
spanning-tree bpduguard enable
# Show spanning tree
show spanning-tree
# Show spanning tree for VLAN
show spanning-tree vlan 10
EtherChannel
Create EtherChannel
# Configure interfaces
interface range GigabitEthernet0/1 - 2
# Set channel group (LACP)
channel-group 1 mode active
# Set channel group (PAgP)
channel-group 1 mode desirable
# Set channel group (static)
channel-group 1 mode on
# Configure port-channel interface
interface Port-channel1
switchport mode trunk
# Show EtherChannel
show etherchannel summary
# Show port-channel
show interfaces port-channel 1
Configuration Management
Save and Backup
# Save running config to startup config
copy running-config startup-config
# Shorter version
write memory
# Even shorter
wr
# Copy config to TFTP
copy running-config tftp:
# Copy from TFTP to running
copy tftp: running-config
# Copy from TFTP to startup
copy tftp: startup-config
# Erase startup config
erase startup-config
# Reload device
reload
# Reload without saving (answer "no" when prompted to save the modified configuration)
reload
# Reload at specific time
reload at 23:00
# Reload in X minutes
reload in 30
# Cancel pending reload
reload cancel
Configuration Archive
# Configure archive
archive
path tftp://192.168.1.100/configs/$h-
maximum 14
time-period 1440
# Create archive manually
archive config
VPN Configuration
Site-to-Site IPsec VPN
# MODE: Global Configuration (config)#
# Phase 1 - ISAKMP Policy
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14
lifetime 28800
# Set pre-shared key
crypto isakmp key MySecretKey address 203.0.113.10
# Phase 2 - IPsec Transform Set
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
mode tunnel
# Create crypto ACL (interesting traffic)
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
# Create crypto map
crypto map MYMAP 10 ipsec-isakmp
set peer 203.0.113.10
set transform-set MYSET
match address 100
set pfs group14
# Apply crypto map to interface
interface GigabitEthernet0/1
crypto map MYMAP
# Show VPN status
show crypto isakmp sa
show crypto ipsec sa
show crypto session
GRE over IPsec
# MODE: Global Configuration (config)#
# Create tunnel interface
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 203.0.113.10
tunnel mode gre ip
# Protect GRE tunnel with IPsec
crypto ipsec profile IPSEC-PROFILE
set transform-set MYSET
set pfs group14
interface Tunnel0
tunnel protection ipsec profile IPSEC-PROFILE
Remote Access VPN (Easy VPN Server)
# MODE: Global Configuration (config)#
# Create ISAKMP policy
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 14
# Configure client group
crypto isakmp client configuration group REMOTE-USERS
key RemotePassword
pool VPN-POOL
dns 8.8.8.8 8.8.4.4
domain example.com
# Create address pool
ip local pool VPN-POOL 192.168.100.1 192.168.100.254
# Configure IPsec
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
# Create dynamic crypto map
crypto dynamic-map DYNMAP 10
set transform-set MYSET
# Apply to crypto map
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
# Apply to interface
interface GigabitEthernet0/1
crypto map CLIENTMAP
SD-WAN Configuration
Cisco SD-WAN (Viptela)
# MODE: Global Configuration (config)#
# Configure system settings
system
system-ip 1.1.1.1
site-id 1
organization-name MyCompany
vbond 203.0.113.100
# Configure VPN 0 (transport)
vpn 0
interface ge0/0
ip address 203.0.113.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
# Configure VPN 512 (management)
vpn 512
interface eth0
ip address 192.168.1.1/24
no shutdown
# Configure VPN 1 (LAN)
vpn 1
interface ge0/1
ip address 192.168.10.1/24
no shutdown
# Configure routing in VPN 1
router ospf
area 0
interface ge0/1
# Show SD-WAN status
show sdwan control connections
show sdwan bfd sessions
show sdwan policy
show sdwan ipsec local-sa
show sdwan ipsec outbound-connections
Application-Aware Routing
# Configure SLA class
policy
sla-class VIDEO
loss 1
latency 150
jitter 30
sla-class VOICE
loss 1
latency 100
jitter 20
# Apply policies
apply-policy
site-list BRANCH-SITES
vpn-list SERVICE-VPN
data-policy ROUTING-POLICY
# Show application-aware routing
show app-route stats
show app-route sla-class
Performance Routing (PfR/PIRO)
# MODE: Global Configuration (config)#
# Enable PfR master controller
key chain PFR-KEY
key 1
key-string MyKey
pfr master
border 10.1.1.1 key-chain PFR-KEY
border 10.2.2.1 key-chain PFR-KEY
policy-rules VOICE-POLICY
# Configure on border router
pfr border
master 10.0.0.1 key-chain PFR-KEY
interface GigabitEthernet0/0 external
interface GigabitEthernet0/1 internal
# Show PfR status
show pfr master
show pfr border
show pfr master prefix
show pfr master traffic-classes
Troubleshooting
Debug Commands
# Enable debug
debug ip routing
debug ip ospf events
debug eigrp packets
# Disable specific debug
no debug ip routing
# Disable all debug
undebug all
# Show active debugs
show debugging
Ping and Traceroute
# Ping
ping 192.168.1.1
# Extended ping
ping
# Traceroute
traceroute 192.168.1.1
# Extended traceroute
traceroute
Interface Troubleshooting
# Show interface errors
show interfaces GigabitEthernet0/0 | include error
# Clear interface counters
clear counters GigabitEthernet0/0
# Show interface description
show interfaces description
# Show running config for interface
show running-config interface GigabitEthernet0/0
System Maintenance
Software Management
# Show flash contents
show flash:
# Delete file from flash
delete flash:old-config.cfg
# Format flash (careful!)
format flash:
# Copy IOS to flash from TFTP
copy tftp: flash:
# Set boot system image
boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin
# Show boot configuration
show boot
Time and NTP
# Set clock manually
clock set 14:30:00 10 November 2025
# Configure NTP server
ntp server pool.ntp.org
# Show NTP status
show ntp status
# Show NTP associations
show ntp associations
# Set timezone
clock timezone EST -5
# Enable daylight saving
clock summer-time EDT recurring
Logging
# Enable logging
logging on
# Send logs to syslog server
logging host 192.168.1.100
# Set logging level
logging trap informational
# Log to console
logging console
# Log to buffer
logging buffered 8192
# Show logs
show logging
# Clear logs
clear logging
Port Security
Configure Port Security
# Enable port security
interface FastEthernet0/1
switchport mode access
switchport port-security
# Set maximum MAC addresses
switchport port-security maximum 2
# Set violation action
switchport port-security violation shutdown
switchport port-security violation restrict
switchport port-security violation protect
# Set sticky MAC learning
switchport port-security mac-address sticky
# Manually add secure MAC
switchport port-security mac-address 1234.5678.9abc
# Show port security
show port-security
# Show port security for interface
show port-security interface FastEthernet0/1
# Show secure MAC addresses
show port-security address
Last Updated: March 8, 2026