Cisco IOS

November 10, 2025

Essential Cisco IOS commands

Essential commands for Cisco IOS routers and switches.

IOS Command Modes

Cisco IOS uses a hierarchical command structure with different modes:

  • User EXEC Mode (Router>) - Limited read-only access
  • Privileged EXEC Mode (Router#) - Full read access and operational commands; entry point to configuration
  • Global Configuration Mode (Router(config)#) - Device-wide configuration
  • Interface Configuration Mode (Router(config-if)#) - Interface-specific settings
  • Line Configuration Mode (Router(config-line)#) - Console/VTY line settings
  • Router Configuration Mode (Router(config-router)#) - Routing protocol settings

Mode Transitions

# User EXEC → Privileged EXEC
Router> enable
Router#

# Privileged EXEC → User EXEC
Router# disable
Router>

# Privileged EXEC → Global Configuration
Router# configure terminal
Router(config)#

# Global Config → Interface Config
Router(config)# interface GigabitEthernet0/0
Router(config-if)#

# Global Config → Line Config
Router(config)# line console 0
Router(config-line)#

# Global Config → Router Config
Router(config)# router ospf 1
Router(config-router)#

# Exit current mode (go back one level)
Router(config-if)# exit
Router(config)#

# Exit to privileged EXEC (from any config mode)
Router(config-if)# end
Router#

# Alternative: Ctrl+Z (from any config mode to privileged EXEC)
Router(config-if)# [Ctrl+Z]
Router#

Command Help

# Show available commands
?

# Show command syntax
command ?

# Complete partial command
Tab

# Show command history
show history

# Recall previous command
Up arrow or Ctrl+P

# Recall next command
Down arrow or Ctrl+N

Basic Configuration

Hostname and Banner

# MODE: Global Configuration (config)#

# Set hostname
hostname ROUTER1

# Set login banner
banner login "Authorized Access Only"

# Set message of the day
banner motd "System Maintenance Tonight"

# Set exec banner
banner exec "Welcome to ROUTER1"

Passwords and Security

# MODE: Global Configuration (config)#

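# Set enable password (stored in plaintext; ignored when enable secret is also set)
enable password mypassword

# Set enable secret (stored as a one-way hash)
enable secret mysecret

# Obfuscate plaintext passwords in the config (type 7, a reversible encoding)
service password-encryption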

# MODE: Line Configuration (config-line)#
# Set console password
line console 0
password console123
login

# Set VTY password (telnet/ssh)
line vty 0 4
password telnet123
login

# Require local authentication
line vty 0 4
login local

# MODE: Global Configuration (config)#
# Create local user
username admin privilege 15 secret adminpass

# MODE: Line Configuration (config-line)#
# Set console timeout (minutes seconds)
line console 0
exec-timeout 5 0

# Disable timeout (idle sessions are never closed)
exec-timeout 0 0

Show Commands

System Information

# MODE: Privileged EXEC #

# Show version and system info
show version

# Show running configuration
show running-config

# Show startup configuration
show startup-config

# Show interfaces status
show ip interface brief

# Show detailed interface info
show interfaces

# Show specific interface
show interfaces GigabitEthernet0/0

# Show interface statistics
show interfaces statistics

# Show CDP neighbors
show cdp neighbors

# Show detailed CDP info
show cdp neighbors detail

# Show MAC address table
show mac address-table

# Show ARP table
show arp

# Show system clock
show clock

# Show processes
show processes

# Show memory usage
show memory

# Show flash contents
show flash

# Show inventory
show inventory

Routing Information

# Show routing table
show ip route

# Show specific route
show ip route 192.168.1.0

# Show routing protocols
show ip protocols

# Show OSPF neighbors
show ip ospf neighbor

# Show OSPF database
show ip ospf database

# Show EIGRP neighbors
show ip eigrp neighbors

# Show EIGRP topology
show ip eigrp topology

# Show BGP summary
show ip bgp summary

# Show BGP neighbors
show ip bgp neighbors

VLAN and Trunking

# Show VLAN information
show vlan brief

# Show detailed VLAN info
show vlan

# Show trunk ports
show interfaces trunk

# Show spanning tree
show spanning-tree

# Show VTP status
show vtp status

Interface Configuration

Basic Interface Setup

# MODE: Global Configuration (config)#
# Enter interface configuration mode first
interface GigabitEthernet0/0
# Now in Interface Configuration (config-if)#

# Set IP address
ip address 192.168.1.1 255.255.255.0

# Obtain the interface address via DHCP (DHCP client)
ip address dhcp

# Set description
description Link to ISP

# Enable interface
no shutdown

# Disable interface
shutdown

# Set speed
speed 100

# Set duplex
duplex full

# Configure as access port
switchport mode access
switchport access vlan 10

# Configure as trunk
switchport mode trunk
switchport trunk allowed vlan 10,20,30

Subinterfaces (Router on a Stick)

# Create subinterface
interface GigabitEthernet0/0.10

# Enable 802.1Q encapsulation
encapsulation dot1Q 10

# Set IP for VLAN 10
ip address 192.168.10.1 255.255.255.0

Loopback Interface

# Create loopback
interface Loopback0
ip address 1.1.1.1 255.255.255.255

VLAN Configuration

Creating and Managing VLANs

# MODE: Global Configuration (config)#

# Create VLAN
vlan 10
name SALES

# Delete VLAN
no vlan 10

# Assign interface to VLAN
interface FastEthernet0/1
switchport mode access
switchport access vlan 10

# Set native VLAN on trunk
interface GigabitEthernet0/1
switchport trunk native vlan 99

# Allow specific VLANs on trunk
switchport trunk allowed vlan 10,20,30

# Remove a VLAN from the trunk's allowed list
switchport trunk allowed vlan remove 50

VTP Configuration

# Set VTP mode (choose one)
vtp mode server
vtp mode client
vtp mode transparent

# Set VTP domain
vtp domain COMPANY

# Set VTP password
vtp password secret123

# Set VTP version
vtp version 2

Routing Configuration

Static Routes

# MODE: Global Configuration (config)#

# Create static route
ip route 192.168.2.0 255.255.255.0 10.1.1.2

# Default route
ip route 0.0.0.0 0.0.0.0 10.1.1.1

# Floating static route (backup; trailing 10 is the administrative distance)
ip route 192.168.2.0 255.255.255.0 10.1.1.3 10

# Delete static route
no ip route 192.168.2.0 255.255.255.0 10.1.1.2

RIP

# Enable RIP
router rip

# Specify version 2
version 2

# Add network
network 192.168.1.0

# Disable auto-summary
no auto-summary

# Set passive interface
passive-interface GigabitEthernet0/0

OSPF

# Enable OSPF
router ospf 1

# Set router ID
router-id 1.1.1.1

# Add network to area
network 192.168.1.0 0.0.0.255 area 0

# Set passive interface
passive-interface GigabitEthernet0/0

# Set reference bandwidth (for correct cost calculation)
auto-cost reference-bandwidth 10000

# Configure interface cost
interface GigabitEthernet0/0
ip ospf cost 10

# Configure interface priority
ip ospf priority 100

EIGRP

# Enable EIGRP
router eigrp 100

# Add network
network 192.168.1.0 0.0.0.255

# Disable auto-summary
no auto-summary

# Set passive interface
passive-interface GigabitEthernet0/0

# Configure bandwidth for metric calculation
interface Serial0/0/0
bandwidth 1544

Access Control Lists (ACL)

Standard ACL

# Create standard ACL
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any

# Named standard ACL
ip access-list standard ALLOW_SALES
permit 192.168.10.0 0.0.0.255
deny any

# Apply to interface (inbound)
interface GigabitEthernet0/0
ip access-group 10 in

# Apply to interface (outbound)
ip access-group 10 out

Extended ACL

# Create extended ACL
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any

# Named extended ACL
ip access-list extended WEB_TRAFFIC
permit tcp 192.168.1.0 0.0.0.255 any eq 80
permit tcp 192.168.1.0 0.0.0.255 any eq 443
deny ip any any

# Apply to interface
interface GigabitEthernet0/1
ip access-group WEB_TRAFFIC in
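
How IOS evaluates the numbered ACL above, as an added example that is not part of the original page: wildcard bits set to 1 are ignored, the first matching entry wins, and a packet that matches nothing is dropped by the implicit deny. The parser handles only the entry forms used on this page (`any`, `host`, address plus wildcard, optional `eq` port); the function names are this example's own.

```python
import ipaddress

# ACL 100 exactly as listed on this page.
ACL_100 = """\
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_ace(line):
    tokens = line.split()[2:]              # drop 'access-list <number>'
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _addr_match(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return (_ip(addr) | wildcard) == (base | wildcard)

def evaluate(acl_text, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in filter(str.strip, acl_text.splitlines()):
        action, ace_proto, ace_src, ace_dst, ace_port = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if not (_addr_match(src, ace_src) and _addr_match(dst, ace_dst)):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"                          # nothing matched: implicit deny

if __name__ == "__main__":
    # Constructed test packets (documentation and private addresses).
    print(evaluate(ACL_100, "tcp", "192.168.1.25", "203.0.113.5", 443))
    print(evaluate(ACL_100, "udp", "192.168.1.25", "8.8.8.8", 53))
```

The second packet shows a side effect worth checking before applying this ACL inbound: DNS queries from 192.168.1.0/24 are denied along with everything else that is not TCP 80 or 443.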

Remove ACL

# Remove ACL
no access-list 10

# Remove from interface
interface GigabitEthernet0/0
no ip access-group 10 in

NAT Configuration

Static NAT

# Configure static NAT
ip nat inside source static 192.168.1.10 203.0.113.10

# Mark inside interface
interface GigabitEthernet0/0
ip nat inside

# Mark outside interface
interface GigabitEthernet0/1
ip nat outside

Dynamic NAT

# Define pool of public (inside global) addresses
ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0

# Define ACL for inside addresses
access-list 1 permit 192.168.1.0 0.0.0.255

# Configure NAT
ip nat inside source list 1 pool PUBLIC_POOL

# Mark interfaces
interface GigabitEthernet0/0
ip nat inside

interface GigabitEthernet0/1
ip nat outside

PAT (NAT Overload)

# Configure PAT with pool
ip nat inside source list 1 pool PUBLIC_POOL overload

# Configure PAT with interface
ip nat inside source list 1 interface GigabitEthernet0/1 overload

# Show NAT translations
show ip nat translations

# Show NAT statistics
show ip nat statistics

# Clear NAT translations
clear ip nat translation *

DHCP Configuration

DHCP Server

# Create DHCP pool
ip dhcp pool LAN_POOL

# Set network
network 192.168.1.0 255.255.255.0

# Set default gateway
default-router 192.168.1.1

# Set DNS server
dns-server 8.8.8.8 8.8.4.4

# Set domain name
domain-name example.com

# Set lease time (days hours minutes)
lease 7 0 0

# Exclude addresses from DHCP (global configuration command, not a pool sub-command)
ip dhcp excluded-address 192.168.1.1 192.168.1.10

# Show DHCP bindings
show ip dhcp binding

# Show DHCP statistics
show ip dhcp statistics

DHCP Relay

# Configure interface as DHCP relay
interface GigabitEthernet0/0
ip helper-address 192.168.2.10

SSH Configuration

Enable SSH

# Set hostname
hostname ROUTER1

# Set domain name
ip domain-name example.com

# Generate RSA keys
crypto key generate rsa modulus 2048

# Enable SSH version 2
ip ssh version 2

# Set SSH timeout
ip ssh time-out 60

# Set SSH authentication retries
ip ssh authentication-retries 3

# Configure VTY lines for SSH
line vty 0 4
transport input ssh
login local

# Create user account
username admin privilege 15 secret adminpass
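
A review check for the settings in "Passwords and Security" and "Enable SSH", as an added example that is not part of the original page: it scans a saved running-config for `enable password`, `exec-timeout 0 0`, line-password `login`, and VTY ranges without an explicit `transport input ssh`. The sample config is constructed, and the finding codes and function names are this example's own.

```python
# Constructed sample (not from a real device), built from this page's commands.
SAMPLE_CONFIG = """\
enable password mypassword
line console 0
 exec-timeout 0 0
 password console123
 login
line vty 0 4
 password telnet123
 login
line vty 5 15
 exec-timeout 5 0
 login local
 transport input ssh
"""

ADVICE = {
    "ENABLE_PASSWORD": "remove 'enable password'; keep only 'enable secret'",
    "NO_IDLE_TIMEOUT": "'exec-timeout 0 0' never closes idle sessions",
    "LINE_PASSWORD_LOGIN": "shared line password; use 'login local'",
    "VTY_NOT_SSH_ONLY": "no explicit 'transport input ssh' on this VTY range",
}

def split_sections(config):
    """Group indented sub-commands under their parent line, as IOS prints them."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit(config):
    """Return (location, finding code) pairs for the weak settings in ADVICE."""
    findings = []
    for parent, children in split_sections(config):
        if parent.startswith("enable password "):
            findings.append(("global", "ENABLE_PASSWORD"))
        if not parent.startswith("line "):
            continue
        if "exec-timeout 0 0" in children:
            findings.append((parent, "NO_IDLE_TIMEOUT"))
        if "login" in children:
            findings.append((parent, "LINE_PASSWORD_LOGIN"))
        if parent.startswith("line vty") and "transport input ssh" not in children:
            findings.append((parent, "VTY_NOT_SSH_ONLY"))
    return findings

if __name__ == "__main__":
    for where, code in audit(SAMPLE_CONFIG):
        print(f"{where}: {code}: {ADVICE[code]}")
```

The default VTY transport differs between IOS releases and does not appear in the running-config, so the last check reports only that the restriction is not stated explicitly.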

Spanning Tree Protocol

STP Configuration

# Set spanning tree mode
spanning-tree mode rapid-pvst

# Set bridge priority (lower = better)
spanning-tree vlan 1 priority 4096

# Set root bridge
spanning-tree vlan 1 root primary

# Set secondary root
spanning-tree vlan 1 root secondary

# Enable PortFast
interface FastEthernet0/1
spanning-tree portfast

# Enable BPDU guard
spanning-tree bpduguard enable

# Show spanning tree
show spanning-tree

# Show spanning tree for VLAN
show spanning-tree vlan 10

EtherChannel

Create EtherChannel

# Configure interfaces
interface range GigabitEthernet0/1 - 2

# Set channel group (LACP)
channel-group 1 mode active

# Set channel group (PAgP)
channel-group 1 mode desirable

# Set channel group (static)
channel-group 1 mode on

# Configure port-channel interface
interface Port-channel1
switchport mode trunk

# Show EtherChannel
show etherchannel summary

# Show port-channel
show interfaces port-channel 1

Configuration Management

Save and Backup

# Save running config to startup config
copy running-config startup-config

# Shorter version
write memory

# Even shorter
wr

# Copy config to TFTP
copy running-config tftp:

# Copy from TFTP to running
copy tftp: running-config

# Copy from TFTP to startup
copy tftp: startup-config

# Erase startup config
erase startup-config

# Reload device
reload

# Reload without saving (answer "no" at the save prompt)
reload

# Reload at specific time
reload at 23:00

# Reload in X minutes
reload in 30

# Cancel pending reload
reload cancel

Configuration Archive

# Configure archive
archive
path tftp://192.168.1.100/configs/$h-
maximum 14
time-period 1440

# Create archive manually
archive config

VPN Configuration

Site-to-Site IPsec VPN

# MODE: Global Configuration (config)#

# Phase 1 - ISAKMP Policy
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14
lifetime 28800

# Set pre-shared key
crypto isakmp key MySecretKey address 203.0.113.10

# Phase 2 - IPsec Transform Set
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
mode tunnel

# Create crypto ACL (interesting traffic)
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

# Create crypto map
crypto map MYMAP 10 ipsec-isakmp
set peer 203.0.113.10
set transform-set MYSET
match address 100
set pfs group14

# Apply crypto map to interface
interface GigabitEthernet0/1
crypto map MYMAP

# Show VPN status
show crypto isakmp sa
show crypto ipsec sa
show crypto session

GRE over IPsec

# MODE: Global Configuration (config)#

# Create tunnel interface
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 203.0.113.10
tunnel mode gre ip

# Protect GRE tunnel with IPsec
crypto ipsec profile IPSEC-PROFILE
set transform-set MYSET
set pfs group14

interface Tunnel0
tunnel protection ipsec profile IPSEC-PROFILE

Remote Access VPN (Easy VPN Server)

# MODE: Global Configuration (config)#

# Create ISAKMP policy
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 14

# Configure client group
crypto isakmp client configuration group REMOTE-USERS
key RemotePassword
pool VPN-POOL
dns 8.8.8.8 8.8.4.4
domain example.com

# Create address pool
ip local pool VPN-POOL 192.168.100.1 192.168.100.254

# Configure IPsec
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac

# Create dynamic crypto map
crypto dynamic-map DYNMAP 10
set transform-set MYSET

# Apply to crypto map
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

# Apply to interface
interface GigabitEthernet0/1
crypto map CLIENTMAP

SD-WAN Configuration

Cisco SD-WAN (Viptela)

# MODE: Global Configuration (config)#

# Configure system settings
system
system-ip 1.1.1.1
site-id 1
organization-name MyCompany
vbond 203.0.113.100

# Configure VPN 0 (transport)
vpn 0
interface ge0/0
ip address 203.0.113.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all

# Configure VPN 512 (management)
vpn 512
interface eth0
ip address 192.168.1.1/24
no shutdown

# Configure VPN 1 (LAN)
vpn 1
interface ge0/1
ip address 192.168.10.1/24
no shutdown

# Configure routing in VPN 1
router ospf
area 0
interface ge0/1

# Show SD-WAN status
show sdwan control connections
show sdwan bfd sessions
show sdwan policy
show sdwan ipsec local-sa
show sdwan ipsec outbound-connections

Application-Aware Routing

# Configure SLA class
policy
sla-class VIDEO
loss 1
latency 150
jitter 30

sla-class VOICE
loss 1
latency 100
jitter 20

# Apply policies
apply-policy
site-list BRANCH-SITES
vpn-list SERVICE-VPN
data-policy ROUTING-POLICY

# Show application-aware routing
show app-route stats
show app-route sla-class

Performance Routing (PfR/PIRO)

# MODE: Global Configuration (config)#

# Enable PfR master controller
key chain PFR-KEY
key 1
key-string MyKey

pfr master
border 10.1.1.1 key-chain PFR-KEY
border 10.2.2.1 key-chain PFR-KEY
policy-rules VOICE-POLICY

# Configure on border router
pfr border
master 10.0.0.1 key-chain PFR-KEY
interface GigabitEthernet0/0 external
interface GigabitEthernet0/1 internal

# Show PfR status
show pfr master
show pfr border
show pfr master prefix
show pfr master traffic-classes

Troubleshooting

Debug Commands

# Enable debug
debug ip routing
debug ip ospf events
debug eigrp packets

# Disable specific debug
no debug ip routing

# Disable all debug
undebug all

# Show active debugs
show debugging

Ping and Traceroute

# Ping
ping 192.168.1.1

# Extended ping
ping

# Traceroute
traceroute 192.168.1.1

# Extended traceroute
traceroute

Interface Troubleshooting

# Show interface errors
show interfaces GigabitEthernet0/0 | include error

# Clear interface counters
clear counters GigabitEthernet0/0

# Show interface description
show interfaces description

# Show running config for interface
show running-config interface GigabitEthernet0/0

System Maintenance

Software Management

# Show flash contents
show flash:

# Delete file from flash
delete flash:old-config.cfg

# Format flash (careful: erases every file on it, including the IOS image)
format flash:

# Copy IOS to flash from TFTP
copy tftp: flash:

# Set boot system image
boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin

# Show boot configuration
show boot

Time and NTP

# Set clock manually
clock set 14:30:00 10 November 2025

# Configure NTP server
ntp server pool.ntp.org

# Show NTP status
show ntp status

# Show NTP associations
show ntp associations

# Set timezone
clock timezone EST -5

# Enable daylight saving
clock summer-time EDT recurring

Logging

# Enable logging
logging on

# Send logs to syslog server
logging host 192.168.1.100

# Set logging level
logging trap informational

# Log to console
logging console

# Log to buffer
logging buffered 8192

# Show logs
show logging

# Clear logs
clear logging

Port Security

Configure Port Security

# Enable port security
interface FastEthernet0/1
switchport mode access
switchport port-security

# Set maximum MAC addresses
switchport port-security maximum 2

# Set violation action (choose one)
switchport port-security violation shutdown
switchport port-security violation restrict
switchport port-security violation protect

# Set sticky MAC learning
switchport port-security mac-address sticky

# Manually add secure MAC
switchport port-security mac-address 1234.5678.9abc

# Show port security
show port-security

# Show port security for interface
show port-security interface FastEthernet0/1

# Show secure MAC addresses
show port-security address