Initial Setup Commands
| Prompt / Mode | Command | Description |
|---|---|---|
| R(config)# | hostname <hostname> | Set hostname for the device. |
| R(config)# | no ip domain-lookup | Disable ip domain-lookup; no timeout when incorrect cmd typed. |
| R(config)# | banner motd $ <motd msg> $ | Set MOTD. Use $ to end the MOTD when multiple lines typed. |
| R(config)# | line console 0 | Enter line console configuration mode. |
| R(config-line)# | logging synchronous | Prevents logging output from immediately interrupting console session. |
| R(config-line)# | password <pwd> | Sets a cleartext (unsecured) password for the console port. |
| R(config-line)# | login | Requires the console password at login. |
| R(config-line)# | no login | Disables login. |
| R(config)# | line vty 0 4 | Enter telnet/ssh config mode. |
| R(config-line)# | password <pwd> | Sets a password for telnet/ssh. |
| R(config-line)# | login | Requires the line password at login on the vty lines. |
| R(config)# | interface vlan1 | Enter VLAN1 interface config mode. |
| R(config-if)# | ip address <ip ad> <subnet mask> | Configure the VLAN IP address and subnet mask (the management address used for telnet/SSH). |
| R(config-if)# | no shutdown | Manually enable the interface. |
| R(config)# | enable secret <pwd> | Enable a secure password for privileged mode. |
| R(config)# | service password-encryption | Obfuscates cleartext line and username passwords in the config (type 7, reversible; not a substitute for enable secret). |
| R# | copy running-config startup-config | Copies running config to startup config. Saves all changes. |
Secure Shell SSH Setup
| Prompt / Mode | Command | Description |
|---|---|---|
| R(config)# | ip domain-name <any.com> | Set the domain name (combined with the hostname to name the RSA key pair). |
| R(config)# | username <login> password <pwd> | Creates a local user account; SSH login with `login local` needs both username and password. |
| R(config)# | crypto key generate rsa | Generates the RSA key pair, named from the hostname and domain name (<hostname>.<any.com>). Choose a modulus between 360 and 4096 bits; 1024 is the common default, 2048 is recommended for SSH v2. |
| R(config)# | ip ssh version 2 | Enable SSH v2 on device. |
| R(config)# | line console 0 | Enter Line Console 0 configuration. |
| R(config-line)# | password <pwd> | Set password for Line Console. |
| R(config)# | line vty 0 4 | Enter telnet/ssh config mode. |
| R(config-line)# | login local | Tell the lines to use the local database for login/password. |
| R(config-line)# | password <pwd> | Set password. |
| R(config-line)# | transport input ssh telnet | Configure allowed access protocols. Telnet is optional; `transport input ssh` permits SSH only. |
| R# | show ip ssh | See SSH version and options. |
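As an added defensive check, not part of the original cheat sheet: a small Python audit that parses a running-config excerpt and flags the weaker options the two tables above allow (a shared line password instead of `login local`, telnet left in `transport input`, missing `service password-encryption`, a reversible `username ... password`). The sample config is constructed.

```python
# Constructed running-config excerpt (not from the page), mixing the tables' settings with weak choices.
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$placeholderhash
username admin password 0 cleartext
ip ssh version 2
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input ssh telnet
"""

def parse_sections(config):
    """Split an IOS config into global lines and the indented 'line ...' blocks."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # sub-command of the open block
        elif raw.startswith("line "):
            current = raw
            blocks[current] = []
        else:
            current = None
            global_lines.append(raw)
    return global_lines, blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    glob, blocks = parse_sections(config)
    if not any(l.startswith("enable secret ") for l in glob):
        findings.append("missing 'enable secret' for privileged mode")
    if "service password-encryption" not in glob:
        findings.append("missing 'service password-encryption'; line passwords stay in cleartext")
    if "ip ssh version 2" not in glob:
        findings.append("missing 'ip ssh version 2'")
    if any(l.startswith("username ") and " password " in l for l in glob):
        findings.append("'username ... password' is reversible; use 'username ... secret'")
    for name, lines in blocks.items():
        if not name.startswith("line vty"):
            continue
        if "login local" not in lines:
            findings.append(f"{name}: no 'login local' (shared line password, no per-user accounts)")
        if [l for l in lines if l.startswith("transport input")] != ["transport input ssh"]:
            findings.append(f"{name}: transport input not restricted to ssh")
    return findings
```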
DHCP – Router Server Configuration / DHCP Snooping / DAI
| Prompt / Mode | Command | Description |
|---|---|---|
| R(config-if)# | ip helper-address <ip> | Sets the address of the DHCP server, if there is one. |
| R(config)# | ip dhcp pool <pool-name> | Creates an IP address pool and enters DHCP config mode. |
| R(dhcp-config)# | network <network> <subnet mask> | Enables a DHCP server for a particular network segment. |
| R(dhcp-config)# | default-router <ip ad> | Set IP address for the default router. |
| R(dhcp-config)# | domain-name <domain> | Specifies the domain name for a DHCP client. |
| R(config)# | ip dhcp excluded-address <1st ip> <last ip> | Configures a range of excluded addresses. |
| R# | show ip dhcp binding | Displays active DHCP-assigned IP addresses. |
| R# | show ip dhcp pool | Displays a basic summary of a configured DHCP pool. |
| S(config)# | ip dhcp snooping | Enable DHCP snooping. |
| S(config)# | ip dhcp snooping vlan <#> | Enable DHCP snooping on a VLAN interface. |
| S(config-if)# | ip dhcp snooping trust | Make interface a DHCP trusted interface (server-side/uplink port). |
| S(config-if)# | ip dhcp snooping limit rate <#> | Limit the number of DHCP messages accepted per second. If the rate is exceeded, the interface goes into the errdisable state. |
| S(config)# | errdisable recovery cause dhcp-rate-limit | Turns on error recovery for DHCP Rate Limit. |
| S(config)# | errdisable recovery interval <seconds> | Sets how many seconds until interface is recovered. |
| S(config)# | no ip dhcp snooping information option | Required when the switch is not the DHCP relay agent; otherwise it inserts option 82 and the server may drop the requests. |
| S# | show ip dhcp snooping | Show cmd for DHCP snooping configuration. |
| S(config)# | ip arp inspection vlan <vlan> | Turns DAI on switch for a specific VLAN. |
| S(config-if)# | ip arp inspection trust | Makes the interface a trusted port for DAI (usually the same ports as DHCP snooping trust). |
| S(config-if)# | ip arp inspection limit rate <#> | Limit ARP messages allowed to be sent per second. |
| S(config)# | errdisable recovery cause arp-inspection | Turns on error recovery for DAI. |
| S(config)# | errdisable recovery interval <seconds> | Sets how many seconds until interface is recovered. |
| S(config)# | ip arp inspection validate {dst-mac \| src-mac \| ip} | Adds DAI validation steps. |
| S# | show ip arp inspection | Show DAI configuration settings. |
| S# | show ip dhcp snooping binding | Show DHCP Binding table. |
| S# | show ip arp inspection statistics | Show DAI stats, dropped packets, total packets, etc. |
Switchport – Port Security
| Prompt / Mode | Command | Description |
|---|---|---|
| S(config-if)# | switchport mode <access / trunk> | Change switchport to access or trunk. |
| S(config-if)# | switchport port-security maximum 1 | Only allows 1 MAC Address on switchport. |
| S(config-if)# | switchport port-security mac-address <MAC> | Sets a specific Mac Address that can access the switchport. |
| S(config-if)# | switchport port-security mac-address sticky | Dynamically learns the MAC address of the first device that connects and saves it to the running-config (first come, first served). |
| S(config-if)# | switchport port-security violation <protect \| restrict \| shutdown> | Sets the action taken when switchport security is violated. |
| S(config-if)# | switchport port-security | Turns on switchport security (the port must be in access mode first). |
| S(config)# | errdisable recovery cause psecure-violation | Turns on error recovery for Port Security. |
| S(config)# | errdisable recovery interval <seconds> | Set how many seconds until interface is recovered. |
| S# | show errdisable recovery | View all errdisable recovery configuration. |
| S# | show port-security | Have an overview of all port-security enabled on the switch. |
| S# | show port-security interface gi0/0 | Show port security configuration for int gi0/0. |
ACLs Standard and Extended
| Prompt / Mode | Command | Description |
|---|---|---|
| R(config)# | access-list <access list #> <permit \| deny> <source> <source wildcard> | Add a standard ACL entry (source filtering only) to the specified access list. |
| R(config)# | access-list <access list #> permit any | Explicitly permits anything not matched by an earlier entry, overriding the implicit deny at the end of every ACL (extended form: `permit ip any any`). |
| R(config)# | access-list 101 <permit \| deny> <protocol> <source ip> <source wildcard> <dest ip> <dest wildcard> | Extended access list entry filtering by protocol (ip, tcp, udp, icmp, etc.). Source and destination both take wildcard masks. |
| R(config)# | access-list 101 <permit \| deny> <protocol> <source ip> <source wildcard> [<operator> <source-port>] <dest ip> <dest wildcard> [<operator> <dest-port>] | Extended entry with TCP/UDP port matching. <operator> = eq, ne, lt, gt, range. |
| R(config-if)# | ip access-group <access list # \| name> in | Applies the ACL to traffic entering the interface. |
| R(config-if)# | ip access-group <access list # \| name> out | Applies the ACL to traffic leaving the interface. |
| R# | show ip access-lists | Shows all ACLs with per-entry match counters. |
| R(config)# | ip access-list <standard \| extended> <access list # \| name> | Enters named/numbered ACL config mode. |
| R(config-ext-nacl)# | 25 <permit \| deny> <ACL entry> | Adds an entry with sequence number 25; entries are evaluated in sequence order. |
| R(config-ext-nacl)# | no 25 | Removes the entry with sequence number 25 from the ACL. |
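An added example, not from the original page: a Python evaluator for the extended ACL syntax above that applies wildcard-mask matching, top-down first match and the implicit deny. The ACL and the test packets are constructed, and it also handles the `ne`, `lt`, `gt` and `range` operators the table lists.

```python
import ipaddress

# Constructed extended ACL in the numbered form from the table above (not from the page).
ACL_101 = [
    "access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 23",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.10 eq 22",
    "access-list 101 permit icmp any any",
]

_OPS = {"eq": lambda p, a, b: p == a, "ne": lambda p, a, b: p != a,
        "lt": lambda p, a, b: p < a, "gt": lambda p, a, b: p > a,
        "range": lambda p, a, b: a <= p <= b}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD' -> (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def _take_port(tokens):
    """Consume an optional port operator (eq/ne/lt/gt/range); return a port predicate."""
    if not tokens or tokens[0] not in _OPS:
        return lambda p: True
    op, a = tokens.pop(0), int(tokens.pop(0))
    b = int(tokens.pop(0)) if op == "range" else a
    return lambda p: _OPS[op](p, a, b)

def parse_entry(line):
    """access-list <#> <permit|deny> <proto> <src> [op port] <dst> [op port]"""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    return action, proto, _take_addr(rest), _take_port(rest), _take_addr(rest), _take_port(rest)

def _addr_match(spec, ip):
    """Wildcard semantics: a 1 bit means 'don't care', a 0 bit must match (inverse of a mask)."""
    base, wild = spec
    return (_ip(ip) | wild) == (base | wild)

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """Top-down first match, then the implicit deny that ends every IOS ACL."""
    for action, eproto, esrc, esport, edst, edport in map(parse_entry, acl_lines):
        if eproto not in ("ip", proto):
            continue
        if _addr_match(esrc, src) and esport(sport) and _addr_match(edst, dst) and edport(dport):
            return action
    return "deny"
```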
OSPF Base Configuration
| Prompt / Mode | Command | Description |
|---|---|---|
| R(config)# | router ospf <pid> | Enables OSPF process <pid> and enters router config mode (R(config-router)#). |
| R(config-router)# | router-id <rid> | Sets the router ID, e.g. 4.4.4.4. |
| R(config-router)# | network <ip ad> <wild card> area <area#> | Tells router to advertise a network in LSAs to other routers. |
| R(config-if)# | ip ospf <pid> area <area#> | Same as the network command but applied per interface. |
More OSPF Commands
| Prompt / Mode | Command | Description |
|---|---|---|
| R(config-router)# | passive-interface <interface> | Makes an interface passive: no Hellos are sent or processed, but its network is still advertised. |
| R(config-router)# | passive-interface default | Makes all interfaces passive by default. |
| R(config-if)# | ip ospf cost <custom cost> | Sets a custom cost for an interface. |
| R(config-router)# | auto-cost reference-bandwidth <Mbps> | Changes the reference bandwidth used for cost calculation, in Mbps. |
| R(config-router)# | maximum-paths <#> | Sets a max # of paths in routing table for equal cost routes. |
| R# | clear ip ospf process | Restarts OSPF process. |
| R# | show ip protocols | Shows protocols currently running. |
OSPF Troubleshooting Commands
| Prompt / Mode | Command | Description |
|---|---|---|
| R# | show run \| sec ospf | Shows the OSPF section of the running-config. |
| R# | show ip ospf | Shows OSPF configurations. |
| R# | show ip ospf neighbor [<rid>] | Shows all OSPF neighbors on the router; add a router ID for one neighbor's details. |
| R# | show ip ospf interface [brief \| <int>] | See interface details, a brief summary, or details for a particular interface. |
| R# | debug ip ospf adj | Shows adjacency events as neighbors are discovered and the relationship becomes established. |
| R# | show ip ospf database | Shows database of all OSPF routers. |
NAT: Network Address Translation
| Prompt / Mode | Command | Description |
|---|---|---|
| R(config-if)# | ip nat <inside \| outside> | Marks the interface as the NAT inside or outside interface. |
| R(config)# | ip nat inside source static <inside-local ip> <inside-global ip> | Sets a static one-to-one NAT rule. |
| R(config)# | ip nat pool <pool name> <1st ip> <last ip> netmask <subnet-mask> | Defines a named pool of inside global addresses for dynamic NAT. |
| R(config)# | ip nat inside source list <ACL> pool <pool name> | Configures dynamic NAT; the ACL selects which inside local addresses may be translated to pool addresses. |
| R(config)# | ip nat inside source list <ACL> interface <int #> overload | Sets up dynamic NAT with overload (PAT): many inside local addresses share the interface address, distinguished by TCP/UDP source port. |
| R# | show ip nat translations | Displays the NAT table. |
| R# | show ip nat statistics | List counters for packets and NAT tables entries, as well as basic config. |
NTP: Network Time Protocol
| Prompt / Mode | Command | Description |
|---|---|---|
| R(config)# | clock timezone <time zone> <+/-hours> | Sets the time zone and UTC offset for the device's internal clock. |
| R(config)# | clock summer-time <name> recurring | Names a daylight saving time for the time zone and tells the IOS clock to adjust automatically. |
| R(config)# | ntp server <address> | Set NTP server for device. |
| R(config)# | ntp master <stratum-level> | Set the device as the master NTP server and set its stratum level. |