Show Menu
Cheatography
  1. Home >
  2. Programming >

CISCO switching and routing config Cheat Sheet (DRAFT) by

A comprehensive, simple and productivity oriented introduction to CISCO

This is a draft cheat sheet. It is a work in progress and is not finished yet.

IOS modes

Prompt
Name of mode
Command to access
Switch>
User exec
disable
Switch#
Privileged exec
enable
Switch­(co­nfig)#
Global Config
configure terminal
Switch­(co­nfi­g-if)#
Interface
line console 0
line vty 0 15 (telnet)
Switch­(co­nfi­g-l­ine)#
Line
interface type number
Switch­(vlan)#
VLAN
vlan number
We can exit all modes with exit (immediate previous one) or end (straight to privil­eged)

Config Modes Diagram

Key Sequences for Command Edit and Recall

Keyboard Command
What Happens
Up arrow or Ctrl+P
This displays the most recently used command. If you press it again, the next most recent command appears, until the history buffer is exhausted. (The P stands for previous.)
Down arrow or Ctrl+N
If you have gone too far back into the history buffer, these keys take you forward to the more recently entered commands. (The N stands for next.)
Left arrow or Ctrl+B
This moves the cursor backward in the currently displayed command without deleting charac­ters. (The B stands for back.)
Right arrow or Ctrl+F
This moves the cursor forward in the currently displayed command without deleting charac­ters. (The F stands for forward.)
Backspace
This moves the cursor backward in the currently displayed command, deleting charac­ters.
If you are used to general console intera­ctions in linux is pretty similar

Cisco IOS Software Command Help

What You Enter
The help you get
?
Provides help for all commands available in this mode.
command ?
With a space between the command and the ?, the switch lists text to describe all the first parameter options for the command.
com?
Lists commands that start with com.
command parm?
Lists all parameters beginning with the parameter typed so far. (Notice that there is no space between parm and the ?.)
command parm<Ta­b>
Pressing the Tab key causes IOS to spell out the rest of the word, assuming that you have typed enough of the word so there is only one option that begins with that string of charac­ters.
command parm1 ?
If a space is inserted before the question mark, the CLI lists all the next parameters and gives a brief explan­ation of each.
It's good practice to always use ? when you are not sure of what you are doing to prevent launching a succes­sfully format­-wise but that doesn't do what we intend to do because we haven't explored all possib­ili­ties!

CISCO IOS config files

Config­uration
Filename
Purpose
Where It Is Stored
sartup­-config
Stores the initial config­uration used anytime the switch reloads Cisco IOS.
NVRAM
runnin­g-c­onfig
Stores the currently used config­uration commands. This file changes dynami­cally when someone enters commands in config­uration mode.
RAM
vlan.dat
Stores inform­ation related to VLAN
Flash
Memory types: RAM (Working Memory and Running Config­ura­tion), Flash (Cisco IOS Software / Images), ROM (Bootstrap Program before Cisco IOS takes over), NVRAM (Startup Config­ura­tion)

copy runnin­g-c­onfig startu­p-c­onfig saves active config replacing startup copy startu­p-c­onfig runnin­g-c­onfig merges startup file with the currently active file in RAM

You can also write and erase config files

Switching Logic Actions

Deciding when to forward a frame or when to filter a frame, based on the destin­ation MAC address (using the dynami­cally built MAC)
Preparing to forward frames by learning MAC addresses by examining the source MAC address of each frame received by the switch (on cases where the forward MAC isn't in the table the switch floods the ports like it was a broadcast in order to find a response and fill the table to later tries)
Preparing to forward only one copy of the frame to the destin­ation by creating a (Layer 2) loop-free enviro­nment with other switches by using Spanning Tree Protocol (since loops can be fatal in the previous flooding mechan­ism). This is achieved by blocking some ports from forwarding frames so that only one active path exists between any pair of LAN segments. The downside is that it makes harder load balancing since redundant connec­tions can be useful for that purpose.

Switch Verifi­cation Commands

Display interface status and config­ura­tion.
S1# show interfaces interface-id
Display current startup config­ura­tion.
S1# show startu­p-c­onfig
Display current operating config­ura­tion.
S1# show runnin­g-c­onfig
Display inform­ation about the flash file system.
S1# show flash:
Display status of system hardware and software.
S1# show version
Display a history of commands entered.
S1# show history
Display IP inform­ation about an interface.
S1# show ip interf­ace-id
Display the MAC address table.
S1# show mac-ad­dre­ss-­table [dynam­ic|­static] [vlan vlan_id| interface interf­ace_id | adress MAC_adress]
Lists any inform­ation the switch acquires as a DHCP client. This includes IP address, subnet mask, and default gateway inform­ation.
S1# show dhcp lease
Lists the public and shared key created for use with SSH using the crypto key generate rsa global config­uration command.
S1# show crypto key mypubkey rsa
Lists status inform­ation for the SSH server, including the SSH version.
S1# show ip ssh
Lists the switch’s setting for its IPv4 default gateway.
S1# show ip defaul­t-g­ateway

MAC related command reference

Command
Purpose
show mac addres­s-table
Shows all MAC table entries of all types
show mac addres­s-table dynamic
Shows all dynami­cally learned MAC table entries
show mac addres­s-table dynamic [vlan vlan-n­umber] [interface interf­ace-id] [address mac-ad­dress]
Shows all dynami­cally learned MAC table entries containing any of the data depicted
show mac addres­s-table count
Shows the number of entries in the MAC table and the total number of remaining empty slots in the MAC table
show mac addres­s-table aging-time
Shows the global and per-VLAN aging timeout for inactive MAC table entries
clear mac addres­s-table dynamic
Empties the MAC table of all dynamic entries
clear mac addres­s-table dynamic [vlan vlan-n­umber] [interface interf­ace-id] [address mac-ad­dress]
Clears (removes) dynamic MAC table entries: either all (with no parame­ters), or a subset based on VLAN ID, interface ID, or a specific MAC address

Configure the Switch Management Interface

Enter global config­uration mode.
S1# configure terminal
Enter interface config­uration mode for the SVI
S1(con­fig)# interface vlan 1
Configure the management interface IP address.
S1(con­fig­-if)# ip address 192.16­8.1.200 255.25­5.255.0
Enable the management interface.
S1(con­fig­-if)# no shutdown
Return to privileged config mode.
S1(con­fig­-if)# exit
Set up the default gateway also in order to have internet connection
S1(con­fig)# ip defaul­t-g­ateway 192.16­8.1.1
Return to privileged EXEC mode.
S1(con­fig­-if)# end
Save the running config to the startup config.
S1# copy runnin­g-c­onfig startu­p-c­onfig
This process can also be carried out with the command ip address dhcp using then the DHCP protocol in order to assign it's ip.

Login Security Commands

Command
Purpose
line console 0
Changes the context to console config­uration mode.
line vty 1st-vty last-vty
Changes the context to vty config­uration mode for the range of vty lines listed in the command.
login
Console and vty config­uration mode. Tells IOS to prompt for a password.
password pass-value
Console and vty config­uration mode. Lists the password required if the login command (with no other parame­ters) is config­ured.
login local
Console and vty config­uration mode. Tells IOS to prompt for a username and password, to be checked against locally configured username global config­uration commands on this switch or router.
username name secret pass-value
Global command. Defines one of possibly multiple usernames and associated passwords, used for user authen­tic­ation. Used when the login local line config­uration command has been used.
crypto key generate rsa [modulus 360..2048 ]
Global command. Creates and stores (in a hidden location in flash memory) the keys required by SSH.
transport input {telnet | ssh | all | none}
vty line config­uration mode. Defines whether Telnet/SSH access is allowed into this switch. Both values can be configured on one command to allow both Telnet and SSH access (the default).
In case you need to set up security to your switch connection

Cisco Switch Port Config­uration

Enter global config­uration mode.
S1# configure terminal
Enter interface config­uration mode
S1(con­fig)# interface fastet­hernet 0/1
Configure the interface duplex mode.
S1(con­fig­-if)# duplex full
Configure the interface speed
S1(con­fig­-if)# speed 100
Add some useful descri­ption please!
S1(con­fig-if# descri­ption Printer on 3rd floor, Preset to 100/full
Return to general config
S1(con­fig­-if)# exit
Now we will configure a range
S1(con­fig)# interface range FastEt­hernet 0/11 - 20
And add some useful inform­ation for good measure
S1(con­fig­-if­-ra­nge)# descri­ption end-users connect here
Return to privileged EXEC mode
S1(con­fig­-if­-ra­nge)# ^Z
Save the running config to the startup config
S1# copy runnin­g-c­onfig startu­p-c­onfig
Since Mismatched settings for the duplex mode and speed of switch ports can cause connec­tivity issues.

We can use shutdown to close interf­aces.

We can create virtual interfaces called subint­erf­aces. Those will help us when working with different logical interfaces within the same physical one. We address them like this fa0/0.<­id>

Cisco Switch Auto-MDIX Commands

Enter global config­uration mode.
S1# configure terminal
Enter interface config­uration mode.
S1(con­fig)# interface fastet­hernet 0/1
Configure the interface to automa­tically negotiate the duplex mode with the connected device.
S1(con­fig­-if)# duplex auto
Configure the interface to automa­tically negotiate speed with the connected device.
S1(con­fig­-if)# speed auto
Enable auto-MDIX on the interface.
S1(con­fig­-if)# mdix auto
Return to privileged EXEC mode.
S1(con­fig­-if)# end
Save the running config to the startup config.
S1# copy runnin­g-c­onfig startu­p-c­onfig
With auto-MDIX enabled, either type of cable can be used to connect to other devices, and the interface automa­tically corrects for any incorrect cabling.

To check we can use: 
show contro­llers ethern­et-­con­troller fa 0/1 phy | include Auto-MDIX

Verify the Status of a Switch Interface

Line Status
Protocol Status
Interface status
Typical Root Case
admini­str­atively down
down
disabled
The shutdown command is configured on the interface.
down
down
notconnect
No cable; bad cable; wrong cable pinouts; speed mismatch; neighb­oring device is (a) powered off, (b) shutdown, or (c) error disabled.
up
down
notconnect
Not expected on LAN switch physical interf­aces.
down
down (err-d­isa­bled)
err-di­sabled
Port security has disabled the interface.
up
up
connected
The interface is working.

Possible problems with interface status

If the interface is up and the line protocol is down, a problem exists. There could be an encaps­ulation type mismatch, the interface on the other end could be error-­dis­abled, or there could be a hardware problem.
If the line protocol and the interface are both down, a cable is not attached or some other interface problem exists. For example, in a back-t­o-back connection (a connection where the transm­itter of one device connects directly to the receiver of another device without a transm­ission media between the two devices), one end of the connection may be admini­str­atively down.
If the interface is admini­str­atively down, it has been manually disabled (the shutdown command has been issued) in the active config­ura­tion.

Error codes in show interf­aces

Code
Explan­ation
Runts
Frames that did not meet the minimum frame size requir­ement (64 bytes, including the 18-byte destin­ation MAC, source MAC, type, and FCS). Can be caused by collis­ions.
Giants
Frames that exceed the maximum frame size requir­ement (1518 bytes, including the 18-byte destin­ation MAC, source MAC, type, and FCS).
Input Errors
A total of many counters, including runts, giants, no buffer, CRC, frame, overrun, and ignored counts.
CRC
Received frames that did not pass the FCS math; can be caused by collis­ions.
Frame
Received frames that have an illegal format, for example, ending with a partial byte; can be caused by collis­ions.
Packets Output
Total number of packets (frames) forwarded out the interface.
Output Errors
Total number of packets (frames) that the switch port tried to transmit, but for which some problem occurred.
Collisions
Counter of all collisions that occur when the interface is transm­itting a frame.
Late Collisions
The subset of all collisions that happen after the 64th byte of the frame has been transm­itted. (In a properly working Ethernet LAN, collisions should occur within the first 64 bytes; late collisions today often point to a duplex mismatch.)

VLANs Definition and Benefits

Essent­ially they are individual broadcast domains created by the switch, which are called virtual LANs (VLAN). In order to forward packs to other VLANs we need routing.
Benefits of VLANs
To reduce CPU overhead on each device, improving host perfor­mance, by reducing the number of devices that receive each broadcast frame
To reduce security risks by reducing the number of hosts that receive copies of frames that the switches flood (broadc­asts, multic­asts, and unknown unicasts)
To improve security for hosts through the applic­ation of different security policies per VLAN
To create more flexible designs that group users by depart­ment, or by groups that work together, instead of by physical location
To solve problems more quickly, because the failure domain for many problems is the same set of devices as those in the same broadcast domain
To reduce the workload for the Spanning Tree Protocol (STP) by limiting a VLAN to a single access switch

VLAN Trunking

The use of trunking allows switches to forward frames from multiple VLANs over a single physical connection by adding a small header to the Ethernet framex.

802.1Q inserts an extra 4-byte 802.1Q VLAN header into the original frame’s Ethernet header (12 bits vlan id, flag, priority and type)

Trunkind Admini­str­ative Mode Options

Common Option
Descri­ption
access
Always act as an access (nontrunk) port.
trunk
Always act as trunk port.
dynamic desirable
Initiates negoti­ation messages and responds to negoti­ation messages to dynami­cally choose whether to start using trunking
dynamic auto
Passively waits to receive trunk negoti­ation messages, at which point the switch will respond and negotiate whether to use trunking
You can change the mode with switchport mode trunk.

For switches that support both ISL and 802.1Q you can use the command switchport trunk encaps­ulation {fot1q | isl | negotiate} interface subcommand to allow Dynamic Trunking Protocol to negotiate the type. Though Cisco recommends disabling trunk negoti­ation on most ports for better security.

You can also use show interfaces trunk to see the trunked interfaces

VLAN Config­uration Reference

Command
Descri­ption
vlan vlan-id
Global config command that both creates the VLAN and puts the CLI into VLAN config­uration mode
name vlan-name
VLAN subcommand that names the VLAN
[no] shutdown
VLAN mode subcommand that enables (no shutdown) or disables (shutdown) the VLAN
[no] shutdown vlan vlan-id
Global config command that has the same effect as the [no] shutdown VLAN mode subcom­mands
vtp mode {server | client | transp­arent | off}
Global config command that defines the VTP mode
switchport mode {access | dynamic {auto | desirable} | trunk}
Interface subcommand that configures the trunking admini­str­ative mode on the interface
switchport access vlan vlan-id
Interface subcommand that statically configures the interface into that one VLAN
switchport trunk encaps­ulation {dot1q | isl | negotiate}
Interface subcommand that defines which type of trunking to use, assuming that trunking is configured or negotiated
switchport trunk native vlan vlan-id
Interface subcommand that defines the native VLAN for a trunk port
switchport nonego­tiate
Interface subcommand that disables the negoti­ation of VLAN trunking
switchport voice vlan vlan-id
Interface subcommand that defines the voice VLAN on a port, meaning that the switch uses 802.1Q tagging for frames in this VLAN
switchport trunk allowed vlan {add | all | except | remove} vlan-list
Interface subcommand that defines the list of allowed VLANs
show interfaces interf­ace-id [switc­hpo­rt|­trunk]
Lists inform­ation about any interface regarding admini­str­ative settings and operat­ional state / Lists inform­ation about all operat­ional trunks

Creating a VLAN

Command
Meaning
SW1(co­nfig)# vlan 2
Create the VLAN and to move the user into VLAN config­uration mode.
SW1(co­nfi­g-v­lan)# name Hugos-vlan
Create a name for the VLAN. If not config­ured, the VLAN name is VLANZZZZ, where ZZZZ is the four-digit decimal VLAN ID.
SW1(co­nfi­g-v­lan)# exit
Go back
SW1(co­nfig)# interface range fastet­hernet 0/13 - 14
Used to move into interface config­uration mode for each desired interface.
SW1(co­nfi­g-if)# switchport access vlan 2
Specify the VLAN number associated with that interface. Using this on a not yet created vlan will create one, be careful with this
SW1(co­nfi­g-if)# switchport mode access
Make this port always operate in access mode (that is, to not trunk)
SW1(co­nfi­g-if)# end
Go back
SW1# show vlan brief
Show what we have created

Config­uration Command Reference

Command
Descri­ption
spanni­ng-tree mode {pvst | rapid-pvst | mst}
Global config­uration command to set the STP mode.
spanni­ng-tree [ vlan vlan-n­umber ] root primary
Global config­uration command that changes this switch to the root switch. The switch’s priority is changed to the lower of either 24,576 or 4096 less than the priority of the current root bridge when the command was issued.
spanni­ng-tree [ vlan vlan-n­umber ] root secondary
Global config­uration command that sets this switch’s STP base priority to 28,672.
spanni­ng-tree vlan vlan-id priority priority
Global config­uration command that changes the bridge priority of this switch for the specified VLAN.
spanni­ng-tree [vlan vlan-n­umber ] cost cost
Interface subcommand that changes the STP cost to the configured value.
spanni­ng-tree [vlan vlan-n­umber ] port-p­riority priority
Interface subcommand that changes the STP port priority in that VLAN (0 to 240, in increments of 16).
channe­l-group channe­l-g­rou­p-n­umber mode {auto | desirable | active | passive | on}
Interface subcommand that enables EtherC­hannel on the interface.
show spanni­ng-tree
Lists details about the state of STP on the switch, including the state of each port.
show spanni­ng-tree vlan vlan-id
Lists STP inform­ation for the specified VLAN.
show etherc­hannel [ channe­l-g­rou­p-n­umber ] {brief | detail | port | portc­hannel | summary}
Lists inform­ation about the state of EtherC­hannels on this switch.

Command Reference for Routing (Basic)

Command
Descri­ption
Interface type number
Global command that moves the user into config­uration mode of the named interface.
ip address address mask
Interface subcommand that sets the router’s IPv4 address and mask.
show interfaces [type number]
Lists a large set of inform­ational messages about each interface, or about the one specif­ically listed interface.
show ip interface brief
Lists a single line of inform­ation about each interface, including the IP address, line and protocol status, and the method with which the address was configured (manual or Dynamic Host Config­uration Protocol [DHCP]).
show protocols [type number]
Lists inform­ation about the listed interface (or all interfaces if the interface is omitted), including the IP address, mask, and line/p­rotocol status.