
Cisco CLI - Security Cheat Sheet (DRAFT)

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Remote Access Security [ssh]

S1# show ip ssh
verifies SSH is available and displays the existing setup
S1# configure terminal
enters global configuration mode
S1(config)# ip domain-name <domain>
configures the DNS domain name (required before the RSA key can be generated)
S1(config)# crypto key generate rsa
Enables SSH and generates an RSA key pair
Cisco will prompt you for a key name
Cisco will prompt you for the modulus size [use Cisco's recommended size]
S1(config)# crypto key zeroize rsa
disables SSH (deletes the RSA key pair)
S1(config)# line vty 0 15
move into vty config for all ports
S1(config-line)# login local
allow local logins, not an AAA Server *
S1(config-line)# transport input ssh
allow only SSH on the vty lines (no telnet)
S1(config)# username admin password H0u$3M0u$3
sets local admin login pw (global config, not line config)
S1(config)# do show ip ssh
verify ssh settings
* AAA = Cisco's Authentication, Authorization & Accounting Server
Optional ssh config
- ip ssh version 2
- ip ssh authentication-retries 5
- ip ssh time-out 60
- end
- show ip ssh
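To check that the steps above actually landed on a device, it helps to audit the running-config text rather than eyeballing it. The following is an added example (not part of the cheat sheet and not Cisco tooling): a small Python audit of a `show running-config` excerpt for the items listed above (domain name, SSH version 2, vty lines restricted to `transport input ssh` with `login local`, and an `enable secret`). The two config excerpts are constructed for the example; the hostname, domain and hash strings are placeholders. The checks for `username ... password` (a reversible Type 0/7 password rather than `secret`) go slightly beyond the page's own list.

```python
"""Audit a Cisco IOS running-config excerpt for the remote-access hardening
steps in this cheat sheet. Added example; the config text is constructed,
not captured from a real device."""
import re

# Constructed excerpt that follows the cheat sheet's SSH procedure.
HARDENED_CONFIG = """\
hostname S1
ip domain-name example.test
enable secret 5 $1$placeholder$notarealhash
username admin secret 5 $1$placeholder$notarealhash
ip ssh version 2
ip ssh authentication-retries 5
ip ssh time-out 60
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""

# Constructed excerpt with weak settings: telnet still allowed on the vty
# lines, SSHv1 negotiable, and reversible passwords instead of secrets.
WEAK_CONFIG = """\
hostname S1
ip domain-name example.test
enable password abc123
username admin password 0 H0u$3M0u$3
line vty 0 15
 login local
 transport input telnet ssh
"""


def parse_line_blocks(config):
    """Return {'vty 0 4': ['login local', ...], ...} for each 'line ...' stanza.
    IOS indents sub-commands of a line stanza by one space."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return blocks


def audit_remote_access(config):
    """Return a sorted list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if not any(l.startswith("ip domain-name ") for l in lines):
        findings.append("no ip domain-name (RSA key generation will fail)")
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 not set (SSHv1 may be negotiated)")
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("enable secret missing (enable password is reversible or absent)")
    for l in lines:
        # 'username X password ...' stores a Type 0/7 password; 'secret' is hashed.
        if re.match(r"username \S+ password ", l):
            findings.append(f"reversible user password for: {l.split()[1]}")
    vty = {k: v for k, v in parse_line_blocks(config).items() if k.startswith("vty")}
    if not vty:
        findings.append("no vty configuration")
    for name, cmds in vty.items():
        transports = [c for c in cmds if c.startswith("transport input")]
        # The last 'transport input' wins; it must be exactly 'ssh'.
        if not transports or transports[-1] != "transport input ssh":
            findings.append(f"line {name}: transport input is not ssh-only")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append(f"line {name}: no login local / AAA login")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_remote_access(cfg) or "OK")
```

Feed it the output of `show running-config` (saved to a file and read into a string) and treat any non-empty finding list as a ticket. The `transport input` check looks at the last occurrence in each vty stanza because IOS keeps only the most recent one.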

Show Commands

show version
IOS Version, Memory etc.
show mac address-table
Displays the MAC Address Table
show ip route
Displays the routing table
show ip interface
show interface g0/0
Displays the interface status, MAC, IP, etc.
show ip interface brief
Displays every interface with its IP, status and line protocol
show running-config
Displays the active configuration

Show Commands (sample output)

show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES NVRAM administratively down down

'do' - in front of a command will run the command at any level, i.e. mydevice(config)# do show ip interface brief -OR- mydevice(config)# do reload

Port Security


Interface Security


Error Messages

% Invalid input detected at '^' marker
You are at the wrong level to run the command
% Incomplete command
[command brings a null response]
This is not a bad command; there are just no results to display

Tips & Tricks

Your CLI command fails
- are you in the right mode | level
- are you on the right device

Other Misc Commands

mydevice(config)# sdm prefer dual-ipv4-and-ipv6 default
used if switch won't take an IPv6 address ("sdm pre dual def" is the abbreviated form; takes effect after a reload)
help commands
Oh crap, stop! (Cancels whatever it's currently doing)
mydevice(config)# enable secret abc123
Sets the (hashed) enable secret password to abc123