Important Cisco IOS commands needed to pass the CCNA exam (plus a few other practical ones,

marked with FYI).

Author: Herbert Haas, Version: 0x01. Get the latest version from http://www.perihel.at/dcom

Basic IOS Commands

Initial Commands
! Enter enable mode (in Unix terms: gain root access)
# enable
! Check IOS version, HW resources, and configuration register
# show version
! Enter global config mode for nearly all configuration commands
! that affect the router or switch as a whole. The short form is:
# conf t
! Set session timeout (in minutes and seconds; 0 0 means never
! time out). As example for the console port:
(config)# line console 0
(config-line)# exec-timeout 0 0
! Disable syslog interferences:
(config)# line console 0
(config-line)# logging synchronous
! If you hate syslog messages on the console:
(config)# no logging console
! If you even want syslog on the vtys
(config)# terminal monitor
! It is recommended to use a login banner:
(config)# banner login %
***********************************
* Go away every move is logged! *
*********************************** %
! Disable DNS lookups
(config)# no ip domain-lookup
! Configure local usernames and passwords
(config)# username wolfgang password aMaDeUs
! The same with type-5 (MD-5) passwords
(config)# username carl secret p.EmAnUeL99
! Encrypt passwords in running config
! Note: weak type-7 algorithm, can be cracked!!!
! Prefer secret passwords, using type-5 (MD-5) algorithm
(config)# service password-encryption

! Save configuration (new and old style; old style is more safe)
# copy run start
# write mem
! If serial interfaces are available, check DTE/DCE
# show controllers
! Configure bandwidth (= used for metric calculation)
! and clock rate (=physical data rate; only on DCE)
(config-if)# bandwidth 64
(config-if)# clock rate 64000
! date and time (use ? for parameters)
# clock ...
! Enable timestamps in syslog and debug messages:
(config)# service timestamps log datetime
(config)# service timestamps debug datetime

CDP
! Which neighbors have been detected?
# show cdp neighbors [detail]
! Examine detailed neighbour parameters (* means all neighbors)
! (E. g. all IP addresses of neighbors interfaces seen)
# show cdp entry *
! Verify statistics and parameters about CDP itself
# show cdp interface

Switching Commands
Basics
! VLAN 1 always exists and is also used as management VLAN. For
! example the switchs own IP address must be in VLAN 1.
! Additionally you might provide a default gateway to reach other
! networks.
(config)# interface vlan 1
(config-if)# ip address 10.1.1.1 255.255.0.0
(config)# ip default-gateway 10.1.9.9
! Lets examine the bridging table
# show mac-address-table
! FYI: Change the switching mode:
(config)# switching-mode {store-and-forward| fragment-free}
! Enter a static mac address in the table (remains only in RAM but
! does not age)

(config)# mac-address-table static 000C.1111.2222 vlan 1 interface

fastethernet 0/2

Port Security
! port must not be in dynamic or trunk mode
(config-if)# switchport mode access
! enable port security (necessary)
(config-if)# switchport port-security
! specify max number of secure MAC addresses
! these are dynamically learned
(config-if)# switchport port-security maximum 5
! optionally specify some secure MAC addresses manually
(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
! specify violation measures (shutdown is often a default and
! the only mode which shuts down the port, also SNMP trap is
! generated)
(config-if)# switchport port-security violation {shutdown |
protect | restrict}
! FYI: sticky learning addresses are copied in running-config
! (then can be explicitly saved via copy run start)
(config-if)# switchport port-security mac-address sticky
! Verify port-security settings (is it enabled?)
# show port security address interface fa0/1
! Verify various counters per port (MaxAddr, CurrAddr, violations)
! and actions
# show port security
! Which MAC addresses have been learned/configured for security?
!(also their ages)
# show port security address

Spanning Tree
! Since STP configures automatically, verification commands are
! most important
# show spanning-tree
! FYI: Enable (or disable with no) a particular STP
(config)# [no] spanning-tree vlan 200
! FYI: Change the default priority (for the BID)
(config)# spanning-tree vlan 200 priority 500

! FYI: Disable STP on access ports where only hosts reside

! (omit listening state)
(config-if)# spanning tree portfast

VLANS
! First create
! Note: vlan 1
! ports reside
(config)# vlan
(config-vlan)#

some VLANs on this switch

is always preconfigured (name default) and all
in VLAN 1 initially. A name is optionally.
2
name Engineers

! Then assign some ports to each VLAN

(config-if)# switchport access vlan 2
! Configure VLAN trunks on inter-switch connections
! (Alternatively, mode dynamic auto or dynamic desirable will
! negotiate trunk or no trunk with neighbor switch.)
! If required change default encapsulation type (e. g. on Cat4000)
(config-if)# switchport mode trunk
(config-if)# switchport trunk encapsulation isl
! Check configured VLANs
# show vlan
!
!
#
#

Check trunks: switchport shows operational details, trunk

shows similar information but also active and allowed vlans.
show interfaces fa0/11 switchport
show interfaces fa0/11 trunk

! Optionally utilize the VTP service to administrate many VLANs

! more easily. Per default, switches are in vtp server mode (this
! is a good idea in most cases). It is important to put all
! switches in the same VTP domain, otherwise they wont
! synchronize.
(config)# vtp {server | client | transparent}
(config)# vtp domain Lumpi
! If VTP is used there are also some optional commands. Pruning
! allows switches to block traffic for specific VLANs when they
! have no ports in these VLANs (this is a good idea to reduce
! unwanted broadcast traffic in the network).
(config)# vtp pruning
(config)# vtp password mySecret
! Check VTP configuration
# show vtp status

Routing Commands
Basics
! Quickly check whether all interfaces are up
# show ip interfaces brief
! Verify detailed information about any IP routing protocol
# show ip protocol
!
!
#
#

For any link-state or hybrid routing protocol, check whether

adjacencies could be established
show ip eigrp neighbors
show ip ospf neighbors

! For any link-state or hybrid routing protocol, check the

! topology database
# show ip ospf database
! Observe routing updates and events
# debug ip igrp transactions
# debug ip rip events

Router on a Stick
! It is recommended to configure duplex and speed manually because
! Ethernet capabilities autonegotiation falls back to half duplex
! mode when the other side is configured manually but VLAN
! trunking demands for full duplex !!!
! Since dot1Q does not tag VLAN 1 the corresponding IP address can
! be specified at the physical interface level. Only subinterfaces
! support the encapsulation command. When ISL trunking is used ALL
! IP addresses (for each VLAN) must be configured at subinterface
! level (because also VLAN 1 is tagged).
(config)# interface fa 0/0
(config-if)# ip address 10.1.9.9 255.255.0.0
(config-if)# duplex full
(config-if)# speed 100
(config-if)# interface fa 0/0.2
(config-subif)# encapsulation dot1Q 2
(config-subif)# ip address 10.2.9.9 255.255.0.0
(config-subif)# interface fa 0/0.3
(config-subif)# encapsulation dot1Q 3
(config-subif)# ip address 10.3.9.9 255.255.0.0
....

RIP
! The configuration scheme is always the same with each routing
! protocol: 1) Enable routing process and 2) include local
! interfaces via the network command.
(config)# router rip
(config-router)# network 10.0.0.0

(config-router)# network 172.16.0.0

! Upon discontiguous subnetting, RIP version 2 is needed. But also
! dont forget to disable auto-summarization (RIPv2 is backwards
! compatible to RIPv1 and does summarization per default).
(config-router)# version 2
(config-router)# no auto-summary

IGRP
! Same scheme as with any other routing protocol, but...
! You must specify an AS number (only significant for IGRP)
(config)# router igrp 100
(config-router)# network 172.16.0.0
! Optionally allow load balancing by configuring a variance
! parameter (worst metric must be less or equal variance times
! best_metric)
! Note #1: fast switched and CEF routers will perform session! based load balancing.
! Note #2: Per default, equal cost load balancing is configured
(config-router)# variance 3
! Optionally follow the least cost routing paradigm
(config-router)# traffic-share min

EIGRP
! As with IGRP you must specify an AS-Number for each process
! EIGRP uses the same compound-metric but left-shifted 8 bits.
! Wildcard or subnet masks are optional
(config)# router eigrp 100
(config-router)# network 10.0.0.0
(config-router)# network 192.168.1.0 0.0.0.255
! show commands as usual: neighbors, topology, etc.

OSPF
! Upon configuring the router process a process number must be
! specified. This number has only local significance and is not
! carried in routing traffic.
! The network command must contain a wildcard mask and the area
! ID. It is recommended to specify interface per interface to
! prevent unwanted interfaces from being included.
! Note: OSPF is VERY complex For the CCNA only a simple single! area configuration is required.
(config)# router ospf 100
(config-router)# network 10.1.1.1 0.0.0.0 area 0
(config-router)# network 10.1.2.1 0.0.0.0 area 0
! show commands as usual: neighbors, topology, etc.

Access Lists
!
!
!
!
!
!
!
!
!

Basic Rules for all ACLs:

1) ACL is executed top-down
2) ACL exits as soon as an entry matches
3) Therefore place most specific statements first
4) Use wildcard mask instead of subnet masks (=complement)
5) Optional keyword any means 0.0.0.0 255.255.255.255
6) Optional keyword host means wildcard mask 0.0.0.0
7) Three choices: standard, extended, and named ACLs
8) Three actions: permit | deny | remark

! Standard ACL (1-99 and 1300-1999, only SA is checked)

! Default wildcard mask is 0.0.0.0
(config)# access-list 1 permit 192.168.10.1 0.0.0.0
(config)# access-list 1 deny any
! Extended ACL (100-199 and 2000-2699, all can be checked)
! Parameter order is: protocol SA SA_wildcard [operator S-port]
! DA DA_wildcard [operator D-port] [established] [log]
! Keyword established verifies ACK=0
! Keyword log enables a hit count for this entry
(config)# access-list 102 deny tcp 1.1.1.0 0.0.0.255 any eq 21
(config)# access-list 102 permit ip any any
! Named ACL: Also deleting of entries possible!
(config)# ip access-list extended myACL1
(config-ext-nacl)# permit 192.168.10.0 0.0.0.255
! FYI: Newer IOS (since 12.2) also allows resequencing and
! inserting entries with sequence numbers. First parameter is
! start value, second parameter step value.
(config)# ip access-list extended 102 resequence 10 10
(config-ext-nacl)# 5 permit tcp 1.1.1.1 0.0.0.0 20.0.0.0
0.255.255.255 eq http
! Attach ACL
! Note: Only
(config-if)#
(config-if)#

on interface (same command for all types of ACLs)

one ACL per interface per direction (per protocol)
ip access-group 1 in
ip access-group 102 out

! keyword remark (for both numbered and named ACLs)

(config-std-nacl)# remark Paranoid Perimeter Solution
(config-std-nacl)# remark Filter anything except Emule
! Attach ACL on vtys (normal ACLs dont check locally originated
! traffic)
(config)# line vty 0 4
(config-line)# access-class 1 in
! Verifcation of ACL various possibilities:
# show access-list
# show ip access-list

# show access-list 102

! Check if ACLs are set on an interface
# show ip interface fa0/1
! Clear interface (log) counters
# clear counters
! Watch all packets that are matched by ACL 101
# debug ip packet 101
!
!
!
!
!

Changing ACLs:
1) Define new ACL in global config mode
2) On interface simply use access-group command with new ACL
there is no need to remove the old one with no access-group
(its immediately changed)

! Delete entries and resequence the ACL

(config-ext-nacl)# no 5
(config)# ip access-list resequence MY_ACL_OUT 10 20

NAT and PAT

! Any NAT/PAT configuration requires specifying which interface is
! inside and which is outside
(config-ig)# ip nat {inside|outside}
! Simple static translation
(config)# ip nat inside source static 10.0.0.1 2.2.2.2
! Dynamic translation using a pool of inside global addresses
! Also specify allowed traffic via an ACL
(config)# ip nat pool myPool 2.0.0.1 2.0.0.5 netmask 255.0.0.0
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# ip nat inside source list 1 pool myPool
! Now with overloading (PAT). Usually an address pool is not
! needed because the port number space is large enough. Therefore
! a single address, usually the routers outside interface is
! enough.
(config)# ip nat inside source list 1 interface s0 overload
! Verify translation table, check statistics (misses!)
# show ip nat translations
# show ip nat statistics
!
!
!
!
#

Using the debug command you can observe how packets are
translated. Two output parameters which are often not explained:
[32434] ... the IP identification number
NAT* ... packets are fast switched (never the 1st of a packet)
debug ip nat

PAP and CHAP Authentication

! Unidirectional PAP Host configuration
Host(config)# int serial 0
Host(config-if)# ip address 10.1.1.1 255.255.255.0
Host(config-if)# encapsulation ppp
Host(config-if)# ppp authentication pap calin
Host(config-if)# ppp pap sent-username PAPUSER password CiScO
! Unidirectional PAP Server configuration
Server(config)# username PAPUSER password CiScO
Server(config)# int serial 0
Server(config-if)# ip address 10.2.2.2 255.255.255.0
Server(config-if)# encapsulation ppp
Server(config-if)# ppp authentication pap
! Standard CHAP authentication: each host uses its hostname as
! username to login to the other side
! Configuration for Host LEFT:
(config)# hostname LEFT
LEFT(config)# username RIGHT password SAME
LEFT(config)# int serial 0
LEFT(config-if)# ip address 10.1.1.1 255.255.255.0
LEFT(config-if)# encapsulation ppp
LEFT(config-if)# ppp authentication chap
! Configuration for Host RIGHT:
(config)# hostname RIGHT
RIGHT(config)# username LEFT password SAME
RIGHT(config)# int serial 0
RIGHT(config)# ip address 10.2.2.2 255.255.255.0
RIGHT(config)# encapsulation ppp
RIGHT(config)# ppp authenticaion chap

Frame Relay
! Rules :
! * P2P subinterfaces have their own subnets and therefore
!
resolve split horizon issues
! * Each multipoint sub-if has its own IP subnet (incl all DLCIs)
! * Multipoint sub-if are NBMA and cannot resolve split horizon
! * LMI is always enabled DLCIs learned by SP
! * Router must be rebooted when sub-if type is changed
!
(Better migrate to another sub-if => no outage)
! * If sub-if used, dont assign an IP address to physical
!
interface (routing problems)!!!
! Practically usable DLCI range: 16 992 (assigned by SP)
(config-if)# encapsulation frame-relay
! LMI is always enabled (autodetection)

! Cisco supports three LMI standards:

! "Cisco" uses DLCI 1023
! ANSI T1.617 or Annex D (USA) uses DLCI 0
! ITU-T Q.933 or Annex A (Europe) uses DLCI 0
(config)# frame-relay lmi-type [ansi | cisco | q933a]
! Inverse arp alternative: statical mapping
! keyword broadcast allows broadcast services
! Not needed on P2P sub-interfaces but recommended (stable)
(config-sub-if)# frame-relay map ip 20.2.2.2 110 broadcast
! Define sub-if DLCI (router learns DLCIs by LMI but doesnt know
! which sub-if should be assigned which DLCI (per default all
! DLCIs are assigned to physical interface).
! This command also enabled inverse-arp on multipoint sub-if
! which is required when the frame-relay map ip command is not
! used.
(config-subif)# frame-relay interface-dlci 120
! Check encapsulation and LMI type
# show interfaces s0
!
!
!
#

Active state: L2 and L3 ok

Inactive state: remote router cannot reach its switch
Deleted state: local router connectivity problems (LMI not seen)
show frame-relay pvc 100

! Check encapsulation and LMI Type

# show interfaces s0
! Check static and dynamic mapping
# show frame-relay map
! Check LMI statistics
# show frame-relay lmi
! Reset the mapping table (delete information learned by inverse
! arp)
# clear frame-relay-inarp

ISDN
! PRI Configuration
! First define which timeslots should be used by the PRI-group
! Then configure the switch-type on the D channel: the interface
! with timeslot 15 (in Europe)
! Optionally specify framing and coding type.
! It is recommended to disable periodic protocols such as CDP.
(config)#controller E1 3/0
(config-controller)# framing crc4
(config-controller)# linecode hdb3
(config-controller)# pri-group timeslots 1-31

(config-controller)#interface Serial3/0:15
(config-if)# isdn switch-type primary-net5
(config-if)# no cdp enable
! Legacy DDR Spoke
! 1) Create static route (avoid periodic routing updates)
! 2) Define interesting traffic (dialer-list command)
! 3) Assign remote IP, telephone number, and remote name to an
!
interface (dialer-map command)
! 4) Bind interesting traffic to this interface (dialer-group
!
command)
! 5) Optional parameters: idle-timeout, load-threshold, ...
(config)# ip route 10.100.0.0 255.255.0.0 10.5.0.2
(config)# ip route 10.200.0.0 255.255.0.0 10.5.0.2
(config)# dialer-list 1 protocol ip permit
(config)# hostname myRouter
(config)# isdn switch-type basic-5ess
(config)# username otherRouter password cisco
(config)# interface BRI0
(config-if)# ip address 10.5.0.1 255.255.255.0
(config-if)# encapsulation ppp
(config-if)# dialer idle-timeout 180
(config-if)# dialer map ip 10.5.0.2 name otherRouter 080031415
(config-if)# dialer-group 1
(config-if)# ppp authentication chap
! The above configuration allows any IP packet to open the ISDN
! session. Better configure an ACL this way:
(config)# dialer-list 1 protocol ip list 101
(config)# access-list 101 deny tcp any any eq telnet
(config)# access-list 101 permit ip any any
! DDR with Dialer Profiles
! Goal: Support various different spoke-profiles and dynamically
! select interfaces from a pool. This is practical for hub devices
! which must terminate multiple session on the same physical
! interface.
! Concept:
!
1) Define profiles in dialer interfaces (instead of a
!
physical interface as before) and assign them to a dialer
!
pool.
!
2) Assign one or multiple physical interfaces to this pool
! So each dialer profile looks similar as the following:
(config)# interface dialer1
(config-if)# ip address 10.5.0.2 255.255.255.0
(config-if)# encapsulation ppp
(config-if)# dialer remote-name SomeRouter777
(config-if)# dialer string 141421356
(config-if)# dialer idle-timer 180
(config-if)# dialer pool 1
(config-if)# dialer-group 1
(config-if)# ppp authentication chap

! For simplicity we omit details already described above such as

! CHAP details or the specification of interesting traffic etc.
(config)# interface bri0
(config-if)# dialer pool-member 1