After a Cisco ICND1 refresher course (I did my CCNA
back in 2005), a refresher of Cisco IOS commands.
Implementing the Initial Switch Configuration
enable
– enters privileged EXEC mode.
configure
terminal – enters global configuration mode.
hostname name – configures a
hostname to the device.
interface
interface
slot/number – enters interface configuration mode for the specified
interface.
ip
address
ip_address subnet_mask – configures an IP address with the specified
subnet mask.
description
name-string
– an interface configuration command to describe or name an interface.
no
shutdown – brings up the interface. Uses this command in
interface configuration mode. To shutdown the interface, use this command
without the no in front.
ip
default-gateway
ip_address – set the default gateway of the switch.
show
running-config – a privileged EXEC command to display the list of
configuration commands that modify the default configuration of the system.
show
interface status – displays the interface line status
Implementing the Initial Router Configuration
enable
– enters privileged EXEC mode.
configure
terminal – enters global configuration mode.
hostname name – configures a
hostname to the device.
interface
interface
slot/number – enters interface configuration mode for the specified
interface.
ip
address
ip_address subnet_mask – configures an IP address with the specified
subnet mask.
description
name-string
– an interface configuration command to describe or name an interface.
no
shutdown – brings up the interface. Uses this command in
interface configuration mode. To shutdown the interface, use this command
without the no in front.
show
running-config interface interface slot/number – privileged EXEC command to display
the running configuration for a specific interface.
show
interface status – displays the interface line status
show
ip interface
[type number] – displays the usability status of interfaces that are
configured for IP.
Implementing Static Routing
enable
– enters privileged EXEC mode.
configure
terminal – enters global configuration mode.
interface
interface
slot/number – enters interface configuration mode for the specified
interface.
ip
address
ip_address subnet_mask – configures an IP address with the specified
subnet mask.
no
shutdown – brings up the interface. Uses this command in
interface configuration mode. To shutdown the interface, use this command
without the no in front.
ip
route
network-number network-mask {ip-address | interface} – sets as static
route in the IP routing table.
Implementing Basic Numbered and Named ACLs
ip
access-list {standard|extended} {access-list-name|access-list-number} – used
in global configuration mode to define an IP access list by name or number.
permit source [source-wildcard]
– used in ACL configuration mode to set conditions to allow a packed to pass
a named IP ACL. To remove a permit condition from an ACL, use the no
form of this command.
deny source [source-wildcard]
– used in ACL configuration mode to set conditions in a named IP ACL that
will deny packets. To remove a deny condition from an ACL, use the no
form of this command.
ping
{hostname|system-address}
[source source-address] – used in privileged EXEC mode to
diagnose basic network connectivity.
Implementing PAT
ip
address dhcp – used in interface configuration mode to acquire an
IP address on an interface via DHCP
ip
access-list {standard|extended} {access-list-name|access-list-number} – used
in global configuration mode to define an IP access list by name or number.
permit source [source-wildcard]
– used in ACL configuration mode to set conditions to allow a packed to pass
a named IP ACL. To remove a permit condition from an ACL, use the no
form of this command.
ip
nat [inside|outside] – used in interface configuration mode to
designate that traffic originating from or destined for the interface is
subject to NAT.
ip
nat inside source {list {access-list-number|access-list-name}} interface type number [overload]
– used in global configuration mode to establish dynamic source translation.
Use of the list keyword enables you to use an ACL to identify the traffic that
will be subject to NAT. The overload option enables the route to use one global
address for many local addresses.
ip
nat inside source static local-ip global-ip – used in global configuration mode to
establish a static translation between an inside local address and an inside
global address.
Troubleshooting VLANs and Trunks
vlan
– creates VLAN and enters VLAN configuration mode for further definitions.
name
– assigns a name to the VLAN. The length of the name can be from 1 to 32
characters.
switchport
access vlan – sets the VLAN that the interface belongs to.
switchport
trunk encapsulation dot1q – specifies 802.1Q encapsulation on the
trunk link.
switchport
mode trunk – puts the interface into permanent trunking mode and
negotiates to convert the link into a trunk link.
switchport
access – assigns this port to a VLAN.
show
vlan – displays VLAN information.
show
vlan brief – displays VLAN information in brief.
show
interfaces trunk – displays the trunk information on the switch.
ping
– to diagnose basic network connectivity.
Implement Multiple VLANs and Basic Routing Between
the VLANs
enable
– enters privileged EXEC mode.
configure
terminal – enters global configuration mode.
interface
interface
slot/number – enters interface configuration mode for the specified
interface.
ip
address
ip_address subnet_mask – configures an IP address with the specified
subnet mask.
vlan
– creates VLAN and enters VLAN configuration mode for further definitions.
switchport
mode
{access|trunk} – configures the VLAN membership of a port. The access
port is set to access unconditionally and operates as a nontrunking, single
VLAN interface that sends and receives nonencapsulated (nontagged) frames. An
access port can be assigned to only one VLAN. The trunk port sends and receives
encapsulated (tagged) frames that identify the VLAN of origination. A trunk is
a point-to-point link between two switches or between a switch and a router.
switchport
trunk
{encapsulation {dot1q}} – the command sets the trunk characteristics
when the interface is in trunking mode. Sets the encapsulation format on the
trunk port to IEEE 802.1Q. With this format, the switch supports simultaneous
tagged and untagged traffic on a port.
encapsulation
dot1q vlan-id
– to define the matching criteria to map 802.1Q frames ingress on an
interface to the appropriate service instance, uses the encapsulation dot1q
command in interface configuration mode.
show
vlan – displays VLAN information.
Implementing a DHCP Server in a Cisco IOS Device
ip
dhcp pool name
– used in global configuration mode to configure a DHCP address pool on a
DHCP server and enter DHCP pool configuration mode.
domain-name domain – used in DHCP
pool configuration mode to specify the domain name for a DHCP client.
network
network-number
[mask] – used in DHCP pool configuration mode to configure the
network number and mask for a DHCP address pool primary or secondary subnet on
a Cisco IOS DHCP server.
ip
dhcp excluded-address ip-address [last-ip-address] – used in global configuration
mode to specify IP addresses that a DHCP server should not assign to DHCP
clients.
ip
helper-address
address – used in interface configuration mode to enable forwarding
of UDP broadcasts, including BOOTP, that are received on an interface.
default-router address [address2 ... address8]
– used in DHCP pool configuration mode to specify the default router list
for a DHCP client.
Implementing RIPv2
ip
route prefix
mask – uses the ip route command in global configuration mode to configure
static routes. Prefix denotes IP route prefix for the destination and mask denotes
prefix mask for the destination.
router
rip – enables a RIP routing process which places you in router
configuration mode.
network ip-address – associates
a network with a RIP routing process.
version
2 – configures the software to receive and send only RIPv2
packets.
no
auto-summary – disables automatic summarization.
default-information
originate – generates a default route into RIP and uses the
default-information originate command in router configuration mode.
passive-interface interface – specifying
an interface name sets only this interface to passive RIP mode. In passive mode,
RIP routing updates are accepted by, but not sent out of the specified
interface.
show
ip rip database – displays the contents of the RIP routing
database.
Securing Device Administrative Access
line
console 0 – changes the context to console configuration mode.
line
vty 1st-vty
2nd-vty – changes the context to vty configuration mode for the range
of vty lines listed in the command.
login
– enables console and vty configuration mode; tells Cisco IOS Software to
prompt for a password.
login local – enables console
and vty configuration mode; tells Cisco IOS Software to prompt for a username
and password to be changed against locally configured username global
configuration commands on this switch or router.
password pass-value – enables console
and vty configuration mode; lists the password that is required if the login
command (with no other parameters) is configured.
username name password pass-value
– enables the global command; defines one of possible multiple usernames and
associated passwords that are used for user authentication. It is used when the
login local line configuration command has been used.
enable
– a user in user mode can gain access to enable mode by using the enable
command.
enable
password
actual-password – if the enable password actual-password global
configuration command is used, it defines the password that is required when
using the enable EXEC command.
enable
secret
pass-value – enables the global command, sets the switch password
that is required for any user to reach enable mode.
service
password-encryption – the service password-encryption global
configuration command directs Cisco IOS Software to encrypt the passwords, CHAP
secrets, and similar data that are saved in its configuration file.
ip
domain-name
name – configures a DNS domain name with the ip domain-name name
global configuration command.
crypto key generate rsa – enables the global command;
creates and stores (in a hidden location in flash memory) the keys that are
required by SSH.
transport
input {telnet|ssh}
– used in vty line configuration mode; defines whether telnet or SSH access,
or both, is allowed into this switch. Both values can be configured on one
command to allow both Telnet and SSH access (the default.)
access-list access-list-number {deny|permit}
source [source-wildcard] – to define a standard IP access list,
uses the standard version of the access-list command in global configuration
mode.
access-class
– restricts incoming and outgoing connections between a particular vty (into
a Cisco device) and the address in an access list.
Implementing Device Hardening
ntp
server
ip-address – used in global configuration mode to allow the software
clock to be synchronized by an NTP time server.
ntp
peer ip-address
– used in global configuration mode to configure the software clock to synchronize
a peer or to be synchronized by a peer.
interface
type number
– used in global configuration mode to enter configuration mode for an
interface.
shutdown
– used in interface configuration mode to shut down the interface.
vlan
{vlan-id|vlan-range}
– used in global configuration mode to add a VLAN and enter configuration
mode for the VLAN.
name name – used in VLAN configuration
mode to name a VLAN.
switchport
access vlan
vlan-id – used in interface configuration mode to assign the
interface to a VLAN.
switchport
port-security – used in interface configuration mode to enable
port security on the interface.
switchport
port-security maximum maximum – used in interface configuration mode to set the
maximum number of secure MAC addresses on the port.
switchport
port-security mac-address {mac-addr|{sticky [mac-addr]}} – used in interface
configuration mode to add a MAC address to the list of secure MAC addresses.
The sticky option configures the MAC addresses as sticky on the interface.
switchport
port-security violation {shutdown|restrict|protect} – used in
interface configuration mode to set the action to be taken when a security violation
is detected.
Configuring System Message Logging
logging ip address – configures
the IP address of the host that will receive the system logging (syslog)
messages.
logging
trap level
– to limit messages that are logged to the syslog servers based on severity,
use the logging trap command in global configuration mode. The number or name
of the desired severity level is which messages should be logged.
show
logging – displays the state of system logging (syslog) and the
contents of the standard system logging buffer. Use the show logging command in
privileged EXEC mode.
Implement IPv6 Static Routing
ipv6
unicast-routing – used in global configuration mode to enable the
forwarding of IPv6 unicast datagrams.
ipv6
address
{ipv6-address/prefix-length | prefix-name sub-bits/prefix-length} – used
in interface configuration mode to configure an IPv6 address based on an IPv6
general prefix and to enable IPv6 processing on an interface.
show
ipv6 route – used in user EXEC or privileged EXEC mode to display
the current contents of the IPv6 routing table.
ipv6
route ipv6-prefix/prefix-length
ipv6-address – used in global configuration mode to create static
IPv6 routes. To remove a previously configured static route, use the no form of
this command.
ipv6
address autoconfig [default] – used in interface configuration
mode to enable automatic configuration of IPv6 addresses using stateless
autoconfiguration on an interface and to enable IPv6 processing on the
interface. To remove the address from the interface, use the no form of this
command.
