Cisco IOS Command Reference
371 commands with real IOS output, syntax, exam tips, and common mistakes. Every command a CCNA candidate needs to know.
Routing
8 commands
clear ip route *
Clears all entries from the IP routing table, forcing the router to rebuild the routing table from active routing protocols and directly connected networks.
Privileged EXEC
ip default-gateway [ip]
Sets the default gateway for a Cisco switch that is not configured with IP routing, allowing it to forward management traffic to remote networks.
Global Config
ip route [net] [mask] [hop] [ad]
Configures a static route with an administrative distance to create a floating static route that serves as a backup when the primary dynamic route fails.
Global Config
ip route [network] [mask] [next-hop]
Configures a static route in the routing table to forward traffic to a specific destination network via a next-hop IP address or exit interface.
Global Config
ip route 0.0.0.0 0.0.0.0 [next-hop]
Configures a default route (gateway of last resort) on a Cisco router, directing all traffic with no specific route in the routing table to the specified next-hop IP address.
Global Config
show ip protocols
Displays the current state of all IP routing protocols running on the router, including timers, filters, and network advertisements.
Privileged EXEC
show ip route
Displays the current IP routing table on a Cisco router, used to verify routes, check next-hop addresses, and troubleshoot connectivity issues.
Privileged EXEC
show ip route summary
Displays a summary of the IP routing table, including route counts, protocols, and memory usage, used to quickly assess the routing table size and composition.
Privileged EXEC
OSPF
21 commands
area [id] authentication message-digest
Enables OSPF MD5 authentication on a specific area to ensure that only trusted routers participate in OSPF routing updates within that area.
Router Config
area [id] nssa
Configures an OSPF area as a Not-So-Stubby Area (NSSA), allowing external routes from outside the OSPF domain to be imported as Type 7 LSAs while still blocking most external routes from other areas.
Router Config
area [id] stub
Configures an OSPF area as a stub area to reduce the size of the LSDB by blocking Type 5 LSAs and requiring a default route from the ABR.
Router Config
auto-cost reference-bandwidth [mbps]
Sets the reference bandwidth used by OSPF to calculate the cost of an interface, overriding the default 100 Mbps reference, to ensure accurate metric calculation for higher-speed links.
Router Config
clear ip ospf process
Resets the OSPF process on the router, forcing it to re-establish all neighbor adjacencies and re-learn routes.
Privileged EXEC
default-information originate
The default-information originate command is used in OSPF router configuration mode to generate a default route (0.0.0.0/0) into the OSPF domain, typically when the router has a default route from another source, such as a static route, or is connected to an ISP.
Router Config
ip ospf authentication message-digest
Enables MD5 authentication for OSPF on an interface to ensure routing updates are authenticated and secure.
Interface Config
ip ospf cost [value]
Manually sets the OSPF cost (metric) on an interface, overriding the default cost derived from bandwidth, to influence path selection in OSPF routing.
Interface Config
ip ospf dead-interval [secs]
Sets the OSPF dead interval, which is the time a router waits to hear from a neighbor before declaring it down, used to tune OSPF convergence.
Interface Config
ip ospf hello-interval [secs]
Configures the interval (in seconds) between OSPF Hello packets on an interface, used to adjust neighbor discovery and dead timer detection.
Interface Config
ip ospf message-digest-key 1 md5 [key]
Configures OSPF MD5 authentication on an interface by defining a key ID and password to authenticate OSPF packets.
Interface Config
ip ospf priority [0-255]
Sets the OSPF priority on an interface to influence the Designated Router (DR) and Backup Designated Router (BDR) election process in a broadcast multi-access network.
Interface Config
maximum-paths [n]
Configures the maximum number of equal-cost paths that OSPF can install in the routing table for a single destination, enabling load balancing across multiple links.
Router Config
network [ip] [wildcard] area [area]
Enables OSPF on an interface by specifying the network prefix and wildcard mask, assigning it to a specific OSPF area.
Router Config
passive-interface [intf]
Configures an OSPF interface as passive, preventing it from sending OSPF hello packets and forming neighbor adjacencies, while still advertising the network.
Router Config
router ospf [process-id]
Enables OSPF routing on the router and enters OSPF router configuration mode for a specific process, allowing you to configure OSPF parameters such as network statements, router ID, and area assignments.
Global Config
router-id [ip]
The router-id command assigns a specific IP address as the OSPF router ID, overriding the default selection process, and is used to ensure a stable and predictable router identifier for OSPF operation.
Router Config
show ip ospf
Displays general information about the OSPF routing process, including router ID, areas, and LSDB statistics, used to verify OSPF configuration and operational status.
Privileged EXEC
show ip ospf database
Displays the OSPF link-state database (LSDB) to verify OSPF adjacencies, check for missing or corrupt LSAs, and troubleshoot OSPF routing issues.
Privileged EXEC
show ip ospf interface
Displays OSPF interface parameters and status, used to verify OSPF configuration and troubleshoot neighbor relationships.
Privileged EXEC
show ip ospf neighbor
Displays OSPF neighbor information to verify adjacency formation and troubleshoot OSPF neighbor relationships.
Privileged EXEC
EIGRP
15 commands
clear ip eigrp neighbors
This command immediately resets all EIGRP neighbor adjacencies, forcing the router to re-establish neighbor relationships and re-learn routes from all EIGRP neighbors.
Privileged EXEC
eigrp stub connected summary
Configures an EIGRP stub router to advertise only connected and summary routes, preventing it from being used as a transit router and reducing query scope.
Router Config
ip bandwidth-percent eigrp [as] [pct]
Configures the percentage of interface bandwidth that EIGRP can use for a specific autonomous system, limiting EIGRP traffic to prevent link saturation.
Interface Config
ip hello-interval eigrp [as] [secs]
Configures the EIGRP hello interval on an interface, overriding the default hello interval for the specified autonomous system.
Interface Config
ip hold-time eigrp [as] [secs]
Configures the EIGRP hold time (in seconds) for a specific EIGRP autonomous system on an interface, determining how long the router waits for a hello packet before declaring the neighbor down.
Interface Config
maximum-paths [n]
Configures the maximum number of equal-cost paths that EIGRP can use for load balancing to a destination network.
Router Config
network [ip] [wildcard]
Enables EIGRP on a network interface by specifying the directly connected network and optional wildcard mask to control which interfaces participate in EIGRP.
Router Config
no auto-summary
Disables automatic summarization of EIGRP routes at classful boundaries, allowing the router to advertise subnets without summarizing to the classful network address.
Router Config
passive-interface [intf]
Prevents an interface from sending EIGRP hello packets and forming neighbor adjacencies, while still allowing the router to advertise the subnet of that interface in EIGRP updates.
Router Config
router eigrp [as-number]
Enters EIGRP router configuration mode for a specific autonomous system number, allowing you to configure EIGRP routing protocol parameters.
Global Config
show ip eigrp interfaces
Displays detailed information about interfaces on which EIGRP is enabled, including neighbor status, pending routes, and interface statistics, used to verify EIGRP adjacency and interface participation.
Privileged EXEC
show ip eigrp neighbors
Displays the neighbor table for EIGRP, showing all directly connected EIGRP routers and their status, used to verify EIGRP adjacencies and troubleshoot neighbor relationships.
Privileged EXEC
show ip eigrp topology
Displays the EIGRP topology table, showing all learned routes and their feasible successors, used to verify EIGRP convergence and path selection.
Privileged EXEC
show ip eigrp traffic
Displays EIGRP packet statistics including sent/received counts for each packet type, used to verify EIGRP neighbor communication and troubleshoot packet loss or authentication issues.
Privileged EXEC
variance [multiplier]
The variance command allows EIGRP to load-balance across multiple routes with unequal costs by specifying a multiplier that defines the range of feasible successor metrics relative to the best successor metric.
Router Config
RIP
7 commands
default-information originate
The default-information originate command injects a default route into a RIP routing domain, typically used to provide internet or WAN connectivity to downstream routers.
Router Config
network [classful-network]
Enables RIP routing on a classful network, causing the router to advertise and learn routes for that network via RIP updates.
Router Config
no auto-summary
Disables automatic summarization of routes at classful boundaries in RIP, allowing subnets to be advertised with their actual subnet masks.
Router Config
passive-interface [intf]
Prevents RIP updates from being sent out a specific interface while still allowing the interface to receive updates.
Router Config
router rip
Enters RIP router configuration mode to enable and configure the Routing Information Protocol (RIP) on a Cisco router.
Global Config
show ip rip database
Displays the RIP routing database, showing all learned RIP routes and their metrics, used to verify RIP routing updates and troubleshoot routing issues.
Privileged EXEC
version 2
Enables RIPv2 on the router, which supports classless routing, VLSM, and authentication, replacing the older RIPv1.
Router Config
BGP
4 commands
clear ip bgp *
Resets all BGP sessions and clears the BGP routing table, forcing a complete re-advertisement and re-learning of all BGP routes from all neighbors.
Privileged EXEC
show ip bgp
Displays the BGP routing table, showing learned BGP routes and their attributes, used for troubleshooting BGP path selection and verifying route advertisement.
Privileged EXEC
show ip bgp neighbors
Displays detailed information about BGP neighbor sessions, including state, timers, and advertised/received prefixes, used to verify BGP peering and troubleshoot neighbor relationships.
Privileged EXEC
show ip bgp summary
Displays a summary of the BGP neighbor status and prefix counts, used to quickly verify BGP peering and routing table health.
Privileged EXEC
VLAN
16 commands
encapsulation dot1Q [vlan-id]
Configures IEEE 802.1Q VLAN encapsulation on a subinterface to enable trunking and route traffic for a specific VLAN.
Subinterface Config
encapsulation isl [vlan-id]
Enables ISL encapsulation on a subinterface for inter-VLAN routing on a router-on-a-stick configuration, assigning the subinterface to a specific VLAN.
Subinterface Config
name [vlan-name]
Assigns a name to a VLAN for identification and management purposes in VLAN configuration mode.
VLAN Config
show interfaces switchport
Displays the administrative and operational status of a switch port, including VLAN membership, trunking mode, and access VLAN, used to verify VLAN configuration and port security settings.
Privileged EXEC
show interfaces trunk
Displays trunk interface status, allowed VLANs, and pruning information for all trunk ports on a Cisco switch, used to verify trunking configuration and VLAN membership.
Privileged EXEC
show vlan
Displays the current VLAN configuration on the switch, including VLAN IDs, names, status, and ports assigned to each VLAN, used to verify VLAN creation and port assignments.
Privileged EXEC
show vlan brief
Displays a summary of all VLANs configured on the switch, including VLAN ID, name, status, and ports, used to quickly verify VLAN configuration and port assignments.
Privileged EXEC
state active
Activates a VLAN that is currently suspended or administratively down, allowing it to forward traffic.
VLAN Config
switchport access vlan [vlan-id]
Assigns a specific VLAN to an access port, placing the port in that VLAN for untagged traffic.
Interface Config
switchport mode access
Configures a switch interface as an access port, placing it in a single VLAN and removing any trunking functionality.
Interface Config
switchport mode trunk
Configures a switch interface as a trunk port, allowing multiple VLANs to traverse the link using IEEE 802.1Q tagging.
Interface Config
switchport nonegotiate
Disables Dynamic Trunking Protocol (DTP) on a switch port, preventing it from sending or receiving DTP frames to negotiate trunking.
Interface Config
switchport trunk allowed vlan [list]
Restricts the VLANs that are allowed to traverse a trunk link on a Cisco switch, used to control which VLAN traffic is permitted on the trunk.
Interface Config
switchport trunk native vlan [id]
Configures the native VLAN for an 802.1Q trunk interface, specifying which VLAN's frames are sent untagged on the trunk.
Interface Config
switchport voice vlan [vlan-id]
Configures a switch port to carry voice traffic from an IP phone on a specific VLAN, separating voice and data traffic on the same physical port.
Interface Config
vlan [vlan-id]
Creates a VLAN on a Cisco switch and enters VLAN configuration mode to assign a name or other parameters.
Global Config
Spanning Tree
20 commands
instance [id] vlan [range]
Creates or modifies an MST instance and maps VLANs to it, enabling per-instance spanning tree behavior in MSTP.
MST Config
name [region-name]
Configures the Multiple Spanning Tree (MST) region name, which is required to group switches into the same MST region for interoperable MSTP operation.
MST Config
revision [number]
Sets the revision number for the MST configuration, which is used to identify the MST region and must match on all switches in the same region.
MST Config
show spanning-tree
Displays the Spanning Tree Protocol (STP) state and configuration for all VLANs or a specific VLAN, used to verify root bridge, port roles, and STP topology.
Privileged EXEC
show spanning-tree brief
Displays a summary of Spanning Tree Protocol (STP) information for all VLANs, showing the root bridge, port states, and roles in a compact format, used to quickly verify STP topology and identify blocked ports.
Privileged EXEC
show spanning-tree detail
Displays detailed Spanning Tree Protocol (STP) information for all VLANs or a specific VLAN, including port roles, states, timers, and bridge IDs, used for troubleshooting STP convergence and topology changes.
Privileged EXEC
show spanning-tree vlan [vlan-id]
Displays Spanning Tree Protocol (STP) information for a specific VLAN, including root bridge, port roles, and port states, used to verify STP topology and troubleshoot loops.
Privileged EXEC
spanning-tree bpdufilter enable
The spanning-tree bpdufilter enable command disables BPDU transmission and reception on a specific interface, effectively preventing the interface from participating in STP, and is used to secure edge ports or reduce unnecessary BPDU traffic.
Interface Config
spanning-tree bpduguard enable
Enables BPDU guard on an interface to protect against unauthorized switches by disabling the port if a BPDU is received, typically used on access ports to prevent bridge loops from rogue devices.
Interface Config
spanning-tree cost [value]
Sets the path cost for a specific interface in Spanning Tree Protocol (STP) calculations, overriding the default cost based on interface speed.
Interface Config
spanning-tree guard loop
Configures loop guard on a spanning-tree port to prevent alternate or root ports from becoming designated in the absence of BPDUs, protecting against unidirectional link failures.
Interface Config
spanning-tree guard root
Enables root guard on a switch port to prevent it from becoming a root port in the Spanning Tree Protocol, protecting against rogue switches that might try to become the root bridge.
Interface Config
spanning-tree mode [pvst|rapid-pvst|mst]
Configures the Spanning Tree Protocol (STP) mode on a Cisco switch to either Per-VLAN Spanning Tree (PVST+), Rapid PVST+, or Multiple Spanning Tree (MST) to prevent Layer 2 loops.
Global Config
spanning-tree pathcost method long
Configures the path cost calculation method for Spanning Tree Protocol (STP) to use 32-bit values (long) instead of the default 16-bit values (short), allowing support for higher-speed interfaces (10 Gbps and above).
Global Config
spanning-tree port-priority [value]
Sets the port priority value for a specific interface to influence which port becomes the root port in a Spanning Tree topology.
Interface Config
spanning-tree portfast
Enables PortFast on an interface to immediately transition from blocking to forwarding state, bypassing STP listening and learning phases, used on access ports connected to end devices to speed up convergence.
Interface Config
spanning-tree portfast bpduguard default
Globally enables BPDU guard on all PortFast-enabled ports, automatically err-disabling a port if it receives a BPDU, protecting the spanning-tree topology from unauthorized switches.
Global Config
spanning-tree portfast default
Globally enables PortFast on all access ports that are not configured with PortFast individually, allowing them to transition directly to forwarding state and skip listening/learning phases.
Global Config
spanning-tree vlan [id] priority [value]
Sets the bridge priority for a specific VLAN to influence the root bridge election in Spanning Tree Protocol (STP).
Global Config
spanning-tree vlan [id] root primary
This command configures a switch as the root bridge for a specific VLAN by setting its bridge priority to 24576 (or lower if another switch has a lower priority), ensuring it becomes the root bridge in the Spanning Tree Protocol (STP) topology.
Global Config
EtherChannel
8 commands
channel-group [id] mode [mode]
Assigns an interface to an EtherChannel bundle with a specified channel-group number and mode (active, passive, or desirable) to aggregate multiple physical links into a single logical link for redundancy and increased bandwidth.
Interface Config
channel-protocol [lacp|pagp]
Specifies the EtherChannel protocol (LACP or PAgP) to be used on an interface for link aggregation.
Interface Config
interface port-channel [id]
Creates or enters the configuration mode for an EtherChannel port-channel interface, used to bundle multiple physical Ethernet links into a single logical link for redundancy and increased bandwidth.
Global Config
lacp port-priority [value]
Sets the LACP port priority for an interface, which determines which ports become active in an LACP EtherChannel when the maximum number of allowed ports is reached.
Interface Config
lacp system-priority [value]
Sets the LACP system priority to determine which switch controls the EtherChannel bundle when negotiating with a peer.
Global Config
show etherchannel port
Displays detailed port-level information for all ports that are part of an EtherChannel bundle, including port state, aggregation protocol, and partner details.
Privileged EXEC
show etherchannel protocol
Displays the protocol (LACP or PAgP) used by each EtherChannel bundle, useful for verifying that all member ports are using the same negotiation protocol.
Privileged EXEC
show etherchannel summary
Displays the status and configuration of all EtherChannel interfaces on the switch, used to verify channel bundling, port membership, and protocol state.
Privileged EXEC
Interfaces
21 commands
bandwidth [kbps]
Sets the bandwidth value (in kbps) on an interface for routing protocol metric calculations and QoS, overriding the default detected bandwidth.
Interface Config
clear counters
Resets interface counters (e.g., input/output errors, packets) to zero, typically used to clear statistics before monitoring or troubleshooting.
Privileged EXEC
delay [tens-of-us]
Sets the delay value (in tens of microseconds) for an interface, used by routing protocols like EIGRP to calculate metric.
Interface Config
description [text]
The 'description' command in interface configuration mode adds a text description to an interface to identify its purpose, connection, or other administrative information, aiding in documentation and troubleshooting.
Interface Config
duplex [full|half|auto]
Sets the duplex mode on a switch or router interface to full, half, or auto-negotiation.
Interface Config
interface [type] [number]
Enters interface configuration mode for a specific interface (e.g., GigabitEthernet0/1) to configure Layer 2 or Layer 3 parameters.
Global Config
interface loopback [number]
Creates a virtual loopback interface on a router, used for router ID selection, management reachability, and testing without physical hardware.
Global Config
interface range [type] [range]
Configures multiple interfaces of the same type simultaneously using a range or comma-separated list, enabling bulk configuration changes like VLAN assignment or port security.
Global Config
ip address [ip] [mask]
Assigns an IPv4 address and subnet mask to an interface, enabling IP communication on that interface.
Interface Config
ip address [ip] [mask] secondary
Assigns a secondary IP address to an interface, allowing the interface to be reachable on multiple subnets simultaneously.
Interface Config
mtu [bytes]
Sets the maximum transmission unit (MTU) size for an interface, controlling the largest packet that can be transmitted without fragmentation.
Interface Config
no shutdown
Enables an interface that has been administratively disabled, allowing it to forward traffic and participate in network operations.
Interface Config
show controllers
Displays detailed hardware and interface controller status information, used to diagnose physical layer issues such as cable faults, clocking problems, or interface errors.
Privileged EXEC
show interfaces
Displays detailed status and statistics for all interfaces or a specific interface, used to verify interface operational state, errors, and performance.
Privileged EXEC
show interfaces counters
Displays interface packet and byte counters for all interfaces or a specific interface, useful for monitoring traffic statistics and identifying errors or discards.
Privileged EXEC
show interfaces description
Displays a summary of all interfaces with their status, protocol, and description, useful for quickly verifying interface connectivity and administrative notes.
Privileged EXEC
show interfaces status
Displays a summary of all switch interfaces including their status, VLAN, duplex, speed, and type, used to quickly verify interface connectivity and configuration.
Privileged EXEC
show ip interface
Displays the status and configuration of all IP interfaces on a Cisco router, including IP address, protocol status, and interface statistics, used for verifying interface IP configuration and troubleshooting connectivity issues.
Privileged EXEC
show ip interface brief
Displays a summary of all IP interfaces on the device, including their IP address, status, and protocol state, used for quick verification of interface configuration and connectivity.
Privileged EXEC
shutdown
Disables an interface, preventing it from sending or receiving traffic, typically used for administrative shutdown or troubleshooting.
Interface Config
speed [10|100|1000|auto]
Sets the speed of a Cisco switch or router interface to a specific value or auto-negotiation.
Interface Config
Layer 2
5 commands
clear arp-cache
Clears the entire ARP cache on the device, forcing the router to dynamically re-learn all ARP entries, typically used to resolve connectivity issues caused by stale or incorrect ARP mappings.
Privileged EXEC
clear mac address-table dynamic
Clears all dynamically learned MAC address entries from the MAC address table, forcing the switch to relearn MAC addresses on interfaces.
Privileged EXEC
show ip arp
Displays the Address Resolution Protocol (ARP) cache, mapping IP addresses to MAC addresses on a router or switch, used to verify connectivity and troubleshoot Layer 2 issues.
Privileged EXEC
show mac address-table
Displays the MAC address table (also known as CAM table) on a switch, showing which MAC addresses are learned on which VLAN and port, used to verify Layer 2 forwarding and detect issues like MAC flooding or incorrect port assignments.
Privileged EXEC
show mac address-table dynamic
Displays the dynamically learned MAC address table entries on a switch, used to verify which devices are learned on which ports and VLANs.
Privileged EXEC
Security
39 commands
crypto key generate rsa modulus [bits]
Generates an RSA key pair for SSH, encryption, or digital signatures on a Cisco IOS device, typically used to enable secure management access.
Global Config
enable password [password]
Sets a plaintext password for privileged EXEC access in global configuration mode, used when no enable secret is configured.
Global Config
enable secret [password]
Sets an encrypted password for privileged EXEC access, replacing the less secure 'enable password' command.
Global Config
errdisable recovery cause psecure-violation
Enables automatic recovery of ports that have been error-disabled due to port security violation (psecure-violation), allowing them to come back up after a specified timeout without manual intervention.
Global Config
errdisable recovery interval [secs]
Configures the time interval after which a port disabled due to an error-disabled condition will automatically be re-enabled.
Global Config
exec-timeout [min] [sec]
Sets the inactivity timeout for an EXEC session on a line, automatically logging out idle users to free up resources and enhance security.
Line Config
ip arp inspection trust
Configures a switch interface as a trusted port for Dynamic ARP Inspection (DAI), allowing all ARP packets to bypass validation.
Interface Config
ip arp inspection validate src-mac dst-mac ip
Enables validation of source MAC, destination MAC, and IP addresses in ARP packets to prevent ARP spoofing attacks on trusted ports.
Global Config
ip arp inspection vlan [id]
Enables Dynamic ARP Inspection (DAI) on specified VLANs to validate ARP packets and prevent ARP spoofing attacks.
Global Config
ip dhcp snooping
Enables DHCP snooping globally on the switch to filter untrusted DHCP messages and prevent rogue DHCP server attacks.
Global Config
ip dhcp snooping limit rate [pps]
Limits the rate of DHCP packets processed by DHCP snooping on an interface to prevent DHCP starvation attacks.
Interface Config
ip dhcp snooping trust
Configures an interface as a trusted port for DHCP snooping, allowing DHCP server responses to be forwarded through it.
Interface Config
ip dhcp snooping vlan [id]
Enables DHCP snooping on a specific VLAN to filter untrusted DHCP messages and prevent rogue DHCP server attacks.
Global Config
ip domain-name [domain]
Configures the default domain name appended to incomplete hostnames during DNS resolution, enabling the router to resolve unqualified names into fully qualified domain names.
Global Config
ip ssh version 2
Enables SSH version 2 on the router for secure remote management, replacing the less secure version 1.
Global Config
login block-for [secs] attempts [n] within [secs]
Configures the router to block login attempts from a source IP address after a specified number of failed attempts within a given time window, used to prevent brute-force attacks on VTY lines.
Global Config
login delay [secs]
Configures a delay in seconds before the next login attempt after a failed login, used to slow down brute-force attacks on the console or VTY lines.
Global Config
login local
Configures the line to require local username/password authentication using the local database, typically applied to console, vty, or aux lines for secure access.
Line Config
login on-failure log
Enables logging of failed login attempts to the syslog server for security monitoring and auditing.
Global Config
private-vlan [isolated|community|primary]
Configures a VLAN as a private VLAN, designating it as isolated, community, or primary to provide Layer 2 isolation between ports within the same VLAN.
VLAN Config
service password-encryption
Encrypts all plaintext passwords in the running configuration to prevent unauthorized viewing of password data.
Global Config
show ip arp inspection
Displays the Dynamic ARP Inspection (DAI) statistics and configuration status on a switch, used to verify DAI operation and troubleshoot ARP spoofing attacks.
Privileged EXEC
show ip dhcp snooping
Displays the DHCP snooping binding database and statistics, used to verify DHCP snooping operation and identify rogue DHCP servers or unauthorized clients.
Privileged EXEC
show ip dhcp snooping binding
Displays the DHCP snooping binding database, which maps client MAC addresses to leased IP addresses, VLANs, and interfaces, used to verify DHCP snooping entries and detect unauthorized DHCP activity.
Privileged EXEC
show ip ssh
Displays the status and configuration of the SSH server on the Cisco IOS device, used to verify SSH is enabled and check connection details.
Privileged EXEC
show port-security
Displays the port security configuration and status on switch interfaces, used to verify and troubleshoot port security settings.
Privileged EXEC
show port-security address
Displays the secure MAC addresses configured on all switch ports or a specific interface, used to verify port security address learning and aging.
Privileged EXEC
show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.
Privileged EXEC
show ssh
Displays the status and configuration of SSH server connections on a Cisco device, used to verify SSH sessions, authentication methods, and encryption settings.
Privileged EXEC
storm-control action shutdown
Configures the switch to shut down a port when a storm exceeds the configured threshold, preventing broadcast, multicast, or unicast storms from affecting network stability.
Interface Config
storm-control broadcast level [pct]
Configures broadcast storm control on a switch interface to limit the percentage of broadcast traffic, preventing network disruptions from excessive broadcasts.
Interface Config
switchport port-security
Enables port security on a switch interface to restrict input to a limited number of MAC addresses, preventing unauthorized devices from accessing the network.
Interface Config
switchport port-security mac-address [mac|sticky]
Configures a specific secure MAC address or enables sticky learning on a switchport for port security.
Interface Config
switchport port-security maximum [n]
Sets the maximum number of secure MAC addresses allowed on a switch port, limiting the number of devices that can connect through that port.
Interface Config
switchport port-security violation [protect|restrict|shutdown]
Configures the action a switch port takes when a security violation occurs, such as when the maximum number of MAC addresses is exceeded or an unauthorized MAC address attempts to communicate.
Interface Config
transport input all
Configures a VTY line to accept all supported protocols (Telnet, SSH, etc.) for incoming connections, typically used to allow remote management access.
Line Config
transport input ssh
Restricts incoming connections on a VTY line to SSH only, blocking unencrypted Telnet access for secure remote management.
Line Config
username [name] secret [password]
Creates a local user account with an encrypted password (using MD5 hashing) for authentication on Cisco IOS devices, typically used for SSH, console, or AUX access.
Global Config
vlan filter [access-map] vlan-list [id]
Applies a VLAN access-map to filter traffic in a specified VLAN list, controlling which packets are forwarded or dropped based on configured match clauses.
Global Config
ACL
13 commands
access-class [acl] in
Restricts incoming or outgoing Telnet/SSH access to a router line (VTY, AUX, console) by applying an ACL that filters source IP addresses.
Line Config
access-list [1-99] permit|deny [source]
Creates a standard numbered access list (1-99) to permit or deny traffic based on source IP address, used to filter packets entering or leaving a router interface.
Global Config
access-list [100-199] permit|deny [proto] [src] [dst]
Configures an extended access list (100-199) to permit or deny traffic based on protocol, source, and destination, used for granular traffic filtering on Cisco routers.
Global Config
ip access-group [acl] [in|out]
Applies an access control list (ACL) to an interface to filter inbound or outbound traffic based on the ACL rules.
Interface Config
ip access-list extended [name]
Creates or enters an extended named access list to filter traffic based on source/destination IP, protocol, and port numbers, used for granular traffic control.
Global Config
ip access-list resequence [name] [start] [increment]
Resequences the sequence numbers of entries in a named IP access list to allow insertion of new entries between existing ones.
Global Config
ip access-list standard [name]
Creates or enters a standard named IP access list to filter traffic based on source IP address, used to permit or deny packets in a Cisco IOS network.
Global Config
ipv6 access-list [name]
Creates or enters IPv6 access list configuration mode to define a named IPv6 access control list for filtering IPv6 traffic based on source/destination addresses, ports, and protocols.
Global Config
ipv6 traffic-filter [name] [in|out]
Applies an IPv6 ACL to filter inbound or outbound traffic on an interface.
Interface Config
permit|deny [proto] [src] [dest] [eq port]
Configures an access control list (ACL) entry to permit or deny traffic based on protocol, source, destination, and optional port number.
ACL Config
remark [comment text]
Adds a descriptive comment to an access control entry (ACE) in an ACL to document its purpose, without affecting traffic filtering.
ACL Config
show access-lists
Displays all configured access control lists (ACLs) on the device, including their entries and match counters, used to verify ACL configuration and traffic filtering.
Privileged EXEC
show ip access-lists
Displays the contents of all current IP access lists or a specific access list, including the number of matches for each entry, used to verify and troubleshoot ACL configuration and traffic filtering.
Privileged EXEC
NAT
9 commands
clear ip nat translation *
Clears all dynamic NAT translations from the translation table, forcing the router to rebuild translations for new traffic.
Privileged EXEC
ip nat inside
Designates an interface as the inside (private) interface for NAT translation, enabling the router to translate source IP addresses of packets leaving this interface.
Interface Config
ip nat inside source list [acl] interface [intf] overload
Configures dynamic NAT overload (PAT) to translate multiple inside private IP addresses to a single public IP address using the interface's IP, based on an access list.
Global Config
ip nat inside source list [acl] pool [name]
Configures dynamic NAT by translating inside local IP addresses to inside global addresses from a pool, based on an access list.
Global Config
ip nat inside source static [local-ip] [global-ip]
Configures static NAT to map a single inside local IP address to a single inside global IP address, allowing internal hosts to be reachable from external networks.
Global Config
ip nat outside
Marks an interface as the outside (public) side for NAT, enabling translation of source addresses for traffic leaving the inside network.
Interface Config
ip nat pool [name] [start-ip] [end-ip] netmask [mask]
Defines a pool of global IP addresses for dynamic NAT or PAT translation, used when translating multiple inside addresses to a range of outside addresses.
Global Config
show ip nat statistics
Displays statistics about NAT translations, including active translations, hit counts, and configuration parameters, used to verify NAT operation and troubleshoot translation issues.
Privileged EXEC
show ip nat translations
Displays the current active Network Address Translation (NAT) translations on the router, used to verify NAT operations and troubleshoot connectivity issues.
Privileged EXEC
DHCP
14 commands
default-router [ip]
Specifies the default gateway IP address to be assigned to DHCP clients in a DHCP pool configuration.
DHCP Pool Config
dns-server [ip]
Specifies the DNS server IP address(es) that will be assigned to DHCP clients on a specific DHCP pool.
DHCP Pool Config
domain-name [domain]
Assigns a domain name to DHCP clients, which is used for DNS resolution and device naming.
DHCP Pool Config
ip address dhcp
Configures a router interface to obtain an IP address dynamically from a DHCP server, typically used on LAN interfaces connecting to networks with DHCP services.
Interface Config
ip dhcp excluded-address [start] [end]
Excludes one or more IP addresses from the DHCP pool so they are not automatically assigned to clients, typically used for static assignments like servers or routers.
Global Config
ip dhcp pool [name]
Creates a DHCP pool and enters DHCP pool configuration mode, where you define the subnet, default gateway, DNS servers, and other DHCP options for assigning IP addresses to clients.
Global Config
ip helper-address [dhcp-server-ip]
Configures a DHCP relay agent on an interface to forward DHCP broadcast requests to a specific DHCP server IP address.
Interface Config
lease [days] [hours] [mins]
Sets the DHCP lease duration for addresses assigned from a DHCP pool, controlling how long a client can use an IP address before renewing.
DHCP Pool Config
network [ip] [mask]
Defines the subnet or network number for the DHCP pool, specifying which IP addresses the DHCP server can assign to clients.
DHCP Pool Config
no ip dhcp conflict address [ip]
Use this command to clear a specific IP address from the DHCP conflict table, allowing the DHCP server to reassign that address to a client.
Global Config
show ip dhcp binding
Displays the current DHCP binding table, showing which IP addresses have been leased to clients, along with their MAC addresses, lease expiration, and type of binding.
Privileged EXEC
show ip dhcp conflict
Displays IP address conflicts detected by the DHCP server, helping administrators identify and resolve duplicate IP assignments on the network.
Privileged EXEC
show ip dhcp pool
Displays the configuration and utilization statistics of a DHCP pool, used to verify pool settings and address allocation status.
Privileged EXEC
show ip dhcp server statistics
Displays DHCP server statistics, including the number of messages sent and received, to monitor DHCP server performance and troubleshoot issues.
Privileged EXEC
AAA
14 commands
aaa accounting exec default start-stop group tacacs+
Enables AAA accounting for all EXEC shell sessions (user login/logout) and sends accounting records to a TACACS+ server group for auditing or billing.
Global Config
aaa authentication login default group radius local
Configures AAA authentication for login using a RADIUS server group as the primary method, falling back to local authentication if the RADIUS server is unreachable.
Global Config
aaa authorization exec default group tacacs+ local
Configures AAA authorization for EXEC sessions, using TACACS+ as the primary method and local authentication as fallback, to control user access to the CLI after authentication.
Global Config
aaa new-model
Enables AAA (Authentication, Authorization, and Accounting) security services on a Cisco device, required before configuring any AAA commands.
Global Config
address ipv4 [ip]
Configures the IPv4 address of a TACACS+ server for AAA authentication, authorization, and accounting.
TACACS Config
address ipv4 [ip] auth-port 1812
Configures the IPv4 address and authentication port for a RADIUS server, used to specify the server that handles AAA authentication requests.
RADIUS Config
key [shared-secret]
Configures the shared secret key used for RADIUS authentication and accounting between the Cisco device and the RADIUS server.
RADIUS Config
key [shared-secret]
Configures the shared secret key used for TACACS+ authentication between the Cisco device and the TACACS+ server.
TACACS Config
privilege exec level [0-15] [command]
Assigns a specific privilege level (0-15) to a Cisco IOS command, allowing granular control over which commands users at different privilege levels can execute.
Global Config
radius server [name]
Configures a RADIUS server entry with its IP address and authentication/accounting parameters for AAA services.
Global Config
show aaa servers
Displays the status and statistics of all configured AAA (Authentication, Authorization, and Accounting) servers, used to verify server reachability and authentication activity.
Privileged EXEC
show privilege
Displays the current privilege level of the user session, used to verify access rights and confirm the effective privilege level after authentication or privilege escalation.
Privileged EXEC
tacacs server [name]
Defines a TACACS+ server with a name and enters TACACS server configuration mode to set parameters like key, timeout, and port for AAA authentication.
Global Config
username [name] privilege [1-15]
Assigns a privilege level (1-15) to a local username, controlling command access for that user.
Global Config
VPN
19 commands
authentication pre-share
Specifies the authentication method as pre-shared keys for an ISAKMP policy, used to authenticate IKE phase 1 peers in IPsec VPNs.
ISAKMP Policy Config
crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
Global Config
crypto isakmp key [key] address [peer]
Configures a pre-shared key for IKE (ISAKMP) authentication with a specific peer IP address, used to establish IPsec VPN tunnels.
Global Config
crypto isakmp policy [priority]
Creates or modifies an ISAKMP (IKE) policy for IPsec VPN negotiations, defining encryption, authentication, and key exchange parameters.
Global Config
crypto map [name]
The crypto map command in interface configuration mode applies a previously defined crypto map set to a router interface, enabling IPsec VPN encryption and decryption on that interface.
Interface Config
crypto map [name] [seq] ipsec-isakmp
Creates or modifies a crypto map entry for IPsec VPN configuration, defining the security policies and peer parameters for IKE and IPsec negotiations.
Global Config
encryption [aes|3des|des]
Specifies the encryption algorithm to use for IPsec phase 1 (ISAKMP) proposals, ensuring confidentiality of key management traffic.
ISAKMP Policy Config
group [2|5|14]
Specifies the Diffie-Hellman (DH) group identifier for an ISAKMP policy, determining the key exchange strength and security level.
ISAKMP Policy Config
hash [sha|md5]
Specifies the hash algorithm (SHA or MD5) used for authentication in ISAKMP Phase 1 proposals to ensure data integrity and peer authentication.
ISAKMP Policy Config
interface tunnel [number]
Creates a tunnel interface for encapsulating traffic (e.g., GRE, IPsec) to connect remote networks over an untrusted intermediate network.
Global Config
match address [acl]
Associates an IP access list with a crypto map entry to define which traffic should be encrypted and sent over the VPN tunnel.
Crypto Map Config
set peer [ip]
Specifies the IP address of the remote VPN peer for an IPsec crypto map entry, defining the endpoint for the VPN tunnel.
Crypto Map Config
set transform-set [name]
Defines an IPsec transform set, which specifies the encryption and authentication algorithms used to protect VPN traffic, and is applied to a crypto map entry.
Crypto Map Config
show crypto ipsec sa
Displays the current state and statistics of IPsec security associations (SAs) to verify VPN tunnel establishment and monitor encrypted traffic.
Privileged EXEC
show crypto isakmp sa
Displays the current state of Internet Key Exchange (IKE) Security Associations (SAs) used for IPsec VPN tunnels, allowing verification of Phase 1 tunnel establishment.
Privileged EXEC
show crypto map
Displays the configured crypto map entries, including their match criteria, peer addresses, and transform sets, used to verify IPsec VPN policy configuration.
Privileged EXEC
tunnel destination [ip]
Specifies the destination IP address for a tunnel interface, used to define the remote endpoint of a point-to-point VPN tunnel.
Interface Config
tunnel mode gre ip
Configures a tunnel interface to use Generic Routing Encapsulation (GRE) as the tunnel mode, enabling the transport of multiprotocol packets over an IP network.
Interface Config
tunnel source [intf|ip]
Specifies the source interface or IP address for a tunnel interface, used to define the tunnel's source address for VPN or overlay networks.
Interface Config
QoS
20 commands
bandwidth [kbps|percent n]
The bandwidth command in policy-map class configuration mode allocates a minimum bandwidth guarantee (in kbps or as a percentage) to a specific traffic class during congestion, ensuring QoS for critical applications.
Policy-map Class Config
class [class-map-name]
The class command in policy-map configuration mode associates a traffic class (defined via class-map) with a set of QoS actions (like policing, shaping, or marking) within a service policy.
Policy-map Config
class-map match-all [name]
Creates a class map that matches packets based on multiple match criteria, requiring all conditions to be true (logical AND) for traffic classification in QoS policies.
Global Config
class-map match-any [name]
Creates a class map that matches traffic if any one of the specified match criteria is true, used to classify traffic for QoS policies.
Global Config
match access-group name [acl]
Matches packets against a named or numbered access list to classify traffic for QoS policy application.
Class-map Config
match dscp [value]
Matches packets based on the DSCP value in the IP header for classification in a class map.
Class-map Config
match protocol [http|ftp|voip]
Matches packets based on the application protocol (HTTP, FTP, or VoIP) in a class map for QoS classification.
Class-map Config
mls qos
Enables QoS globally on a Catalyst switch and enters MLS QoS configuration mode to configure trust settings, queueing, and policing.
Global Config
mls qos cos [value]
Sets the default CoS (Class of Service) value for incoming packets on an interface when the packet does not already carry a CoS marking, used to prioritize traffic at Layer 2.
Interface Config
mls qos trust [cos|dscp]
Sets the trust state on an interface to use either the CoS or DSCP value for QoS classification, enabling the switch to honor incoming QoS markings.
Interface Config
police rate [bps] burst [bytes]
Configures traffic policing on a class map to enforce a maximum bit rate and burst size, dropping or remarking packets that exceed the rate.
Policy-map Class Config
policy-map [name]
Creates or modifies a QoS policy-map that defines a set of class-maps and associated actions (e.g., bandwidth, priority, drop) to apply to traffic on Cisco IOS routers.
Global Config
priority [kbps|percent n]
Configures strict priority queuing for a class in a policy map, optionally specifying bandwidth in kbps or as a percentage of the interface bandwidth.
Policy-map Class Config
service-policy [input|output] [policy]
Applies a QoS policy map to an interface for inbound or outbound traffic classification, marking, policing, shaping, or queuing.
Interface Config
set dscp [value]
Sets the Differentiated Services Code Point (DSCP) value in the IP header for packets matching a class map in a policy map, used to mark traffic for QoS classification.
Policy-map Class Config
show class-map
Displays the configuration and match criteria of all class maps or a specific class map, used to verify QoS classification rules.
Privileged EXEC
show mls qos
Displays the QoS (Quality of Service) configuration and statistics on a Cisco switch, used to verify and troubleshoot QoS policies.
Privileged EXEC
show policy-map
Displays the configuration and statistics of all policy maps applied to interfaces, used to verify QoS policies and monitor traffic class counters.
Privileged EXEC
show policy-map interface
Displays the current QoS policy applied to an interface, including per-class statistics such as packets matched, bytes, and actions taken, used to verify and troubleshoot QoS configurations.
Privileged EXEC
show traffic-shape
Displays traffic shaping configuration and statistics for all interfaces or a specific interface, used to verify shaping parameters and monitor traffic conformance.
Privileged EXEC
IPv6
11 commands
ipv6 address [addr] link-local
Assigns a link-local IPv6 address to an interface, overriding the automatically generated EUI-64 address.
Interface Config
ipv6 address [prefix/64] eui-64
Configures an IPv6 address on an interface using the EUI-64 format, which automatically generates the interface ID from the MAC address, commonly used for stateless address autoconfiguration (SLAAC).
Interface Config
ipv6 address [prefix/len]
Assigns a global unicast or link-local IPv6 address to an interface, enabling IPv6 routing on that interface.
Interface Config
ipv6 enable
Enables IPv6 processing on an interface, allowing the interface to forward IPv6 traffic and participate in IPv6 routing protocols.
Interface Config
ipv6 route [prefix/len] [next-hop]
Configures a static IPv6 route in the global routing table, specifying the destination prefix and next-hop address or exit interface.
Global Config
ipv6 router ospf [pid]
Enables the OSPFv3 routing process for IPv6 on a router and enters OSPF router configuration mode, used to configure OSPFv3 parameters.
Global Config
ipv6 unicast-routing
Enables IPv6 unicast routing on a Cisco router, allowing it to forward IPv6 packets and participate in IPv6 routing protocols.
Global Config
show ipv6 interface brief
Displays a summary of IPv6 interface status and addresses, useful for quickly verifying IPv6 configuration and interface operational state.
Privileged EXEC
show ipv6 neighbors
Displays the IPv6 neighbor discovery cache, showing the mapping of IPv6 addresses to MAC addresses on directly connected links, used to verify neighbor reachability and troubleshoot IPv6 connectivity.
Privileged EXEC
show ipv6 ospf
Displays general information about OSPFv3 (IPv6 OSPF) routing processes, including router ID, areas, and interfaces, used to verify OSPFv3 configuration and operation.
Privileged EXEC
show ipv6 route
Displays the IPv6 routing table on a Cisco router, showing all known IPv6 routes and their next-hop information for troubleshooting and verification of IPv6 routing.
Privileged EXEC
Wireless
12 commands
ap dot11 24ghz [setting]
Configures 2.4 GHz radio settings on a Cisco AP, used to enable/disable the radio or adjust parameters like channel and power.
Global Config
ap dot11 5ghz [setting]
Configures 5 GHz radio settings on a Cisco AP, such as channel, power, or client limit, to optimize wireless performance.
Global Config
no security wpa2
Disables WPA2 security on a WLAN, reverting to open or no security, typically used for troubleshooting or legacy device compatibility.
WLAN Config
security wpa2 psk set-key ascii [psk]
Configures the pre-shared key (PSK) for WPA2 personal authentication on a WLAN, used to set the passphrase that clients must provide to associate securely.
WLAN Config
show ap summary
Displays a summary of all connected access points, including their names, IP addresses, status, and model information, used to quickly verify AP connectivity and operational state.
Privileged EXEC
show controllers dot11Radio 0
Displays detailed hardware and firmware status of the 802.11 radio interface, used for troubleshooting wireless connectivity issues on Cisco access points and routers.
Privileged EXEC
show dot11 associations
Displays the list of wireless clients currently associated with a Cisco access point, including their MAC addresses, IP addresses, signal strength, and connection state, used for troubleshooting client connectivity and performance issues.
Privileged EXEC
show wireless client summary
Displays a summary of all wireless clients currently associated with the controller, including their MAC addresses, IP addresses, SSIDs, and connection status, used for quick client monitoring and troubleshooting.
Privileged EXEC
show wlan summary
Displays a summary of all WLANs configured on a Cisco wireless controller, used to quickly verify WLAN IDs, names, SSIDs, status, security settings, and interface bindings.
Privileged EXEC
wireless profile policy [name]
Creates or modifies a wireless policy profile, which defines client access policies (e.g., VLAN, QoS, ACLs) for a WLAN on a Cisco wireless LAN controller.
Global Config
wireless tag site [name]
Creates or modifies a site tag for wireless networks, used to group APs by physical location for policy and RF management.
Global Config
wlan [profile-name] [wlan-id] [ssid]
Creates or modifies a WLAN profile on a Cisco wireless LAN controller, associating it with a WLAN ID and SSID for wireless client access.
Global Config
CDP / LLDP
10 commands
cdp enable
Enables Cisco Discovery Protocol (CDP) on a specific interface to allow the device to advertise itself and discover neighboring Cisco devices.
Interface Config
cdp run
Enables Cisco Discovery Protocol (CDP) globally on the device to discover directly connected Cisco devices and gather information about them.
Global Config
lldp receive
Enables LLDP reception on an interface, allowing the device to receive LLDP advertisements from neighboring devices for network discovery and topology mapping.
Interface Config
lldp run
Globally enables Link Layer Discovery Protocol (LLDP) on the switch, allowing it to advertise and receive device information from directly connected LLDP-capable neighbors.
Global Config
lldp transmit
Enables LLDP transmission on an interface, allowing the device to advertise its identity and capabilities to neighboring LLDP-enabled devices.
Interface Config
no cdp run
Globally disables Cisco Discovery Protocol (CDP) on the router or switch to prevent device discovery and reduce unnecessary traffic.
Global Config
show cdp neighbors
Displays information about directly connected Cisco devices discovered via CDP, used to verify neighbor relationships and gather device details.
Privileged EXEC
show cdp neighbors detail
Displays detailed information about directly connected Cisco devices discovered via CDP, including IP addresses, IOS version, platform, and interface details, useful for verifying neighbor relationships and troubleshooting Layer 2 connectivity.
Privileged EXEC
show lldp neighbors
Displays information about directly connected LLDP-capable devices, including device ID, local interface, hold time, capability, and port ID, used to verify LLDP neighbor discovery and troubleshoot Layer 2 connectivity.
Privileged EXEC
show lldp neighbors detail
Displays detailed information about LLDP neighbors, including device capabilities, management addresses, and port descriptions, used for verifying Layer 2 topology and device discovery.
Privileged EXEC
System Management
50 commands
archive log config
The 'archive log config' command enables logging of configuration changes on a Cisco IOS device, allowing administrators to track who made what changes and when for auditing and troubleshooting purposes.
Global Config
banner login # [message] #
Configures a message that displays before the username/password login prompt on a Cisco device, used for legal warnings or informational banners.
Global Config
banner motd # [message] #
The 'banner motd' command configures a Message of the Day (MOTD) banner that displays upon login to the router, used to display legal warnings, system information, or welcome messages.
Global Config
boot system flash [filename]
Specifies the IOS image file on flash memory to load at next system boot, overriding the default boot sequence.
Global Config
clear logging
Clears the logging buffer on a Cisco IOS device, removing all syslog messages stored in memory, typically used to reset the log for troubleshooting or to free up buffer space.
Privileged EXEC
clock set [hh:mm:ss] [day] [month] [year]
Sets the system clock on a Cisco IOS device from privileged EXEC mode, used to manually configure the router's time when NTP is not available.
Privileged EXEC
copy flash: tftp:
Copies a file from the router's flash memory to a TFTP server, used for backing up IOS images or configuration files.
Privileged EXEC
copy running-config startup-config
Saves the current running configuration to the startup configuration file in NVRAM, ensuring changes persist after a router reload.
Privileged EXEC
copy running-config tftp:
Copies the current running configuration from RAM to a TFTP server for backup or distribution.
Privileged EXEC
copy startup-config running-config
Copies the saved startup configuration (startup-config) into the active running configuration (running-config), effectively restoring the device to the state saved in NVRAM without a reboot.
Privileged EXEC
copy tftp: flash:
Copies a file from a TFTP server to the router's flash memory, used to upgrade IOS images, restore configurations, or add files.
Privileged EXEC
delete [file]
Deletes a file from the device's flash memory or other storage, used to remove unwanted configuration files, IOS images, or other stored data.
Privileged EXEC
dir [flash:|nvram:|bootflash:]
Lists the contents of a specified file system (flash, nvram, or bootflash) on a Cisco IOS device, showing file names, sizes, dates, and available space.
Privileged EXEC
erase startup-config
Deletes the startup configuration file from NVRAM, causing the router to load with factory defaults on next reload.
Privileged EXEC
hostname [name]
Sets the hostname of the device, which is used to identify the router or switch in the CLI prompt and network management systems.
Global Config
line aux 0
Enters line configuration mode for the auxiliary (AUX) port, allowing configuration of console-like settings for remote out-of-band management via modem or terminal server.
Global Config
line console 0
Enters line configuration mode for the console port (line 0) to configure console access parameters such as password, timeout, and exec mode.
Global Config
line vty 0 4
Enters line configuration mode for virtual terminal (VTY) lines 0 through 4 to configure remote access settings like Telnet/SSH, ACLs, and timeout parameters.
Global Config
logging host [ip]
Configures the router to send syslog messages to a remote syslog server at the specified IP address for centralized logging and monitoring.
Global Config
logging synchronous
Prevents console and VTY line output from being interrupted by unsolicited system messages, ensuring that command output remains readable.
Line Config
logging trap [level]
Configures the severity level for syslog messages sent to a remote syslog server, filtering which messages are forwarded based on their severity.
Global Config
more [file]
Displays the contents of a file stored in the router's flash memory or other file systems, commonly used to view configuration files, logs, or text files.
Privileged EXEC
no ip domain-lookup
Disables DNS-based hostname resolution on a Cisco router or switch, preventing the device from attempting to resolve unrecognized commands as domain names.
Global Config
ntp master [stratum]
Configures the router to act as an NTP master server, providing time synchronization to other devices when no external NTP source is available.
Global Config
ntp server [ip]
Configures the router to synchronize its system clock with an NTP server, ensuring accurate time for logging, authentication, and network protocols.
Global Config
reload
The reload command reboots a Cisco IOS device, typically used to apply configuration changes or recover from a system issue.
Privileged EXEC
show boot
Displays the current boot settings, including the boot system commands and the startup configuration file location, used to verify or troubleshoot the router's boot process.
Privileged EXEC
show clock
Displays the current system date, time, timezone, and whether the time is synchronized via NTP or manually set, used to verify system time accuracy for logging, authentication, and scheduled tasks.
Privileged EXEC
show environment
Displays the environmental status of the device, including temperature, voltage, and fan status, to monitor hardware health and detect potential failures.
Privileged EXEC
show file systems
Displays a list of all file systems available on the Cisco IOS device, including their type, permissions, and usage statistics, used for verifying storage availability and managing files.
Privileged EXEC
show flash
Displays the contents and status of the flash memory, including files, their sizes, and available space, used to verify IOS images and configuration files.
Privileged EXEC
show inventory
Displays the hardware inventory of the device, including serial numbers and part numbers for all installed modules, used for asset management and verifying hardware components.
Privileged EXEC
show line
Displays line configuration and status information for console, auxiliary, and vty lines, used to verify line settings and monitor user connections.
Privileged EXEC
show logging
Displays the state of system logging (syslog) on the device, including buffer contents, logging configuration, and statistics, used for troubleshooting and monitoring system events.
Privileged EXEC
show memory statistics
Displays memory utilization statistics on the router, including total memory, used memory, free memory, and memory pool details, used to diagnose memory leaks or capacity issues.
Privileged EXEC
show module
Displays the status, model, serial numbers, and hardware/software versions of all modules installed in a modular Cisco switch or router, used for verifying hardware inventory and module health.
Privileged EXEC
show ntp associations
Displays the status of NTP associations configured on the device, used to verify NTP synchronization and identify time sources.
Privileged EXEC
show ntp status
Displays the current NTP synchronization status, including clock stratum, reference clock, and synchronization state, used to verify NTP operation and clock accuracy.
Privileged EXEC
show processes cpu
Displays CPU utilization statistics for all processes running on the Cisco IOS device, used to identify processes consuming excessive CPU and diagnose performance issues.
Privileged EXEC
show running-config
Displays the current active configuration in DRAM, showing all non-default settings.
Privileged EXEC
show startup-config
Displays the saved configuration stored in NVRAM that loads on next device boot.
Privileged EXEC
show users
Displays active user sessions on the router, including line type, idle time, and remote IP addresses, useful for monitoring who is logged in and troubleshooting connectivity issues.
Privileged EXEC
show version
Displays system hardware and software information, including IOS version, uptime, memory, interfaces, and configuration register, used to verify device identity and software compatibility.
Privileged EXEC
snmp-server community [string] [ro|rw]
Configures an SNMP community string on a Cisco IOS device to allow SNMP access with read-only or read-write privileges for network monitoring and management.
Global Config
snmp-server contact [text]
Sets the SNMP system contact information for the device, used to identify the responsible person or team for network management.
Global Config
snmp-server enable traps
Enables SNMP trap notifications on the device, allowing it to send alerts to an SNMP manager for specified events.
Global Config
snmp-server host [ip] [string]
Configures the SNMP server to send SNMP notifications (traps or informs) to a specified host, using a community string for authentication.
Global Config
snmp-server location [text]
Sets a descriptive location string for the SNMP agent, used to identify the physical location of the device in network management systems.
Global Config
write erase
Erases the startup configuration from NVRAM, resetting the device to factory defaults on next reload.
Privileged EXEC
write memory
Saves the current running configuration to the startup configuration in NVRAM, ensuring changes persist after a reload.
Privileged EXEC
Diagnostics
6 commands
ping [ip]
The ping command sends ICMP echo requests to a destination IP address to test network connectivity and measure round-trip time.
Privileged EXEC
ping [ip] source [intf] repeat [n]
The extended ping command allows you to specify the source interface and repeat count to test connectivity from a specific interface with a custom number of echo requests.
Privileged EXEC
ssh -l [username] [ip]
Establishes an encrypted SSH connection from a Cisco IOS device to a remote host for secure remote management.
Privileged EXEC
telnet [ip]
The telnet command establishes an unencrypted remote terminal session to another network device using the Telnet protocol, typically for remote management and troubleshooting.
Privileged EXEC
traceroute [ip]
Traces the route packets take from the source device to a destination IP address, showing each hop along the path, used to diagnose network path issues and latency.
Privileged EXEC
traceroute [ip] source [intf]
Traces the route packets take to a destination IP address, using a specified source interface for the outgoing probes, to test path connectivity and identify routing issues.
Privileged EXEC
Debug
18 commands
debug aaa authentication
Use this command to enable real-time debugging of AAA authentication events to troubleshoot login failures or misconfigurations.
Privileged EXEC
debug arp
Enables debugging of ARP (Address Resolution Protocol) packets to troubleshoot IP-to-MAC address resolution issues on a Cisco router or switch.
Privileged EXEC
debug crypto ipsec
Use this command to enable real-time debugging of IPsec security association (SA) negotiations and packet processing, typically for troubleshooting VPN connectivity issues.
Privileged EXEC
debug crypto isakmp
Enables debugging of ISAKMP (Internet Security Association and Key Management Protocol) packets to troubleshoot IKE phase 1 issues in IPsec VPNs.
Privileged EXEC
debug ip bgp
Enables debugging of BGP events and updates to troubleshoot BGP neighbor relationships and route advertisement issues.
Privileged EXEC
debug ip bgp updates
Use this command to monitor BGP update messages in real time for troubleshooting route advertisement and withdrawal issues.
Privileged EXEC
debug ip dhcp server events
Use this command to monitor DHCP server events in real time, such as address assignments, renewals, and conflicts, for troubleshooting DHCP operation on a Cisco IOS router acting as a DHCP server.
Privileged EXEC
debug ip eigrp
This command enables real-time debugging of EIGRP packets and events on a Cisco router, used to troubleshoot EIGRP neighbor relationships, route exchanges, and metric calculations.
Privileged EXEC
debug ip eigrp summary
Use this command to display a summary of EIGRP neighbor adjacencies and route information, helping to quickly verify EIGRP operation and troubleshoot neighbor issues.
Privileged EXEC
debug ip nat
Use debug ip nat to monitor and troubleshoot NAT translations in real time on a Cisco router, displaying each packet's translation details as they occur.
Privileged EXEC
debug ip nat detailed
Use this command to enable detailed debugging of NAT translations, showing packet-by-packet translation details including inside/outside addresses and port numbers, typically for troubleshooting NAT issues.
Privileged EXEC
debug ip ospf adj
Use this command to debug OSPF adjacency events in real time, helping to troubleshoot why OSPF neighbors are not forming or are flapping.
Privileged EXEC
debug ip ospf events
Enables real-time debugging of OSPF event messages to troubleshoot neighbor adjacency issues, route propagation problems, or OSPF state changes.
Privileged EXEC
debug ip rip
Enables real-time debugging of RIP routing updates to troubleshoot routing issues by displaying sent and received RIP updates.
Privileged EXEC
debug ip routing
Use debug ip routing to monitor real-time IP routing table updates and routing protocol events, helping troubleshoot route installation or removal issues.
Privileged EXEC
debug spanning-tree events
Enables debugging of Spanning Tree Protocol (STP) state transitions and topology change events to troubleshoot STP convergence issues.
Privileged EXEC
no debug all
Disables all active debug commands on the router to stop excessive console output and reduce CPU load, typically used after troubleshooting is complete.
Privileged EXEC
undebug all
Disables all active debug operations on the router, used to stop debugging output and reduce CPU load.
Privileged EXEC
Automation
11 commands
action 1.0 cli command [cmd]
Defines an Embedded Event Manager (EEM) applet action that executes a specified Cisco IOS CLI command when the applet is triggered.
Applet Config
action 1.0 syslog msg [message]
Generates a syslog message from an Embedded Event Manager (EEM) applet, used to log custom events or debug information during automation.
Applet Config
event manager applet [name]
Creates or modifies an Embedded Event Manager (EEM) applet that triggers automated actions when a specified event occurs, enabling network automation and self-healing.
Global Config
event syslog pattern [pattern]
Defines an Embedded Event Manager (EEM) applet trigger that watches for syslog messages matching a specified pattern, enabling automated responses to network events.
Applet Config
ip http authentication local
Configures the HTTP server to use local username/password authentication for web-based management access, typically used with the IOS web GUI or REST API.
Global Config
ip http secure-server
Enables the HTTPS server on a Cisco IOS device to allow secure web-based management and API access using SSL/TLS.
Global Config
ip http server
Enables the HTTP server on a Cisco IOS device, allowing web-based management and access to the device's web interface for configuration and monitoring.
Global Config
netconf-yang
Enables NETCONF-YANG on the device, allowing programmatic configuration and state retrieval using YANG data models over SSH.
Global Config
restconf
Enables the RESTCONF API on the device, allowing external applications to manage and monitor the device using RESTful HTTP/HTTPS requests.
Global Config
show ip http server status
Displays the operational status and configuration of the HTTP server (web server) on the Cisco IOS device, used to verify if the web-based GUI or REST API is enabled and accessible.
Privileged EXEC
show restconf-yang capabilities
Displays the list of YANG data models and capabilities supported by the device's RESTCONF interface, used to verify RESTCONF compatibility and available modules for automation.
Privileged EXEC