
Router Show Commands

This chapter covers the essential Cisco IOS router show commands that every network technician must know for the N10-009 exam. These commands are the primary tools for verifying configuration, monitoring performance, and troubleshooting network issues. Approximately 10-15% of exam questions involve interpreting show command output to diagnose problems, making this a critical skill for passing the exam and real-world network management.

Updated May 31, 2026

Router Show Commands: The Network Doctor's Stethoscope

Imagine you are a doctor diagnosing a patient. You have a stethoscope, a blood pressure cuff, and an ECG monitor. Each tool gives you specific information: the stethoscope lets you hear heart and lung sounds, the cuff measures blood pressure, and the ECG shows electrical activity. You don't randomly use all tools at once; you start with the stethoscope to check for basic issues, then use the ECG if you suspect a rhythm problem. Similarly, a network engineer uses 'show' commands like diagnostic tools. 'show ip interface brief' is like the stethoscope—it gives a quick status of all interfaces (up/down, IP addresses). 'show ip route' is like the ECG—it reveals the routing table, showing how the router decides where to send packets. 'show running-config' is like the patient's medical history—it shows the current configuration, including static routes and ACLs. Just as a doctor interprets each tool's output in context, an engineer must interpret each show command's output to diagnose network issues. Misinterpreting a command is like misreading a heart monitor—it leads to wrong treatment. The N10-009 exam tests your ability to select the right show command for a given symptom, just as a doctor selects the right diagnostic tool.

How It Actually Works

What Are Router Show Commands and Why They Exist

Router show commands are EXEC mode commands (user or privileged) that display operational data from the router's various subsystems. They are read-only and do not change the configuration. The primary purpose is to verify that the router is functioning as intended, to monitor performance, and to gather data for troubleshooting. Unlike debug commands, show commands do not impose significant CPU overhead, so they are safe to use in production.

How Show Commands Work Internally

When you issue a show command, the IOS kernel retrieves data from the appropriate data structures in memory. For example:

show running-config reads from the running configuration stored in RAM.

show ip route reads the Routing Information Base (RIB) stored in RAM.

show interfaces reads interface counters and status registers directly from the interface hardware via driver calls.

The output is formatted by the IOS and sent to the console or VTY session. The data is dynamic; counters increment in real-time, and routing tables update as protocols converge.

Key Components, Values, Defaults, and Timers

Interface Status: The output of show interfaces includes:

Line protocol status: up/down/administratively down.

Hardware address (MAC).

Internet address (IP).

MTU (default 1500 bytes).

Bandwidth (default varies by interface type, e.g., 100000 Kbps for FastEthernet).

Reliability (255/255).

Load (1/255).

Input/output errors, CRC errors, collisions.

Routing Table: show ip route displays:

Codes: C (connected), S (static), O (OSPF), D (EIGRP), etc.

Administrative distance (e.g., OSPF=110, EIGRP=90/170, static=1).

Metric (e.g., OSPF cost, EIGRP composite metric).

Next-hop IP and outgoing interface.

ARP Table: show ip arp shows IP-to-MAC mappings with age (default 4 hours for dynamic entries).

CDP Neighbors: show cdp neighbors displays directly connected Cisco devices with platform, capabilities, and holdtime (default 180 seconds).

Configuration and Verification Commands

show running-config – displays current configuration in RAM.

show startup-config – displays configuration in NVRAM.

show ip interface brief – summary of all interfaces with IP and status.

show ip route [ospf | eigrp | static | connected] – filtered routing table.

show interfaces [interface] – detailed statistics for an interface.

show vlan brief – VLAN database (on switches).

show cdp neighbors detail – detailed CDP info including IP address.

show ip protocols – routing protocol parameters.

show ip ospf neighbor – OSPF neighbor adjacencies.

show ip eigrp neighbors – EIGRP neighbor table.

show ip arp – ARP cache.

show mac address-table – MAC address table (on switches).

show port-security – port security settings.

show access-lists – configured ACLs and hit counts.

show logging – syslog buffer.

show processes cpu – CPU utilization per process.

show memory – memory statistics.

show version – IOS version, uptime, hardware.

show flash – flash memory contents.

show ip interface – detailed IP-related interface info.

show ip bgp summary – BGP neighbor summary.

show ip mroute – multicast routing table.

show ip nat translations – NAT translation table.

show ipv6 interface – IPv6 interface configuration.

show ipv6 route – IPv6 routing table.

How Show Commands Interact with Related Technologies

SNMP: Show commands provide the same data that SNMP agents report via MIBs. For example, show interfaces counters correspond to ifInOctets, ifOutErrors, etc.

Syslog: Show commands can be used to verify syslog configuration (show logging).

NetFlow: show ip cache flow displays NetFlow statistics.

QoS: show policy-map interface shows QoS policy statistics.

ACLs: show access-lists shows hit counts, which indicate how many packets matched each ACE.

VLANs: show vlan and show interfaces trunk are essential for VLAN troubleshooting.

STP: show spanning-tree displays STP state for each VLAN.

EtherChannel: show etherchannel summary shows bundle status.

HSRP/VRRP/GLBP: show standby or show vrrp or show glbp displays first-hop redundancy status.

Exam-Relevant Details

The show ip interface brief command is often the first command used to verify interface connectivity. The output includes Interface, IP-Address, OK?, Method, Status, Protocol. 'Status' refers to Layer 1 (cable, signal), 'Protocol' refers to Layer 2 (keepalives, encapsulation).

The show interfaces command includes the 'reliability' and 'load' values as fractions of 255. These are 5-minute exponentially weighted averages.

The show ip route command uses codes: 'C' for directly connected, 'S' for static, 'O' for OSPF, 'D' for EIGRP, 'B' for BGP, etc. The administrative distance is shown in brackets, e.g., [110/20] where 110 is AD and 20 is metric.

The show running-config command is used to verify that configuration changes have been applied. The show startup-config shows what will be loaded on next reload.

The show cdp neighbors command reveals only Cisco devices; non-Cisco devices will not appear. The holdtime is 180 seconds by default, and CDP is enabled globally and per interface.

The show ip arp command shows dynamic entries that age out after 4 hours by default. The 'Type' column indicates ARPA (Ethernet) or SNAP.

The show vlan command (on switches) displays VLAN membership and ports. The show interfaces trunk shows trunking status and allowed VLANs.

The show mac address-table command shows MAC addresses learned on each port. The 'Type' can be DYNAMIC, STATIC, or SECURE.

The show port-security command displays port security settings and violations.

The show access-lists command shows the number of matches for each line; if a line has zero matches, it may be incorrectly placed or not needed.

The show processes cpu command shows CPU utilization; 'show processes cpu history' shows a bar graph of CPU usage over time.

The show memory command shows free and used memory; 'show memory allocating-process' shows memory usage per process.

The show version command shows the IOS version, uptime, and reason for last reload (e.g., power-on, reload command, crash).

The show flash command shows the contents of flash memory, including IOS image filename and size.

The show ip ospf neighbor command shows neighbor state (FULL/2WAY/DROTHER/etc.), address, interface, and dead timer (default 40 seconds for broadcast networks).

The show ip eigrp neighbors command shows hold time (default 15 seconds) and queue count.

The show ip bgp summary command shows BGP state (Idle, Connect, Active, OpenSent, OpenConfirm, Established).

The show ip nat translations command shows inside local, inside global, outside local, outside global addresses.

The show ipv6 route command uses codes like 'C', 'L' (local), 'O', etc.

The show ip protocols command shows routing protocol timers (e.g., OSPF hello 10, dead 40).

The show ip interface command shows ACL applied inbound/outbound, helper addresses, and multicast groups.

Common Pitfalls

Forgetting to use the | include or | exclude pipe modifiers to filter output. The exam expects you to parse large outputs.

Confusing 'Status' and 'Protocol' fields in show ip interface brief. Status is Layer 1, Protocol is Layer 2.

Assuming show running-config shows all defaults; it only shows non-default values.

Misinterpreting the 'age' in show ip arp; the timer resets on each packet received.

Using show interfaces without specifying an interface on a router with many interfaces; output can be overwhelming.

Not using show ip route with a specific prefix to verify routing for a particular destination.

Overlooking show cdp neighbors for non-Cisco devices; it will not show them.

Thinking show mac address-table shows all MACs; dynamic entries age out after 300 seconds (default).

Forgetting that show port-security shows violations; a high violation count indicates security issues.

Ignoring 'hit counts' in show access-lists; zero hits may mean the ACL is not in the path.

Misreading CPU utilization; high CPU is not always bad; it depends on the process.

Not checking show memory when experiencing performance issues; memory leaks can cause failures.

Assuming show version shows the configuration register; it does, but the config register is also shown in show running-config.

Confusing show flash with show boot; show flash shows files, show boot shows boot variables.

Not using show ip ospf neighbor to verify OSPF adjacency; a neighbor stuck in INIT or EXSTART indicates a problem.

Not using show ip eigrp neighbors to verify EIGRP adjacency; a neighbor stuck in PENDING indicates a problem.

Not using show ip bgp summary to verify BGP peering; a state other than Established indicates a problem.

Not using show ip nat translations to verify NAT; if no translations, NAT may not be triggered.

Not using show ipv6 route to verify IPv6 routing; IPv6 routes are separate from IPv4.

Not using show ip protocols to verify routing protocol configuration; timers and networks must match.

Not using show ip interface to verify ACL application; an ACL may be applied to the wrong interface or direction.

Command Output Examples

show ip interface brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0        192.168.1.1     YES NVRAM  up                    up
GigabitEthernet0/1        unassigned      YES NVRAM  administratively down down

show ip route

Codes: C - connected, S - static, O - OSPF, D - EIGRP, B - BGP
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/24 is directly connected, GigabitEthernet0/0
O       10.0.1.0/24 [110/20] via 192.168.1.2, 00:00:15, GigabitEthernet0/0

show interfaces GigabitEthernet0/0

GigabitEthernet0/0 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is aabb.ccdd.0001 (bia aabb.ccdd.0001)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  input errors 0, CRC 0, frame 0, overrun 0, ignored 0
  output errors 0, collisions 0, interface resets 0
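
The Status/Protocol reading rules and the [AD/metric] field described in this chapter, applied to the sample output above. This is an added example, not part of the original chapter; the function names and the Serial0/0/0 line are constructed for illustration.

```python
import re

# Sample output copied from the "Command Output Examples" section of this page.
SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0        192.168.1.1     YES NVRAM  up                    up
GigabitEthernet0/1        unassigned      YES NVRAM  administratively down down
"""
SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, O - OSPF, D - EIGRP, B - BGP
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/24 is directly connected, GigabitEthernet0/0
O       10.0.1.0/24 [110/20] via 192.168.1.2, 00:00:15, GigabitEthernet0/0
"""
# Constructed line (not from the page): Status up, Protocol down, as in Scenario 1.
CONSTRUCTED_SERIAL = "Serial0/0/0                10.1.1.1        YES manual up                    down"

# "administratively down" contains a space, so a plain split() would misalign columns.
BRIEF_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<protocol>up|down)\s*$"
)
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:is directly connected, (?P<conn_if>\S+)"
    r"|\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<next_hop>[\d.]+), \S+, (?P<out_if>\S+))\s*$"
)


def classify_interface(status, protocol):
    """Map the Status/Protocol pair to where troubleshooting should start."""
    if status == "administratively down":
        return "shutdown"   # interface was disabled with the shutdown command
    if status == "down":
        return "layer1"     # cable or signal problem
    if protocol == "down":
        return "layer2"     # keepalive or encapsulation problem
    return "ok"


def parse_brief(text):
    """Return one dict per interface row; the header row does not match."""
    rows = []
    for line in text.splitlines():
        m = BRIEF_RE.match(line)
        if m:
            row = m.groupdict()
            row["diagnosis"] = classify_interface(row["status"], row["protocol"])
            rows.append(row)
    return rows


def parse_routes(text):
    """Return route entries with AD and metric split out of the [AD/metric] field."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # skips the Codes legend and "is variably subnetted" lines
        connected = m["conn_if"] is not None
        routes.append({
            "code": m["code"],
            "prefix": m["prefix"],
            # Connected routes print no brackets; their AD is 0.
            "ad": 0 if connected else int(m["ad"]),
            "metric": 0 if connected else int(m["metric"]),
            "next_hop": None if connected else m["next_hop"],
            "interface": m["conn_if"] if connected else m["out_if"],
        })
    return routes


if __name__ == "__main__":
    for row in parse_brief(SHOW_IP_INT_BRIEF + CONSTRUCTED_SERIAL):
        print(row["name"], row["status"], row["protocol"], "->", row["diagnosis"])
    for route in parse_routes(SHOW_IP_ROUTE):
        print(route)
```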

Walk-Through

1. Identify the Problem

Begin by gathering symptoms. For example, users cannot reach a server at 10.0.1.100. Determine the scope: all users, or just those on a specific subnet? Check if the router itself can ping the server. Use `ping 10.0.1.100` from the router. If successful, the issue is beyond the router. If not, proceed to verify interface status with `show ip interface brief`. Look for interfaces that are down or have protocol down. Note any error counters.

2. Verify Interface Connectivity

Use `show interfaces` for the relevant interface. Check for input/output errors, CRC errors, collisions, and interface resets. High error rates indicate physical layer issues (bad cable, duplex mismatch). Verify duplex and speed settings match the connected device. If the interface is administratively down, use `no shutdown` in interface configuration mode. If protocol is down, check for keepalive issues or encapsulation mismatch.

3. Check the Routing Table

Use `show ip route 10.0.1.100` to see if the router has a route to the destination. If no route appears, check the routing protocol status. Use `show ip protocols` to verify that the routing protocol is enabled on the correct networks. Use `show ip ospf neighbor` or `show ip eigrp neighbors` to verify adjacencies. If a static route is missing, add it. If the route exists but points to the wrong next hop, correct it.

4. Examine ARP and Layer 2

If the route exists but still no connectivity, check ARP. Use `show ip arp` to see if the router has the MAC address of the next-hop. If incomplete, the router cannot resolve Layer 2. Check the directly connected interface's VLAN membership (on switches) with `show vlan`. Ensure the port is in the correct VLAN. If using trunking, verify trunk status with `show interfaces trunk`.

5. Check Access Lists and NAT

Use `show ip interface` to see if any ACL is applied inbound or outbound on the interface. Use `show access-lists` to see hit counts; if the ACL is blocking traffic, hits will increment. For NAT, use `show ip nat translations` to see if translations exist. If not, verify NAT configuration with `show running-config | include nat`. Ensure the correct interfaces are defined as inside and outside.

What This Looks Like on the Job

Scenario 1: Troubleshooting WAN Link Failure

A company has a branch office connected via a T1 serial link to the main office. Users at the branch report that they cannot access the corporate ERP system at 10.10.10.50. The network engineer starts by pinging the default gateway (branch router's LAN interface) from a workstation – it fails. Then the engineer SSHes into the branch router and runs show ip interface brief. The serial interface (Serial0/0/0) shows 'up' but 'protocol down'. This indicates a Layer 2 problem. The engineer checks show interfaces Serial0/0/0 and sees 'Serial0/0/0 is up, line protocol is down'. Also, 'HDLC encapsulation' is shown. The engineer suspects encapsulation mismatch, as the main office router uses PPP. After correcting encapsulation to PPP on both ends, the protocol comes up. This is a classic troubleshooting scenario: always check Layer 1 first, then Layer 2.

Scenario 2: OSPF Route Not Installed

A new subnet 172.16.10.0/24 is added behind a remote router running OSPF. After configuration, the core router does not have a route to this subnet. The engineer uses show ip route ospf on the core router – no route. Then show ip ospf neighbor shows the remote router as FULL. So adjacency is fine. Next, show ip ospf database shows the Type 1 LSA from the remote router, but the prefix is missing. The engineer checks the remote router's show running-config | section router ospf and notices that the network 172.16.10.0 0.0.0.255 area 0 statement is missing. After adding it, the route appears. This illustrates that show ip route and show ip ospf neighbor are necessary but not sufficient; you must also verify the OSPF configuration.

Scenario 3: ACL Blocking Traffic

A web server at 192.168.1.10 is unreachable from the internet. The engineer checks the router's show ip interface brief – the outside interface is up. show ip route shows a default route to the ISP. show ip interface outside reveals an inbound ACL named BLOCK. show access-lists BLOCK shows that the ACL has a deny statement for tcp any host 192.168.1.10 eq 80. The hit count on that line is high. The engineer removes the deny statement and adds a permit. This is a common scenario: ACLs can silently drop traffic, and show access-lists with hit counts is the best way to identify the problem.
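
The hit-count check from Scenario 3, as an added example that is not part of the original chapter: it parses `show access-lists` output, flags deny entries that are matching traffic and entries with no hits, and compares two captures to see which counters are incrementing. The sample text is constructed in the usual IOS layout (the BLOCK list and its port 80 deny come from the scenario; the other entries and all counts are made up), and the function names are hypothetical.

```python
import re

# Constructed sample. IOS prints no "(N matches)" suffix for an entry with
# zero hits, and the implicit deny at the end never appears in the output.
SAMPLE = """\
Extended IP access list BLOCK
    10 deny tcp any host 192.168.1.10 eq www (1542 matches)
    20 permit tcp any host 192.168.1.10 eq 443 (87 matches)
    30 deny ip 10.0.0.0 0.255.255.255 any
    40 permit ip any any (30211 matches)
"""
# Second constructed capture, taken later: only entry 10 has moved.
SAMPLE_LATER = SAMPLE.replace("(1542 matches)", "(1600 matches)")

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (?P<name>\S+)")
ACE_LINE = re.compile(
    r"^\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)


def parse_access_lists(text):
    """Return {acl_name: {sequence_number: {"action", "rule", "hits"}}}."""
    acls, current = {}, None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header["name"], {})
            continue
        ace = ACE_LINE.match(line)
        if ace and current is not None:
            current[int(ace["seq"])] = {
                "action": ace["action"],
                "rule": ace["rule"],
                "hits": int(ace["hits"] or 0),  # missing suffix means zero hits
            }
    return acls


def audit(acls):
    """Flag deny entries that match traffic and entries that never match."""
    findings = []
    for name, aces in acls.items():
        for seq, ace in sorted(aces.items()):
            if ace["action"] == "deny" and ace["hits"] > 0:
                findings.append((name, seq, "deny-matching"))
            elif ace["hits"] == 0:
                findings.append((name, seq, "zero-hits"))
    return findings


def incrementing(before, after):
    """Compare two captures; return (acl, seq, delta) for counters that grew."""
    deltas = []
    for name, aces in after.items():
        for seq, ace in sorted(aces.items()):
            old = before.get(name, {}).get(seq, {"hits": 0})["hits"]
            if ace["hits"] > old:
                deltas.append((name, seq, ace["hits"] - old))
    return deltas


if __name__ == "__main__":
    first = parse_access_lists(SAMPLE)
    second = parse_access_lists(SAMPLE_LATER)
    print(audit(first))
    print(incrementing(first, second))
```

A single capture only shows totals since the counters were last cleared; the two-capture comparison is what tells you an entry is dropping traffic right now.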

Scale and Performance Considerations

In large networks with hundreds of routers, show commands can impact performance if used excessively. For example, show running-config on a router with a large configuration can take seconds and spike CPU. Use show running-config | section to limit output. Also, show ip route on a router with a full BGP table (800k+ routes) can take significant time; use show ip route bgp to filter. In production, use show commands judiciously and consider using SNMP or NetFlow for continuous monitoring.

How N10-009 Actually Tests This

What the N10-009 Exam Tests

Objective 5.6 (Given a scenario, use appropriate network software tools and commands) specifically tests your ability to select and interpret the output of show commands. The exam expects you to know the purpose of each command and be able to read the output to identify issues like interface errors, missing routes, ACL blocks, and neighbor adjacency problems.

Most Common Wrong Answers and Why

1. Using `show running-config` to verify interface status: Candidates often think this is the fastest way to see interface configuration, but it does not show operational status. The correct command is show ip interface brief or show interfaces.

2. Confusing `show ip route` with `show ip protocols`: Candidates think both show the routing table; show ip protocols actually shows routing protocol configuration, not the table.

3. Thinking `show cdp neighbors` shows all connected devices: It only shows Cisco devices; non-Cisco devices are invisible.

4. Using `show mac address-table` to find an IP address: The MAC table shows only MAC addresses, not IPs. Use show ip arp to map IP to MAC.

5. Believing `show interfaces` shows only Layer 1 status: It shows Layer 1 (line status), Layer 2 (line protocol), and Layer 3 (IP address).

Specific Numbers and Values on the Exam

Default CDP holdtime: 180 seconds.

Default ARP timeout: 4 hours (14400 seconds).

OSPF hello/dead intervals: 10/40 seconds on broadcast.

EIGRP hold time: 15 seconds.

Default MTU: 1500 bytes.

Administrative distances: OSPF=110, EIGRP=90 (internal), 170 (external), RIP=120, static=1, connected=0.

MAC address table aging time: 300 seconds (default for dynamic entries).

Port security violation modes: protect, restrict, shutdown.

Access-list implicit deny any at the end.

Edge Cases and Exceptions

A route with administrative distance 0 (connected) is always preferred over any other route.

show ip route does not show routes that are in the routing table but are not reachable (e.g., due to recursive lookup failure).

show ip interface brief shows 'administratively down' when the interface is shut down with the shutdown command.

show interfaces counters include 'input errors' which can be caused by CRC errors, frame errors, or overrun.

show ip arp may show 'Incomplete' for an IP that cannot be resolved via ARP.

show cdp neighbors does not show neighbors if CDP is disabled globally or on the interface.

show vlan on a router may not exist; VLAN commands are switch-specific.

show ip nat translations may be empty if no traffic has triggered NAT.

How to Eliminate Wrong Answers

If the question asks about interface status, look for commands that start with 'show interfaces' or 'show ip interface'.

If the question is about routing, consider show ip route or show ip protocols.

If the question involves neighbor discovery, think show cdp neighbors (Cisco) or show lldp neighbors (vendor-neutral).

If the question is about ACLs, the answer is show access-lists.

If the question is about NAT, the answer is show ip nat translations.

Use the underlying mechanism: show commands read from operational data structures, not configuration files (except show running-config).

Key Takeaways

Use `show ip interface brief` as the first command to check interface status (Layer 1 and Layer 2).

Use `show interfaces [interface]` to view detailed errors and statistics for troubleshooting physical issues.

Use `show ip route [prefix]` to verify the routing table entry for a specific destination.

Use `show ip protocols` to verify routing protocol configuration and timers.

Use `show cdp neighbors` to discover directly connected Cisco devices.

Use `show ip arp` to map IP addresses to MAC addresses in the router's ARP cache.

Use `show access-lists` to check ACL hit counts and identify which lines are matching traffic.

Use `show ip nat translations` to verify NAT entries and troubleshoot NAT issues.

Use `show running-config` to view the current configuration (non-defaults).

Use `show version` to check IOS version, uptime, and reason for last reload.

Use `show processes cpu` and `show memory` to diagnose performance issues.

Pipe modifiers (| include, | exclude, | section) are essential for filtering show command output.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

show interfaces

Provides detailed statistics including errors, MTU, bandwidth, load, reliability.

Shows both Layer 1 (line status) and Layer 2 (line protocol) status.

Can be filtered to a specific interface (e.g., show interfaces GigabitEthernet0/0).

Output is verbose; may be overwhelming for a quick check.

Useful for troubleshooting physical and data link layer issues.

show ip interface brief

Provides a one-line summary per interface: Interface, IP-Address, OK?, Method, Status, Protocol.

Quickly identifies which interfaces are up/down or administratively down.

Cannot be filtered to a single interface; always shows all interfaces.

Does not show errors or statistics.

Best first command to check overall interface connectivity.

Watch Out for These

Mistake

The show running-config command displays the current operational state of all interfaces.

Correct

show running-config shows the configuration stored in RAM, not the operational state. For interface status (up/down), use show interfaces or show ip interface brief.

Mistake

show ip route displays all routes including default routes, but the default route is always shown as 0.0.0.0/0.

Correct

Yes, the default route is shown as 0.0.0.0/0, but it may be learned via a routing protocol (e.g., OSPF) or configured as a static route. The code will be 'S*' for static default or 'O*' for OSPF default.

Mistake

show cdp neighbors shows all directly connected devices, regardless of vendor.

Correct

CDP is Cisco proprietary. It only shows Cisco devices. For multi-vendor environments, use LLDP (show lldp neighbors).

Mistake

show interfaces shows only Layer 1 and Layer 2 information, not IP addresses.

Correct

show interfaces does show the IP address if configured, along with MTU, bandwidth, and other Layer 3 details. However, for a quick summary, use show ip interface brief.

Mistake

The show ip arp command shows the MAC address of all devices in the network.

Correct

show ip arp only shows the ARP cache of the router, which contains entries for devices the router has communicated with. It does not show all devices on the network.


Frequently Asked Questions

What is the difference between 'show running-config' and 'show startup-config'?

show running-config displays the current configuration running in RAM. Any changes you make are immediately reflected here. show startup-config displays the configuration stored in NVRAM, which is loaded on boot. To save changes, you must use 'copy running-config startup-config' or 'write memory'. The exam often tests that 'show running-config' shows the active config, while 'show startup-config' shows what will be used after a reload.

How do I interpret the 'Status' and 'Protocol' columns in 'show ip interface brief'?

Status refers to Layer 1 (physical layer). It can be 'up' (cable connected and carrier detect), 'down' (no cable or bad cable), or 'administratively down' (interface shut down with the 'shutdown' command). Protocol refers to Layer 2 (data link). It is 'up' if keepalives are being received successfully. If Status is up but Protocol is down, there is a Layer 2 issue like encapsulation mismatch or no keepalive.

Why does 'show ip route' show a route with an administrative distance of 110?

Administrative distance (AD) is a trustworthiness value. 110 is the default AD for OSPF routes. Lower AD is preferred. So if there are multiple routes to the same network, the one with the lowest AD is installed in the routing table. For example, a static route (AD=1) would be preferred over an OSPF route (AD=110). The exam expects you to know default AD values for common protocols.

What does 'show cdp neighbors' show and what is the default holdtime?

CDP (Cisco Discovery Protocol) is a Layer 2 protocol that runs on Cisco devices. 'show cdp neighbors' displays directly connected Cisco devices, including device ID, local interface, holdtime (default 180 seconds), capability, platform, and port ID. The holdtime is the time the router will wait to receive a CDP advertisement before considering the neighbor down. CDP is enabled by default but can be disabled globally or per interface.

How can I use 'show access-lists' to troubleshoot denied traffic?

The 'show access-lists' command displays each access control entry (ACE) with a hit count. The hit count increments each time a packet matches that line. If you suspect an ACL is blocking traffic, check the hit count on the deny lines. If the hit count is incrementing, that line is matching traffic. Also, check the order; the first match is applied. If you have a permit any at the end, traffic not matching earlier lines will be permitted. The implicit deny any at the end will not show hit counts.

What is the purpose of 'show ip arp' and how long do entries last?

'show ip arp' displays the ARP cache of the router, mapping IP addresses to MAC addresses for hosts on directly connected networks. Dynamic entries age out after 4 hours (14400 seconds) by default. The timer resets each time a packet is sent to that IP. If an entry shows 'Incomplete', the router sent an ARP request but did not receive a reply. This can happen if the host is down or there is a VLAN mismatch.

How do I check if a specific route is being used?

Use 'show ip route <destination-ip>' to see if there is a route to that specific destination. If multiple routes exist, the router uses the one with the lowest administrative distance and metric. The output shows the next-hop IP and outgoing interface. If no route is displayed, the router does not have a path. You can also use 'traceroute' from the router to see the actual path packets take.
