Commands
Cisco IOS CLI reference · 68 commands
show ip interface brief
Displays a concise summary of all interfaces with their IP addresses, Layer 2 status, and Layer 3 protocol status. The most-used verification command on any Cisco router.
Syntax: `show ip interface brief`
Router# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.1.1     YES manual up                    up
GigabitEthernet0/1     10.0.0.1        YES manual up                    up
GigabitEthernet0/2     unassigned      YES unset  administratively down down

show interfaces
Displays detailed statistics for all interfaces or a specific interface, including input/output errors, CRC errors, bandwidth, duplex settings, and MAC address. Useful for diagnosing physical and data link layer problems.
Syntax: `show interfaces [interface-id]`
Router# show interfaces GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is iGbE, address is a8aa.aaaa.0001 (bia a8aa.aaaa.0001)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
  5 minute input rate 0 bits/sec, 0 packets/sec
  0 input errors, 0 CRC, 0 frame

show arp
Displays the ARP table — the mapping of IP addresses to MAC addresses known to the device. Useful for verifying Layer 3-to-Layer 2 address resolution.
Syntax: `show arp`
Router# show arp
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.1   -          a8aa.aaaa.0001  ARPA  GigabitEthernet0/0
Internet  192.168.1.10  5          0050.56aa.0002  ARPA  GigabitEthernet0/0
ping
Sends ICMP Echo Request packets to a destination and reports success or failure. A basic Layer 3 connectivity test. Extended ping allows specifying source interface, repeat count, and packet size.
Syntax: `ping <destination-ip> [repeat <count>] [size <bytes>] [source <interface>]`
Router# ping 10.0.0.1 repeat 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

traceroute
Sends packets with incrementally increasing TTL values to discover each hop on the path to a destination. Identifies where routing failures occur by showing which hop stops responding.
Syntax: `traceroute <destination-ip>`
Router# traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
  1 192.168.1.254 1 msec 1 msec 1 msec
  2 10.0.0.1 2 msec 2 msec 2 msec
  3 203.0.113.1 15 msec 14 msec 15 msec

ip address
Assigns an IPv4 address and subnet mask to a router interface. Must be in interface configuration mode. Use `no ip address` to remove.
Syntax: `ip address <ip-address> <subnet-mask>`
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown

no shutdown
Brings an interface out of the administratively down state, activating it. Router interfaces default to shutdown; switch ports default to no shutdown. Nearly always the last command after configuring a new interface.
Syntax: `no shutdown`
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up

show version
Displays IOS version, hardware model, serial number, uptime, memory, and configuration register. Used to confirm the IOS version running and how the device will boot.
Syntax: `show version`
Router# show version
Cisco IOS Software, Version 15.2(4)M7, RELEASE SOFTWARE
Router uptime is 5 days, 4 hours, 32 minutes
cisco 2901 (revision 1.0) with 483328K/32768K bytes of memory
Configuration register is 0x2102

show running-config
Displays the current active configuration in RAM. Pipe with `section` to filter to a specific config block (e.g., `| section ospf`). This is the primary way to review device configuration.
Syntax: `show running-config [| section <keyword>]`
Router# show running-config | section interface
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0

copy running-config startup-config
Saves the current running configuration from RAM to NVRAM (startup-config). If this is not done, all configuration changes are lost on the next reload. Equivalent to `write memory` or `wr`.
Syntax: `copy running-config startup-config`
Router# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
show mac address-table
Displays the MAC address table (CAM table) on a switch, showing which MAC addresses are associated with which VLANs and switch ports. Used to verify Layer 2 forwarding and troubleshoot connectivity.
Syntax: `show mac address-table [dynamic | static] [vlan <vlan-id>]`
Switch# show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
10      0050.56aa.0001    DYNAMIC     Gi0/1
20      a8bb.ccdd.0002    DYNAMIC     Gi0/2

vlan
Creates a VLAN in the VLAN database and enters VLAN configuration mode. Follow with `name <name>` to assign a descriptive name. Must be in global configuration mode.
Syntax: `vlan <vlan-id>`
Switch(config)# vlan 10
Switch(config-vlan)# name Engineering
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit

switchport access vlan
Assigns an access port to a specific VLAN. Must be preceded by `switchport mode access` to set the port type. This is the fundamental command for connecting end devices to a VLAN.
Syntax: `switchport access vlan <vlan-id>`
Switch(config)# interface range GigabitEthernet0/1 - 5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# exit

switchport mode trunk
Forces a switch port into trunk mode, enabling it to carry multiple VLANs using 802.1Q tagging. On older Catalyst switches, `switchport trunk encapsulation dot1q` must be configured first.
Syntax: `switchport mode trunk`
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport nonegotiate

show interfaces trunk
Displays all active trunk ports, showing the native VLAN, the allowed VLAN list, and which VLANs are actually forwarding. The most important verification command after configuring a trunk.
Syntax: `show interfaces trunk`
Switch# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      10,20,30

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      10,20,30

show vlan brief
Displays all VLANs in the VLAN database with their names and the access ports assigned to each VLAN. Trunk ports are not shown here — use `show interfaces trunk` for trunk information.
Syntax: `show vlan brief`
Switch# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
10   Engineering                      active    Gi0/3, Gi0/4
20   Sales                            active    Gi0/5, Gi0/6
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
show spanning-tree
Displays STP topology information — root bridge ID, local bridge ID, and the state and role of each port. Use `vlan <id>` to limit output to a specific VLAN instance.
Syntax: `show spanning-tree [vlan <vlan-id>]`
Switch# show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     a8aa.aaaa.0001
             This bridge is the root
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/24              Desg FWD 4         128.24   P2p

spanning-tree portfast
Enables PortFast on an access port, causing it to skip STP's listening and learning states and immediately enter forwarding. Should only be enabled on ports connected to end devices, never to switches.
Syntax: `spanning-tree portfast`
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host.
Switch(config)# spanning-tree portfast bpduguard default    ! global BPDU Guard

spanning-tree vlan priority
Sets the STP bridge priority for a specific VLAN. Priority must be a multiple of 4096 (0, 4096, 8192 ... 61440). Lower priority = higher chance of becoming root bridge. Default is 32768.
Syntax: `spanning-tree vlan <vlan-id> priority <priority>`
Switch(config)# spanning-tree vlan 10 priority 4096
Switch(config)# spanning-tree vlan 20 root primary    ! shortcut macro
! Verify
Switch# show spanning-tree vlan 10 | include Priority
  Bridge ID  Priority    4106   (priority 4096 sys-id-ext 10)
interface vlan
Creates a Switched Virtual Interface (SVI) for a VLAN on a multilayer switch. Used to assign an IP address for management access to the switch or for inter-VLAN routing.
Syntax: `interface vlan <vlan-id>`
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.10.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# description Engineering-Gateway
Switch(config-if)# ip helper-address 10.0.0.5

switchport port-security
Enables and configures port security on a switch access port. Default: maximum 1 MAC, violation mode shutdown. Must have `switchport mode access` configured first.
Syntax: `switchport port-security [maximum <count>] [mac-address {sticky | <MAC>}] [violation {shutdown | restrict | protect}]`
Switch(config)# interface GigabitEthernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown

show port-security
Displays port security status. `show port-security interface <int>` shows violation count, mode, and learned MACs for a port. `show port-security address` shows all secured MAC addresses across all ports.
Syntax: `show port-security [interface <int>] | [address]`
Switch# show port-security interface GigabitEthernet0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Security Violation Count   : 0

vtp mode
Sets the VTP operating mode for the switch. Best practice is `vtp mode off` or `vtp mode transparent` in production environments to prevent accidental VLAN database overwrites.
Syntax: `vtp mode {server | client | transparent | off}`
Switch(config)# vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
! Verify
Switch# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : URI-CAMPUS
VTP Mode                        : Transparent

ip route
Configures a static route. Specify the destination network, subnet mask, and either a next-hop IP address or exit interface. The optional distance creates a floating static route with that administrative distance.
Syntax: `ip route <network> <mask> {<next-hop-ip> | <exit-interface>} [<distance>]`
! Default route
Router(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Specific static route
Router(config)# ip route 10.5.0.0 255.255.0.0 192.168.1.2
! Floating static (backup to OSPF)
Router(config)# ip route 10.5.0.0 255.255.0.0 192.168.2.2 111

show ip route
Displays the routing table. Protocol codes: C = connected, S = static, O = OSPF, D = EIGRP, R = RIP, B = BGP. Format: `<protocol> <network> [AD/metric] via <next-hop>, <uptime>, <interface>`.
Syntax: `show ip route [<network>] [static | ospf | eigrp | connected]`
Router# show ip route
Codes: C - connected, S - static, O - OSPF, D - EIGRP
Gateway of last resort is 203.0.113.1 to network 0.0.0.0
C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
O    10.0.0.0/24 [110/2] via 192.168.1.2, 00:15:23, GigabitEthernet0/0
D    172.16.0.0/16 [90/307200] via 192.168.1.3, 00:10:01, GigabitEthernet0/0
S*   0.0.0.0/0 [1/0] via 203.0.113.1

router ospf
Enters OSPF routing configuration mode. The process ID is locally significant (does not need to match neighbors). Multiple OSPF processes can run simultaneously.
Syntax: `router ospf <process-id>`
Router(config)# router ospf 1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# network 10.0.0.0 0.0.0.255 area 0
Router(config-router)# router-id 1.1.1.1
Router(config-router)# passive-interface GigabitEthernet0/1

show ip ospf neighbor
Displays the OSPF neighbor table — shows neighbor router ID, priority, state (should be FULL; on a multi-access segment, FULL is expected with the DR and BDR, while 2WAY/DROTHER between two non-designated routers is normal), dead time, address, and interface. The most important OSPF verification command.
Syntax: `show ip ospf neighbor`
Router# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:35    192.168.1.2     GigabitEthernet0/0
3.3.3.3           1   FULL/BDR        00:00:38    192.168.1.3     GigabitEthernet0/0
show ip ospf
Displays OSPF process information including router ID, reference bandwidth, area information, and statistics. Useful for verifying the OSPF router ID and SPF algorithm execution count.
Syntax: `show ip ospf [process-id]`
Router# show ip ospf
 Routing Process 'ospf 1' with ID 1.1.1.1
 It is an area border router
 Reference bandwidth unit is 100 mbps
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        SPF algorithm last executed 00:05:12 ago

router eigrp
Enters EIGRP routing configuration mode. The AS number must match on all EIGRP neighbors. Follow with `network` statements and `no auto-summary`.
Syntax: `router eigrp <as-number>`
Router(config)# router eigrp 100
Router(config-router)# network 192.168.1.0 0.0.0.255
Router(config-router)# network 10.0.0.0 0.0.0.255
Router(config-router)# no auto-summary
Router(config-router)# passive-interface GigabitEthernet0/2

show ip eigrp neighbors
Displays the EIGRP neighbor table — shows neighbor address, interface, hold time, uptime, and queue counts. All neighbors should show a Hold time greater than 0 and an uptime (the H column is the neighbor handle, not the hold time).
Syntax: `show ip eigrp neighbors`
Router# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface  Hold  Uptime    SRTT  RTO  Q    Seq
                               (sec)           (ms)       Cnt  Num
0   192.168.1.2     Gi0/0      14    00:12:05  10    100  0    15
1   192.168.1.3     Gi0/0      11    00:08:30  12    100  0    9

ip nat inside source
Configures NAT translation. The `overload` keyword enables PAT (many-to-one mapping using port numbers). Requires corresponding `ip nat inside` and `ip nat outside` on interfaces.
Syntax: `ip nat inside source list <acl-id> {interface <int> | pool <name>} [overload]`
Router(config)# access-list 1 permit 10.0.0.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat outside

show ip nat translations
Displays the active NAT translation table with inside local, inside global, outside local, and outside global addresses. Use `clear ip nat translation *` to clear all dynamic entries.
Syntax: `show ip nat translations [verbose]`
Router# show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
tcp  203.0.113.1:1024     10.0.0.10:54321      8.8.8.8:53           8.8.8.8:53
tcp  203.0.113.1:1025     10.0.0.11:54322      93.184.216.34:443    93.184.216.34:443
show ip protocols
Displays information about all routing protocols running on the router, including their timers, networks being advertised, and neighbors. Use this to verify which routing protocols are active and what they are advertising.
Syntax: `show ip protocols`
Router# show ip protocols
Routing Protocol is 'ospf 1'
  Outgoing update filter list for all interfaces is not set
  Router ID 1.1.1.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Routing for Networks:
    192.168.1.0 0.0.0.255 area 0
    10.0.0.0 0.0.0.255 area 0
  Administrative distance 110

passive-interface
Prevents a routing protocol from sending Hello packets on a specified interface while still advertising the connected network. Used on interfaces facing end hosts (no routing neighbors) to suppress unnecessary routing traffic.
Syntax: `passive-interface <interface-id>`
Router(config)# router ospf 1
Router(config-router)# passive-interface GigabitEthernet0/2
! Or set all interfaces passive by default, then enable specific ones:
Router(config-router)# passive-interface default
Router(config-router)# no passive-interface GigabitEthernet0/0

ip dhcp pool
Creates a named DHCP pool and enters DHCP pool configuration mode. Configure the pool with `network`, `default-router`, `dns-server`, and `lease` subcommands.
Syntax: `ip dhcp pool <name>`
Router(config)# ip dhcp excluded-address 10.10.10.1 10.10.10.10
Router(config)# ip dhcp pool VLAN10-POOL
Router(dhcp-config)# network 10.10.10.0 255.255.255.0
Router(dhcp-config)# default-router 10.10.10.1
Router(dhcp-config)# dns-server 10.0.0.5 8.8.8.8
Router(dhcp-config)# lease 7

show ip dhcp binding
Displays all active DHCP leases — shows client IP, client hardware (MAC) address, lease expiration, and type. Use `clear ip dhcp binding *` to clear all dynamic bindings.
Syntax: `show ip dhcp binding`
Router# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID              Lease expiration        Type
10.10.10.11     0100.5056.aa00.01      Apr 26 2026 10:32 AM    Automatic
10.10.10.12     0100.5056.aa00.02      Apr 26 2026 11:15 AM    Automatic

ip helper-address
Configures DHCP relay on a router or SVI interface. Converts DHCP broadcast packets from the connected subnet into unicast packets directed to the DHCP server. Configured on the interface facing the client subnet.
Syntax: `ip helper-address <dhcp-server-ip>`
Switch(config)# interface vlan 20
Switch(config-if)# ip address 10.20.0.1 255.255.255.0
Switch(config-if)# ip helper-address 10.0.0.5
Switch(config-if)# no shutdown
! Verify DHCP is working after adding helper:
Switch# show ip dhcp binding

ntp server
Configures the device to synchronize its system clock with the specified NTP server. The `prefer` keyword marks this server as the preferred source when multiple NTP servers are configured.
Syntax: `ntp server <ip-address> [prefer]`
Router(config)# ntp server 10.0.0.5 prefer
Router(config)# ntp server 10.0.0.6
Router# show ntp status
Clock is synchronized, stratum 3, reference is 10.0.0.5
nominal freq is 250.0000 Hz, actual freq is 249.9995 Hz
reference time is E0A12345.ABCD1234 (10:32:15.671 UTC Mon Apr 19 2026)

ip name-server
Configures DNS server addresses on the Cisco device for hostname resolution. Multiple servers can be listed; they are queried in order. Requires `ip domain-lookup` (enabled by default) to be active.
Syntax: `ip name-server <ip-address> [<ip-address2>]`
Router(config)# ip name-server 10.0.0.53 8.8.8.8
Router(config)# ip domain-lookup
! Test DNS resolution
Router# ping www.cisco.com
Translating 'www.cisco.com'...domain server (10.0.0.53) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.163.4.185:
!!!!!

snmp-server community
Configures an SNMP v1/v2c community string. RO (read-only) allows the NMS to poll the device. RW (read-write) also allows SET operations. An ACL can restrict which NMS hosts can use the community string.
Syntax: `snmp-server community <string> {RO | RW} [<acl>]`
Router(config)# snmp-server community PUBLIC_RO RO
Router(config)# snmp-server community SECRET_RW RW 10
Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
Router(config)# snmp-server location URI-MDF-Room-201
Router(config)# snmp-server contact noc@uri.edu

logging host
Configures the device to send syslog messages to a remote syslog server. Combine with `logging trap <level>` to set the minimum severity and `logging buffered` for local storage.
Syntax: `logging host <syslog-server-ip>`
Router(config)# logging host 10.0.0.10
Router(config)# logging trap warnings
Router(config)# logging buffered 16384 informational
Router(config)# service timestamps log datetime msec
! View local log buffer (IOS has no "| head" filter; use "| include" or "| begin" to narrow the output)
Router# show logging
ipv6 address
Assigns an IPv6 address to a router interface. Use `autoconfig` to enable SLAAC. The global command `ipv6 unicast-routing` must be enabled before IPv6 routing works.
Syntax: `ipv6 address <ipv6-address>/<prefix-length>` | `ipv6 address autoconfig`
Router(config)# ipv6 unicast-routing
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ipv6 address 2001:db8:acad:1::1/64
Router(config-if)# ipv6 address fe80::1 link-local    ! explicit link-local; without this the link-local is EUI-64 derived
Router(config-if)# no shutdown
Router# show ipv6 interface brief
GigabitEthernet0/0     [up/up]
    FE80::1 (link-local)
    2001:DB8:ACAD:1::1

show ipv6 neighbors
Displays the IPv6 neighbor cache (the IPv6 equivalent of the ARP table). Shows IPv6 addresses mapped to MAC addresses, discovered via NDP (Neighbor Discovery Protocol).
Syntax: `show ipv6 neighbors [<interface>]`
Router# show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
2001:DB8:ACAD:1::10                         0 0050.56aa.0001  REACH Gi0/0
FE80::250:56FF:FEAA:0001                    5 0050.56aa.0001  STALE Gi0/0

show ip dhcp conflict
Displays IP addresses that the DHCP server detected as conflicting (already in use when it tried to assign them). The server pings addresses before assigning them; conflicts are logged and excluded from future assignments.
Syntax: `show ip dhcp conflict`
Router# show ip dhcp conflict
IP address        Detection method   Detection time
10.10.10.15       Ping               Apr 19 2026 09:12:00
10.10.10.22       Gratuitous ARP     Apr 19 2026 11:30:00
! Clear the conflict table after resolving
Router# clear ip dhcp conflict *

show ntp associations
Displays configured NTP servers and peers with their synchronization status. A `*` indicates the currently synchronized source; `+` indicates a candidate; `-` indicates a non-candidate.
Syntax: `show ntp associations`
Router# show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.0.0.5        132.163.96.1     2     23     64   377  1.234   0.002  0.015
 ~10.0.0.6        132.163.96.1     2     45     64   377  2.112   0.118  0.032
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
access-list
Creates a numbered standard (1–99) or extended (100–199) ACL entry. Standard ACLs filter on source IP only. Extended ACLs can filter on protocol, source, destination, and port.
Syntax: `access-list <1-99> {permit | deny} <source> [<wildcard>]` | `access-list <100-199> {permit | deny} <protocol> <src> <src-wild> <dst> <dst-wild> [eq <port>]`
! Standard ACL — permit 10.0.0.0/24
Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
! Extended ACL — permit SSH from management network
Router(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 any eq 22
Router(config)# access-list 110 deny ip any any log

ip access-list
Creates a named ACL and enters named ACL configuration mode. Named ACLs support individual entry deletion by sequence number, making them preferred over numbered ACLs in production.
Syntax: `ip access-list {standard | extended} <name>`
Router(config)# ip access-list extended ALLOW-MGMT
Router(config-ext-nacl)# 10 permit tcp 10.0.1.0 0.0.0.255 any eq 22
Router(config-ext-nacl)# 20 permit tcp 10.0.1.0 0.0.0.255 any eq 443
Router(config-ext-nacl)# 30 deny ip any any log
! Delete a specific entry by sequence number
Router(config-ext-nacl)# no 20

ip access-group
Applies an ACL to a router interface for inbound or outbound traffic filtering. `in` filters traffic entering the interface; `out` filters traffic leaving the interface.
Syntax: `ip access-group <acl-name-or-number> {in | out}`
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group ALLOW-MGMT in
! Apply standard ACL outbound on WAN interface
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip access-group 10 out

show access-lists
Displays all configured ACLs with their entries and hit counters. The match count in parentheses shows how many packets matched each entry — useful for verifying ACL effectiveness.
Syntax: `show access-lists [<acl-name-or-number>]`
Router# show access-lists
Extended IP access list ALLOW-MGMT
    10 permit tcp 10.0.1.0 0.0.0.255 any eq 22 (247 matches)
    20 permit tcp 10.0.1.0 0.0.0.255 any eq 443 (1842 matches)
    30 deny ip any any log (0 matches)
Standard IP access list 10
    10 permit 10.0.0.0, wildcard bits 0.0.0.255 (504 matches)

crypto key generate rsa
Generates the RSA key pair required for SSH operation. A minimum of 1024 bits is required for SSHv2; 2048 bits is recommended for production security. The hostname and domain name must be configured before this command.
Syntax: `crypto key generate rsa modulus <bits>`
Switch(config)# hostname SW-ACCESS-01
SW-ACCESS-01(config)# ip domain-name uri.edu
SW-ACCESS-01(config)# crypto key generate rsa modulus 2048
The name for the keys will be: SW-ACCESS-01.uri.edu
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
SW-ACCESS-01(config)# ip ssh version 2

line vty
Enters VTY line configuration mode for configuring remote management access (SSH/Telnet). Typically configured for lines 0 through 4 (or 0 through 15 on some platforms). Follow with `transport input` and `login` subcommands.
Syntax: `line vty <start-line> <end-line>`
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh
Switch(config-line)# login local
Switch(config-line)# exec-timeout 5 0
Switch(config-line)# logging synchronous
Switch(config-line)# ip access-class MGMT-ONLY in

ip dhcp snooping
Enables DHCP snooping globally and per-VLAN. All ports are untrusted by default after enabling. Apply `ip dhcp snooping trust` on uplink ports facing legitimate DHCP servers.
Syntax: `ip dhcp snooping [vlan <vlan-range>]`
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20,30
Switch(config)# no ip dhcp snooping information option    ! disable option 82 if needed
! Trust the uplink
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip dhcp snooping trust
Switch# show ip dhcp snooping binding

ip arp inspection
Enables Dynamic ARP Inspection (DAI) for specified VLANs. Validates ARP packets against the DHCP snooping binding table on untrusted ports. Requires DHCP snooping to be configured first.
Syntax: `ip arp inspection vlan <vlan-range>`
Switch(config)# ip arp inspection vlan 10,20,30
! Trust uplinks (same ports as DHCP snooping trust)
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip arp inspection trust
Switch# show ip arp inspection statistics vlan 10
 Vlan   Forwarded   Dropped   DHCP Drops   ACL Drops
 ----   ---------   -------   ----------   ---------
   10          45         0            0           0

enable secret
Sets the privileged exec mode password using MD5 hashing. Always use `enable secret` over `enable password` — the secret is stored as a one-way MD5 hash and is not reversible.
Syntax: `enable secret <password>`
Switch(config)# enable secret StrongPassword123!
Switch(config)# service password-encryption    ! apply weak Type-7 to other passwords
Switch(config)# no enable password             ! remove cleartext password if it exists
! Verify that secret appears as hash in running config:
Switch# show running-config | include enable
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

ip access-class
Applies an ACL to VTY lines to restrict which IP addresses can establish remote management sessions (SSH/Telnet). This is the VTY-line equivalent of `ip access-group` used on interfaces.
Syntax: `ip access-class <acl> {in | out}`
Router(config)# ip access-list standard MGMT-HOSTS
Router(config-std-nacl)# permit 10.0.1.0 0.0.0.255
Router(config-std-nacl)# deny any log
Router(config)# line vty 0 15
Router(config-line)# ip access-class MGMT-HOSTS in
Router(config-line)# transport input ssh

username
Creates a local user account on the device. Privilege level 15 grants full access (same as enable mode). Use `secret` (MD5 hash) rather than `password` (cleartext). Required for `login local` authentication on VTY and console lines.
Syntax: `username <name> privilege <level> secret <password>`
Switch(config)# username admin privilege 15 secret SecurePass456!
Switch(config)# username readonly privilege 1 secret ReadOnlyPass!
! Verify local users
Switch# show running-config | section username
username admin privilege 15 secret 5 $1$abc...
username readonly privilege 1 secret 5 $1$xyz...
DNA Center API: list network devices (Python/API context)
DNA Center REST API endpoint to retrieve all network devices from inventory. Returns a JSON array of device objects including hostname, management IP, platform, software version, and reachability status.
Syntax: `GET /dna/intent/api/v1/network-device`
# Python example:
import requests

# The token comes from POST /dna/system/api/v1/auth/token (see "DNA Center Auth Token")
headers = {
    'X-Auth-Token': '<token>',
    'Content-Type': 'application/json'
}
response = requests.get(
    'https://dnacenter.uri.edu/dna/intent/api/v1/network-device',
    headers=headers,
    verify=False    # disables TLS certificate validation; use a trusted CA bundle outside the lab
)
response.raise_for_status()    # fail on 401/403/5xx instead of raising a KeyError below
devices = response.json()['response']
for d in devices:
    print(d['hostname'], d['managementIpAddress'])

DNA Center Auth Token
Authenticates to the Cisco DNA Center API and retrieves an access token. The token must be included in the X-Auth-Token header of all subsequent API requests. Tokens expire and must be refreshed.
Syntax: `POST /dna/system/api/v1/auth/token`
# Python example:
import requests
from requests.auth import HTTPBasicAuth

response = requests.post(
    'https://dnacenter.uri.edu/dna/system/api/v1/auth/token',
    auth=HTTPBasicAuth('admin', 'password'),    # placeholder credentials; load them from a vault or environment variable, never from source
    verify=False    # disables TLS certificate validation; lab use only
)
response.raise_for_status()
token = response.json()['Token']
print(f'Token: {token[:20]}...')

Ansible ios_config
Ansible module for pushing configuration lines to Cisco IOS devices. The `lines` parameter accepts a list of configuration commands. The optional `parents` parameter specifies parent configuration context (e.g., `router ospf 1`).
Syntax:
cisco.ios.ios_config:
  lines:
    - <config-command>
  parents: <parent-command>
---
- name: Configure NTP on all switches
  hosts: switches
  gather_facts: no
  tasks:
    - name: Set NTP servers
      cisco.ios.ios_config:
        lines:
          - ntp server 10.0.0.5 prefer
          - ntp server 10.0.0.6
    - name: Save configuration
      cisco.ios.ios_config:
        save_when: always

Ansible ios_command
Ansible module for running exec-level commands on Cisco IOS devices and capturing their output. Results are stored in the variable specified by `register` and can be processed in subsequent tasks.
Syntax:
cisco.ios.ios_command:
  commands:
    - <show-command>
register: result
---
- name: Gather interface status from all routers
  hosts: routers
  gather_facts: no
  tasks:
    - name: Get interface brief
      cisco.ios.ios_command:
        commands:
          - show ip interface brief
          - show ip route
      register: output
    - name: Display output
      debug:
        var: output.stdout_lines[0]

Ansible inventory file
Defines the managed devices and their connection parameters for Ansible. Device groups allow targeting specific subsets in playbooks. Network device inventories typically include the `ansible_network_os` variable to select the correct connection plugin.
Syntax:
[group-name]
<hostname-or-ip> ansible_user=<user> ansible_password=<pass> ansible_network_os=ios
# hosts.ini
[switches]
sw-access-01 ansible_host=10.0.0.11
sw-access-02 ansible_host=10.0.0.12
sw-core-01 ansible_host=10.0.0.1

[routers]
rtr-edge-01 ansible_host=10.0.0.254

[all:vars]
ansible_user=admin
ansible_password=vault_encrypted_pass
ansible_network_os=cisco.ios.ios
ansible_connection=network_cli
curl — REST API call
Makes HTTP requests to REST APIs from the command line. Used for quick API testing without writing a full script. The `-X` flag sets the HTTP method, `-H` adds headers, and `-d` adds a JSON request body.
Syntax: `curl -X <METHOD> -H 'Content-Type: application/json' -H 'X-Auth-Token: <token>' https://<host>/<path>`
# Get all devices from DNA Center
curl -X GET \
  -H 'X-Auth-Token: eyJhbGciOi...' \
  -H 'Content-Type: application/json' \
  --insecure \
  'https://10.0.0.100/dna/intent/api/v1/network-device' \
  | python3 -m json.tool

Meraki API — List devices
Meraki Dashboard API endpoint to list all devices in an organization. Requires the API key in the X-Cisco-Meraki-API-Key header. All Meraki API calls go to api.meraki.com, not to local devices.
Syntax: `GET /api/v1/organizations/{organizationId}/devices`
import requests

API_KEY = 'your-meraki-api-key'    # placeholder; keep the real key out of source control
ORG_ID = '123456'
headers = {
    'X-Cisco-Meraki-API-Key': API_KEY,
    'Content-Type': 'application/json'
}
url = f'https://api.meraki.com/api/v1/organizations/{ORG_ID}/devices'
response = requests.get(url, headers=headers)
response.raise_for_status()
for device in response.json():
    # name and lanIp can be missing for devices that have not reported them, so use .get()
    print(device.get('name'), device['model'], device.get('lanIp'))

show netconf-yang sessions
Displays active NETCONF sessions on the device. Requires NETCONF to be enabled with `netconf-yang` in global configuration. NETCONF uses SSH on port 830.
Syntax: `show netconf-yang sessions`
Router(config)# netconf-yang
Router# show netconf-yang sessions
R = NETCONF over RESTCONF   NC = NETCONF
Number of sessions : 1

id   transport  username  source-host  global-lock
--   ---------  --------  -----------  -----------
1    NC         admin     10.0.1.5     None

restconf (config enable)
Enables RESTCONF on the Cisco IOS-XE device. RESTCONF is a REST-based alternative to NETCONF that uses HTTP/HTTPS and JSON- or XML-formatted YANG data models. Requires `ip http secure-server` to be enabled.
Syntax: `restconf`
Router(config)# ip http secure-server
Router(config)# restconf
# RESTCONF GET request (from external client):
curl -k -u admin:password \
  -H 'Accept: application/yang-data+json' \
  'https://router1/restconf/data/ietf-interfaces:interfaces'

show platform software
Displays the state of YANG management processes (NETCONF-YANG, RESTCONF) on IOS-XE devices. Useful for verifying that the model-driven programmability processes are running.
Syntax: `show platform software yang-management process state`
Router# show platform software yang-management process state
confd     : Running
nesd      : Running
syncfd    : Running
ncsshd    : Running
dmiauthd  : Running
nginx     : Running
ndbmand   : Running
pubd      : Running

ansible-playbook
Runs an Ansible playbook against devices defined in the inventory. The `--check` flag performs a dry run without making changes. `-v` increases verbosity. `--diff` shows configuration differences.
Syntax: `ansible-playbook <playbook.yml> -i <inventory> [--check] [--diff] [-v]`
# Dry run first to verify what changes will be made
ansible-playbook ntp-config.yml -i hosts.ini --check --diff
# Apply the changes
ansible-playbook ntp-config.yml -i hosts.ini -v
# Target only the switches group
ansible-playbook ntp-config.yml -i hosts.ini --limit switches

Ansible Vault
Encrypts sensitive data files (passwords, API keys) used in Ansible playbooks. Encrypted files are decrypted at runtime using a vault password. Prevents credentials from being stored in plaintext in version control.
Syntax: `ansible-vault {create | encrypt | decrypt | edit} <file>`
# Create an encrypted variable file
ansible-vault create group_vars/all/vault.yml
# Enter vault password when prompted, then add:
# vault_ssh_password: SecurePassword123!
# vault_enable_secret: EnableSecret456!
# Run playbook with vault
ansible-playbook site.yml -i hosts.ini --ask-vault-pass
# Or use a vault password file
ansible-playbook site.yml -i hosts.ini --vault-password-file .vault_pass