
By: Tamas Szucs
April 25, 2017
Foundational Cisco Commands and Tips

Console settings
- Protocol: Serial
- Port: COMx
- Baud rate: 9600
- Flow control: RTS/CTS
Basic commands
- User mode: enable
- Privileged mode: configure terminal
- HW properties: show inventory raw
- HW summary information: show inventory oid
- Environment information: show environment
- Show interface status: show interface status
- Show up/down state of interface: show ip interface brief
- Show running rules: show running-config
- Device reload: reload
Disable dialog
If the "Would you like to enter the initial configuration dialog? [yes/no]" message is displayed when the device starts up, enter: "no".
Do command
If you use the do command, you do not have to return to user mode: it runs exec commands such as show from configuration mode.
Password reset in router
- Turn on the router
- Ctrl+Break
- Password reset in CLI:
  - config-register 0x2142
  - reset
- No
- Yes
- enable
- copy startup-config running-config
- enable secret <password>
- config-register 0x2102
- copy running-config startup-config (or write)
- Enter
- reload
Password reset switch
- Turn on the switch
- Press mode button while green.
- Password reset in CLI:
  - flash_init
  - load_helper
  - rename flash:config.text flash:config.text.orig
  - boot
  - copy flash:config.text.orig running-config
- Enter
- enable secret <password>
- do write
- reload
License installing
- Read the PA key from the license PDF
- Read device ID:
  - enable
  - show license feature
- If "Enable" is "No", the license has to be installed: show license udi
- Read PID and SN
- Enter https://tools.cisco.com/SWIFT/LicensingUI/Quickstart#
- Enter the PA key in the "Get New Licences" field
- Enter the PID and SN in the fields that appear
- Enter the administrator e-mail address in the "Send To" field
- Download the license file and copy it to a pendrive
- Plug the pendrive into the Cisco device
- Copy and install the license file:
  - copy usbflash1:/<path_of_license_file>/<license_file>.lic flash0:/
  - license install flash0:/<license_file>.lic
- Reload the device and show the license:
  - reload
  - enable
  - show license feature
- If "Enable" is "Yes", then everything is all right.
Reset default configuration
- enable
- erase startup-config
- reload
- No
Clone configuration
- Copy the running configuration to a txt file (50-60 per line):
  - enable
  - show running-config
- Enter
- Copy the configuration to the new device by pasting the txt file into the CLI (50-60 per line):
  - enable
  - configure terminal
- If the configuration also includes SSH authorization, the RSA key has to be generated first, and only then continue pasting the rest of the configuration:
  - copy running-config startup-config (or write)
- Enter
- Ctrl+Z
- write
RSA key generation
- The hostname and domain name are needed (hostname <hostname>, ip domain-name <domainname>):
  - enable
  - configure terminal
  - crypto key generate rsa
  - 1024 (at the modulus size prompt)
  - Ctrl+Z
  - write
Automatic setting of VLAN upstate
- no autostate
Add new rules
- Read the current configuration rules:
  - enable
  - show running-config | include <filtered data>
- Search for a similar rule (Edit → Find → <sample>) and edit the rule:
  - configure terminal
- Insert the new edited rule
ACL
Add ACL
- access-list <ACL_list_ID> permit/deny <protocol> <host> <source_IP-address> <host> <destination_IP-address> <eq/neq> <ports separated by a space>
- E.g. Allow <source_IP-address>:443 to internet: access-list <ACL_list_ID> permit tcp host <source_IP-address> any eq https
- E.g. Allow <source_IP-address> to internet: access-list <ACL_list_ID> permit ip host <source_IP-address> any
Add ACL
- ip access-list extended <ACL_list_ID>
- permit/deny <protocol> <host> <source_IP-address> <host> <destination_IP-address> <eq/neq> <ports separated by a space>
Delete ACL
- access-list <ACL_list_ID> no permit/deny...
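An added example, not part of the original post: a small Python reviewer for entries written in the numbered access-list form shown above, which parses each entry and reports why a permit rule is broader than a single service. It handles only that form (source, destination, optional eq/neq ports); the ACL number and the 192.0.2.10 address are constructed sample values.

```python
PORT_OPS = ("eq", "neq")

def parse_addr(tokens):
    """Consume 'any', 'host <ip>' or '<ip> <mask>'; return (spec, remaining tokens)."""
    if tokens[:1] == ["any"]:
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete or missing address")
    return " ".join(tokens[:2]), tokens[2:]

def parse_ace(line):
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq|neq <ports>]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACL entry in the expected form: {line!r}")
    ace = {"acl": t[1], "action": t[2], "protocol": t[3]}
    ace["src"], rest = parse_addr(t[4:])
    ace["dst"], rest = parse_addr(rest)
    has_ports = bool(rest) and rest[0] in PORT_OPS
    ace["port_op"] = rest[0] if has_ports else None
    ace["ports"] = rest[1:] if has_ports else []
    return ace

def review(ace):
    """Return the reasons a permit entry is broader than a single service."""
    findings = []
    if ace["action"] != "permit":
        return findings
    if ace["protocol"] == "ip":
        findings.append("permits every protocol and port")
    elif ace["protocol"] in ("tcp", "udp") and not ace["ports"]:
        findings.append("no port restriction")
    if ace["port_op"] == "neq":
        findings.append("neq permits all ports except the listed ones")
    if ace["src"] == "any" and ace["dst"] == "any":
        findings.append("any source to any destination")
    return findings

# Constructed sample entries; 192.0.2.10 is a documentation address.
SAMPLE = [
    "access-list 101 permit tcp host 192.0.2.10 any eq https",
    "access-list 101 permit ip host 192.0.2.10 any",
    "access-list 101 permit tcp any any neq 22 23",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", review(parse_ace(entry)) or "ok")
```

An entry with no destination, such as a permit ip host line that stops after the source address, is rejected with ValueError instead of being reviewed.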
Route
Add route
- Routers and switches: ip route <source_IP-address> <IP-mask> <destination_IP-address>
- ASA: route <source_IP-address> <IP-mask> <destination_IP-address>
Delete route
- Routers and switches: no ip route <source_IP-address> <IP-mask> <destination_IP-address>
- ASA: no route <source_IP-address> <IP-mask> <destination_IP-address>
Show route table
- Routers and switches: show ip route
- ASA: show route
Static (forward)
Add static
- static (inside,outside/outside,inside) tcp <source_IP-address> <port> <destination_IP-address> <port> netmask <IP_mask> <port>
- E.g. SSH forward: static (inside,outside) tcp <source_IP-address> ssh <destination_IP-address> ssh netmask <IP_mask>
Delete static
- no static (inside,outside/outside,inside) tcp <source_IP-address> <port> <destination_IP-address> <port> netmask <IP_mask> <port>
- Save configuration (approve):
  - Ctrl+Z
  - write
VLAN configuration
Create VLAN
- enable
- show vlan
- configure terminal
- interface vlan <vlan_number>
- description <vlan_name>
- ip address <IP-range>
- Ctrl+Z
- write
Insert switch port to VLAN
- enable
- show vlan
- configure terminal
- interface gigabitEthernet (or fastEthernet) <panel>/<port_number>
- switchport access vlan <vlan_number>
- Ctrl+Z
- write
Port security
- Get device port:
  - show run interface gi <port_of_device>
  - show interface gi <port_of_device>
- Select device port:
  - configure terminal
  - interface gi <port_of_device>
- Turn off old MAC: no switchport port-security mac-address <old_mac_address>
- Turn on new MAC: switchport port-security mac-address <new_mac_address>
- Apply the options:
  - shutdown
  - no shutdown
  - Ctrl+Z
  - write
- Get device port: show interface gi <port_of_device>
Renewal VPN access in ASA
- Enter ASA
- Revoke the old certificate: Configuration → Remote Access VPN → Certificate Management → Local Certificate Authority → Manage User Certificates → old certificate → Revoke
- Assign a new certificate: Manage User Database → Add → Username: based on device or username; Email ID: live e-mail address; Subject DN: DN; Allow enrollment: select
- Send One-Time-Password to e-mail: Email OTP
- Log in with the new user on the external site of the VPN
- Request the certificate: Click here
- Download the certificate, then import it into your own certificates using the username specified when the certificate was assigned and the One-Time-Password received by e-mail