
Foundational Cisco Commands and Tips

Console settings
- Protocol: Serial
- Port: COMx
- Baud rate: 9600
- Flow control: RTS/CTS
Basic commands
User mode
enable
Privileged mode
configure terminal
HW properties
show inventory raw
HW summary information
show inventory oid
Environment information
show environment
Show interface status
show interface status
Show up/down state of interface
show ip interface brief
Show running rules
show running-config
Device reload
reload
Disable dialog
If the "Would you like to enter the initial configuration dialog? [yes/no]" message is displayed when the device starts up, then enter: "no".
Do command
If you use the do command in configuration mode, you do not have to go back to user mode.
Password reset in router
1. Turn on the router!
2. Ctrl+Break
3. Password reset in CLI:
confreg 0x2142
reset
And "no", and "yes".
enable
copy startup-config running-config
configure terminal
enable secret <password>
config-register 0x2102
Ctrl+Z
copy running-config startup-config (or write)
And ENTER.
reload
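A check for the register values used in the procedure above, as an added example that is not part of the original page: register value 0x2142 differs from 0x2102 only in bit 6 (0x0040), which makes the device skip startup-config at boot, so a router left at 0x2142 boots without its passwords. The sketch assumes the usual "Configuration register is ..." line of show version; the sample lines are constructed.

```python
import re

IGNORE_NVRAM = 0x0040  # config-register bit 6: skip startup-config at boot

# Register line of "show version", including the optional pending value
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def check_config_register(show_version: str) -> dict:
    """Return current/next register values and whether startup-config is skipped."""
    m = REG_LINE.search(show_version)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return {
        "current": current,
        "next_boot": pending,
        # the device is running without having loaded startup-config
        "booted_ignoring_config": bool(current & IGNORE_NVRAM),
        # the NEXT boot will skip startup-config (recovery left unfinished)
        "next_boot_ignores_config": bool(pending & IGNORE_NVRAM),
    }

# Constructed sample lines (not captured from a real device)
MID_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
LEFT_OPEN = "Configuration register is 0x2142"
NORMAL = "Configuration register is 0x2102"

if __name__ == "__main__":
    for line in (MID_RECOVERY, LEFT_OPEN, NORMAL):
        r = check_config_register(line)
        status = "set 0x2102" if r["next_boot_ignores_config"] else "ok"
        print(f"{line!r}: next boot 0x{r['next_boot']:04x} -> {status}")
```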
Password reset switch
1. Turn on the switch!
2. Press mode button while green.
3. Password reset in CLI:
flash_init
load_helper
rename flash:config.text flash:config.text.orig
boot
enable
copy flash:config.text.orig running-config
And ENTER!
configure terminal
enable secret <password>
do write
Ctrl+Z
reload
License installing
1. Read the PA key from the license PDF!
2. Read device ID:
enable
show license feature
If the "Enable" is "No", then install the license:
show license udi
Read PID and SN!
3. Enter https://tools.cisco.com/SWIFT/LicensingUI/Quickstart#!
4. Enter the PA key in the "Get New Licences" field!
5. Enter the PID and SN in the fields that appear!
6. Enter the administrator e-mail address in the "Send To" field!
7. Download the license file and copy it to a pendrive!
8. Plug the pendrive into the Cisco device!
9. Copy and install the license file:
copy usbflash1:/<path_of_license_file>/<license_file>.lic flash0:/
license install flash0:/<license_file>.lic
10. Reload device, and show the license:
reload
enable
show license feature
If the "Enable" is "Yes", then all right.
Reset default configuration
enable
erase startup-config
reload
And "no".
Clone configuration
1. Copy the running configuration to a txt file (50-60 lines at a time):
enable
show running-config
And ENTER!
2. Copy the configuration to the new device by pasting the txt file into the CLI (50-60 lines at a time):
enable
configure terminal
If the configuration also includes SSH authorization, then generate the RSA key first, and only then continue pasting the rest of the configuration!
copy running-config startup-config (or write)
And ENTER!
Ctrl+Z
write
RSA key generation
1. A hostname and a domain name are needed:
enable
configure terminal
hostname <hostname>
ip domain-name <domainname>
crypto key generate rsa
1024
Ctrl+Z
write
Automatic setting of VLAN upstate
no autostate
Add new rules
1. Read the current configuration rules:
enable
show running-config | include <filtered data>
Search for a similar rule: Edit → Find → <sample>, and edit the rule
configure terminal
Insert the new edited rule!
ACL
Add ACL
access-list <ACL_list_ID> permit/deny <protocol> <host> <source_IP-address> <host> <destination_IP-address> <eq/neq> <ports separated by a space>
E.g. Allow <source_IP-address>:443 to internet:
access-list <ACL_list_ID> permit tcp host <source_IP-address> any eq https
E.g. Allow <source_IP-address> to internet:
access-list <ACL_list_ID> permit ip host <source_IP-address> any
Add ACL
ip access-list extended <ACL_list_ID>
permit/deny <protocol> <host> <source_IP-address> <host> <destination_IP-address> <eq/neq> <ports separated by a space>
Delete ACL
access-list <ACL_list_ID> no permit/deny...
Route
Add route
Routers and switches
ip route <source_IP-address> <IP-mask> <destination_IP-address>
ASA
route <source_IP-address> <IP-mask> <destination_IP-address>
Delete route
Routers and switches
no ip route <source_IP-address> <IP-mask> <destination_IP-address>
ASA
no route <source_IP-address> <IP-mask> <destination_IP-address>
Show route table
Routers and switches
show ip route
ASA
show route
Static (forward)
Add static
static (inside,outside/outside,inside) tcp <source_IP-address> <port> <destination_IP-address> <port> netmask <IP_mask> <port>
E.g. SSH forward:
static (inside,outside) tcp <source_IP-address> ssh <destination_IP-address> ssh netmask <IP_mask>
Delete static
no static (inside,outside/outside,inside) tcp <source_IP-address> <port> <destination_IP-address> <port> netmask <IP_mask> <port>
Save configuration (approve)
Ctrl+Z
write
VLAN configuration
Create VLAN
enable
show vlan
configure terminal
interface vlan <vlan_number>
description <vlan_name>
ip address <IP-range>
Ctrl+Z
write
Insert switch port to VLAN
enable
sh vlan
configure terminal
interface gigabitEthernet (or fastEthernet) <panel>/<port_number>
switchport access vlan <vlan_number>
Ctrl+Z
write
Port security
1. Get device port:
show run interface gi <port_of_device>
show interface gi <port_of_device>
2. Select device port:
configure terminal
interface gi <port_of_device>
3. Turn off old MAC:
no switchport port-security mac-address <old_mac_address>
4. Turn on new MAC:
switchport port-security mac-address <new_mac_address>
5. Approval of options:
shutdown
no shutdown
Ctrl+Z
write
6. Get device port:
show interface gi <port_of_device>
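A way to verify the MAC swap from saved show running-config output, as an added example that is not part of the original page: it confirms that the old address is gone, the new one is pinned, and port security is actually enabled on the port. The function names and the sample configuration are constructed for illustration; interface names must be written as they appear in the running configuration (GigabitEthernet0/1, not gi0/1).

```python
import re

# "switchport port-security mac-address [sticky] xxxx.xxxx.xxxx" in an interface block
MAC_LINE = re.compile(r"\s+switchport port-security mac-address (?:sticky )?"
                      r"((?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})")

def normalize_mac(mac):
    """Reduce aa:bb:cc:dd:ee:ff, aa-bb-... or aabb.ccdd.eeff to 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def port_security(running_config):
    """Map interface name -> {'enabled': bool, 'macs': [pinned MACs]}."""
    ports, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = ports.setdefault(name, {"enabled": False, "macs": []})
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current is not None:
            if line.strip() == "switchport port-security":
                current["enabled"] = True
            m = MAC_LINE.match(line)
            if m:
                current["macs"].append(normalize_mac(m.group(1)))
    return ports

def verify_swap(running_config, interface, old_mac, new_mac):
    """Return a list of problems; an empty list means the swap is complete."""
    port = port_security(running_config).get(interface)
    if port is None:
        return ["interface not found"]
    checks = [
        (not port["enabled"], "port-security not enabled"),
        (normalize_mac(old_mac) in port["macs"], "old MAC still allowed"),
        (normalize_mac(new_mac) not in port["macs"], "new MAC not configured"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed running-config excerpt (not from a real device); Gi0/2 pins a MAC
# but lacks the bare "switchport port-security" line, so nothing is enforced.
SAMPLE = (
    "interface GigabitEthernet0/1\n switchport port-security\n"
    " switchport port-security mac-address 0011.2233.4455\n!\n"
    "interface GigabitEthernet0/2\n"
    " switchport port-security mac-address sticky aabb.ccdd.eeff\n!\n"
)
```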
Renewal VPN access in ASA
1. Log in to the ASA!
2. Revoke the old certificate:
Configuration → Remote Access VPN → Certificate Management → Local Certificate Authority → Manage User Certificates → old certificate → Revoke
3. Assigning a new certificate:
Manage User Database → Add → Username: based on device or username; Email ID: a live e-mail address; Subject DN: DN; Allow enrollment: select!
4. Send One-Time-Password to e-mail:
Email OTP
5. Log in with the new user to the external VPN site!
6. Requesting the certificate:
Click here
7. Download the certificate, then import it into your own certificates using the username specified when the certificate was assigned and the One-Time-Password received by e-mail!
The user can now log in to the external VPN site. The certificate is valid for the specified period of time.