By: Tamas Szucs
April 25, 2017

Foundational Cisco Commands and Tips

Console settings

  • Protocol: Serial
  • Port: COMx
  • Baud rate: 9600
  • Flow control: RTS/CTS

Basic commands

User mode

enable

Privileged mode

configure terminal

HW properties

show inventory raw

HW summary information

show inventory oid

Environment information

show environment

Show interface status

show interface status

Show up/down state of interface

show ip interface brief

Show running rules

show running-config

Device reload

reload

Disable dialog

If the "Would you like to enter the initial configuration dialog? [yes/no]" message is displayed when the device starts up, then enter: "no".

Do command

If you prefix a command with do, you can run EXEC-mode commands (such as show) from configuration mode without leaving it.

Password reset in router

1. Turn on the router!

2. Ctrl+Break

3. Password reset in CLI:

confreg 0x2142
reset
And "no", and "yes".
enable
copy startup-config running-config
configure terminal
enable secret <password>
config-register 0x2102
end
copy running-config startup-config (or write)
And ENTER.
reload
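
Why this procedure works: 0x2142 differs from 0x2102 only in bit 6 (0x0040), which makes the router boot without loading the startup-config. The following is an added example, not part of the original post: it decodes the register and flags "show version" output from routers left in that state. The sample lines and device names are constructed.

```python
import re

IGNORE_NVRAM = 0x0040    # bit 6: boot without loading startup-config
BREAK_DISABLED = 0x0100  # bit 8: Break key is ignored once the system is up
BOOT_FIELD = 0x000F      # bits 0-3: 0 means stay in ROM monitor

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode_confreg(value):
    """Return the security-relevant flags of a configuration register value."""
    return {
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boots_to_rommon": (value & BOOT_FIELD) == 0,
    }

def audit_show_version(outputs):
    """Map device name -> finding for every device that needs attention."""
    findings = {}
    for device, text in outputs.items():
        match = CONFREG_RE.search(text)
        if not match:
            findings[device] = "no configuration register line found"
            continue
        current = int(match.group(1), 16)
        pending = int(match.group(2), 16) if match.group(2) else current
        if decode_confreg(pending)["ignores_startup_config"]:
            findings[device] = "next boot ignores startup-config (%#06x)" % pending
        elif decode_confreg(current)["ignores_startup_config"]:
            findings[device] = "booted without startup-config (%#06x)" % current
    return findings

# Constructed 'show version' excerpts; the device names are placeholders.
SAMPLE = {
    "rtr-a": "Configuration register is 0x2102",
    "rtr-b": "Configuration register is 0x2142",
    "rtr-c": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
}

if __name__ == "__main__":
    for device, finding in audit_show_version(SAMPLE).items():
        print(device, "->", finding)
```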

Password reset switch

1. Turn on the switch!

2. Press mode button while green.

3. Password reset in CLI:

flash_init
load_helper
rename flash:config.text flash:config.text.orig
boot
enable
copy flash:config.text.orig running-config
And ENTER!
configure terminal
enable secret <password>
do write
end
reload

License installing

1. Read the PA key in license PDF!

2. Read device ID:

enable
show license feature
If the "Enable" is "No", then install the license:
show license udi
Read PID and SN!

3. Enter https://tools.cisco.com/SWIFT/LicensingUI/Quickstart#!

4. Enter the PA key in the "Get New Licences" field!

5. Enter the PID and SN in the fields that appear!

6. Enter the administrator e-mail address in the "Send To" field!

7. Download the license file, and copy it to a pendrive!

8. Plug the pendrive into the Cisco device!

9. Copy and install the license file:

copy usbflash1:/<path_of_license_file>/<license_file>.lic flash0:/
license install flash0:/<license_file>.lic

10. Reload device, and show the license:

reload
enable
show license feature
If the "Enable" is "Yes", then all is right.

Reset default configuration

enable
erase startup-config
reload
And "no".

Clone configuration

1. Copy the running configuration to txt file (50-60 per line):

enable
show running-config
And ENTER! 

2. Copy configuration to the new device, and copy txt file to CLI (50-60 per line):

enable
configure terminal
If the configuration also includes SSH authorization, then RSA key generation is needed first, and only then proceed with pasting the rest of the configuration!
copy running-config startup-config (or write)
And ENTER!
Ctrl+Z
write

RSA key generation

1. A hostname and a domain name are needed:

enable
configure terminal
hostname <hostname>
ip domain-name <domainname>
crypto key generate rsa
1024
Ctrl+Z
write

Automatic setting of VLAN upstate

no autostate

Add new rules

1. Read the current configuration rules:

enable
show running-config | include <filtered data>
Search for a similar rule: Edit → Find → <sample>, and edit the rule
configure terminal
Insert the new edited rule!

ACL

Add ACL

access-list <ACL_list_ID> permit/deny <protocol> <host> <source_IP-address> <host> <destination_IP-address> <eq/neq> <ports separated by a space>

E.g. Allow <source_IP-address> to the internet on port 443 (HTTPS):

access-list <ACL_list_ID> permit tcp host <source_IP-address> any eq https

E.g. Allow <source_IP-address> to internet:

access-list <ACL_list_ID> permit ip host <source_IP-address> any

Add ACL

ip access-list extended <ACL_list_ID>
permit/deny <protocol> <host> <source_IP-address> <host> <destination_IP-address> <eq/neq> <ports separated by a space>

Delete ACL

no access-list <ACL_list_ID> permit/deny...
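
How entries written in this syntax are evaluated, as an added example that is not part of the original post and goes a step beyond it: entries are checked top-down, the first match decides, and traffic that matches nothing falls to the implicit deny. The parser covers only the host/any and eq/neq forms shown above; the ACL number, addresses and port-keyword map are constructed.

```python
import ipaddress

PORT_NAMES = {"ssh": 22, "www": 80, "https": 443}  # keyword map assumed for this example

def take_addr(tokens):
    """Consume 'any' or 'host <ip>'; return None for any, else an IPv4Address."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return ipaddress.IPv4Address(tokens.pop(0))
    raise ValueError("unsupported address form: " + word)

def parse_ace(line):
    """Parse: access-list <id> permit|deny <proto> <src> <dst> [eq|neq <ports>]."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an ACL entry: " + line)
    rest = tokens[4:]
    ace = {"action": tokens[2], "proto": tokens[3],
           "src": take_addr(rest), "dst": take_addr(rest)}
    ace["op"] = rest.pop(0) if rest else None
    if ace["op"] not in (None, "eq", "neq"):
        raise ValueError("unsupported operator: " + ace["op"])
    ace["ports"] = {PORT_NAMES.get(p) or int(p) for p in rest}
    return ace

def evaluate(acl, proto, src, dst, dport):
    """Return (action, entry number); the first matching entry wins."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for number, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] not in (None, src) or ace["dst"] not in (None, dst):
            continue
        hit = dport in ace["ports"]
        if (ace["op"] == "eq" and not hit) or (ace["op"] == "neq" and hit):
            continue
        return ace["action"], number
    return "deny", None  # nothing matched: the implicit deny applies

# Constructed ACL in the syntax above, with documentation-range addresses.
ACL = [parse_ace(line) for line in (
    "access-list 110 deny tcp host 192.0.2.10 any eq ssh",
    "access-list 110 permit tcp host 192.0.2.10 any eq www https",
    "access-list 110 permit ip host 192.0.2.20 any",
)]

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "192.0.2.10", "198.51.100.7", 443))
```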

Route

Add route

Routers and switches

ip route <destination_network> <IP-mask> <next_hop_IP-address>

ASA

route <interface_name> <destination_network> <IP-mask> <gateway_IP-address>

Delete route

Routers and switches

no ip route <destination_network> <IP-mask> <next_hop_IP-address>

ASA

no route <interface_name> <destination_network> <IP-mask> <gateway_IP-address>

Show route table

Routers and switches

show ip route

ASA

show route

Static (forward)

Add static

static (inside,outside/outside,inside) tcp <source_IP-address> <port> <destination_IP-address> <port> netmask <IP_mask> <port>

E.g. SSH forward:

static (inside,outside) tcp <source_IP-address> ssh <destination_IP-address> ssh netmask <IP_mask>

Delete static

no static (inside,outside/outside,inside) tcp <source_IP-address> <port> <destination_IP-address> <port> netmask <IP_mask> <port>

Save configuration (approve)

Ctrl+Z
write

VLAN configuration

Create VLAN

enable
show vlan
configure terminal
interface vlan <vlan_number>
description <vlan_name>
ip address <IP-range>
Ctrl+Z
write

Insert switch port to VLAN

enable
show vlan
configure terminal
interface gigabitEthernet (or fastEthernet) <panel>/<port_number>
switchport access vlan <vlan_number>
Ctrl+Z
write

Port security

1. Get device port:

show run interface gi <port_of_device>
show interface gi <port_of_device>

2. Select device port:

configure terminal
interface gi <port_of_device>

3. Turn off old MAC:

no switchport port-security mac-address <old_mac_address>

4. Turn on new MAC:

switchport port-security mac-address <new_mac_address>

5. Approval of options:

shutdown
no shutdown
Ctrl+Z
write

6. Get device port:

show interface gi <port_of_device>

Renewing VPN access in ASA

1. Enter ASA!

2. Withdrawal of the old certificate:

Configuration → Remote Access VPN → Certificate Management → Local Certificate Authority → Manage User Certificates → old certificate → Revoke

3. Assigning a new certificate:

Manage User Database → Add → Username: based on device or username; Email ID: live e-mail address; Subject DN: DN; Allow enrollment: select!

4. Send One-Time-Password to e-mail:

Email OTP

5. Log in with the new user to the external site of the VPN!

6. Requesting the certificate:

Click here

7. Download the certificate, and then import it into your own certificates, using the username specified when the certificate was assigned and the One-Time-Password received by e-mail!

The user can now log in to the external VPN site. The certificate is valid for the specified period of time.