Ready to Start Your Career?

Foundational Cisco Commands and Tips

Tamas Szucs's profile image

By: Tamas Szucs

April 25, 2017

Console settings

  • Protocol: Serial
  • Port: COMx
  • Baud rate: 9600
  • Flow control: RTS/CTS

Basic commands

User mode


Privileged mode

configure terminal

HW properties

show inventory raw

HW summary information

show inventory oid

Environment information

show environment

Show interface status

show interface status

Show up/down state od interface

show ip interface brief

Show running rules

show running-config

Device reload


Disable dialog

If the "Would you like to enter the initial configuration dialog? [yes/no]" message is displayed on the device starts up, then enter: "no".

Do command

If you use do command, then you do not have to enter user mode.

Password reset in router

  1. Turn on the router
  2. Ctrl+Break
  3. Password reset in CLI: config-register 0x2142reset
  4. No
  5. Yes
  6. enablecopy startup-config running-configenable secret <password>config-register 0x2102copy running-config startup-config (or write)
  7. Enter
  8. reload

Password reset switch

  1. Turn on the switch
  2. Press mode button while green.
  3. Password reset in CLI: flash_initload_helperrename flash:config.text flash:config.text.origbootcopy flash:config.txt.orig running-config
  4. Enter
  5. enable secret <password> do write reload

License installing

  1. Read the PA key in license PDF
  2. Read device ID: enableshow license feature
  3. If the "Enable" is "No", then install of license: show license udi
  4. Read PID and SN
  5. Enter
  6. Enter PA key to "Get New Licences" field
  7. Enter PID and SN the appearing fields
  8. Enter administrator e-mail address to "Send To" field
  9. Download the license file, and copy a pendrive
  10. The pendrive plugged into the Cisco device
  11. Copy and install the license file: copy usbflash1:/<path_of_license_file>/<license_file>.lic flash0:/license install flash0:/<license_file>.lic
  12. Reload device, and show the license: reloadenableshow license feature
  13. If the "Enable" is "Yes", then all right.

Reset default configuration

  1. enableerase startup-configreload
  2. No

Clone configuration

  1. Copy the running configuration to txt file (50-60 per line): enableshow running-config
  2. Enter
  3. Copy configuration to the new device, and copy txt file to CLI (50-60 per line): enableconfigure terminal
  4. If ssh authorization also includes the configuration, then needed the RSA key generation, and only then proceed further replenishment of the configuration copy running-config startup-config (or write)
  5. Enter
  6. Ctrl+Zwrite

RSA key generation

  1. Needed the hostname and domain name: hostname <hostname>ip domainname <domainname>enableconfigure terminalcrypto key generate rsa1024Ctrl+Zwrite

Automatic setting of VLAN upstate

  1. no autostate

Add new rules

  1. Read the current configuration rules: enableshow running-config | include <filtered data>
  2. Search the similar rule: Edit → Find → <sample>, and edit rule configure terminal
  3. Insert new edited rule



  1. access-list <ACL_list_ID> permit/deny <protocol> <host> <source_IP-address> <host> <destination_IP-address> <eq/neq> <ports separated by a space>
  2. E.g. Allow <source_IP-address>:443 to internet: access-list <ACL_list_ID> permit tcp host <source_IP-address> any eq https
  3. E.g. Allow <source_IP-address> to internet access-list <ACL_list_ID> permit ip host <source_IP-address>


  1. ip access-list extended <ACL_list_ID>permit/deny <protocol> <host> <source_IP-address> <host> <destination_IP-address> <eq/neq> <ports separated by a space>

Delete ACL

  1. access-list <ACL_list_ID> no permit/deny...


Add route

  1. Routers and switches: ip route <source_IP-address> <IP-mask> <destination_IP-address>
  2. ASA: route <source_IP-address> <IP-mask> <destination_IP-address>

Delete route

  1. Routers and switches: no ip route <source_IP-address> <IP-mask> <destination_IP-address>
  2. ASA: no route <source_IP-address> <IP-mask> <destination_IP-address>

Show route table

  1. Routers and switches: show ip route
  2. ASA: show route

Static (forward)

Add static

  1. static (inside,outside/outside,inside) tcp <source_IP-address> <port> <destination_IP-address> <port> netmask <IP_mask> <port>
  2. E.g. SSH forward: static (inside,outside) tcp <source_IP-address> ssh <destination_IP-address> ssh netmask <IP_mask>

Delete static

  1. No static (inside,outside/outside,inside) tcp <source_IP-address> <port> <destination_IP-address> <port> netmask <IP_mask> <port>
  2. Save configuration (approve)
  3. Ctrl+Zwrite

VLAN configuration

Create VLAN

  1. enableshow vlanconfigure terminalinterface vlan <vlan_number>description <vlan_name>ip address <IP-range>Ctrl+Zwrite

Insert switch port to VLAN

  1. enablesh vlanconfigure terminalinterface gigabitEthernet (or fastEthernet) <panel>/<port_number>switchport access vlan <vlan_number>Ctrl+Zwrite

Port security

  1. Get device port: show run interface gi <port_of_device>show interface gi <port_of_device>
  2. Select device port: configure terminalinterface gi <port_of_device>
  3. Turn off old MAC: no switch port mac <old_mac_address>
  4. Turn on new MAC: switch port mac <old_mac_address>
  5. Approval of options: shutdownno shutdownCtrl+Zwrite
  6. Get device port: show interface gi <port_of_device>

Renewal VPN access in ASA

  1. Enter ASA
  2. Withdrawal of the old certificate: Configuration → Remote Access VPN → Certificate Management → Local Certificate Authority → Manage User Certificates → old certificate → Remote Access VPN → Certificate Management → Local Certificate Authority → Manage User Certificates → old certificate → Revoke
  3. Assigning a new certificate: Manage User Database → Add → Username: based on device or username; Email ID: lived e-mail address; Subject DN: DN; Allow enrollment: select
  4. Send One-Time-Password to e-mail: Email OTP
  5. Enter with the new user to the external site of VPN
  6. Requesting the certificate: Click here
  7. The certificate was download, and then import your own certificates specified in the certificate of allocation username and received e-mail On-Time-Password
The user can now enter an external site VPN. The certificate is valid for the specified period of time.
Schedule Demo