Ccna CSV4
Uploaded by gowthamfree1

Comprehensive CCNA 200-301 Command Reference with Detailed Syntax and Explanations
Table of Contents
1. Command Mode Navigation
2. Basic System Configuration
3. Interface Configuration
4. VLAN and Switching Commands
5. Routing Configuration
6. Network Services
7. Security Configuration
8. Monitoring and Troubleshooting
9. Advanced Features
10. File Management Commands

Command Mode Navigation

Basic Mode Commands

User EXEC Mode (Router>)

! Enter User EXEC Mode (default when connecting)
Router>

! Available commands in User mode:


Router> ?
connect Open a terminal connection
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
logout Exit from the EXEC
ping Send echo messages
resume Resume an active network connection
show Show running system information
telnet Open a telnet connection
traceroute Trace route to destination

Explanation: User EXEC mode provides limited access for basic monitoring. The > prompt
indicates you have minimal privileges - you can view basic information but cannot make
configuration changes.

Privileged EXEC Mode (Router#)

! Enter Privileged EXEC Mode
Router> enable
Router> en ! Abbreviated form
Password:

! Request a specific privilege level (1-15) directly

Router> enable 15

! Exit Privileged EXEC Mode


Router# disable
Router# exit ! Also works
Router# logout ! Also works

! Available commands in Privileged mode:


Router# ?
archive Archive functions
clear Reset functions
clock Manage system clock
configure Enter configuration mode
copy Copy from one file to another
debug Debugging functions
delete Delete a file
dir List files on a filesystem
disable Turn off privileged commands
enable Turn on privileged commands
erase Erase a filesystem
more Display the contents of a file
reload Halt and perform a cold restart
setup Run the SETUP command facility
show Show running system information
write Write running configuration to memory

Why use different variations:

• enable - Standard command
• en - Time-saving abbreviation
• Password prompt adds security layer

Global Configuration Mode (Router(config)#)

! Enter Global Configuration Mode
Router# configure terminal
Router# config t ! Abbreviated form
Router# conf t ! Even shorter abbreviation

! Exit Global Configuration Mode


Router(config)# exit ! Returns to Privileged EXEC
Router(config)# end ! Returns to Privileged EXEC
Router(config)# Ctrl+Z ! Keyboard shortcut

! Execute Privileged EXEC commands from config mode


Router(config)# do show running-config
Router(config)# do sh run

! Available configuration commands:


Router(config)# ?
aaa Authentication, Authorization and Accounting
access-list Add an access list entry
banner Define a login banner
boot System Boot Parameters
cdp Global CDP configuration subcommands
clock Configure time-of-day clock
enable Modify enable password parameters
end Exit from configure mode
exit Exit from configure mode
hostname System hostname
interface Select an interface to configure
ip Global IP configuration subcommands
line Configure a terminal line
logging Modify message logging facilities
router Enable a routing process
service Modify use of network based services
username Establish User Name Authentication
vlan VLAN commands

Explanation: Global configuration mode allows system-wide changes. The (config)# prompt indicates you can modify the device configuration.

Sub-Configuration Modes

Interface Configuration Mode

! Enter Interface Configuration Mode
Router(config)# interface gigabitethernet0/0
Router(config)# interface gi0/0 ! Abbreviated
Router(config)# int gi0/0 ! Even shorter

! Multiple interfaces at once


Router(config)# interface range gi0/0-3
Router(config)# int range gi0/0-3, gi1/0-1

! Exit Interface Configuration Mode


Router(config-if)# exit ! Back to global config
Router(config-if)# end ! Back to privileged EXEC
! Interface-specific commands:
Router(config-if)# ?
bandwidth Set bandwidth informational parameter
cdp CDP interface subcommands
description Interface specific description
duplex Configure duplex operation
exit Exit from interface configuration mode
ip Interface Internet Protocol config commands
ipv6 IPv6 interface subcommands
shutdown Shutdown the selected interface
speed Configure speed operation
switchport Set switching mode characteristics

Router Configuration Mode

! Enter Router Configuration Mode (for routing protocols)
Router(config)# router ospf 1
Router(config)# router eigrp 100
Router(config)# router rip

! Exit Router Configuration Mode


Router(config-router)# exit
Router(config-router)# end

! Routing protocol commands:


Router(config-router)# ?
area OSPF area parameters
default-information Control distribution of default information
distance Define an administrative distance
exit Exit from routing protocol configuration mode
network Enable routing on an IP network
passive-interface Suppress routing updates on an interface
redistribute Redistribute information from another routing protocol
router-id Router-id for this OSPF process

Line Configuration Mode

! Enter Line Configuration Mode
Router(config)# line console 0
Router(config)# line vty 0 4 ! Virtual terminals 0-4
Router(config)# line vty 0 15 ! Extended VTY lines
Router(config)# line aux 0 ! Auxiliary port

! Exit Line Configuration Mode


Router(config-line)# exit
Router(config-line)# end

! Line-specific commands:
Router(config-line)# ?
access-class Filter connections based on an IP access list
exec-timeout Set the EXEC timeout
exit Exit from line configuration mode
logging Modify message logging facilities
login Enable password checking
password Set a password
privilege Change privilege level for line
transport Define transport protocols for line

Basic System Configuration

Hostname Configuration

Basic Hostname Commands

! Set hostname (Global Configuration Mode)
Router(config)# hostname R1
R1(config)# hostname CORE-SWITCH-01
CORE-SWITCH-01(config)# hostname Branch-Router
Branch-Router(config)#

! Hostname rules and best practices:


! - Must start with a letter
! - Can contain letters, numbers, and hyphens
! - Case sensitive
! - Maximum 63 characters
! - No spaces allowed (use hyphens instead)

! Examples of good hostnames:


Router(config)# hostname HQ-RTR-01
Router(config)# hostname SW-ACCESS-FL2-01
Router(config)# hostname FW-DMZ-PRIMARY

! Examples to avoid:
Router(config)# hostname 123Router ! Cannot start with number
Router(config)# hostname Core Switch ! No spaces allowed
Router(config)# hostname rtr@branch ! No special characters

Why hostname is important:

• Identifies device in network topology
• Appears in CDP/LLDP advertisements
• Shows in syslog messages
• Helps with network documentation
• Changes command prompt for easy identification

Banner Configuration

Message of the Day (MOTD) Banner

! Configure MOTD banner with different delimiters
Router(config)# banner motd #
Enter TEXT message. End with the character '#'.
*** AUTHORIZED ACCESS ONLY ***
This system is for authorized users only.
All activities are logged and monitored.
Disconnect immediately if not authorized.
#

! Using different delimiters


Router(config)# banner motd $
Warning: Unauthorized access prohibited!
$

Router(config)# banner motd ^C


=== PRODUCTION NETWORK ===
Contact: netadmin@company.com
Phone: +1-555-0199
^C

! Login banner (shown before login prompt)


Router(config)# banner login %
Please enter your credentials:
%

! EXEC banner (shown after successful login)


Router(config)# banner exec &
Welcome to the corporate network
You are connected to $(hostname) on line $(line)
&

Banner Types Explained:

• MOTD Banner: Displayed to all users before login
• Login Banner: Displayed before username/password prompt
• EXEC Banner: Displayed after successful authentication
• Delimiter: Character that marks beginning and end of banner text

Password Configuration

Enable Passwords

! Enable password (stored in plain text - not recommended)
Router(config)# enable password cisco123
Router(config)# enable password MyPassword!

! Enable secret (encrypted with MD5)


Router(config)# enable secret StrongP@ssw0rd
Router(config)# enable secret MySecurePass123

! Enable secret with encryption type


Router(config)# enable secret 0 PlainTextPass ! Type 0 = Plain text
Router(config)# enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0 ! Type 5 = MD5

! View the difference:


Router# show running-config | include enable
enable password cisco123 ! Plain text - INSECURE
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0 ! Encrypted - SECURE

! Remove enable passwords


Router(config)# no enable password
Router(config)# no enable secret

Password Types Explained:

• enable password: Plain text, visible in config (deprecated)
• enable secret: MD5 hashed, more secure
• If both configured, secret takes precedence
• Type 5 encryption uses salted MD5 hash

Console Password Configuration

! Configure console password
Router(config)# line console 0
Router(config-line)# password ConsolePass123
Router(config-line)# login
Router(config-line)# exit

! Console with local user authentication


Router(config)# username admin privilege 15 secret AdminPass456
Router(config)# line console 0
Router(config-line)# login local
Router(config-line)# exit

! Console password with additional security


Router(config)# line console 0
Router(config-line)# password console123
Router(config-line)# login
Router(config-line)# exec-timeout 5 0 ! 5 minutes timeout
Router(config-line)# logging synchronous ! Prevent log messages from interrupting
Router(config-line)# exit

! Disable console password (not recommended)


Router(config)# line console 0
Router(config-line)# no login
Router(config-line)# no password

Console Security Options:

• password + login: Simple password protection
• login local: Uses local user database
• exec-timeout: Automatic logout after inactivity
• logging synchronous: Keeps unsolicited log messages from splitting the command you are typing

VTY (Telnet/SSH) Password Configuration

! Basic VTY password configuration
Router(config)# line vty 0 4 ! Lines 0-4 (supports 5 concurrent sessions)
Router(config-line)# password TelnetPass789
Router(config-line)# login
Router(config-line)# exit

! Extended VTY lines (more concurrent sessions)


Router(config)# line vty 0 15 ! Lines 0-15 (supports 16 concurrent sessions)
Router(config-line)# password VtyPass123
Router(config-line)# login
Router(config-line)# transport input telnet ssh ! Allow both Telnet and SSH
Router(config-line)# exit

! VTY with local user authentication


Router(config)# username netadmin privilege 15 secret NetAdmin456
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh ! SSH only for security
Router(config-line)# exec-timeout 10 0 ! 10 minutes timeout
Router(config-line)# exit

! VTY access control with ACL


Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 permit 10.1.1.100 0.0.0.0
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in
Router(config-line)# login local
Router(config-line)# transport input ssh

VTY Configuration Variations:

• vty 0 4: Standard 5 concurrent sessions
• vty 0 15: Extended for 16 concurrent sessions
• transport input: Controls allowed connection methods
• access-class: Restricts access by source IP
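The access-class check above is a first-match evaluation against wildcard masks. The following Python, added here and not part of the original reference, parses a standard numbered ACL out of running-config text and evaluates source addresses against it; it goes beyond the two entries shown by handling the host and any keywords and arbitrary (including non-contiguous) wildcard masks. The running-config excerpt and the test addresses are constructed for the example.

```python
"""Evaluate a standard IOS access-list the way "access-class 10 in" applies it.

Added example (not from the original reference).  Entries are tested top to
bottom, the first match wins, and anything unmatched hits the implicit
"deny any" at the end.  Wildcard masks follow IOS semantics: a 0 bit must
match, a 1 bit is ignored, so non-contiguous masks work too.  The config
excerpt and the test addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    network: int     # match address as a 32-bit integer
    wildcard: int    # wildcard mask as a 32-bit integer

    def matches(self, addr: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF   # bits that must match
        return (addr & care) == (self.network & care)


def parse_standard_acl(config: str, number: int) -> List[AclEntry]:
    """Collect the entries of 'access-list <number>' from running-config text."""
    entries: List[AclEntry] = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(number)]:
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            entries.append(AclEntry(action, 0, 0xFFFFFFFF))
        elif target == "host":              # "host A.B.C.D" == "A.B.C.D 0.0.0.0"
            entries.append(AclEntry(action, int(ipaddress.IPv4Address(parts[4])), 0))
        else:
            network = int(ipaddress.IPv4Address(target))
            # A standard entry without a wildcard is an exact host match.
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
            entries.append(AclEntry(action, network, wildcard))
    return entries


def acl_decision(entries: List[AclEntry], source: str) -> str:
    """Return "permit" or "deny" for a source address; first match wins."""
    addr = int(ipaddress.IPv4Address(source))
    for entry in entries:
        if entry.matches(addr):
            return entry.action
    return "deny"  # implicit deny any at the end of every IOS ACL


# Constructed running-config excerpt matching the VTY example above.
SAMPLE_CONFIG = """\
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.1.1.100 0.0.0.0
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_CONFIG, 10)
    for src in ("192.168.1.77", "10.1.1.100", "10.1.1.101", "172.16.0.5"):
        print(f"{src:15} -> {acl_decision(acl, src)}")
```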

Password Encryption

! Enable password encryption for all plain text passwords
Router(config)# service password-encryption

! Before encryption:
Router# show running-config | include password
enable password cisco123
password console456
password vty789

! After encryption:
Router# show running-config | include password
enable password 7 0822455D0A16
password 7 045802150C2E
password 7 060506324F41

! Disable password encryption (affects new passwords only)


Router(config)# no service password-encryption

! Password encryption types:


! Type 0 = Plain text
! Type 5 = MD5 hash (enable secret)
! Type 7 = Cisco proprietary (easily reversible)
! Type 8 = PBKDF2 (newer, more secure)
! Type 9 = Scrypt (newest, most secure)

Password Encryption Explanation:

• service password-encryption: Encrypts existing plain text passwords
• Type 7: Weak encryption, easily decoded (not secure)
• Type 5: MD5 hash, much stronger than Type 7
• Type 8/9: Modern password hashing, most secure
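To check a saved configuration against the password and VTY guidance in this and the preceding sections, here is a small audit script, added here and not part of the original reference. It flags enable password, username entries stored with password type 0 or 7, a missing service password-encryption, and line blocks that use login instead of login local, allow telnet, or disable exec-timeout. The finding wording and the sample running-config are constructed for the example.

```python
"""Audit an IOS running-config for weak credential and remote-access settings.

Added example (not from the original reference).  Top-level commands such as
"enable password" and "username ... password" are checked for password types
0 and 7, "service password-encryption" is expected to be present, and each
"line ..." block is checked for its login method, transport input and
exec-timeout.  Sample config and finding labels are constructed here.
"""
import re
from typing import Dict, List, Tuple

# Password type numbers as listed in the reference: 0 = plain text, 7 = reversible.
WEAK_TYPES = {"0": "plain text", "7": "type 7 (reversible)"}


def split_line_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Separate top-level commands from the indented bodies of 'line ...' blocks."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and IOS comments
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, sections


def password_kind(cmd: str) -> str:
    """Classify the credential on a command ending in 'password|secret [type] <value>'."""
    m = re.search(r"\b(password|secret)(?: (\d+))? \S+$", cmd)
    if not m:
        return ""
    keyword, type_num = m.group(1), m.group(2) or "0"
    if keyword == "secret":
        return "secret"  # hashed (type 5, 8 or 9), acceptable
    return WEAK_TYPES.get(type_num, f"type {type_num}")


def audit_config(config: str) -> List[str]:
    """Return one human-readable finding per weak setting, in config order."""
    findings: List[str] = []
    top, sections = split_line_sections(config)

    if "service password-encryption" not in top:
        findings.append("global: service password-encryption is not enabled")

    for cmd in top:
        kind = password_kind(cmd)
        if cmd.startswith("enable password"):
            findings.append(f"global: enable password ({kind}); use enable secret")
        elif cmd.startswith("username ") and kind and kind != "secret":
            user = cmd.split()[1]
            findings.append(f"global: username {user} stored as {kind}; use secret")

    for name, body in sections.items():
        for cmd in body:
            if cmd.startswith("password"):
                kind = password_kind(cmd)
                if kind in WEAK_TYPES.values():
                    findings.append(f"{name}: line password stored as {kind}")
        # Plain "login" authenticates against the line password; "login local"
        # uses the username database.  No login at all means no authentication.
        if "login" in body:
            findings.append(f"{name}: login uses the line password; prefer login local")
        elif not any(c.startswith("login") for c in body):
            findings.append(f"{name}: no login method configured")
        if "exec-timeout 0 0" in body or "no exec-timeout" in body:
            findings.append(f"{name}: idle timeout disabled")
        if name.startswith("line vty"):
            transport = next((c for c in body if c.startswith("transport input")), None)
            if transport is None:
                findings.append(f"{name}: transport input not restricted; set transport input ssh")
            elif "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{name}: transport input allows telnet; use transport input ssh")
    return findings


# Constructed running-config excerpt mixing the weak and the hardened forms above.
SAMPLE_CONFIG = """\
hostname R1
enable password cisco123
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username guest privilege 1 password 7 060506324F41
!
line console 0
 password console456
 login
 exec-timeout 0 0
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 password vty789
 login
 transport input telnet ssh
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```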

Local User Accounts

! Create local user accounts
Router(config)# username admin privilege 15 secret AdminP@ss123
Router(config)# username operator privilege 1 secret OperatorPass
Router(config)# username backup privilege 5 secret BackupUser456

! User with password instead of secret


Router(config)# username guest privilege 1 password GuestPass

! User account with different encryption types


Router(config)# username secure1 secret 0 PlainTextPass ! Plain text input
Router(config)# username secure2 secret 5 $1$salt$hash ! Pre-hashed MD5
Router(config)# username secure3 secret 8 $8$salt$hash ! PBKDF2
Router(config)# username secure4 secret 9 $9$salt$hash ! Scrypt

! Delete user account


Router(config)# no username guest

! View configured users


Router# show running-config | section username
username admin privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username operator privilege 1 secret 5 $1$salt$anotherhash

Privilege Levels Explained:

• Privilege 0: Limited access (predefined)
• Privilege 1: Normal user EXEC mode
• Privilege 15: Full privileged EXEC mode
• Privileges 2-14: Custom privilege levels
• Higher numbers = more privileges

Interface Configuration

Physical Interface Configuration

Basic Interface Configuration

! Enter interface configuration mode
Router(config)# interface gigabitethernet0/0
Router(config-if)# description WAN Connection to ISP
Router(config-if)# ip address 203.0.113.10 255.255.255.252
Router(config-if)# no shutdown
Router(config-if)# exit

! Alternative interface naming conventions:


Router(config)# interface gigabitethernet 0/0 ! Full name
Router(config)# interface gi0/0 ! Abbreviated
Router(config)# interface g0/0 ! Short form
Router(config)# interface GigabitEthernet0/0 ! Case insensitive

! FastEthernet interfaces:
Router(config)# interface fastethernet0/0
Router(config)# interface fa0/0 ! Abbreviated
Router(config)# interface f0/0 ! Short form

! Serial interfaces:
Router(config)# interface serial0/0/0
Router(config)# interface se0/0/0 ! Abbreviated
Router(config)# interface s0/0/0 ! Short form

! Loopback interfaces (virtual):


Router(config)# interface loopback0
Router(config)# interface lo0 ! Abbreviated

Interface Naming Variations:

• Full names: More readable, used in documentation
• Abbreviations: Faster to type, commonly used in CLI
• Case insensitive: gi0/0 = Gi0/0 = GI0/0

Interface Descriptions

! Add descriptive text to interfaces
Router(config)# interface gi0/0
Router(config-if)# description Connection to Core Switch Port 24
Router(config-if)# exit

Router(config)# interface gi0/1


Router(config-if)# description WAN-Link-to-Branch-Office-NYC
Router(config-if)# exit

Router(config)# interface gi0/2


Router(config-if)# description ### DMZ Server Farm ###
Router(config-if)# exit

! Description best practices:
! - Spaces are allowed without quotes (quote characters become part of the text)
! - Include connection details (what it connects to)
! - Reference port numbers or locations
! - Use consistent naming conventions
! - Include VLAN information for switch ports
! - Maximum 80 characters

! View descriptions:
Router# show interfaces description
Interface   Status   Protocol Description
Gi0/0       up       up       Connection to Core Switch Port 24
Gi0/1       up       up       WAN-Link-to-Branch-Office-NYC
Gi0/2       down     down     ### DMZ Server Farm ###

! Remove description:
Router(config-if)# no description

IP Address Configuration

! Configure primary IP address
Router(config)# interface gi0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown

! Configure secondary IP addresses


Router(config-if)# ip address 192.168.2.1 255.255.255.0 secondary
Router(config-if)# ip address 192.168.3.1 255.255.255.0 secondary

! DHCP client configuration


Router(config-if)# ip address dhcp
Router(config-if)# no shutdown

! DHCP client with hostname


Router(config-if)# ip address dhcp hostname R1-WAN

! Unnumbered interface (borrows IP from another interface)


Router(config)# interface gi0/1
Router(config-if)# ip unnumbered gi0/0

! Remove IP address
Router(config-if)# no ip address

! Configure /30 subnet for point-to-point links


Router(config-if)# ip address 10.1.1.1 255.255.255.252 ! /30 network
! Valid host IPs: 10.1.1.1 and 10.1.1.2
! Network: 10.1.1.0, Broadcast: 10.1.1.3

! Configure /31 subnet (RFC 3021) for point-to-point


Router(config-if)# ip address 10.1.1.0 255.255.255.254 ! /31 network
! Valid host IPs: 10.1.1.0 and 10.1.1.1
! No network or broadcast address needed

IP Address Configuration Explained:

• Primary address: Main IP on interface
• Secondary address: Additional IPs on same interface
• DHCP client: Automatically obtains IP from DHCP server
• Unnumbered: Saves IP addresses on serial links
• /31 subnets: Efficient for point-to-point links

Speed and Duplex Configuration

! Configure interface speed
Router(config-if)# speed 10 ! 10 Mbps
Router(config-if)# speed 100 ! 100 Mbps (Fast Ethernet)
Router(config-if)# speed 1000 ! 1000 Mbps (Gigabit)
Router(config-if)# speed auto ! Auto-negotiate speed

! Configure duplex mode


Router(config-if)# duplex half ! Half-duplex (legacy)
Router(config-if)# duplex full ! Full-duplex (recommended)
Router(config-if)# duplex auto ! Auto-negotiate duplex

! Best practices for speed/duplex:


! Scenario 1: Auto-negotiation (recommended)
Router(config-if)# speed auto
Router(config-if)# duplex auto

! Scenario 2: Fixed speed/duplex (troubleshooting)


Router(config-if)# speed 100
Router(config-if)# duplex full

! Scenario 3: Server connections (fixed gigabit)


Router(config-if)# speed 1000
Router(config-if)# duplex full

! View speed/duplex settings:


Router# show interfaces gi0/0 | include duplex
Full-duplex, 1000Mb/s, media type is T

Speed/Duplex Best Practices:

• Auto-negotiation: Let devices negotiate automatically
• Fixed settings: Use when troubleshooting mismatch issues
• Half-duplex: Creates collision domain, avoid if possible
• Duplex mismatches: Cause performance issues and errors

Interface Shutdown/No Shutdown

! Disable interface (administratively down)
Router(config-if)# shutdown

! Enable interface (administratively up)


Router(config-if)# no shutdown
Router(config-if)# no shut ! Abbreviated form

! Check interface status:


Router# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.1.1     YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  administratively down down
GigabitEthernet0/2     10.1.1.1        YES manual up                    down

! Interface status meanings:


! Status = up, Protocol = up: Interface working properly
! Status = up, Protocol = down: Layer 1 up, Layer 2 problem
! Status = admin down, Protocol = down: Interface shutdown
! Status = down, Protocol = down: Cable/physical problem

Interface Status Troubleshooting:

• up/up: Interface operational
• up/down: Physical layer OK, data link problem
• admin down/down: Interface shutdown command
• down/down: Physical connectivity problem

IPv6 Interface Configuration

! Enable IPv6 routing globally
Router(config)# ipv6 unicast-routing

! Configure IPv6 address manually


Router(config)# interface gi0/0
Router(config-if)# ipv6 address 2001:db8:1::1/64
Router(config-if)# no shutdown

! Configure IPv6 with EUI-64


Router(config-if)# ipv6 address 2001:db8:1::/64 eui-64

! Configure link-local address manually


Router(config-if)# ipv6 address fe80::1 link-local

! Enable IPv6 address auto-configuration


Router(config-if)# ipv6 address autoconfig

! Configure multiple IPv6 addresses


Router(config-if)# ipv6 address 2001:db8:1::1/64
Router(config-if)# ipv6 address 2001:db8:2::1/64
Router(config-if)# ipv6 address fe80::1 link-local

! View IPv6 configuration:


Router# show ipv6 interface brief
GigabitEthernet0/0 [up/up]
FE80::1
2001:DB8:1::1

! Remove IPv6 address:


Router(config-if)# no ipv6 address 2001:db8:1::1/64

IPv6 Address Types:

• Global unicast: Routable on internet (2000::/3)
• Link-local: Local link only (fe80::/10)
• EUI-64: Auto-generated from MAC address
• Autoconfig: SLAAC (Stateless Address Auto-configuration)
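How the eui-64 keyword builds the host part of the address, as an added Python example (not from the original reference): split the MAC in half, insert ff:fe, and flip the universal/local bit. The MAC addresses and the prefixes used are constructed for the example.

```python
"""Derive the modified EUI-64 interface ID that
"ipv6 address 2001:db8:1::/64 eui-64" forms from an interface MAC address.

Added example (not from the original reference).  Steps: split the 48-bit MAC
into its 24-bit halves, insert ff:fe between them, then invert the U/L bit
(bit 1 of the first byte).  MAC and prefix values here are constructed.
"""
import ipaddress


def mac_to_eui64_suffix(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a MAC address."""
    # Accept 0000.0c12.3456 (IOS style), 00:00:0c:12:34:56 or 00-00-0c-12-34-56.
    hex_digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(hex_digits)
    # Insert ff:fe between the OUI (first 3 bytes) and the device part (last 3).
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Modified EUI-64: invert the universal/local bit so a burned-in
    # (globally unique) MAC yields a 1 in that position.
    eui64[0] ^= 0x02
    return bytes(eui64)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_suffix(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 link-local address derived the same way from the MAC."""
    return eui64_address("fe80::/64", mac)


if __name__ == "__main__":
    mac = "0000.0c12.3456"   # constructed burned-in address
    print("global:    ", eui64_address("2001:db8:1::/64", mac))
    print("link-local:", link_local_from_mac(mac))
```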

VLAN and Switching Commands

VLAN Configuration

Creating and Managing VLANs

! Create single VLAN
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit

Switch(config)# vlan 20
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit

Switch(config)# vlan 30
Switch(config-vlan)# name Marketing
Switch(config-vlan)# exit

! Create multiple VLANs at once


Switch(config)# vlan 40,50,60
Switch(config-vlan)# exit

! Create VLAN range


Switch(config)# vlan 100-110
Switch(config-vlan)# exit

! Delete single VLAN


Switch(config)# no vlan 60

! Delete multiple VLANs


Switch(config)# no vlan 100-110

! VLAN with additional parameters
Switch(config)# vlan 100
Switch(config-vlan)# name Guest_Network
Switch(config-vlan)# state active ! VLAN state (active/suspend)
Switch(config-vlan)# mtu 1500 ! Maximum transmission unit
Switch(config-vlan)# exit

! View VLAN configuration:


Switch# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
10   Sales                            active
20   Engineering                      active
30   Marketing                        active
100  Guest_Network                    active

VLAN Number Ranges:

• 1: Default VLAN (cannot be deleted)
• 2-1001: Normal range VLANs
• 1002-1005: Reserved for legacy protocols
• 1006-4094: Extended range VLANs (stored in running-config)

Access Port Configuration

! Configure single access port
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# no shutdown
Switch(config-if)# exit

! Configure multiple access ports using range
Switch(config)# interface range fastethernet0/2-10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# no shutdown
Switch(config-if-range)# exit

! Configure non-contiguous range


Switch(config)# interface range fa0/11-15, fa0/20-24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 30
Switch(config-if-range)# exit

! Access port with description


Switch(config)# interface fa0/1
Switch(config-if)# description "Sales Desktop PC"
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# no shutdown

! Voice VLAN configuration (for IP phones)


Switch(config)# interface fa0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10 ! Data VLAN
Switch(config-if)# switchport voice vlan 100 ! Voice VLAN
Switch(config-if)# no shutdown

! Return port to default VLAN


Switch(config-if)# no switchport access vlan
! or
Switch(config-if)# switchport access vlan 1

! View switchport configuration:


Switch# show interfaces fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: access
Operational Mode: access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Sales)

Access Port Explained:

• switchport mode access: Forces port into access mode
• switchport access vlan: Assigns port to specific VLAN
• Voice VLAN: Separate VLAN for IP phone traffic
• Range configuration: Efficient for multiple ports

Trunk Port Configuration

! Configure trunk port (manual)
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# no shutdown

! Trunk with native VLAN specification


Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30,99

! Trunk allowing all VLANs except specified


Switch(config-if)# switchport trunk allowed vlan all
Switch(config-if)# switchport trunk allowed vlan except 50-60

! Add VLANs to existing allowed list


Switch(config-if)# switchport trunk allowed vlan add 40,45

! Remove VLANs from allowed list


Switch(config-if)# switchport trunk allowed vlan remove 45

! Advanced trunk configuration


Switch(config)# interface gi0/1
Switch(config-if)# description "Trunk to Distribution Switch"
Switch(config-if)# switchport trunk encapsulation dot1q ! Older switches that also support ISL; must precede "mode trunk"
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 10,20,30,100,999
Switch(config-if)# no shutdown

! Dynamic trunk negotiation (not recommended for production)


Switch(config-if)# switchport mode dynamic auto ! Passive negotiation
Switch(config-if)# switchport mode dynamic desirable ! Active negotiation

! DTP (Dynamic Trunking Protocol) configurations:


! desirable + desirable = Trunk
! desirable + auto = Trunk
! auto + auto = Access (no trunk formed)
! trunk + any = Trunk

! Disable DTP (security best practice)


Switch(config-if)# switchport nonegotiate

! View trunk configuration:


Switch# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/1       10,20,30,100,999

Port        Vlans allowed and active in management domain
Gi0/1       10,20,30,100,999

Trunk Configuration Options:

• mode trunk: Forces trunk mode
• mode dynamic auto: Responds to DTP negotiation
• mode dynamic desirable: Actively negotiates trunk
• nonegotiate: Disables DTP for security

Native VLAN Configuration

! Configure native VLAN on trunk
Switch(config)# interface gi0/1
Switch(config-if)# switchport trunk native vlan 99

! Native VLAN best practices:


! 1. Change from default VLAN 1 for security
Switch(config)# vlan 999
Switch(config-vlan)# name Native_VLAN
Switch(config-vlan)# exit
Switch(config)# interface gi0/1
Switch(config-if)# switchport trunk native vlan 999

! 2. Use dedicated unused VLAN


Switch(config)# vlan 666
Switch(config-vlan)# name UNUSED_NATIVE
Switch(config-vlan)# exit

! 3. Ensure native VLAN matches on both ends


! Switch A:
Switch-A(config-if)# switchport trunk native vlan 99
! Switch B:
Switch-B(config-if)# switchport trunk native vlan 99

! Verify native VLAN configuration:


Switch# show interfaces gi0/1 switchport | include Native
Administrative Native VLAN tagging: disabled
Native VLAN: 99

! Native VLAN mismatch detection:


Switch# show interfaces gi0/1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99
! CDP logs a mismatch when the neighbour's native VLAN differs:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (99), with Switch-B GigabitEthernet0/1 (1).

Native VLAN Security:

• Default native VLAN 1: Security risk, should be changed
• Dedicated unused VLAN: Best practice for native VLAN
• VLAN mismatch: Can cause connectivity issues
• Native VLAN attacks: Mitigated by moving the native VLAN off the default to a dedicated unused VLAN

Advanced Switching Features

Port Security Configuration

! Basic port security
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# no shutdown

! Port security with maximum MAC addresses


Switch(config-if)# switchport port-security maximum 2

! Port security with violation actions


Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security violation protect

! Port security with sticky MAC learning


Switch(config-if)# switchport port-security mac-address sticky

! Port security with static MAC address


Switch(config-if)# switchport port-security mac-address 1234.5678.9abc

! Complete port security configuration


Switch(config)# interface fa0/5
Switch(config-if)# description "Secure Desktop Connection"
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# no shutdown

! Aging configuration for port security


Switch(config-if)# switchport port-security aging time 60 ! Minutes
Switch(config-if)# switchport port-security aging type absolute
Switch(config-if)# switchport port-security aging type inactivity

! View port security configuration:


Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/5              1            1                  0         Shutdown

! View port security for specific interface:


Switch# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 1234.5678.9abc:10
Security Violation Count : 0

! Clear port security violation


Switch# clear port-security sticky interface fa0/1
Switch# clear port-security all

Port Security Violation Actions:

• Shutdown: Disables port, requires manual re-enabling
• Restrict: Drops violating frames, sends SNMP trap
• Protect: Drops violating frames silently

EtherChannel Configuration

! PAgP (Cisco proprietary) EtherChannel
Switch(config)# interface range gi0/1-2
Switch(config-if-range)# channel-group 1 mode desirable
Switch(config-if-range)# exit

Switch(config)# interface port-channel 1


Switch(config-if)# description "EtherChannel to Core Switch"
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30

! LACP (IEEE 802.3ad) EtherChannel


Switch(config)# interface range gi0/3-4
Switch(config-if-range)# channel-group 2 mode active
Switch(config-if-range)# exit

Switch(config)# interface port-channel 2


Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100

! Manual EtherChannel (no protocol)


Switch(config)# interface range gi0/5-6
Switch(config-if-range)# channel-group 3 mode on
Switch(config-if-range)# exit

! EtherChannel load balancing


Switch(config)# port-channel load-balance src-dst-ip
Switch(config)# port-channel load-balance src-dst-mac
Switch(config)# port-channel load-balance src-mac

! Advanced EtherChannel configuration


Switch(config)# interface range gi0/7-8
Switch(config-if-range)# description "Member of Port-Channel 4"
Switch(config-if-range)# channel-group 4 mode active
Switch(config-if-range)# lacp port-priority 32768 ! Lower = higher priority
Switch(config-if-range)# exit

Switch(config)# interface port-channel 4


Switch(config-if)# description "LACP EtherChannel to Server Farm"
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 50,60,70,99

! View EtherChannel configuration:


Switch# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Gi0/1(P)    Gi0/2(P)
2      Po2(SU)         LACP      Gi0/3(P)    Gi0/4(P)

! View detailed EtherChannel information:


Switch# show etherchannel 1 detail
Group: 1
---------
Port-channels in the group:
---------------------------

Port-channel: Po1 (Primary Aggregator)


---------
Age of the Port-channel = 0d:00h:25m:19s
Logical slot/port = 2/1 Number of ports = 2
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled

EtherChannel Protocols:

• PAgP: Cisco proprietary (desirable/auto modes)


• LACP: Industry standard (active/passive modes)
• Manual: No negotiation protocol (on mode)

VLAN Troubleshooting Commands
text
! View all VLANs and port assignments
Switch# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
10   Sales                            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
20   Engineering                      active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
30   Marketing                        active    Fa0/13, Fa0/14, Fa0/15, Fa0/16

! View specific VLAN
Switch# show vlan id 10
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   Sales                            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
10   enet  100010     1500  -      -      -        -    -        0      0

! View interface VLAN membership
Switch# show interfaces fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: access
Operational Mode: access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Sales)
Trunking Native Mode VLAN: 1 (default)

! View trunk interfaces
Switch# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30

! View MAC address table by VLAN
Switch# show mac address-table vlan 10
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    1234.5678.9abc    DYNAMIC     Fa0/1
  10    2345.6789.abcd    DYNAMIC     Fa0/2

Routing Configuration

Static Routing

IPv4 Static Routes


text
! Basic static route
Router(config)# ip route 192.168.2.0 255.255.255.0 10.1.1.2

! Static route with exit interface
Router(config)# ip route 192.168.3.0 255.255.255.0 gigabitethernet0/1

! Static route with both next-hop and exit interface
Router(config)# ip route 192.168.4.0 255.255.255.0 gi0/1 10.1.1.2

! Default route (gateway of last resort)
Router(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1
Router(config)# ip route 0.0.0.0 0.0.0.0 gi0/0

! Host route (specific host)
Router(config)# ip route 192.168.1.100 255.255.255.255 10.1.1.3

! Floating static route (backup with higher AD)
Router(config)# ip route 192.168.5.0 255.255.255.0 10.1.1.4 5
Router(config)# ip route 192.168.5.0 255.255.255.0 10.1.1.5 10 ! Backup

! Static route with description (newer IOS versions)
Router(config)# ip route 192.168.6.0 255.255.255.0 10.1.1.6 name "To Branch Office"

! Null route (blackhole traffic)
Router(config)# ip route 192.168.100.0 255.255.255.0 null0

! Remove static route
Router(config)# no ip route 192.168.2.0 255.255.255.0 10.1.1.2

! View routing table
Router# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.1.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/30 is directly connected, GigabitEthernet0/0
L        10.1.1.2/32 is directly connected, GigabitEthernet0/0
S     192.168.2.0/24 [1/0] via 10.1.1.2
S     192.168.3.0/24 is directly connected, GigabitEthernet0/1

Static Route Types Explained:

• Network route: Points to a specific network
• Default route: Matches all destinations (0.0.0.0/0)
• Host route: /32 route to a specific host
• Floating static: Backup route with higher AD
• Null route: Discards matching traffic
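Added example (not from the original reference): a small Python model of how IOS chooses among the static routes above, longest prefix first, then lowest administrative distance, so the floating static for 192.168.5.0/24 is installed only when the AD-5 next hop goes away. The route list is the page's own; which next hops are "down" is an assumption passed in by the caller.

```python
import ipaddress

# The IPv4 static routes configured above, as (prefix, next hop or exit interface, AD).
ROUTES = [
    ("192.168.2.0/24", "10.1.1.2", 1),
    ("192.168.3.0/24", "GigabitEthernet0/1", 1),
    ("0.0.0.0/0", "10.1.1.1", 1),          # default route (gateway of last resort)
    ("192.168.1.100/32", "10.1.1.3", 1),   # host route
    ("192.168.5.0/24", "10.1.1.4", 5),     # primary
    ("192.168.5.0/24", "10.1.1.5", 10),    # floating static: used only if the AD-5 route drops out
    ("192.168.100.0/24", "Null0", 1),      # null route: matching traffic is discarded
]


def _is_interface(next_hop):
    """Exit-interface routes (Null0, GigabitEthernet0/1) are not IP addresses."""
    try:
        ipaddress.ip_address(next_hop)
        return False
    except ValueError:
        return True


def install(routes, reachable):
    """Model the RIB: per prefix, keep only the candidate with the lowest AD whose
    next hop is reachable (IOS withdraws a static route whose next hop is not).
    Interface routes are treated as always up. Returns {ip_network: (next_hop, ad)}."""
    rib = {}
    for prefix, next_hop, ad in routes:
        if not _is_interface(next_hop) and next_hop not in reachable:
            continue
        net = ipaddress.ip_network(prefix)
        if net not in rib or ad < rib[net][1]:
            rib[net] = (next_hop, ad)
    return rib


def lookup(rib, dst):
    """Longest-prefix match: the most specific installed route wins, so the /32 host
    route beats a /24 and anything unmatched falls through to 0.0.0.0/0."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, (next_hop, _ad) in rib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def route(dst, down=()):
    """Look up dst with the given next hops assumed unreachable (assumption for the demo)."""
    reachable = {nh for _, nh, _ in ROUTES} - set(down)
    return lookup(install(ROUTES, reachable), dst)


if __name__ == "__main__":
    print(route("192.168.5.7"))                          # primary via 10.1.1.4
    print(route("192.168.5.7", down=["10.1.1.4"]))       # floating static via 10.1.1.5
    print(route("192.168.1.100"), route("192.168.1.7"))  # /32 host route vs. default route
```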

IPv6 Static Routes
text
! Enable IPv6 routing
Router(config)# ipv6 unicast-routing

! Basic IPv6 static route
Router(config)# ipv6 route 2001:db8:2::/64 2001:db8:1::2

! IPv6 static route with exit interface
Router(config)# ipv6 route 2001:db8:3::/64 gi0/1

! IPv6 default route
Router(config)# ipv6 route ::/0 2001:db8:1::1
Router(config)# ipv6 route ::/0 gi0/0

! IPv6 host route
Router(config)# ipv6 route 2001:db8:1::100/128 2001:db8:1::3

! IPv6 floating static route
Router(config)# ipv6 route 2001:db8:4::/64 2001:db8:1::4 5

! View IPv6 routing table
Router# show ipv6 route
IPv6 Routing Table - default - 5 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

S   ::/0 [1/0]
     via 2001:DB8:1::1
C   2001:DB8:1::/64 [0/0]
     via GigabitEthernet0/0, directly connected
L   2001:DB8:1::2/128 [0/0]
     via GigabitEthernet0/0, receive
S   2001:DB8:2::/64 [1/0]
     via 2001:DB8:1::2

Dynamic Routing Protocols

OSPF Configuration
text
! Enable OSPF process
Router(config)# router ospf 1
Router(config-router)# router-id 1.1.1.1
Router(config-router)# network 10.1.1.0 0.0.0.3 area 0
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# exit

! OSPF with interface-specific configuration
Router(config)# interface gi0/0
Router(config-if)# ip ospf 1 area 0
Router(config-if)# ip ospf network point-to-point
Router(config-if)# ip ospf cost 10
Router(config-if)# ip ospf priority 255
Router(config-if)# exit

! OSPF passive interface
Router(config)# router ospf 1
Router(config-router)# passive-interface gi0/2
Router(config-router)# passive-interface default ! All interfaces passive
Router(config-router)# no passive-interface gi0/0 ! Except this one

! OSPF default route injection
Router(config-router)# default-information originate
Router(config-router)# default-information originate always ! Even without a default route
Router(config-router)# default-information originate metric 10

! OSPF area configuration
Router(config-router)# area 1 stub
Router(config-router)# area 1 stub no-summary
Router(config-router)# area 1 nssa

! OSPF route summarization
Router(config-router)# area 0 range 192.168.0.0 255.255.252.0

! OSPF authentication (plain-text key)
Router(config)# interface gi0/0
Router(config-if)# ip ospf authentication-key password123
Router(config-if)# exit
Router(config)# router ospf 1
Router(config-router)# area 0 authentication

! OSPF MD5 authentication
Router(config)# interface gi0/0
Router(config-if)# ip ospf message-digest-key 1 md5 md5password
Router(config-if)# exit
Router(config)# router ospf 1
Router(config-router)# area 0 authentication message-digest

! View OSPF configuration
Router# show ip ospf
 Routing Process "ospf 1" with ID 1.1.1.1
 Start time: 00:00:12.584, Time elapsed: 00:02:31.928
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs

Router# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:37    10.1.1.1        GigabitEthernet0/0
3.3.3.3           1   FULL/BDR        00:00:35    10.1.1.2        GigabitEthernet0/0

Router# show ip ospf database
            OSPF Router with ID (1.1.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         157         0x80000003 0x007F4E 2
2.2.2.2         2.2.2.2         156         0x80000003 0x00A43A 2
3.3.3.3         3.3.3.3         146         0x80000003 0x00C926 2

OSPF Key Concepts:

• Process ID: Locally significant number
• Router ID: Unique identifier in the OSPF domain
• Area: Logical grouping of OSPF routers
• Network statement: Specifies the interfaces to include

EIGRP Configuration
text
! Enable EIGRP
Router(config)# router eigrp 100
Router(config-router)# no auto-summary
Router(config-router)# eigrp router-id 10.1.1.1
Router(config-router)# network 10.1.1.0 0.0.0.3
Router(config-router)# network 192.168.1.0
Router(config-router)# exit

! EIGRP with specific interface
Router(config)# interface gi0/0
Router(config-if)# ip bandwidth-percent eigrp 100 50 ! Use 50% of bandwidth
Router(config-if)# ip hello-interval eigrp 100 5 ! Hello every 5 seconds
Router(config-if)# ip hold-time eigrp 100 15 ! Hold time 15 seconds
Router(config-if)# exit

! EIGRP passive interface
Router(config)# router eigrp 100
Router(config-router)# passive-interface gi0/2

! EIGRP load balancing
Router(config-router)# maximum-paths 6 ! Up to 6 equal-cost paths
Router(config-router)# variance 2 ! Unequal-cost load balancing

! EIGRP authentication
Router(config)# key chain EIGRP_KEYS
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string MySecretKey
Router(config-keychain-key)# exit
Router(config-keychain)# exit

Router(config)# interface gi0/0
Router(config-if)# ip authentication mode eigrp 100 md5
Router(config-if)# ip authentication key-chain eigrp 100 EIGRP_KEYS

! View EIGRP configuration
Router# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.1.1.1                Gi0/0                    13 00:03:42   12   100  0  5
1   10.1.1.2                Gi0/0                    11 00:03:41   16   100  0  3

Router# show ip eigrp topology
EIGRP-IPv4 Topology Table for AS(100)/ID(10.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.1.1.0/30, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/0
P 192.168.1.0/24, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/1
P 192.168.2.0/24, 1 successors, FD is 3072
        via 10.1.1.1 (3072/2816), GigabitEthernet0/0

EIGRP Characteristics:

• Autonomous System (AS): EIGRP routing domain
• Feasible Distance (FD): Best metric to destination
• Successor: Best next-hop router
• Feasible Successor: Backup next-hop router
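Added example, not part of the original reference: the classic EIGRP composite metric and the DUAL successor selection applied to the topology entry above. The path via 10.1.1.1 with (3072/2816) is the page's; the two alternative neighbors are constructed to show one feasible successor and one neighbor that fails the feasibility condition, and how `variance` changes what gets installed.

```python
def eigrp_metric(min_bandwidth_kbps, total_delay_us):
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1, others 0):
    256 * (10^7 / min_bandwidth + total_delay / 10). IOS truncates each term,
    so integer division is used here as well."""
    return 256 * (10**7 // min_bandwidth_kbps + total_delay_us // 10)


# One GigabitEthernet hop (1,000,000 kbps, 10 us delay) costs 2816; two such hops cost
# 3072. These are exactly the FD values in the show ip eigrp topology output above.
GIG_ONE_HOP = eigrp_metric(1_000_000, 10)    # 2816
GIG_TWO_HOPS = eigrp_metric(1_000_000, 20)   # 3072

# Candidate paths to 192.168.2.0/24 as (metric via this neighbor, neighbor's reported
# distance), i.e. the "(FD/RD)" pair IOS prints after each "via".
PATHS_192_168_2_0 = {
    "10.1.1.1": (3072, 2816),   # from the topology output above
    "10.1.1.2": (3328, 2816),   # constructed: costlier, but RD 2816 < FD 3072 -> feasible successor
    "10.1.1.7": (5120, 3584),   # constructed: RD 3584 >= FD 3072 -> fails the feasibility condition
}


def dual_select(paths, variance=1, maximum_paths=4):
    """Apply the DUAL rules: the lowest metric is the feasible distance (FD); every
    neighbor offering that metric is a successor; any other neighbor whose reported
    distance is strictly below the FD is a loop-free feasible successor. With
    'variance' > 1, feasible successors whose metric is below variance * FD are also
    installed (unequal-cost load balancing), up to maximum-paths entries."""
    fd = min(metric for metric, _rd in paths.values())
    successors = sorted(nh for nh, (metric, _rd) in paths.items() if metric == fd)
    feasible = sorted(nh for nh, (metric, rd) in paths.items()
                      if metric != fd and rd < fd)
    installed = successors + [nh for nh in feasible if paths[nh][0] < variance * fd]
    return {
        "fd": fd,
        "successors": successors,
        "feasible_successors": feasible,
        "installed": installed[:maximum_paths],
    }


if __name__ == "__main__":
    print(dual_select(PATHS_192_168_2_0))              # successor only (variance 1)
    print(dual_select(PATHS_192_168_2_0, variance=2))  # adds the feasible successor
```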

RIP Configuration
text
! Enable RIP version 2
Router(config)# router rip
Router(config-router)# version 2
Router(config-router)# no auto-summary
Router(config-router)# network 10.0.0.0
Router(config-router)# network 192.168.1.0
Router(config-router)# exit

! RIP passive interface
Router(config)# router rip
Router(config-router)# passive-interface gi0/2

! RIP default route propagation
Router(config-router)# default-information originate

! RIP authentication
Router(config)# key chain RIP_KEYS
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string RipPassword
Router(config-keychain-key)# exit
Router(config-keychain)# exit

Router(config)# interface gi0/0
Router(config-if)# ip rip authentication mode md5
Router(config-if)# ip rip authentication key-chain RIP_KEYS

! View RIP configuration
Router# show ip rip database
10.0.0.0/8    auto-summary
10.1.1.0/30    directly connected, GigabitEthernet0/0
192.168.1.0/24    auto-summary
192.168.1.0/24    directly connected, GigabitEthernet0/1
192.168.2.0/24
    [1] via 10.1.1.1, 00:00:23, GigabitEthernet0/0

RIP Characteristics:

• Hop count metric: Maximum 15 hops
• Periodic updates: Every 30 seconds
• Split horizon: Prevents routing loops
• Version 2: Supports VLSM and authentication

Network Services

DHCP Configuration

DHCP Server Configuration


text
! Exclude addresses from DHCP pool
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
Router(config)# ip dhcp excluded-address 192.168.1.100 192.168.1.110

! Create DHCP pool
Router(config)# ip dhcp pool LAN_POOL
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8 4.4.4.4
Router(dhcp-config)# domain-name company.com
Router(dhcp-config)# lease 7 ! 7 days
Router(dhcp-config)# exit

! DHCP pool with additional options
Router(config)# ip dhcp pool GUEST_POOL
Router(dhcp-config)# network 192.168.100.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.100.1
Router(dhcp-config)# dns-server 8.8.8.8
Router(dhcp-config)# domain-name guest.company.com
Router(dhcp-config)# lease 0 8 0 ! 8 hours
Router(dhcp-config)# option 66 ascii "tftp-server.company.com" ! TFTP server
Router(dhcp-config)# option 67 ascii "config-file.cfg" ! Boot filename
Router(dhcp-config)# exit

! DHCP reservation (static assignment)
Router(config)# ip dhcp pool PRINTER_STATIC
Router(dhcp-config)# host 192.168.1.50 255.255.255.0
Router(dhcp-config)# client-identifier 01aa.bbcc.ddee.ff
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8
Router(dhcp-config)# exit

! Disable DHCP conflict logging (reduces log spam)
Router(config)# no ip dhcp conflict logging

! DHCP conflict detection (the server pings an address before offering it)
Router(config)# ip dhcp ping packets 3 ! Ping before assignment
Router(config)# ip dhcp ping timeout 250 ! 250 ms ping timeout

! View DHCP configuration:
Router# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.1.11        0100.1234.5678.ab       Mar 02 1993 12:00 AM    Automatic
192.168.1.12        0100.abcd.ef12.34       Mar 02 1993 12:00 AM    Automatic

Router# show ip dhcp pool
Pool LAN_POOL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 2
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.1.12         192.168.1.1      - 192.168.1.254     2

Router# show ip dhcp conflict
IP address        Detection method   Detection time          VRF

DHCP Pool Parameters Explained:

• network: Defines the IP subnet to assign from
• default-router: Gateway IP address
• dns-server: DNS server addresses
• lease: How long a client keeps its IP address
• option: Additional DHCP options (PXE boot, etc.)

DHCP Client Configuration


text
! Configure interface as DHCP client
Router(config)# interface gi0/0
Router(config-if)# ip address dhcp
Router(config-if)# no shutdown

! DHCP client with custom hostname
Router(config-if)# ip address dhcp hostname R1-Branch

! DHCP client with client-id
Router(config-if)# ip dhcp client client-id gi0/0

! View DHCP client status:
Router# show dhcp lease
Interface : GigabitEthernet0/0
IP Address: 203.0.113.100
Subnet Mask: 255.255.255.0
DHCP Server: 203.0.113.1
Lease Obtained: Mar 01 1993 12:00:00 AM
Lease Expires: Mar 08 1993 12:00:00 AM

DHCP Relay Configuration


text
! Configure DHCP relay (helper address)
Router(config)# interface gi0/1
Router(config-if)# ip helper-address 10.1.1.50

! Multiple DHCP servers
Router(config-if)# ip helper-address 10.1.1.50
Router(config-if)# ip helper-address 10.1.1.51

! DHCP relay with broadcast forwarding control
Router(config)# ip forward-protocol udp 67 ! DHCP/BOOTP
Router(config)# ip forward-protocol udp 53 ! DNS
Router(config)# ip forward-protocol udp 69 ! TFTP
Router(config)# ip forward-protocol udp 137 ! NetBIOS

! Disable specific broadcast forwarding
Router(config)# no ip forward-protocol udp 137

! View DHCP relay statistics:
Router# show ip dhcp relay information

NAT Configuration

Static NAT Configuration


text
! Define inside and outside interfaces
Router(config)# interface gi0/0
Router(config-if)# ip nat inside
Router(config-if)# exit

Router(config)# interface gi0/1
Router(config-if)# ip nat outside
Router(config-if)# exit

! Static NAT one-to-one mapping
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10
Router(config)# ip nat inside source static 192.168.1.11 203.0.113.11

! Static NAT with port redirection
Router(config)# ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 8080
Router(config)# ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 8443

! Static NAT for servers
Router(config)# ip nat inside source static 192.168.1.50 203.0.113.50 ! Web server
Router(config)# ip nat inside source static 192.168.1.51 203.0.113.51 ! Mail server
Router(config)# ip nat inside source static 192.168.1.52 203.0.113.52 ! FTP server

! View static NAT translations:
Router# show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
---  203.0.113.10        192.168.1.10        ---                 ---
tcp  203.0.113.10:8080   192.168.1.10:80     ---                 ---
---  203.0.113.50        192.168.1.50        ---                 ---

Dynamic NAT Configuration


text
! Create access list for inside local addresses
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit 192.168.2.0 0.0.0.255

! Create NAT pool
Router(config)# ip nat pool PUBLIC_POOL 203.0.113.20 203.0.113.30 netmask 255.255.255.0
Router(config)# ip nat pool BACKUP_POOL 203.0.113.40 203.0.113.50 netmask 255.255.255.0

! Apply dynamic NAT
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL

! Dynamic NAT with multiple pools
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL
Router(config)# ip nat inside source list 1 pool BACKUP_POOL overflow

! View NAT pools:
Router# show ip nat pool
Pool PUBLIC_POOL
 Starting address: 203.0.113.20
 Ending address:   203.0.113.30
 Type: generic, total addresses 11, allocated 3, misses 0
 Utilization: 27%

PAT (Port Address Translation) Configuration
text
! PAT with pool overload
Router(config)# access-list 10 permit 192.168.0.0 0.0.255.255
Router(config)# ip nat pool PAT_POOL 203.0.113.1 203.0.113.1 netmask 255.255.255.252
Router(config)# ip nat inside source list 10 pool PAT_POOL overload

! PAT with interface overload (most common)
Router(config)# ip nat inside source list 10 interface gi0/1 overload

! PAT with specific port ranges
Router(config)# ip nat pool PAT_PORTS 203.0.113.1 203.0.113.1 netmask 255.255.255.255
Router(config)# ip nat inside source list 10 pool PAT_PORTS overload

! View PAT translations:
Router# show ip nat translations verbose
Pro  Inside global       Inside local        Outside local        Outside global
tcp  203.0.113.1:1024    192.168.1.10:49152  209.165.200.225:80   209.165.200.225:80
    create: 00:00:12, use: 00:00:02, timeout: 00:01:00
tcp  203.0.113.1:1025    192.168.1.11:49153  209.165.200.226:443  209.165.200.226:443
    create: 00:00:08, use: 00:00:01, timeout: 00:01:00

NAT Troubleshooting Commands


text
! View NAT statistics
Router# show ip nat statistics
Total active translations: 4 (1 static, 3 dynamic; 2 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 156  Misses: 12
Expired translations: 8
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 pool PAT_POOL refcount 3
 pool PAT_POOL: netmask 255.255.255.255
        start 203.0.113.1 end 203.0.113.1
        type generic, total addresses 1, allocated 1 (100%), misses 0

! Clear NAT translations
Router# clear ip nat translation *
Router# clear ip nat translation inside 192.168.1.10
Router# clear ip nat translation outside 203.0.113.1

! Debug NAT
Router# debug ip nat
Router# debug ip nat detailed

NTP Configuration

NTP Client Configuration


text
! Configure NTP server
Router(config)# ntp server pool.ntp.org
Router(config)# ntp server 132.163.97.1 prefer ! Prefer this server
Router(config)# ntp server 128.138.141.172

! NTP with authentication
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 1 md5 NTPsecret123
Router(config)# ntp trusted-key 1
Router(config)# ntp server 132.163.97.1 key 1

! Set timezone
Router(config)# clock timezone EST -5
Router(config)# clock summer-time EDT recurring

! Manual time setting (if NTP unavailable)
Router# clock set 14:30:00 1 March 2024

! View NTP status:
Router# show ntp status
Clock is synchronized, stratum 4, reference is 132.163.97.1
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**24
reference time is E8A5F9B4.A2F15B34 (14:30:44.636 EST Fri Mar 1 2024)
clock offset is -2.4123 msec, root delay is 45.18 msec
root dispersion is 59.84 msec, peer dispersion is 3.64 msec

Router# show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~132.163.97.1    .GPS.            1     64   1024   377    1.2   -2.41    3.6
 ~pool.ntp.org    .POOL.          16      -     64     0    0.0    0.00  16000.

NTP Server Configuration


text
! Configure as NTP master (stratum 8)
Router(config)# ntp master 8

! NTP source interface (consistent source IP)
Router(config)# ntp source loopback0

! NTP access control
Router(config)# ntp access-group serve-only 10
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255

! View NTP associations details:
Router# show ntp associations detail
132.163.97.1 configured, selected, sane, valid, stratum 1
ref ID .GPS., time E8A5F9B4.A2F15B34 (14:30:44.636 EST Fri Mar 1 2024)
our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
root delay 0.00 msec, root disp 1.95, reach 377, sync dist 4.012
delay 1.19 msec, offset -2.4123 msec, dispersion 3.64
precision 2**6, version 4

SNMP Configuration

SNMP Community Configuration


text
! Read-only community
Router(config)# snmp-server community public ro

! Read-write community (not recommended)
Router(config)# snmp-server community private rw

! Community with access list
Router(config)# access-list 20 permit 10.1.1.100
Router(config)# access-list 20 permit 192.168.1.0 0.0.0.255
Router(config)# snmp-server community monitoring ro 20

! SNMP host (trap receiver)
Router(config)# snmp-server host 10.1.1.100 version 2c public
Router(config)# snmp-server host 192.168.1.50 version 2c monitoring

! Enable specific SNMP traps
Router(config)# snmp-server enable traps config
Router(config)# snmp-server enable traps interface
Router(config)# snmp-server enable traps cpu threshold
Router(config)# snmp-server enable traps memory bufferpeak

! System information
Router(config)# snmp-server contact "Network Admin <netadmin@company.com>"
Router(config)# snmp-server location "Server Room - Building A"
Router(config)# snmp-server chassis-id "R1-HQ-CORE"

! View SNMP configuration:
Router# show snmp
Chassis: R1-HQ-CORE
Contact: Network Admin <netadmin@company.com>
Location: Server Room - Building A
0 SNMP packets input
    0 Bad SNMP version errors
    0 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    0 Get-request PDUs
    0 Get-next PDUs
    0 Set-request PDUs
9 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    0 No such name errors
    0 Bad values errors
    0 General errors
    0 Response PDUs
    9 Trap PDUs

SNMPv3 Configuration
text
! Create SNMP user
Router(config)# snmp-server user admin admin-group v3 auth md5 AuthPass123 priv aes 128 PrivPass456

! Create SNMP group
Router(config)# snmp-server group admin-group v3 priv read readview write writeview notify notifyview

! Create SNMP views
Router(config)# snmp-server view readview iso included
Router(config)# snmp-server view writeview system included
Router(config)# snmp-server view notifyview iso included

! SNMPv3 host
Router(config)# snmp-server host 10.1.1.100 version 3 priv admin

! View SNMPv3 users:
Router# show snmp user
User name: admin
Engine ID: 800000090300001B53A25C80
storage-type: nonvolatile        active
Rowstatus: active
Authentication Protocol: MD5
Privacy Protocol: AES128
Group-name: admin-group

Security Configuration

Access Control Lists (ACLs)

Standard ACL Configuration


text
! Numbered standard ACL (1-99, 1300-1999)
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 permit 192.168.2.0 0.0.0.255
Router(config)# access-list 10 deny any ! Explicit deny; every ACL already ends with an implicit deny any, so anything not permitted above is dropped

! Apply to interface
Router(config)# interface gi0/0
Router(config-if)# ip access-group 10 in
Router(config-if)# exit

! Named standard ACL
Router(config)# ip access-list standard ALLOW_LAN
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# permit host 192.168.2.10
Router(config-std-nacl)# deny any log
Router(config-std-nacl)# exit

! Apply named ACL
Router(config)# interface gi0/1
Router(config-if)# ip access-group ALLOW_LAN out

! Standard ACL examples (each line shows one syntax form):
Router(config)# access-list 15 permit 10.1.1.0 0.0.0.255 ! Permit subnet
Router(config)# access-list 15 permit host 10.1.1.100 ! Permit specific host
Router(config)# access-list 15 permit any ! Permit everything
Router(config)# access-list 15 deny 172.16.0.0 0.15.255.255 ! Deny major network
! Order matters: entered as above, "permit any" shadows the later deny, so place specific denies before it

! View ACL configuration:
Router# show access-lists
Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (5 matches)
    20 permit 192.168.2.0, wildcard bits 0.0.0.255
    30 deny   any (2 matches)

Standard IP access list ALLOW_LAN
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (12 matches)
    20 permit host 192.168.2.10 (3 matches)
    30 deny   any log (1 match)

Standard ACL Best Practices:

• Apply close to the destination
• Use named ACLs for easier management
• Include an explicit deny with logging
• Order from specific to general

Extended ACL Configuration


text
! Numbered extended ACL (100-199, 2000-2699)
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22
Router(config)# access-list 100 permit icmp any any echo-reply
Router(config)# access-list 100 deny ip any any log

! Named extended ACL with detailed rules
Router(config)# ip access-list extended WEB_SERVER_ACL
Router(config-ext-nacl)# permit tcp any host 192.168.1.50 eq 80
Router(config-ext-nacl)# permit tcp any host 192.168.1.50 eq 443
Router(config-ext-nacl)# permit tcp any host 192.168.1.50 established
Router(config-ext-nacl)# permit icmp any any echo
Router(config-ext-nacl)# permit icmp any any echo-reply
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit

! Extended ACL with port ranges
Router(config)# ip access-list extended FTP_ACCESS
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any eq 21 ! FTP control
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any range 1024 65535 ! FTP data
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit

! Time-based ACL
Router(config)# time-range BUSINESS_HOURS
Router(config-time-range)# periodic weekdays 8:00 to 17:00
Router(config-time-range)# exit
Router(config)# ip access-list extended TIME_BASED_WEB
Router(config-ext-nacl)# permit tcp any any eq 80 time-range BUSINESS_HOURS
Router(config-ext-nacl)# permit tcp any any eq 443 time-range BUSINESS_HOURS
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit

! ACL with object groups (newer IOS)
Router(config)# object-group network INTERNAL_NETWORKS
Router(config-network-group)# 192.168.1.0 255.255.255.0
Router(config-network-group)# 192.168.2.0 255.255.255.0
Router(config-network-group)# exit

Router(config)# object-group service WEB_SERVICES
Router(config-service-group)# tcp eq 80
Router(config-service-group)# tcp eq 443
Router(config-service-group)# exit

Router(config)# ip access-list extended OBJECT_GROUP_ACL
Router(config-ext-nacl)# permit object-group WEB_SERVICES object-group INTERNAL_NETWORKS any
Router(config-ext-nacl)# deny ip any any

Extended ACL Protocols and Ports:

• TCP ports: 80 (HTTP), 443 (HTTPS), 22 (SSH), 23 (Telnet), 21 (FTP)
• UDP ports: 53 (DNS), 69 (TFTP), 161 (SNMP), 123 (NTP)
• ICMP types: echo, echo-reply, unreachable, time-exceeded
• Keywords: any, host, established, range, eq, lt, gt, neq

ACL Sequence Numbers and Editing


text
! Named ACL with sequence numbers
Router(config)# ip access-list extended NUMBERED_ACL
Router(config-ext-nacl)# 10 permit tcp any host 192.168.1.50 eq 80
Router(config-ext-nacl)# 20 permit tcp any host 192.168.1.50 eq 443
Router(config-ext-nacl)# 30 permit icmp any any echo
Router(config-ext-nacl)# 40 deny ip any any log
Router(config-ext-nacl)# exit

! Insert entry between existing rules
Router(config)# ip access-list extended NUMBERED_ACL
Router(config-ext-nacl)# 15 permit tcp any host 192.168.1.50 eq 22
Router(config-ext-nacl)# exit

! Remove specific line
Router(config)# ip access-list extended NUMBERED_ACL
Router(config-ext-nacl)# no 15
Router(config-ext-nacl)# exit

! View ACL with sequence numbers:
Router# show ip access-lists NUMBERED_ACL
Extended IP access list NUMBERED_ACL
    10 permit tcp any host 192.168.1.50 eq www
    20 permit tcp any host 192.168.1.50 eq 443
    30 permit icmp any any echo
    40 deny ip any any log

! Resequence ACL entries
Router(config)# ip access-list resequence NUMBERED_ACL 10 10
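Added example covering the standard, extended and sequence-number sections above; it is not Cisco code. It parses access-list entries in the form `show ip access-lists` prints them, applies Cisco wildcard-mask matching, evaluates a packet top-down in sequence order with the implicit deny at the end, and shows why inserting sequence 15 changes the verdict for SSH. The ACL lines are the page's NUMBERED_ACL; the packets and the PORT_NAMES table are constructed for the demo.

```python
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53}  # constructed subset
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _take_addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def _take_ports(tok):
    """Consume an optional 'eq P' or 'range LO HI'; return ((lo, hi) or None, rest)."""
    if tok and tok[0] == "eq":
        return (_port(tok[1]), _port(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return (_port(tok[1]), _port(tok[2])), tok[3:]
    return None, tok


def parse_ace(line):
    """Parse one entry such as '10 permit tcp any host 192.168.1.50 eq www' (extended)
    or '10 permit 192.168.1.0 0.0.0.255' (standard: source address only)."""
    tok = line.split()
    seq, action, tok = int(tok[0]), tok[1], tok[2:]
    if tok[0] in PROTOCOLS:
        proto, tok = tok[0], tok[1:]
        src, tok = _take_addr(tok)
        sports, tok = _take_ports(tok)
        dst, tok = _take_addr(tok)
        dports, tok = _take_ports(tok)
    else:
        proto, sports, dports = "ip", None, None
        src, tok = _take_addr(tok)
        dst = ANY
    icmp_type = None
    if proto == "icmp" and tok and tok[0] != "log":
        icmp_type, tok = tok[0], tok[1:]
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst,
            "sports": sports, "dports": dports, "icmp_type": icmp_type,
            "established": "established" in tok, "log": "log" in tok}


def matches(ace, pkt):
    """pkt: dict with proto, src, dst and optionally sport, dport, icmp_type, ack."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    for rng, port in ((ace["sports"], pkt.get("sport")), (ace["dports"], pkt.get("dport"))):
        if rng and not (port is not None and rng[0] <= port <= rng[1]):
            return False
    if ace["icmp_type"] and ace["icmp_type"] != pkt.get("icmp_type"):
        return False
    if ace["established"] and not pkt.get("ack"):  # established = ACK (or RST) bit set
        return False
    return True


def evaluate(acl_lines, pkt):
    """First match in sequence order decides; no match hits the implicit deny.
    Returns (sequence number or None, 'permit' | 'deny', log flag)."""
    for ace in sorted((parse_ace(line) for line in acl_lines), key=lambda a: a["seq"]):
        if matches(ace, pkt):
            return ace["seq"], ace["action"], ace["log"]
    return None, "deny", False


# NUMBERED_ACL from the reference above, and the same list after inserting sequence 15.
NUMBERED_ACL = [
    "10 permit tcp any host 192.168.1.50 eq www",
    "20 permit tcp any host 192.168.1.50 eq 443",
    "30 permit icmp any any echo",
    "40 deny ip any any log",
]
NUMBERED_ACL_WITH_SSH = NUMBERED_ACL + ["15 permit tcp any host 192.168.1.50 eq 22"]

if __name__ == "__main__":
    ssh = {"proto": "tcp", "src": "10.1.1.9", "dst": "192.168.1.50", "sport": 51000, "dport": 22}
    print(evaluate(NUMBERED_ACL, ssh))           # (40, 'deny', True)
    print(evaluate(NUMBERED_ACL_WITH_SSH, ssh))  # (15, 'permit', False)
```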

Reflexive ACLs (Stateful Filtering)


text
! Define reflexive ACL
Router(config)# ip access-list extended OUTBOUND_ACL
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any reflect WEB_TRAFFIC
Router(config-ext-nacl)# permit udp 192.168.1.0 0.0.0.255 any eq 53 reflect DNS_TRAFFIC
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit

Router(config)# ip access-list extended INBOUND_ACL
Router(config-ext-nacl)# evaluate WEB_TRAFFIC
Router(config-ext-nacl)# evaluate DNS_TRAFFIC
Router(config-ext-nacl)# deny ip any any log
Router(config-ext-nacl)# exit

! Apply reflexive ACLs
Router(config)# interface gi0/0
Router(config-if)# ip access-group OUTBOUND_ACL out
Router(config-if)# ip access-group INBOUND_ACL in

SSH Configuration

SSH Server Setup


text
! Prerequisites for SSH
Router(config)# hostname R1
R1(config)# ip domain-name company.com

! Generate RSA key pair
R1(config)# crypto key generate rsa
The name for the keys will be: R1.company.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus : 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

! Create local user account
R1(config)# username admin privilege 15 secret Admin123!
R1(config)# username operator privilege 1 secret Oper456!

! Configure VTY lines for SSH
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 10 0
R1(config-line)# exit

! SSH version and parameters
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2

! Optional SSH configuration
R1(config)# ip ssh port 2222 ! Change default port
R1(config)# ip ssh source-interface loopback0 ! Source interface for SSH

! Verify SSH configuration:
R1# show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group14-sha1,diffie-hellman-group14-sha256
Authentication timeout: 60 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLnVkqJu9IJf0fDsPcQ...

R1# show ssh
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes128-ctr  hmac-sha1    Session started       admin
1          2.0     OUT  aes128-ctr  hmac-sha1    Session started       admin
%No SSHv1 server connections running.

SSH Client Configuration

text
! SSH to a remote device from IOS (options precede the host)
Router# ssh -l username 192.168.1.10
Router# ssh -p 2222 -l admin 192.168.1.10 ! Custom port
Router# ssh -v 2 -l admin 192.168.1.10 ! Force SSH version 2

! The user@host form is OpenSSH (and NX-OS) syntax, not IOS:
$ ssh admin@192.168.1.10
$ ssh -p 2222 admin@192.168.1.10

! OpenSSH only: skip the host-key check. This removes the client's
! man-in-the-middle protection; use it only against a lab device being rebuilt.
$ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null admin@192.168.1.10

! Test SSH reachability from IOS: a TCP connect to port 22 that returns an
! "SSH-2.0-..." banner proves the service answers (Ctrl+Shift+6 then x to quit)
Router# telnet 192.168.1.10 22
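As an added example that is not part of the original reference: a small Python audit that reads a saved IOS running-config and flags what the hardening commands above exist to remove (Telnet still allowed on a VTY, no per-user login, disabled idle timeout, type 0/7 user passwords, SSHv1 still negotiable). The sample configuration, the rule set and the function names are this example's own, not Cisco's.

```python
"""Audit a Cisco IOS running-config for remote-access hardening.

Added example, not from the original reference. It parses the 'line vty'
blocks and the global SSH/user settings out of saved config text and
reports what the hardening commands above would fix. SAMPLE_CONFIG is a
constructed fragment: vty 0-4 is hardened, vty 5-15 is not.
"""
import re

SAMPLE_CONFIG = """\
hostname R1
ip domain-name company.com
ip ssh version 2
ip ssh authentication-retries 2
username admin privilege 15 secret 9 $9$placeholderhash
username legacy password 0 Legacy123
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 login
 password cisco
 transport input telnet ssh
"""


def vty_blocks(config):
    """Map (first, last) of each 'line vty' range to its child config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)$", line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks


def audit_ssh(config):
    """Return (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append(("high", "SSHv1 still negotiable: add 'ip ssh version 2'"))
    for m in re.finditer(r"^username (\S+) .*\bpassword\b", config, re.M):
        findings.append(("high", f"user {m.group(1)} uses 'password' (type 0/7): use 'secret'"))
    for (first, last), lines in vty_blocks(config).items():
        name = f"line vty {first} {last}"
        transport = next((ln for ln in lines if ln.startswith("transport input")), None)
        if transport not in ("transport input ssh", "transport input none"):
            findings.append(("high", f"{name}: transport is '{transport or 'not set (platform default)'}'; set 'transport input ssh'"))
        if "login local" not in lines and not any(ln.startswith("login authentication") for ln in lines):
            findings.append(("high", f"{name}: no per-user login ('login local' or an AAA method list)"))
        if "exec-timeout 0 0" in lines:
            findings.append(("medium", f"{name}: 'exec-timeout 0 0' disables the idle timeout"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ssh(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against `show running-config` output saved to a file (replace `SAMPLE_CONFIG` with the file contents); a clean result is an empty list, and every finding maps directly to one of the commands in the blocks above.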

Layer 2 Security Features

DHCP Snooping
text
! Enable DHCP snooping globally
Switch(config)# ip dhcp snooping

! Enable DHCP snooping on specific VLANs (nothing is filtered until both
! the global and the per-VLAN command are present)
Switch(config)# ip dhcp snooping vlan 10,20,30

! Configure trusted interfaces: only uplinks and ports with legitimate DHCP
! servers. Every other port is untrusted by default and drops DHCP server
! messages (OFFER/ACK/NAK), which is what stops a rogue server.
Switch(config)# interface gi0/24
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

Switch(config)# interface gi0/1
Switch(config-if)# description "Uplink to Router"
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

! Rate limiting for DHCP packets on untrusted ports (a port that exceeds the
! rate is err-disabled, which blunts DHCP starvation floods)
Switch(config)# interface range fa0/1-20
Switch(config-if-range)# ip dhcp snooping limit rate 5 ! 5 packets/second
Switch(config-if-range)# exit

! Persist the binding table across reloads; without it DAI and IP Source
! Guard drop every existing host after a reboot until its lease is renewed
Switch(config)# ip dhcp snooping database flash:dhcp-snooping.db

! DHCP Option 82 (Information Option)
Switch(config)# ip dhcp snooping information option
! Caveat: a Cisco IOS DHCP server drops option-82 packets that arrive with
! giaddr 0.0.0.0 unless it is told to trust them (ip dhcp relay information trust-all)
! Accept option 82 on untrusted ports only on an aggregation switch whose
! downstream edge switches already insert it; leave it off on access switches
! (aggregation only) Switch(config)# ip dhcp snooping information option allow-untrusted

! View DHCP snooping status:
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping is operational on following VLANs:
10,20,30
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 5254.abc1.2340 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited
GigabitEthernet0/24        yes        yes             unlimited
FastEthernet0/1            no         no              5

! View DHCP snooping binding table:
Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
12:34:56:78:9A:BC   192.168.1.100    7200        dhcp-snooping  10    FastEthernet0/5
AB:CD:EF:12:34:56   192.168.1.101    3600        dhcp-snooping  10    FastEthernet0/6

Dynamic ARP Inspection (DAI)


text
! Enable DAI on VLANs (dynamic hosts are validated against the DHCP snooping
! binding table, so DHCP snooping must already be running on these VLANs)
Switch(config)# ip arp inspection vlan 10,20,30

! Trust the same uplinks and server ports that DHCP snooping trusts; an
! untrusted switch-to-switch link drops every ARP that arrives from the far side
Switch(config)# interface gi0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit

Switch(config)# interface gi0/24
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit

! Rate limiting for ARP packets (15 pps is the default on untrusted ports;
! exceeding it err-disables the port)
Switch(config)# interface range fa0/1-20
Switch(config-if-range)# ip arp inspection limit rate 15 ! 15 ARP packets/second
Switch(config-if-range)# exit

! ARP ACL for hosts with static addresses (no DHCP binding exists for them)
Switch(config)# arp access-list STATIC_HOSTS
Switch(config-arp-nacl)# permit ip host 192.168.1.10 mac host 1234.5678.9abc
Switch(config-arp-nacl)# permit ip host 192.168.1.11 mac host 2345.6789.abcd
Switch(config-arp-nacl)# exit
! Apply the ARP ACL to the VLAN. The ACL is checked before the binding
! table; packets it does not match fall through to the bindings. Append the
! 'static' keyword to make the ACL's implicit deny final and skip that lookup.
Switch(config)# ip arp inspection filter STATIC_HOSTS vlan 10

! Additional DAI validation. Each 'ip arp inspection validate' command
! replaces the previous one, so every check you want must be on one line:
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! src-mac: Ethernet source must equal the ARP sender MAC (requests and replies)
! dst-mac: Ethernet destination must equal the ARP target MAC (replies only)
! ip: drops 0.0.0.0, 255.255.255.255 and multicast sender/target addresses

! View DAI configuration:
Switch# show ip arp inspection vlan 10
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

Vlan  Configuration  Operation  ACL Match     Static ACL
----  -------------  ---------  ---------     ----------
10    Enabled        Active     STATIC_HOSTS  No

Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
10    Deny         Deny          Off

Switch# show ip arp inspection statistics vlan 10

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
10    12         3        0           3

Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
10    9             0            0              0

Vlan  Dest MAC Failures  IP Validation Failures  Invalid Protocol Data
----  -----------------  ----------------------  ---------------------
10    0                  0                       0
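The DHCP snooping binding table and the DAI sections above describe an ordered decision: trusted ports bypass inspection, the optional 'validate' checks run first, the ARP ACL is consulted next (with 'static' turning its implicit deny into a drop), and only then is the DHCP snooping binding table used. As an added example that is not part of the original reference and not Cisco code, the following Python model walks one ARP packet through that order; the bindings, the ACL, the `ArpPacket` class and the `inspect` function are constructed for this example, reusing the addresses from the 'show' output above.

```python
"""Model of the Dynamic ARP Inspection decision for one ARP packet.

Added example, not from the original reference and not Cisco code: it
reproduces the order in which a switch checks an ARP packet arriving on an
UNTRUSTED port (trust -> validate checks -> ARP ACL ->  DHCP snooping
bindings), including the 'static' keyword on the ACL filter. The bindings,
ACL and packets are constructed; the dataclass is this example's own.
"""
from dataclasses import dataclass


def norm_mac(mac):
    """Canonical 12-hex-digit form: 1234.5678.9abc == 12:34:56:78:9A:BC."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return digits


@dataclass
class ArpPacket:
    sender_mac: str                  # ARP body fields
    sender_ip: str
    target_mac: str = "0000.0000.0000"
    target_ip: str = "192.168.1.1"
    op: str = "request"              # "request" or "reply"
    eth_src: str = ""                # Ethernet header; defaults to the ARP sender MAC
    eth_dst: str = "ffff.ffff.ffff"
    vlan: int = 10
    port_trusted: bool = False

    def __post_init__(self):
        if not self.eth_src:
            self.eth_src = self.sender_mac


# Constructed state matching the 'show' output above: DHCP-learned hosts
# as (MAC, IP, VLAN) and an ARP ACL for two statically addressed hosts.
BINDINGS = {("12:34:56:78:9A:BC", "192.168.1.100", 10),
            ("AB:CD:EF:12:34:56", "192.168.1.101", 10)}
ACLS = {"STATIC_HOSTS": [("permit", "192.168.1.10", "1234.5678.9abc"),
                         ("permit", "192.168.1.11", "2345.6789.abcd")]}
DAI_VLANS = {10, 20, 30}
VLAN_FILTERS = {10: ("STATIC_HOSTS", False)}   # (ACL name, 'static' keyword given?)


def bad_ip(ip):
    """Addresses 'validate ip' treats as invalid: unspecified, broadcast, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239


def inspect(pkt, bindings=BINDINGS, acls=ACLS, vlan_filters=VLAN_FILTERS,
            dai_vlans=DAI_VLANS, validate=frozenset()):
    """Return ('forward' | 'drop', reason) for one ARP packet."""
    if pkt.port_trusted:
        return "forward", "trusted port: not inspected"
    if pkt.vlan not in dai_vlans:
        return "forward", "DAI not enabled on this VLAN"
    # Optional 'ip arp inspection validate' checks run before any lookup
    if "src-mac" in validate and norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
        return "drop", "src-mac: Ethernet source != ARP sender MAC"
    if "dst-mac" in validate and pkt.op == "reply" and norm_mac(pkt.eth_dst) != norm_mac(pkt.target_mac):
        return "drop", "dst-mac: Ethernet destination != ARP target MAC"
    if "ip" in validate and (bad_ip(pkt.sender_ip) or (pkt.op == "reply" and bad_ip(pkt.target_ip))):
        return "drop", "ip: invalid sender/target IP in ARP body"
    key = (pkt.sender_ip, norm_mac(pkt.sender_mac))
    # The ARP ACL is consulted first and takes precedence over the binding table
    if pkt.vlan in vlan_filters:
        acl_name, static = vlan_filters[pkt.vlan]
        for action, ip, mac in acls[acl_name]:
            if (ip, norm_mac(mac)) == key:
                return ("forward" if action == "permit" else "drop"), f"ACL {acl_name}: explicit {action}"
        if static:
            return "drop", f"ACL {acl_name}: no match and 'static' makes the implicit deny final"
    if any((norm_mac(m), i, v) == (key[1], key[0], pkt.vlan) for m, i, v in bindings):
        return "forward", "DHCP snooping binding matched"
    return "drop", "no ACL match and no DHCP snooping binding (counted as a DHCP Drop)"


if __name__ == "__main__":
    print(inspect(ArpPacket("1234.5678.9abc", "192.168.1.100")))
    print(inspect(ArpPacket("dead.beef.0001", "192.168.1.100")))   # IP claimed by the wrong MAC
    print(inspect(ArpPacket("1234.5678.9abc", "192.168.1.100", eth_src="dead.beef.0001"),
                  validate={"src-mac"}))
```

The forged-header case at the end is why 'validate src-mac' matters: with a correct sender MAC/IP in the ARP body but a different MAC in the Ethernet header, the binding lookup alone forwards the packet, and only the src-mac check catches it.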

Monitoring and Troubleshooting

Show Commands

System Information Commands


text
! Show version information
Router# show version
Router# sh ver ! Abbreviated

! Output includes:
! - IOS version and feature set
! - System uptime and restart reason
! - Hardware information (router model, memory, interfaces)
! - Configuration register value
! - Boot process information

! Show active (running) configuration
Router# show running-config
Router# sh run ! Abbreviated
Router# sh run | section interface ! Show only interface sections
Router# sh run | include ip route ! Show only lines with 'ip route'
Router# sh run | begin router ospf ! Show from 'router ospf' onwards
Router# sh run | exclude interface ! Exclude lines with 'interface'

! Show saved configuration
Router# show startup-config
Router# sh start ! Abbreviated

! Show system inventory
Router# show inventory
Router# show diag ! Diagnostic information
Router# show environment ! Environmental status (temperature, power)

! Show flash memory contents
Router# show flash
Router# dir flash: ! Directory listing
Router# show file systems ! Available file systems

! Show system clock
Router# show clock
Router# show clock detail ! Include time source information

! Show system processes
Router# show processes cpu
Router# show processes memory
Router# show processes cpu sorted ! Sort by CPU usage

Interface Monitoring Commands


text
! Basic interface status
Router# show interfaces
Router# sh int ! All interfaces, detailed
Router# show ip interface brief
Router# sh ip int br ! IP address and status summary
Router# show ipv6 interface brief

! Specific interface information
Router# show interfaces gi0/0
Router# sh int gi0/0 | include error ! Filter for errors only
Router# sh int gi0/0 | include packet ! Filter for packet stats

! Interface descriptions
Router# show interfaces description
Router# sh int desc

! Interface status summary
Router# show interfaces status ! Switch command
Router# show interfaces summary ! Router command

! Interface statistics
Router# show interfaces counters
Router# show interfaces counters errors
Router# show interfaces gi0/0 stats

! Detailed interface information
Router# show interfaces gi0/0 switchport ! Switch-specific info
Router# show interfaces gi0/0 accounting ! Traffic accounting
Router# show interfaces gi0/0 capabilities ! Interface capabilities

! Interface troubleshooting
Router# show controllers gi0/0 ! Hardware controller info
Router# show interfaces gi0/0 | include duplex ! Duplex and speed share one line (e.g. Full-duplex, 1000Mb/s)

Interface Status Interpretation:

text
Interface Status Codes (status / line protocol):
up/up                      = Interface operational
up/down                    = Physical layer up, data link layer down (encapsulation,
                             keepalive or clocking mismatch; VLAN missing on a trunk)
administratively down/down = Interface shut down with 'shutdown'
down/down                  = Physical layer problem (cable, transceiver, far end down)

Common Error Types:
- Input errors: CRC, frame, overrun, ignored
- Output errors: collisions, late collisions, interface resets, carrier transitions
- Runts: frames smaller than 64 bytes (collision fragments, bad NIC or cable)
- Giants: frames larger than 1518 bytes (standard Ethernet; a peer sending jumbo or baby-giant frames)
- Late collisions, or CRC errors on a half-duplex port, usually mean a duplex mismatch
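As an added example that is not part of the original reference: a Python parser for `show interfaces` output that applies the status and error rules listed above. The `SAMPLE` text is a constructed fragment in the IOS output format (a half-duplex port with errors, a clean port and a shut port); the thresholds and the findings wording are this example's own.

```python
"""Parse 'show interfaces' output and apply the status/error rules above.

Added example, not from the original reference. SAMPLE is a constructed
fragment in the IOS output format; the 0.1% input-error threshold and the
rule wording are this example's own.
"""
import re

SAMPLE = """\
GigabitEthernet0/1 is up, line protocol is up
  Hardware is iGbE, address is 5254.0012.3456 (bia 5254.0012.3456)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Half-duplex, 100Mb/s, media type is RJ45
     152344 packets input, 98234112 bytes, 0 no buffer
     37 runts, 0 giants, 0 throttles
     412 input errors, 412 CRC, 0 frame, 0 overrun, 0 ignored
     140211 packets output, 77123900 bytes, 0 underruns
     0 output errors, 3100 collisions, 2 interface resets
     0 babbles, 88 late collision, 0 deferred
GigabitEthernet0/2 is up, line protocol is up
  Hardware is iGbE, address is 5254.0012.3457 (bia 5254.0012.3457)
  Full-duplex, 1000Mb/s, media type is RJ45
     9812233 packets input, 7712390011 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     8123001 packets output, 6123456789 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet0/3 is administratively down, line protocol is down
  Hardware is iGbE, address is 5254.0012.3458 (bia 5254.0012.3458)
  Auto-duplex, Auto-speed, media type is RJ45
     0 packets input, 0 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""

HEADER = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
DUPLEX = re.compile(r"^\s*(Full|Half|Auto)-duplex, ([^,]+)")
COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
    "interface_resets": r"(\d+) interface resets",
}


def parse_show_interfaces(text):
    """Return {interface name: {'status', 'protocol', 'duplex', 'speed', counters...}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            cur = {"status": h.group(2), "protocol": h.group(3), "duplex": None, "speed": None}
            ifaces[h.group(1)] = cur
            continue
        if cur is None:
            continue
        d = DUPLEX.match(line)
        if d:
            cur["duplex"], cur["speed"] = d.group(1).lower(), d.group(2)
        for key, pattern in COUNTERS.items():
            c = re.search(pattern, line)
            if c:
                cur[key] = int(c.group(1))
    return ifaces


def diagnose(iface):
    """Turn one parsed interface into a list of findings (empty list = healthy)."""
    def n(key):
        return iface.get(key, 0)

    if iface["status"] == "administratively down":
        return ["administratively shut down: 'no shutdown' to enable"]
    if iface["status"] == "down":
        return ["down/down: physical problem (cable, transceiver, speed mismatch, far end down)"]
    if iface["protocol"] != "up":
        return ["up/down: Layer 1 up but Layer 2 down (encapsulation, keepalive or clocking mismatch)"]
    findings = []
    if n("late_collisions") or (iface["duplex"] == "half" and n("crc")):
        findings.append("duplex mismatch likely: late collisions / CRC errors on a half-duplex port")
    elif n("crc"):
        findings.append(f"{n('crc')} CRC errors on full-duplex: bad cable, transceiver or noise")
    if n("runts"):
        findings.append(f"{n('runts')} runts (<64 B): collision fragments or a faulty NIC/cable")
    if n("giants"):
        findings.append(f"{n('giants')} giants (>1518 B): peer sends frames larger than this MTU")
    if n("packets_input") and n("input_errors") / n("packets_input") > 0.001:
        findings.append(f"input error rate {n('input_errors') / n('packets_input'):.2%} exceeds 0.1%")
    return findings


if __name__ == "__main__":
    for name, data in parse_show_interfaces(SAMPLE).items():
        print(name, data["status"] + "/" + data["protocol"], diagnose(data) or "ok")
```

Because counters accumulate since the last `clear counters`, run that first and sample twice when you want a current error rate rather than a lifetime one.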

Routing Information Commands


text
! Routing table
Router# show ip route
Router# sh ip ro ! All routes
Router# show ip route summary ! Route count summary
Router# show ip route connected ! Only connected routes
Router# show ip route static ! Only static routes
Router# show ip route ospf ! Only OSPF routes
Router# show ip route eigrp ! Only EIGRP routes

! Specific route lookup
Router# show ip route 192.168.1.1 ! Longest match for one destination
Router# show ip route 10.0.0.0 255.0.0.0 longer-prefixes ! All routes within 10.0.0.0/8 (prefix and mask are required)

! IPv6 routing
Router# show ipv6 route
Router# show ipv6 route summary
Router# show ipv6 route static

! Routing protocols
Router# show ip protocols
Router# sh ip prot ! Routing protocol config summary

! CEF (Cisco Express Forwarding)
Router# show ip cef
Router# show ip cef 192.168.1.1 detail
Router# show ip cef summary

OSPF Monitoring Commands


text
! OSPF neighbors
Router# show ip ospf neighbor
Router# sh ip ospf nei ! Neighbor relationships
Router# show ip ospf neighbor detail
Router# show ip ospf neighbor gigabitethernet0/0

! OSPF database
Router# show ip ospf database
Router# sh ip ospf data ! Link state database
Router# show ip ospf database router ! Router LSAs only
Router# show ip ospf database network ! Network LSAs only
Router# show ip ospf database external ! External LSAs only
Router# show ip ospf database summary ! Summary LSAs only

! OSPF interfaces
Router# show ip ospf interface
Router# sh ip ospf int ! OSPF interface details
Router# show ip ospf interface brief
Router# show ip ospf interface gi0/0

! OSPF process information
Router# show ip ospf
Router# show ip ospf border-routers ! ABR and ASBR info
Router# show ip ospf virtual-links ! Virtual link status

! OSPF statistics
Router# show ip ospf statistics
Router# show ip ospf flood-list ! LSAs awaiting flooding
Router# show ip ospf request-list ! LSAs requested but not yet received

EIGRP Monitoring Commands


text
! EIGRP neighbors
Router# show ip eigrp neighbors
Router# sh ip eigrp nei ! Neighbor table
Router# show ip eigrp neighbors detail
Router# show ip eigrp neighbors gi0/0

! EIGRP topology
Router# show ip eigrp topology
Router# sh ip eigrp top ! Topology table
Router# show ip eigrp topology all-links ! All routes, not just successors
Router# show ip eigrp topology 192.168.1.0 ! Specific network

! EIGRP interfaces
Router# show ip eigrp interfaces
Router# sh ip eigrp int ! EIGRP interface information
Router# show ip eigrp interfaces detail
Router# show ip eigrp interfaces gi0/0

! EIGRP traffic statistics
Router# show ip eigrp traffic
Router# show ip eigrp events ! EIGRP event log

Switching Monitoring Commands


text
! VLAN information
Switch# show vlan
Switch# sh vlan br ! VLAN brief summary
Switch# show vlan id 10 ! Specific VLAN
Switch# show vlan name Sales ! VLAN by name

! MAC address table
Switch# show mac address-table
Switch# sh mac addr ! MAC address table
Switch# show mac address-table vlan 10
Switch# show mac address-table interface gi0/1
Switch# show mac address-table dynamic
Switch# show mac address-table static
Switch# show mac address-table aging-time

! Spanning tree
Switch# show spanning-tree
Switch# sh span ! STP information
Switch# show spanning-tree vlan 10
Switch# show spanning-tree interface gi0/1
Switch# show spanning-tree summary
Switch# show spanning-tree root
Switch# show spanning-tree bridge

! Port security
Switch# show port-security
Switch# sh port-sec ! Port security status
Switch# show port-security interface fa0/1
Switch# show port-security address

! Trunk information
Switch# show interfaces trunk
Switch# show interfaces gi0/1 switchport

Debug Commands

WARNING: Debug commands are CPU-intensive and must be used with care on production devices: scope them to one flow with an ACL or to one interface, send the output to the log buffer rather than the console, and turn them off before you disconnect.

General Debug Commands


text
! Debug output goes to the console by default; an SSH/Telnet session has
! to ask for it
Router# terminal monitor
Router# terminal no monitor ! Stop receiving it on this session

! Avoid flooding the console: buffer debug output and read it with 'show logging'
Router(config)# logging buffered 64000 debugging
Router(config)# no logging console

! Show available debug options
Router# debug ?

! Narrow a debug with an ACL so it matches only the flow under investigation
! (on CEF-switched platforms 'debug ip packet' shows process-switched packets only)
Router(config)# access-list 100 permit ip host 10.1.1.10 host 10.2.2.20
Router# debug ip packet 100

! Turn on all debugging (DANGEROUS - can lock up the device)
Router# debug all

! Turn off all debugging
Router# undebug all
Router# no debug all
Router# u all ! Abbreviated

! Show active debug settings
Router# show debugging

Interface Debug Commands


text
! Debug interface events
Router# debug interface
Router# debug interface gi0/0

! Debug Ethernet interface
Router# debug ethernet-interface
Router# debug arp ! ARP process debugging

! Debug serial interface
Router# debug serial interface
Router# debug ppp negotiation ! PPP negotiation
Router# debug frame-relay lmi ! Frame Relay LMI

! Debug wireless interface
Router# debug dot11 interface

Routing Protocol Debug Commands


text
! OSPF debugging
Router# debug ip ospf adj ! OSPF adjacency
Router# debug ip ospf hello ! OSPF hello packets
Router# debug ip ospf lsa-generation ! LSA generation
Router# debug ip ospf spf ! SPF calculation
Router# debug ip ospf events ! OSPF events
Router# debug ip ospf packet ! OSPF packets

! EIGRP debugging (the packet and FSM debugs take no 'ip' keyword)
Router# debug ip eigrp ! General EIGRP route events
Router# debug ip eigrp notifications ! Neighbor up/down notifications
Router# debug ip eigrp neighbor 100 10.1.1.2 ! Routes exchanged with one neighbor (AS 100)
Router# debug eigrp packets ! EIGRP packet details
Router# debug eigrp fsm ! EIGRP DUAL finite state machine

! RIP debugging
Router# debug ip rip
Router# debug ip rip database
Router# debug ip rip events

! BGP debugging
Router# debug ip bgp
Router# debug ip bgp updates
Router# debug ip bgp events
Router# debug ip bgp keepalives

Layer 2 Protocol Debug Commands


text
! Spanning Tree Protocol
Switch# debug spanning-tree events
Switch# debug spanning-tree bpdu
Switch# debug spanning-tree root
Switch# debug spanning-tree uplinkfast

! VLAN debugging
Switch# debug vlan events
Switch# debug vlan packets

! VTP debugging
Switch# debug vtp events
Switch# debug vtp packets

! EtherChannel debugging
Switch# debug etherchannel events
Switch# debug lacp events
Switch# debug pagp events

! CDP debugging
Router# debug cdp adj ! CDP adjacency
Router# debug cdp events ! CDP events
Router# debug cdp ip ! CDP IP information
Router# debug cdp packets ! CDP packet details

Service Debug Commands


text
! DHCP debugging
Router# debug ip dhcp server events
Router# debug ip dhcp server packet
Router# debug ip dhcp server linkage

! NAT debugging
Router# debug ip nat
Router# debug ip nat detailed

! PPP debugging
Router# debug ppp authentication
Router# debug ppp negotiation
Router# debug ppp error

! DNS debugging
Router# debug ip dns
Router# debug domain

! NTP debugging
Router# debug ntp events
Router# debug ntp packets
Router# debug ntp adjust

Network Testing Commands

Ping Commands
text
! Basic ping
Router# ping 8.8.8.8
Router# ping google.com

! Extended ping (prompted; IOS defaults shown in brackets)
Router# ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]: 5
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 64
Sweep max size [18024]: 1500
Sweep interval [1]: 100

! IPv6 ping
Router# ping ipv6 2001:4860:4860::8888
Router# ping 2001:4860:4860::8888 ! Simplified

! Ping with specific options
Router# ping 8.8.8.8 repeat 1000 ! 1000 pings
Router# ping 8.8.8.8 size 1500 df-bit ! Path MTU test: 'M' in the output means a hop could not fragment
Router# ping 8.8.8.8 source 10.1.1.1 ! Specify source IP (also tests the return path to that address)

! Long-running ping (Ctrl+Shift+6 to stop; 'repeat 0' is not accepted)
Router# ping 8.8.8.8 repeat 100000

Ping Response Codes:

text
! = Success (reply received)
. = Timeout
U = Destination unreachable
Q = Source quench (congestion)
M = Could not fragment
? = Unknown packet type
& = Packet lifetime exceeded

Traceroute Commands
text
! Basic traceroute (IOS sends UDP probes to high ports; hops that block them
! or rate-limit ICMP time-exceeded messages show as '*')
Router# traceroute 8.8.8.8
Router# trace 8.8.8.8 ! Abbreviated

! IPv6 traceroute
Router# traceroute ipv6 2001:4860:4860::8888
Router# traceroute 2001:4860:4860::8888

! Extended traceroute (prompted; IOS defaults shown in brackets)
Router# traceroute
Protocol [ip]:
Target IP address: 8.8.8.8
Source address: 10.1.1.1
Numeric display [n]:
Timeout in seconds [3]: 10
Probe count [3]: 5
Minimum Time to Live [1]:
Maximum Time to Live [30]: 64
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:

! Traceroute with options
Router# traceroute 8.8.8.8 source 10.1.1.1
Router# traceroute 8.8.8.8 timeout 10
Router# traceroute 8.8.8.8 probe 5 ! 5 probes per hop
Router# traceroute 8.8.8.8 numeric ! Skip reverse DNS lookups

Telnet and SSH Testing


text
! Test TCP port connectivity ('Open' means the three-way handshake completed;
! it says nothing about whether the service will authenticate you)
Router# telnet 192.168.1.10 80 ! Test HTTP port
Router# telnet 192.168.1.10 443 ! Test HTTPS port
Router# telnet 192.168.1.10 22 ! Test SSH port (the server prints its SSH-2.0 banner)
Router# telnet 192.168.1.10 25 ! Test SMTP port
Router# telnet 192.168.1.10 1024 ! Custom application port

! SSH connectivity test from IOS
Router# ssh -l username 192.168.1.10

Clear Commands

Interface Clear Commands


text
! Clear interface counters (do this before measuring an error rate)
Router# clear counters ! All interfaces
Router# clear counters gi0/0 ! Specific interface

! Reset interface hardware
Router# clear interface gi0/0

! Clear ARP table
Router# clear arp-cache ! Clear the whole ARP cache
Router# clear ip arp 192.168.1.10 ! Clear one entry

Routing Clear Commands


text
! Clear routing table (dynamic routes are re-learned)
Router# clear ip route *
Router# clear ip route 192.168.1.0 ! Clear specific route

! Clear OSPF (resets every adjacency on the router; schedule it)
Router# clear ip ospf process
Router# clear ip ospf counters ! Reset OSPF counters only

! Clear EIGRP neighbors
Router# clear ip eigrp neighbors
Router# clear ip eigrp neighbors gi0/0

! Clear BGP sessions ('clear ip bgp *' is a hard reset that tears down every
! session; prefer a soft reset, which only re-sends and re-processes updates)
Router# clear ip bgp * ! All BGP neighbors (hard reset)
Router# clear ip bgp 10.1.1.1 ! Specific neighbor (hard reset)
Router# clear ip bgp 10.1.1.1 soft ! Soft reset in both directions

! Clear IPv6 routing
Router# clear ipv6 route *
Router# clear ipv6 neighbors

NAT and Service Clear Commands


text
! Clear NAT translations (dynamic entries only; static translations stay)
Router# clear ip nat translation * ! All translations
Router# clear ip nat translation inside 203.0.113.5 192.168.1.10 ! One entry: inside-global then inside-local
! (outside entries: clear ip nat translation outside outside-local outside-global)
Router# clear ip nat translation forced ! Also remove entries that are still in use

! Clear DHCP bindings
Router# clear ip dhcp binding *
Router# clear ip dhcp binding 192.168.1.100

! Clear CDP table
Router# clear cdp table

! Clear MAC address table
Switch# clear mac address-table dynamic
Switch# clear mac address-table dynamic vlan 10
Switch# clear mac address-table dynamic interface gi0/1

! Clear port security (learned and sticky addresses; learning restarts at once)
Switch# clear port-security all
Switch# clear port-security sticky interface fa0/1

! Clear spanning tree counters
Switch# clear spanning-tree counters
Switch# clear spanning-tree detected-protocols ! Re-run the PVST/RSTP protocol migration

! Clear logging buffer
Router# clear logging
Router# clear log ! Abbreviated

Advanced Troubleshooting Commands

Memory and CPU Monitoring


text
! CPU utilization
Router# show processes cpu
Router# show processes cpu sorted
Router# show processes cpu history

! Memory utilization
Router# show processes memory
Router# show processes memory sorted
Router# show memory summary
Router# show memory detailed

! Buffer utilization
Router# show buffers
Router# show buffers usage

Hardware Diagnostics
text
! Hardware information
Router# show inventory
Router# show diag
Router# show hardware

! Environmental monitoring
Router# show environment
Router# show environment temperature
Router# show environment power
Router# show environment fans

! Interface hardware details
Router# show controllers gi0/0
Router# show controllers serial0/0

File Management Commands

Configuration Management
text
! Save running configuration to startup
Router# copy running-config startup-config
Router# copy run start ! Abbreviated
Router# write memory ! Alternative command
Router# wr ! Shortest form

! Copy configuration to/from a TFTP server. TFTP is cleartext and
! unauthenticated: anyone on the path can read the config (type 7 passwords,
! SNMP communities, pre-shared keys) or feed the router a modified one.
Router# copy running-config tftp:
Address or name of remote host []? 192.168.1.100
Destination filename [router-config]? R1-backup-config

Router# copy tftp: running-config
Address or name of remote host []? 192.168.1.100
Source filename []? R1-backup-config

! Same backup over SCP (encrypted and authenticated; prompts for the password)
Router# copy running-config scp://backup@192.168.1.100/R1-backup-config

! Copy configuration to/from USB
Router# copy running-config usbflash0:R1-config-backup
Router# copy usbflash0:R1-config-backup running-config

! Merge versus replace
Router# copy tftp: running-config ! Merges with the existing config (no lines are removed)
Router# configure replace tftp://192.168.1.100/R1-config ! Replaces the entire running config

! Compare configurations (first file is the reference, second is compared to it)
Router# show archive config differences nvram:startup-config system:running-config
Router# show archive config differences usbflash0:R1-config-backup system:running-config
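Comparing a saved backup with the running configuration is also how unauthorized changes get noticed. As an added example that is not part of the original reference and not Cisco's `show archive config differences` implementation, the following Python script normalizes two saved IOS configs (drops comment and timestamp lines, keeps each indented line attached to its parent block so a changed `transport input` is reported with its `line vty`), diffs them, and flags the lines that touch accounts, access paths, logging or crypto. `ARCHIVED` and `RUNNING` are constructed fragments; the `SENSITIVE` prefix list is this example's own.

```python
"""Detect configuration drift between an archived and the running config.

Added example, not from the original reference and not Cisco code. The two
config fragments are constructed; the sensitive-prefix list is my own.
"""
import difflib
import re

ARCHIVED = """\
! Last configuration change at 10:02:11 UTC Mon Jan 6 2025
hostname R1
logging host 10.0.0.5
username admin privilege 15 secret 9 $9$placeholderhash
interface GigabitEthernet0/1
 description Uplink
 ip address 10.1.1.1 255.255.255.0
line vty 0 4
 login local
 transport input ssh
"""

RUNNING = """\
! Last configuration change at 23:41:07 UTC Tue Jan 7 2025
hostname R1
username admin privilege 15 secret 9 $9$placeholderhash
username svc-backup privilege 15 secret 9 $9$placeholderhash2
interface GigabitEthernet0/1
 description Uplink to core
 ip address 10.1.1.1 255.255.255.0
line vty 0 4
 login local
 transport input telnet ssh
"""

NOISE = re.compile(r"^(!|Building configuration|Current configuration|ntp clock-period)")
SENSITIVE = ("username", "enable secret", "aaa ", "line vty", "line con", "ip ssh",
             "access-list", "ip access-list", "snmp-server", "logging", "crypto", "ip http")


def normalize(config):
    """Comparable lines: noise removed, indented lines rendered as 'parent > child'."""
    lines, parent = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or NOISE.match(line.strip()):
            continue
        if line.startswith(" "):
            lines.append(f"{parent} > {line.strip()}")
        else:
            parent = line
            lines.append(line)
    return lines


def config_diff(archived, running):
    """Return (added, removed): lines only in the running config, only in the archive."""
    added, removed = [], []
    for line in difflib.unified_diff(normalize(archived), normalize(running), n=0, lineterm=""):
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def security_relevant(added, removed):
    """Subset of the diff that touches accounts, access paths, logging or crypto."""
    return [ln for ln in added + removed if ln.startswith(SENSITIVE)]


if __name__ == "__main__":
    added, removed = config_diff(ARCHIVED, RUNNING)
    for ln in added:
        print("+", ln)
    for ln in removed:
        print("-", ln)
    print("review first:", security_relevant(added, removed))
```

In the constructed pair above the description change is benign, while the new privilege-15 user, the removed syslog destination and Telnet re-enabled on the VTY lines are exactly the three things the script surfaces for review.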

IOS Image Management


text
! Show flash contents
Router# show flash
Router# dir flash:
Router# show file systems

! Copy IOS image from TFTP
Router# copy tftp: flash:
Address or name of remote host []? 192.168.1.100
Source filename []? c2900-universalk9-mz.SPA.157-3.M4a.bin
Destination filename [c2900-universalk9-mz.SPA.157-3.M4a.bin]?

! Verify the IOS image. Plain 'verify' checks the embedded checksum and
! signature; the /md5 and /sha512 forms compare against the digest published
! on the Cisco download page, which is what catches a tampered or truncated
! image before you boot it.
Router# verify flash:c2900-universalk9-mz.SPA.157-3.M4a.bin
Router# verify /md5 flash:c2900-universalk9-mz.SPA.157-3.M4a.bin <published-md5>
Router# verify /sha512 flash:c2900-universalk9-mz.SPA.157-3.M4a.bin <published-sha512>

! Boot system commands (a boot statement must point at a file that exists in flash)
Router(config)# boot system flash:c2900-universalk9-mz.SPA.157-3.M4a.bin
Router(config)# boot system tftp://192.168.1.100/ios-image.bin ! Fallback only: TFTP is unauthenticated
Router(config)# boot system rommon ! Boot to ROM monitor

! Delete files from flash
Router# delete flash:old-ios-image.bin
Delete filename [old-ios-image.bin]?
Delete flash:old-ios-image.bin? [confirm]y

! Format flash (CAUTION: Erases all files!)
Router# format flash:

! Squeeze flash (recover deleted space on linear flash file systems)
Router# squeeze flash:
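As an added example that is not part of the original reference: the same two checks a careful upgrade does on the box, written in Python so they can run on the staging host before the image is ever copied to flash. It hashes the image in chunks (images are tens of megabytes), compares against the vendor-published digest in constant time, and confirms that the `boot system` statement names a file that is actually in the flash listing. The listing, the config fragment and the image bytes are constructed for the example; the function names are this example's own.

```python
"""Check a staged IOS image the way 'verify /md5' and 'verify /sha512' do.

Added example, not from the original reference. FLASH_LISTING and
CONFIG_FRAGMENT are constructed; demo_results() hashes constructed bytes in
place of a real image, so its expected digests are computed locally.
"""
import hashlib
import hmac
import os
import re
import tempfile

FLASH_LISTING = """\
Directory of flash0:/

    1  -rw-    97794248   Jan 6 2025 10:02:11 +00:00  c2900-universalk9-mz.SPA.157-3.M4a.bin
    2  -rw-        3017   Jan 6 2025 10:03:00 +00:00  R1-config-backup

255537152 bytes total (157739008 bytes free)
"""

CONFIG_FRAGMENT = """\
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.157-3.M4a.bin
boot-end-marker
"""


def file_digest(path, algorithm="sha512", chunk_size=1 << 20):
    """Hex digest of a file, read in 1 MiB chunks so large images fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(path, expected, algorithm="sha512"):
    """True only when the file's digest equals the published one (constant-time compare)."""
    return hmac.compare_digest(file_digest(path, algorithm), expected.strip().lower())


def flash_files(listing):
    """File names from a 'dir flash:' listing."""
    return {line.split()[-1] for line in listing.splitlines() if " -rw- " in line}


def boot_images(config):
    """Images named by 'boot system flash:' statements, in the order IOS tries them."""
    return re.findall(r"^boot system flash:?\s*(\S+)", config, re.M)


def check_boot_image(config, listing):
    """(image, present_in_flash) for the first boot statement, or (None, False)."""
    images = boot_images(config)
    if not images:
        return None, False
    return images[0], images[0] in flash_files(listing)


def demo_results(size=1000):
    """Self-check with constructed image bytes: returns the verification outcomes."""
    data = b"constructed image bytes\n" * size
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        return {
            "sha512_ok": verify_image(tmp.name, hashlib.sha512(data).hexdigest().upper()),
            "md5_ok": verify_image(tmp.name, hashlib.md5(data).hexdigest(), "md5"),
            "tampered_ok": verify_image(tmp.name, "0" * 128),
            "boot": check_boot_image(CONFIG_FRAGMENT, FLASH_LISTING),
        }
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(demo_results())
```

For a real upgrade, call `verify_image()` on the downloaded file with the SHA-512 from the download page, and only then copy it to flash and run `verify /sha512` again on the device; the two checks together cover both the download and the transfer.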

Archive and Rollback Features


text
! Enable configuration archive
Router(config)# archive
Router(config-archive)# path flash:$h-config ! $h = hostname; local flash, no network exposure
Router(config-archive)# write-memory ! Archive every time the config is saved
Router(config-archive)# time-period 1440 ! Also archive every 24 hours (value is in minutes)
Router(config-archive)# exit
! A TFTP path (path tftp://192.168.1.100/configs/$h-) ships every archive in
! cleartext; use flash: or scp:// in production

! Manual configuration archive
Router# archive config

! Show archived configurations
Router# show archive

! Configure rollback
Router(config)# archive
Router(config-archive)# maximum 10 ! Keep 10 backups
Router(config-archive)# rollback retry-timeout 120
Router(config-archive)# rollback filter adaptive

! Perform configuration rollback, with an automatic revert unless confirmed
Router# configure replace tftp://192.168.1.100/configs/router-config.1 time 120
Router# configure confirm ! Confirm within 120 seconds or the old config comes back

! Auto-rollback if the session is lost (the safety net when editing ACLs or
! VTY settings over the same SSH session you would lock yourself out of)
Router# configure terminal revert timer 10 ! 10 minute timer
Router(config)# ! Make configuration changes
Router(config)# end
Router# configure confirm ! Confirm to keep the changes

This command reference provides syntax, explanations, and practical examples for the major CCNA 200-301 topics. Each command is shown with its variations, use cases, and the caveats that matter in practice, so that the reader understands when and why to use each approach. The guide is organized by topic and includes troubleshooting commands and advanced features to support real-world network operations.
