Cisco Commands Cheat Sheet – Learn the Most Important IOS CLI Commands

cisco commands cheat sheet tutorial and guide

Marc Wilson

The Cisco IOS CLI is the main user interface for configuring, maintaining, and troubleshooting most Cisco devices. From this user interface, you can directly execute all Cisco IOS commands, and it doesn’t matter how you reach the Cisco IOS platform; you can enter any CLI command from a remote, console, or terminal interface.

In this Cisco Commands cheat sheet article, we’ll go through the most crucial set of Cisco IOS commands that you'll need as an admin daily. You can use this concise set of commands for a quick reference as needed!

Quick Links

  1. The Cisco IOS Command Hierarchy
  2. Fundamentals
  3. Network Access
  4. IP connectivity
  5. IP Services
  6. Security
  7. Troubleshooting Commands

1.  Cisco IOS Command Hierarchy

The commands in Cisco IOS are hierarchical structured. Knowing the difference between the different modes (and how to move across) will help you configure, monitor, or troubleshoot a router easier.

There are currently eight modes in Cisco IOS commands.

Router>UUser EXEC mode, is the first level of access.
Router#PPrivileged EXEC mode. The second level of access, accessible with the “enable” command.
Router(config)#GConfiguration mode. Accessible only via the privileged EXEC mode.
Router(config-if)#IInterface mode. Level accessible via configuration mode.
Router(config-router)#RRouting mode. Level within configuration mode.
Router(config-line)#LLine level (vty, tty, async). Accessed via the configuration mode
Router(config-vlan)#VConfig-vlan, accessible via the global configuration mode.
Switch(vlan)#VDVlan database, accessible from the privileged EXEC mode.


Commands To Move Between These Six Modes:

enableUMoves from User to Privileged mode.
logoutUExit User mode.
configure <terminal>PMoves from Privileged to Configure mode.
disablePExit user mode.
Interface <interface description>GEnter interface configuration mode.
vlan vlan-idGMoves to configure vlan mode.
Vlan databasePEnter vlan database from Privilege mode.
lineGEnter line from Global configuration mode.


G, R, L, Vreturn to previous mode.


2.  Fundamentals — Basic Configuration

The following are the fundamental Cisco IOS commands. These commands give you the necessary base to move to more advanced and specific commands.

show versionU,PDisplay information about IOS and router.
show interfacesU,PDisplay physical attributes of the router’s interfaces.
show ip routeU,PDisplay the current state of the routing table.
show access-listsPDisplay current configured ACLs and their contents.
show ip interface briefPDisplays a summary of the status for each interface.
show running-configPDisplay the current configuration.
show startup-configPDisplay the configuration at startup.
enableUAcces Privilege mode
config terminalPAccess Configuration mode.
interface <int>GEnter interface configuration.
ip address <ip address> <mask>IAssign an IP address to the specified interface.

no shutdown

ITurn off or turn on an interface. Use both to reset.
description <name-string>ISet a description to the interface.
show ip interface <type number>U,PDisplays the usability status of the protocols for the interfaces.
show running-config interface interface <slot/number>PDisplays the running configuration for a specific interface.
hostname <name>GSet a hostname for the Cisco device.
enable secret <password>GSet an “enable” secret password.
copy running-config startup-configPSaves the current (running) configuration in the startup configuration into the NVRAM. The command saves the configuration so when the device reloads, it loads the latest configuration file.
copy startup-config running-configPIt saves (overwrites) the startup configuration into the running configuration.
copy from-location to-locationPIt copies a file (or set of files) from a location to another location.
erase nvramGDelete the current startup configuration files. The command returns the device to its factory default.
reloadGReboot the device. The NVRAM will take the latest configuration.
erase startup-config


GErase the NVRAM filesystem. The command achieves the similar outcome as “erase nvram”


3. Network Access

This section covers all popular Cisco’s network access protocols. From how to configure and verify VLANs, trunks, to Layer 2 discovery protocols like CDP and LLDP. We’ll also cover simple Etherchannel, Rapid PVST+ Spanning Tree Protocol configuration.

cdp run

no cdp run

PThe “cdp run” command enables Cisco Discovery Protocol. The “no cdp run” disables it.
show cdpPDisplay global information for CDP.
show cdp neighborsPDisplay all CDP neighbors.
lldp run

no lldp run

PThe “lldp run” command enables the LLDP Protocol. The “no lldp run” disables it.
show lldpPDisplays global information for LLDP
show lldp neighborsPShow all LLDP neighbors.
show mac address-tablePDisplay all the MAC address entries in a table.
spanning-tree mode rapid-pvstGA global configuration command that configures the device for Rapid Per VLAN Spanning Tree protocol.
spanning-tree vlan <1-4094> priority <0-61440>GManually set the bridge priority per vlan.
spanning-tree vlan <1-4094> root primaryGMake the switch the root of the SP.
no spanning-tree vlan <1-4094>GDisable SP on the specific VLAN.
show spanning-tree summaryPShow a summary of all SP instances and ports.
show spanning-tree detailPShow detailed information of each port in the spanning-tree process.
show vlanPLists each VLAN and all interfaces assigned to that VLAN. The output does not include trunks.
show vlan briefPDisplays vlan information in brief
show interfaces switchportPDisplay configuration settings about all the switch port interfaces.
show interfaces trunkPDisplay information about the operational trunks along with their VLANs.
vlan <1-4094>GEnter VLAN configuration mode and create a VLAN with an associated number ID.
name <name>VWithin the VLAN configuration mode, assign a name to the VLAN
switchport mode accessIIn the interface configuration mode, the command assigns the interface link type as an access link.
switchport access vlan <>IAssign this interface to specific VLAN.
interface range < >


I – rangeAccess interface range configuration mode from Interface Configuration.
channel-group <number>I – rangeAssign the Etherchannel. Set the interface range to a channel group.
no switchport access vlan <>IRemove VLAN assignment from interface. It returns to default VLAN 1
show vtp statusPDisplay all vtp status
vtp mode <server | client | transparent>GIn the global configuration mode, set the device as server, client, or transparent vtp mode.
switchport mode trunkIAn interface configuration mode. Set the interface  link type as a trunk link.
switchport trunk native vlan <>


ISet native VLAN to a specific number.
switchport trunk allowed vlan <>IAllow specific VLANs on this trunk.
switchport trunk encapsulation dot1qISets the 802.1Q encapsulation on the trunk link.



4. IP Connectivity

This section includes some of the most simple yet useful ip connectivity IOS commands. From displaying a routing table, creating static, to default route. We also include dynamic routes with OSPF.

Show ip routePShow the routing table.
Show ip route ospfPShow routes created by the OSPF protocol.
ip default-gateway <ip_address>GSet the default gateway for the router.
ip route <network> <mask> <next hop>GCreate a new static route
no ip route <network> <mask> <next hop>GRemove a specific static route.
ip route <nex thop>GConfigure a default route
router ospf <process ID>GEnable OSPF with an ID. The command will open the router configuration mode.
show ip ospf interfacePDisplay all the active OSPF interfaces



5. IP Services

This section shows the common commands for configuring NAT, DHCP, and DNS services. It also includes simple and useful SNMP and Syslog commands for monitoring and logging.

ip nat <inside | outside>ISpecific whether the interface is the inside or outside of NAT.
ip nat inside source <ACL No.> <pool | static IP> <overload>GConfigure dynamic NAT. It instructs the router to translate all addresses identified by the ACL on the pool. To configure Port Address Translation (PAT) use the “overload” at the end.
ip nat inside source static <local IP> <global IP>GCreate a static NAT from inside (local IP) to outside (global IP)
ip nat outside source static <ACL No.> <pool | static IP>GCreate a static NAT from outside (ACL) to inside (IP pool)
ntp peer <ip-address>GConfigure the time by synchronizing it from an NTP server.
ip dhcp excluded-address <first-ip-address> <last-ip-address>GThe IP addresses that the DHCP server should not assign to the DHCP client.
ip dhcp pool <name>GEnters the DHCP pool configuration mode and creates a new DHCP pool.
network <network ID> <mask>G – DHCPInside the DHCP configuration mode. Define the address pool for the DHCP server.
default-router <IP address>G – DHCPSet the default gateway IP address for the DHCP clients.
dns-server <IP address>G – DHCPSet the DNS server IP address for the DHCP clients.
ip helper-address <ip address>ITurns an interface into a DHCP bridge. The interface redirects DHCP broadcast packets to a specific IP.
show ip dhcp poolPDisplay information about the DHCP pool
show ip dhcp bindingPDisplay information about all the current DHCP bindings.
ip dns serverGEnable DNS service.
ip domain-lookupGEnable domain lookup service. DNS client
ip name-server <IP address | domain name>GSet a public DNS server.
snmp-server community <community-string> roGEnable SNMP Read-Only public community strings.
snmp-server community <community-string> rwGEnable SNMP Read-Only private community strings.
snmp-server host <ip-address> version <community-string>GSpecific the hosts to receive the SNMP traps
logging <ip address>GDetermines the Syslog server to send log messages.
logging trap levelGLimit Syslog messages based on severity level
show loggingPShows the state logging (syslog). Shows the errors, events, and host addresses. It also shows SNMP configuration and activity.
terminal monitorPEnables debug and system’s error messages for the current terminal.
sh ip sshPVerify SSH access into the device.


6. Security

In this section, we include the most basic AAA configuration commands for Cisco IOS. We’ll also include basic standard and extended ACLs and port security configuration commands.

enable secret <password>GSet an “enable” secret password. Enable secret passwords are hashed via the MD5 algorithm.
line vty 0 4GA global configuration command to access the virtual terminal configuration. VTY is a virtual port used to access the device via SSH and Telnet. 0 4 to allow five simultaneous virtual connections
line console 0


GA global configuration command to access the console configuration.
password <password>LOnce in line mode, set a password for those remote sessions with the “password” command.
Login localThe authentication uses only locally configured credentials.
username <username> privilege <level> secret <password>GRequire a username with a specific password. Also configure different levels of privilege.
service password-encryptionGMakes the device encrypt all passwords saved on the configuration file.
crypto key generate rsaGGenerate a set of RSA key pairs for your device. These keys may be used for remote access via SSH.
access-listGDefined a numbered ACL
ip access-listGDefined an IPv4 ACL.
access-list access-list-number <deny | permit}> source <source> [log]GCreate a standard ACL.
access-list access-list-number <deny | permit}> protocol <> source <source [ports]>destination <destination [ports]> [Options]


GCreate an extended ACL.
ip access-class <access-list-name> <in | out>


no ip access-group <access-list-name> <in | out>

LA line configuration command mode. It restricts incoming and outgoing connections to a particular vty line. Use “no” to remove the restriction.
show ip access-listPShow all IPv4 ACLs
switchport mode accessIFrom the interface configuration mode, this command assigns the interface link type as an access link.


switchport port-securityIenable dynamic port security on the specific interface.
switchport port-security maximum <max value>ISpecify the maximum number of secure MAC addresses on the specific interface.
switchport port-security mac-address <mac-address | sticky [mac-address]>IForce a specific mac-address to the interface. Also use the “sticky” option to make the interface remember the first mac-address connected to the interface.
switchport port-security violation <shutdown | restrict | protect>


IDefine the action to be taken when a violation is detected on the port.
show port securityPDisplay the port security configuration on each interface.


7. Troubleshooting Commands

In the final section of this cheat sheet we’ll include basic troubleshooting commands. We already included some of these commands on previous sections, but they are also very useful when it comes to troubleshooting.

ping <target IP | hostname> <repeat Count [5]> <source [IP | interface]PDiagnose connectivity with extended ping. Check reachability, RRTs, and packet loss.
traceroute <target IP | hostname><source [IP | interface]PUse traceroute to diagnose connectivity on a hop by hop basis.
telnetPUse Telnet to check for listening ports (1 to 65535) on a remote device.
show interfacePUse this command to discover the physical attributes; find duplex, link types, and speed mismatches. Both ends must match. Also use this command to find errors.
speed <10 | 100 | 1000 | auto>ISet the speed of an interface. Or configure it as auto.
duplex <auto | full | half>ISet the interface duplex.
show interface | include fastethernet | input errorsPThis command searches across all interfaces and outputs the ones that include input errors.
show ip interfacePUse this command to discover the status for all the protocols on that interface.

no shutdown

IInterface configuration mode. Restart an interface
show ip routePThis command is useful for determining the route of ip packets.
show cdp neighborsPDiscover basic information about neighboring Cisco’s routers and switches
show mac address-tablePDisplay the contents of the mac-address table.
Show vlan

Show vlan brief

PFind vlan status and interfaces assigned to the vlans.
show vtp statusPUse this command to discover the current VTP mode of the device.
show interfaces trunkPCheck the allowed VLANs on both ends of the trunk.
show ip flow top-talkersPIf Netflow is enabled, this command is very useful to troubleshoot top talkers.


We hope this Cisco Commands Cheat sheet was Helpful and will come in handy in the future! Feel free to bookmark or add this to your website for reference as needed!