Cisco IOS Advanced Command Cheat Sheet

Routers · Switches · Multilayer Switches (MLS) — Focused on IOS / IOS-XE.
1. Modes & Navigation [Core]
user / privileged / config modes
Basic navigation between EXEC, privileged, and configuration modes.
enable
Mode: user EXEC (>)
Enter privileged EXEC mode.
R1> enable
R1#
disable
Mode: privileged EXEC (#)
Return from privileged EXEC mode to user EXEC.
configure terminal
Mode: privileged EXEC (#)
Enter global configuration mode.
end
Mode: any config mode
Exit to privileged EXEC mode from configuration mode.
exit
Mode: any
Exit the current mode; may return to previous mode or close session (from user EXEC).
do <EXEC-command>
Mode: any config mode
Run an EXEC command from configuration mode without leaving it.
R1(config)# do show ip interface brief
2. System / Global Management [Global]
hostname, logging, ntp, aaa, snmp
Core system identity, time, logging, SNMP, and AAA.
hostname <NAME>
Mode: global config
Set device hostname (prompt name).
no ip domain-lookup
Mode: global config
Disable DNS lookups so that mistyped commands are not treated as hostnames to resolve.
service password-encryption
Mode: global config
Obfuscate plaintext passwords in the running-config (type 7, which is reversible and offers no real protection).
enable secret <password>
Mode: global config
Configure a hashed enable password (type 5 MD5 or stronger); use this instead of the plaintext enable password.
clock timezone <ZONE> <offset-hours>
Mode: global config
Set local timezone used for log timestamps.
ntp server <SERVER-IP> [prefer]
Mode: global config
Configure NTP time source.
logging buffered <size>
Mode: global config
Size of in-memory log buffer.
logging host <IP>
Mode: global config
Send syslog messages to remote log server.
aaa new-model
Mode: global config
Enable AAA framework (required for advanced auth).
snmp-server community <STRING> RO|RW
snmp-server location <TEXT>
snmp-server contact <TEXT>
Mode: global config
Basic SNMPv2c configuration (the community string travels in clear text; prefer SNMPv3 where possible).
3. Interfaces & Layer 2 Basics [Switch / Router]
physical, L2, SVI
Physical interface tuning and L2 switchport configuration.
interface <TYPE><SLOT/PORT>
Mode: global config
Enter interface configuration mode (e.g. interface g0/1).
description <text>
Mode: interface config
Describe interface usage (appears in show run / show int).
shutdown
no shutdown
Mode: interface config
Administratively disable/enable interface.
speed {10 | 100 | 1000 | auto}
duplex {half | full | auto}
Mode: interface config
Set speed/duplex on copper interfaces.
switchport mode {access | trunk}
switchport access vlan <VLAN-ID>
Mode: interface config (switch)
Configure port as L2 access or trunk and assign VLAN.
interface vlan <VLAN-ID>
 ip address <IP> <MASK>
 no shutdown
Mode: global config (MLS)
Create SVI (Switched Virtual Interface) for VLAN (L3 gateway on MLS).
ip helper-address <DHCP-SERVER-IP>
Mode: interface config (L3)
Relay DHCP and other UDP broadcasts to a remote server.
4. VLANs & Trunking [Switch / MLS]
vlan database, trunks, native vlan
VLAN creation, assignment, and 802.1Q trunks.
vlan <ID>
 name <NAME>
Mode: global config
Create or modify a VLAN.
show vlan brief
Mode: privileged EXEC
List VLANs and access port membership.
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan <list>
switchport trunk native vlan <ID>
Mode: interface config (trunk ports)
Configure 802.1Q trunk, allowed VLANs, and native VLAN.
show interfaces trunk
Mode: privileged EXEC
Show trunk ports, encapsulation, and VLANs allowed.
5. Spanning Tree (STP / RSTP) [Switch / MLS]
loops, root bridge, protection
Rapid-PVST configuration and loop-avoidance features.
spanning-tree mode {pvst | rapid-pvst | mst}
Mode: global config
Set STP operating mode.
spanning-tree vlan <ID-LIST> priority <VALUE>
Mode: global config
Set STP bridge priority (lower = more likely to be root).
spanning-tree portfast default
spanning-tree bpduguard enable
Mode: global / interface config
Enable fast edge-port convergence and BPDU protection.
spanning-tree guard root
Mode: interface config
Prevent a port from becoming a root port: if a superior BPDU arrives, the port is placed in the root-inconsistent (blocking) state until the superior BPDUs stop.
show spanning-tree [vlan <ID>] detail
Mode: privileged EXEC
View STP state, timers, root bridge, and per-port info.
6. EtherChannel (Port-Channel) [Switch / MLS]
LACP / PAgP
Bundle multiple physical links into one logical Port-channel.
interface range g1/0/1 - 2
 ! LACP (active/passive):
 channel-group 1 mode active
 ! or PAgP:
 ! channel-group 1 mode desirable
!
interface port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
Mode: interface range / Port-channel config
Create a Layer 2 trunk EtherChannel.
show etherchannel summary
Mode: privileged EXEC
View EtherChannel bundles and member port status.
7. Layer 3 Routing (Static & Dynamic) [Router / MLS]
static, OSPF, EIGRP, BGP (core)
Foundational routing commands for routers and multilayer switches.

Static Routing

ip route <DEST-IP> <MASK> {<NEXT-HOP-IP> | <OUT-INTF>} [distance]
Mode: global config
Configure IPv4 static route.
ip default-gateway <IP>
Mode: global config (L2 switch)
Default gateway for L2 switch management traffic.

OSPFv2

router ospf <PROCESS-ID>
 router-id <RID>
 network <IP> <WILDCARD> area <AREA>
 passive-interface default
 no passive-interface g0/0
Mode: router config (OSPF)
Basic OSPF configuration.
router ospf <PROCESS-ID>
 area <AREA> authentication message-digest
!
interface g0/0
 ip ospf message-digest-key 1 md5 <PASSWORD>
Mode: router OSPF / interface config
Enable and configure OSPF MD5 authentication.
show ip ospf neighbor
show ip ospf interface
show ip route ospf
Mode: privileged EXEC
Check OSPF neighbors, interfaces and learned routes.

EIGRP (Classic)

router eigrp <AS>
 network <IP> <WILDCARD>
 passive-interface default
 no passive-interface g0/0
 no auto-summary
Mode: router config (EIGRP)
Basic EIGRP configuration.
show ip eigrp neighbors
show ip eigrp topology
show ip route eigrp
Mode: privileged EXEC
Verify EIGRP neighbors and routes.

BGP (Edge / PE-CE Basics)

router bgp <ASN>
 bgp log-neighbor-changes
 neighbor <PEER-IP> remote-as <PEER-ASN>
 neighbor <PEER-IP> update-source Loopback0
 !
 network <PREFIX> mask <MASK>
Mode: router config (BGP)
Basic BGP neighbor and network advertisement.
show ip bgp summary
show ip bgp
show ip bgp neighbors <PEER-IP> advertised-routes
Mode: privileged EXEC
BGP neighbor status, table and advertisements.
8. First-Hop Redundancy (HSRP / VRRP / GLBP) [MLS / Router]
default gateway redundancy
Redundant default gateway for VLANs / subnets.

HSRP

interface vlan 10
 standby 10 ip 192.168.10.254
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string SECRET
Mode: interface config (SVI)
Configure HSRP group 10 on VLAN 10.

VRRP

interface vlan 20
 vrrp 20 ip 192.168.20.254
 vrrp 20 priority 120
 vrrp 20 preempt
Mode: interface config (SVI)
Configure VRRP group 20 for VLAN 20.

GLBP

interface vlan 30
 glbp 30 ip 192.168.30.254
 glbp 30 priority 150
 glbp 30 preempt
 glbp 30 load-balancing round-robin
Mode: interface config (SVI)
Configure GLBP with load balancing for VLAN 30.
show standby brief
show vrrp brief
show glbp brief
Mode: privileged EXEC
Quick overview of FHRP status.
9. ACLs & Security (Port-Security, DHCP Snooping, DAI) [Security]
L3 & L2 protection
Controlling traffic at L3 (ACL) and protecting access ports at L2.

ACLs

access-list 10 permit 192.168.10.0 0.0.0.255
Mode: global config
Standard IPv4 ACL (source-based only).
ip access-list extended WEB-FILTER
 deny tcp any any eq 80
 deny tcp any any eq 443
 permit ip any any
!
interface vlan 20
 ip access-group WEB-FILTER in
Mode: global config / interface config
Extended ACL applied inbound on VLAN SVI.
show access-lists
show ip interface <INTF>
Mode: privileged EXEC
Show ACL contents and where they’re applied.

Port Security

interface fa0/10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
Mode: interface config (access)
Limit and learn MACs dynamically on access ports.
show port-security interface fa0/10
Mode: privileged EXEC
Check port-security status and violations.

DHCP Snooping & Dynamic ARP Inspection (DAI)

ip dhcp snooping
ip dhcp snooping vlan 10,20,30
!
interface g1/0/24
 ip dhcp snooping trust
Mode: global / interface config
Enable DHCP snooping and trust uplink towards DHCP server.
ip arp inspection vlan 10,20,30
!
interface g1/0/24
 ip arp inspection trust
Mode: global / interface config
Enable Dynamic ARP Inspection using DHCP snooping bindings.
show ip dhcp snooping binding
show ip arp inspection statistics
Mode: privileged EXEC
Verify DHCP snooping and ARP inspection operation.
10. NAT / PAT & DHCP (Server & Relay) [Router / MLS]
inside/outside, pools, helper
Common NAT and DHCP scenarios for edge routers and MLS.

NAT / PAT

interface g0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface g0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface g0/0 overload
Mode: interface / global config
PAT (overload) for all inside hosts to one public IP.
show ip nat translations
show ip nat statistics
Mode: privileged EXEC
Verify NAT session table and performance.

DHCP Server

ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp pool VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8 1.1.1.1
 lease 7
Mode: global config
Configure DHCP server for VLAN 10.
show ip dhcp binding
show ip dhcp pool
Mode: privileged EXEC
View leases and pool statistics.

DHCP Relay

interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.0.10
Mode: interface config (SVI)
Relay DHCP requests to central DHCP server.
11. QoS (Classification, Marking, Policy) [Router / MLS]
class-map · policy-map · service-policy
Basic MQC-style QoS for voice/data prioritization.
class-map match-any VOICE
 match ip dscp ef
!
policy-map WAN-QOS
 class VOICE
  priority percent 30
 class class-default
  fair-queue
!
interface g0/0
 service-policy output WAN-QOS
Mode: global config / interface config
Prioritize EF (Expedited Forwarding) traffic with LLQ on WAN link.
mls qos
!
interface <INTF>
 mls qos trust dscp
Mode: global / interface config (switch)
Enable QoS on switch and trust DSCP from IP phone or upstream device.
show policy-map interface g0/0
show mls qos interface <INTF> statistics
Mode: privileged EXEC
Verify applied QoS policies and counters.
12. IPv6 & OSPFv3 [Dual-stack]
L3 + OSPFv3 basics
Dual-stack and IPv6 routing basics.
ipv6 unicast-routing
Mode: global config
Enable IPv6 routing globally.
interface g0/0
 ipv6 address 2001:db8:10::1/64
 ipv6 enable
Mode: interface config
Assign IPv6 address and enable IPv6 on interface.
ipv6 route 2001:db8:20::/64 2001:db8:10::2
Mode: global config
Static IPv6 route.
ipv6 router ospf 10
 router-id 10.10.10.10
!
interface g0/0
 ipv6 ospf 10 area 0
Mode: OSPFv3 / interface config
Basic IPv6 OSPFv3 configuration.
show ipv6 interface brief
show ipv6 route
show ipv6 ospf neighbor
Mode: privileged EXEC
Verify IPv6 addressing, routes, and OSPFv3 neighbors.
13. Management: SSH, AAA, SNMP, NTP, Syslog [Mgmt]
secure access & monitoring
Secure remote access and central monitoring.

SSH & Local Users

username admin privilege 15 secret Str0ngP@ss!
ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10
Mode: global / line config
Enable SSH with local user auth and timeout.

AAA with Local Fallback

aaa new-model
aaa authentication login default local
aaa authorization exec default local
Mode: global config
Use local database for login and exec authorization.

Syslog & NTP

logging host 192.168.1.10
logging trap warnings
service timestamps log datetime msec
ntp server 192.168.1.20 prefer
Mode: global config
Send logs to remote server and sync via NTP.
show logging
show ntp status
show users
show line vty 0 4
Mode: privileged EXEC
Monitor logging, NTP and remote sessions.
14. Monitoring, Show & Debug [Ops]
health, traffic, neighbors
Frequent show/debug commands for troubleshooting.
show running-config
show startup-config
show version
show inventory
Mode: privileged EXEC
Device configuration and hardware overview.
show ip interface brief
show interface <INTF>
show interfaces status
Mode: privileged EXEC
Quick interface status, IPs and link state.
show ip route
show ip protocols
show cdp neighbors detail
show lldp neighbors detail
Mode: privileged EXEC
Routing table, routing protocols and L2 neighbor discovery.
ping <IP/NAME>
traceroute <IP/NAME>
Mode: user/privileged EXEC
Connectivity and path tracing tests.
debug ip packet
debug ip ospf adj
undebug all
Mode: privileged EXEC
Powerful debugging (use carefully in production).
show processes cpu sorted
show processes memory sorted
Mode: privileged EXEC
CPU/memory usage per process.
15. VRF-Lite (Virtual Routing & Forwarding) [Advanced L3]
route isolation · multi-tenancy
Multiple isolated routing tables on a single device without MPLS.
ip vrf CUSTOMER_A
 rd 65000:100
 description Customer A tenant
Mode: global config
Create VRF instance with route distinguisher (RD).
interface g0/1
 description To Customer A Site
 ip vrf forwarding CUSTOMER_A
 ip address 10.1.1.1 255.255.255.252
Mode: interface config
Assign the interface to a VRF (this removes any IP address already configured on the interface, so re-apply the address afterwards).
router ospf 10 vrf CUSTOMER_A
 network 10.1.1.0 0.0.0.3 area 0
 redistribute bgp 65000 subnets
Mode: router config
Run OSPF inside a VRF instance.
router bgp 65000
 address-family ipv4 vrf CUSTOMER_A
  neighbor 10.1.1.2 remote-as 65100
  neighbor 10.1.1.2 activate
  redistribute ospf 10
Mode: BGP config / address-family
BGP per-VRF configuration (VRF-aware BGP).
ip route vrf CUSTOMER_A 192.168.10.0 255.255.255.0 10.1.1.2
Mode: global config
Static route within a specific VRF.
show ip vrf [detail]
show ip route vrf CUSTOMER_A
show ip protocols vrf CUSTOMER_A
ping vrf CUSTOMER_A 192.168.10.1
Mode: privileged EXEC
Verify VRF configuration, routing table and connectivity.
16. MPLS (Multiprotocol Label Switching) [Service Provider]
LDP · MP-BGP · L3VPN
MPLS basics for label distribution and Layer 3 VPNs.

MPLS & LDP Fundamentals

ip cef
mpls ip
Mode: global config
Enable CEF (required) and MPLS globally.
interface g0/0
 ip address 10.0.0.1 255.255.255.252
 mpls ip
Mode: interface config
Enable MPLS label switching on interface (activates LDP).
mpls ldp router-id Loopback0 force
Mode: global config
Set LDP router-ID (best practice: use loopback).
show mpls interfaces
show mpls ldp neighbor
show mpls forwarding-table
show mpls ldp bindings
Mode: privileged EXEC
Verify MPLS/LDP operation, neighbors and label bindings.

MPLS L3VPN (VRF + MP-BGP)

ip vrf CUSTOMER_B
 rd 65000:200
 route-target export 65000:200
 route-target import 65000:200
Mode: global config (PE router)
Define VRF with RD and Route Targets for L3VPN.
router bgp 65000
 neighbor 10.255.255.2 remote-as 65000
 neighbor 10.255.255.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.255.255.2 activate
  neighbor 10.255.255.2 send-community extended
 !
 address-family ipv4 vrf CUSTOMER_B
  redistribute connected
  redistribute ospf 20
Mode: BGP config (PE router)
MP-BGP configuration for VPNv4 label distribution between PEs.
show bgp vpnv4 unicast all summary
show bgp vpnv4 unicast vrf CUSTOMER_B
show ip route vrf CUSTOMER_B
Mode: privileged EXEC
Verify MP-BGP VPNv4 neighbors and VRF routes.

MPLS Traffic Engineering (TE)

mpls traffic-eng tunnels
!
interface Tunnel100
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 10.255.255.3
 tunnel mpls traffic-eng path-option 1 dynamic
Mode: global / tunnel config
Basic MPLS TE tunnel setup (requires RSVP on links).
interface g0/1
 mpls traffic-eng tunnels
 ip rsvp bandwidth 100000
Mode: interface config
Enable RSVP for MPLS TE on core links.
17. VPN Technologies (GRE / DMVPN / IPsec) [Tunneling]
site-to-site · dynamic mesh · crypto
Overlay VPN solutions for secure site-to-site and dynamic mesh connectivity.

GRE Tunnel (Generic Routing Encapsulation)

interface Tunnel0
 description GRE to Branch Office
 ip address 172.16.0.1 255.255.255.252
 tunnel source g0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
Mode: interface config
Basic GRE point-to-point tunnel (no encryption).

IPsec Site-to-Site VPN

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key Str0ngPSK! address 203.0.113.10
!
crypto ipsec transform-set STRONG-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set STRONG-SET
 match address VPN-TRAFFIC
!
interface g0/0
 crypto map VPN-MAP
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Mode: global / interface config
IPsec VPN with IKEv1, AES-256, and SHA-256.

GRE over IPsec

crypto ipsec profile IPSEC-PROFILE
 set transform-set STRONG-SET
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source g0/0
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-PROFILE
Mode: interface / crypto config
GRE tunnel protected by IPsec (tunnel mode, simpler config).

DMVPN (Dynamic Multipoint VPN)

! === HUB Configuration ===
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key Cisco123! address 0.0.0.0
!
crypto ipsec transform-set DMVPN-SET esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-SET
!
interface Tunnel0
 description DMVPN Hub
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source g0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
 ip ospf network broadcast
 ip ospf priority 255
Mode: HUB config (DMVPN Phase 2/3)
DMVPN hub with NHRP, mGRE and IPsec protection. Note that the wildcard pre-shared key (address 0.0.0.0) accepts IKE from any peer that knows the key; per-peer keys or certificates are the stronger choice in production.
! === SPOKE Configuration ===
! (the same crypto isakmp policy/key, transform-set and
!  ipsec profile DMVPN-PROFILE as on the hub are required here)
interface Tunnel0
 description DMVPN Spoke
 ip address 10.0.0.10 255.255.255.0
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 tunnel source g0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
 ip ospf network broadcast
 ip ospf priority 0
Mode: SPOKE config
DMVPN spoke registering to NHS (Next Hop Server = hub).
show crypto isakmp sa
show crypto ipsec sa
show ip nhrp
show dmvpn
Mode: privileged EXEC
Verify IPsec SAs, NHRP mappings and DMVPN tunnels.
18. VXLAN & EVPN (Overlay Networking) [Data Center]
L2 over L3 · BGP EVPN · VTEP
Modern data center overlay for L2 extension across IP fabrics.

VXLAN Basics (Flood-and-Learn)

feature nv overlay
feature vn-segment-vlan-based
!
vlan 10
 vn-segment 10010
!
interface nve1
 no shutdown
 source-interface loopback1
 member vni 10010
  mcast-group 239.0.0.10
Mode: global / interface config (Nexus)
VXLAN with multicast-based BUM (Broadcast/Unknown/Multicast) replication.

VXLAN with BGP EVPN Control Plane

feature bgp
feature nv overlay
feature vn-segment-vlan-based
nv overlay evpn
!
router bgp 65000
 neighbor 10.0.0.1
  remote-as 65000
  update-source loopback0
  address-family l2vpn evpn
   send-community extended
Mode: global / BGP config (Nexus VTEP)
BGP EVPN for control-plane MAC/IP learning (no multicast needed).
vlan 20
 vn-segment 20020
!
evpn
 vni 20020 l2
  rd auto
  route-target import auto
  route-target export auto
!
interface nve1
 no shutdown
 source-interface loopback1
 host-reachability protocol bgp
 member vni 20020
  ingress-replication protocol bgp
Mode: global / NVE config
L2VNI with BGP EVPN using ingress replication.

VXLAN L3VNI (Symmetric IRB)

vrf context TENANT-A
 vni 50001
 rd auto
 address-family ipv4 unicast
  route-target import 65000:50001
  route-target export 65000:50001
!
vlan 999
 vn-segment 50001
!
interface vlan 999
 no shutdown
 vrf member TENANT-A
 ip forward
!
interface nve1
 member vni 50001 associate-vrf
Mode: global / VRF / NVE config
L3VNI for inter-subnet routing in VXLAN EVPN fabric.
show nve peers
show nve vni
show bgp l2vpn evpn summary
show l2route evpn mac all
show vxlan
Mode: privileged EXEC (Nexus)
Verify VXLAN tunnels, VNIs, EVPN routes and MAC table.
19. IP Multicast (PIM / IGMP) [Multicast]
PIM-SM · RP · IGMP snooping
One-to-many distribution using PIM Sparse Mode.
ip multicast-routing
!
interface g0/0
 ip pim sparse-mode
Mode: global / interface config
Enable multicast routing and PIM on interfaces.
ip pim rp-address 10.255.255.1
Mode: global config
Static Rendezvous Point (RP) for PIM-SM.
ip pim autorp listener
ip pim send-rp-announce Loopback0 scope 16
ip pim send-rp-discovery Loopback0 scope 16
Mode: global config
Auto-RP for dynamic RP election (Cisco proprietary).
ip igmp snooping
ip igmp snooping vlan 10
Mode: global config (switch)
Enable IGMP snooping to constrain multicast at Layer 2.
show ip mroute
show ip pim neighbor
show ip pim rp mapping
show ip igmp groups
Mode: privileged EXEC
Verify multicast routing, PIM neighbors, RP and IGMP joins.
20. SD-WAN & LISP (Locator/ID Separation) [Advanced]
Viptela / Meraki · LISP basics
Software-Defined WAN and location-identity separation concepts.

Cisco SD-WAN (Viptela) – Concepts

! SD-WAN is configured via vManage GUI/API
! Key components:
!  - vManage (management plane / NMS)
!  - vSmart (controller)
!  - vBond (orchestrator, used for discovery)
!  - vEdge/cEdge (WAN routers)
!
! Basic CLI snippet (cEdge IOS-XE):
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
!
system
 system-ip 10.0.0.1
 site-id 100
Mode: SD-WAN config mode (IOS-XE 17.x+)
SD-WAN uses zero-touch provisioning and overlay management policies.

LISP (Locator/ID Separation Protocol)

router lisp
 service ipv4
  eid-table default instance-id 0
  itr map-resolver 10.1.1.10
  etr map-server 10.1.1.10 key SECRET
  etr
  itr
!
interface Loopback10
 ip address 192.0.2.1 255.255.255.255
 lisp mobility LISP-ROAM
Mode: LISP config
LISP separates endpoint ID (EID) from routing locator (RLOC).
show lisp site
show lisp map-cache
show lisp database
Mode: privileged EXEC
Verify LISP registrations, mappings and EID database.
21. Route Manipulation (PBR, Route-Maps, Prefix-Lists) [Advanced Routing]
policy-based routing · filtering · redistribution
Granular control over routing decisions and redistribution.

Policy-Based Routing (PBR)

access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
route-map PBR-POLICY permit 10
 match ip address 101
 set ip next-hop 192.168.1.254
!
interface g0/1
 ip policy route-map PBR-POLICY
Mode: global / interface config
Override routing table for specific traffic (e.g., source-based routing).

Route-Maps for Redistribution

ip prefix-list OSPF-TO-BGP permit 10.0.0.0/8 le 24
!
route-map OSPF-INTO-BGP permit 10
 match ip address prefix-list OSPF-TO-BGP
 set metric 100
 set community 65000:100
!
router bgp 65000
 redistribute ospf 1 route-map OSPF-INTO-BGP
Mode: global / BGP config
Filter and tag routes during redistribution.

Prefix-Lists & AS-Path Filtering

ip prefix-list ALLOWED-PREFIXES permit 192.168.0.0/16 le 24
!
ip as-path access-list 10 permit ^65001_
!
route-map BGP-IN permit 10
 match ip address prefix-list ALLOWED-PREFIXES
 match as-path 10
 set local-preference 200
Mode: global config
Combine prefix and AS-path matching for inbound BGP policy.
show route-map
show ip policy
show ip prefix-list
Mode: privileged EXEC
Verify route-maps, PBR and prefix-list configuration.
22. High Availability (SSO / NSF / BFD / OER) [Resilience]
stateful switchover · fast failover
Redundancy and fast convergence features for mission-critical networks.

Stateful Switchover (SSO) & NSF

redundancy
 mode sso
!
router ospf 1
 nsf
Mode: global / router config (dual RP routers)
SSO keeps the standby supervisor synchronized so sessions survive a supervisor failover; NSF (non-stop forwarding) keeps forwarding traffic while the routing protocols re-converge.

Bidirectional Forwarding Detection (BFD)

interface g0/0
 bfd interval 300 min_rx 300 multiplier 3
!
router ospf 1
 bfd all-interfaces
!
router bgp 65000
 neighbor 10.0.0.2 fall-over bfd
Mode: interface / router config
BFD provides sub-second failure detection for routing protocols.
show bfd neighbors [details]
Mode: privileged EXEC
Verify BFD session state and timers.

IP SLA & Object Tracking

ip sla 1
 icmp-echo 8.8.8.8 source-interface g0/0
 frequency 10
ip sla schedule 1 start-time now life forever
!
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
Mode: global config
Use IP SLA to track reachability and conditionally install routes.
show ip sla statistics
show track
Mode: privileged EXEC
Monitor IP SLA probes and tracked object status.
23. NetFlow / IPFIX & Model-Driven Telemetry [Monitoring]
traffic visibility · streaming telemetry
Detailed traffic analytics and real-time device telemetry.

NetFlow (Traditional)

ip flow-export version 9
ip flow-export destination 192.168.1.100 2055
!
interface g0/0
 ip flow ingress
 ip flow egress
Mode: global / interface config
NetFlow v9 export for traffic analysis.

Flexible NetFlow

flow record CUSTOM-RECORD
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes
 collect counter packets
!
flow exporter COLLECTOR
 destination 192.168.1.100
 transport udp 2055
!
flow monitor CUSTOM-MONITOR
 record CUSTOM-RECORD
 exporter COLLECTOR
!
interface g0/1
 ip flow monitor CUSTOM-MONITOR input
Mode: global / interface config
Flexible NetFlow for customizable flow records.

Model-Driven Telemetry (YANG Push)

telemetry ietf subscription 100
 encoding encode-kvgpb
 filter xpath /process-cpu-ios-xe-oper:cpu-usage/cpu-utilization
 stream yang-push
 update-policy periodic 3000
 receiver ip address 192.168.1.50 57000 protocol grpc-tcp
Mode: global config (IOS-XE 16.10+)
Stream real-time operational data using gRPC and YANG models.
show flow monitor
show telemetry ietf subscription all
Mode: privileged EXEC
Verify flow monitors and telemetry subscriptions.
24. Automation & Programmability (RESTCONF, NETCONF, gNMI) [DevOps]
APIs · YANG models · ZTP
Programmatic device management and configuration.

NETCONF

netconf-yang
Mode: global config (IOS-XE / Nexus)
Enable NETCONF server (default port 830).

RESTCONF

ip http secure-server
restconf
Mode: global config (IOS-XE)
Enable RESTCONF over HTTPS (port 443).

gNMI (gRPC Network Management Interface)

gnmi-yang
gnmi-yang server
gnmi-yang port 50051
Mode: global config (IOS-XR / Nexus)
Enable gNMI for streaming telemetry and configuration.

Zero-Touch Provisioning (ZTP)

! ZTP enabled by default on new devices
! Requires DHCP option 67 (bootfile) pointing to script
!
! Disable ZTP if not needed:
no boot ztp
Mode: global config (Nexus / IOS-XE)
ZTP automates initial device provisioning via DHCP + script.
show platform software yang-management process
show netconf-yang sessions
Mode: privileged EXEC
Verify YANG/NETCONF process and active sessions.
25. Cisco ASA Firewall [ASA]
security levels · NAT · ACLs · VPN
ASA-specific firewall configuration (different syntax from IOS routers).

Basic Interface & Security Levels

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
Mode: interface config
Configure interface with name and security level (0=outside, 100=inside).
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
Mode: interface config
Inside interface (high security). Traffic from high→low allowed by default.

Network Objects & NAT

object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
Mode: global config
Static 1:1 NAT for a single host (object-based NAT).
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Mode: global config
Dynamic PAT (NAT overload) for entire subnet using interface IP.
object network PAT-POOL
 range 203.0.113.10 203.0.113.20
!
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool PAT-POOL
Mode: global config
Dynamic PAT using a pool of public IPs.

Access Control Lists (ACLs)

! ASA 8.3+: ACLs match the real (pre-NAT) address of the server
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.10 eq 443
access-list OUTSIDE-IN extended deny ip any any log
!
access-group OUTSIDE-IN in interface outside
Mode: global config
Extended ACL allowing HTTPS to web server, deny all else.
object-group service WEB-SERVICES tcp
 port-object eq 80
 port-object eq 443
!
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER object-group WEB-SERVICES
Mode: global config
Use object-groups for cleaner ACLs with multiple services.
show access-list
show access-list OUTSIDE-IN
show run access-list
Mode: privileged EXEC
Verify ACL configuration and hit counts.

Site-to-Site VPN (IKEv2)

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
crypto ikev2 enable outside
Mode: global config
IKEv2 Phase 1 policy with strong encryption.
crypto ipsec ikev2 ipsec-proposal STRONG
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto map VPN-MAP 10 match address VPN-TRAFFIC
crypto map VPN-MAP 10 set peer 203.0.113.50
crypto map VPN-MAP 10 set ikev2 ipsec-proposal STRONG
crypto map VPN-MAP interface outside
Mode: global config
IPsec Phase 2 proposal and crypto map.
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Str0ngKey!
 ikev2 local-authentication pre-shared-key Str0ngKey!
Mode: global config
Tunnel group for site-to-site VPN with pre-shared key.
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
Mode: global config
Interesting traffic for VPN encryption.

AnyConnect Remote Access VPN

ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.xxxxx-webdeploy-k9.pkg
 anyconnect enable
Mode: global config
Enable AnyConnect with IP pool for remote users.
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN-POOL
 default-group-policy RemoteUsers
Mode: global config
Group policy with split tunneling for AnyConnect.
username vpnuser password Str0ngP@ss!
username vpnuser attributes
 vpn-group-policy RemoteUsers
 service-type remote-access
Mode: global config
Local user account for VPN authentication.

Verification & Troubleshooting

show interface ip brief
show nameif
show route
show xlate
show conn
Mode: privileged EXEC
Basic ASA status: interfaces, NAT translations, connections.
show crypto ikev2 sa
show crypto ipsec sa
show vpn-sessiondb anyconnect
show vpn-sessiondb detail anyconnect
Mode: privileged EXEC
VPN session monitoring and troubleshooting.
packet-tracer input outside tcp 1.2.3.4 12345 203.0.113.10 443 detailed
Mode: privileged EXEC
Simulate packet flow through ASA (firewall policy, NAT, routing).
26. Nexus Data Center Features [NX-OS]
vPC · FabricPath · OTV
Cisco Nexus-specific data center technologies (NX-OS).

vPC (Virtual Port-Channel)

feature vpc
!
vpc domain 1
 role priority 100
 peer-keepalive destination 10.0.0.2 source 10.0.0.1 vrf management
 peer-gateway
!
interface port-channel10
 switchport mode trunk
 vpc 10
Mode: global config
Configure vPC for dual-homed server connectivity across two Nexus switches.
show vpc
show vpc brief
show vpc role
show vpc consistency-parameters global
Mode: privileged EXEC
Verify vPC status, role, and consistency parameters.

FabricPath

install feature-set fabricpath
feature-set fabricpath
!
fabricpath domain default
fabricpath switch-id 1
!
vlan 100
 mode fabricpath
!
interface Ethernet1/1
 switchport mode fabricpath
 no shutdown
Mode: global config
Enable FabricPath for layer 2 multipathing in data center.
show fabricpath route
show fabricpath isis adjacency
show fabricpath switch-id
Mode: privileged EXEC
Verify FabricPath routes, ISIS adjacencies, and switch IDs.

OTV (Overlay Transport Virtualization)

feature otv
!
otv site-identifier 0000.0000.0001
otv site-vlan 10
!
interface Overlay1
 otv join-interface Ethernet1/1
 otv extend-vlan 100-200
 otv use-adjacency-server 10.1.1.1 unicast-only
 no shutdown
Mode: global config
Configure OTV for layer 2 extension over a layer 3 network (data center interconnect, DCI).
show otv
show otv overlay
show otv adjacency
show otv route overlay 1
Mode: privileged EXEC
Verify OTV overlay status, adjacencies, and routes.

Nexus-Specific Features

feature lacp
feature interface-vlan
feature hsrp
feature vpc
Mode: global config
Enable features on Nexus (features must be explicitly enabled on NX-OS).
show feature
show feature | include enabled
Mode: privileged EXEC
Display enabled features on Nexus switch.
27. Switch Stacking & Clustering HA
StackWise · VSS · stacking
Switch stacking and virtual chassis technologies for high availability.

StackWise (Catalyst Switches)

switch 1 priority 15
switch 2 priority 14
!
switch 1 provision ws-c3850-24p
switch 2 provision ws-c3850-24p
Mode: global config
Configure stack priorities (the highest value wins the active-switch election) and pre-provision switch models.
show switch
show switch stack-ports
show switch neighbors
Mode: privileged EXEC
Display stack members, stack ring status, and neighbor information.
switch 3 renumber 1
Mode: global config
Renumber a stack member (requires reload).

VSS (Virtual Switching System - Catalyst 6500/4500)

switch virtual domain 100
 switch 1
 switch 1 priority 110
!
interface port-channel10
 switch virtual link 1
 no shutdown
Mode: global config
Configure VSS to combine two physical switches into one logical switch.
show switch virtual
show switch virtual role
show switch virtual link
Mode: privileged EXEC
Verify VSS status, active/standby role, and virtual switch link.

Stack Management

stack-power stack SP1
stack-power switch 1 30
!
show stack-power
Mode: global/exec
Configure and monitor StackPower (shared power across stack members).
redundancy
 mode sso
!
show redundancy
show redundancy states
Mode: global/exec
Configure SSO (Stateful Switchover) and verify redundancy status.
28. Advanced Troubleshooting Tools Debug
SPAN · RSPAN · EPC · packet capture
Advanced monitoring and troubleshooting tools for packet analysis.

SPAN (Switched Port Analyzer)

monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/24
!
! Or with filters:
monitor session 1 source interface Gi0/1 rx
monitor session 1 filter vlan 100
Mode: global config
Mirror traffic from a source interface to a destination interface for packet analysis; rx limits the copy to ingress traffic and filter vlan restricts it to one VLAN.
show monitor session 1
show monitor session all
Mode: privileged EXEC
Verify SPAN session configuration and status.

RSPAN (Remote SPAN)

! On source switch:
vlan 999
 remote-span
!
monitor session 1 source interface Gi0/1
monitor session 1 destination remote vlan 999
!
! On destination switch:
vlan 999
 remote-span
!
monitor session 1 source remote vlan 999
monitor session 1 destination interface Gi0/24
Mode: global config
Mirror traffic across switches using a dedicated RSPAN VLAN.
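A SPAN session left behind after troubleshooting keeps copying traffic to a port, and with RSPAN that copy crosses every trunk carrying the RSPAN VLAN. This added Python audit (not part of the cheat sheet) parses a constructed running-config excerpt, groups the monitor session lines by session id, and flags sessions whose destination is an RSPAN VLAN, also checking that the VLAN was actually declared remote-span.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt (not from a real device): session 1 mirrors
# Gi0/1 ingress for VLAN 100 to a local port; session 2 feeds RSPAN VLAN 999.
SAMPLE_CONFIG = """\
vlan 999
 name RSPAN_VLAN
 remote-span
!
monitor session 1 source interface Gi0/1 rx
monitor session 1 filter vlan 100
monitor session 1 destination interface Gi0/24
monitor session 2 source interface Gi0/5
monitor session 2 destination remote vlan 999
"""

MON_RE = re.compile(r"^monitor session (\d+) (source|destination|filter) (.+)$")


def rspan_vlans(config):
    """VLAN ids whose 'vlan N' block contains the 'remote-span' sub-command."""
    return {int(v) for v in re.findall(r"^vlan (\d+)\n(?: [^\n]*\n)*? remote-span$", config, re.M)}


def audit_span(config):
    """Group 'monitor session' lines by session id; 'remote' marks sessions whose
    destination is an RSPAN VLAN, i.e. the mirrored traffic leaves this switch."""
    declared = rspan_vlans(config)
    sessions = defaultdict(lambda: {"sources": [], "filters": [], "destination": None,
                                    "remote": False, "rspan_vlan_declared": None})
    for line in config.splitlines():
        m = MON_RE.match(line)
        if not m:
            continue
        sid, kind, rest = int(m.group(1)), m.group(2), m.group(3)
        entry = sessions[sid]
        if kind == "source":
            entry["sources"].append(rest)
        elif kind == "filter":
            entry["filters"].append(rest)
        else:
            entry["destination"] = rest
            vm = re.match(r"^remote vlan (\d+)$", rest)
            if vm:  # destination is an RSPAN VLAN, not a local port
                entry["remote"] = True
                entry["rspan_vlan_declared"] = int(vm.group(1)) in declared
    return dict(sessions)
```

Run it against a saved `show running-config` to list every session; any entry you did not create on purpose is a candidate for `no monitor session <id>`.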

EPC (Embedded Packet Capture - IOS 15.0+)

monitor capture CAP1 interface GigabitEthernet0/0 both
monitor capture CAP1 match any
monitor capture CAP1 buffer size 10
monitor capture CAP1 start
!
! Wait for traffic...
!
monitor capture CAP1 stop
monitor capture CAP1 export tftp://10.0.0.100/cap1.pcap
Mode: privileged EXEC
Capture packets directly on the router/switch into a memory buffer and export them as a PCAP file.
show monitor capture CAP1
show monitor capture CAP1 buffer brief
show monitor capture CAP1 buffer dump
Mode: privileged EXEC
Display EPC capture status and buffer contents.

Conditional Debugging

debug condition interface GigabitEthernet0/0
debug ip packet detail
!
! To remove condition:
no debug condition interface GigabitEthernet0/0
undebug all
Mode: privileged EXEC
Limit debug output to a specific interface to reduce CPU overhead.
debug condition ip 10.1.1.1
debug ip packet
!
show debug condition
Mode: privileged EXEC
Debug only packets from or to a specific IP address.

Traffic Analysis Tools

test cable-diagnostics tdr interface Gi0/1
show cable-diagnostics tdr interface Gi0/1
Mode: privileged EXEC
Run Time Domain Reflectometer test to detect cable issues.
! IP SLA for monitoring:
ip sla 1
 icmp-echo 8.8.8.8 source-interface Gi0/0
 frequency 60
ip sla schedule 1 life forever start-time now
!
show ip sla statistics
show ip sla configuration
Mode: global/exec
Configure IP SLA for proactive network monitoring and troubleshooting.

Performance Monitoring

show processes cpu sorted
show processes memory sorted
show interfaces stats
show platform hardware
Mode: privileged EXEC
Monitor CPU, memory, interface stats, and hardware performance.
29. Maintenance, Files & Recovery Ops
configs, images, reload
Saving configs, backups, and reload management.
copy running-config startup-config
copy startup-config running-config
Mode: privileged EXEC
Save or restore configuration to/from NVRAM.
copy running-config tftp:
copy tftp: running-config
Mode: privileged EXEC
Backup/restore config via TFTP.
dir
delete <FILE>
show flash:
Mode: privileged EXEC
File system operations (typically flash:).
reload
reload in <MINUTES>
reload cancel
Mode: privileged EXEC
Immediate or scheduled reload.
erase startup-config
write erase
! (older syntax)
Mode: privileged EXEC
Erase the saved configuration (config only, the IOS image stays); the device boots with an empty config after the next reload.