Flying Santa
Kimkorng

Cisco Command Line Interface (CLI)

16 AUG, 2024

The Cisco CLI (Command Line Interface) is a tool we use to set up and manage Cisco devices like switches and routers. Let's see how you can access and use it.

Accessing the CLI

You can access the CLI in a few different ways:

Connecting via Console

This is a direct, physical connection using a console cable.

  1. Hook up your computer to the Cisco device with a console cable.
  2. Open up a terminal program like PuTTY, SecureCRT, or Tera Term.
  3. Choose "Serial" as the connection type and set these settings:
    • Speed (Baud rate): 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow control: None
  4. Hit Open to start your session.

Connecting via SSH

SSH is a secure way to access the CLI remotely over the network.

  1. Open your terminal program (like PuTTY, SecureCRT, or Tera Term).
  2. Enter the device's IP address and select SSH as the connection type, then click Open.
  3. When prompted, enter your username and password.

Connecting via Telnet

Telnet also lets you access the CLI remotely, but it's less secure since it doesn’t encrypt your data.

  1. Open your terminal program.
  2. Enter the device’s IP address, choose Telnet as the connection type, and click Open.
  3. Enter your username and password when prompted.

Basic Modes and Commands in IOS

The Cisco IOS has different modes that let you do different things:

  • User EXEC Mode: This is the basic mode for running simple commands. The prompt looks like Router>.
  • Privileged EXEC Mode: This mode gives you full access to all commands. Type enable to enter, and disable to go back to User EXEC. The prompt changes to Router#.
  • Global Configuration Mode: This is where you make configuration changes. Get there by typing configure terminal. The prompt will look like Router(config)#.

Sub-Modes

  • Interface Configuration Mode: Used to configure specific interfaces like Gigabit Ethernet. You get here from Global Config Mode by typing interface [interface_name]. The prompt changes to Router(config-if)#.
  • Line Configuration Mode: For setting up terminal lines like console and VTY (remote access). Enter this mode by typing line [type] [number] in Global Config. The prompt becomes Router(config-line)#.
  • Router Configuration Mode: Used to configure routing protocols like OSPF or EIGRP. You enter this mode by typing router [protocol] from Global Config. The prompt changes to Router(config-router)#.

Basic Device Setup

Set a Hostname

To give your device a name, use:

```shell
Router(config)# hostname Router1
```

Set Passwords

You’ll want to secure access to the device.

  • Console Password:
    ```shell
    Router(config)# line console 0
    Router(config-line)# password yourpassword
    Router(config-line)# login
    ```
  • Enable Secret: This sets a password for entering Privileged Mode.
    ```shell
    Router(config)# enable secret yourpassword
    ```

Secure VTY Lines for Remote Access

These commands require a login against the local user database on the VTY lines and restrict them to SSH, so Telnet is no longer accepted.

```shell
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
```

Set a Banner

You can set a message that appears before the login prompt.

```shell
Router(config)# banner motd # Unauthorized access is prohibited #
```

Configure Interfaces

  • Assigning an IP Address: Set up an IP address on an interface.
    ```shell
    Router(config)# interface GigabitEthernet0/0
    Router(config-if)# ip address 192.168.1.1 255.255.255.0
    Router(config-if)# no shutdown
    ```

Save Your Configuration

To save your settings so they persist after a reboot:

```shell
Router# copy running-config startup-config
```

Routing Configuration

Static Routing

To manually set a route to a specific network:

```shell
Router(config)# ip route 192.168.2.0 255.255.255.0 192.168.1.2
```

Default Route

You can add a default route that directs traffic when no specific route is set.

```shell
Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2
```
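To show why the default route is only used when no more specific route matches, here is an added Python longest-prefix-match lookup (example code for this post, not part of the original); it parses the two `ip route` lines above, with the default route's next hop changed to the constructed value 192.168.1.3 so the two results are distinguishable.

```python
import ipaddress

# Constructed routing table in the 'ip route NETWORK MASK NEXT-HOP' form used
# on this page; 192.168.1.3 is a made-up next hop for the default route.
STATIC_ROUTES = [
    "ip route 192.168.2.0 255.255.255.0 192.168.1.2",
    "ip route 0.0.0.0 0.0.0.0 192.168.1.3",
]

def parse_static_routes(lines):
    """Turn 'ip route NETWORK MASK NEXT-HOP' lines into (network, next_hop) pairs."""
    routes = []
    for line in lines:
        tok = line.split()
        if tok[:2] == ["ip", "route"] and len(tok) >= 5:
            # strict=False tolerates host bits; the mask form also covers 0.0.0.0/0.0.0.0
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((net, tok[4]))
    return routes

def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins, so
    the 0.0.0.0/0 default route only applies when nothing else contains it."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, next_hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])

if __name__ == "__main__":
    table = parse_static_routes(STATIC_ROUTES)
    for dest in ("192.168.2.40", "203.0.113.9"):
        print(dest, "->", lookup(table, dest))
```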

Dynamic Routing

  • RIP: Set up Routing Information Protocol (RIP) for dynamic routing.
    ```shell
    Router(config)# router rip
    Router(config-router)# version 2
    Router(config-router)# network 192.168.1.0
    Router(config-router)# network 192.168.2.0
    ```
  • EIGRP: Set up Enhanced Interior Gateway Routing Protocol (EIGRP).
    ```shell
    Router(config)# router eigrp 100
    Router(config-router)# network 192.168.1.0
    Router(config-router)# network 192.168.2.0
    ```

VLAN Setup (Switches)

Creating a VLAN

To create a VLAN and name it:

```shell
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
```

Assigning Ports to a VLAN

Here’s how to assign a port to a specific VLAN.

```shell
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
```

Setting Up Trunking Between Switches

Trunk ports carry traffic for multiple VLANs between switches.

```shell
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
```

Checking VLAN Configuration

To verify your VLAN settings:

```shell
Switch# show vlan brief
```

Access Control Lists (ACLs)

Standard ACL

A basic access list to control traffic based on source IP.

```shell
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 10 in
```

Extended ACL

A more advanced ACL to control traffic based on multiple criteria, like IP and port numbers.

```shell
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 100 in
```
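To make the wildcard-mask and first-match semantics of the standard and extended ACLs above concrete, here is an added Python evaluator (example code written for this post, not Cisco's or the author's): it parses the two access-list entries shown, matches a packet against them top-down, and applies the implicit deny at the end of every ACL.

```python
import ipaddress

# The two entries shown on this page, as constructed input for the evaluator.
STANDARD_ACL_10 = ["access-list 10 permit 192.168.1.0 0.0.0.255"]
EXTENDED_ACL_100 = ["access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80"]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_addr(tok, i):
    """Consume an address spec at tok[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    """Parse one numbered access-list entry into a dict."""
    tok = line.split()
    num, action = int(tok[1]), tok[2]
    ace = {"action": action, "proto": "ip",
           "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    if num <= 99:                          # standard ACL: source address only
        ace["src"], _ = parse_addr(tok, 3)
    else:                                  # extended: proto src dst [eq PORT]
        ace["proto"] = tok[3]
        ace["src"], i = parse_addr(tok, 4)
        ace["dst"], i = parse_addr(tok, i)
        if i < len(tok) and tok[i] == "eq":
            ace["dport"] = tok[i + 1]
    return ace

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Walk the entries top-down; the first match decides, and a packet that
    matches nothing hits the implicit 'deny any' at the end of every ACL."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != str(dport):
            continue
        return ace["action"]
    return "deny"
```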

Checking ACLs

To see which ACL entries are matching and whether an ACL is applied to an interface:

```shell
Router# show access-lists
Router# show ip interface GigabitEthernet0/0
```

Advanced IOS Commands

Configuring NAT

Set up Network Address Translation to allow internal devices to access external networks.

```shell
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat outside
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip nat inside
```

OSPF Configuration

Set up Open Shortest Path First (OSPF) for dynamic routing.

```shell
Router(config)# router ospf 1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
```

BGP Configuration

Set up Border Gateway Protocol (BGP) for routing between different autonomous systems (networks under separate administration).

```shell
Router(config)# router bgp 65001
Router(config-router)# neighbor 192.168.2.1 remote-as 65002
Router(config-router)# network 192.168.1.0 mask 255.255.255.0
```

Port Security (Switches)

Secure switch ports by limiting the number of devices that can connect.

```shell
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
```

Configuring DHCP

You can set up a Cisco router to act as a DHCP server, automatically assigning IP addresses.

```shell
Router(config)# ip dhcp pool LAN
Router(config-dhcp)# network 192.168.1.0 255.255.255.0
Router(config-dhcp)# default-router 192.168.1.1
Router(config-dhcp)# dns-server 8.8.8.8
```

Configuring HSRP

For redundancy, set up Hot Standby Router Protocol (HSRP) so that another router can take over if one fails.

```shell
Router(config)# interface GigabitEthernet0/1
Router(config-if)# standby 1 ip 192.168.1.254
Router(config-if)# standby 1 priority 110
Router(config-if)# standby 1 preempt
```

Monitoring and Troubleshooting

Viewing Configuration

To see the current configuration:

```shell
Router# show running-config
```

Viewing Interface Status

Check the status of your interfaces:

```shell
Router# show ip interface brief
```

Checking the Routing Table

To see the routing table:

```shell
Router# show ip route
```

Monitoring CPU and Memory Usage

Keep an eye on the router’s resources:

```shell
Router# show processes cpu
Router# show processes memory
```

Checking Interface Statistics

Get detailed stats on an interface:

```shell
Router# show interfaces GigabitEthernet0/0
```

Testing Connectivity

To test network connectivity:

  • Ping:
    ```shell
    Router# ping 192.168.1.1
    ```
  • Traceroute:
    ```shell
    Router# traceroute 192.168.1.1
    ```

Debugging

Turn on debugging to see detailed information about a process, and turn it all off again when you are done:

```shell
Router# debug ip routing
Router# undebug all
```

Packet Capture

On newer models, you can capture packets directly on the device:

```shell
Router# monitor capture point ip cef POINT1 all
Router# monitor capture point associate POINT1
Router# monitor capture point start POINT1
```