The Cisco CLI (Command Line Interface) is a tool we use to set up and manage Cisco devices like switches and routers. Let's see how you can access and use it.
Accessing the CLI
You can access the CLI in a few different ways:
Connecting via Console
This is a direct, physical connection using a console cable.
- Hook up your computer to the Cisco device with a console cable.
- Open up a terminal program like PuTTY, SecureCRT, or Tera Term.
- Choose "Serial" as the connection type and set these settings:
  - Speed (Baud rate): 9600
  - Data bits: 8
  - Parity: None
  - Stop bits: 1
  - Flow control: None
- Hit Open to start your session.
Connecting via SSH
SSH is a secure way to access the CLI remotely over the network.
- Open your terminal program (like PuTTY, SecureCRT, or Tera Term).
- Enter the device's IP address and select SSH as the connection type, then click Open.
- When prompted, enter your username and password.
Connecting via Telnet
Telnet also lets you access the CLI remotely, but it's less secure since it doesn’t encrypt your data.
- Open your terminal program.
- Enter the device’s IP address, choose Telnet as the connection type, and click Open.
- Enter your username and password when prompted.
Basic Modes and Commands in IOS
The Cisco IOS has different modes that let you do different things:
- User EXEC Mode: This is the basic mode for running simple commands. The prompt looks like `Router>`.
- Privileged EXEC Mode: This mode gives you full access to all commands. Type `enable` to enter, and `disable` to go back to User EXEC. The prompt changes to `Router#`.
- Global Configuration Mode: This is where you make configuration changes. Get there by typing `configure terminal`. The prompt will look like `Router(config)#`.
Sub-Modes
- Interface Configuration Mode: Used to configure specific interfaces like Gigabit Ethernet. You get here from Global Config Mode by typing `interface [interface_name]`. The prompt changes to `Router(config-if)#`.
- Line Configuration Mode: For setting up terminal lines like console and VTY (remote access). Enter this mode by typing `line [type] [number]` in Global Config. The prompt becomes `Router(config-line)#`.
- Router Configuration Mode: Used to configure routing protocols like OSPF or EIGRP. You enter this mode by typing `router [protocol]` from Global Config. The prompt changes to `Router(config-router)#`.
Basic Device Setup
Set a Hostname
To give your device a name, use:
```shell
Router(config)# hostname Router1
```
Set Passwords
You’ll want to secure access to the device.
- Console Password:
```shell
Router(config)# line console 0
Router(config-line)# password yourpassword
Router(config-line)# login
```
- Enable Secret: This sets a password for entering Privileged Mode.
```shell
Router(config)# enable secret yourpassword
```
Secure VTY Lines for Remote Access
These commands secure the lines used for SSH or Telnet access.
```shell
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input ssh
```
Set a Banner
You can set a message that appears before the login prompt.
```shell
Router(config)# banner motd # Unauthorized access is prohibited #
```
Configure Interfaces
- Assigning an IP Address: Set up an IP address on an interface.
```shell
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
```
Save Your Configuration
To save your settings so they persist after a reboot:
```shell
Router# copy running-config startup-config
```
Routing Configuration
Static Routing
To manually set a route to a specific network:
```shell
Router(config)# ip route 192.168.2.0 255.255.255.0 192.168.1.2
```
Default Route
You can add a default route that directs traffic when no specific route is set.
```shell
Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2
```
Dynamic Routing
- RIP: Set up Routing Information Protocol (RIP) for dynamic routing.
```shell
Router(config)# router rip
Router(config-router)# version 2
Router(config-router)# network 192.168.1.0
Router(config-router)# network 192.168.2.0
```
- EIGRP: Set up Enhanced Interior Gateway Routing Protocol (EIGRP).
```shell
Router(config)# router eigrp 100
Router(config-router)# network 192.168.1.0
Router(config-router)# network 192.168.2.0
```
VLAN Setup (Switches)
Creating a VLAN
To create a VLAN and name it:
```shell
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
```
Assigning Ports to a VLAN
Here’s how to assign a port to a specific VLAN.
```shell
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
```
Setting Up Trunking Between Switches
Trunk ports carry traffic for multiple VLANs between switches.
```shell
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
```
Checking VLAN Configuration
To verify your VLAN settings:
```shell
Switch# show vlan brief
```
Access Control Lists (ACLs)
Standard ACL
A basic access list to control traffic based on source IP.
```shell
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 10 in
```
Extended ACL
A more advanced ACL to control traffic based on multiple criteria, like IP and port numbers.
```shell
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group 100 in
```
Checking ACLs
To see if an ACL is applied and how it's performing:
```shell
Router# show access-lists
Router# show ip interface GigabitEthernet0/0
```
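The two access lists above, evaluated in Python as an added example that is not part of the original guide: it shows how the wildcard mask selects addresses and that any packet no entry permits falls through to the implicit deny at the end of the list. The parser covers only the `any`, `host`, address/wildcard and `eq` forms; the function names and the test packets are constructed for illustration.

```python
import ipaddress

# The two access lists from this page, as they appear in a configuration.
ACL_LINES = [
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
]
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(ip, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ANY
    if tokens[0] == "host":
        tokens.pop(0)
        return (tokens.pop(0), "0.0.0.0")
    return (tokens.pop(0), tokens.pop(0))

def parse_entry(line):
    t = line.split()[1:]                      # drop 'access-list'
    e = {"acl": int(t.pop(0)), "action": t.pop(0), "proto": "ip", "dst": ANY, "dport": None}
    extended = 100 <= e["acl"] <= 199         # 1-99 standard, 100-199 extended
    if extended:
        e["proto"] = t.pop(0)                 # extended entries name the protocol first
    e["src"] = parse_addr(t)
    if extended:
        e["dst"] = parse_addr(t)
        if t[:1] == ["eq"]:
            e["dport"] = int(t[1])
    return e

def evaluate(lines, acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """First matching entry decides; no match hits the implicit deny."""
    for e in map(parse_entry, lines):
        if e["acl"] != acl or e["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["dport"] in (None, dport):
            return e["action"]
    return "deny"                             # implicit 'deny any' ends every ACL
```

With ACL 100 applied inbound, `evaluate(ACL_LINES, 100, "192.168.1.77", "8.8.8.8", "udp", 53)` returns `"deny"`: hosts behind that interface lose DNS and everything else except TCP port 80 unless more permit entries are added.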
Advanced IOS Commands
Configuring NAT
Set up Network Address Translation to allow internal devices to access external networks.
```shell
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/0 overload
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat outside
Router(config-if)# interface GigabitEthernet0/1
Router(config-if)# ip nat inside
```
OSPF Configuration
Set up Open Shortest Path First (OSPF) for dynamic routing.
```shell
Router(config)# router ospf 1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
```
BGP Configuration
Set up Border Gateway Protocol (BGP) for routing between different networks.
```shell
Router(config)# router bgp 65001
Router(config-router)# neighbor 192.168.2.1 remote-as 65002
Router(config-router)# network 192.168.1.0 mask 255.255.255.0
```
Port Security (Switches)
Secure switch ports by limiting the number of devices that can connect.
```shell
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
```
Configuring DHCP
You can set up a Cisco router to act as a DHCP server, automatically assigning IP addresses.
```shell
Router(config)# ip dhcp pool LAN
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8
```
Configuring HSRP
For redundancy, set up Hot Standby Router Protocol (HSRP) so that another router can take over if one fails.
```shell
Router(config)# interface GigabitEthernet0/1
Router(config-if)# standby 1 ip 192.168.1.254
Router(config-if)# standby 1 priority 110
Router(config-if)# standby 1 preempt
```
Monitoring and Troubleshooting
Viewing Configuration
To see the current configuration:
```shell
Router# show running-config
```
Viewing Interface Status
Check the status of your interfaces:
```shell
Router# show ip interface brief
```
Checking the Routing Table
To see the routing table:
```shell
Router# show ip route
```
Monitoring CPU and Memory Usage
Keep an eye on the router’s resources:
```shell
Router# show processes cpu
Router# show processes memory
```
Checking Interface Statistics
Get detailed stats on an interface:
```shell
Router# show interfaces GigabitEthernet0/0
```
Testing Connectivity
To test network connectivity:
- Ping:
```shell
Router# ping 192.168.1.1
```
- Traceroute:
```shell
Router# traceroute 192.168.1.1
```
Debugging
Turn on debugging to see detailed information about processes:
```shell
Router# debug ip routing
Router# undebug all
```
Packet Capture
On newer models, you can capture packets directly on the device:
```shell
Router# monitor capture point ip cef POINT1 all
Router# monitor capture point associate POINT1
Router# monitor capture point start POINT1
```