Since the list is getting longer  and longer, I am splitting it into two posts:


    1. Basic Troubleshooting Commands

    Ping
    Traceroute
    Telnet
    Show interfaces (show interfaces GigabitEthernet 3/6)
    Show ip interface
    Show ip route
    Show running-config
    Show startup-config
    show ip sockets
    show conn
    show tcp brief

    2. Archive Command

    • Configuration Change Logging and Save a copy of current configuration on local when write memory

    archive
    !!log all commands
    log config
    logging enable
    logging size 200
    notify syslog contenttype plaintext
    hidekeys
    path flash:backup-
    maximum 8
    write-memory

    • Compare Startup-Configuration with Running-configuration

    R1#show archive config differences 
    !Contextual Config Diffs:
    !No changes were found

    • show archive log config all
    • show archive


    3. Enable IPv6 on Cisco Switch 3550/3560
    3560:
    sdm prefer dual-ipv4-and-ipv6 routing

    3550:

    Switch:  interface f0/24 is connected to router P1R1
    interface FastEthernet0/24
    no switchport
    ip address 172.17.255.1 255.255.255.254
    ip authentication mode eigrp 1 md5
    ip authentication key-chain eigrp 1 EIGRP-KEY
    ipv6 address 2001:DB8:CAFE:201::/64 eui-64
    ipv6 rip 1 enable
    spanning-tree portfast
    Tunnel 0:
    interface Tunnel0
    no ip address
    ipv6 address 2001:DB8:CAFE:301::/64 eui-64
    ipv6 enable
    ipv6 rip 1 enable
    tunnel source FastEthernet0/24
    tunnel destination 172.17.255.0    !—> P1R1
    P1R1
    interface Tunnel0
    no ip address
    ipv6 address 2001:DB8:CAFE:301::/64 eui-64
    ipv6 enable
    ipv6 rip 1 enable
    tunnel source Ethernet0/0
    tunnel destination 172.17.255.1

    4. Using ftp to transfer files to flashcopy ftp://test:[email protected] flash:


    5. Clear IOS configuraiton

    write erase

    6. Delete flash: folder

    delete /force /recursive flash:/c2960-lanbase-mz.122-52.SE

    7. Basic Commands to Enable Telnet/SSH on Cisco Devices

    a. Telnet Access

    no aaa new-model
    username test privilege 15 secret test
    line vty 0 15
    login local
    no password
    transport input telnet

    b. SSH Access:

    hostname Switch1
    ip domain-name test.com
    crypto key generate rsa general-usage modulus 2048
    ip ssh time-out 60
    ip ssh version 2
    line vty 0 15
    transport input ssh

    c. Console Access with username/password:

    line con 0
    login local
    exit

    8. Debug IP Traffic based on Access-list

    The debug procedure is the following:
    1) Turn “on” process switching under both interfaces in the router.
    Router(config)#interface g0/0
    Router(config-if)#no ip route-cache
    Router(config)#interface g0/1
    Router(config-if)#no ip route-cache

    2) Create an access-list. Define specific traffic you want to monitor between hosts. 
    Router(config)#access-list 199 permit tcp host 11.11.11.1 eq host 22.22.22.2
    Router(config)#access-list 199 permit tcp host 22.22.22.2 eq host 11.11.11.1
    3) If you are in a telnet session into the router turn “terminal monitor” on.
    Router#term mon
    If you are in a console session into the router, then the “logging console” command.
    Router(config)#logging console
    4)Finally the debug command.
    Router#debug ip packet 199 detail
    Where 199 is the access-list # we created.
    *Jul 23 20:25:30.616: IP: s=11.11.11.1 (local), d=22.22.22.2, len 44, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    ……..
    5)Use the “un all” command to turn it off.
    Router#un all

    9. Kron command

    Kron command could use it to reboot router regularly, clear interface, save configuration, show routing table, etc. But it wont support any interactive command.

    Following is an example to use it save configuration on a regular basis. 

    Router# show kron schedule
    Kron Occurrence Schedule
    backup inactive, will run again in 2 days 22:03:46 at 22:00 on Mon

    Router# show running-configuration
    (truncated)
    kron occurrence backup at 22:00 Mon recurring
     policy-list backup
    !
    kron policy-list backup
     cli write

    Another example to run TCL script script.tcl with specific user jonny:kron occurrence tcl_occur user jonny in 12:0 recurring
    policy-list tclpol
    kron policy-list tclpol
    tclsh flash:/script.tcl

    10. Enable IP Accounting on interface

    IP accounting doesn’t quite provide much functionality, but it certainly provides a summary of traffic passing through a router. The router will only record packets that goes through the router. Any connections initiated from the router or terminates to the router are not counted.

    interface GigabitEthernet0/1
    ip address 100.199.48.15 255.255.255.0
    ip accounting output-packets
    duplex full
    speed 100
    end

    R1#sh ip accounting
    Source Destination Packets Bytes
    100.199.48.10 100.199.3853 6 241
    100.199.38.53 100.199.48.10 4 183
    138.11.117.16 166.6.23.14 1 104


    Accounting data age is 3w0d

    11. Show configuration without break/pause @Cisco Router/Switch
    terminal length 0

    @ASA Firewall
    terminal pager 0

    12. Debug commands at Cisco ASA 9.1(2)

    terminal monitor
    logging buffer-size 1048576
    logging buffered 7
    logging monitor 7
    debug crypto condition peer 10.10.10.10

    debug crypto ipsec 127
    debug crypto ikev1 127

    13. Display Cisco IOS Device Opened Ports

    R#show control-plane host open-ports
    Active internet connections (servers and established)
    Prot               Local Address             Foreign Address                  Service    State
     tcp                        *:22                         *:0               SSH-Server   LISTEN
     tcp                        *:23                         *:0                   Telnet   LISTEN
     udp                       *:161                         *:0                  IP SNMP   LISTEN
     udp                       *:162                         *:0                  IP SNMP   LISTEN
     udp                     *:65110                         *:0                  IP SNMP   LISTEN
     udp                      *:1975                         *:0                      IPC   LISTEN

    The method how to close ports 23 from external scan is in my post: Close Cisco IOS TCP Ports 23, 2002, 4002, 6002, and 9002 from Network Ports Scanning

    14. Native VLAN mismatch

    062275: May 12 00:09:37.207 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).

    although both ports are set as access port and set to different vlan 56 and 1, it should not have this mismatch info.   Solution would be one global command :

    no cdp advertise-v2

    Or

    This solution: using different vtp domain name on those switches:

    Switch(config)# vtp mode transparent
    Switch(config)# vtp domain a_unique_name

    15. IOS Password Recovery Procedures

    • Shut down the router then Power on the router
    • Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into Rommon. (In some Keyboards, Pause key is used to enter into Rommon mode. You may not need Fn+Pause, or CTRL+ Break)
    • Once the Rommon1> prompt appears, enter this command: confreg 0x2142
      Then type reset to reboot Cisco device.
    • When you are prompted to enter the initial configuration, type No, and press Enter.
      At the Router> prompt, type enable.
    • At the Router# prompt, enter the configure memory command, and press Enter in order to copy the startup configuration to the running configuration.
    • Use the config t command in order to enter global configuration mode.
    • Use this command in order to create a new user name and password:
      router(config)#username test privilege 15 password test
    • Use this command in order to change the boot statement: config-register 0x2102
    • Use this command in order to save the configuration: write memory

    16. Reload Device in xx minutes 

    It is helpful for your remote work just in case you lost connection by mis-configuration

    R-Test-Lab#reload in 1
    Reload scheduled for 16:55:53 EDT Tue Aug 11 2015 (in 1 minute) by john on console
    Reload reason: Reload Command
    Proceed with reload? [confirm]
    R-Test-Lab#
    ***
    *** — SHUTDOWN in 0:01:00 —
    ***
    R-Test-Lab##show reload
    Reload scheduled for 16:55:55 EDT Tue Aug 11 2015 (in 57 seconds) by john on console
    Reload reason: Reload Command
    R-Test-Lab#reload cancel
    R-Test-Lab#
    ***
    *** — SHUTDOWN ABORTED —
    ***

    17. Load-Interval 30
    By default, the IOS calculate statistics by interval 5 minutes. The minimal interval is 30 seconds you can set.

    interface GigabitEthernet0/0
     ip flow ingress
     
    load-interval 30

     duplex auto
     speed auto
    end

    Router#sh interfaces g0/0
    GigabitEthernet0/0 is up, line protocol is up
      Hardware is PQ3_TSEC, address is c464.139b.ee00 (bia c464.139b.ee00)
      Description:
      Internet address is
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 3/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full Duplex, 1Gbps, media type is RJ45
      output flow-control is XON, input flow-control is XON
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of “show interface” counters never
      Input queue: 0/75/149/0 (size/max/drops/flushes); Total output drops: 15
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 12706000 bits/sec, 1423 packets/sec  30 second output rate 966000 bits/sec, 957 packets/sec     7877466781 packets input, 4315500899841 bytes, 1023 no buffer
         Received 345354184 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 13 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 520835 multicast, 2112 pause input
         7120190572 packets output, 2103538386166 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         121793930 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         4 lost carrier, 0 no carrier, 58519 pause output
         0 output buffer failures, 0 output buffers swapped out

    18. Turn off IP Spoof Protection

    ip verify reverse-path interface outside
    “Deny IP spoof from (10.245.6.1) to 192.168.6.25 on interface inside”

    19. Create Read only Account

    method one.

    username local1 secret Cisco1234
    username local1 privilege 15 autocommand show running

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization console

    method two.

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization console

    username local2 privilege 7 password Cisco1234
    privilege exec level 7 show config

    The list is getting longer , and I am splitting it to two posts:

    Cisco My Device Page


    Reference:

    By Jon

    One thought on “Cisco IOS Command Tips and Tricks – Part 1”

    Leave a Reply to Dexter...Cancel reply