Kyle's everyday Cisco CLI commands

Base Setup (Hostname, Mgmt, SSH)

Works on IOS/IOS-XE routers & switches. Replace the <ANGLE_BRACKETS> placeholders with your own values.

enable
configure terminal

! Identity
hostname <HOSTNAME>
ip domain-name <DOMAIN>

! Local user database + SSH v2
username <ADMIN> privilege 15 secret <SECRET>
crypto key generate rsa modulus 2048
ip ssh version 2

! Console & VTY hardening
line console 0
 logging synchronous
 exec-timeout 10 0
 password <CONSOLE_PW>
 login
line vty 0 4
 transport input ssh
 exec-timeout 15 0
 login local

! Management interface (SVI or routed IF)
interface <G0/0/0 or VLAN>
 description Management
 ip address <IP> <MASK>
 no shutdown

! Default route
ip route 0.0.0.0 0.0.0.0 <NEXT_HOP>

! DNS / NTP / Logging
ip name-server <DNS1>
ip name-server <DNS2>
ntp server <NTP1>
ntp server <NTP2>
logging host <SYSLOG_IP>

end
write memory
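
Added example (not part of the original cheat sheet): a small Python audit of the SSH and line settings from the Base Setup block, run over a constructed running-config excerpt. The sample values and the extra `line vty 5 15` range are assumptions; the block above only touches `line vty 0 4`, so any further VTY lines a platform has keep their defaults.

```python
# Constructed sample: the Base Setup lines above with made-up values, plus an
# untouched "line vty 5 15" range (an assumption: many platforms have one).
SAMPLE_CONFIG = """\
ip ssh version 2
line con 0
 exec-timeout 10 0
 password 7 constructed
 login
line vty 0 4
 transport input ssh
 exec-timeout 15 0
 login local
line vty 5 15
 transport input telnet ssh
 exec-timeout 0 0
"""

def parse_sections(config):
    """Group indented child lines under their top-level parent line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def audit(config):
    """Return findings for the SSH and line settings the Base Setup configures."""
    sections, findings = parse_sections(config), []
    if "ip ssh version 2" not in sections:
        findings.append("global: 'ip ssh version 2' missing")
    for parent, body in sections.items():
        if not parent.startswith("line "):
            continue
        if "login local" not in body:
            findings.append(f"{parent}: no 'login local' (not per-user login)")
        if "exec-timeout 0 0" in body:
            findings.append(f"{parent}: idle timeout disabled")
        if parent.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{parent}: transport input is not SSH-only")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

The console finding comes from the `password` + `login` pair in the block above, which authenticates with a shared line password rather than the local user account.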

Switching (VLANs, Trunks, Access Ports, SVIs)

Create VLANs, assign ports, enable inter-VLAN routing with SVIs.

enable
configure terminal

! VLANs
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name MGMT

! Access port -> VLAN 10
interface GigabitEthernet1/0/1
 description Workstation-1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable

! Trunk to uplink
interface GigabitEthernet1/0/24
 description Uplink-Trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99

! SVIs (L3 on switch)
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no shutdown
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
 no shutdown

! Enable routing + default route
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.99.254

end
write memory

Routing (Static & OSPF)

Add static routes and a minimal OSPFv2 setup.

enable
configure terminal

! Static routes
ip route 0.0.0.0 0.0.0.0 <NEXT_HOP>
ip route 10.50.0.0 255.255.0.0 <NEXT_HOP>

! OSPF (single area)
router ospf 1
 router-id 1.1.1.1
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface <WAN_INTERFACE>

! Interface-style OSPF
interface <LAN_INTERFACE>
 ip ospf 1 area 0

end
write memory

ACLs (Standard & Extended) + Apply

Common patterns and interface binding.

enable
configure terminal

! Standard ACL: allow host then deny others
access-list 10 permit 192.168.10.50
access-list 10 deny any

! Apply on interface
interface GigabitEthernet1/0/2
 ip access-group 10 in

! Extended ACL: allow HTTP/HTTPS for VLAN10
ip access-list extended VLAN10-OUT
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 deny   ip 192.168.10.0 0.0.0.255 any log
 permit ip any any
exit

! Apply inbound on SVI (traffic sourced from VLAN 10 hosts enters the SVI)
interface Vlan10
 ip access-group VLAN10-OUT in

end
write memory
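
Added example (not part of the original cheat sheet): a Python model of IOS first-match ACL evaluation with wildcard masks, run over the `access-list 10` and `VLAN10-OUT` entries above for packets sourced from VLAN 10 hosts. The sample packets are constructed; note that DNS (UDP/53) from VLAN 10 lands on the `deny ... log` line, and that a list with no matching entry ends in the implicit deny.

```python
import ipaddress

# VLAN10-OUT entries from the section above as (action, proto, src, wildcard, dst_port).
# The destination is "any" in every entry, so only source and port are modelled.
VLAN10_OUT = [
    ("permit", "tcp", "192.168.10.0", "0.0.0.255", 80),
    ("permit", "tcp", "192.168.10.0", "0.0.0.255", 443),
    ("deny",   "ip",  "192.168.10.0", "0.0.0.255", None),
    ("permit", "ip",  "0.0.0.0", "255.255.255.255", None),  # "any"
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dport=None):
    """Return (action, entry_number) of the first match; implicit deny otherwise."""
    for n, (action, ace_proto, base, wc, ace_port) in enumerate(acl, start=1):
        if ace_proto not in ("ip", proto):
            continue
        if not wildcard_match(src, base, wc):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action, n
    return "deny", None  # implicit "deny ip any any" at the end of every ACL

def standard_acl_10(src):
    """access-list 10 from the section above: one permitted host, then deny any."""
    acl = [("permit", "ip", "192.168.10.50", "0.0.0.0", None),
           ("deny", "ip", "0.0.0.0", "255.255.255.255", None)]
    return evaluate(acl, "ip", src)

if __name__ == "__main__":
    for proto, src, port in [("tcp", "192.168.10.25", 443), ("udp", "192.168.10.25", 53),
                             ("tcp", "192.168.20.7", 22)]:
        print(proto, src, port, "->", evaluate(VLAN10_OUT, proto, src, port))
```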

NAT (PAT + Static 1:1)

Edge NAT: overload for LAN, plus static for internal server.

enable
configure terminal

! Inside/Outside
interface <INSIDE_LAN_IF>
 ip nat inside
interface <OUTSIDE_WAN_IF>
 ip nat outside

! PAT (overload)
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 100 interface <OUTSIDE_WAN_IF> overload

! Static NAT (1:1)
ip nat inside source static 192.168.10.10 <PUBLIC_IP>

end
write memory

BGP (Edge/Basic)

Single upstream with local prefix advertisements.

enable
configure terminal

router bgp <ASN>
 bgp log-neighbor-changes
 neighbor <UPSTREAM_IP> remote-as <UPSTREAM_ASN>
 neighbor <UPSTREAM_IP> description eBGP-Upstream
 ! Advertise prefixes
 network 192.168.10.0 mask 255.255.255.0
 network 192.168.20.0 mask 255.255.255.0
 ! Optional: password
 ! neighbor <UPSTREAM_IP> password <SECRET>

end
write memory

EIGRP (Classic)

Basic intra-domain dynamic routing.

enable
configure terminal

router eigrp <ASN>
 network 192.168.10.0 0.0.0.255
 network 192.168.20.0 0.0.0.255
 passive-interface default
 no passive-interface <LAN_UPLINK_IF>

! Optional interface tuning
interface <LAN_IF>
 ip hello-interval eigrp <ASN> 5
 ip hold-time eigrp <ASN> 15

end
write memory

HSRP (Gateway Redundancy)

Two routers share a virtual gateway per VLAN.

enable
configure terminal

interface Vlan10
 ! Router A real IP (Router B uses .3)
 ip address 192.168.10.2 255.255.255.0
 ! Virtual IP
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 track <WAN_IF> 20

! On Router B (lower priority)
! interface Vlan10
!  ip address 192.168.10.3 255.255.255.0
!  standby 10 ip 192.168.10.1
!  standby 10 priority 100
!  standby 10 preempt

end
write memory

VRRP (Gateway Redundancy)

Standards-based alternative to HSRP.

enable
configure terminal

interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 priority 110
 vrrp 10 preempt

! On Router B (lower priority)
! interface Vlan10
!  ip address 192.168.10.3 255.255.255.0
!  vrrp 10 ip 192.168.10.1
!  vrrp 10 priority 100
!  vrrp 10 preempt

end
write memory

GRE Tunnel + IPSec (IKEv2)

GRE for routed connectivity, protected by IPSec/IKEv2.

enable
configure terminal

! GRE
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source <WAN_IF>
 tunnel destination <PEER_PUBLIC_IP>

! IKEv2
crypto ikev2 keyring KR
 peer PEER
  address <PEER_PUBLIC_IP>
  pre-shared-key <PSK>
crypto ikev2 proposal PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL
 proposal PROP
crypto ikev2 profile PROF
 match identity remote address <PEER_PUBLIC_IP> 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR

! IPSec
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile PROF

! Protect GRE
interface Tunnel0
 tunnel protection ipsec profile IPSEC-PROF

end
write memory

QoS (Voice Priority + Fair-Queue)

Prioritize EF traffic; attach policy to WAN egress.

enable
configure terminal

class-map match-any VOICE
 match dscp ef

policy-map WAN-OUT
 class VOICE
  priority percent 20
 class class-default
  fair-queue

interface <WAN_IF>
 service-policy output WAN-OUT

end
write memory

IP SLA Monitoring & Track (Failover Example)

Probe reachability, track result, fail over a default route and adjust HSRP priority.

enable
configure terminal

! Probe target via WAN
ip sla 1
 icmp-echo 8.8.8.8 source-interface <WAN_IF>
 frequency 10
ip sla schedule 1 life forever start-time now

! Track the probe
track 1 ip sla 1 reachability

! Tracked primary (withdrawn when the probe fails) + floating backup default route
ip route 0.0.0.0 0.0.0.0 <PRIMARY_NH> track 1
ip route 0.0.0.0 0.0.0.0 <BACKUP_NH> 5

! Bonus: reduce HSRP priority when WAN fails
interface Vlan10
 standby 10 track 1 decrement 20

end
write memory

Ops / Maintenance

Show/save/clear commands you’ll use daily.

show ip interface brief
show vlan brief
show ip route
show ip ospf neighbor
show access-lists
show ip nat translations
show running-config | section ^interface|^router|^ip nat

write memory
copy running-config startup-config
copy running-config tftp:

show clock
show logging
terminal monitor

clear counters
clear ip nat translation *