Cisco CLI Switch Command Cheat Sheet

The Cisco Command Line Interface (CLI) is a text-based interface used for configuring and managing Cisco network devices, including switches. The CLI provides a command-driven environment where network administrators can enter commands to perform various configuration, monitoring, and troubleshooting tasks on Cisco switches.

Setting the Administrative Functions 

The administrative functions help you manage and administer your network and make troubleshooting much easier. These functions include:

  • Hostnames
  • Passwords
  • Interface descriptions

Now that you have launched the CLI, type the enable command to enter privileged EXEC mode. Set a hostname, EXEC mode (enable) password, console password, Telnet (VTY) password, and interface descriptions for the switch as shown in the table below. Two caveats: enable secret stores a one-way hash of the password, but the password command on a line stores the password in clear text (or, once service password-encryption is on, in the trivially reversible type 7 form), so treat a saved configuration as sensitive material; and Telnet carries the password and the whole session in clear text, so on any switch that supports it, generate a key pair and use SSH on the VTY lines instead of Telnet.

Enter privileged EXEC mode                  Switch>enable
Enter global configuration mode             Switch#config t
Set a hostname                              Switch(config)#hostname Core-Switch

EXEC mode password
Set the EXEC mode (enable) password         Core-Switch(config)#enable secret EXEC_P@55w0rd

Console password
Enter line configuration mode               Core-Switch(config)#line console 0
Set the console password                    Core-Switch(config-line)#password CONSOLE_P@55w0rd
Require the password at login               Core-Switch(config-line)#login
Return to global configuration mode         Core-Switch(config-line)#exit

Telnet (VTY) password
Enter line configuration mode               Core-Switch(config)#line vty 0 15
Set the Telnet password                     Core-Switch(config-line)#password TELNET_P@55w0rd
Require the password at login               Core-Switch(config-line)#login
Return to global configuration mode         Core-Switch(config-line)#exit

Interface descriptions
Enter interface configuration mode          Core-Switch(config)#int fa0/1
Set the description for interface fa0/1     Core-Switch(config-if)#description 1st Connection to Core Switch
Move to interface fa0/2                     Core-Switch(config-if)#int fa0/2
Set the description for interface fa0/2     Core-Switch(config-if)#description 2nd Connection to Core Switch
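What an attacker learns from a copy of the configuration that the table above produces, as an added example (this is not code from the original cheat sheet or from Cisco): enable secret is stored as a one-way hash, but the line passwords set with password are stored in clear text, or, once service password-encryption is on, as type 7 strings, which are an XOR against a fixed key that has been public for decades. The config excerpt is constructed for the demo; the enable secret value in it is a placeholder, not a real digest, and the two type 7 strings decode to the throwaway words "cisco" and "admin" rather than to the passwords in the table.

```python
# Added example, not part of the original cheat sheet: recover IOS type 7
# line passwords from a constructed running-config and show that only the
# "enable secret" survives as a hash. The fixed key below is the well-known
# IOS type 7 key.
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # IOS type 7 XOR key


def type7_decode(encoded: str) -> str:
    """Type 7 = two-digit decimal key offset followed by hex-encoded XOR output."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    payload = bytes.fromhex(encoded[2:])       # ValueError if not hex
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(payload)).decode("ascii")


def type7_encode(plain: str, offset: int = 9) -> str:
    """The same transform in the other direction: it is symmetric, not a hash."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses key offsets 0-15")
    data = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(plain.encode("ascii")))
    return f"{offset:02d}{data.hex().upper()}"


# Constructed "show run" excerpt (placeholder hash, not a real digest).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$notARealHashJustForTheDemo
line con 0
 password 7 094F471A1A0A
 login
line vty 0 15
 password 7 1218011A1B05
 login
"""

PASSWORD_RE = re.compile(r"^\s*(enable password|password)\s+(?:(\d+)\s+)?(\S+)\s*$")
SECRET_RE = re.compile(r"^\s*enable secret\s+(\d+)\s+\S+\s*$")


def audit_passwords(config: str) -> dict:
    """Classify every credential in a config: recovered (type 7), cleartext, or hashed."""
    findings = {"recovered": {}, "cleartext": [], "hashed": []}
    section = "global"
    for raw in config.splitlines():
        m = PASSWORD_RE.match(raw)
        if m:
            _, ptype, value = m.groups()
            where = section if raw.startswith(" ") else "global"
            if ptype == "7":
                findings["recovered"][where] = type7_decode(value)
            else:                          # no type, or type 0: stored as typed
                findings["cleartext"].append((where, value))
            continue
        m = SECRET_RE.match(raw)
        if m:
            findings["hashed"].append(f"enable secret (type {m.group(1)})")
            continue
        if raw and not raw.startswith(" "):
            section = raw.strip()          # e.g. "line vty 0 15"
    return findings


if __name__ == "__main__":
    print(audit_passwords(SAMPLE_CONFIG))
```

The audit shows both line passwords recovered outright while the enable secret is only reported as hashed; that asymmetry is the reason to prefer enable secret, to keep configuration backups under access control, and to move VTY access to SSH with per-user accounts rather than a shared line password.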

Configuring the IP Address and Subnet Mask

A Layer 2 switch forwards frames without needing an IP address on any of its ports, so by default no interface has one. The only reason to set an IP address, mask, and default gateway on a switch is management: Telnet or SSH, SNMP, syslog and the like. The address is configured on a logical interface, the switch virtual interface (SVI) of the management VLAN. VLAN 1 is the default VLAN and is used in the example below; on a production network, put management on a dedicated VLAN rather than VLAN 1, because every port belongs to VLAN 1 until you move it.

Enter global configuration mode             Core-Switch#config t
Enter VLAN interface configuration mode     Core-Switch(config)#int vlan 1
Configure an IP address and mask            Core-Switch(config-if)#ip address [ip-address] [subnet-mask]
Enable the interface                        Core-Switch(config-if)#no shut
Return to global configuration mode         Core-Switch(config-if)#exit
Set the message of the day (MOTD) banner    Core-Switch(config)#banner motd # This is the Core-Switch #
Return to privileged EXEC mode              Core-Switch(config)#exit

Setting the IP Default Gateway

If you want to manage your switches from outside their own subnet, you need to set a default gateway on each switch, just as you would on a host. The default gateway is the address of the router on the management VLAN to which the switch sends all traffic for other networks. Without it, the VLAN 1 interface can only talk to hosts on its own subnet, so you could not reach the switch from another network. Note that ip default-gateway only takes effect while IP routing is disabled (a Layer 2 switch); on a Layer 3 switch with ip routing enabled, a default static route is used instead. You do this from global configuration mode.

Enter global configuration mode             Core-Switch#config t
Configure the default gateway               Core-Switch(config)#ip default-gateway [ip-address]
Return to privileged EXEC mode              Core-Switch(config)#exit

Setting Port Security

To prevent unauthorized access to your LAN, it is usually advisable to identify and limit the MAC addresses of the workstations that are allowed to access the switch port. Port security is the tool that helps us achieve this.

If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. Once a port is configured as a secure port and the maximum number of secure MAC addresses has been reached, a frame arriving from a MAC address that is not one of the secure addresses causes a security violation. Keep in mind what port security checks: only the source MAC address, which an attacker can set freely. It stops casual extra hosts, unmanaged hubs and MAC flooding; it does not stop someone who has learned an allowed address.

There are three kinds of secure MAC addresses. Static: you type the exact MAC address of the host by hand. Dynamic: the switch learns addresses automatically but keeps them only in the MAC address table, so they are lost on reboot. Sticky: the switch learns addresses automatically, up to the configured maximum, and writes them into the running configuration as static entries, so they survive a reboot once you save the configuration (see the table below). This cheat sheet uses the sticky method.

Enter privileged EXEC mode                  Core-Switch>enable
Enter global configuration mode             Core-Switch#config t
Enter interface range configuration mode    Core-Switch(config)#int range fa0/2-3
Make the ports access ports                 Core-Switch(config-if-range)#switchport mode access
Enable port security                        Core-Switch(config-if-range)#switchport port-security
Allow at most one MAC address per port      Core-Switch(config-if-range)#switchport port-security maximum 1
Learn the MAC address automatically         Core-Switch(config-if-range)#switchport port-security mac-address sticky

The above commands set port security on ports fa0/2 and fa0/3 to allow at most one MAC address per port, so only the first MAC address seen on each port will be able to send frames through the switch. Port security must be switched on with the bare switchport port-security command and the port must be an access port; the maximum and sticky settings on their own do nothing. Use the sticky option if you don't want to type in the MAC address of every device by hand. A security violation occurs if a workstation whose MAC address is not a secure address attempts to send through the interface. You also need to specify what action the switch takes on a violation. Three modes are available:

  • Protect  Frames from non-allowed addresses are dropped silently: no log message, no SNMP trap, and the violation counter does not increment, so you have no visibility into what is happening. Cisco does not recommend this mode on trunk ports.
  • Restrict  Frames from non-allowed addresses are dropped, a syslog message and SNMP trap are generated, and the violation counter increments; the port stays up.
  • Shutdown  The switch generates the violation alert and puts the port into the err-disabled state, taking the link down. To bring it back you must enter shutdown and then no shutdown on the interface, or configure errdisable recovery cause psecure-violation so the switch re-enables it after the recovery interval. This is the default violation mode. Here's the command:

Shut the port down on a violation           Core-Switch(config-if-range)#switchport port-security violation shutdown
Return to global configuration mode         Core-Switch(config-if-range)#exit

Saving Configuration Changes 

Whenever you make changes to your switch configuration, you must save them to NVRAM, or they are lost at the next reboot. There are two configuration files: the running configuration (what the switch is operating with right now) and the startup configuration. The running configuration lives in RAM, volatile memory that loses its contents on a restart or power-off; the startup configuration lives in NVRAM, non-volatile memory that keeps its contents across a restart or power-off, so the switch does not have to be reconfigured every time it is powered on. Sticky port-security addresses are part of the running configuration, so they are also lost unless you save.

Enter privileged EXEC mode                  Core-Switch>enable
Save the configuration to NVRAM             Core-Switch#copy running-config startup-config

Configuring VLANs

A Virtual Local Area Network (VLAN), as the name implies, is a virtual segmentation of a switched network into separate broadcast domains, which provides security, flexibility, and easier network administration. By assigning switch ports (and so the users behind them) to VLANs on one switch or on a group of connected switches, you can place exactly the users or departments you want into a broadcast domain without worrying about the physical location of the hosts.

You can create VLANs with IDs 2 through 4094, depending on the switch model; 1002 through 1005 are reserved, and IDs above 1005 are extended-range VLANs, which on older platforms require VTP transparent mode. VLAN 1 is the default VLAN, and every port belongs to it until you move it. A port can be made an access port or a trunk port either manually or dynamically through the Dynamic Trunking Protocol (DTP). An access port carries the traffic of a single VLAN; a trunk port carries the traffic of multiple VLANs, by default all of them, each tagged with its 802.1Q VLAN ID (you can narrow the set with an allowed-VLAN list). To configure VLANs on a Cisco Catalyst switch, use the global configuration vlan command as shown below:

Enter global configuration mode             Core-Switch#config t
Create VLAN 2                               Core-Switch(config)#vlan 2
Name VLAN 2 for the Finance dept.           Core-Switch(config-vlan)#name Finance
Create VLAN 3                               Core-Switch(config-vlan)#vlan 3
Name VLAN 3 for the Audit dept.             Core-Switch(config-vlan)#name Audit
Return to privileged EXEC mode              Core-Switch(config-vlan)#^Z

Assigning Switch Ports to VLANs

You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries, plus the number of VLANs to which it can belong. You can configure each port on a switch to be in a specific VLAN (access port) by using the interface switchport command as shown below.

Enter global configuration mode             Core-Switch#config t
Enter interface configuration mode          Core-Switch(config)#int fa0/3
Make the port an access port                Core-Switch(config-if)#switchport mode access
Assign the port to VLAN 3                   Core-Switch(config-if)#switchport access vlan 3

To configure trunking and encapsulation on Fast Ethernet port fa0/5, use the following commands. The encapsulation command exists only on switches that also support Cisco's older ISL encapsulation (the Catalyst 3560/3750 family, for example); 802.1Q-only switches such as the Catalyst 2960 reject it, and you simply omit it there.

Enter global configuration mode             Core-Switch#config t
Enter interface configuration mode          Core-Switch(config)#int fa0/5
Configure 802.1Q encapsulation              Core-Switch(config-if)#switchport trunk encapsulation dot1q
Configure trunking                          Core-Switch(config-if)#switchport mode trunk

The switchport mode command takes four values, and a fifth, related command controls DTP itself:

  • switchport mode trunk  Puts the interface into permanent trunking mode. It still sends DTP frames and will negotiate the neighboring port into a trunk.
  • switchport mode access  Puts the interface into permanent non-trunking (access) mode. No trunk negotiation takes place.
  • switchport mode dynamic desirable  The interface actively tries to become a trunk and will trunk if the neighboring interface is set to trunk, desirable, or auto. This was the default on some older Catalyst platforms.
  • switchport mode dynamic auto  The interface becomes a trunk only if the neighboring interface is set to trunk or desirable. This is the default on current Catalyst platforms such as the 2960.
  • switchport nonegotiate  Stops the interface from sending DTP frames at all; it is valid only together with mode access or mode trunk.

Leaving a user-facing port in either dynamic mode is a security problem: anyone who plugs in a device that speaks DTP can negotiate a trunk and then reach every VLAN on the switch. Hard-code every user port as an access port, hard-code uplinks as trunks with switchport nonegotiate, and never leave the mode at its dynamic default.
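The checks from the port security section and from the trunking modes above, combined into one audit of a running configuration as an added example (not code from the original cheat sheet or from Cisco). It assumes a Catalyst Layer 2 switch whose ports default to switchport mode dynamic auto when no mode line is present (on platforms that default to dynamic desirable the same finding applies) and whose port security stays inactive until the bare switchport port-security command is entered; the config excerpt is constructed, and deliberately repeats the page's original mistake on FastEthernet0/3 of setting maximum and sticky without enabling port security.

```python
# Added example, not part of the original cheat sheet: audit per-port
# settings in a constructed "show running-config" excerpt for the two
# problems discussed on this page, trunk negotiation (DTP) left enabled
# on user ports and port security that is configured but not enabled.

# Constructed running-config, not from a real device.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 description 1st Connection to Core Switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/4
 switchport access vlan 2
!
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each interface name to the indented lines of its stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None        # "!" or any other top-level line ends the stanza
    return stanzas


def audit_port(lines: list) -> list:
    """Return the security findings for one interface stanza."""
    cfg = set(lines)
    mode = "dynamic"              # assumed platform default when no mode line exists
    violation = "shutdown"        # IOS default violation mode
    for ln in lines:
        if ln.startswith("switchport mode "):
            mode = ln.split()[2]  # access / trunk / dynamic
        elif ln.startswith("switchport port-security violation "):
            violation = ln.split()[3]
    enabled = "switchport port-security" in cfg
    suboptions = [ln for ln in lines if ln.startswith("switchport port-security ")]

    findings = []
    if mode == "dynamic":
        findings.append("DTP negotiation left on: a device speaking DTP can negotiate "
                        "a trunk and reach every VLAN; set 'switchport mode access'")
    elif mode == "trunk" and "switchport nonegotiate" not in cfg:
        findings.append("trunk still sends DTP frames; add 'switchport nonegotiate'")
    if not enabled and suboptions:
        findings.append("'switchport port-security' itself is missing, so the "
                        "maximum/sticky settings are inactive")
    elif not enabled and mode == "access":
        findings.append("access port without port security")
    if enabled and violation == "protect":
        findings.append("violation mode 'protect' drops frames silently with no log; "
                        "use 'restrict' or 'shutdown'")
    return findings


def audit_config(config: str) -> dict:
    """Return {interface: [findings]} for every interface that has findings."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_port(lines)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_RUNNING_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run against the sample, the audit passes FastEthernet0/1 and 0/2, flags 0/3 twice (DTP still negotiable and port security never enabled), flags 0/4 for DTP, and flags the 0/5 uplink for sending DTP without nonegotiate. The same parser works on a full show running-config saved to a file; feed it in place of the sample string.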

Configure Access Control List

A numbered access control list (ACL) is built from one access-list statement per entry and then applied to an interface. A standard ACL (numbers 1 through 99 and 1300 through 1999) filters on the source address only; an extended ACL (numbers 100 through 199 and 2000 through 2699) filters on protocol, source, and destination. Entries are evaluated top-down, the first match wins, and every ACL ends with an implicit deny any, so a list containing only deny entries blocks everything. Note that the interface command is entered from global configuration mode, not from interface mode:

Add a standard ACL entry                    Core-Switch(config)#access-list [1-99] [permit|deny] [source] [source-wildcard]
Add an extended ACL entry                   Core-Switch(config)#access-list [100-199] [permit|deny] [protocol] [source] [source-wildcard] [destination] [destination-wildcard]
Enter interface configuration mode          Core-Switch(config)#interface [interface-name]
Apply the ACL to the interface              Core-Switch(config-if)#ip access-group [acl-number] [in|out]

On a Layer 2 switch, ip access-group is applied to an SVI (for example interface vlan 1) or, on platforms that support port ACLs, inbound on a physical port. To control which hosts may open a Telnet or SSH session to the switch itself, apply a standard ACL to the VTY lines with access-class [acl-number] in under line vty 0 15 rather than to an interface.
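How IOS evaluates the standard ACL entries from the table above, as an added example (not code from the original cheat sheet or from Cisco): top-down, first match wins, implicit deny any at the end, and wildcard masks in which a 0 bit must match and a 1 bit is ignored. The three-entry ACL is constructed for the demo; the code goes slightly beyond the table in also handling the host and any keywords and in converting CIDR prefixes to wildcard masks.

```python
# Added example, not part of the original cheat sheet: evaluate a numbered
# standard IOS ACL against source addresses and show what each wildcard
# mask actually matches.
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed ACL text, one access-list statement per entry as typed on the CLI.
SAMPLE_ACL = """\
access-list 10 deny   host 192.168.1.50
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.10.0.0 0.0.255.255
"""

ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|any|(\S+)(?:\s+(\S+))?)\s*$"
)


def parse_standard_acl(text: str, number: int) -> list:
    """Return [(action, base_address, wildcard_mask), ...] for one ACL number."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or int(m.group(1)) != number:
            continue
        _, action, host, src, wildcard = m.groups()
        if host:                      # "host A.B.C.D" is "A.B.C.D 0.0.0.0"
            entries.append((action, host, "0.0.0.0"))
        elif src is None:             # "any" is "0.0.0.0 255.255.255.255"
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        else:                         # a bare address without a mask is a host
            entries.append((action, src, wildcard or "0.0.0.0"))
    return entries


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must equal the base; a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_decision(entries: list, src: str) -> tuple:
    """Return (action, matching entry) for a source address, first match wins."""
    for action, base, wildcard in entries:
        if wildcard_match(src, base, wildcard):
            return action, f"{base} {wildcard}"
    return "deny", "implicit deny any"


def cidr_to_wildcard(network: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask."""
    return str(IPv4Network(network, strict=False).hostmask)


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL, 10)
    for ip in ("192.168.1.50", "192.168.1.7", "10.10.200.4", "172.16.0.1"):
        print(ip, *acl_decision(acl, ip))
    print("192.168.1.0/24 ->", cidr_to_wildcard("192.168.1.0/24"))
```

Reversing the order of the first two entries changes the result for 192.168.1.50 from deny to permit, because the broader permit then matches first; put specific denies before general permits. The same wildcard logic is what IOS applies when you type an entry such as 192.168.1.1 0.0.0.255, which it silently normalises to 192.168.1.0 0.0.0.255.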

Verifying Your Configuration

Now that you are done configuring your switch, you need to test and verify your configuration. The following are some useful commands:

Show the current running configuration                     Core-Switch#show run
Show the configuration and status of every interface       Core-Switch#show interfaces
Show all VLAN numbers, names, and the ports in each VLAN   Core-Switch#show vlan
Show the status, speed, and duplex of each interface       Core-Switch#show interface status
Show the MAC address table (learned addresses per port)    Core-Switch#show mac address-table
Show spanning tree                                         Core-Switch#show spanning-tree
Run a show command without leaving configuration mode     Core-Switch(config)#do show spanning-tree

On older IOS releases the MAC table command is spelled show mac-address-table.

The above cheat sheet provides a basic summary of Cisco CLI switch commands. Remember to replace the example values and the placeholders such as [interface-name], [ip-address], [subnet-mask], [acl-number], [source], [destination], and [protocol] with the appropriate values for your configuration. Please note that the specific command syntax and available options vary with the switch model and IOS version. Refer to the Cisco documentation and command references for detailed information on specific commands and their usage.