The Cisco Command Line Interface (CLI) is a text-based interface used for configuring and managing Cisco network devices, including switches. The CLI provides a command-driven environment where network administrators can enter commands to perform various configuration, monitoring, and troubleshooting tasks on Cisco switches.
Setting the Administrative Functions
The administrative functions help you manage and administer your network and make troubleshooting much easier. These functions include:
- Hostnames
- Passwords
- Interface descriptions
Now that you have launched the CLI, type in the enable command to enter privileged EXEC mode. Set a Hostname, EXEC mode password, Console password, TELNET (VTY) password, and interface descriptions for the switch as shown in the table below.
Description | Command |
---|---|
Enter privileged EXEC mode | Switch>enable |
Enter global configuration mode | Switch#config t |
Set a hostname | Switch(config)#hostname Core-Switch |
Prompt now shows the new hostname | Core-Switch(config)# |
EXEC mode password | |
Set the EXEC mode (enable) password | Core-Switch(config)#enable secret EXEC_P@55w0rd |
Console password | |
Enter line configuration mode for the console | Core-Switch(config)#line console 0 |
Set the console password | Core-Switch(config-line)#password CONSOLE_P@55w0rd |
Return to global configuration mode | Core-Switch(config-line)#exit |
Telnet (VTY) password | |
Enter line configuration mode for the 16 VTY lines | Core-Switch(config)#line vty 0 15 |
Set the Telnet password | Core-Switch(config-line)#password TELNET_P@55w0rd |
Require the password at login | Core-Switch(config-line)#login |
Return to global configuration mode | Core-Switch(config-line)#exit |
Interface descriptions | |
Enter interface configuration mode for fa0/1 | Core-Switch(config)#int fa0/1 |
Set the interface description for fa0/1 | Core-Switch(config-if)#description 1st Connection to Core Switch |
Move to interface fa0/2 | Core-Switch(config-if)#int fa0/2 |
Set the interface description for fa0/2 | Core-Switch(config-if)#description 2nd Connection to Core Switch |
Configuring the IP Address and Subnet Mask
Because all ports on a switch are enabled by default, there is usually no IP address configured on its interfaces; a switch doesn't need one to switch frames. The only reason to set an IP address, mask, and default gateway is for management purposes. The IP address is configured under a logical interface, called a management domain or VLAN. You would typically use the default VLAN 1 to manage a switch, as shown in the example below.
Description | Command |
---|---|
Enter line configuration mode for the VTY lines | Core-Switch(config)#line vty 0 15 |
Set the Telnet password | Core-Switch(config-line)#password TELNET_P@55w0rd |
Require the password at login | Core-Switch(config-line)#login |
Enter VLAN interface configuration mode | Core-Switch(config-line)#int vlan 1 |
Configure an IP address and mask for the interface | Core-Switch(config-if)#ip address 192.168.10.2 255.255.255.0 |
Enable the interface | Core-Switch(config-if)#no shut |
Return to global configuration mode | Core-Switch(config-if)#exit |
Set the message of the day (MOTD) banner | Core-Switch(config)#banner motd # This is the Core-Switch # |
Return to privileged EXEC mode | Core-Switch(config)#exit |
Setting the IP Default Gateway
If you want to manage your switches from outside your LAN, you need to set a default gateway on the switches, just as you would on a host. The default gateway is the address of the router that the switch will use to reach other networks. If you don't configure a default gateway, VLAN 1 will be unable to send traffic to another network. You do this from global configuration mode.
Description | Command |
---|---|
Enter global configuration mode | Core-Switch#config t |
Configure the default gateway | Core-Switch(config)#ip default-gateway 192.168.10.1 |
Return to privileged EXEC mode | Core-Switch(config)#exit |
Prompt returns to privileged EXEC mode | Core-Switch# |
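The tables above spread the initial management setup over several sections. The following is an added example (not part of the original cheat sheet) that runs the whole procedure as one session on a freshly unboxed switch, using the same hostname, addresses and sample passwords as the tables. Two lines are additions beyond the tables and are marked as such in the comments: login on the console line (without it the console password is never asked for) and service password-encryption.

```cisco
! Added example: management bootstrap from the tables above, one session.
! Values (hostname, addresses, passwords) are the sample values used above.
Switch>enable
Switch#configure terminal
Switch(config)#hostname Core-Switch
! enable secret is stored as a hash and protects privileged EXEC mode
Core-Switch(config)#enable secret EXEC_P@55w0rd
! Console line: the password command alone does nothing until login
! (addition beyond the table) tells the line to ask for it
Core-Switch(config)#line console 0
Core-Switch(config-line)#password CONSOLE_P@55w0rd
Core-Switch(config-line)#login
Core-Switch(config-line)#exit
! Telnet (VTY) lines 0-15, same pattern
Core-Switch(config)#line vty 0 15
Core-Switch(config-line)#password TELNET_P@55w0rd
Core-Switch(config-line)#login
Core-Switch(config-line)#exit
! Line passwords are kept in clear text in the configuration file; this
! addition beyond the table obscures them in show running-config output
! (reversible Type 7 encoding, so it is not a substitute for enable secret)
Core-Switch(config)#service password-encryption
! Management address on the default VLAN 1 interface (SVI)
Core-Switch(config)#interface vlan 1
Core-Switch(config-if)#ip address 192.168.10.2 255.255.255.0
Core-Switch(config-if)#no shutdown
Core-Switch(config-if)#exit
! Router the switch uses to reach networks other than 192.168.10.0/24
Core-Switch(config)#ip default-gateway 192.168.10.1
Core-Switch(config)#banner motd # This is the Core-Switch #
Core-Switch(config)#end
! Write the running configuration to NVRAM so it survives a reload
Core-Switch#copy running-config startup-config
```

After the session, show running-config should list the hostname, the hashed enable secret, both line blocks with their login statements, the VLAN 1 address and the default gateway; if a line block shows a password but no login, that line is still unprotected.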
Setting Port Security
To prevent unauthorized access to your LAN, it is usually advisable to identify and limit the MAC addresses of the workstations that are allowed to access the switch port. Port security is the tool that helps us achieve this.
If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port, the maximum number of secure MAC addresses has been reached, and the MAC address of a workstation attempting to access the port differs from all of the identified secure MAC addresses, a security violation occurs.
We have two options for associating MAC addresses with interfaces: static and dynamic. In the static method, we have to manually define the exact MAC address of the host. In the dynamic method, we use the sticky feature (see table below) that allows interfaces to learn MAC addresses automatically until it reaches the maximum number of allowed hosts.
Description | Command |
---|---|
Enter privileged EXEC mode | Core-Switch>enable |
Enter global configuration mode | Core-Switch#config t |
Enter interface range configuration mode for fa0/2 and fa0/3 | Core-Switch(config)#int range fa0/2-3 |
Limit the ports to one secure MAC address | Core-Switch(config-if-range)#switchport port-security maximum 1 |
Configure the interfaces to auto-learn (stick) the MAC address | Core-Switch(config-if-range)#switchport port-security mac-address sticky |
The above commands set port security on ports fa0/2 and fa0/3 to allow a maximum association of one MAC address, and only the first MAC address associated with the port will be able to send frames through the switch. Use the sticky command if you don’t want to manually type in all the MAC addresses of each device. A security violation occurs if a workstation whose MAC address is unrecognized attempts to access the interface. We need to specify what action should be taken for security violations. Three possible modes are available:
- Protect: frames from non-allowed addresses are dropped, and no log entry is made for the dropped frames. This mode will only work with sticky options.
- Restrict: frames from non-allowed addresses are dropped, and a log entry and security violation alert are generated.
- Shutdown: the switch generates the violation alert and disables the port. The only way to re-enable the port is to manually enter the no shutdown command. This is the default violation mode. Here's the command:
Description | Command |
---|---|
Disable the port on a violation of the policy | Core-Switch(config-if-range)#switchport port-security violation shutdown |
Return to global configuration mode | Core-Switch(config-if-range)#exit |
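The two port-security tables above leave out two commands that the feature depends on: switchport mode access (port security is rejected on a port that is still in dynamic DTP mode) and switchport port-security itself (without it the maximum, sticky and violation settings are accepted and stored but the feature stays disabled on the interface). The following is an added example, not from the original cheat sheet, showing the complete configuration for fa0/2 and fa0/3 with the same limits as the tables, followed by the verification commands and the manual recovery step the Shutdown mode requires.

```cisco
! Added example: complete port security on fa0/2-3 with the prerequisite
! commands the tables omit. Interface numbers and limits are from the tables.
Core-Switch>enable
Core-Switch#configure terminal
Core-Switch(config)#interface range fa0/2 - 3
! Port security is rejected on a dynamic (DTP) port, so fix the mode first
Core-Switch(config-if-range)#switchport mode access
! This line enables the feature; the three that follow only tune it
Core-Switch(config-if-range)#switchport port-security
Core-Switch(config-if-range)#switchport port-security maximum 1
! Learn the first MAC seen and write it into the running configuration
Core-Switch(config-if-range)#switchport port-security mac-address sticky
! shutdown is already the default; stated so it is visible in show run
Core-Switch(config-if-range)#switchport port-security violation shutdown
Core-Switch(config-if-range)#end
! Verify: Port Security should read Enabled and Port Status Secure-up
Core-Switch#show port-security interface fa0/2
! Lists the sticky addresses that were learned, per interface
Core-Switch#show port-security address
! Sticky addresses exist only in running-config until saved
Core-Switch#copy running-config startup-config
! Recovering a port that a violation put into err-disabled state
Core-Switch#configure terminal
Core-Switch(config)#interface fa0/2
Core-Switch(config-if)#shutdown
Core-Switch(config-if)#no shutdown
Core-Switch(config-if)#end
```

Because sticky addresses are written into the running configuration, forgetting the copy at the end means the switch will learn the first MAC address it sees after a reload, whichever device that happens to be.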
Saving Configuration Changes
Whenever you make changes to your switch configuration file, you must save the changes to memory, so they don’t get lost after reboot. There are two types of configuration files: the running (current operating) configuration and the startup configuration. The running configuration is stored in RAM (a volatile memory that loses its content after a restart or shutdown); the startup configuration is stored in NVRAM (a non-volatile memory that retains its content even after a restart or shutdown), thus avoiding reconfiguration every time it is powered off.
Description | Command |
---|---|
Enter privileged EXEC mode | Core-Switch>enable |
Save the configuration to NVRAM | Core-Switch#copy running-config startup-config |
Configuring VLANs
A Virtual Local Area Network (VLAN), as the name implies, is a virtual segmentation of a switched network that provides security, flexibility, and effective network administration. By assigning switch ports or users to VLAN groups on a switch or group of connected switches, you gain the flexibility to add only the users or departments you want into that broadcast domain, without worrying about the physical location of the hosts.
You can create VLANs from 2 to 4094 depending on the model of your switch. VLAN 1 is the default VLAN. You can manually or dynamically (via the Dynamic Trunking Protocol) configure a port as an access or trunk port. A switch port can belong to only one VLAN if it is an access port (carries the traffic of only one VLAN) or all VLANs if it is a trunk port (carries the traffic of multiple VLANs). To configure VLANs on a Cisco Catalyst switch, use the global config vlan command as shown below:
Description | Command |
---|---|
Enter global configuration mode | Core-Switch#config t |
Create VLAN 2 | Core-Switch(config)#vlan 2 |
Allocate VLAN 2 to the Finance dept. by naming it | Core-Switch(config-vlan)#name Finance |
Create VLAN 3 | Core-Switch(config-vlan)#vlan 3 |
Allocate VLAN 3 to the Audit dept. by naming it | Core-Switch(config-vlan)#name Audit |
Return directly to privileged EXEC mode (Ctrl-Z) | Core-Switch(config-vlan)#^Z |
Prompt returns to privileged EXEC mode | Core-Switch# |
Assigning Switch Ports to VLANs
You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries, plus the number of VLANs to which it can belong. You can configure each port on a switch to be in a specific VLAN (access port) by using the interface switchport command as shown below.
Description | Command |
---|---|
Enter global configuration mode | Core-Switch#config t |
Enter interface configuration mode | Core-Switch(config)#int fa0/3 |
Configure the port as an access port | Core-Switch(config-if)#switchport mode access |
Assign the port to VLAN 3 | Core-Switch(config-if)#switchport access vlan 3 |
To configure trunking and encapsulation on Fast Ethernet port fa0/5, use the following commands:
Description | Command |
---|---|
Enter global configuration mode | Core-Switch#config t |
Enter interface configuration mode | Core-Switch(config)#int fa0/5 |
Configure encapsulation | Core-Switch(config-if)#switchport trunk encapsulation dot1q |
Configure trunking | Core-Switch(config-if)#switchport mode trunk |
The switchport mode command can be configured with four different options (the fifth entry below, switchport nonegotiate, is a related command rather than a mode):
- switchport mode trunk: the interface is configured into permanent trunking mode and negotiates to convert the neighboring link into a trunk link.
- switchport mode access: disables port trunk mode and puts the interface (access port) into permanent non-trunking mode. No trunking negotiation takes place.
- switchport mode dynamic desirable: this is the default mode for all Ethernet interfaces. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
- switchport mode dynamic auto: makes the interface become a trunk only if the connected port is set to trunk or desirable.
- switchport nonegotiate: prevents the interface from producing Dynamic Trunking Protocol frames.
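The VLAN, access-port and trunk tables above each show one fragment. The following is an added example, not from the original cheat sheet, that puts them together: the two VLANs from the table, fa0/3 as an access port in the Audit VLAN, and fa0/5 as a dot1q trunk with DTP negotiation switched off, plus the show commands that confirm the result. The switchport trunk allowed vlan line is an addition beyond the tables (a trunk carries every VLAN unless told otherwise); the VLAN numbers it lists are the ones created here.

```cisco
! Added example: VLANs, an access port and a trunk from the tables above.
! VLAN numbers, names and interface numbers are the ones used in the tables.
Core-Switch#configure terminal
Core-Switch(config)#vlan 2
Core-Switch(config-vlan)#name Finance
Core-Switch(config-vlan)#vlan 3
Core-Switch(config-vlan)#name Audit
Core-Switch(config-vlan)#exit
! Access port for an Audit workstation: fixed access mode, so no DTP
! negotiation can ever turn this port into a trunk
Core-Switch(config)#interface fa0/3
Core-Switch(config-if)#switchport mode access
Core-Switch(config-if)#switchport access vlan 3
Core-Switch(config-if)#exit
! Uplink trunk: encapsulation first (only on models that offer a choice),
! then permanent trunk mode and no DTP frames toward the neighbor
Core-Switch(config)#interface fa0/5
Core-Switch(config-if)#switchport trunk encapsulation dot1q
Core-Switch(config-if)#switchport mode trunk
Core-Switch(config-if)#switchport nonegotiate
! Addition beyond the tables: carry only the VLANs this uplink needs
Core-Switch(config-if)#switchport trunk allowed vlan 1,2,3
Core-Switch(config-if)#end
! fa0/3 should appear under VLAN 3; fa0/5 should not appear in any VLAN row
Core-Switch#show vlan brief
! fa0/5 should be listed with mode "on", encapsulation 802.1q, VLANs 1-3
Core-Switch#show interfaces trunk
! Shows administrative vs. operational mode and negotiation state
Core-Switch#show interfaces fa0/5 switchport
```

On a model that supports only 802.1Q, the switchport trunk encapsulation command is not present and is simply skipped; everything else applies unchanged.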
Configure Access Control List
To configure an access control list and apply it to an interface, use the following commands. Standard ACLs use numbers 1-99 and match on source only; extended ACLs use numbers 100-199 and take the protocol before the source and destination, each followed by its wildcard mask:
Description | Command |
---|---|
Enter the access list number, action, and match parameters | Core-Switch(config)#access-list [acl-number] [permit|deny] [protocol] [source] [source-wildcard] [destination] [destination-wildcard] |
Enter interface configuration mode | Core-Switch(config)#interface [interface-name] |
Apply the access list to the interface in the given direction | Core-Switch(config-if)#ip access-group [acl-number] [in|out] |
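The table above gives the syntax with placeholders only. The following is an added example, not from the original cheat sheet, that fills them in with the addresses used earlier on this page: a numbered extended ACL that allows only the management subnet 192.168.10.0/24 to reach the switch's own VLAN 1 address 192.168.10.2, logs and drops anything else aimed at that address, and is applied inbound on the VLAN 1 interface. Whether an ACL can be applied to a VLAN interface depends on the switch model and feature set, as the closing note on this page says.

```cisco
! Added example: extended numbered ACL guarding the management address.
! Subnet and SVI address are the ones configured earlier on this page.
Core-Switch#configure terminal
! Extended ACL (100-199): protocol, then source/wildcard, then destination
Core-Switch(config)#access-list 100 remark Only the management subnet may reach the switch SVI
Core-Switch(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 host 192.168.10.2
! Anything else aimed at the management address: record it, then drop it
Core-Switch(config)#access-list 100 deny ip any host 192.168.10.2 log
! Every ACL ends with an implicit deny, so other traffic must be permitted
! explicitly or it is dropped too
Core-Switch(config)#access-list 100 permit ip any any
! Apply inbound on the management VLAN interface
Core-Switch(config)#interface vlan 1
Core-Switch(config-if)#ip access-group 100 in
Core-Switch(config-if)#end
! Entries with per-line match counters
Core-Switch#show access-lists 100
! Confirms which ACL is bound to the interface and in which direction
Core-Switch#show ip interface vlan 1
```

The order of the entries matters: the ACL is evaluated top down and stops at the first match, so the permit for the management subnet must come before the deny that covers everyone else.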
Verifying Your Configuration
Now that you are done configuring your switch, you need to test and verify your configuration. The following are some useful commands:
Description | Command |
---|---|
Show the current running configuration | Core-Switch#show run |
Show the configuration of all interfaces and the status of each one | Core-Switch#show interfaces |
Show all VLAN numbers, names, and the ports associated with each VLAN | Core-Switch#show vlan |
Show the status, speed, and duplex of each interface | Core-Switch#show interface status |
Show the current MAC address table and the MAC addresses learned on each interface | Core-Switch#show mac address-table |
Show spanning tree (run from configuration mode with do) | Core-Switch(config)#do show spanning-tree |
The above cheat sheet provides a basic summary of the Cisco CLI switch commands. Remember to replace the specific parameters used and/or placeholders such as [interface-name], [mode], [number], [acl-number], [source], [destination], and [protocol] with the appropriate values for your configuration. Please note that the specific command syntax and available options may vary depending on the switch model and firmware version. Refer to the Cisco documentation and command references for detailed information on specific commands and their usage.