Useful Cisco IOS Commands (Router)

To help traverse the list and help find the command you are looking for. Try using the ‘find’ function in your browser; it is usually accessible by pressing F3 on your keyboard.

{ } – Indicates required component(s).
[ ] – Indicates optional component(s).
{lorem | ipsum} – Indicates a choice of discrete options.
[lorem | ipsum] – Indicates an optional choice of discrete options.
Italics – Indicates that it is not a literal representation of the value.

List compiled by Alex Ward – 18/06/13



Router#clock set 14:45:05 June 18 2013 Set the Time of Day clock on the router.
Router>ping Basic ICMP ping function from within EXEC mode.
Router#ping {ip address} A more detailed ICMP ping from within Privileged EXEX mode.
Router#traceroute {ip address} Performs a traceroute for a given IP address
Router#configure terminal Enters the Global Configuration Mode for higher level configuration
Router(config)#hostname RouterName Sets the hostname of the router
Router(config)#ip route network-address subnet-mask {next-hop IP or exit-interface} Adds a static route the routing table. (Remember to add in pairs to communicating router pair)
Router#copy running-config startup-config Copies the current configuration into the register, for retrieval upon boot
Router(config)#line console 0 Router(config-line)#logging synchronous  Overcomes line interruption from router prompts, whilst typing commands.
CNTRL+SHIFT+6 Exit process

DHCP Configuration

Router(config)#ip dhcp pool {name} Create a DHCP Pool on the router.
Router(dhcp-config)#network {net address} {submask} Set the network on which to act as a DHCP server.
Router(config)#ip dhcp excluded-address {start IP} {end IP} Set a range of address to be excluded from the DHCP pool.
Router(dhcp-config)#dns-server {net address} Set the address of the DNS server – to be issued to clients.
Router(dhcp-config)#default-router {netaddress} Set the default gateway – to be issued to clients.
Router(config-if)#ip helper-address {network address} Set this on an intermediary router. Instructs router to forward DHCP requests to a specified address.
 Router#show ip dhcp binding Shows DHCP lease information.
Router#show ip dhcp pool Displays pool utilisation statistics.

NAT & PAT Configuration

Network Address Translation

Router(config)#ip nat inside source static {inside local} {outside global} Create a static NAT mapping between an inside local address and an outside global address.
Router(config-if)#ip nat outside  
Router(config-if)#ip nat inside  
Router(config)#ip nat pool {name} {inside local} {inside Global} netmask {submask} Create a NAT pool on the router.
Router(config)#ip nat inside source list {ACL name} pool {pool name} Control NAT operations with an access control list.
Router(config)#ip nat inside source list {NAT} pool {MY-NAT-POOL} Specify a NAT pool to translate to hosts permitted by an Access Control List.
Router#clear ip nat translation * Deletes all current dynamic NAT mappings.
Router#show ip nat translations Shows the active NAT mappings on the router.
Router#show ip nat statistics Shows various statistics associated with NAT.

NAT Overload / Port Address Translation

Router(config)#ip nat inside source list {ACL name} interface {int name} overload Configure NAT to work in overload mode on the specified interface and apply an access control list. I.e. to a single inside global IP address.

Security Configuration

Router(config)#no cdp run Disable Cisco Discovery Protocol functionality, for security reasons.
Router(config-line)#exec-timeout {minutes} [seconds] Controls the amount of time a console or virtual session can be idle before termination. Set to 00 for infinite, use only for labs!
Router(config)# banner login & message & Create a login message. End this with a delimiting character like ‘#’ or ‘&’
Router(config)#banner motd & message Create a banner message. End with an ‘&’
Router(config)#no ip domain-lookup Prevents DNS look-up for lab setups
Router(config)#no enable password Removes the enable password, often used in favour of enable secret password.
Router(config)#enable secret {password} Provides better security by encrypting an enable password. It is separate to the line password!
Router(config)#service password-encryption Obscures the passwords within the config on the device.
Router(config)#line console 0 Router(config-line)#password cisco Router(config-line)#login


Configures the console password.
Router(config)#line vty 0 4 Router(config-line)#password cisco Router(config-line)#login


Configures the password for virtual terminal lines
Router(config-line)#no transport inputRouter(config-line)#transport input {telnet | ssh | etc…} Set the VTY lines to deny any input but the methods specified.

Access Control Lists

One ACL – per protocol, per direction, per interface.

One very important thing to remember about ACLs is that an implicit ‘deny all’ rule is placed at the end of all ACL entries. So it is essential to make a statement for ALL intended communications, otherwise they will be blocked.

All ACLs are parsed sequentially.

Standard ACLs

Router(config)#access-list {access-list-number} {deny | permit} [remark] {source-IP | any} [source-wildcard | any] [log]    Configure a Standard ACL – that allows traffic to be permitted or denied based upon the source IP address only.Use the “no” prefix to remove the ACL.
Router(config)#ip access-list standard {name}  Router(config-std-nacl)#sequence-number {permit | deny} [remark] {sourceIP} [source wildcard] [log] Configure a named Standard ACL for IP.

Extended ACLs

Router(config)#access-list {access-list-number} {deny | permit} [remark] {protocol} {source} {source-wildcard} [operand] [port port-number/name] {destination} {destination-wildcard} [operator operand] [port port-number/name] [established] Configure an Extended ACL – that allows for much greater granularity of control i.e. Protocols, Port#s, Source addresses & Destination addresses. – (Extended IP ACL numbers range from 100 to 199), (Expanded IP ACLs range 2000 thru 2699).“The optional (operand) is used to compare source and destination ports. Possible values are: lt (less than), gt (greater than), eq (equal to), neq (not equal to) and range (inclusive range).”“The optional (established) keyword is for TCP sessions and means that the rule will allow only TCP communications that have the ACK bit set i.e. already established. This rule could be used inbound, to prevent TCP sessions being initiated from outside the network.”


Router(config)#ip access-list extended {name}  Router(config-ext-nacl)#[sequence-number] {permit | deny} [remark] {sourceIP} [source wildcard] [log]  
Router(config)#ip access-list extended {ACL name} Router(config-ext–nacl)#permit ip {network} {wildcard mask} any Configure a named, Extended ACL for IP.
Router(config-if)#access-class {aclNumber} {in | out} Apply a ACL to a specific interface.
R2(config-if)#ip access-group  

Interface Configuration

Router#show interfaces {interface name} Displays details and the bandwidth of individual interfaces.
Router#show controllers [interface name] Displays hardware details of an interface. Useful for fault finding serial connections.
Router#show ip interface brief Shows a condensed brief of link state and IP addresses of attached interfaces & loopback(s)
Router(config)#interface [range] {interface ID} Enters the interface configuration mode for a given interface or range of interfaces.
Router(config-if)#ip address {int ip address} {subnet mask} Configure the ip address for a particular interface.


Router(config)#interface {interface-ID.xxxx}  Configures a logical sub-interface on a physical interface. interfaceID.xxxx might be “fa0/1.10” for FastEthernet 0/1 sub-interface#10.
Router(config-subif)#encapsulation {type} {vlan-ID}  This is used in ‘router-on-a-stick’ configurations. After configuring a sub-interface as shown above, you must specify the encapsulation method, such as dot1q or isl etc… Then specify the VLAN to which this sub-interface should interact with.
Router(config-subif)#ip address {int ip address} {subnet mask} Configure the ip address for a particular sub-interface.

WAN Link Technologies

Router(config-if)#encapsulation {type} Set the interface to use a specified protocol of encapsulation e.g. hdlc, ppp, frame-relay etc…

Point-to-Point Protocol

Router#debug ppp [packet | negotiation | error | authentication | compression | cbcp] Troubleshoot PPP, or use the options to troubleshoot PPP sub-processes.
Router(config-if)#encapsulation ppp Set the interface to use PPP encapsulation method.
Router(config-if)#compress [predictor | stac] Configure the router to use traffic compression. Optional elements enable the use of different algorithms. Only use with appropriate forms of traffic i.e. uncompressed.
Router(config-if)#ppp quality {%} Apply Link Quality Monitoring. Specify the LCP percentage threshold for the link to become active.
Router(config-if)#ppp multilink Enable load balancing across multiple physical links.

PPP authentication

Router(config)#aaa new-model Enable AAA with this command.
R1(config)#aaa authentication ppp default local none Enable AAA authentication for PPP using the locally configured credentials.
Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default ] [callin] Configuration parameters for PPP authentication. CHAP PAP performs CHAP before PAP.[if-needed] should not be applied alongside of PAP or CHAP – used with TACACS or XTACACS (only compatible with asynchronous interfaces).The list-name and default are only required for AAA/TACACS+.

[callin] option is used to specify authentication on incoming calls only.

Router(config)#username {user} password {cisco} Sets a local username and password for use with PPP authentication protocols.
Router(config)#ppp pap sent-username {user} password {password} Set a PAP username and password for use with PPP coms leaving the local router.

Frame Relay

Router#show frame-relay lmi Show stats for the Frame Relay, Local Management Interface.
Router#show frame-relay pvc Show details regarding established Permanent Virtual Circuits on the local device.
Router#show frame-relay route Displays any Frame-Relay Layer2 routes through the device.
Router#show frame-relay map Display Frame-Relay mappings known to the local device.
Router(config-if)#frame-relay lmi-type [type] Specifiy the type of LMI to be used. Either [cisco | ansi | q933a].
Router(config)#frame-relay switching This enables a router to perform Frame Relay switching globally on the router, by using the DLCI’s instead of IP.
Router(config-if)#frame-relay route {incoming DLCI} interface {outgoing interface-name} {outgoing DLCI} Sets up a PVC on a Frame-Relay switch.
Router(config-if)#encapsulation frame-relay [encapType] Changes the data-link layer protocol to be used on the interface. The type of encapsulation can be set to use the IETF standard with the [ietf] option. Default is set to auto-negotiate.
Router(config-if)#frame-relay intf-type {dce | dte} Frame Relay interface types are separate to physical interface types i.e. a physical DTE device can be assigned as a Frame Relay DCE device. Setting an interface type as DCE, tells the router to send LMI keepalives and route statements on the link. Note that a PVC cannot be established between two frame-relay DTE devices.
Router(config-if)#frame-relay interface-dlci {number} Manually configure the DLCI for the interface. Can be within the range of 16-991.
Router(config)#frame-relay map {L3protocol} {protocol-address} {DLCI value} [broadcast] [ietf] This creates a static mapping of a Layer3 protocol address to a DLCI on the local device. Frame-Relay is an NBMA type of network. However, using the broadcast option, L3 broadcast traffic destined for the mapped network can be forwarded over the link too. Note: for the local device to be able to ping its own interface, a static map must be created for that local interface too.
Router(config-if)#frame-relay inverse-arp Inverse ARP can be used to dynamically discover devices at each end of a Frame-Relay link. Although, due to reliability issues with Inverse ARP, best practice is to statically map IP’s to DLCI’s. Inverse ARP is enabled by default, append the [no] prefix to disable.

Frame-Relay Sub-interfaces

Router(config)#interface {PhyIntName}.{subNumber} {point-to-point | multipoint} Sets up a Frame-Relay sub-interface. Note that this can only be performed once frame-relay encapsulation has been configured on the physical interface.
Router(config-subif)#frame-relay interface-dlci {number} Manually configure the DLCI for the interface. Can be within the range of 16-991.

Dynamic Routing Protocols

Router(config-if)#bandwidth {value} Set the metric bandwidth of a link in kbps. This value is used to calculate the cost of a route in some dynamic protocols. Note: This does not alter the actual level 1 bandwidth.
Router#debug ip routing Used to show modifications being made to the routing table in real-time.
Router#show ip protocols Use to verify the dynamic routing protocol in use.
Router(config)#router ? Show which versions of dynamic routing protocol the IOS version will support
Router(config-router)#no auto-summary Prevents auto summarization occurring at major network boundaries.
Router(config-router)#default-information originate Configure router to share static route information along with dynamic updates.

RIPv1 & v2

Router(config)#router rip Enter RIP configuration state
Router(config-router)#passive-interface interface name To prevent RIP updates being sent from a specific interface
Router#debug ip rip Show RIP updates as they are sent and received
Router(config)#router rip Router(config-router)#network address of directly connected classful network Configure RIPv1 advertisements on a specific interface.
Router(config-router)#default-information originate Configure router to share static route information along with dynamic updates.


Router(config)#router rip Router(config-router)#version 2 Enter RIP configuration state & configure RIPv2.


Router(config)#router eigrp [A.S. number]   Enables EIGRP functionality on the router and allows for further configuration.
Router(config-router)#network network address  Advertise the specified network address to others
Router#show ip eigrp topology  Router#show ip eigrp topology [network address] Displays the EIGRP topology table on a specified router. Including a [network address] Shows more detailed topology for a specific network.
Router(config-if)#ip summary-address eigrp [a.s.] [network] [mask] Apply manual network summarization to a specific interface, to be shared with other EIGRP neighbours.
Router(config)#router eigrp [a.s.] Router(config-router)#redistribute static This command will share the static route of the current router, with other EIGRP neighbours.


Router(config)#router ospf [process-ID] Enables OSPF dynamic routing protocol, and enters configuration mode. Default process ID is 1.
Router(config-router)#network [network address] [wildcard mask] area [area ID] Configures a network to be advertised by OSPF. Use 0 area ID for labs. This must be identical to all included OSPF routers in the same area.
Router#show ip ospf Display detailed OSPF information. Such as process and router ID
Router#show ip ospf interface Displays detailed information about OSPF interfaces
Router#show ip ospf neighbor Show a brief list of OSPF neighbors and which interface they are connected to on the local router.
Router(config)#interface [OSPF interface] Router(config-if)#ip ospf message-digest-key [key #] md5 [key value] Router(config-if)#exit

 Router(config)#router ospf [process ID]

 Router(config-router)#area [area ID] authentication message-digest

Configures an interface for use with MD5 routing update authentication. Note: The same key must be used for an entire area!
Router(config-router)#router-id [network address] Manually sets the router ID for the local router. (Will require a reload if neigbours are present).
Router#clear ip ospf process This will erase and restart the current OSPF process.
Router(config-if)#ip ospf cost [calculated value] Manually set the cost of a link. The value is calculated by 108 ÷ bandwidth of link in bps
Router(config-router)#auto-cost reference-bandwidth [value] This can be used to simulate different connection speeds between routers. This must be set the same for the whole area. 10GigEthernet is 10000.
Router(config-if)#ip ospf hello-interval [seconds] Change the hello interval from the default value: (multi-access is 10 seconds, or 30 seconds for NBMA segments).
Router(config-if)#ip ospf dead-interval [seconds] Change the dead interval from the default value: (40 seconds).
Router(config-if)#ip ospf priority [int value] Change the priority of an OSPF interface. This can alter eligibility for DR & BDR election. Range from 0-255, with Zero as lowest. Setting Zero will stop the router from participating in DR / BDR elections.

Lesser Used Commands

Router#debug {process-name] Debug a specific process. Such as ip routingShow IP routes being learned instantaneously (Use sparingly)
Router#undebug all Stop ALL debugging
Router#undebug {process-name} Stop a debug of a specific process. 
Router(config-if)#description R1 LAN Provides a description of the interface
Router#reload Reloads IOS from the NVRAM
Router(config)#no cdp run Disables the CDP functionality that is enabled as standard. This improves security if not required.
Router(config-if)#no cdp enable This disables CDP advertisements ONLY on the selected interface.
Router#show version Provides a description of the version of IOS loaded and the memory register in use
Router#copy running-config tftp: Backup Configuration Settings TO a TFTP Server
Router#copy tftp: running-configAddress or name of remote host []? filename []? backup_cfg_for_my_router Copy configuration FROM a TFTP Server 

Register Configuration

Router(config)#config-register [registerValue] Set the configuration register to a value. Standard is usually set to: 0×2102.Set to 0x2142 to disable the router from saving configurations.

IOS v.11 Irregularities

Router(config)#subnet-zero Router(config)#ip classless  This is a fix to the problem encountered when attempting to use a classless mask such as /30 with IOS v.11.


5 thoughts on “Useful Cisco IOS Commands (Router)”

    1. The procedure is slightly different on a router to a switch. For a router, if you don’t know the passwords on the router. Refer to the page “How to restore default IOS settings” under learning materials for CCNA.

      If you do have access to the privileged EXEC mode on the router, use the config-register command above and set it to 0x2142.
      After this, issue a reload command.
      Once rebooted, the default settings are restored but if you want to be able to save a configuration you will have to set the register back to 0x2102 using the config-register command.

      I hope that solves your problem.

  1. Router#terminal ip netmask-format decimal
    (sets the terminal to display all subnet masks using the dotted decimal format in place of CIDR prefix notation).

Leave a Reply

Anecdotes from the camps of InfoSec and IT Security