Useful Cisco IOS Commands (Switch)

To help you find the command you are looking for, try using the ‘find’ function in your browser; it is usually accessible by pressing F3 on your keyboard.

{ } – Indicates required component(s).
[ ] – Indicates optional component(s).
{lorem | ipsum} – Indicates a choice of discrete options.
[lorem | ipsum] – Indicates an optional choice of discrete options.
Italics – Indicates that it is not a literal representation of the value.

List compiled by Alex Ward – 18/06/13



File Management

Switch# show flash Displays details of the available IOS images.
Switch# dir {directory} Displays the content and size of a specified directory. E.g. flash is one such directory.
Switch# delete flash:{subdirectory/filename} Deletes a specific file. Can delete all files within a directory/subdirectory when an asterisk * is used.
Switch# show boot Display the boot environment variables.
Switch(config)# boot system flash:{/c2960-lanbase-mz.122-25.SEE1.bin} Set the switch to boot from a different IOS image.
Switch# write erase then Switch# reload Restores the configuration of the switch to default settings. Note: Does not erase VLAN configuration.
Switch# copy running-config startup-config Save the current configuration settings.
Switch# copy startup-config tftp Copy the current version of the startup configuration TO a TFTP server.
Switch# copy flash tftp Copy a file from the flash memory TO a TFTP server.
Switch# copy tftp flash Copy a file FROM a TFTP server to the flash memory.
Switch# rename flash:/{directory/filename} flash:/{directory/newfilename} Renames a file held within the flash memory.

General Configuration

Switch# terminal history Enables the terminal history feature.
Switch# terminal history size {value} Enter a value for the number of lines to recall under the terminal history feature. 0-256 lines.
Switch# terminal no history size Restores the history size to the default value of 10 lines.
Switch# terminal no history Disables the terminal history feature.
Switch(config)# ip default-gateway {IP-address} Configures the default gateway for the switch.
Switch(config)# ip http authentication enable Optional authentication for securing HTTP access.
Switch(config)# ip http server Enable HTTP server on the switch – enables switch configuration via TCP/IP.

Security Configuration

Switch(config)# ip dhcp snooping Enable DHCP snooping (anti-DHCP-spoofing measures) on Catalyst switches.
Switch(config)# ip dhcp snooping vlan {number} Enable DHCP snooping for specific VLANs.
Switch(config-if)# ip dhcp snooping trust Set ports as trusted DHCP ports.
Switch(config-if)# ip dhcp snooping limit rate {value} Limit the rate of DHCP packets accepted on an untrusted port, capping how many bogus DHCP requests an ‘attacker’ can send through it.

Switch-port Security

Switch# show port-security interface {value} Display the details of port security settings for an interface.
Switch(config-if)# switchport port-security mac-address {MAC-address} Sets a static port security rule for an interface.
Switch(config-if)# switchport port-security maximum {value} Sets the maximum permissible number of secure addresses allowed on a port.
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}  Define the course of remedial action to be taken by the switch if the maximum number of layer 2 addresses is reached on a port. Protect = drop | Restrict = drop, log, send SNMP trap, increment violation counter | Shutdown = set port to error-disabled state, log, send SNMP trap and increment violation counter.
Switch(config-if)# switchport port-security mac-address sticky Enables sticky learning on a port. This will dynamically learn secure layer 2 addresses and add them to the running-config. Note that running-config must be saved after learning is complete!

SSH Configuration

Switch(config)# ip domain-name {domain-name} Sets a host domain name for the switch, required for SSH.
Switch(config)# crypto key generate rsa Enables the SSH server on the switch and generates an RSA key pair. – Recommended modulus length is 1024 bits.
Switch(config)# ip ssh version [1 | 2] Set the version of SSH standard to run on the local SSH server. – If option is left blank, the latest version will be selected.
Switch(config)# ip ssh time-out {seconds} Set the time period for an SSH session to be established. Default is 120. – Range is 0 – 120 seconds.
Switch(config)# ip ssh authentication-retries {number} Sets the number of times a client can re-authenticate within a 10 minute period. – Range is 0 to 5 attempts.
Switch(config-line)# transport input {telnet | ssh | all} Either accept just telnet or SSH or accept both.
Switch(config-line)# login local Use local usernames instead of AAA.
Switch(config)# username {username} password {Password} Create a local set of credentials.
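
Added example (not part of the original list): a short Python check that reads a saved running-config and reports weak settings for the Switch-port Security and SSH Configuration commands above. The config excerpt is constructed, the names stanzas and audit are hypothetical, and it assumes the port-security options only take effect once the bare switchport port-security command is present on the interface, a command this list does not include.

```python
# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE = """\
ip ssh version 1
!
interface FastEthernet0/1
 switchport port-security maximum 2
 switchport port-security violation protect
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
!
line vty 0 4
 transport input all
"""

def stanzas(config):
    """Split a config into (header, [indented sub-commands]) pairs."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(config):
    """Return findings for the SSH and port-security commands in this list."""
    parsed = stanzas(config)
    findings = []
    if not any(head == "ip ssh version 2" for head, _ in parsed):
        findings.append("global: SSH version 2 is not enforced")
    for head, subs in parsed:
        if head.startswith("interface "):
            # Assumption: options are inert until the bare enable command is present.
            if (any(s.startswith("switchport port-security ") for s in subs)
                    and "switchport port-security" not in subs):
                findings.append(f"{head}: port-security options set, feature not enabled")
            if "switchport port-security violation protect" in subs:
                findings.append(f"{head}: 'protect' drops frames without logging")
        elif head.startswith("line vty"):
            modes = [s.split()[2:] for s in subs if s.startswith("transport input ")]
            if not modes or {"telnet", "all"} & set(modes[-1]):
                findings.append(f"{head}: Telnet not explicitly excluded")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the output of show running-config saved to a file; an empty result means none of these four conditions were found.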

Interface Configuration

Switch(config)# interface range {interface prefix / number range} Configure a group of interfaces e.g. fa0/1 - 5 for Fast Ethernet ports 1 through 5.
Switch(config-if)# mdix auto Permits the switch to use the MDIX automatic cable medium detection facility – append no to disable the feature. (Command is not compatible with Catalyst 2950 or 3550).
Switch(config)# mac-address-table static {MAC address} vlan {vlan-id} interface {interface-id} This creates a static mapping of a MAC to a specified port on the switch. Append no to remove.
Switch(config)# interface vlan {value} Enter the interface configuration mode for a VLAN of number.
Switch(config-if)# ip address {interface address} {subnet mask} Configure a VLAN-interface IP address.
Switch(config-if)# switchport mode {type} Set the VLAN membership mode for a port – access or trunk.
Switch(config-if)# switchport access vlan {number} Assign a specific switch port to use a specified VLAN number.
Switch(config-if)# switchport trunk native vlan {native id} Assign a specific VLAN to the switch port to be the NATIVE. This is necessary for untagged traffic on 802.1Q trunk ports.
Switch(config-if)# no switchport trunk native vlan Reset the NATIVE VLAN back to the default of VLAN 1.

Dynamic Trunking Protocol

Switch# show dtp [interface] Displays details of DTP configuration.
Switch(config-if)# switchport mode {type} Set the membership mode for a port – access or trunk. This sets the port to ON if trunk mode is selected.
Switch(config-if)# switchport mode dynamic auto Local switch port advertises to the remote port that it can trunk, but does not request to go into trunking state. Will only trunk if remote port is ON or DESIRABLE.
Switch(config-if)# switchport mode dynamic desirable Sets the local switch port to advertise to the remote port that it would like to trunk. Will only trunk if remote port is set to ON, DESIRABLE or AUTO.
Switch(config-if)# switchport nonegotiate Sets the local switch port to TRUNK and refrains from sending DTP frames from that port. Required for communication with non-Cisco equipment.

Spanning Tree Protocol

Switch# show spanning-tree [summary] Displays details of the STP environment.
Switch# debug spanning-tree events Show notifications of STP topology events in real-time.
Switch(config)# spanning-tree mode {mode} Change the STP mode to be used. mst, pvst or rapid-pvst.
Switch(config-if)# spanning-tree cost {value} Manually set the cost of an interface for the STA to use in calculations. Between 1 and 200,000,000.
Switch(config-if)# no spanning-tree cost Reset the cost of the interface to the default value.
Switch(config)# spanning-tree vlan {vlan-id} root primary Set the switch to be the lowest priority value on the network. Set to either 24576 or the next 4096 increment below the lowest already on the network.
Switch(config)# spanning-tree vlan {vlan-id} root secondary Set the switch to be the penultimate lowest priority value on the network. If the root fails, this will become the root. Set to 28672, presumes all other switches are set to 32768 default value.
Switch(config)# spanning-tree vlan {vlan-id} priority {value} Allows the admin to manually set bridge priority for a specified VLAN. Used to setup load balancing – between 0 and 65536 in increments of 4096. Default on Catalyst switches is 32768.
Switch(config-if)# spanning-tree port-priority {value} Used to alter the default port priority value. As with bridge priority, lower values have a greater precedence. Can be used to resolve a port priority tie. Ranges from 0-240 in increments of 16. Default value is 128.
Switch(config-if)# spanning-tree portfast Enable PortFast feature on an access port to mitigate STP processes on that port. This will reduce the time taken for the link to come up.


Switch(config)# vlan {id} Enters VLAN configuration mode.
Switch(config-vlan)# name {enter a name for the VLAN} Sets the name of a VLAN.
Switch(config-if)# switchport mode trunk Set an interface to trunk mode.
Switch(config-if)# switchport trunk native vlan {vlanNo.} Specify the native VLAN for the trunk.
Switch(config-if)# switchport trunk allowed vlan add {vlanNo.} Specify VLANs permitted on a trunk.
Switch(config-if)# switchport trunk allowed vlan remove {vlanNo.} Remove specific VLANs permitted on a trunk.
Switch(config-if)# switchport trunk allowed vlan none Remove all VLANs assigned to a trunk port.


Switch# show vtp status Displays the state of the VTP configuration on the device.
Switch(config)# vtp mode {client | server | transparent} Set the VTP mode for the device: client, server or transparent. Be sure this is set first!
Switch(config)# vtp domain {name} Set the VTP domain name.
Switch(config)# vtp password {value} Set a password for the VTP domain.
Switch(config)# vtp pruning Enables VTP pruning, use on the VTP server only.

2900 Series (Legacy Commands)

Switch# vlan database This accesses the VLAN database.
Switch(vlan)# vlan {id} [name] Assign an ASCII name to the VLAN.


Switch# show history Displays the terminal history if enabled (See general configuration).
Switch# show env {all} Shows the status of all hardware monitoring sensors on the device.
Switch# show interface [interface-id | vlan vlan-id | switchport] Shows detailed information for specific interfaces, vlans or switch ports.
Switch# show interface trunk Shows detailed information about trunk ports in use on the switch.
Switch# show vlan [brief | id vlan-id | name vlan-name | summary] Is used to display VLAN information for verification purposes.
Switch# show spanning-tree Displays details of the STP environment.
Switch# debug spanning-tree events Show notifications of STP events in real-time.
Switch# show ip ssh Shows the status of the SSH server on the switch.
Switch# show mac-address-table Displays the Media Access Control address table (CAM table) on the switch.

