Useful Cisco Commands


show run brief – shows a less detailed version of the running configuration. Ex. Doesn’t show full certificate chains.

  • show run brief | section <section> ; fill in section with an area of the config you want to see. “show run brief | sec interface” only shows the interfaces section of the config
  • show run brief | include <phrase> ; fill in phrase with a phrase your searching for in the config. “show run brief | include snmp” will only show the lines that include the phrase “snmp”.
  • show run brief | begin <section> ; fill in section with an area of the config you want to begin at. “show run brief | begin crypto” will start at the “crypto” section of the config

show version – gives detailed information about the device Ex. Serial numbers, licenses, IOS Version, etc.

show ip interface brief – gives a brief description of the interfaces status Ex. Status “UP” indicates the port is active and something is on this port. Status “administratively down” indicates that the port is shutdown and cannot be used.

show log – shows log entries on the device

show ip traffic – displays all IP statistics (TCP, UDP, IP, EIGRP, IGMP)

show process cpu history – shows CPU history over the past 60 seconds, 60 minutes and 72 hours

show cdp neighbors – shows connected Cisco devices that are running CDP (Cisco Discovery Protocol). CDP is Cisco’s version of LLDP.

configure terminal – enters configuration mode

write memory – saves running-config to startup-config

undebug all – disables all debugging on the device

terminal monitor – displays all logging on the console

terminal no monitor – turns off all logging to console

reload – reboots the device

  • reload in HHH:MM – sets a reload timer (H=Hours M=Minutes) “reload in 000:05” will reload the device in 5 minutes
  • reload at HH:MM – sets a time for the device to reload (H=Hours M=Minutes) “reload at 22:30” will reload the switch at 10:30PM
  • reload cancel – cancels the scheduled reload (timer or set time)

Router specific

show crypto isakmp sa – shows a brief description of phase 1, QM_IDLE means phase 1 has been negotiated successfully on both sides

show crypto ipsec sa – shows a detailed version of phase 2, rising # of encaps and decaps means phase 2 has been negotiated successfully on both sides

show webvpn stats – will display all statistics for an SSLVPN

show webvpn gateway – displays brief information about the webvpn (SSLVPN) gateway Ex. Admin/Operation status, IP address, trustpoint, etc

show vlan-switch – displays all VLANs that the router knows about

show ip route – shows routing table

show flash: – displays files held within the routers flash (HDD)

show ip dhcp binding – displays leases currently given out by the router (if doing DHCP)

show ip access-list <access list> – replace <access list> with the name of the access list you would like to view, shows only the access list specified

show license udi – quickly displays serial number, model number and UDI (Unique Device Identifier)

show ip nat translations – shows current NAT translations on the router

clear ip nat translations * – clears all current NAT translations on the router

show crypto session – shows a brief description of phase 1 and phase 2

  • UP-ACTIVE; VPN traffic should flow normally
  • UP-NO-IKE; VPN has did not renegotiate phase 1 properly and is retrying (may require manual intervention but should clear on it’s own)
  • DOWN-NEGOTIATING; VPN is down and negotiating phase 1 and phase 2 a debug will be needed to know what is exactly going on

debug – useful for debugging VPNs or RADIUS

  • debug crypto isakmp – debugs phase 1 and logs entries
  • debug crypto ipsec – debugs phase 2 and logs entries
  • debug radius authentication – debugs all RADIUS authentication packets (useful for testing SSLVPN authentication)
  • debug webvpn – debugs all things SSLVPN

Switch specific

show vlan – shows all the VLANs that a switch knows about

show port-security – shows port security information (if enabled) Ex. violation counts, port-security status

show power inline – shows PoE (Power over Ethernet) port status, power being used (Watts), admin/operational status

AP specific

show dot11 associations – shows clients MAC/IP currently associated with the AP

show dot11 bssid – shows SSIDs broadcasted by the AP and what Radio they are on

test aaa group radius <username> <password> legacy – tests RADIUS authentication against RADIUS server configured. Replace <username> with DOMAIN\USERNAME and <password> with account password. Ex. “test aaa group radius FOOBAR\Atokad [email protected]! legacy”