CLI CHEAT SHEET_

Cisco IOS commands for the CCNA — copy-paste ready. Show commands. Config templates. Troubleshooting one-liners. Pick a topic, scan, hit print.

VLAN CHEAT SHEET

VLANs segment a single physical switch into multiple broadcast domains. Access ports carry one VLAN untagged; trunk ports carry many VLANs tagged with 802.1Q. CCNA Domain 2.

▶ CREATE VLAN + ACCESS PORT
vlan 10
 name STAFF
exit

interface fa0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
▶ CONFIGURE 802.1Q TRUNK
interface gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
 switchport nonegotiate
▶ VOICE VLAN ON ACCESS PORT
interface fa0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 mls qos trust cos
▶ SHOW / VERIFY
show vlan brief
show vlan id 10
show interfaces trunk
show interfaces fa0/1 switchport
show mac address-table dynamic vlan 10
[ ⚠ GOTCHA ] Native VLAN must match on both ends of a trunk. If it doesn't, untagged frames arriving on each side land in a different VLAN, so traffic leaks between the two VLANs (a VLAN-hopping path) rather than simply being dropped; CDP logs a native VLAN mismatch and PVST+ blocks the port for the affected VLANs (PVID inconsistency). Default native is VLAN 1. Change it to an unused VLAN (e.g. 99) on both sides and never put an access port in that VLAN: a double-tagged frame only works when the attacker's access VLAN equals the trunk's native VLAN, because that is what gets the outer tag stripped and the frame sent untagged. show interfaces trunk shows only the local side's native VLAN (compare both ends yourself); show spanning-tree inconsistentports lists ports blocked for a PVID mismatch.
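Added example (Python, not from this cheat sheet): a byte-level model of the double-tagging hop the gotcha above guards against. The two-switch forwarding logic, MAC addresses and VLAN numbers are constructed for the demo; the only real-world behaviour assumed is that a trunk sends its native VLAN untagged and that an access port accepts a frame tagged with its own VLAN, which is how the outer tag gets stripped.

```python
"""Double tagging across an 802.1Q trunk: why the native VLAN must be unused.

Added example, not part of the original cheat sheet. It models two switches
just far enough to show the hop: an access port on SW1, a trunk between SW1
and SW2. Frame bytes and VLAN numbers are constructed here.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

ATTACKER = bytes.fromhex("aaaaaaaaaaaa")  # constructed MACs
VICTIM = bytes.fromhex("bbbbbbbbbbbb")


def build_frame(dst, src, vlans, payload=b"attack", ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    frame = dst + src
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return frame + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (outer VLAN ID or None, frame with that one tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames join the access VLAN. A frame tagged with
    the port's own VLAN is accepted and the tag stripped (common switch
    behaviour); any other tag is dropped. Returns (vlan, frame) or (None, None)."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(vlan, frame, native):
    """Trunk sends the native VLAN untagged and tags everything else."""
    return frame if vlan == native else push_tag(frame, vlan)


def trunk_ingress(frame, native):
    """Trunk assigns untagged frames to the native VLAN."""
    vid, inner = pop_tag(frame)
    return (native, frame) if vid is None else (vid, inner)


def forward(frame, access_vlan, native, allowed):
    """SW1 access port -> SW1 trunk -> SW2 trunk. Returns the VLAN SW2 puts
    the frame in, or None if it was dropped on the way."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None or vlan not in allowed:
        return None
    on_wire = trunk_egress(vlan, f, native)
    vlan2, _ = trunk_ingress(on_wire, native)
    return vlan2 if vlan2 in allowed else None


def double_tag_attack(outer, inner):
    return build_frame(VICTIM, ATTACKER, [outer, inner])


def demo():
    allowed = {1, 10, 20, 30, 99}
    return {
        # Default config: attacker on a VLAN 1 access port, trunk native VLAN 1.
        # SW1 strips tag 1, sends the frame untagged, SW2 reads the inner tag 20.
        "native_1": forward(double_tag_attack(1, 20), access_vlan=1, native=1, allowed=allowed),
        # Attacker on a VLAN 10 access port cannot use outer tag 1: dropped at SW1.
        "wrong_port": forward(double_tag_attack(1, 20), access_vlan=10, native=1, allowed=allowed),
        # Hardened: native VLAN 99 with no access port in it. The frame gets
        # tagged 10 on the trunk and stays in VLAN 10; the inner tag is just payload.
        "native_99": forward(double_tag_attack(10, 20), access_vlan=10, native=99, allowed=allowed),
        # Normal untagged host traffic is unaffected either way.
        "normal": forward(build_frame(VICTIM, ATTACKER, []), access_vlan=10, native=99, allowed=allowed),
    }


if __name__ == "__main__":
    print(demo())  # {'native_1': 20, 'wrong_port': None, 'native_99': 10, 'normal': 10}
```

The model deliberately ignores MAC learning and STP; the point is the tag arithmetic. Moving the native VLAN to 99 is only half the fix: the attacker's access port must also not be in VLAN 99, otherwise the same trick works with outer tag 99.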

INTER-VLAN ROUTING CHEAT SHEET

Routing between VLANs uses either a router-on-a-stick (one trunked physical interface with subinterfaces) or a Layer 3 switch with SVIs. SVI is faster and more common in modern deployments. CCNA Domain 2.

▶ ROUTER ON A STICK (ROAS)
! Switch side — trunk the link to the router
interface gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

! Router side — subinterface per VLAN
interface gi0/0
 no ip address
 no shutdown

interface gi0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0

interface gi0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
▶ LAYER 3 SWITCH WITH SVIs
ip routing

interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown

interface vlan 20
 ip address 192.168.20.1 255.255.255.0
 no shutdown

! Routed port (not a VLAN — point-to-point Layer 3 link)
interface gi0/24
 no switchport
 ip address 10.0.0.1 255.255.255.252
▶ SHOW / VERIFY
show ip route connected
show ip interface brief
show vlan brief
show interfaces gi0/0.10
[ ⚠ GOTCHA ] On a Layer 3 switch, ip routing must be enabled globally. Without it the SVIs come up but the switch won't route between them. An SVI is up/up only if the VLAN exists in the VLAN database and at least one access or trunk port carrying that VLAN is up: show ip interface brief shows up/down when the VLAN has no active port and down/down when the VLAN was never created, and in either case the connected route for that subnet never appears.

SPANNING TREE PROTOCOL CHEAT SHEET

STP/RSTP prevents Layer 2 loops by electing a Root Bridge and blocking redundant paths. Rapid PVST+ runs a separate RSTP instance per VLAN and converges in seconds; older Catalyst switches default to the slower PVST+ while newer ones (Catalyst 9000) default to Rapid PVST+, so set the mode explicitly and confirm it with show spanning-tree summary. CCNA Domain 2.

▶ SET MODE + ROOT BRIDGE
spanning-tree mode rapid-pvst

! Primary root for VLANs 1-100
spanning-tree vlan 1-100 root primary
! Secondary (failover) root
spanning-tree vlan 1-100 root secondary

! OR set priority manually (must be multiple of 4096)
spanning-tree vlan 1-100 priority 4096
spanning-tree vlan 101-200 priority 8192
▶ HARDEN ACCESS PORTS
interface fa0/1
 spanning-tree portfast
 spanning-tree bpduguard enable

! Or globally — applies to all portfast-enabled ports
spanning-tree portfast default
spanning-tree portfast bpduguard default

! Root Guard on designated ports facing switches that must never become root
! (the access/edge side of the distribution layer). NOT on the uplink toward
! the real root: root guard blocks any port that receives a superior BPDU.
interface gi0/1
 spanning-tree guard root
▶ SHOW / VERIFY
show spanning-tree
show spanning-tree vlan 10
show spanning-tree summary
show spanning-tree root
show spanning-tree interface fa0/1 detail
show spanning-tree inconsistentports
[ ⚠ GOTCHA ] Lower bridge ID wins root election (priority first, then MAC). Default priority is 32768 + VLAN ID — so on a new network the oldest switch (lowest MAC) becomes root by accident. Always explicitly set the root on your core/distribution layer.
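Added example (Python, not from this cheat sheet): the election in the gotcha above, plus what root primary actually sets. Switch names and MACs are invented; the "24576, else 4096 below the current root" rule is IOS's documented behaviour, and how the tie case is resolved is an assumption noted in the code.

```python
"""Root bridge election for one VLAN under (Rapid) PVST+, and what
`spanning-tree vlan N root primary` does to the priority.

Added example, not from the cheat sheet. The switch inventory is made up;
MAC addresses are in Cisco dotted format.
"""
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576
ROOT_SECONDARY = 28672


def mac_to_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


def _priority(switch, vlan):
    return switch.get("priority", {}).get(vlan, DEFAULT_PRIORITY)


def bridge_id(switch, vlan):
    """Extended system ID: the priority field on the wire is priority + VLAN ID,
    so a default switch advertises 32768 + VLAN. The MAC breaks ties; lower wins."""
    prio = _priority(switch, vlan)
    if prio % 4096:
        raise ValueError("priority must be a multiple of 4096")
    return (prio + vlan, mac_to_int(switch["mac"]))


def elect_root(switches, vlan):
    """Name of the switch with the numerically lowest bridge ID for this VLAN."""
    return min(switches, key=lambda name: bridge_id(switches[name], vlan))


def root_primary(switches, name, vlan):
    """Mimic IOS `spanning-tree vlan <vlan> root primary`: use 24576 if that is
    enough to win, otherwise go 4096 below the current root's priority.
    Assumption: 'enough to win' is decided by comparing full bridge IDs
    (priority, then MAC), the same way the election itself does."""
    root = elect_root(switches, vlan)
    me = switches[name]
    candidate = ROOT_PRIMARY
    if root != name and (ROOT_PRIMARY + vlan, mac_to_int(me["mac"])) >= bridge_id(switches[root], vlan):
        candidate = _priority(switches[root], vlan) - 4096
    if candidate < 0:
        raise ValueError("current root is already at priority 0; root primary cannot win")
    me.setdefault("priority", {})[vlan] = candidate
    return candidate


def demo():
    sw = {  # constructed inventory
        "SW-OLD": {"mac": "0000.0c11.1111"},    # oldest box, lowest MAC
        "SW-CORE": {"mac": "0011.22aa.bbcc"},
        "SW-ACC1": {"mac": "0011.22cc.ddee"},
    }
    vlan = 10
    out = {}
    out["default_root"] = elect_root(sw, vlan)              # SW-OLD, by MAC alone
    out["default_bid"] = bridge_id(sw["SW-CORE"], vlan)[0]  # 32778 = 32768 + 10
    out["core_priority"] = root_primary(sw, "SW-CORE", vlan)  # 24576
    out["root_after"] = elect_root(sw, vlan)                # SW-CORE
    # Someone plugs in a switch configured with `spanning-tree vlan 10 priority 4096`.
    sw["SW-ROGUE"] = {"mac": "00aa.bbcc.ddee", "priority": {vlan: 4096}}
    out["rogue_root"] = elect_root(sw, vlan)                # SW-ROGUE takes over
    out["core_reclaim"] = root_primary(sw, "SW-CORE", vlan)  # 0: the only value left
    out["root_final"] = elect_root(sw, vlan)                # SW-CORE again
    return out


if __name__ == "__main__":
    print(demo())
```

The last two steps are the practical lesson: root primary is a one-shot priority calculation made at the moment you type it, not a standing guarantee. A later switch with a lower priority wins the election, and the only way to answer with root primary again is priority 0. The standing control is root guard on every port where a superior BPDU must never be accepted.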

ETHERCHANNEL CHEAT SHEET

Bundle multiple physical links into one logical interface for more bandwidth and faster failover. LACP (IEEE 802.3ad, now maintained as 802.1AX) is the open standard; PAgP is Cisco-proprietary. STP sees the bundle as a single link, so no member port gets blocked. CCNA Domain 2.

▶ LACP (RECOMMENDED — STANDARDS-BASED)
interface range gi0/1-2
 channel-protocol lacp
 channel-group 1 mode active

! Configure the logical Port-Channel interface
interface port-channel 1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
▶ PAgP (CISCO-PROPRIETARY)
interface range gi0/1-2
 channel-protocol pagp
 channel-group 2 mode desirable

interface port-channel 2
 switchport mode trunk
▶ MODE COMBINATIONS
LACP modes:
  active   — sends LACPDUs, negotiates
  passive  — replies but doesn't initiate
  on       — forces bundle (no negotiation — risky)

PAgP modes:
  desirable — sends PAgP, negotiates
  auto      — replies but doesn't initiate
  on        — forces bundle (no negotiation — risky)

WORKING PAIRS:
  active + active       ✓
  active + passive      ✓
  passive + passive     ✗ (neither initiates)
  desirable + desirable ✓
  desirable + auto      ✓
  auto + auto           ✗
  on + on               ✓ (both must be on)
  on + anything else    ✗ (mode mismatch)
▶ SHOW / VERIFY
show etherchannel summary
show etherchannel port-channel
show interfaces port-channel 1
show interfaces etherchannel
show lacp neighbor
show pagp neighbor
[ ⚠ GOTCHA ] All physical members of an EtherChannel must match: speed, duplex, allowed VLAN list, native VLAN, trunk/access mode. One mismatch and that member is left out of the bundle or the whole bundle stays down. In show etherchannel summary each member should show (P), bundled in port-channel; (s) is suspended, (I) stand-alone (the port fell out of the bundle and is running as an individual link), (D) down. Configure trunk settings on the Port-Channel interface and let them propagate to the members instead of editing members one by one.

OSPF CHEAT SHEET (SINGLE AREA)

OSPF is a link-state IGP — each router builds an identical topology database and runs Dijkstra to compute shortest paths. Single-area OSPF means everything sits in Area 0 (the backbone). CCNA Domain 3.

▶ BASIC CONFIG
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface gi0/0
▶ INTERFACE-LEVEL ALTERNATIVE
router ospf 1
 router-id 1.1.1.1

interface gi0/0
 ip ospf 1 area 0

interface gi0/1
 ip ospf 1 area 0
 ip ospf hello-interval 5
 ip ospf dead-interval 20
 ! priority influences the DR/BDR election (highest wins; 0 = never DR)
 ip ospf priority 100
 ! point-to-point network type skips the DR election entirely
 ip ospf network point-to-point
▶ COST + AUTHENTICATION
! Set the reference bandwidth so 10G/40G links get distinct costs: with the
! default 100 Mbps every link of 100M or faster costs 1. Use the same value
! on every router in the domain or path costs become asymmetric.
router ospf 1
 ! value in Mbps
 auto-cost reference-bandwidth 100000

! Per-interface cost override
interface gi0/0
 ip ospf cost 5

! MD5 authentication (the only OSPFv2 option on older IOS). The key lands in
! the running-config in clear text unless service password-encryption is on,
! and even then it is only type-7 obfuscated, so treat backups as secret.
! IOS 15.4(1)T+ / IOS XE also accept a key chain with HMAC-SHA
! (ip ospf authentication key-chain <name>), which is the better choice.
interface gi0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 SecretP@ss
▶ SHOW / VERIFY
show ip ospf neighbor
show ip ospf interface brief
show ip ospf interface gi0/0
show ip route ospf
show ip protocols
show ip ospf database
! force re-adjacency (disruptive: drops every neighbor)
clear ip ospf process
[ ⚠ GOTCHA ] For two routers to form an adjacency, ALL of these must match: area ID, hello/dead timers, subnet and mask on the link, network type, authentication type and key, and the stub/NSSA flags; the router IDs must also be different. MTU must match too: show ip ospf neighbor stuck at EXSTART/EXCHANGE is almost always an MTU mismatch (ip ospf mtu-ignore papers over it; fixing the MTU is the real fix).

OSPF MULTI-AREA CHEAT SHEET

Multi-area OSPF splits the topology to limit LSA flooding and SPF recalculations. Area 0 is the backbone; all other areas must connect to it (directly or via virtual link). CCNA Domain 3.

▶ ABR CONFIG (TWO AREAS)
router ospf 1
 router-id 2.2.2.2
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.0.255 area 1
▶ AREA TYPES (SPECIAL AREAS)
! Stub area: blocks Type 4/5 (external) LSAs at the ABR, which injects a
! default route instead. Every router in the area must agree on the stub
! flag or adjacencies fail.
router ospf 1
 area 1 stub

! Totally stubby (Cisco-proprietary): also blocks Type 3 inter-area LSAs.
! no-summary is needed only on the ABR; internal routers keep plain "area 1 stub".
router ospf 1
 area 1 stub no-summary

! NSSA — like stub but allows local redistribution as Type 7
router ospf 1
 area 2 nssa

! Inter-area route summarization (on the ABR)
router ospf 1
 area 1 range 10.1.0.0 255.255.0.0
▶ LSA TYPES (REFERENCE)
Type 1  Router LSA       — every router, intra-area
Type 2  Network LSA      — DR on multi-access segment
Type 3  Summary LSA      — ABR floods inter-area routes
Type 4  ASBR Summary     — ABR advertises path to ASBR
Type 5  External LSA     — ASBR redistributes external
Type 7  NSSA External    — external INSIDE an NSSA area
▶ SHOW / VERIFY
show ip ospf
show ip ospf database
show ip ospf database router
show ip ospf database summary
show ip ospf database external
show ip ospf border-routers
show ip route ospf
[ ⚠ GOTCHA ] Every non-backbone area must connect to Area 0. If you can't physically wire it, use a virtual link through a transit area — but virtual links are a stopgap, not a design choice. Also: stub areas can't contain an ASBR. If you need to redistribute INTO an area, use NSSA instead.

STATIC ROUTING CHEAT SHEET

Manually configured routes. Useful for stub networks, default routes to the ISP, or as floating backups behind a dynamic protocol. Administrative distance is 1 by default. CCNA Domain 3.

▶ BASIC STATIC ROUTE
! Destination network / mask / next-hop
ip route 192.168.10.0 255.255.255.0 10.0.0.2

! Or by exit interface (used on point-to-point links)
ip route 192.168.10.0 255.255.255.0 gi0/0

! Default route (the "gateway of last resort")
ip route 0.0.0.0 0.0.0.0 10.0.0.2
▶ FLOATING STATIC (BACKUP)
! Primary path — administrative distance 1 (default)
ip route 192.168.10.0 255.255.255.0 10.0.0.2

! Backup — AD 200 so it only installs if primary dies
ip route 192.168.10.0 255.255.255.0 172.16.0.2 200
▶ HOST ROUTE + NULL ROUTE
! Host route — single IP
ip route 192.168.10.50 255.255.255.255 10.0.0.2

! Blackhole route — drops all traffic to this prefix
ip route 10.99.0.0 255.255.0.0 null0
▶ SHOW / VERIFY
show ip route
show ip route static
show ip route 192.168.10.0
! gateway of last resort
show ip route 0.0.0.0
[ ⚠ GOTCHA ] A static route only installs if IOS can resolve it: the exit interface must be up, or the next-hop must fall inside a connected (up) network. If that interface goes down, the route disappears. Floating statics rely on this: when the primary's interface drops, IOS withdraws the AD-1 route and the AD-200 backup takes over. The catch: if the local interface stays up/up while the far end is dead (common on Ethernet through a switch or a carrier handoff), the primary never leaves the table and the backup never installs. For that case track the next-hop with an IP SLA probe (ip sla + track, then ip route ... track) instead of trusting link state.
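Added example (Python, not from this cheat sheet) of the install rule and floating static from the gotcha above, plus longest-prefix match. Interface names and addresses are constructed; a static installs when its exit interface is up or its next-hop sits in a connected network, mirroring IOS without modelling multi-level recursion or IP SLA tracking.

```python
"""Static route installation, longest-prefix match and a floating static.

Added example, not from the cheat sheet. The RIB model implements the two
rules the gotcha relies on: a static installs only when its exit interface
is up or its next-hop lies in a connected network, and for one prefix the
lowest administrative distance wins. Interfaces and link changes are made up.
"""
import ipaddress

AD_CONNECTED, AD_STATIC = 0, 1


class Rib:
    def __init__(self):
        self.ifaces = {}   # name -> {"net": IPv4Network, "up": bool}
        self.statics = []  # (prefix, next_hop or None, iface or None, ad)

    def interface(self, name, cidr, up=True):
        self.ifaces[name] = {"net": ipaddress.IPv4Interface(cidr).network, "up": up}

    def set_link(self, name, up):
        self.ifaces[name]["up"] = up

    def ip_route(self, prefix, via, ad=AD_STATIC):
        """`ip route <prefix> <mask> <next-hop | exit-interface> [ad]`."""
        net = ipaddress.IPv4Network(prefix)
        if via in self.ifaces:
            self.statics.append((net, None, via, ad))
        else:
            self.statics.append((net, ipaddress.IPv4Address(via), None, ad))

    def _connected(self):
        return {n: i["net"] for n, i in self.ifaces.items() if i["up"]}

    def table(self):
        """Routes that would actually be installed: connected first, then each
        resolvable static, keeping only the best AD per prefix."""
        installed = {}
        for name, net in self._connected().items():
            installed[net] = (AD_CONNECTED, name)
        for prefix, nh, iface, ad in self.statics:
            if iface is not None:
                ok = self.ifaces[iface]["up"]
            else:  # one-level recursive lookup: next-hop must be in a connected network
                ok = any(nh in net for net in self._connected().values())
            if not ok:
                continue
            via = iface if iface is not None else str(nh)
            if prefix not in installed or ad < installed[prefix][0]:
                installed[prefix] = (ad, via)
        return installed

    def lookup(self, dst):
        """Longest prefix match over the installed table; None = no route."""
        dst = ipaddress.IPv4Address(dst)
        best = None
        for prefix, (ad, via) in self.table().items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, ad, via)
        return None if best is None else (str(best[0]), best[1], best[2])


def demo():
    rib = Rib()
    rib.interface("gi0/0", "10.0.0.1/30")      # toward primary next-hop 10.0.0.2
    rib.interface("gi0/1", "172.16.0.1/30")    # toward backup next-hop 172.16.0.2
    rib.interface("gi0/2", "192.168.1.1/24")   # LAN
    rib.ip_route("192.168.10.0/24", "10.0.0.2")             # primary, AD 1
    rib.ip_route("192.168.10.0/24", "172.16.0.2", ad=200)   # floating backup
    rib.ip_route("192.168.10.50/32", "172.16.0.2")          # host route: longer prefix beats the /24
    rib.ip_route("0.0.0.0/0", "10.0.0.2")                   # default route
    out = {}
    out["lpm"] = rib.lookup("192.168.10.50")      # ('192.168.10.50/32', 1, '172.16.0.2')
    out["primary"] = rib.lookup("192.168.10.7")   # ('192.168.10.0/24', 1, '10.0.0.2')
    out["default"] = rib.lookup("8.8.8.8")        # ('0.0.0.0/0', 1, '10.0.0.2')
    rib.set_link("gi0/0", False)                  # primary link drops: statics via 10.0.0.2 withdraw
    out["failover"] = rib.lookup("192.168.10.7")  # ('192.168.10.0/24', 200, '172.16.0.2')
    out["no_default"] = rib.lookup("8.8.8.8")     # None: the only default route went with gi0/0
    rib.set_link("gi0/0", True)
    out["restored"] = rib.lookup("192.168.10.7")  # AD 1 preempts the backup again
    return out


if __name__ == "__main__":
    print(demo())
```

Note what the model cannot see: if gi0/0 stays up while 10.0.0.2 itself dies, lookup keeps returning the primary, which is exactly the situation the gotcha describes and the reason for IP SLA tracking.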

ACCESS CONTROL LIST CHEAT SHEET

ACLs filter traffic based on packet headers. Standard ACLs (1-99, expanded range 1300-1999) match source IP only; extended ACLs (100-199, expanded 2000-2699) match source + destination + protocol + port. Evaluation is top-down, first match wins, and an implicit deny any sits at the end. CCNA Domain 5.

▶ STANDARD ACL (NUMBERED)
access-list 10 deny host 192.168.1.50
access-list 10 permit 192.168.1.0 0.0.0.255
! Implicit "deny any" follows automatically

interface gi0/0
 ip access-group 10 in
▶ EXTENDED ACL (NUMBERED)
! Permit HTTP/HTTPS from LAN to anywhere
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
! Permit DNS
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 53
! Deny everything else (explicit — for logging)
access-list 101 deny ip any any log

interface gi0/0
 ip access-group 101 in
▶ NAMED ACL (PREFERRED MODERN STYLE)
ip access-list extended WEB-OUT
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 deny ip any any log

interface gi0/0
 ip access-group WEB-OUT out

! Edit a single line later
ip access-list extended WEB-OUT
 no 20
 15 permit tcp 192.168.1.0 0.0.0.255 any eq 25
▶ SHOW / VERIFY
show access-lists
show access-lists WEB-OUT
show ip access-lists
! shows which ACL is applied in which direction
show ip interface gi0/0
clear access-list counters
[ ⚠ GOTCHA ] Standard ACLs see only the source, so place them close to the destination; placed near the source they would block that host's traffic to every destination. Extended ACLs see source, destination and port, so place them close to the source to drop the traffic before it crosses the network. Remember the implicit deny any at the end: an ACL containing only deny entries blocks everything, and an interface with no ACL applied permits everything.
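Added example (Python, not from this cheat sheet): a top-down evaluator for the ACL syntax shown in this section, run over constructed packets. It handles only the keywords used on this page (host, wildcard, any, eq <dst-port>, log); sequence numbers follow the IOS default of 10, 20, 30.

```python
"""Top-down ACL evaluation with wildcard masks and the implicit deny.

Added example, not from the cheat sheet. It parses the numbered and named
ACE syntax shown on this page (destination port only; no source ports,
ranges or established) and walks a packet through the list the way IOS
does: first match wins, no match means deny. The packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (0, 0xFFFFFFFF)  # network 0.0.0.0, wildcard 255.255.255.255
PROTOCOLS = ("ip", "tcp", "udp", "icmp")


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple
    dst: tuple
    dport: Optional[int]
    log: bool


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(t), _ip(tokens.pop(0)))


def parse_ace(line):
    tokens = line.split()
    if tokens[0] == "access-list":  # numbered form carries 'access-list N' first
        tokens = tokens[2:]
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    proto = tokens.pop(0) if tokens[0] in PROTOCOLS else "ip"  # standard ACL: no protocol field
    src = _addr(tokens)
    dst = _addr(tokens) if tokens and tokens[0] not in ("eq", "log") else ANY  # standard ACL: dst any
    dport, log = None, False
    while tokens:
        t = tokens.pop(0)
        if t == "eq":
            dport = int(tokens.pop(0))
        elif t == "log":
            log = True
        else:
            raise ValueError(f"unsupported keyword {t!r}")
    return Ace(action, proto, src, dst, dport, log)


def matches(addr, spec):
    """Wildcard match: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl_lines, pkt):
    """Return (action, sequence, log). Sequence numbers follow the IOS default
    of 10, 20, 30...; None means the implicit deny at the end fired."""
    for seq, ace in enumerate((parse_ace(l) for l in acl_lines), start=1):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not matches(_ip(pkt["src"]), ace.src) or not matches(_ip(pkt["dst"]), ace.dst):
            continue
        if ace.dport is not None and pkt.get("dport") != ace.dport:
            continue
        return ace.action, seq * 10, ace.log
    return "deny", None, False


ACL_101 = [  # the extended ACL from this page
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443",
    "access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 53",
    "access-list 101 deny ip any any log",
]
ACL_10 = [  # the standard ACL from this page
    "access-list 10 deny host 192.168.1.50",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
]


def demo():
    return {
        "https": evaluate(ACL_101, {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.7", "dport": 443}),
        "dns": evaluate(ACL_101, {"proto": "udp", "src": "192.168.1.10", "dst": "1.1.1.1", "dport": 53}),
        "ssh": evaluate(ACL_101, {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.7", "dport": 22}),
        "blocked_host": evaluate(ACL_10, {"proto": "ip", "src": "192.168.1.50", "dst": "10.0.0.1"}),
        "lan_host": evaluate(ACL_10, {"proto": "ip", "src": "192.168.1.7", "dst": "10.0.0.1"}),
        "implicit": evaluate(ACL_10, {"proto": "ip", "src": "10.9.9.9", "dst": "10.0.0.1"}),
        # Order matters: with the two standard ACEs swapped, 'deny host' never fires.
        "reordered": evaluate(ACL_10[::-1], {"proto": "ip", "src": "192.168.1.50", "dst": "10.0.0.1"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

The "reordered" case is the classic mistake the cheat sheet's "first match wins" line is warning about: a broad permit placed above a narrow deny silently makes the deny dead code, and show access-lists will show its hit counter stuck at zero.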

NAT / PAT CHEAT SHEET

NAT rewrites IP addresses (and PAT also rewrites ports) as packets traverse a boundary. PAT (NAT overload) is what every home/office router does to share one public IP across many internal hosts. CCNA Domain 4.

▶ MARK INSIDE / OUTSIDE
! Every NAT config starts here — mark which side is which
interface gi0/0
 description LAN
 ip nat inside

interface gi0/1
 description WAN
 ip nat outside
▶ PAT (NAT OVERLOAD) — MOST COMMON
! Define which internal hosts get translated
access-list 1 permit 192.168.1.0 0.0.0.255

! Translate via outside interface, overload to share one IP
ip nat inside source list 1 interface gi0/1 overload
▶ STATIC NAT (PORT FORWARDING)
! 1:1 mapping — internal server visible on public IP
ip nat inside source static 192.168.1.50 198.51.100.50

! Port forward only TCP/22 (SSH) to internal server
ip nat inside source static tcp 192.168.1.50 22 interface gi0/1 22
▶ DYNAMIC NAT (POOL)
ip nat pool PUBLIC_POOL 198.51.100.10 198.51.100.20 netmask 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool PUBLIC_POOL
▶ SHOW / VERIFY
show ip nat translations
show ip nat translations verbose
show ip nat statistics
! flush all entries (breaks every active session)
clear ip nat translation *
! verbose: careful on a busy router
debug ip nat
[ ⚠ GOTCHA ] Four NAT terms to keep straight: Inside Local = real internal IP. Inside Global = what the internal host looks like FROM the outside (the translated address). Outside Global = real external IP. Outside Local = how the outside host appears INSIDE (rare — used in tricky NAT-on-both-sides scenarios). Exam loves this terminology.
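Added example (Python, not from this cheat sheet): a PAT translation table that pins down the four terms in the gotcha above and shows why inbound traffic with no entry is dropped. Addresses are documentation ranges and the port-allocation rule is simplified, as noted in the docstring.

```python
"""PAT (NAT overload) translation table: what the four NAT terms refer to
and why unsolicited inbound traffic has nowhere to go.

Added example, not from the cheat sheet. Port allocation is simplified to
'keep the original source port if it is free, otherwise take the next free
port from 1024 up'; real IOS keeps the port within its range band. The
inside/outside addresses are constructed from documentation ranges.
"""
import ipaddress


class PatTable:
    def __init__(self, inside_global, inside_net):
        self.inside_global = inside_global                   # the one public IP (the WAN interface)
        self.inside_net = ipaddress.IPv4Network(inside_net)  # plays the role of `access-list 1`
        self._out = {}     # (proto, inside_local, lport, outside, oport) -> gport
        self._in = {}      # (proto, gport, outside, oport) -> (inside_local, lport)
        self._static = {}  # (proto, gport) -> (inside_local, lport)
        self._used = {}    # proto -> set of global ports in use

    def static_port(self, proto, inside_local, lport, gport):
        """`ip nat inside source static <proto> <local> <lport> interface <wan> <gport>`."""
        self._static[(proto, gport)] = (inside_local, lport)
        self._used.setdefault(proto, set()).add(gport)

    def _alloc(self, proto, wanted):
        used = self._used.setdefault(proto, set())
        port = wanted if wanted not in used else next(p for p in range(1024, 65536) if p not in used)
        used.add(port)
        return port

    def outbound(self, proto, inside_local, lport, outside, oport):
        """Inside -> outside. Returns (inside_global, gport), or None when the
        source is not in the NAT ACL (packet is routed untranslated)."""
        if ipaddress.IPv4Address(inside_local) not in self.inside_net:
            return None
        key = (proto, inside_local, lport, outside, oport)
        if key not in self._out:  # new flow: create the extended (5-tuple) entry
            gport = self._alloc(proto, lport)
            self._out[key] = gport
            self._in[(proto, gport, outside, oport)] = (inside_local, lport)
        return self.inside_global, self._out[key]

    def inbound(self, proto, gport, outside, oport):
        """Outside -> inside_global:gport. Matches the 5-tuple created by an
        earlier outbound packet, or a static entry; anything else is dropped."""
        return self._in.get((proto, gport, outside, oport)) or self._static.get((proto, gport))

    def translations(self):
        """Rows in `show ip nat translations` order: Inside global, Inside local,
        Outside local, Outside global. Outside local equals outside global here
        because only the inside side is translated."""
        return sorted(
            (proto, f"{self.inside_global}:{gport}", f"{il}:{lp}", f"{o}:{op}", f"{o}:{op}")
            for (proto, il, lp, o, op), gport in self._out.items()
        )


def demo():
    pat = PatTable("198.51.100.1", "192.168.1.0/24")
    out = {}
    out["a"] = pat.outbound("tcp", "192.168.1.10", 50000, "203.0.113.5", 443)  # ('198.51.100.1', 50000)
    out["b"] = pat.outbound("tcp", "192.168.1.11", 50000, "203.0.113.5", 443)  # clash -> ('198.51.100.1', 1024)
    out["reply_a"] = pat.inbound("tcp", 50000, "203.0.113.5", 443)             # ('192.168.1.10', 50000)
    out["reply_b"] = pat.inbound("tcp", 1024, "203.0.113.5", 443)              # ('192.168.1.11', 50000)
    out["spoof"] = pat.inbound("tcp", 50000, "203.0.113.6", 443)               # None: other outside host
    out["unsolicited"] = pat.inbound("tcp", 22, "203.0.113.9", 40000)          # None: no entry at all
    pat.static_port("tcp", "192.168.1.50", 22, 22)                             # the port-forward from this page
    out["forwarded"] = pat.inbound("tcp", 22, "203.0.113.9", 40000)            # ('192.168.1.50', 22)
    out["untranslated"] = pat.outbound("tcp", "10.0.0.5", 1234, "203.0.113.5", 80)  # None: not in ACL 1
    out["rows"] = pat.translations()
    return out


if __name__ == "__main__":
    for row in demo()["rows"]:
        print(row)
```

Two things worth noticing: an entry is keyed on the outside host and port as well, so a different outside host sending to the same global port gets nothing back, and a host the NAT ACL does not match is routed with its private source address intact, which the upstream will drop. That second case is why a NAT ACL should permit exactly the inside ranges and nothing else.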

DHCP CHEAT SHEET

DHCP hands out IP/mask/gateway/DNS to clients. A Cisco router or L3 switch can act as the server, or as a relay forwarding requests to a central server in another subnet. CCNA Domain 4.

▶ DHCP SERVER ON A ROUTER
! Reserve the static stuff first (gateway, printers, servers)
ip dhcp excluded-address 192.168.10.1 192.168.10.10

ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 1.1.1.1 8.8.8.8
 domain-name lan.local
 lease 7
▶ DHCP RELAY (HELPER ADDRESS)
! Forward DHCP broadcasts to a server in another subnet
interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.0.0.5
▶ DHCP CLIENT (INTERFACE GETS IP FROM SERVER)
interface gi0/1
 ip address dhcp
 no shutdown
▶ RESERVATION (BIND IP TO MAC)
ip dhcp pool PRINTER
 host 192.168.10.50 255.255.255.0
 ! 01 (Ethernet) prefix + MAC 0011.2233.4455, written as 0100.1122.3344.55
 client-identifier 0100.1122.3344.55
 default-router 192.168.10.1
▶ SHOW / VERIFY
show ip dhcp binding
show ip dhcp pool
show ip dhcp conflict
show ip dhcp server statistics
clear ip dhcp binding *
! verbose
debug ip dhcp server packet
[ ⚠ GOTCHA ] DHCP discover/request messages are broadcasts and don't cross subnet boundaries. ip helper-address fixes that: the router relays the client broadcast as a unicast to the server and sets giaddr to its own interface address, which is how the server picks the right pool. Two caveats: by default the helper also relays other UDP broadcasts (time 37, TACACS 49, DNS 53, TFTP 69, NetBIOS 137/138), so switch off what you don't need with no ip forward-protocol udp <port>; and nothing here stops a rogue DHCP server in the same VLAN from answering first, which is what DHCP snooping is for.

CDP / LLDP CHEAT SHEET

Discovery protocols let directly connected devices learn about each other — hostname, IP, platform, port. CDP is Cisco-proprietary and on by default; LLDP is the IEEE 802.1AB standard and off by default. CCNA Domain 2.

▶ CDP (ON BY DEFAULT)
! Disable globally (best practice on internet-facing edge)
no cdp run

! Disable per interface only
interface gi0/1
 no cdp enable

! Tune timers
! advertisement interval (seconds)
cdp timer 30
! how long peers cache us (seconds)
cdp holdtime 90
▶ LLDP (OFF BY DEFAULT)
lldp run

! Per-interface tx/rx control
interface gi0/0
 lldp transmit
 lldp receive

! Timers (different from CDP)
lldp timer 30
lldp holdtime 120
lldp reinit 2
▶ SHOW / VERIFY
show cdp neighbors
show cdp neighbors detail
show cdp interface
show cdp entry *

show lldp neighbors
show lldp neighbors detail
show lldp interface
[ ⚠ GOTCHA ] CDP leaks model number, IOS version, management IP, native VLAN and port names to anyone with physical or trunked access, so turn it off on ports facing untrusted networks. Leave it on ports with Cisco IP phones, which use CDP to learn the voice VLAN and negotiate power (LLDP-MED covers non-Cisco phones). Both protocols run at Layer 2 only and don't cross routers: if show cdp neighbors lists a device on the far side of what you thought was a Layer 3 hop, there is a bridge in the path.

IPv6 CHEAT SHEET

128-bit addresses, no broadcasts (uses multicast and anycast instead), built-in link-local addressing, and SLAAC for self-configuration. Different config style from IPv4 — every IPv6 interface gets multiple addresses. CCNA Domain 1.

▶ ENABLE IPv6 + ASSIGN ADDRESS
! Required before any IPv6 routing happens
ipv6 unicast-routing

interface gi0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 address fe80::1 link-local
 ipv6 enable
 no shutdown
▶ SLAAC + EUI-64
! Auto-configure address from RA + interface MAC
interface gi0/0
 ipv6 address autoconfig

! Manual prefix, host portion derived via EUI-64
interface gi0/0
 ipv6 address 2001:db8:1::/64 eui-64
▶ STATIC + DEFAULT ROUTE
ipv6 route 2001:db8:10::/64 2001:db8:0::2
! default route
ipv6 route ::/0 2001:db8:0::2
▶ OSPFv3
ipv6 router ospf 1
 router-id 1.1.1.1

interface gi0/0
 ipv6 ospf 1 area 0
▶ SHOW / VERIFY
show ipv6 interface brief
show ipv6 interface gi0/0
show ipv6 route
show ipv6 neighbors
show ipv6 protocols
show ipv6 ospf neighbor
ping 2001:db8:1::2
[ ⚠ GOTCHA ] Every IPv6 interface has a link-local address (fe80::/10) used for OSPF adjacencies, neighbor discovery, and as the next-hop in routing. You can let IOS auto-generate it via EUI-64, but setting it by hand makes troubleshooting drastically easier, and fe80::1 is fine on every interface of a router because link-local scope is per link. If you use a link-local address as a static-route next-hop you must also name the exit interface (ipv6 route ::/0 gi0/0 fe80::2), since fe80::2 on its own does not identify a link. Also: there's no ARP in IPv6; Neighbor Discovery (NDP) runs over ICMPv6 types 135/136 (plus 133/134 for RS/RA), so never filter ICMPv6 wholesale.
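Added example (Python, not from this cheat sheet): the modified EUI-64 derivation behind the eui-64 keyword and the auto-generated link-local, and its inverse. MAC and prefix values are constructed. The reverse function is the practical caveat: an EUI-64 address publishes the interface MAC (vendor OUI included) to every peer, which is why hosts use privacy addresses; on router interfaces a hand-set link-local such as fe80::1 sidesteps that and is easier to read.

```python
"""Modified EUI-64: how `ipv6 address ... eui-64` and the auto link-local
derive the interface ID from the MAC, and why the MAC can be read back out.

Added example, not from the cheat sheet. MAC and prefixes are constructed;
MACs accept Cisco dotted, colon or dash notation.
"""
import ipaddress


def mac_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return raw


def eui64_interface_id(mac):
    """Split the MAC in half, insert ff:fe, flip the universal/local bit
    (0x02 of the first byte). Returns the 8-byte interface ID."""
    m = bytearray(mac_bytes(mac))
    m[0] ^= 0x02
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def eui64_address(prefix, mac):
    """Prefix must be a /64: the interface ID occupies exactly the low 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local(mac):
    """What IOS generates when no link-local is configured by hand."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64(addr):
    """Reverse the derivation. Returns the MAC, or None if the interface ID
    does not carry the ff:fe marker (manually set, privacy or random IID)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytearray(iid[:3] + iid[5:])
    m[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in m)


def demo():
    mac = "0011.2233.4455"  # constructed interface MAC
    return {
        "global": str(eui64_address("2001:db8:1::/64", mac)),   # 2001:db8:1:0:211:22ff:fe33:4455
        "link_local": str(link_local(mac)),                      # fe80::211:22ff:fe33:4455
        "recovered_mac": mac_from_eui64("2001:db8:1::211:22ff:fe33:4455"),  # 00:11:22:33:44:55
        "manual": mac_from_eui64("fe80::1"),                     # None: nothing to recover
    }


if __name__ == "__main__":
    print(demo())
```

Run mac_from_eui64 over a show ipv6 neighbors dump and you get the hardware inventory of the segment for free, which is the whole argument against EUI-64 on anything that should not be fingerprintable.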

★ HOW TO USE THIS

Each tab gives you the same three things: a config block you can paste into a lab and tweak, a list of show commands to verify what's actually happening, and a gotcha that catches CCNA students on the exam. Hit COPY on any block to grab it without selecting. Hit PRINT THIS CHEAT SHEET to get a paper version of the active topic — formatted for a single page.

v1 — IOS 15.x / IOS XE syntax. Most commands work on Cisco Packet Tracer too. If a command doesn't take, check your platform's specific feature set — Packet Tracer is missing some features (IPv6 OSPF authentication, NAT64, EIGRP named mode, etc.). Spotted a typo or want a topic added? Ping me.