Cisco IOS Command Reference
Overview
This is a quick reference of commonly (or not so commonly) used Cisco IOS commands that I run into during my work.
In all cases, iFaceName is the interface name, such as gig1/0/1.
Interface Commands
- Show brief port listing
- show interfaces description
- Show interfaces with errors
- show interfaces status err-disabled
- Show interfaces with MAC address xx:yy:zz:aa:bb:cc
- show mac address-table address xx:yy:zz:aa:bb:cc
- Show fiber module power level summary
- show interfaces transceiver
Cable Testing
- Time Domain Reflectometer (TDR) Cable Test
- test cable tdr interface iFaceName
- TDR Test Results Display
- show cable-diagnostics tdr interface iFaceName
PoE management
- Power cycle device on PoE interface
- config terminal
interface iFaceName
power inline never
power inline auto
exit
exit
- Show PoE Power Usage
- show power inline
SSL Certificate Management
- To list SSL certificates
- show crypto pki certificates
- To list SSL keys
- show crypto key mypubkey rsa
- To delete SSL key for HTTP on switch
- crypto key zeroize rsa HTTPS_SS_CERT_KEYPAIR
- To delete SSL certificate for HTTPS on switch
- no crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
- To import root and intermediate certificates to switch with name certname
- crypto pki trustpoint certname
enrollment terminal PEM
crl optional
exit
crypto pki authenticate certname
- To import SSL certificate for HTTPS on switch
- crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment terminal PEM
crl optional
exit
crypto pki import HTTPS_SS_CERT_KEYPAIR pkcs12 scp://user@host:file password key password
If experiencing issues with the pkcs12 import, try copying the PFX file to flash storage and importing from there.
OpenSSL generate new Self Signed Certificate
To replace the existing HTTPS certificate on a switch with a new self-signed certificate, generate the certificate with OpenSSL by running the following command in a bash shell:
openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 4000 -out tmp.cer -subj "/CN=SelfSignedCert" &> /dev/null && openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:Cisco123 && openssl pkcs12 -export -out certificate.pfx -password pass:Cisco123 -inkey tmp.key -in tmp.cer && rm tmp.bin tmp.key tmp.cer && openssl base64 -in certificate.pfx
This will generate a certificate for host name "SelfSignedCert" with a passcode of Cisco123. On the switch, issue the following commands to remove the old certificate and import the new one:
no ip http secure-server
crypto key zeroize rsa HTTPS_SS_CERT_KEYPAIR
crypto pki import HTTPS_SS_CERT_KEYPAIR pkcs12 terminal password Cisco123
<PASTE CERTIFICATE FROM OPENSSL>
ip http secure-server
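The same generation step as a function, shown as an added example that is not part of the original page: it takes the passphrase from an environment variable rather than the command line, keeps the private key in a private temporary directory, and re-opens the PFX to confirm it matches the certificate before writing the base64 text to paste. The function name make_switch_pfx and the variable PFX_PASS are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original page).
# Assumed names: make_switch_pfx, PFX_PASS (passphrase supplied by the caller).
# Usage: PFX_PASS=... make_switch_pfx <common-name> <days> <base64-output-file>

make_switch_pfx() {
    cn="$1"; days="$2"; out="$3"
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 2; }
    export PFX_PASS

    work="$(mktemp -d)" || return 1
    (
        umask 077   # private key and bundle readable by the owner only

        # Unencrypted key plus self-signed certificate, as in the page's command
        openssl req -newkey rsa:2048 -nodes -x509 -days "$days" \
            -subj "/CN=$cn" -keyout "$work/tmp.key" -out "$work/tmp.cer" \
            2>/dev/null || exit 1

        # env: keeps the passphrase out of the process argument list
        openssl pkcs12 -export -inkey "$work/tmp.key" -in "$work/tmp.cer" \
            -passout env:PFX_PASS -out "$work/certificate.pfx" || exit 1

        # Re-open the bundle with the same passphrase and compare fingerprints,
        # so a bad passphrase or a damaged file is caught before the paste step
        fp_cert="$(openssl x509 -in "$work/tmp.cer" -noout -fingerprint -sha1)"
        fp_pfx="$(openssl pkcs12 -in "$work/certificate.pfx" \
            -passin env:PFX_PASS -nokeys 2>/dev/null |
            openssl x509 -noout -fingerprint -sha1)"
        [ -n "$fp_cert" ] && [ "$fp_cert" = "$fp_pfx" ] || exit 1

        # Base64 text to paste at the "pkcs12 terminal" prompt
        openssl base64 -in "$work/certificate.pfx" > "$out" || exit 1
        echo "$fp_cert"   # fingerprint of the certificate inside the bundle
    )
    rc=$?
    rm -rf "$work"        # key, certificate and PFX do not outlive the call
    return "$rc"
}
```

The function prints the certificate's SHA-1 fingerprint on success, which can be recorded alongside the change.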
Embedded Packet Capture
To capture packets with the embedded capture feature and write them to a file, use the following setup, where capName is the name of the capture and iFaceName is the name of the interface to capture.
First set up the capture and verify it as shown below for your interface. This example captures all inbound and outbound traffic into a 32MB circular buffer.
enable
monitor capture capName interface iFaceName both
monitor capture capName buffer circular size 32
monitor capture capName match any
show monitor capture capName
end
Start and stop the capture as needed with the commands:
enable
monitor capture capName start
monitor capture capName stop
end
Export the data to an external file for analysis with the commands below. This saves the data to flash, from which you will need to copy it to your computer and then clean up.
enable
monitor capture capName export location flash:capName.pcap
monitor capture capName export status
copy flash:capName.pcap scp://user@hostname//path/
delete flash:capName.pcap
end
When finished, clear the capture and remove it with the commands below.
enable
monitor capture capName clear
no monitor capture capName
end