Cisco IOS Command Reference


This is a quick reference of commonly (or not so commonly) used Cisco IOS commands that I run into during my work.

In all cases, iFaceName is the interface name, such as gig1/0/1.

Interface Commands

Show brief port listing
show interfaces description
Show interfaces disabled by errors (err-disabled state)
show interfaces status err-disabled
Show interfaces with MAC address xx:yy:zz:aa:bb:cc
show mac address-table address xx:yy:zz:aa:bb:cc
Show fiber module power level summary
show interfaces transceiver

Cable Testing

Time Domain Reflectometer (TDR) Cable Test
test cable tdr interface iFaceName
TDR Test Results Display
show cable-diagnostics tdr interface iFaceName

PoE management

Power cycle device on PoE interface
config terminal
interface iFaceName
power inline never
power inline auto
Show PoE Power Usage
show power inline

SSL Certificate Management

To list SSL certificates
show crypto pki certificates
To list SSL keys
show crypto key mypubkey rsa
To delete SSL key for HTTPS on switch
crypto key zeroize rsa HTTPS_SS_CERT_KEYPAIR
To delete SSL certificate for HTTPS on switch
no crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
To import root and intermediate certificates to switch with name certname
crypto pki trustpoint certname
enrollment terminal PEM
crl optional
crypto pki authenticate certname
To import SSL certificate for HTTPS on switch
crypto pki trustpoint HTTPS_SS_CERT_KEYPAIR
enrollment terminal PEM
crl optional
crypto pki import HTTPS_SS_CERT_KEYPAIR pkcs12 scp://user@host:file password key password

If experiencing issues with the pkcs12 import try copying the PFX file to flash storage and importing from there.

OpenSSL generate new Self Signed Certificate

To replace the existing HTTPS certificate on a switch with a new self-signed certificate, run the following OpenSSL command in a bash shell. It generates the certificate, packages it as a PFX file and prints that file as base64:

openssl req -newkey rsa:2048 -nodes -keyout tmp.key -x509 -days 4000 -out tmp.cer -subj "/CN=SelfSignedCert" &> /dev/null && openssl pkcs12 -export -in tmp.cer -inkey tmp.key -out tmp.bin -passout pass:Cisco123 && openssl pkcs12 -export -out certificate.pfx -password pass:Cisco123 -inkey tmp.key -in tmp.cer && rm tmp.bin tmp.key tmp.cer && openssl base64 -in certificate.pfx

This will generate a certificate for host name “SelfSignedCert” with a passcode of Cisco123. On the switch, issue the following commands to remove the old certificate and import the new one:

no ip http secure-server 
crypto key zeroize rsa HTTPS_SS_CERT_KEYPAIR
crypto pki import HTTPS_SS_CERT_KEYPAIR pkcs12 terminal password Cisco123
ip http secure-server
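
The generation step above as a reusable shell sketch, added here as an example and not part of the original page: it takes the passphrase from an environment variable instead of the command line, removes the unencrypted key when done, and checks the finished PFX before it goes to the switch. The function names and the PFX_PASS variable are assumptions made for this example.

```shell
# Added example, not from the original page. make_pfx, pfx_info and the
# PFX_PASS variable are names assumed for this sketch.

# make_pfx CN OUTFILE [DAYS]
# Self-signed cert + key bundled as PKCS#12. The passphrase comes from
# $PFX_PASS, so it never appears in argv or shell history.
make_pfx() {
    local cn="$1" out="$2" days="${3:-4000}" tmp rc
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 2; }
    tmp=$(mktemp -d) || return 1
    (
        umask 077            # key, cert and PFX readable by owner only
        export PFX_PASS      # env: source needs it in openssl's environment
        openssl req -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" -x509 \
            -days "$days" -subj "/CN=$cn" -out "$tmp/cert.pem" 2>/dev/null &&
        openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
            -out "$out" -passout env:PFX_PASS
    )
    rc=$?
    rm -rf "$tmp"            # the unencrypted key does not outlive the call
    return "$rc"
}

# pfx_info FILE
# Checks that $PFX_PASS opens the bundle, prints subject and expiry, and
# confirms the bundled private key belongs to the certificate.
pfx_info() {
    local f="$1" cert certpub keypub
    cert=$(export PFX_PASS; openssl pkcs12 -in "$f" -passin env:PFX_PASS \
        -nokeys -clcerts 2>/dev/null) ||
        { echo "cannot open $f (wrong passphrase or not PKCS#12)" >&2; return 1; }
    printf '%s\n' "$cert" |
        openssl x509 -noout -nameopt RFC2253 -subject -enddate
    certpub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    keypub=$(export PFX_PASS; openssl pkcs12 -in "$f" -passin env:PFX_PASS \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    if [ "$certpub" = "$keypub" ]; then
        echo "key_match=yes"
    else
        echo "key_match=no"; return 1
    fi
}

# Usage (constructed values):
#   read -rs PFX_PASS            # type the passphrase without echo
#   make_pfx switch01 certificate.pfx && pfx_info certificate.pfx
#   openssl base64 -in certificate.pfx   # text to paste at the IOS prompt
```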

Embedded Packet Capture

To capture packets with the embedded capture option and write them to a file, use the following setup, where capName is the name of the capture and iFaceName is the name of the interface to capture on.

First, set up the capture and verify it as shown below for your interface. This example captures all inbound and outbound traffic into a circular buffer that holds 32MB of data.

monitor capture capName interface iFaceName both
monitor capture capName buffer circular size 32
monitor capture capName match any
show monitor capture capName

Start and stop the capture as needed with the commands:

monitor capture capName start 
monitor capture capName stop

Export the data to an external file for analysis with the commands below. This saves the data to flash, which you will then need to copy to your computer and clean up.

monitor capture capName export location flash:capName.pcap
monitor capture capName export status
copy flash:capName.pcap scp://user@hostname//path/
delete flash:capName.pcap

When finished, clear the capture buffer and remove the capture with the commands below.

monitor capture capName clear
no monitor capture capName