Here are some invaluable commands to master when dealing with Cisco IOS devices. Please realize that choosing the actual numbered order is an exercise in futility. The most important IOS command is the one that helps you put out the current fire. Also, the options that can be used with these present a ginormous number of possible commands. I've just compiled some of my favorites.
Friday, July 29, 2011
Top Ten Cisco IOS Commands - 1) sh int
The Cisco IOS "show interface" command is an invaluable command to know. Also, it is probably one you have used before. With this command you can see the following info and more:
- IP address & mask
- Speed & duplex
- MAC address
- Status
- Errors
- Utilization
- Last clear counter time
You may know this already, but, what can be difficult is how to extract the precise data you want in a format that you can use. Here are some forms of the "sh int" command that I've found very useful:
Obviously, the basic first...
Ok, I cheated on this one. "Show ip interface brief" displays management IPs and up/down status...
Same command from a router...
A summary of interfaces and their utilization...
The description field can be handy. If you use it when programming ports, it can come back to help you later...
Also, errors can be seen. Here you'll see I've got some collisions and a receive error...
Another variation on errors...
Trunk info...
I use this a lot when setting up a new printer or workstation...
Need to check on the status of your GBICs?...
As you can see, the data that can be extracted from this root command "sh int" is only limited by your understanding of the options and some experience with the CLI.
Check this out. It is a Cisco page giving the field descriptions...
Cisco 12.2 docs: "interface" command
Wednesday, July 20, 2011
Top Ten Cisco IOS Commands - 4) sh cdp neighbor
CDP (Cisco Discovery Protocol) is a proprietary layer 2 protocol for Cisco devices. It sends announcements (by default every 60 seconds) about IOS version, IP address, hostname, etc. to multicast address 0100-0ccc-cccc on each connected interface. The information you get from the "show cdp neighbors" command varies with the version of IOS you are running. CDP can be enabled on a per-interface basis, and I would recommend disabling it on external-facing interfaces. (You may not want devices outside your network to glean anything from the CDP protocol running on your router!) Also, some monitoring software uses it in conjunction with SNMP to map networks, poll IOS versions, etc.
Here are some examples...
R1# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
SEPE9CA70FB2479 Fas 3/0/11 125 H P M IP Phone Port 1
2821.local.com Fas 1/0/48 134 R S I 2821 Gig 0/0.1
R1# sh cdp neighbors ?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Filter Filter interface
Filtergroup Filter Group interface
GigabitEthernet GigabitEthernet IEEE 802.3z
GroupVI Group Virtual interface
Lex Lex interface
Port-channel Ethernet Channel of interfaces
Portgroup Portgroup interface
Pos-channel POS Channel of interfaces
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Template Virtual Template interface
Virtual-TokenRingVirtual TokenRing
Vlan Catalyst Vlans
detail Show detailed information
fcpa Fiber Channel
| Output modifiers
<cr>
R1# sh cdp neighbors detail
-------------------------
Device ID: SEPE9CA70FB2479
Entry address(es):
IP address: 10.22.1.10
Platform: Cisco IP Phone 7975, Capabilities: Host Phone Two-port Mac Relay
Interface: FastEthernet3/0/11, Port ID (outgoing port): Port 1
Holdtime : 178 sec
Second Port Status: Up
advertisement version: 2
Duplex: full
Power drawn: 12.000 Watts
Power request id: 31097, Power management id: 3
Power request levels are:12000 0 0 0 0
Management address(es):
-------------------------
Device ID: 2821.local.com
Entry address(es):
IP address: 10.16.1.1
Platform: Cisco 2821, Capabilities: Router Switch IGMP
Interface: FastEthernet1/0/48, Port ID (outgoing port): GigabitEthernet0/0.1
Holdtime : 127 sec
advertisement version: 2
VTP Management Domain: ''
Duplex: full
Management address(es):
R1# sh cdp traffic
CDP counters :
Total packets output: 393013, Input: 15743
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
No memory: 0, Invalid packet: 0,
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 393013, Input: 15743
R1# sh cdp interface Fa1/0/48
FastEthernet1/0/48 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
As I mentioned, you can and should disable it on some interfaces...
R1# config t
R1(config)# int fa0/0
R1(config-if)# no cdp enable
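An added example, not part of the original post: a small parser for the "sh cdp neighbors detail" output shown above, so you can inventory which local interfaces are exchanging CDP with which neighbors and compare that against the interfaces you meant to leave CDP on. The sample text is constructed from the listing above; the allow-list passed to unexpected_cdp is an assumption.

```python
import re

# Constructed sample in the shape of the "sh cdp neighbors detail" output above.
SAMPLE = """\
-------------------------
Device ID: SEPE9CA70FB2479
Entry address(es):
  IP address: 10.22.1.10
Platform: Cisco IP Phone 7975,  Capabilities: Host Phone Two-port Mac Relay
Interface: FastEthernet3/0/11,  Port ID (outgoing port): Port 1
Holdtime : 178 sec
advertisement version: 2
Duplex: full
-------------------------
Device ID: 2821.local.com
Entry address(es):
  IP address: 10.16.1.1
Platform: Cisco 2821,  Capabilities: Router Switch IGMP
Interface: FastEthernet1/0/48,  Port ID (outgoing port): GigabitEthernet0/0.1
Holdtime : 127 sec
advertisement version: 2
VTP Management Domain: ''
Duplex: full
"""

# One regex per line type we keep; everything else (power, VTP, ...) is ignored.
RX = {
    "device_id": re.compile(r"^Device ID:\s*(\S+)"),
    "ip": re.compile(r"^\s*IP address:\s*(\S+)"),
    "platform": re.compile(r"^Platform:\s*(.*?),\s*Capabilities:\s*(.*)$"),
    "interface": re.compile(r"^Interface:\s*([^,]+),\s*Port ID \(outgoing port\):\s*(.*)$"),
    "holdtime": re.compile(r"^Holdtime\s*:\s*(\d+)\s*sec"),
}

def parse_cdp_detail(text):
    """Split on the dashed separators and return one dict per neighbor."""
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "Device ID:" not in block:
            continue
        entry = {}
        for line in block.splitlines():
            for name, rx in RX.items():
                m = rx.match(line)
                if not m:
                    continue
                if name == "platform":
                    entry["platform"] = m.group(1).strip()
                    entry["capabilities"] = m.group(2).strip()
                elif name == "interface":
                    entry["local_interface"] = m.group(1).strip()
                    entry["remote_port"] = m.group(2).strip()
                elif name == "holdtime":
                    entry["holdtime"] = int(m.group(1))
                else:
                    entry[name] = m.group(1)
        neighbors.append(entry)
    return neighbors

def interfaces_with_neighbors(neighbors):
    """Local interfaces currently exchanging CDP with something."""
    return sorted({n["local_interface"] for n in neighbors})

def unexpected_cdp(neighbors, allowed_interfaces):
    """Interfaces talking CDP that are not on your allow-list, e.g. an
    external-facing port where 'no cdp enable' should have been applied."""
    allowed = set(allowed_interfaces)
    return [i for i in interfaces_with_neighbors(neighbors) if i not in allowed]
```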
Top Ten Cisco IOS Commands - 3) sh line, sh users
A good understanding of terminal connections is important when administering Cisco devices.
The Cisco IOS command "show line" gives you a snapshot of which terminal "lines" are in use...
R1# sh line
Tty Line Typ Tx/Rx A Modem Roty Uses Noise Overruns Int
0 0 CTY - - - - - 0 0 0/0 -
* 1 1 AUX 115200/115200- inout - 3 0 53/0 -
* 514 514 VTY - - - - - 80 0 0/0 -
515 515 VTY - - - - - 2 0 0/0 -
516 516 VTY - - - - - 0 0 0/0 -
517 517 VTY - - - - - 0 0 0/0 -
518 518 VTY - - - - - 0 0 0/0 -
519 519 VTY - - - - - 0 0 0/0 -
520 520 VTY - - - - - 0 0 0/0 -
521 521 VTY - - - - - 0 0 0/0 -
522 522 VTY - - - - - 0 0 0/0 -
523 523 VTY - - - - - 0 0 0/0 -
524 524 VTY - - - - - 0 0 0/0 -
525 525 VTY - - - - - 0 0 0/0 -
526 526 VTY - - - - - 0 0 0/0 -
527 527 VTY - - - - - 0 0 0/0 -
528 528 VTY - - - - - 0 0 0/0 -
529 529 VTY - - - - - 0 0 0/0 -
Line(s) not in async mode -or- with no hardware support:
2-513
The terminal types are CTY=console, AUX=auxiliary, and VTY=virtual terminal.
The console and auxiliary ports are serial connections, and the VTY lines are for remote connections over the network using telnet or SSH.
The console port is typically used when setting up the device for the first time, or in disaster-recovery scenarios, for example when an IOS image upgrade isn't cooperating or the device doesn't have a valid IOS image.
The auxiliary port is typically used by a modem for "out-of-band" access as a backup connection for when the network is having issues. It's almost as good as the console port, but doesn't give you ROMMON access.
You can manually disconnect any of these lines with the following command...
R1# clear line <x>
[confirm] <------------press enter here
[OK]
Additionally, sometimes you'll want to know what IP addresses are connected. Use the "sh users" command for this...
R1# sh users
Line User Host(s) Idle Location
514 vty 0 idle 2d00h 10.10.0.2
515 vty 1 idle 00:01:01 10.10.11.23
*516 vty 2 idle 00:00:00 10.10.11.12
Interface User Mode Idle Peer Address
Se0/2/0:0 Sync PPP 00:00:00
Se0/2/1:0 Sync PPP 00:00:00
Se0/2/2:0 Sync PPP 00:00:00
Mu1 Sync PPP 00:00:00 192.168.101.20
Here the asterisk by line 516 shows my IP address. Also, try the command "who" on some IOS versions. It does pretty much the same thing.
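An added example, not from the original post: parsing "sh users" output like the above to list who is on which VTY and from where, then flagging sessions that come from outside your management networks or have sat idle long enough to be "clear line" candidates. The sample text is constructed from the listing above; the management network and idle threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the "sh users" output above.
SAMPLE = """\
    Line       User       Host(s)              Idle       Location
 514 vty 0                idle                 2d00h 10.10.0.2
 515 vty 1                idle              00:01:01 10.10.11.23
*516 vty 2                idle              00:00:00 10.10.11.12

  Interface    User               Mode         Idle     Peer Address
  Se0/2/0:0                       Sync PPP     00:00:00
"""

# '*' marks our own session; the User column is empty when nobody authenticated.
SESSION_RX = re.compile(
    r"^(?P<me>\*?)\s*(?P<line>\d+)\s+(?P<type>vty|con|aux|tty)\s+(?P<num>\d+)\s+"
    r"(?:(?P<user>\S+)\s+)?idle\s+(?P<idle>\S+)(?:\s+(?P<location>\S+))?\s*$"
)

def idle_seconds(text):
    """Convert IOS idle notation (hh:mm:ss, 2d00h, 1w2d) to seconds."""
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", text)
    if m:
        h, mi, s = map(int, m.groups())
        return h * 3600 + mi * 60 + s
    m = re.fullmatch(r"(\d+)d(\d+)h", text)
    if m:
        d, h = map(int, m.groups())
        return d * 86400 + h * 3600
    m = re.fullmatch(r"(\d+)w(\d+)d", text)
    if m:
        w, d = map(int, m.groups())
        return w * 604800 + d * 86400
    raise ValueError("unrecognised idle value: " + text)

def parse_users(text):
    sessions = []
    for line in text.splitlines():
        m = SESSION_RX.match(line)
        if m:
            sessions.append({
                "line": int(m.group("line")),
                "type": m.group("type") + " " + m.group("num"),
                "user": m.group("user"),
                "idle": idle_seconds(m.group("idle")),
                "location": m.group("location"),  # None for console/aux
                "current": m.group("me") == "*",
            })
    return sessions

def review_sessions(text, allowed_nets, max_idle):
    """(line, reason) pairs: sessions from outside the management networks,
    and sessions idle longer than max_idle seconds."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for s in parse_users(text):
        if s["location"] is not None:
            try:
                addr = ipaddress.ip_address(s["location"])
                outside = not any(addr in n for n in nets)
            except ValueError:  # a hostname rather than an address
                outside = True
            if outside:
                findings.append((s["line"], "source %s outside management networks" % s["location"]))
        if s["idle"] > max_idle:
            findings.append((s["line"], "idle %d s, candidate for 'clear line %d'" % (s["idle"], s["line"])))
    return findings
```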
Monday, July 11, 2011
Top Ten Cisco IOS Commands - 5) sh archive log config all
This will be one of your favorites if you ever have to use it to roll back changes to a Cisco router or switch.
First, setup the configuration change logging:
R1# config term
Enter archive config mode:
R1(config)# archive
Enter logger config mode:
R1(config-archive)# log config
Enable logging of config changes:
R1(config-archive-log-config)# logging enable
Set the max number of entries to retain in the log:
R1(config-archive-log-config)# logging size 500
Suppress displaying passwords in the log file:
R1(config-archive-log-config)# hidekeys
Enable sending config changes to a syslog server:
R1(config-archive-log-config)# notify syslog
In order to view the log entries:
R1# sh archive log config all
...
...
387 28 unknown user@vty0 |ip access-list standard GoodIP
388 28 unknown user@vty0 | remark Internal Servers
389 28 unknown user@vty0 | permit 10.22.65.10
390 28 unknown user@vty0 | permit 10.22.22.10
391 28 unknown user@vty0 | permit 10.24.97.10
392 28 unknown user@vty0 | permit 10.25.17.10
393 0 unknown user@vty2 |!exec: enable
394 0 unknown user@vty0 |!exec: enable
395 31 unknown user@vty0 |interface Tunnel200
396 31 unknown user@vty0 | shutdown
...
...
That's pretty useful if you need to know the last command(s) you or someone else issued on the device. But for larger entries or pastes, wouldn't it be great if you could see that same data in a format ready to copy into a text editor? Try this...
sh archive log config all provisioning
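An added example, not from the original post: parsing "sh archive log config all" lines like the ones above, grouping them by session and rendering each session as a pasteable config block (in the spirit of the provisioning view, though this is a constructed approximation, not IOS's own output). The sample text is constructed from the listing above.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the "sh archive log config all" listing above.
SAMPLE = """\
 idx   sess           user@line      Logged command
  387    28   unknown user@vty0  |ip access-list standard GoodIP
  388    28   unknown user@vty0  | remark Internal Servers
  389    28   unknown user@vty0  | permit 10.22.65.10
  390    28   unknown user@vty0  | permit 10.22.22.10
  393     0   unknown user@vty2  |!exec: enable
  394     0   unknown user@vty0  |!exec: enable
  395    31   unknown user@vty0  |interface Tunnel200
  396    31   unknown user@vty0  | shutdown
"""

# idx, session id, "user@line" (may contain a space), then '|' and the command.
ENTRY_RX = re.compile(r"^\s*(?P<idx>\d+)\s+(?P<sess>\d+)\s+(?P<who>.+?)\s*\|(?P<cmd>.*)$")

def parse_entries(text):
    """One dict per logged line. The command keeps its leading space, which
    IOS uses to show nesting under interface/ACL configuration mode."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RX.match(line)
        if m:
            entries.append({
                "idx": int(m.group("idx")),
                "session": int(m.group("sess")),
                "who": m.group("who"),
                "cmd": m.group("cmd"),
            })
    return sorted(entries, key=lambda e: e["idx"])

def sessions(text):
    """Commands grouped by (session, who), dropping the '!exec:' markers."""
    grouped = OrderedDict()
    for e in parse_entries(text):
        if e["cmd"].lstrip().startswith("!exec:"):
            continue
        grouped.setdefault((e["session"], e["who"]), []).append(e["cmd"])
    return grouped

def as_config(text):
    """Render the log as config ready to paste into an editor, one block per
    session, with a '!' comment line naming the session and who ran it."""
    out = []
    for (sess, who), cmds in sessions(text).items():
        out.append("! session %d (%s)" % (sess, who))
        out.extend(cmds)
    return "\n".join(out)
```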
Saturday, July 2, 2011
Top Ten Cisco IOS Commands - 6) "netstat"
These are your Cisco "netstat" commands. Basic protocol, IP, and port info can be seen with this IOS command on your switch...
Switch1# sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 10.65.128.14 10000 0 0 11 0
17 --listen-- 10.65.128.14 1975 0 0 11 0
17 0.0.0.0 0 10.65.128.14 2228 0 0 211 0
17 0.0.0.0 0 10.65.128.14 67 0 0 2211 0
17 10.60.18.66 2603 10.65.128.14 161 0 0 1001 0
17 --listen-- 10.65.128.14 162 0 0 1011 0
17 --listen-- 10.65.128.14 60839 0 0 1011 0
17 --listen-- --any-- 161 0 0 20001 0
17 --listen-- --any-- 162 0 0 20011 0
17 --listen-- --any-- 65150 0 0 20001 0
17 --listen-- 10.65.128.14 123 0 0 1 0
17 10.40.9.64 162 10.65.128.14 49391 0 0 0 0
Here is the Cisco router equivalent...
R1# sh tcp brief
TCB Local Address Foreign Address (state)
48C0AD3C 80.64.160.1.20969 sql.domain.local.445 TIMEWAIT
48BF3818 80.64.160.1.31238 domain.web.local.1433 TIMEWAIT
4AD39ED8 60.136.65.230.42744 60.136.65.19.179 ESTAB
4AB25F74 25-149-211-185-TX.39937 82.22.144.71.443 TIMEWAIT
4908FBA0 80.64.169.1.2000 80.11.169.86.444 ESTAB
4896967C 25-149-211-185-TX.58906 79.202.72.7.443 TIMEWAIT
4A7B74F4 25-149-211-185-TX.32817 www.hosting.domain.443 TIMEWAIT
4A4298F0 80.64.169.1.2000 80.64.169.137.32726 ESTAB
48C0C658 60.136.65.230.33956 43.220.116.71.443 TIMEWAIT
4AC486D0 80.64.169.1.2000 80.64.169.132.20257 ESTAB
4A7CA068 80.64.169.1.2000 80.64.169.16.16777 ESTAB
4A29B594 60.136.65.29.32424 domain.web.local.1120 TIMEWAIT
497F0088 80.64.160.1.23 80.60.18.66.2552 ESTAB
And lastly, the firewall equivalent...
ASA1#sh conn all
683 in use, 5678 most used
TCP OUTSIDE 82.66.52.251:1334 DMZ 93.39.11.88:443, idle 0:00:02, bytes 5797, flags UIOB
TCP OUTSIDE 40.62.183.137:7686 DMZ 93.39.11.88:443, idle 0:00:04, bytes 6596, flags UIOB
TCP OUTSIDE 64.58.31.86:65248 DMZ 93.39.11.88:443, idle 0:00:06, bytes 6951, flags UIOB
TCP OUTSIDE 70.248.216.190:60370 DMZ 93.39.11.88:443, idle 0:00:08, bytes 4121, flags UIOB
TCP OUTSIDE 62.25.17.1:2220 DMZ 93.39.11.66:443, idle 0:00:08, bytes 22512, flags UIOB
TCP OUTSIDE 64.126.13.254:27426 DMZ 93.39.11.88:443, idle 0:00:14, bytes 36091, flags UIOB
TCP OUTSIDE 66.124.99.125:1318 DMZ 93.39.11.88:443, idle 0:00:24, bytes 3944, flagsUIOB
TCP OUTSIDE 70.157.5.177:50653 DMZ 93.39.11.88:443, idle 0:00:34, bytes 10785, flags UIOB
TCP OUTSIDE 99.189.255.7:60222 DMZ 93.39.11.88:443, idle 0:00:03, bytes 26135, flags UIOB
TCP OUTSIDE 99.189.255.7:60221 DMZ 93.39.11.88:443, idle 0:00:29, bytes 103690, flags UIOB
TCP OUTSIDE 99.189.255.7:60219 DMZ 93.39.11.88:443, idle 0:00:05, bytes 86075, flags UIOB
TCP OUTSIDE 173.22.186.97:51866 DMZ 93.39.11.88:443, idle 0:00:04, bytes 6565, flags UIOB
TCP OUTSIDE 173.22.186.97:51865 DMZ 93.39.11.88:443, idle 0:00:03, bytes 72144, flags UIOB
If you are looking for a specific IP address within any of the above commands, filter the results by adding 'pipe' and 'include' to the end of the command...
sh conn | i <ip address>
sh tcp brief | i <ip address>
sh ip sockets | i <ip address>
Friday, July 1, 2011
Top Ten Cisco IOS Commands - 7) sh arp
A brief intro to ARP:
ARP broadcasts only go as far as the local subnet before being replied to. Usually only two things can happen here: 1) the destination node responds with its MAC address (through a switch), or 2) a router or other gateway device responds with its own MAC address because it knows a route to the destination node on a different subnet (this is referred to as proxy-ARP; the router answers on the remote node's behalf and carries the traffic to the non-local subnet for you). Knowing these two possible results is an important concept to remember when looking up IP or MAC info on your Cisco routers and switches.
The requesting node doesn't care who responds as long as it gets a MAC address, so there are some obvious security concerns with this protocol.
If you run "sh arp" on your switch or router you can see the results are about the same. You get info about devices that are communicating directly with interfaces on the device (i.e., IP, MAC, interface name, aging timer)...
Switch1# s arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.0.45 41 0025.13f7.0141 ARPA Vlan333
Internet 192.168.0.43 - 0025.13f6.c041 ARPA Vlan333
Internet 192.168.9.25 98 0025.77c2.6dc1 ARPA Vlan333
Internet 192.168.0.1 140 0025.77c2.6dc1 ARPA Vlan333
Internet 192.168.18.66 0 0025.77c2.6dc1 ARPA Vlan333
Internet 192.168.0.65 7 00e0.d812.77f1 ARPA Vlan333
Router1# s arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.44.0.1 43 da30.9171.834a ARPA GigabitEthernet0/0
Internet 10.44.0.2 19 f4ac.c178.f442 ARPA GigabitEthernet0/0
Internet 10.44.0.10 227 0026.77c2.6bc1 ARPA GigabitEthernet0/0
Internet 10.44.0.44 156 001f.bd8b.3545 ARPA GigabitEthernet0/0
Internet 10.44.0.66 266 001b.044c.1280 ARPA GigabitEthernet0/0
Internet 10.44.0.13 64 0024.c4d5.4cf0 ARPA GigabitEthernet0/0
Internet 10.44.0.12 157 001b.2acc.2b50 ARPA GigabitEthernet0/0
Internet 10.44.0.18 86 001d.9d13.55c1 ARPA GigabitEthernet0/0
Internet 10.44.0.130 - 001d.2abb.2a36 ARPA GigabitEthernet0/0
Internet 266.243.123.25 5 001f.9e58.c0d3 ARPA GigabitEthernet0/1
Internet 266.243.123.26 - 001b.2abb.3337 ARPA GigabitEthernet0/1
Now that you know the IPs and MACs you just need the port numbers associated with them and you'll have a pretty decent port mapping of the switch. Try this...
Switch1# sh mac address-table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0200.0ccc.cccc STATIC CPU
All 0200.0ccc.cccd STATIC CPU
All 0162.c200.0000 STATIC CPU
All 0162.c200.0001 STATIC CPU
All 0162.c200.0002 STATIC CPU
All 0162.c200.0003 STATIC CPU
All 0162.c200.0004 STATIC CPU
All 0162.c200.0005 STATIC CPU
All 0162.c200.0006 STATIC CPU
All 0162.c200.0007 STATIC CPU
All 0162.c200.0008 STATIC CPU
All 0162.c200.0009 STATIC CPU
All 0162.c200.000a STATIC CPU
All 0162.c200.000b STATIC CPU
All 0162.c200.000c STATIC CPU
All 0162.c200.000d STATIC CPU
All 0162.c200.000e STATIC CPU
All 0162.c200.000f STATIC CPU
All 0162.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
1 0025.8386.9034 DYNAMIC Gi1/0/3
1 0025.83f0.e52a DYNAMIC Gi3/0/4
300 001b.2abb.2f90 DYNAMIC Gi1/0/3
300 001b.2abb.25c0 DYNAMIC Gi1/0/3
300 001b.d44c.9277 DYNAMIC Gi1/0/3
300 001e.bd8b.2145 DYNAMIC Gi1/0/3
300 0024.c4c5.4df0 DYNAMIC Gi1/0/3
300 0025.8206.9085 DYNAMIC Gi1/0/3
300 0025.83c2.5ac1 DYNAMIC Gi1/0/3
300 ec30.9171.8322 DYNAMIC Gi1/0/3
333 001b.d44c.1180 DYNAMIC Gi1/0/3
333 0025.5586.9485 DYNAMIC Gi1/0/3
333 0015.83c2.6dc4 DYNAMIC Gi1/0/3
333 0fe0.d810.ba7f DYNAMIC Gi1/0/3
333 0fe0.d812.83d1 DYNAMIC Gi1/0/3
333 0fe0.d812.644f STATIC Fa1/0/47
Looking at MAC addresses associated with IP addresses can be confusing at first. For example, you may be wondering why there are so many MAC addresses assigned to one port, Gi1/0/3 above. This port happens to be a trunk port which carries all inter-VLAN traffic, so some of these are other switches, routers, etc.
When looking at your device's ARP cache, you'll sometimes see multiple IP addresses with the same MAC entry. This is because of the proxy-ARP mentioned above: the MAC you see is your gateway device. Run "arp -a" on your Windows PC and you'll only see your gateway device's MAC for anything you ping outside your local subnet.
Additional notes:
ARP cache timeout defaults vary by vendor. Windows is sometimes 10 minutes, while Cisco devices are often 4 hours!
Most newer switches today have layer 3 (routing) capability, so they may be the gateway device and perform the inter-VLAN routing that used to require a router.
Also, sometimes you'll see "bia" in front of the MAC address on Cisco routers and switches, which means "burned-in address."
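An added example, not from the original post: joining "sh arp" and "sh mac address-table" output into the IP/MAC/port mapping described above, and listing MACs that answer for more than one IP (normally your gateway via proxy-ARP, as explained above; anything else deserves a second look). Both sample texts are constructed in the shape of the listings above, with the MAC table built so the join has something to match.

```python
import re
from collections import defaultdict

# Constructed samples in the shape of the "sh arp" and "sh mac address-table"
# listings above. Age '-' marks the device's own address.
ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.45            41   0025.13f7.0141  ARPA   Vlan333
Internet  192.168.0.43             -   0025.13f6.c041  ARPA   Vlan333
Internet  192.168.9.25            98   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.0.1            140   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.18.66            0   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.0.65             7   00e0.d812.77f1  ARPA   Vlan333
"""
MAC = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0200.0ccc.cccc    STATIC      CPU
 333    0025.13f7.0141    DYNAMIC     Gi1/0/3
 333    0025.77c2.6dc1    DYNAMIC     Gi1/0/3
 333    00e0.d812.77f1    DYNAMIC     Fa1/0/47
"""

MAC_FMT = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RX = re.compile(
    r"^Internet\s+(?P<ip>[\d.]+)\s+(?P<age>\S+)\s+(?P<mac>" + MAC_FMT + r")\s+"
    r"(?P<type>\S+)\s+(?P<iface>\S+)"
)
MAC_RX = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+(?P<mac>" + MAC_FMT + r")\s+(?P<type>\S+)\s+(?P<port>\S+)"
)

def parse_arp(text):
    rows = []
    for line in text.splitlines():
        m = ARP_RX.match(line)
        if m:
            r = m.groupdict()
            r["age"] = None if r["age"] == "-" else int(r["age"])
            rows.append(r)
    return rows

def parse_mac_table(text):
    """MAC -> (vlan, port). CPU entries are the switch itself and are skipped."""
    table = {}
    for line in text.splitlines():
        m = MAC_RX.match(line)
        if m and m.group("port") != "CPU":
            table[m.group("mac")] = (m.group("vlan"), m.group("port"))
    return table

def port_map(arp_text, mac_text):
    """Join the two outputs: IP -> MAC -> switch port (None if the MAC is not
    in the table, e.g. the switch's own SVI address)."""
    table = parse_mac_table(mac_text)
    rows = []
    for r in parse_arp(arp_text):
        vlan, port = table.get(r["mac"], (None, None))
        rows.append({"ip": r["ip"], "mac": r["mac"], "vlan": vlan,
                     "port": port, "local": r["age"] is None})
    return rows

def shared_macs(arp_text):
    """MACs answering for more than one IP, with the IPs they answer for."""
    seen = defaultdict(list)
    for r in parse_arp(arp_text):
        seen[r["mac"]].append(r["ip"])
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}
```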