
📘 Cisco IOS Command Cheatsheet¶


🧱 1. INITIAL SETUP (Switches & Routers)¶

| Mode | Command | Description | Notes |
| --- | --- | --- | --- |
| Enable Mode | configure terminal | Enter global config mode | Must be in enable (#) first |
| Config Mode | hostname SW1 | Set device hostname | Shows in prompt |
| Config Mode | no ip domain-lookup | Disable DNS on typos | Speeds up error handling |
| Config Mode | service password-encryption | Encrypts all plaintext passwords | Basic security |
| Config Mode | banner motd #No Access# | Set login banner | Required for compliance |
| Privileged (Enable) Mode | clock set HH:MM:SS DD MONTH YYYY | Set the system clock | Useful for log timestamps |
| Privileged (Enable) Mode | copy running-config startup-config | Save config to NVRAM | Save after every change |

🔐 2. BASIC SECURITY CONFIGURATION¶

| Mode | Command | Description | Notes |
| --- | --- | --- | --- |
| Config Mode | enable secret <password> | Set encrypted enable password | Stronger than enable password |
| Config Mode → Line Console | line console 0 | Enter console line config | Use login + password inside |
| Line Config Mode | password cisco<br>login | Set console password and enable login | Prevents unauthorized CLI access |
| Config Mode → Line VTY | line vty 0 4 | VTY lines for SSH/Telnet | 0–4 = five concurrent sessions |
| Line Config Mode | password cisco<br>login | Set remote access password | Used if no local auth |
| Config Mode | username admin password cisco | Create local user account | Needed for SSH login |
| Config Mode | ip domain-name lab.local | Required for SSH key gen | Any domain works |
| Config Mode | crypto key generate rsa | Create SSH keys | Enables SSH |
| Line Config Mode | transport input ssh | Allow SSH only | Don’t allow Telnet in prod |
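
One way to check a saved configuration against the settings in this table, added here as an example (it is not part of the original cheatsheet). The `audit` helper is hypothetical, and both sample configurations are constructed, with `<password>` as a placeholder.

```python
# Added example: lint an IOS-style config for the basics in the table above.
# WEAK and HARDENED are constructed samples, not output from a real device.

WEAK = """\
hostname SW1
enable password cisco
!
line console 0
 password cisco
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED = """\
hostname SW1
service password-encryption
enable secret <password>
!
line console 0
 password <password>
 login
line vty 0 4
 password <password>
 login
 transport input ssh
"""


def line_blocks(config):
    """Map each 'line ...' header to the list of sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other global command or '!' ends the block
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_cmds = [l.strip() for l in config.splitlines()
                   if l and not l.startswith(" ")]
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("enable secret is not set")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption is not enabled")
    for header, body in line_blocks(config).items():
        if not any(c == "login" or c.startswith("login ") for c in body):
            findings.append(f"{header}: login is not enabled")
        if header.startswith("line vty"):
            transport = [c for c in body if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: remote access is not limited to SSH")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```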

🌐 3. INTERFACE & IP CONFIGURATION¶

| Mode | Command | Description | Notes |
| --- | --- | --- | --- |
| Config Mode → Interface | interface g0/0 | Select interface | Replace with correct ID |
| Interface Mode | ip address 192.168.1.1 255.255.255.0 | Assign IP | Needed on routers |
| Interface Mode | no shutdown | Bring interface up | Always required! |
| Interface Mode | description Link to ISP | Add comment | Best practice |
| Enable Mode | show ip interface brief | Verify interface IPs and status | Useful summary |

🎛️ 4. SWITCHING & VLAN CONFIGURATION¶

| Mode | Command | Description | Notes |
| --- | --- | --- | --- |
| Config Mode | vlan 10 | Create VLAN | VLAN ID must be unique |
| VLAN Config Mode | name Sales | Name the VLAN | Optional but helpful |
| Config Mode → Interface | interface fa0/1 | Select access port | One host per access port |
| Interface Mode | switchport mode access | Set as access port | Required before assigning VLAN |
| Interface Mode | switchport access vlan 10 | Assign to VLAN | VLAN must exist first |
| Interface Mode | switchport mode trunk | Make interface a trunk | Use between switches |
| Interface Mode | switchport trunk allowed vlan 10,20 | Limit trunk VLANs | Reduce unnecessary traffic |
| Enable Mode | show vlan brief | Show VLANs and ports | Confirm access port assignments |
| Enable Mode | show mac address-table | MAC learning table | Useful for troubleshooting |

🛣️ 5. ROUTING CONFIGURATION¶

Static Routing¶

| Mode | Command | Description | Notes |
| --- | --- | --- | --- |
| Config Mode | ip route 10.0.0.0 255.255.255.0 192.168.1.2 | Static route | For simple environments |

OSPF¶

| Mode | Command | Description | Notes |
| --- | --- | --- | --- |
| Config Mode | router ospf 1 | Enable OSPF process | Pick a unique process ID |
| OSPF Config Mode | network 192.168.1.0 0.0.0.255 area 0 | Advertise a network | Wildcard mask required |

🔧 6. VERIFICATION & TROUBLESHOOTING¶

| Mode | Command | Description | Notes |
| --- | --- | --- | --- |
| Enable Mode | show running-config | Current active config | Always check before saving |
| Enable Mode | show startup-config | Saved config in NVRAM | After reboot, this loads |
| Enable Mode | show interfaces | Detailed interface stats | CRCs, drops, duplex info |
| Enable Mode | show ip interface brief | IPs and statuses | Excellent quick check |
| Enable Mode | show cdp neighbors | Discover adjacent Cisco devices | Helpful in topologies |
| Enable Mode | show lldp neighbors | Discover non-Cisco devices | Enable with lldp run first |
| User or Enable Mode | ping <IP> | Check reachability | Basic Layer 3 test |
| User or Enable Mode | traceroute <IP> | Trace path to host | Shows hops and delays |
| Enable Mode | show ip route | Routing table | Look for S, O, or C routes |

💽 7. FILES, SAVING, AND RESETTING¶

| Mode | Command | Description | Notes |
| --- | --- | --- | --- |
| Enable Mode | copy running-config startup-config | Save to NVRAM | Don’t forget this! |
| Enable Mode | erase startup-config | Wipe saved config | Use with caution |
| Enable Mode | reload | Reboot the device | May prompt to save running config |

📌 FINAL NOTES ON MODES¶

| Mode | Prompt | Description |
| --- | --- | --- |
| User Exec | > | Limited view-only commands |
| Privileged Exec (Enable) | # | Can view and copy configs |
| Global Config | (config)# | Where most setup is done |
| Interface Config | (config-if)# | For individual ports/interfaces |
| Line Config | (config-line)# | Console, VTY lines, etc. |
| Routing Protocol Config | (config-router)# | For OSPF, EIGRP, etc. |

IPv6¶



1. Global Unicast Addresses (GUAs)¶

  • Purpose: Publicly routable (equivalent to IPv4 public addresses).
  • Prefix: 2000::/3 (first three bits 001).
  • Structure:
    • Global Routing Prefix: typically 48 bits, assigned by your ISP.
    • Subnet ID: 16 bits for internal subnetting.
    • Interface ID: 64 bits (often derived via EUI‑64).
  • Example:
2001:db8:85a3:42::7334

2. Link‑Local Addresses¶

  • Purpose: Used for NDP (Neighbor Discovery), router advertisements, and on‑link communications only.
  • Standard Prefix: FE80::/10 (per RFC 4291), but in practice every link‑local is configured as FE80::/64.
  • Assignment: Auto‑generated by the host—no DHCPv6 needed.
  • Interface ID: Usually formed via EUI‑64 (from the MAC) or randomly.
  • Zone Index: When testing on hosts you append the interface (e.g. fe80::1%GigabitEthernet0/1).
  • Example:
fe80::c800:ff:feB4:3a9f

3. Unique Local Addresses (ULAs)¶

  • Purpose: Private‑use (similar to IPv4 RFC 1918).
  • Prefix: FC00::/7; in practice FD00::/8 (the “L” bit set to 1).
  • Layout:
    • Global ID: 40 random bits
    • Subnet ID: 16 bits
    • Interface ID: 64 bits
  • Scope: Routable within an organization but not on the public Internet.
  • Example:
fd12:3456:789a:1::1

4. Multicast Addresses¶

  • Purpose: One‑to‑many traffic.
  • Prefix: FF00::/8.
  • Format:
|8 bits|4 flags|4 scope|112‑bit group ID|
|11111111| Flgs | Scope | Group ID       |
  • Flags: e.g. P‑bit (permanent vs. transient).
  • Scope values:

    • 1 – node‑local
    • 2 – link‑local
    • 5 – site‑local
    • 8 – organization‑wide
    • E – global
  • Well‑Known Examples:
    • ff02::1 – all‑nodes (link‑local)
    • ff02::2 – all‑routers (link‑local)
    • ff05::2 – all‑routers (site‑local)

5. Anycast Addresses¶

  • Purpose: Packets delivered to the “nearest” member among a group.
  • How to Create: Assign the same unicast address (GUA or ULA) on multiple devices in the same subnet.
  • Behavior: Routers automatically forward to the topologically closest instance.

6. IPv6 Notation & Abbreviation¶

  1. Leading zeros in each 16‑bit block must be omitted:

2001:0db8:0000:0000:0000:0000:0000:0001
→ 2001:db8:0:0:0:0:0:1

  2. Consecutive all‑zero blocks can be collapsed once with ::

2001:db8:0:0:0:0:0:1
→ 2001:db8::1

  3. You cannot use :: more than once in a single address.


Address Configuration¶

IPv6 hosts can obtain addresses in several ways. On the CCNA you’ll need to understand manual (static) assignment, SLAAC, EUI‑64 interface‑ID formation, and DHCPv6 (both stateful and stateless).


A. Manual (Static) Configuration¶

  1. Enable IPv6 routing on the router (global config):

Router(config)# ipv6 unicast-routing

  2. Assign an address on an interface:

Router(config)# interface GigabitEthernet0/0
Router(config-if)# ipv6 address 2001:db8:1:1::1/64

  3. Optional link‑local override (if you need a specific FE80:: address):

Router(config-if)# ipv6 address FE80::1 link-local

Tip: A missing /prefix-length or the ipv6 unicast-routing command are the most common “it doesn’t work” culprits.


B. SLAAC (Stateless Address Auto Configuration)¶

  • How it works:
    • Host generates a link‑local address (FE80::/64) via EUI‑64 or random.
    • Host sends a Router Solicitation (RS) multicast (FF02::2).
    • Router replies with a Router Advertisement (RA) (FF02::1) containing one or more Prefix Information Options (PIOs).
    • If the RA’s M‑bit is 0 (do not use DHCPv6) and the O‑bit is 0, the host uses the advertised prefix + its interface‑ID to form its global address.

  • RA flags in the PIO:
    • M (Managed) bit = 1 → use DHCPv6 for address (stateful).
    • O (Other) bit = 1 → use DHCPv6 for additional info (DNS, etc.), but SLAAC for address.

  • Verification commands on Cisco:

show ipv6 interface GigabitEthernet0/0
show ipv6 neighbors
show ipv6 route

C. EUI‑64 Interface‑ID Formation¶

When SLAAC uses EUI‑64, a 48‑bit MAC (e.g. 00‑0C‑29‑3E‑5B‑7C) is transformed:

  1. Split the MAC into two 24‑bit halves:

00:0C:29    |    3E:5B:7C

  2. Insert FF:FE in the middle:

00:0C:29:FF:FE:3E:5B:7C

  3. Invert the Universal/Local (U/L) bit (bit 7 of the first byte):
    • Original first byte 0x00 → binary 00000000
    • Invert bit 7 → binary 00000010 → 0x02
    • Result → 02:0C:29:FF:FE:3E:5B:7C

  • Interface‑ID = that 64‑bit value, e.g.:

2001:db8:1:1:20c:29ff:fe3e:5b7c/64

Note: Many modern OSes use “privacy extensions” to randomize the IID instead of EUI‑64.
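
The three EUI‑64 steps above in code, added here as an example that is not from the original page. It also runs the transformation backwards, which shows why the privacy note matters: an EUI‑64 address exposes the interface's MAC. The function names are illustrative.

```python
import ipaddress


def mac_to_eui64_iid(mac):
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # steps 1 and 2
    eui[0] ^= 0x02                                          # step 3: flip U/L bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID derived from mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return net[mac_to_eui64_iid(mac)]


def recover_mac(addr):
    """Return the MAC embedded in an EUI-64 address, or None if the
    interface ID lacks the FF:FE marker (random or manually assigned)."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    addr = slaac_address("2001:db8:1:1::/64", "00-0C-29-3E-5B-7C")
    print(addr)                                    # address from the steps above
    print(recover_mac(str(addr)))                  # the MAC is recoverable
    print(recover_mac("fe80::c800:ff:feB4:3a9f"))  # link-local example above
    print(recover_mac("2001:db8:85a3:42::7334"))   # not EUI-64
```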


D. DHCPv6¶

1. Stateful DHCPv6¶

  • Clients request addresses from a DHCPv6 server (M‑bit = 1).
  • DHCPv6 message flow:

Solicit → Advertise → Request → Reply

  • Provides addresses and other options (DNS, domain, etc.).

2. Stateless DHCPv6¶

  • SLAAC builds the address (M‑bit = 0), but O‑bit = 1 in RA signals the host to get DNS and other options from DHCPv6.
  • Message flow for option retrieval:
Information‑request → Reply

3. Cisco DHCPv6 Server Example¶

ipv6 dhcp pool MYPOOL
  address prefix 2001:db8:1:1::/64
  dns-server 2001:db8:ffff::1
!
interface GigabitEthernet0/0
  ipv6 address FE80::1 link-local
  ipv6 nd prefix 2001:db8:1:1::/64 3600 1800
  ipv6 dhcp server MYPOOL

These cover all the CCNA‑level address configuration methods for IPv6.

Neighbor Discovery Protocol (NDP)¶

NDP replaces ARP, ICMP router redirects, and more from IPv4. On the CCNA exam, you’ll need to know the core packet types, their purposes, and key behaviors.


A. NDP Packet Types¶

| Type | Decimal Code | Purpose |
| --- | --- | --- |
| RS | 133 | Router Solicitation – host asks for RAs |
| RA | 134 | Router Advertisement – router advertises prefix & flags |
| NS | 135 | Neighbor Solicitation – like ARP request |
| NA | 136 | Neighbor Advertisement – like ARP reply |
| Redirect | 137 | Redirect a host to a better next hop |

B. Router Solicitation (RS) & Advertisement (RA)¶

  • RS (Type 133)
    • Sent by hosts to FF02::2 (all‑routers multicast) at boot or when interface comes up.
    • Hop Limit = 255 (ensures on‑link source).
    • No payload other than NDP header.

  • RA (Type 134)
    • Sent by routers periodically (~200 sec default) or in response to RS.
    • Destination:
      • Unicast to the soliciting host, or
      • FF02::1 (all‑nodes) if periodic.
    • Key fields in the Prefix Information Option (PIO):
      • Prefix (64 bits) and prefix length.
      • M‑bit (Managed) → DHCPv6 for address.
      • O‑bit (Other) → DHCPv6 for other info.
      • Valid Lifetime, Preferred Lifetime for SLAAC.

Verification Commands

show ipv6 interface GigabitEthernet0/0
  # shows current RAs received, flags, lifetimes
show ipv6 route
  # prefixes learned via RAs (marked 'R')

C. Neighbor Solicitation (NS) & Advertisement (NA)¶

  • Solicited-Node Multicast
    • Each IPv6 address has a solicited-node group:

    FF02:0:0:0:0:1:FFXX:XXXX

      where XX:XXXX = last 24 bits of the IPv6 address.

  • NS (Type 135)
    • Used for:
      • Address resolution (like ARP): host asks “Who has X? Tell me.”
      • Duplicate Address Detection (DAD): host probes its own tentative address.
    • Sent to the solicited‑node multicast of the target.
    • Fields:
      • Target Address = the IPv6 address being resolved or probed.
      • Source Link‑Layer Address option (when not DAD) carries sender’s MAC.

  • NA (Type 136)
    • Response to NS for address resolution.
    • Or sent unsolicited with the Override flag to update caches.
    • Fields:
      • Target Address = the address being announced.
      • Target Link‑Layer Address option with the responder’s MAC.
    • Flags:
      • Solicited (S) = 1 when replying to an NS.
      • Override (O) = 1 to overwrite stale cache entries.

Verification Commands

show ipv6 neighbors
  # neighbor table with Link‑Layer addresses and state

D. Duplicate Address Detection (DAD)¶

  • Purpose: Ensure uniqueness of an address before binding.
  • Mechanism:
    • Host assigns the tentative address (IID = EUI‑64 or random).
    • Sends an NS with Source Address = :: and Target Address = tentative.
    • Waits for NA replies.
      • No reply within the DAD timeout → address is unique, assign it.
      • If an NA is received → collision detected → interface goes into error.
  • Exam Tip: DAD uses an NS packet; look for src=:: dst=solicited-node-multicast(target).

E. Key Takeaways¶

  1. Multicast addresses for NDP:
    • RS → FF02::2
    • RA → FF02::1 or unicast
    • NS → solicited‑node multicast FF02::1:FFxx:xxxx
    • NA → unicast or multicast to FF02::1
  2. Hop Limit = 255 for all NDP messages—to verify on‑link.
  3. RA flags: M‑bit, O‑bit, Valid/Preferred lifetimes.
  4. NS/NA flags: S (Solicited), O (Override).
  5. DAD = NS with src=::, target = tentative address.
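
The takeaways above, applied to captured NS/NA fields, as an added example that is not part of the original notes. It computes the solicited‑node group, enforces the Hop Limit = 255 check, separates DAD probes from address resolution, and reports tentative addresses that were answered by an NA. The message dictionaries are constructed samples and the field names are assumptions.

```python
from ipaddress import IPv6Address

UNSPECIFIED = IPv6Address("::")
SOLICITED_BASE = int(IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """FF02::1:FFxx:xxxx built from the last 24 bits of addr."""
    return IPv6Address(SOLICITED_BASE | (int(IPv6Address(addr)) & 0xFFFFFF))


def classify(msg):
    """Label one NS (135) or NA (136) message using the rules on this page."""
    if msg["type"] not in (135, 136):
        return "not-ns-na"
    if msg["hop_limit"] != 255:
        return "drop-off-link"  # a forwarded packet cannot arrive with 255
    if msg["type"] == 136:
        return "na"
    src, dst = IPv6Address(msg["src"]), IPv6Address(msg["dst"])
    to_group = dst == solicited_node(msg["target"])
    if src == UNSPECIFIED:  # DAD probes are sent from ::
        return "dad-probe" if to_group else "drop-bad-dad"
    # NS sent elsewhere (for example unicast) is not covered on this page
    return "resolution" if to_group else "other-ns"


def dad_collisions(messages):
    """Tentative addresses that were probed and later claimed by an NA."""
    probing, collided = set(), []
    for m in messages:
        kind = classify(m)
        if kind == "dad-probe":
            probing.add(IPv6Address(m["target"]))
        elif kind == "na" and IPv6Address(m["target"]) in probing:
            probing.discard(IPv6Address(m["target"]))
            collided.append(str(IPv6Address(m["target"])))
    return collided


# Constructed sample traffic (documentation prefix 2001:db8::/32).
SAMPLE = [
    {"type": 135, "src": "::", "dst": "ff02::1:ff3e:5b7c",
     "target": "2001:db8:1:1:20c:29ff:fe3e:5b7c", "hop_limit": 255},
    {"type": 136, "src": "2001:db8:1:1:20c:29ff:fe3e:5b7c", "dst": "ff02::1",
     "target": "2001:db8:1:1:20c:29ff:fe3e:5b7c", "hop_limit": 255},
    {"type": 135, "src": "fe80::1", "dst": "ff02::1:ff00:5",
     "target": "2001:db8:1:1::5", "hop_limit": 255},
    {"type": 135, "src": "2001:db8:9::9", "dst": "ff02::1:ff00:5",
     "target": "2001:db8:1:1::5", "hop_limit": 64},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(classify(m), m["target"])
    print("DAD collisions:", dad_collisions(SAMPLE))
```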


NDP vs ARP¶

flowchart TD
  subgraph ARP["IPv4 ARP"]
    A1["Host A: knows IPv4 of Host B<br>wants MAC"] --> A2["Broadcast ARP Request<br>Who has IP B? Tell A"]
    A2 --> A3["All hosts on LAN receive request"]
    A3 -- If IP matches B --> A4["Host B unicasts ARP Reply to A<br>MAC = B’s MAC"]
    A4 --> A5["Host A updates ARP cache<br>sends frame to MAC"]
  end

  subgraph NDP["IPv6 NDP"]
    B1["Host A: knows IPv6 of Host B<br>wants L2 address"] --> B2["Multicast NS to solicited-node<br>Who has IPv6 B? Tell A"]
    B2 --> B3["All hosts listen on solicited-node group"]
    B3 -- If IPv6 matches B --> B4["Host B unicasts NA to A<br>L2 = B’s MAC<br>flags S=1, O=1"]
    B4 --> B5["Host A updates neighbor cache<br>sends frame to MAC"]
  end

  style ARP fill:#000000,stroke:#ffffff,stroke-width:2px
  style NDP fill:#000000,stroke:#dddddd,stroke-width:2px

IPv6 Routing¶

1. Enabling IPv6 Routing¶

On Cisco routers, IPv6 routing is off by default. Before any IPv6 routes will work, you must enable it globally:

Router(config)# ipv6 unicast-routing

Without this, static routes and dynamic protocols will be ignored.


2. Static Routing with ipv6 route¶

A. Point‑to‑Point Static Route¶

Router(config)# ipv6 route 2001:DB8:1:0::/64 2001:DB8:2:0::2
  • Destination prefix: 2001:DB8:1:0::/64
  • Next‑hop (must be reachable link‑local or global): here 2001:DB8:2:0::2

B. Using a Link‑Local Next‑Hop¶

Router(config)# ipv6 route 2001:DB8:3:0::/64 FE80::2 GigabitEthernet0/1
  • If you specify a link‑local (FE80::2), you must include the outgoing interface.

C. Default Route¶

Router(config)# ipv6 route ::/0 2001:DB8:2:0::2
  • ::/0 matches all destinations not in the routing table.

D. Administrative Distance¶

  • Static: 1 (or 254 if you add the distance keyword)
  • Learned via OSPFv3: 110

3. Understanding the IPv6 Routing Table (show ipv6 route)¶

Example output snippet:

IPv6 Route Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       O - OSPFv3, IA - OSPFv3 Inter-area, E1/E2 - OSPFv3 External

O   2001:DB8:10:0::/64 [110/20]
     via FE80::1, GigabitEthernet0/0
C   2001:DB8:20:0::/64 [0/0]
     via GigabitEthernet0/1
S   ::/0 [1/0]
     via FE80::2, GigabitEthernet0/2
L   FE80::1/128 [0/0] via GigabitEthernet0/0
  • Codes tell you how the route was learned.
  • Metric is in brackets [AD/Metric].
  • Next‑hop may be link‑local (FE80::) or global.

Key codes to know:

  • C = directly Connected
  • L = Local address of router interface
  • S = Static route
  • O = OSPFv3 intra‑area
  • IA = OSPFv3 inter‑area
  • E1/E2 = OSPFv3 external types

4. OSPFv3 Fundamentals¶

IPv6’s version of OSPF has a few differences from OSPFv2:

A. Enabling OSPFv3¶

Router(config)# ipv6 router ospf 1
Router(config‑rtr)# router-id 1.1.1.1
  • Process ID (1) is locally significant.
  • Router ID must be set manually (32‑bit IPv4 format).

B. Enabling on Interfaces (no network statements)¶

Router(config)# interface GigabitEthernet0/0
Router(config‑if)# ipv6 ospf 1 area 0
  • OSPFv3 is enabled per interface, not via broad network statements.

C. Link‑Local Next‑Hop & Neighbors¶

  • OSPFv3 uses IPv6 link‑local addresses for adjacency and next‑hop resolution.
  • Verify adjacencies:
show ipv6 ospf neighbor
show ipv6 ospf interface

D. Area Types & LSAs¶

  • LSA Types are similar: Router LSAs, Network LSAs, Summary LSAs, External LSAs.
  • Be aware of stub areas, totally stubby, and NSSA (exam typically only mentions “stub”).

5. CCNA‑Level Verification Commands¶

  • Global status

show ipv6 protocols

  • Routing table

show ipv6 route

  • OSPFv3 neighbors

show ipv6 ospf neighbor

  • OSPFv3 interface details

show ipv6 ospf interface GigabitEthernet0/0

  • Static-route troubleshooting

traceroute ipv6 2001:DB8:1:0::1
ping ipv6 2001:DB8:1:0::1

Know the Administrative Distance for common IPv6 routes

| Route Source | Administrative Distance |
| --- | --- |
| Connected interface | 0 |
| Static route | 1 |
| eBGP | 20 |
| Internal EIGRP | 90 |
| IGRP | 100 |
| OSPFv3 | 110 |
| IS‑IS | 115 |
| RIPng | 120 |
| External EIGRP | 170 |
| Unknown/unusable routes | 255 |

Tip:

  • When two routes to the same prefix exist, the router picks the one with the lowest AD.
  • You do not calculate these values—they’re just memorized defaults.
  • Occasionally you may see or configure a “floating” static route by setting a higher AD, but you still pick from known values.

ICMPv6: Informational & Error Messages¶

ICMPv6 serves two primary roles: Neighbor Discovery (covered in NDP) and error/reporting for IPv6 packet delivery. On the CCNA you’ll be expected to recognize common message types and their purposes.


A. NDP Message Types (ICMPv6 Codes)¶

| Type | Code | Name | Purpose |
| --- | --- | --- | --- |
| 133 | 0 | Router Solicitation (RS) | Host → all‑routers multicast to solicit RAs |
| 134 | 0 | Router Advertisement (RA) | Router → hosts (or unicast) to advertise prefixes & flags |
| 135 | 0 | Neighbor Solicitation (NS) | Address resolution & Duplicate Address Detection |
| 136 | 0 | Neighbor Advertisement (NA) | Reply to NS; unsolicited updates |
| 137 | 0 | Redirect | Informs host of a better first‑hop next hop |

Note: The Code field for all NDP messages is always zero.


B. ICMPv6 Error Messages¶

| Type | Code | Name | Description |
| --- | --- | --- | --- |
| 1 | 0 | Destination Unreachable — No Route | No route to destination |
| 1 | 1 | Destination Unreachable — Admin Prohibit | Administratively prohibited (e.g., ACL) |
| 1 | 3 | Destination Unreachable — Addr Unreachable | Address unreachable at next hop |
| 1 | 4 | Destination Unreachable — Port Unreachable | Port unreachable at destination |
| 2 | 0 | Packet Too Big | Packet larger than MTU; carry MTU of next‑hop in the “MTU” field |
| 3 | 0 | Time Exceeded — Hop Limit Exceeded | Hop‑limit reached zero |
| 3 | 1 | Time Exceeded — Fragment Reassembly Time Exceeded | Fragment reassembly timer expired |
| 4 | 0 | Parameter Problem — Erroneous Header Field | Problem with IPv6 header |
| 4 | 1 | Parameter Problem — Unrecognized Next Header | Next Header type unknown |
| 4 | 2 | Parameter Problem — Unrecognized IPv6 Option | Option in the header not understood |
Behavior:

  • Error messages are sent to the IPv6 source address, never a multicast address.
  • The invoking packet’s header + first 8 bytes of payload are embedded in the ICMPv6 message so the sender can correlate the error.

C. ICMPv6 Informational Messages¶

| Type | Code | Name | Purpose |
| --- | --- | --- | --- |
| 128 | 0 | Echo Request | “Ping” to test reachability |
| 129 | 0 | Echo Reply | Response to Echo Request |

Exam Tip: IPv6 uses ICMPv6 exclusively for ping and traceroute (no separate “ping6” command on Cisco routers; it’s simply ping ipv6).


D. CCNA‑Level Takeaways¶

  1. NDP is implemented via ICMPv6 types 133–137 (all Code = 0).
  2. Error messages use Types 1–4 with multiple Codes; remember “1 = Dest Unreachable,” “2 = Too Big,” “3 = Time Exceeded,” “4 = Parameter Problem.”
  3. Echo Request/Reply are Types 128/129.
  4. Error ICMPv6 messages always return to the unicast source of the offending packet.
  5. Router & Link MTU Discovery:
    • Packet Too Big (Type 2) drives Path MTU Discovery.



IPv6 ACLs: Basics & Syntax¶

IPv6 ACLs function similarly to IPv4 ACLs but use the ipv6 access-list command and support IPv6‑specific features (e.g., prefix lists).

1. Defining a Named IPv6 ACL¶

Router(config)# ipv6 access-list MY_IPV6_ACL
  • Named (versus numbered) is the CCNA norm.
  • Once created, you add entries beneath this mode:
Router(config‑ipv6-acl)# permit tcp 2001:DB8:1:0::/64 any eq 80
Router(config‑ipv6-acl)# deny icmp any any nd-na
Router(config‑ipv6-acl)# permit ipv6 any any

2. Entry Format¶

[action] [protocol] [source] [source-prefix-length] [destination] [dest-prefix-length] [operator [port]]
  • action: permit or deny
  • protocol: ipv6 (all), tcp, udp, icmp, icmp6, or specific ICMPv6 types/codes (e.g., icmp6 nd-ns, icmp6 packet-too-big)
  • source/destination: IPv6 prefix and prefix length (no wildcard masks)
  • ports/operators: eq, gt, lt, range for TCP/UDP; not supported for plain ipv6

Example Entries¶

! Permit SSH from anywhere to the subnet
permit tcp any 2001:DB8:2:0::/64 eq 22

! Deny all ICMPv6 Neighbor Solicitations (ND‑NS)
deny icmp6 any any nd-ns

! Permit only HTTPS to a host
permit tcp any host 2001:DB8:3:0::5 eq 443

! Deny everything else
deny ipv6 any any

! Every IPv6 ACL ends with an implicit “deny ipv6 any any”; the explicit deny above only makes it visible

3. Applying an IPv6 ACL¶

ACLs are applied per interface and per direction:

Router(config)# interface GigabitEthernet0/1
Router(config‑if)# ipv6 traffic-filter MY_IPV6_ACL in
Router(config‑if)# ipv6 traffic-filter MY_IPV6_ACL out
  • in filters packets entering the interface.
  • out filters packets leaving the interface.

Permit/Deny Semantics¶

  1. Top‑down processing: First matching entry is used; no further entries are checked.
  2. Implicit deny: At the end of every ACL there is an invisible deny ipv6 any any.
  3. Implicit permit: If you issue only permit statements, the end-of-ACL implicit deny still applies—unmatched traffic is dropped.
  4. Explicit permit for IPv6‑specific: To allow all other IPv6 traffic, you must explicitly add permit ipv6 any any before the implicit deny.
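
The first‑match and implicit‑deny rules above, modelled in a short evaluator. This is an added example, not code from the original page or from Cisco. It parses only the entry forms shown in this section (any, host, prefix/length, eq port) and also reports entries that can never match because an earlier entry covers them. Both ACLs and the test packets are constructed.

```python
import ipaddress


def _addr(tokens):
    """Consume one address spec: any | host ADDR | PREFIX/LEN."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv6Network("::/0")
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok)


def parse_entry(line):
    tokens = line.split()
    entry = {"line": line, "action": tokens.pop(0), "proto": tokens.pop(0)}
    entry["src"], entry["dst"] = _addr(tokens), _addr(tokens)
    entry["port"] = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return entry


def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; fall through to the implicit deny."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for e in acl:
        if e["proto"] not in ("ipv6", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "(implicit deny ipv6 any any)"


def shadowed(acl):
    """Entries fully covered by an earlier entry, so they are never reached."""
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier["proto"] in ("ipv6", later["proto"])
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["port"] in (None, later["port"])):
                dead.append(later["line"])
                break
    return dead


# Constructed ACLs. STRICT has only permits, so the implicit deny applies.
STRICT = [parse_entry(l) for l in (
    "permit tcp any 2001:DB8:2:0::/64 eq 22",
    "permit tcp any host 2001:DB8:3:0::5 eq 443",
)]
# MISORDERED places a specific deny after a catch-all permit.
MISORDERED = [parse_entry(l) for l in (
    "permit tcp any 2001:DB8:2:0::/64 eq 22",
    "permit ipv6 any any",
    "deny tcp any host 2001:DB8:2:0::9 eq 23",
)]

if __name__ == "__main__":
    print(evaluate(STRICT, "tcp", "2001:db8:9::1", "2001:db8:2::9", 22))
    print(evaluate(STRICT, "udp", "2001:db8:9::1", "2001:db8:2::9", 53))
    print(evaluate(MISORDERED, "tcp", "2001:db8:9::1", "2001:db8:2::9", 23))
    print(shadowed(MISORDERED))
```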

Prefix Lists¶

IPv6 prefix lists let you match on prefixes without worrying about individual entries for every subnet size.

1. Defining a Prefix List¶

Router(config)# ipv6 prefix-list PL_FILTER seq 5 permit 2001:DB8:0:0::/64 le 128
Router(config)# ipv6 prefix-list PL_FILTER seq 10 deny 2001:DB8:0:1::/64 eq 64
  • seq: sequence number for ordering
  • permit/deny: action
  • prefix: network prefix
  • ge/le: minimum/maximum prefix length to match
    • le 128 means any subnet longer (more specific) than /64 up to /128
    • ge 48 means any prefix shorter (less specific) than /48

2. Using Prefix Lists in ACLs or Routing¶

  • In ACLs (with the ipv6 access-list syntax):

Router(config‑ipv6-acl)# permit ipv6 any any prefix-list PL_FILTER

  • In Routing Protocols (e.g., BGP):

Router(config‑bgp)# neighbor X.X.X.X prefix-list PL_FILTER in

Tips

  • Remember no wildcard masks—you always specify prefix/length.
  • Learn the common ICMPv6 types (e.g., nd-ns, nd-na, echo-request, packet-too-big).
  • Don’t forget to apply ACLs on the correct interface and direction.
  • Always include an explicit permit if you need to allow “all other” IPv6 traffic.
  • Understand how prefix lists simplify filtering variable‑length subnets.

Multicast in IPv6¶

IPv6 uses multicast far more extensively than IPv4. Rather than broadcasts, IPv6 relies on multicast for discovery and many control-plane functions.

1. Well‑Known Multicast Addresses¶

IPv6 multicast addresses all begin with FF00::/8. The next 4 bits are flags, followed by a 4‑bit scope, then a 112‑bit group ID.

| Address | Scope | Description |
| --- | --- | --- |
| FF02::1 | link‑local | All nodes on the local link (equivalent to “all hosts”) |
| FF02::2 | link‑local | All routers on the local link |
| FF05::2 | site‑local | All routers within the site |
| FF02::D | link‑local | All MLDv2-capable routers (MLDv2) |
| FF02::16 | link‑local | MLDv1 Multicast Listener Report |
| FF02::1:FFXX:XXXX | link‑local | Solicited‑node multicast (for NDP); last 24 bits = address’s last 24 bits |

Key points:

  • Scope values (hex):
    • 1 = node‑local
    • 2 = link‑local
    • 5 = site‑local
    • 8 = organization‑wide
    • E = global
  • Flags (4 bits): e.g., P‑bit indicates permanent vs. transient group.

Multicast Listener Discovery (MLD)¶

MLD is the IPv6 equivalent of IGMP. It lets routers know which multicast groups are active on which links so they can forward multicast traffic appropriately.

A. MLD Versions¶

  • MLDv1 (RFC 2710)
    • Uses Query and Report messages.
    • Hosts send Report when they want to join a group.

  • MLDv2 (RFC 3810)
    • Adds “source-specific” joins (like IGMPv3).
    • Supports Include and Exclude lists for finer control.

B. MLD Message Types (ICMPv6)¶

| Type | Code | Name | Purpose |
| --- | --- | --- | --- |
| 130 | 0 | Multicast Listener Query | Router → all‑nodes to solicit reports |
| 131 | 0 | Multicast Listener Report (v1) | Host → router: “I want to receive group X” |
| 132 | 0 | Multicast Listener Done (v1) | Host → router: “I’m leaving group X” |
| 143 | 0 | Multicast Listener Report (v2) | Host → router: includes source filters |

C. MLD Operation¶

  1. Query Phase
    • Routers periodically send a General Query to FF02::1 (all‑nodes).
    • They may send Multicast-Address-Specific Queries to a group address.

  2. Report Phase
    • Hosts respond with Report messages to the group’s multicast address.
    • In MLDv2, a Report can include source-specific filters.

  3. Timer Management
    • Routers maintain a timer per link to know when all listeners have left.
    • If no more Reports arrive for a group before the timer expires, the router stops forwarding that group to the link.

D. CCNA‑Level Takeaways¶

  • Well‑known addresses: memorize FF02::1, FF02::2, solicited‑node FF02::1:FFxx:xxxx.
  • MLD vs. IGMP: MLD is ICMPv6‑based (types 130–143) instead of IGMP.
  • MLDv2 adds source filtering—know the concept but not deep syntax.
  • Verification on Cisco routers:
show ipv6 mld groups
show ipv6 mld interface GigabitEthernet0/0

Transition Mechanisms (High‑Level)¶

On the CCNA you won’t be configuring these in depth, but you should understand their purposes, basic operation, and trade‑offs.


1. Dual‑Stack¶

  • Definition: Devices and networks run IPv4 and IPv6 simultaneously.
  • How it works:
    • Hosts have both an IPv4 A‑record and an IPv6 AAAA‑record in DNS.
    • Applications choose which to use based on DNS response (“Happy Eyeballs” algorithm).
  • Pros:
    • Simplest increment‑by‑increment migration.
    • No encapsulation overhead.
  • Cons:
    • You must maintain two parallel protocol stacks (ACLs, routing, security).
    • Potential for inconsistent policy between IPv4 and IPv6.

2. 6to4 Tunneling¶

  • Purpose: Automatic, “configured‑on‑the‑fly” IPv6 connectivity over IPv4 Internet.
  • Addressing:
    • 6to4 prefix = 2002::/16.
    • An end‑host or router with global IPv4 address W.X.Y.Z derives its 6to4 prefix as:

    2002:WXYZ::/48    (WXYZ = hex(IPv4))

      e.g., IPv4 192.0.2.4 → prefix 2002:c000:0204::/48.

  • Encapsulation:
    • IPv6 packets are wrapped in IPv4 protocol 41 and sent to a 6to4 relay.

  • Configuration Example (Cisco IOS):

interface Tunnel0
  ipv6 address 2002:c000:0204::1/64
  tunnel source 192.0.2.4
  tunnel mode ipv6ip 6to4

  • Pros/Cons:
    • + Auto‑configured, minimal manual config.
    • – Relies on public relays; can be unreliable and has MTU issues.

3. ISATAP (Intra‑Site Automatic Tunnel Addressing Protocol)¶

  • Purpose: Connect IPv6 islands across an IPv4 intranet.
  • Addressing:
    • ISATAP hosts derive an interface ID of the form:

    0000:5EFE:W.X.Y.Z

      where W.X.Y.Z is the IPv4 address.
    • Combined with a site’s IPv6 prefix (e.g., 2001:db8:acad::/64), the host’s IPv6 address becomes:

    2001:db8:acad::5EFE:c000:0204

  • Encapsulation:
    • Uses IPv4 unicast (protocol 41) between ISATAP routers/hosts.

  • Configuration Example (Cisco IOS):

interface Tunnel1
  ipv6 address 2001:db8:acad::1/64
  tunnel source GigabitEthernet0/0
  tunnel mode isatap

  • Pros/Cons:
    • + Works over existing IPv4 infrastructure internally.
    • – Not suitable over the public Internet; limited to site‑to‑site.

Key Takeaways¶

  1. Dual‑stack is preferred for long‑term; you run both stacks side by side.
  2. 6to4 uses a built‑in 2002::/16 prefix mapped from your IPv4 address and public relays.
  3. ISATAP embeds an IPv4 address in the low 32 bits of the IPv6 interface‑ID for site tunnels.
  4. Both tunneling methods encapsulate IPv6 inside IPv4 (protocol 41) and can suffer from MTU/traceroute issues.
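
The 6to4 and ISATAP address mappings described above, as an added example that is not part of the original notes. It derives both address forms from an IPv4 address and, in the other direction, recognises tunnel addresses in a list and recovers the embedded IPv4 address, which helps when reviewing logs or inventories for unexpected protocol 41 tunnelling. The function names are illustrative, and only the 0000:5EFE interface‑ID form given on this page is matched.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
ISATAP_MARK = 0x00005EFE  # upper 32 bits of the interface ID, as on this page


def sixtofour_prefix(ipv4):
    """2002:WXYZ::/48, where WXYZ is the IPv4 address in hex."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix, ipv4):
    """Site /64 prefix + interface ID 0000:5EFE:<IPv4>."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs need a /64 prefix")
    return net[(ISATAP_MARK << 32) | int(ipaddress.IPv4Address(ipv4))]


def embedded_ipv4(addr):
    """Return (mechanism, IPv4) for a 6to4 or ISATAP address, else None."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in SIXTOFOUR:
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if (n >> 32) & 0xFFFFFFFF == ISATAP_MARK:
        return "isatap", str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    return None


def tunnel_addresses(addresses):
    """Filter a list of IPv6 addresses down to the ones that embed IPv4."""
    found = {}
    for addr in addresses:
        hit = embedded_ipv4(addr)
        if hit:
            found[addr] = hit
    return found


# Constructed sample, e.g. source addresses pulled from a flow log.
SEEN = [
    "2001:db8:1:1::1",
    "2002:c000:204::1",
    "2001:db8:acad::5efe:c000:204",
    "fe80::1",
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.4"))
    print(isatap_address("2001:db8:acad::/64", "192.0.2.4"))
    for addr, (kind, v4) in tunnel_addresses(SEEN).items():
        print(f"{addr}: {kind} tunnel endpoint {v4}")
```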