
Portal | Level: L1: Foundations | Topics: Cisco CLI, VLANs, STP / Spanning Tree, LACP / Link Aggregation | Domain: Networking

Cisco Fundamentals for DevOps - Primer

Why This Matters

You will never be the network engineer. But you will be the person staring at a server that cannot reach its gateway, reading a switch config someone pasted in Slack, or trying to explain to the network team why your LACP bond is flapping.

Cisco IOS runs on a majority of enterprise switches and routers. Even when the gear is Arista or Juniper, the concepts (VLANs, trunking, STP, ACLs) are identical -- only syntax changes. Learning IOS gives you a transferable mental model for all network troubleshooting.

This primer gives you enough IOS literacy to: read and interpret configs without guessing, run the right show commands during an outage, understand what the network team is telling you, and debug server-side symptoms that originate at the switch port.

Core Concepts

1. IOS CLI Modes

IOS has a strict mode hierarchy. You cannot run configuration commands from the wrong mode.

User EXEC        Switch>
  |
  v  enable
Privileged EXEC  Switch#
  |
  v  configure terminal
Global Config    Switch(config)#
  |
  v  interface GigabitEthernet0/1
Interface Config Switch(config-if)#

Key navigation:

Switch> enable              # enter privileged mode
Switch# show running-config # view active config
Switch# configure terminal  # enter config mode
Switch(config)# exit        # go back one level
Switch(config)# end         # return to priv exec
Switch# disable             # back to user exec

The ? key shows available commands at any point. Tab completes partial commands.

Name origin: IOS originally stood for "Internetwork Operating System." Cisco trademarked the name long before Apple's iOS for iPhones -- which is why Apple licenses the "iOS" trademark from Cisco.

2. Essential Show Commands

These are the commands you will actually use during incidents. Memorize them.

Interface status:

Switch# show interfaces status
Port    Name      Status    Vlan  Duplex Speed
Gi0/1   web-01    connected 100   a-full a-1000
Gi0/2   web-02    notconnect 100  auto   auto
Gi0/3   db-01     err-disabled 200 auto  auto

Key states: connected, notconnect (cable/host down), err-disabled (security violation or error threshold).
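As an added illustration that is not part of the original primer, the following Python parses a constructed show interfaces status listing and applies the triage rules above, plus the duplex-mismatch note from the "What Experienced People Know" section; the sample rows, the extra Gi0/4 row and the regex column layout are assumptions.

```python
import re

# Constructed sample, modelled on the 'show interfaces status' listing above;
# Gi0/4 is added to show a hard-coded (non-negotiated) duplex and speed.
SAMPLE_STATUS = """\
Port    Name      Status    Vlan  Duplex Speed
Gi0/1   web-01    connected 100   a-full a-1000
Gi0/2   web-02    notconnect 100  auto   auto
Gi0/3   db-01     err-disabled 200 auto  auto
Gi0/4   app-01    connected 100   full   100
"""

# Columns are whitespace separated and Name may be empty on real gear, so we
# anchor on the Status keyword rather than on fixed column positions.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?:(?P<name>\S+)\s+)?"
    r"(?P<status>connected|notconnect|err-disabled|disabled)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s*$"
)

def parse_status(text):
    """Return one dict per interface row; the header line does not match."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]

def triage(rows):
    """Map port -> finding for every port that needs a look, per this primer's rules."""
    findings = {}
    for r in rows:
        if r["status"] == "err-disabled":
            findings[r["port"]] = "err-disabled: security violation or error threshold, check show logging"
        elif r["status"] == "notconnect":
            findings[r["port"]] = "notconnect: cable or host NIC down"
        elif r["status"] == "connected" and not r["duplex"].startswith("a-"):
            # Duplex without the 'a-' prefix was forced on the switch side:
            # that is a duplex mismatch if the server NIC is left on auto.
            findings[r["port"]] = f"forced {r['duplex']}/{r['speed']}: confirm the server side is not auto"
    return findings

if __name__ == "__main__":
    for port, why in triage(parse_status(SAMPLE_STATUS)).items():
        print(port, why)
```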

Interface details:

Switch# show interfaces GigabitEthernet0/1
  ...
  5 minute input rate 45000 bits/sec, 30 packets/sec
  1024 input errors, 0 CRC, 512 frame
  0 output errors

Non-zero CRC or frame errors = bad cable, SFP, or duplex mismatch.

ARP and MAC address tables:

# What IP has what MAC? (L3 device)
Switch# show arp
Internet  10.0.1.5  0  aabb.cc00.1234  ARPA  Vlan100

# What MAC is on what port? (L2 device)
Switch# show mac address-table
Vlan  Mac Address      Type     Ports
100   aabb.cc00.1234   DYNAMIC  Gi0/1

Routing table (on L3 switches/routers):

Switch# show ip route
C    10.0.1.0/24 is directly connected, Vlan100
S    10.0.2.0/24 [1/0] via 10.0.1.1
O    10.0.3.0/24 [110/20] via 10.0.1.1

Codes: C = connected, S = static, O = OSPF, B = BGP, D = EIGRP.

3. VLANs and Trunking

VLANs segment a switch into isolated broadcast domains. Trunks carry multiple VLANs between switches.

Access port — belongs to one VLAN:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100

Trunk port — carries tagged frames for many VLANs:

Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 100,200
Switch(config-if)# switchport trunk native vlan 1

Verify:

Switch# show vlan brief
VLAN Name                 Status    Ports
1    default              active    Gi0/10-20
100  web-servers          active    Gi0/1-4
200  databases            active    Gi0/5-8

Switch# show interfaces trunk
Port   Mode  Encapsulation Status  Native vlan
Gi0/24 on    802.1q        trunking 1

Common mistake: Server NIC configured for VLAN 100 but switch port is on VLAN 200. Traffic flows but cannot reach the gateway. Always verify both sides.

4. Spanning Tree Basics

STP prevents loops in redundant L2 topologies. Without it, a broadcast storm takes down the network in seconds.

Port states:

Blocking → Listening → Learning → Forwarding
             (15s)       (15s)

Verify STP:

Switch# show spanning-tree vlan 100
VLAN0100
  Root ID    Priority  32868
             Address   aabb.cc00.0001
  Bridge ID  Priority  32868
             Address   aabb.cc00.0002

Interface  Role  Sts  Cost  Prio
Gi0/1      Desg  FWD  4     128
Gi0/24     Root  FWD  4     128
Gi0/25     Altn  BLK  4     128

Roles: Root (toward root bridge), Designated (away from root), Alternate (blocked backup).

Remember: the STP port state progression mnemonic is "Blocks Listen, Learns, Forwards" -- or just "BLLFo." The 15-second timers for Listening and Learning mean a port takes 30 seconds to start forwarding after coming up. PortFast skips this for end hosts.

PortFast — skip STP delay on access ports:

Switch(config-if)# spanning-tree portfast

Use only on ports connected to end hosts, never on switch-to-switch links. Enabling portfast on a trunk between switches can cause a broadcast storm.

5. Basic ACLs

ACLs filter traffic. Standard ACLs match source IP only. Extended ACLs match source, destination, port, and protocol.

Extended ACL example:

Switch(config)# ip access-list extended BLOCK-SSH
Switch(config-ext-nacl)# permit tcp 10.0.1.0 0.0.0.255 any eq 22
Switch(config-ext-nacl)# deny tcp any any eq 22
Switch(config-ext-nacl)# permit ip any any

Switch(config)# interface Vlan100
Switch(config-if)# ip access-group BLOCK-SSH in

Key rules:

  • ACLs are evaluated top-down, first match wins
  • Implicit deny any at the end of every ACL
  • Apply inbound (in) or outbound (out) on an interface — direction matters
  • show access-lists shows hit counts per line

Gotcha: The implicit deny any at the end of every ACL is invisible -- it doesn't show up in show access-lists. If your ACL permits SSH from one subnet but you forgot the final permit ip any any, all other traffic is silently dropped. Every new engineer learns this the hard way.
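As an added example (not the primer's own code), this Python parses the BLOCK-SSH ACL above into ACEs and evaluates packets against it top-down with the invisible implicit deny at the end, then repeats the evaluation with the final permit ip any any removed to show the gotcha; the config text is constructed, and only contiguous wildcard masks are handled.

```python
import ipaddress

# Constructed text of the BLOCK-SSH ACL from this section, in the form
# 'show running-config' prints it (one ACE per indented line).
BLOCK_SSH = """\
ip access-list extended BLOCK-SSH
 permit tcp 10.0.1.0 0.0.0.255 any eq 22
 deny tcp any any eq 22
 permit ip any any
"""

def _addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # IOS wildcard masks are inverted netmasks; ipaddress accepts that
    # host-mask form directly (contiguous masks only, which is all we need).
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return the ACEs of one extended named ACL as dicts, in configured order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # the 'ip access-list' header or a blank line
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append({"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "port": port})
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """Top-down, first match wins. Returns (action, line number); line None
    means the packet fell off the end and hit the invisible implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, r in enumerate(rules, 1):
        if r["proto"] not in ("ip", proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dst_port:
            continue
        return r["action"], n
    return "deny", None

# The gotcha above: the same ACL with the final 'permit ip any any' forgotten.
BLOCK_SSH_TRUNCATED = BLOCK_SSH.replace(" permit ip any any\n", "")
```

With the truncated ACL, evaluate() returns ("deny", None) for every non-SSH packet, matching the symptom in the gotcha: no line shows a hit, traffic just disappears.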

6. Port Security

Port security limits which MAC addresses can use a port. It catches unauthorized devices and mispatched cables.

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky

Violation modes: shutdown (err-disable the port), restrict (drop + log), protect (drop silently).

Recover an err-disabled port:

Switch# show interfaces status | include err
Gi0/3  db-01  err-disabled  200  auto  auto

Switch(config)# interface GigabitEthernet0/3
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
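As an added example (not code from this primer), the following Python audits a constructed running-config excerpt for three things this page warns about: PortFast on a trunk (section 4), a trunk native VLAN that disagrees with the far end (the native VLAN mismatch note below), and access ports without port security (this section). The config text and the assumed peer native VLAN are constructed inputs.

```python
# Constructed running-config excerpt (not this page's device), assembled from
# the access, trunk, PortFast and port-security commands shown in this primer.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
 spanning-tree portfast
!
interface GigabitEthernet0/25
 switchport mode trunk
 switchport trunk native vlan 99
!
"""

def parse_interfaces(text):
    """Map interface name -> its indented sub-commands (stripped)."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None  # '!' or any other top-level line closes the block
    return ifaces

def audit(ifaces, peer_native_vlan=1):
    """(interface, finding) pairs; peer_native_vlan is what every trunk's far end is assumed to use."""
    findings = []
    for name, lines in ifaces.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            if "spanning-tree portfast" in lines:
                findings.append((name, "portfast on a trunk: loop / broadcast storm risk"))
            native = next((int(l.split()[4]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)  # IOS default is 1
            if native != peer_native_vlan:
                findings.append((name, f"native vlan {native} but peer uses {peer_native_vlan}"))
        elif mode == "access" and "switchport port-security" not in lines:
            findings.append((name, "access port without port-security"))
    return findings
```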

7. Troubleshooting Connectivity

A systematic approach when a server cannot reach the network:

Step 1: Is the port up?
  show interfaces status
   notconnect = cable/NIC problem
   err-disabled = security or error issue

Step 2: Correct VLAN?
  show vlan brief
  show running-config interface Gi0/1
   Verify VLAN matches server's expected subnet

Step 3: MAC learned?
  show mac address-table interface Gi0/1
   No entry = server not sending frames (NIC down)

Step 4: ARP resolution? (L3 switch/router)
  show arp | include 10.0.1.5
   No entry = host not responding to ARP

Step 5: Routing?
  show ip route 10.0.2.0
   No route = traffic has nowhere to go

Step 6: ACL blocking?
  show access-lists
   Check hit counts on deny lines

Step 7: STP?
  show spanning-tree interface Gi0/1
   BLK state = port is blocked by STP

What Experienced People Know

  • show interfaces status is the single most useful command. It tells you link state, VLAN, speed, and duplex in one view.
  • err-disabled ports are silent killers. The server NIC shows "link up" but all traffic is dropped. Always check switch side.
  • Native VLAN mismatches between trunk endpoints cause intermittent, maddening connectivity issues. Both ends must agree.
  • show logging on the switch reveals port flaps, STP topology changes, and security violations that happened while you were not watching.
  • Duplex mismatch (one side auto, other side forced) causes late collisions and packet loss that looks like application timeouts, not network errors.
  • When in doubt about a change, use show running-config vs show startup-config to see uncommitted changes. IOS does not auto-save — run copy run start or write memory.
  • ACL hit counts reset on reload. Use show access-lists during troubleshooting to see if traffic is matching deny rules in real time.
  • LACP bond issues almost always trace to mismatched switchport configs (one port trunk, another access, or VLAN mismatch across bundle members).
  • show cdp neighbors reveals what is physically connected to each port. Use it to verify cabling without walking to the rack.
  • Never make changes on a production switch without reload in 5 as a safety net. If your change kills your session, the switch auto-reverts in 5 minutes.

War story: The reload in 5 trick has saved countless network engineers. You schedule a reload in 5 minutes, make your change, and if it works you cancel with reload cancel. If your change kills your SSH session, you can't cancel it -- and the switch reboots with the old config in 5 minutes. Without this, a bad ACL or VLAN change on a remote switch means a physical trip to the datacenter.
