Cisco IOS: The operating system that runs on Cisco networking devices (routers, switches, firewalls) - similar to Windows on a PC
CLI (Command-Line Interface): A text-based interface where you type commands to configure devices
GUI (Graphical User Interface): Point-and-click interface, but most network engineers prefer CLI
Definition: A text-based interface used to configure and manage Cisco networking devices through typed commands.
vs. GUI (Graphical User Interface):
CLI = Text commands, faster for experts, scriptable
GUI = Point-and-click, visual, easier for beginners
Key Point: CCNA focuses heavily on CLI - you MUST master it for the exam!
| Connection Type | Port Type | Cable Required | Use Case |
| --- | --- | --- | --- |
| RJ45 Console | RJ45 connector | Rollover cable | Traditional method, most common |
| USB Console | USB Mini-B/Type-C | USB cable | Modern devices, laptop-friendly |
Rollover Cable Specifications
💡 Memory Tip: "Rollover = Complete reversal" (1→8, 2→7, etc.)
Terminal Emulator Software
PuTTY (putty.org) - Free, Windows
SecureCRT - Professional, paid
Tera Term - Free, Windows
Terminal - Built-in macOS/Linux
Default Console Settings:
Baud Rate: 9600
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: None
? = Shows available commands
command? (no space) = Shows completions for that word
command ? (with space) = Shows next options
Tab key = Auto-completes commands
Shortcuts: You only need to type enough letters to make the command unique
enable → en
configure terminal → conf t
show running-config → sh run
There are three main modes, each with different capabilities:
Router>
Most limited access
Can view some information only
Indicated by > symbol
Enter with: Just connect to device
CLI exec mode (also called user EXEC mode) is the basic command-line interface level in network devices like Cisco routers and switches. It's indicated by the ">" prompt and provides access to basic monitoring commands with limited privileges.
Key points about exec mode:
Default mode when first logging into a device
Limited to basic show commands and connectivity tests
Cannot make configuration changes
Common commands available include:
ping
show version
show ip interface brief
traceroute
telnet
Router#
Full access to view configurations
Can restart device, save configs
Indicated by # symbol
Enter with: enable command
Privileged EXEC mode (indicated by the "#" prompt) is the elevated access level in network devices that allows administrators to view and modify device configurations. It's accessed using the "enable" command from user EXEC mode.
Key features of Privileged EXEC mode:
Access to ALL show commands
Ability to:
Debug
Reset/reload device
Enter configuration mode
Manage system files
Test network connectivity
Router(config)#
Where you make configuration changes
Indicated by (config)#
Enter with: configure terminal or conf t
A. Enable Password (Weak Security)
Command: enable password [password]
Characteristics:
Type 7 encryption (Cisco proprietary)
⚠️ EASILY decryptable (online tools available)
NOT encrypted by default (plaintext in config)
Requires service password-encryption to encrypt
LEGACY - DO NOT USE IN PRODUCTION
Example:
Router(config)# enable passw[REDACTED:PASSWORD]o123
Router(config)# exit
Router# show running-config
!
enable passw[REDACTED:PASSWORD]o123 ← PLAINTEXT (insecure!)
With service password-encryption:
Router(config)# service password-encryption
enable password 7 [REDACTED:PASSWORD] ← Type 7 (still weak!)
B. Enable Secret (Strong Security)
Command: enable secret [password]
Type 5 encryption (MD5 hashing algorithm)
✅ ALWAYS encrypted automatically
One-way hash (cannot be decrypted, only cracked)
TAKES PRECEDENCE over enable password
RECOMMENDED for production use
Router(config)# enable secret MySecureP@ss123
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0 ← Type 5 MD5
Router(config)# enable password CCNA
Stores password in plain text
Can be encrypted with service password-encryption, but weak encryption (Type 7)
Easily cracked
Router(config)# enable secret Cisco
Always hashed with MD5 (Type 5)
Much harder to crack
If both are configured, only enable secret works
service password-encryption Behavior
⚠️ CRITICAL EXAM CONCEPT - Frequently Tested!
When ENABLED:
✅ Encrypts ALL current plaintext passwords
✅ Future passwords will be encrypted
✅ Affects: enable password, line passwords, etc.
❌ Does NOT affect enable secret (already encrypted)
When DISABLED:
Router(config)# no service password-encryption
❌ Does NOT decrypt existing passwords (they stay encrypted)
❌ Future passwords will be stored in plaintext
❌ Does NOT affect enable secret
Visual Example:
BEFORE:
enable password cisco
AFTER enabling service password-encryption:
enable password 7 0822455D0A16
AFTER disabling service password-encryption:
enable password 7 0822455D0A16 ← STILL ENCRYPTED!
(But new passwords will be plaintext)
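The storage rules above can be checked offline against a saved copy of a configuration. The following Python audit is an added example, not part of the original notes; the three sample configs are constructed to mirror the states shown here, and the regex only covers the enable and line password forms these notes use.

```python
import re

# Constructed configs mirroring the states shown in these notes.
WEAK = """\
hostname Router
enable password cisco
"""
MIXED = """\
service password-encryption
hostname Router
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
"""
HARDENED = """\
service password-encryption
hostname Branch-R1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
"""

# kind, optional numeric type, stored value (never echoed in findings)
CRED = re.compile(r"^\s*(enable secret|enable password|password)\s+(?:(\d+)\s+)?\S+\s*$")


def audit(config):
    """Return (credential checked at the enable prompt, list of findings)."""
    encrypt_on = False
    creds = []  # (line number, kind, type or None for plaintext)
    for no, line in enumerate(config.splitlines(), 1):
        if line.strip() == "service password-encryption":
            encrypt_on = True
        m = CRED.match(line)
        if m:
            creds.append((no, m.group(1), m.group(2)))

    kinds = {kind for _, kind, _ in creds}
    findings = []
    for no, kind, ptype in creds:
        if kind == "enable secret":
            continue  # always stored hashed, independent of the service
        if ptype is None:
            findings.append(f"line {no}: {kind} is stored in plaintext")
        elif ptype == "7":
            findings.append(f"line {no}: {kind} is Type 7 (reversible)")
    if {"enable secret", "enable password"} <= kinds:
        findings.append("enable password is ignored but still exposed: no enable password")
    if "enable secret" not in kinds:
        findings.append("no enable secret configured")
    if not encrypt_on:
        findings.append("service password-encryption is off")
    effective = next((k for k in ("enable secret", "enable password") if k in kinds), None)
    return effective, findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("MIXED", MIXED), ("HARDENED", HARDENED)):
        effective, findings = audit(cfg)
        print(f"{name}: enable prompt checks {effective}")
        for f in findings:
            print("  -", f)
```

The findings name the line and the storage type only, so the report itself can be shared without leaking a password or hash.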
Two Configuration Files
| File | Location | Volatility | Description |
| --- | --- | --- | --- |
| running-config | RAM | Volatile (lost on reload) | Currently active configuration |
| startup-config | NVRAM | Non-volatile (persistent) | Configuration loaded at boot |
Critical Workflow:
1. Make changes in CLI → Updates running-config (RAM)
2. Device reloads → running-config is LOST
3. Device loads → startup-config from NVRAM
4. Result → Your changes are GONE!
SOLUTION: Always save!
Router# copy running-config startup-config
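To see what a reload would actually discard, compare saved copies of the two files. The Python sketch below is an added example, not part of the original notes; both config texts are constructed, and it assumes sub-commands are indented under their section line as in real show output.

```python
# Constructed 'show running-config' and 'show startup-config' output.
RUNNING = """\
Building configuration...
Current configuration : 1024 bytes
!
hostname R1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
end
"""
STARTUP = """\
!
hostname Router
!
interface GigabitEthernet0/0
 shutdown
!
end
"""
NOT_SAVED = "startup-config is not present"  # shown when nothing was ever saved

NOISE = ("!", "Building configuration", "Current configuration")


def parse(text):
    """Return ordered (parent, command) pairs; parent is None at top level."""
    entries, parent = [], None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "end" or cmd == NOT_SAVED or cmd.startswith(NOISE):
            continue
        if raw[0].isspace():  # indented line: sub-command of the last section
            entries.append((parent, cmd))
        else:
            parent = cmd
            entries.append((None, cmd))
    return entries


def reload_impact(running, startup):
    """Return (lost, restored): commands only in RAM, commands only in NVRAM."""
    run, start = parse(running), parse(startup)
    lost = [e for e in run if e not in start]
    restored = [e for e in start if e not in run]
    return lost, restored


if __name__ == "__main__":
    lost, restored = reload_impact(RUNNING, STARTUP)
    for parent, cmd in lost:
        print("lost on reload:    ", f"{parent} / {cmd}" if parent else cmd)
    for parent, cmd in restored:
        print("returns on reload: ", f"{parent} / {cmd}" if parent else cmd)
```

An empty result for both lists means the running configuration has been saved and a reload changes nothing.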
Viewing Configuration Files
Show Running Config:
Router# sh run ← Abbreviated
Router(config)# do show run ← From config mode
Show Startup Config:
Router# show startup-config
Router# sh start ← Abbreviated
Saving Configuration - Three Methods
⭐ EXAM TIP: All three commands do the EXACT same thing!
| Command | | Exam Frequency |
| --- | --- | --- |
| write | Shortest command | ⭐⭐⭐ |
| write memory | Descriptive (write to memory) | |
| copy running-config startup-config | Most explicit | ⭐⭐⭐⭐⭐ |
Destination filename [startup-config]? [Enter]
Building configuration...
[OK]
Shortcut:
Router# copy run start ← Abbreviated version
Help System
| Command | Function | Example Output |
| --- | --- | --- |
| ? | Show all available commands | List of all commands |
| show ? | Show all 'show' commands | show arp, show ip, show run, etc. |
| s? | Show commands starting with 's' | setup, show, shutdown |
| e? | Show commands starting with 'e' | enable, exit |
Router> ?
enable Turn on privileged commands
exit Exit from the EXEC
Router> e?
enable exit
Router> enable
Router# show ?
arp ARP table
ip IP information
running-config Current operating configuration
startup-config Startup configuration
[...]
Tab Completion
Rule: Press Tab to auto-complete commands if unambiguous
Router> en[Tab] → Router> enable
Router# conf t[Tab] → Router# configure terminal
Router# sh run[Tab] → Router# show running-config
Ambiguous Commands
Error: % Ambiguous command: "e"
Reason: Multiple commands start with the same letters
Router> e
enable exit ← Two commands start with 'e'
Router> en ← Now unambiguous
Purpose: Moves you from User EXEC mode to Privileged EXEC mode
Router> ← User EXEC mode (limited access)
Router> enable ← Type this command
Password: ← Enter password if configured
Router# ← Now in Privileged EXEC mode (full access)
Real-world scenario: You connect to a router and need to view configurations or make changes. The enable command is your first step.
Purpose: Enters Global Configuration mode where you can make changes to the device
Router# configure terminal ← Full command
Router(config)# ← Now in Global Config mode
OR (shortcut):
Router# conf t ← Short version
Router(config)# ← Same result
Real-world scenario: You need to set passwords, change hostnames, configure interfaces, etc. All configuration changes happen here.
enable password
Purpose: Sets a password to protect Privileged EXEC mode (stores in plain text by default)
Router# configure terminal
Router(config)# enable password MyPass123
Router# exit
Password: [REDACTED:PASSWORD] ← Type password (won't show on screen)
Router# ← Access granted
In configuration file:
enable password MyPass123 ← Visible in plain text! (NOT SECURE)
Problem: Anyone looking at the config can see "MyPass123"
Purpose: Encrypts passwords (including enable password) using weak Type 7 encryption
Before encryption:
Router(config)# do show running-config
enable password [REDACTED:PASSWORD] ← Plain text
After enabling encryption:
enable password [REDACTED:PASSWORD] ← Now encrypted (7 = Type 7 encryption)
Important Notes:
Type 7 encryption is WEAK and easily cracked online
Only affects display, not the actual password
If you disable it later, already-encrypted passwords stay encrypted
New passwords after disabling won't be encrypted
enable secret
Purpose: Sets a MORE SECURE password stored as an MD5 hash (Type 5) - ALWAYS USE THIS!
Router(config)# enable secret Cisco123
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0 ← MD5 hashed (5 = Type 5)
Comparison with enable password:
Router(config)# do show run
enable password [REDACTED:PASSWORD] ← This is IGNORED
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0 ← This is USED
When you type enable:
Password: [REDACTED:PASSWORD] ← Must use enable secret password
Router# ← Access granted (enable password is ignored)
Key Point: If both are configured, ONLY enable secret works!
do
Purpose: Run Privileged EXEC commands while in Global Configuration mode
Without do:
Router(config)# show running-config
^
% Invalid input detected at '^' marker. ← ERROR! Can't use show in config mode
Router# show running-config ← Must exit to use show command
With do (Better!):
Router(config)# do show running-config ← Works! No need to exit
[Configuration displays here]
Router(config)# ← Still in config mode
More examples:
Router(config)# do show ip interface brief
Router(config)# do show version
Router(config)# do ping 8.8.8.8
Router(config)# do show startup-config
no
Purpose: Removes or negates a previously configured command
Example 1 - Removing a password:
Router(config)# enable password [REDACTED:PASSWORD] ← Set password
Router(config)# do show run | include enable
enable password [REDACTED:PASSWORD] ← Password exists
Router(config)# no enable password [REDACTED:PASSWORD] ← Remove it
← Password gone!
show run | include enable
This is a Cisco IOS command used on network devices (routers/switches).
Part - Meaning
show run - Short for show running-config; displays the current active configuration
| include - Filter that shows only lines containing the specified keyword
enable - The keyword you're searching for
It filters the running configuration and displays only lines that contain the word "enable".
Router# show run | include enable
enable secret 5 $1$abc$XYZ123hashedpassword
enable password [REDACTED:PASSWORD]
Check if an enable password or enable secret is configured
Quickly find enable-related settings without scrolling through the entire config
| exclude - shows lines without the keyword
| begin - starts output from the first match
| section - shows entire config sections containing the keyword
In short: It's a quick way to find enable password configurations on your device.
Example 2 - Disabling encryption:
Router(config)# service password-encryption ← Enable encryption
Router(config)# no service password-encryption ← Disable encryption
Example 3 - Removing enable secret:
Router(config)# no enable secret ← Remove the secret password
Important: Already encrypted passwords stay encrypted even after no service password-encryption
Purpose: Displays the CURRENT, ACTIVE configuration (what's in RAM right now)
Current configuration : 1024 bytes
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
hostname Router
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
[More configuration...]
end
Router# sh run ← Same command, shorter
Important: This shows what's CURRENTLY running. If you haven't saved, it will be lost on reboot!
show startup-config
Purpose: Displays the SAVED configuration that loads when device restarts (stored in NVRAM)
Example - Before saving:
startup-config is not present ← Nothing saved yet!
Example - After saving:
Destination filename [startup-config]?
Router# show startup-config ← Now it displays saved config
enable secret 5 $1$mERr$...
[Rest of configuration...]
Router# sh start ← Same command
Purpose: Saves running-config to startup-config
Router# write
[OK] ← Configuration saved!
What happens:
Copies everything from running-config (RAM) → startup-config (NVRAM)
Now your changes survive a reboot
Purpose: Same as write - saves configuration
Router# write memory
Exactly the same result as write
Purpose: Most explicit way to save configuration (copies one file to another)
Destination filename [startup-config]? ← Press Enter to confirm
Long form explanation:
Source: running-config (what's currently active)
Destination: startup-config (what loads on boot)
Same result as write and write memory
Router# write ← Option 1
Router# write memory ← Option 2
Router# copy running-config startup-config ← Option 3
ALL DO THE SAME THING! Use whichever you prefer.
Router> enable ← 1. Enter privileged mode
Password:
Router# configure terminal ← 2. Enter config mode
Router(config)# enable secret MySecurePass ← 3. Set password
Router(config)# service password-encryption ← 4. Encrypt other passwords
Router(config)# do show running-config ← 5. Check config without exiting
enable secret 5 $1$mERr$... ← See encrypted password
Router(config)# exit ← 6. Exit config mode
Router# write ← 7. Save configuration
Router# show startup-config ← 8. Verify it saved
enable secret 5 $1$mERr$... ← Confirmed!
Router# exit ← 9. Log out
The "do" Command
Purpose: Execute privileged EXEC commands from Global Configuration mode
Without "do":
% Invalid input detected at '^' marker.
With "do":
[Configuration displays successfully]
💡 Exam Tip: Use "do" to check your work without exiting config mode!
Canceling Commands
Syntax: no [command]
Examples:
Router(config)# enable password cisco
Router(config)# no enable password ← Removes it
Router(config)# no service password-encryption ← Disables it
Router(config)# hostname R1
R1(config)# no hostname ← Resets to default
| Type | Algorithm | Used By | Security Level |
| --- | --- | --- | --- |
| Type 5 | MD5 hash | enable secret | 🔒 Strong (one-way hash) |
| Type 7 | Cisco proprietary | enable password + encryption | ⚠️ Weak (reversible) |
❌ Mistake:
R1(config)# exit
R1# reload
[Device reboots]
Router> ← Hostname is back to default!
✅ Correct:
Router(config)# hostname R1
R1(config)# exit
R1# copy running-config startup-config
R1# reload
[Device reboots]
R1> ← Hostname is preserved!
Router(config)# enable secret admin
Passwo[REDACTED:PASSWORD]isco ← REJECTED!
✅ Understanding: When BOTH are configured, enable secret ALWAYS wins
Passwo[REDACTED:PASSWORD]dmin ← CORRECT! (enable secret)
❌ Mistake: Thinking it decrypts passwords when disabled
Scenario:
Router# sh run | include enable
Router# conf t
✅ Reality: Disabling only affects FUTURE passwords
❌ Mistake: Thinking you can configure in Privileged EXEC
Router# hostname R1
✅ Correct: Must enter Global Configuration mode
R1(config)#
❌ Mistake: Using crossover for console connection
Cable Usage:
Rollover → Console port (out-of-band management)
Crossover → Connecting similar devices via Ethernet (switch-to-switch)
Straight-through → Connecting different devices (PC to switch)
❌ Mistake: Trying to use "do" in User or Privileged EXEC mode
Router> do enable
✅ Correct: "do" only works in Global Configuration mode
Router(config)# do show running-config ← Valid
"Greater, Hashtag, Config"
> = Greater than nothing → User EXEC (least privileges)
# = Hashtag → Privileged EXEC (more privileges)
(config)# = Config → Global Configuration (full privileges)
"SECRET is STRONG, PASSWORD is PATHETIC"
SECRET → Type 5 (MD5) → 5 letters in "secret"
PASSWORD → Type 7 → Weak → 7 deadly sins (evil/weak)
"WW CRS" (We Write, Copy Run Start)
Write
Write Memory
Copy Running-config Startup-config
"ROLL to CONSOLE"
ROLLover cable → CONSOLE port
"CROSS when same, STRAIGHT when different"
CROSSover → Same devices (switch-switch)
STRAIGHT-through → Different devices (PC-switch)
Type 5 = MD5 = MIGHTY STRONG
Type 7 = Cisco = CHEAPLY WEAK
"RAM Runs, NVRAM Never Vanishes"
RAM → Running-config (volatile)
NVRAM → startup-config (Never Vanishes)
# Connect via console cable
# Open PuTTY: COM3, 9600 baud
Router(config)# hostname Branch-R1
Branch-R1(config)# enable secret SecureP@ss123
Branch-R1(config)# service password-encryption
Branch-R1(config)# no enable password
Branch-R1(config)# exit
Branch-R1# copy running-config startup-config
Branch-R1# show startup-config | include enable
Branch-R1#
Scenario: Password not working
Password: [typing but nothing shows]
# Troubleshooting checklist:
1. Is Caps Lock on? (passwords are case-sensitive)
2. Are you typing the correct password?
3. Are both enable password AND enable secret configured?
(If yes, use enable secret password)
Check configuration:
Router# show running-config | include enable
enable password 7 094F471A1A0A
# You must use the enable secret password!
Problem:
Router> ← Changes lost!
Diagnosis:
Router# show startup-config | include hostname
hostname Router ← Still default!
Router# show running-config | include hostname
hostname R1 ← Changes in RAM only
Solution:
R1# show startup-config | include hostname
hostname R1 ← Now saved!
Without "do" (inefficient):
R1# show running-config | include hostname
hostname R1
R1# configure terminal
R1(config)# enable secret cisco123
R1# show running-config | include enable
With "do" (efficient):
R1(config)# do show running-config | include hostname
R1(config)# do show running-config | include enable
R1(config)# ← Never left config mode!
# Initial state
Router# show run | include enable
enable password cisco ← Plaintext
# Enable encryption
enable password 7 0822455D0A16 ← Now encrypted
# Add enable secret
Router(config)# enable secret admin123
# Disable encryption
enable password 7 0822455D0A16 ← STILL Type 7!
# Add new password (will be plaintext)
Router(config)# enable password newpass
enable password newpass ← Plaintext (no encryption)
What does CLI stand for and what is its purpose?
Command-Line Interface - a text-based interface used to configure and manage Cisco networking devices through typed commands.
What cable type is used to connect to an RJ45 console port?
Rollover cable (also called console cable) - Pin 1→8, Pin 2→7, Pin 3→6, Pin 4→5, Pin 5→4, Pin 6→3, Pin 7→2, Pin 8→1
What are the default console port settings?
9600 baud rate, 8 data bits, No parity, 1 stop bit, No flow control (Mnemonic: 9-8-N-1-N)
Name three popular terminal emulator programs.
1) PuTTY (putty.org), 2) SecureCRT, 3) Tera Term
What are the three main IOS command modes and their prompts?
User EXEC Mode: Router>
Privileged EXEC Mode: Router#
Global Configuration Mode: Router(config)#
What is another name for User EXEC mode?
User mode (it's the most restricted mode with limited viewing capabilities)
Can you make configuration changes in Privileged EXEC mode?
NO - Privileged EXEC mode allows full viewing, saving configs, and reloading the device, but CANNOT make configuration changes.
What can you do in Privileged EXEC mode that you cannot do in User EXEC mode?
View full configurations (show running-config, show startup-config), save configurations, reload the device, set the clock/time.
Which mode allows you to actually change the device configuration?
Global Configuration Mode (config)# - This is where you make changes to device settings.
What are the two types of configuration files on a Cisco device?
running-config (RAM, volatile, currently active)
startup-config (NVRAM, non-volatile, loaded at boot)
What happens to running-config when the device is reloaded?
It is LOST - running-config is stored in RAM (volatile memory) and disappears when power is lost.
What happens to startup-config when the device is reloaded?
It is PRESERVED - startup-config is stored in NVRAM (non-volatile memory) and persists through reboots.
Where is running-config stored?
RAM (Random Access Memory) - volatile storage
Where is startup-config stored?
NVRAM (Non-Volatile RAM) - persistent storage
What is the difference between a rollover cable and a crossover cable?
Rollover: Console port connection (out-of-band management)
Crossover: Ethernet connection between similar devices (switch-to-switch, router-to-router)