Cisco IOS CLI and basic device security
This section introduces the Cisco IOS Command-Line Interface (CLI) and shows how to apply Cisco IOS commands to implement basic device security using encrypted passwords.
Learning objectives
Access a Cisco device’s operating system using a terminal emulator via the console port
Navigate the different CLI modes, including user EXEC, privileged EXEC, and global configuration
Utilize IOS command shortcuts and syntax conventions to efficiently operate the CLI
Configure and encrypt device passwords to prevent unauthorized access
Examine the active and saved device configurations using show running-config and show startup-config
Save device configuration changes and understand the difference between volatile and non-volatile memory
Welcome to the practical heart of network administration. In this section, we move from conceptual networking fundamentals to the essential hands-on skill of configuring and securing a network device. We will be using the Cisco IOS Command-Line Interface (CLI), the operating system that powers the vast majority of routers and switches worldwide. You will first learn how to physically connect to a device and access the CLI using a terminal emulator. We will then guide you through the CLI's structure, including its different command modes and shortcuts. More importantly, we will immediately apply these skills to the critical task of basic device security, where you will learn how to set passwords, encrypt them, and securely manage your device's configuration. This foundation is your first step toward managing network infrastructure and is a core competency for any cybersecurity professional tasked with protecting network assets.
Topics covered in this section
What is the Cisco IOS CLI?
Connecting to a Cisco device via the console port
Terminal Emulator (PuTTY)
CLI command modes
User EXEC mode
Privileged EXEC mode
Cisco IOS CLI shortcuts
Global configuration mode
Command syntax conventions
Basic device security
enable password command
show running-config and show startup-config commands
Saving the configuration
service password-encryption command
enable secret command
Canceling commands
Command review
What is the Cisco IOS CLI?
The Cisco IOS command-line interface (CLI) is the primary user interface used for configuring, monitoring, and maintaining Cisco devices. This user interface allows you to directly and simply execute Cisco IOS commands, whether using a router console or terminal, or using remote access methods. (cisco.com)
Cisco IOS is the operating system used on Cisco devices. IOS stands for Internetwork Operating System. CLI is the interface used to configure Cisco devices like routers, switches, and firewalls. The CLI is often compared to the GUI or Graphical User Interface, which is not discussed here.
Connecting to a Cisco device via the console port
There are a couple of methods to connect to a Cisco device to configure it with the CLI. First, remotely via Telnet or SSH. Second, locally via the console port. Here we will discuss connecting via the console port. Connecting to a Cisco device via the console port typically involves bringing your laptop to the device and connecting to the console port of the device.
This is a Cisco Catalyst switch. Notice the two console ports: one is an RJ45 (Registered Jack), the other is a USB Mini-B.

Let’s say we’re going to connect to the RJ45 port. We will need the proper cable. A rollover cable (console cable) can be used to connect to the RJ45 console port on a Cisco device. A rollover cable has on one end an RJ45 connector and on the other end a DB9 connector. Most modern laptops do not have a serial port a DB9 connector can be plugged into. So you might need an adapter to connect to a USB port on a laptop.
This image shows the wiring in a rollover cable. Like in an Ethernet UTP cable there are eight pins on each end. Pin 1 on one end connects to Pin 8 on the other, Pin 2 to Pin 7, Pin 3 to Pin 6, and so on.

So we’ve connected a laptop/computer to a Cisco Catalyst device via the device’s RJ45 port.
Terminal Emulator (PuTTY)
Once you have connected your computer to the device, you can access the CLI using a terminal emulator. PuTTY is a popular choice. You can get PuTTY at putty.org.

We are using PuTTY for our current demonstration. Select Serial and click Open and you should be connected to the CLI. You should be able to connect with the default settings.
These settings match the defaults on Cisco devices. Try to remember the defaults for the CCNA test – the speed or baud rate (9600), data bits (8), stop bits (1), parity (none), and flow control (none).
Understanding data bits and stop bits is outside the scope of the CCNA, but the idea is that for each 8 bits of data 1 stop bit is sent to mark the end of the 8 bits. Parity is used to detect errors. Flow control pertains to the flow of data from transmitter to receiver.
Once you connect to the Cisco device (e.g., a Cisco ISR router) you will be greeted with a screen like this:

Since this is the first time booting the device, you are asked to enter the initial configuration dialogue. Answer no. As per the screen instructions, press the enter key (RETURN) to get started. Now you can start typing commands in the CLI.
The tasks discussed in this lesson can also be done in Packet Tracer, which adequately approximates configuring real, physical Cisco devices through a terminal emulator such as PuTTY.
CLI command modes
User EXEC mode
When you first enter the CLI, you will be by default in the user EXEC mode (also called user mode).
User EXEC mode is indicated by the greater than symbol, after the host name of the device:
Router>
The default host name for this device is Router. The name preceding the greater than symbol always indicates the host name of the device.
User EXEC mode is very limited. Users can look at some settings but cannot make any changes to the configuration. Usually you don’t do anything in this mode.
Let’s move on to a mode with a little more power to make changes to the device.
Privileged EXEC mode
If you enter the enable command in user mode, you will be placed in privileged EXEC mode.
Router>enable (press enter to enter privileged EXEC mode)
Router#
In privileged EXEC mode, a pound sign or hashtag is displayed.
Privileged EXEC mode provides complete access to view the device’s configuration, restart the device, change the time on the device, and save the current configuration file.
But it is not the mode in which you change the configuration.
Cisco IOS CLI shortcuts
The following lists show the commands available in user and privileged modes. The first list is from user EXEC mode (indicated by the Router> prompt) and the second, longer list is from privileged EXEC mode (indicated by the Router# prompt, which you get after typing enable). You can use the question mark to view the commands available to you. For example: Router>? and Router#?
User EXEC Mode Commands (Router>?)
  <1-99>      Session number to resume
  connect     Open a terminal connection
  disable     Turn off privileged commands
  disconnect  Disconnect an existing network connection
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  logout      Exit from the EXEC
  ping        Send echo messages
  resume      Resume an active network connection
  show        Show running system information
  ssh         Open a secure shell link connection
  telnet      Open a telnet connection
  terminal    Set terminal line parameters
  traceroute  Trace route to destination
Privileged EXEC Mode Commands (Router#?)
  <1-99>      Session number to resume
  auto        Exec level Automation
  clear       Reset functions
  clock       Manage the system clock
  configure   Enter configuration mode
  connect     Open a terminal connection
  copy        Copy from one file to another
  debug       Debugging functions (see also 'undebug')
  delete      Delete a file
  dir         List files on a filesystem
  disable     Turn off privileged commands
  disconnect  Disconnect an existing network connection
  enable      Turn on privileged commands
  erase       Erase a filesystem
  exit        Exit from the EXEC
  logout      Exit from the EXEC
  mkdir       Create new directory
  more        Display the contents of a file
  no          Disable debugging informations
  ping        Send echo messages
  reload      Halt and perform a cold restart
  resume      Resume an active network connection
  rmdir       Remove existing directory
  send        Send a message to other tty lines
  setup       Run the SETUP command facility
  show        Show running system information
  ssh         Open a secure shell client connection
  telnet      Open a telnet connection
  terminal    Set terminal line parameters
  traceroute  Trace route to destination
  undebug     Disable debugging functions (see also 'debug')
  vlan        Configure VLAN parameters
  write       Write running configuration to memory, network, or terminal
The tab key is a convenient feature of the CLI. If you press the tab key after typing “Router>en”, the CLI will complete the word and display the complete word on a new line:
Router>en
Router>enable
Router# (you’ve entered privileged EXEC mode)
You do not need to type the complete command. Hit enter after “Router>en” and you will be brought to privileged EXEC mode.
“en” was enough for the router to understand that enable was meant, because enable is the only command beginning with en that can be entered in user mode. If we type just e:
Router>e (and we press enter) we get a message:
% Ambiguous command: “e”
Router>
There is more than one command that begins with e. We can view the commands that begin with e by using the question mark:
Router>e?
enable exit
Router>e
The shortest form of the enable command is en. The shortest form of the exit command is ex.
Global configuration mode
Now let’s make some changes to the router configuration. We need to enter global configuration mode.
Router#configure terminal (the command to enter global configuration mode)
Or
Router#conf t (shortcut for configure terminal)
Router(config)# (now we are in global configuration mode)
In global configuration mode, config is inserted after the host name.
Command syntax conventions
Cisco IOS Command Reference uses certain conventions to present command syntax. Cisco IOS documentation uses the following command syntax conventions:
bold
Bold text indicates commands and keywords that you enter as shown.
italic
Italic text indicates arguments for which you supply values.
[x]
Square brackets enclose an optional keyword or argument.
...
An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.
|
A vertical line, called a pipe, that is enclosed within braces or square brackets indicates a choice within a set of keywords or arguments.
[x | y]
Square brackets enclosing keywords or arguments separated by a pipe indicate an optional choice.
{x | y}
Braces enclosing keywords or arguments separated by a pipe indicate a required choice.
[x {y | z}]
Braces and a pipe within square brackets indicate a required choice within an optional element.
Cisco IOS Configuration Fundamentals Command Reference, Cisco Systems, Inc., 2010
Basic device security
Next we look at how to configure basic device security using the enable password and enable secret commands.
enable password command
We can protect access to privileged EXEC mode with a password, so that if a user enters the enable command from the user EXEC mode they are asked for the password. This can be done with the command enable password in global configuration mode.
To know what enable password command options are available, we type the enable password command followed by a question mark:

We get three possible options for password to enter in the command. We are going to use the middle option – the unencrypted cleartext password. “LINE” means you type a line which will become the password.
A closer look at the enable password command syntax (with configuration examples): enable password – Command Reference (cisco.com)
We will type CCNA all capitals as the password. Passwords are case sensitive. We typed the question mark to know what command options exist. <cr> means there are no other options. The only option is to press enter. We press enter to set the password. And the password is set.
To return to privileged EXEC mode, type exit:
Router(config)#exit
Router#
From privileged EXEC mode, another exit command will log us out and back to the starting screen. Then if we press return, we are back in user mode. Now if we enter the enable command to enter privileged EXEC mode, we are asked for a password.
Router>enable
Password:
Router#
We enter CCNA. The password is not displayed as we type, for security reasons, but it is accepted and we are back in privileged EXEC mode.
If you enter the wrong password three times you will be denied access for having bad secrets:
Router>enable
Password:
Password:
Password:
% Bad secrets
#exit takes you to the previous CLI command mode: e.g., from config-line to config (global configuration mode); from global configuration mode to privileged EXEC mode; from privileged EXEC mode back to the starting screen.
#end takes you to privileged EXEC mode (e.g., from config-line). You can end your configuration session by using the Ctrl-Z key combination, using the end command, or using the Ctrl-C key combination. Cisco says the end command is the recommended way to indicate to the system that you are done with the current configuration session.
To recap–

We used the enable command to enter privileged EXEC mode from user mode.
From privileged EXEC mode we used configure terminal to enter global configuration mode.
In global configuration mode, we used the command enable password CCNA to protect privileged EXEC mode with a password.
Then we typed exit to return to privileged EXEC mode.
And exit again to return to user EXEC mode.
We typed enable again and entered the password CCNA and we were brought back to privileged EXEC mode.
show running-config and show startup-config commands
We have confirmed the function of the password, but let’s check the configuration file.
There are two separate configuration files kept on a Cisco device at once:
running-config – the current active configuration file. As you enter commands in the CLI, you edit the active configuration.
startup-config – the configuration file that will be loaded upon restarting the device.
Use the show running-config command in privileged EXEC mode to view the running configuration file. The output contains several lines, among them the command we entered, i.e., enable password CCNA.

Use the show startup-config command in privileged EXEC mode to view the startup configuration file.

Note: if you have not yet saved the running configuration, you will get a response that the startup config is not present.
Saving the configuration
Cisco IOS software is typically stored in disk/flash memory on Cisco routers and switches. The running configuration is stored in RAM (Random Access Memory). The startup configuration in Cisco devices is typically stored in NVRAM (Non-Volatile RAM).
There are three commands you can use from privileged EXEC mode to save the running configuration and make it the startup configuration: write, write memory, and copy running-config startup-config.

Now if we use the show startup-config command, the IOS CLI will display the same configuration as the show running-config command.
The CLI output of show running-config displays the enable password “CCNA” in plain text. This is a security risk. An unauthorized person may be able to use this knowledge to enter privileged EXEC mode and then global configuration mode and change the configuration of the router.
service password-encryption command
So how do we improve security? With the service password-encryption command in global configuration mode.
Router#conf t
Router(config)#service password-encryption
The service password-encryption command will encrypt passwords. If we run the command and enter the show running-config command again, we will see that “enable password CCNA” has become “enable password 7 08026F6028”. The 7 denotes the type of encryption applied to the password, a Cisco proprietary encryption algorithm.

Using the service password-encryption command is better than nothing, but it is not especially secure: type 7 passwords can be cracked using an online Cisco type 7 password cracker.
enable secret command
Cisco devices offer a more secure way to protect privileged EXEC mode, with stronger encryption: the enable secret command.
Router(config)#enable secret Cisco (here the password used is “Cisco”)
Then we can review the running configuration again, but we can do this from within global configuration mode.
Router(config)#do sh run (i.e., do show running-config)
Using “do” allows us to execute privileged EXEC mode commands like show running-config in other configuration levels.

You can see the enable secret in the running configuration. The number 5 indicates MD5 type encryption which is much more secure than what we get with the service password-encryption command. The enable password command remains and is not replaced. If both commands (enable password and enable secret) are configured, the enable password will be ignored.
The service password-encryption command has no effect on the enable secret command. The enable secret command is always encrypted whether or not you entered the service password-encryption command.
So you should always use enable secret rather than enable password, as it is always more secure.
Dive deeper into Cisco IOS user security configuration: Configuring Security with Passwords, Privileges, and Logins (cisco.com)
Jump to “Cisco IOS CLI Modes” (under Information About Configuring Security with Passwords, Privileges, and Logins) and to “Protecting Access to Privileged EXEC Mode” (under How to Configure Security with Passwords, Privileges, and Logins).
The section “Protecting Access to User EXEC Mode” covers topics (password-protected access to the vty line for remote access and to the console line for local access) addressed in the lesson How to configure SSH on Cisco devices.
The following Cisco reference explains the command syntax of the enable password and enable secret commands (with configuration examples): Cisco IOS Security Command Reference: Commands D to L
Use context sensitive help (the question mark) to know what configuration options are available to you for the IOS version/device model you are using. For example,
Router(config)#enable secret ?
The enable algorithm-type command can be used to set the algorithm type used to hash a user password configured using the enable secret command. For example, the following command configures an enable secret and secures it with type 9 hashing (scrypt):
enable algorithm-type scrypt secret password
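The password checks from this section can be run automatically over a saved copy of show running-config. The following Python script is an added example, not part of the original lesson or of any Cisco tool; the audit function, the finding names and the three sample configurations are assumptions constructed for illustration, and the type 5 and type 9 hash bodies are placeholders.

```python
import re

# Constructed running-config excerpts, not captured from a device. The type 7
# string is the one shown in this lesson; the type 5/9 hashes are placeholders.
FIRST_STEP = """\
no service password-encryption
hostname Router
enable password CCNA
"""
AFTER_LESSON = """\
service password-encryption
hostname Router
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER0
enable password 7 08026F6028
"""
HARDENED = """\
service password-encryption
hostname Router
enable secret 9 $9$PLACEHOLDER$PLACEHOLDERPLACEHOLDERPLACEHOLDER000
"""

# enable {password | secret} [type] value, as it appears in show running-config
ENABLE_RE = re.compile(r"^enable\s+(password|secret)(?:\s+(\d+))?\s+(\S+)$")

ADVICE = {
    "ENABLE_PASSWORD_CLEARTEXT": "readable in the config; use enable secret",
    "ENABLE_PASSWORD_TYPE7": "type 7 is weak protection; use enable secret",
    "ENABLE_PASSWORD_REDUNDANT": "ignored while enable secret is set; "
                                 "remove with 'no enable password'",
    "ENABLE_SECRET_MD5": "type 5 (MD5); consider "
                         "'enable algorithm-type scrypt secret'",
    "NO_ENABLE_SECRET": "privileged EXEC mode has no enable secret",
    "NO_PASSWORD_ENCRYPTION": "service password-encryption is off; "
                              "other passwords stay in clear text",
}


def audit(config: str) -> list[str]:
    """Return finding IDs for the enable/password settings in a config text."""
    lines = [ln.strip() for ln in config.splitlines()]
    found, has_password, has_secret = [], False, False
    for ln in lines:
        m = ENABLE_RE.match(ln)
        if not m:
            continue
        kind, ptype, _value = m.groups()  # the secret value is never reported
        if kind == "password":
            has_password = True
            if ptype in (None, "0"):      # no type digit: stored as typed
                found.append("ENABLE_PASSWORD_CLEARTEXT")
            elif ptype == "7":
                found.append("ENABLE_PASSWORD_TYPE7")
        else:
            has_secret = True
            if ptype == "5":
                found.append("ENABLE_SECRET_MD5")
    if has_password and has_secret:
        found.append("ENABLE_PASSWORD_REDUNDANT")
    if not has_secret:
        found.append("NO_ENABLE_SECRET")
    if "service password-encryption" not in lines:  # exact line, not "no ..."
        found.append("NO_PASSWORD_ENCRYPTION")
    return found


if __name__ == "__main__":
    for name, cfg in [("first step", FIRST_STEP),
                      ("after lesson", AFTER_LESSON), ("hardened", HARDENED)]:
        print(name)
        for fid in audit(cfg) or ["OK"]:
            print(f"  {fid}: {ADVICE.get(fid, 'no findings')}")
```

The configuration left at the end of this lesson still produces three findings, because the old enable password line remains in the file even though the device ignores it.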
Canceling commands
How to cancel a command:
Router(config)#no service password-encryption
Then verify:
Router(config)#do show running-config
From now on, new passwords will no longer be encrypted and will appear in clear text. Passwords that are already encrypted, however, are not decrypted when you disable password encryption.
Command review
Router> → user EXEC mode
Router# → privileged EXEC mode
Router(config)# → global configuration mode
Router>enable → to enter privileged EXEC mode
Router#configure terminal → to enter global configuration mode
Router(config)#enable password password → to configure a password to protect privileged EXEC mode
Router(config)#service password-encryption → to encrypt the enable password (and other passwords)
Router(config)#enable secret password → to configure a more secure enable password
Router(config)#do privileged-exec-level-command → to execute a privileged EXEC level command from global configuration mode
Router(config)#no command → to remove a previously configured command
Router#show running-config → to display the current active configuration file
Router#show startup-config → to display the saved configuration file which will be loaded if the device is restarted
Router#write → to save the current running configuration and make it the startup configuration
Router#write memory → to save the current running configuration and make it the startup configuration
Router#copy running-config startup-config → to save the current running configuration and make it the startup configuration
Key takeaways
The Cisco IOS CLI is the text-based command-line interface used to configure, manage, and troubleshoot Cisco networking devices.
Initial access to a device for configuration is typically achieved by connecting a computer to the console port using a rollover cable.
A Terminal Emulator program like PuTTY is required on the computer to establish the console connection and interact with the CLI.
The CLI operates in distinct command modes, each providing a different level of access and functionality. The two primary modes are:
User EXEC Mode: Limited to basic monitoring commands (denoted by the > prompt).
Privileged EXEC Mode: Provides full access to view and manage all device functions (denoted by the # prompt).
Global Configuration Mode is entered from Privileged EXEC mode and is where changes are made to the device's running configuration.
The Cisco IOS CLI supports numerous shortcuts (like Tab for auto-complete and ? for context-sensitive help) to improve efficiency and reduce errors.
Implementing basic device security begins with setting passwords to control access to the device's modes.
The enable password command sets a password to enter Privileged EXEC mode, but it is stored in plain text, making it insecure.
The enable secret command is the secure alternative, as it encrypts the Privileged EXEC password using a strong cryptographic hash.
The service password-encryption command provides a weaker encryption for other plaintext passwords in the configuration file.
The show running-config command displays the current, active configuration in RAM.
The show startup-config command displays the saved configuration stored in NVRAM, which is loaded on device boot.
Configuration changes are temporary until they are permanently saved from RAM to NVRAM using the copy running-config startup-config command.
Commands can be cancelled using the no keyword or interrupted using key combinations like Ctrl-C.
References
Free CCNA | Intro to the CLI | Day 4 | CCNA 200-301 Complete Course
Free CCNA | Basic Device Security | Day 4 Lab | CCNA 200-301 Complete Course
cisco.com. (n.d.). Cisco IOS Master Command List, All Releases
Cisco. (April 2010). Cisco IOS Configuration Fundamentals Command Reference
Odom, W. (2020). CCNA 200-301 Official Cert Guide, Volume 1. Cisco Press.
Sean Douglas. (Nov 17, 2022). Top 5 Network Admin Cisco Commands Cheat Sheet (pluralsight)