NET101 Week 11 Intermediate

Breaking the CLI (Cisco IOS Basics)

Command-Line Administration: Modes, Configuration, and Device Management


Opening Framing: Why the CLI Still Matters

Every router and switch you have configured in this course so far has been managed through a command-line interface. You have typed commands like ip address, no shutdown, and show ip interface brief without a full explanation of the system behind them. This week changes that. It teaches the Cisco IOS CLI as a structured operating environment with distinct modes, a configuration hierarchy, security mechanisms, and a specific methodology for making and saving changes.

GUI-based management tools exist for Cisco devices, but the CLI remains the primary interface for network engineers in production. It is faster, scriptable, more precise, and universally available — even when the management network is partially down and a web interface cannot load. The CCNA exam, job interviews, and daily operational work all assume CLI fluency. Every command you have used in labs this semester operates within the mode hierarchy taught this week.

This is also the week where device security begins. A router with no password on the console port, no enable secret, and no encrypted credentials is an open door to anyone with physical or remote access. Understanding how to secure the CLI is the first step in device hardening — a topic that expands significantly in NET202 (Network Security).

Learning Outcomes

  • LO1: Navigate the Cisco IOS CLI mode hierarchy (User EXEC, Privileged EXEC, Global Configuration, and sub-configuration modes) and explain what each mode allows.
  • LO2: Configure device identity (hostname, banner) and basic security (console password, enable secret, line passwords, service password-encryption).
  • LO3: Explain the difference between the running configuration and the startup configuration, and use copy run start to persist changes.
  • LO4: Use essential show commands to verify device status, interface state, routing tables, and configuration.
  • LO5: Troubleshoot common IOS configuration problems including unsaved changes, wrong mode errors, and locked-out access.

Key insight: knowing which mode you are in determines which commands are available. Most CLI mistakes come from typing a command in the wrong mode.

1) The IOS Mode Hierarchy: Where You Are Determines What You Can Do

Cisco IOS organizes its CLI into a hierarchy of modes. Each mode provides a different set of commands, and you must be in the correct mode to execute any given command. Typing a configuration command in User EXEC mode will produce an error. Typing a show command in interface configuration mode requires a different syntax. Understanding the mode hierarchy is the single most important CLI skill.

Mode, prompt, how to enter it, and what it allows:

  • User EXEC: prompt Router>. Entered by default at login. Basic monitoring: ping, traceroute, limited show commands.
  • Privileged EXEC: prompt Router#. Entered with enable. Full monitoring, show, debug, copy, reload, and entry into config mode.
  • Global Configuration: prompt Router(config)#. Entered with configure terminal. Device-wide settings: hostname, routing, banners, enable secret, access lists.
  • Interface Configuration: prompt Router(config-if)#. Entered with interface g0/0. Interface-specific settings: IP address, shutdown/no shutdown, speed, duplex, description.
  • Line Configuration: prompt Router(config-line)#. Entered with line console 0 or line vty 0 4. Console and remote access settings: password, login, exec-timeout.
  • Router Configuration: prompt Router(config-router)#. Entered with router ospf 1. Routing protocol settings: network statements, router-id, passive-interface.

Mode navigation flow

Router>                          ← User EXEC (limited)
Router> enable
Router#                          ← Privileged EXEC (full monitoring + management)
Router# configure terminal
Router(config)#                  ← Global Configuration (device-wide changes)
Router(config)# interface g0/0
Router(config-if)#               ← Interface Configuration (per-interface changes)
Router(config-if)# exit
Router(config)#                  ← Back to Global Config
Router(config)# exit
Router#                          ← Back to Privileged EXEC
Router# disable
Router>                          ← Back to User EXEC

Shortcuts:
- end (or Ctrl+Z): Return to Privileged EXEC from any config mode
- exit: Move one level up
- do show ...: Run a show command from any config mode

The prompt tells you everything

The > symbol means User EXEC. The # symbol means Privileged EXEC or a configuration sub-mode. The text in parentheses tells you which configuration context you are in. If you are ever unsure what commands are available, type ? — IOS displays every valid command for the current mode.

2) Device Identity: Hostname and Banner Configuration

The first configuration task on any new device is setting its identity. The hostname appears in every CLI prompt, making it immediately clear which device you are connected to. In a network with dozens of routers and switches, a meaningful hostname prevents catastrophic mistakes — configuring the wrong device is one of the most common causes of outages.

Setting the hostname

Router(config)# hostname HQ-RTR-01
HQ-RTR-01(config)#

The prompt immediately changes to reflect the new name.
Convention: use location-role-number (e.g., HQ-RTR-01, BRANCH-SW-02)

Login Banners

Banners display messages to anyone connecting to the device. The most important banner is the Message of the Day (MOTD), which typically contains a legal warning. In many jurisdictions, a banner stating that unauthorized access is prohibited is a legal prerequisite for prosecuting intruders. Without it, a defense attorney can argue the user had no reason to believe access was restricted.

Configuring banners

HQ-RTR-01(config)# banner motd #
*** WARNING: Authorized personnel only. ***
*** All access is logged and monitored.  ***
*** Unauthorized access is prohibited.   ***
#

The # character is a delimiter — any character not in the banner text works.
The MOTD banner appears before the login prompt on console, VTY, and AUX lines.
Banner types and when each displays:
  • MOTD (banner motd): the first thing shown to any connecting user, before login.
  • Login (banner login): after the MOTD, before the username/password prompt.
  • EXEC (banner exec): after successful authentication.

Never put the hostname or IP in the MOTD banner

Banners are visible before authentication. Including the device name, location, or IP address in the MOTD banner gives reconnaissance information to anyone who connects — including attackers. Keep banners generic and legal.

3) Securing CLI Access: Passwords, Secrets, and Encryption

A fresh Cisco device has no passwords configured. Anyone with console access can reach Privileged EXEC mode and change any configuration. Securing the CLI is not optional — it is the first task after setting the hostname.

Console Line Password

HQ-RTR-01(config)# line console 0
HQ-RTR-01(config-line)# password cisco123
HQ-RTR-01(config-line)# login
HQ-RTR-01(config-line)# exec-timeout 5 0
HQ-RTR-01(config-line)# exit

Explanation:
- password: sets the console password
- login: tells IOS to require the password at the console prompt
  (without "login", the password exists but is never asked for)
- exec-timeout 5 0: auto-logout after 5 minutes of inactivity

VTY Line Password (Remote Access)

HQ-RTR-01(config)# line vty 0 4
HQ-RTR-01(config-line)# password remote123
HQ-RTR-01(config-line)# login
HQ-RTR-01(config-line)# transport input ssh
HQ-RTR-01(config-line)# exec-timeout 5 0
HQ-RTR-01(config-line)# exit

Explanation:
- line vty 0 4: configures the first 5 virtual terminal lines (SSH/Telnet sessions)
- transport input ssh: allows only SSH (blocks Telnet — Telnet sends passwords in cleartext)
- Modern best practice: always use SSH, never Telnet

Enable Secret

HQ-RTR-01(config)# enable secret Str0ngP@ss!

The enable secret protects entry into Privileged EXEC mode.
It is stored as a one-way hash (Type 5 MD5 or Type 9 scrypt).
This replaces the older "enable password" command, which stored the password in cleartext.

Rule: ALWAYS use "enable secret", NEVER "enable password".

Encrypting Stored Passwords

HQ-RTR-01(config)# service password-encryption

Before:
  line con 0
   password cisco123    ← visible in cleartext in the config

After:
  line con 0
   password 7 0822455D0A16    ← Type 7 encrypted (reversible but not plaintext)

Note: Type 7 encryption is weak (easily reversed with online tools).
It only prevents shoulder-surfing when viewing the config.
The enable secret (Type 5/9) uses a strong hash. For line passwords,
Type 7 is better than nothing but not a substitute for proper access control.

Summary of CLI security features:
  • Console password (line console 0 + password + login): protects physical console access. Strength: basic (Type 7 if encrypted).
  • VTY password (line vty 0 4 + password + login): protects remote SSH/Telnet access. Strength: basic (Type 7 if encrypted).
  • Enable secret (enable secret): protects entry into Privileged EXEC mode. Strength: strong (Type 5 MD5 / Type 9 scrypt hash).
  • Password encryption (service password-encryption): covers all cleartext passwords in the config. Strength: weak (Type 7 is reversible and prevents casual viewing only).
  • SSH access only (transport input ssh): prevents Telnet (a cleartext protocol). Strength: strong (encrypted management sessions).

Local usernames for better security

Instead of shared line passwords, production devices use local usernames with individual credentials or centralized AAA (RADIUS/TACACS+) authentication. The command username admin secret Str0ng! creates a local account, and login local on the line tells IOS to require username-based login. This provides accountability — you can see who logged in, not just that someone did.

4) Running Configuration vs. Startup Configuration

Cisco IOS maintains two separate configuration files. Understanding the difference is critical because unsaved changes are lost on reboot — one of the most common mistakes in network administration.

  • Running config: stored in RAM (volatile). The active configuration in use right now; every command you type modifies it immediately. Lost on reboot or power loss.
  • Startup config: stored in NVRAM (non-volatile). The saved configuration loaded at boot; it changes only when you explicitly copy the running config to it.

Saving the configuration

HQ-RTR-01# copy running-config startup-config
Destination filename [startup-config]?    ← press Enter
Building configuration...
[OK]

Shorthand: copy run start  (or  wr  on older IOS versions)

This copies the active config in RAM to NVRAM.
After this command, a reboot will restore the current configuration.

Viewing configurations

HQ-RTR-01# show running-config
  Displays the active configuration (what is running right now)

HQ-RTR-01# show startup-config
  Displays the saved configuration (what will load at next boot)

If these differ, you have unsaved changes.
If show startup-config says "startup-config is not present",
no configuration has ever been saved.

The Boot Process

  1. POST (Power-On Self Test): Hardware diagnostics stored in ROM.
  2. Bootstrap: ROM loads the IOS image from Flash memory.
  3. IOS loads: The operating system initializes.
  4. Startup config loads: IOS reads NVRAM and applies the saved configuration. If no startup config exists, IOS enters the Setup Wizard.

Memory map

+--------+     +----------+     +--------+     +--------+
|  ROM   |     |  Flash   |     |  RAM   |     | NVRAM  |
|--------|     |----------|     |--------|     |--------|
| POST   |     | IOS      |     | Running|     | Startup|
| Boot-  |     | image    |     | config |     | config |
| strap  |     | (bin)    |     | (live) |     | (saved)|
+--------+     +----------+     +--------+     +--------+

Boot sequence: ROM → Flash (IOS) → NVRAM (startup-config) → RAM (running-config)

The most common IOS mistake

Making configuration changes, testing them, confirming they work — and then forgetting to run copy run start. The next power outage or scheduled reboot erases all changes. This happens in production environments more often than any engineer wants to admit.
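The check behind that mistake can be automated. The script below is an added example and not part of the course material: it normalizes two captured outputs (show running-config and show startup-config), strips the header and separator lines IOS prints, and lists exactly which lines differ, so a pre-reload check can refuse to proceed while changes are unsaved. The two sample captures are constructed.

```python
import difflib

# Header lines IOS prints around a config that are not configuration themselves.
_NOISE_PREFIXES = ("Building configuration", "Current configuration", "Using ")


def normalize(config_text: str) -> list[str]:
    """Drop IOS header lines, '!' separators and blank lines, and strip trailing
    whitespace, so the diff reports only real configuration differences."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or line.startswith(_NOISE_PREFIXES):
            continue
        lines.append(line)
    return lines


def unsaved_changes(running: str, startup: str) -> dict[str, list[str]]:
    """Return lines only in running-config ('added') and lines only in
    startup-config ('removed'). Both lists empty means nothing is unsaved."""
    diff = difflib.unified_diff(normalize(startup), normalize(running),
                                fromfile="startup-config", tofile="running-config", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # unified-diff headers, not config content
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed}


def is_saved(running: str, startup: str) -> bool:
    """True when startup-config already matches running-config."""
    changes = unsaved_changes(running, startup)
    return not changes["added"] and not changes["removed"]


# Constructed sample captures (not from a real device): the engineer has set an
# enable secret and addressed g0/0 but has not yet run copy running-config startup-config.
STARTUP_CONFIG = """\
Using 612 out of 262144 bytes
!
hostname HQ-RTR-01
!
interface GigabitEthernet0/0
 no ip address
 shutdown
!
line con 0
 password 7 0822455D0A16
 login
!
end
"""

RUNNING_CONFIG = """\
Building configuration...

Current configuration : 701 bytes
!
hostname HQ-RTR-01
!
enable secret 5 $1$abcd$CONSTRUCTED.PLACEHOLDER.HASH
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
line con 0
 password 7 0822455D0A16
 login
!
end
"""

if __name__ == "__main__":
    changes = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    print("saved" if is_saved(RUNNING_CONFIG, STARTUP_CONFIG) else "UNSAVED CHANGES")
    for key in ("added", "removed"):
        for line in changes[key]:
            print(f"  {key}: {line}")
```

Note that an interface brought up with no shutdown simply loses its shutdown line in the running config, which is why the diff reports a removed line rather than an added one for that step.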

5) Essential Show Commands: Reading the Device's State

The show command family is how you read the current state of a Cisco device. These commands do not change anything — they only display information. Every troubleshooting workflow starts with show commands to understand the current state before making changes.

Essential show commands, what each shows, and when to use it:
  • show running-config: the entire active configuration. Verify what is currently configured on the device.
  • show startup-config: the saved configuration in NVRAM. Compare with the running config to check for unsaved changes.
  • show ip interface brief: all interfaces with IP, status (up/down), and protocol state. Quick check of which interfaces are active and their addresses.
  • show ip route: the IPv4 routing table (connected, static, dynamic routes). Verify the router knows how to reach destination networks.
  • show interfaces g0/0: detailed interface statistics (errors, CRC, collisions, input/output packets). Diagnose Layer 1/2 problems on a specific interface.
  • show version: IOS version, uptime, hardware model, memory, boot image. Identify the device type, OS version, and time since the last reboot.
  • show ip arp: the ARP cache (IP-to-MAC mappings). Verify Layer 2 reachability to adjacent devices.
  • show ip dhcp binding: active DHCP leases. Verify DHCP is assigning addresses (covered in Week 10).
  • show clock: the current device time. Verify time for log correlation and certificate validity.

Example: show ip interface brief

HQ-RTR-01# show ip interface brief
Interface              IP-Address      OK? Method Status      Protocol
GigabitEthernet0/0     10.1.1.1        YES manual up          up
GigabitEthernet0/1     10.20.0.1       YES manual up          up
Serial0/0/0            unassigned      YES unset  administratively down down
Loopback0              1.1.1.1         YES manual up          up

Reading the output:
- g0/0 and g0/1 are up/up — working correctly
- s0/0/0 is "administratively down" — someone ran "shutdown" on it
- Loopback0 is always up/up (virtual interface)
- Method "manual" means the IP was statically configured
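Reading this output by eye works for one router; at scale it gets parsed. The script below is an added example, not part of the course material: it turns show ip interface brief text into records, handling the two-word "administratively down" status that breaks a naive whitespace split, and applies the reading rules above. The sample capture is constructed from the output shown on this page plus one extra down/down interface.

```python
import re
from dataclasses import dataclass

# Status can be "up", "down" or the two-word "administratively down", so a plain
# str.split() on each row would misalign the columns; match the row shape instead.
_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|\S+)\s+(?P<protocol>\S+)$"
)


@dataclass
class Interface:
    name: str
    ip: str
    method: str
    status: str
    protocol: str

    @property
    def is_up(self) -> bool:
        return self.status == "up" and self.protocol == "up"

    @property
    def admin_down(self) -> bool:
        return self.status == "administratively down"


def parse_ip_int_brief(text: str) -> list[Interface]:
    """Return one Interface per data row; the command echo, the header and blank
    lines do not match the row pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Interface(m["iface"], m["ip"], m["method"], m["status"], m["protocol"]))
    return rows


def findings(interfaces: list[Interface]) -> list[str]:
    """Apply the lesson's reading rules: an interface someone shut down is reported
    as such; an addressed interface that is not up/up is a fault to chase."""
    out = []
    for i in interfaces:
        if i.admin_down:
            out.append(f"{i.name}: administratively down (someone ran 'shutdown')")
        elif i.ip != "unassigned" and not i.is_up:
            out.append(f"{i.name}: has {i.ip} but is {i.status}/{i.protocol}")
    return out


# Constructed capture: the page's sample output plus one extra interface
# (GigabitEthernet0/2, down/down) so the second rule has something to report.
SAMPLE = """\
HQ-RTR-01# show ip interface brief
Interface              IP-Address      OK? Method Status      Protocol
GigabitEthernet0/0     10.1.1.1        YES manual up          up
GigabitEthernet0/1     10.20.0.1       YES manual up          up
Serial0/0/0            unassigned      YES unset  administratively down down
Loopback0              1.1.1.1         YES manual up          up
GigabitEthernet0/2     10.30.0.1       YES manual down        down
"""

if __name__ == "__main__":
    interfaces = parse_ip_int_brief(SAMPLE)
    for i in interfaces:
        print(f"{i.name:<22} {i.ip:<15} {i.status}/{i.protocol}")
    for f in findings(interfaces):
        print("!!", f)
```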

Filtering show output

HQ-RTR-01# show running-config | include interface
  Shows only lines containing "interface"

HQ-RTR-01# show running-config | section router ospf
  Shows the OSPF configuration block

HQ-RTR-01# show running-config | begin line
  Shows everything from the first "line" match onward

The pipe (|) with include, exclude, section, or begin filters
long output to the specific information you need.

6) Configuration and Verification: A Complete Initial Setup

The following example brings together all the concepts from this week into a single, complete initial configuration for a new router. This is the sequence you would follow when deploying a device from factory defaults.

Complete initial router configuration

! Step 1: Set hostname
Router(config)# hostname HQ-RTR-01

! Step 2: Secure Privileged EXEC
HQ-RTR-01(config)# enable secret C1sc0Str0ng!

! Step 3: Secure console access
HQ-RTR-01(config)# line console 0
HQ-RTR-01(config-line)# password C0nsole!
HQ-RTR-01(config-line)# login
HQ-RTR-01(config-line)# exec-timeout 5 0
HQ-RTR-01(config-line)# logging synchronous
HQ-RTR-01(config-line)# exit

! Step 4: Secure remote access (SSH only)
! SSH needs an RSA key pair before the VTY lines will accept it (see "SSH connection
! refused" in Section 7); IOS requires a hostname and domain name to generate one.
! example.com is a placeholder domain.
HQ-RTR-01(config)# ip domain-name example.com
HQ-RTR-01(config)# crypto key generate rsa modulus 2048
HQ-RTR-01(config)# line vty 0 4
HQ-RTR-01(config-line)# password Rem0te!
HQ-RTR-01(config-line)# login
HQ-RTR-01(config-line)# transport input ssh
HQ-RTR-01(config-line)# exec-timeout 5 0
HQ-RTR-01(config-line)# exit

! Step 5: Encrypt all plaintext passwords
HQ-RTR-01(config)# service password-encryption

! Step 6: Set legal banner
HQ-RTR-01(config)# banner motd #
Authorized access only. All activity is logged.
#

! Step 7: Configure interfaces
HQ-RTR-01(config)# interface g0/0
HQ-RTR-01(config-if)# ip address 10.1.1.1 255.255.255.0
HQ-RTR-01(config-if)# description LAN - Head Office
HQ-RTR-01(config-if)# no shutdown
HQ-RTR-01(config-if)# exit

! Step 8: Return to Privileged EXEC and save the configuration
HQ-RTR-01(config)# end
HQ-RTR-01# copy running-config startup-config

Verification Checklist

Verification tasks, the command to run, and the expected result:
  • Hostname is set: check the prompt. Expected: the prompt shows HQ-RTR-01#.
  • Enable secret works: disable, then enable. Expected: a password prompt appears and the correct password grants access.
  • Console password works: disconnect and reconnect to the console. Expected: a password prompt appears before User EXEC access.
  • Passwords are encrypted: show running-config | include password. Expected: line passwords show Type 7 encrypted values, not cleartext.
  • Banner displays: disconnect and reconnect. Expected: the legal warning appears before the login prompt.
  • Interface is up: show ip interface brief. Expected: g0/0 shows up/up with the correct IP.
  • Configuration is saved: show startup-config. Expected: matches the running config (hostname, passwords, interfaces all present).
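The security summary in Section 3 and the checklist above can be run as code against a captured running config, which is how a backup repository is checked for weak devices. The script below is an added example, not part of the course material: it splits the config into sections and reports a missing enable secret, a leftover enable password, cleartext line passwords, missing login or exec-timeout on a line, Telnet-capable VTY lines, and a missing MOTD banner. Both sample configs are constructed, and the hash and Type 7 values in them are placeholders.

```python
import re


def split_sections(config: str) -> dict[str, list[str]]:
    """Group each indented child line under its parent (e.g. 'line vty 0 4');
    top-level lines are collected under the key ''. Only the single-line banner
    form that IOS shows for short banners is understood here."""
    sections: dict[str, list[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
            sections[""].append(line)
    return sections


def audit(config: str) -> list[str]:
    """Return the checks that fail; an empty list means the config passes."""
    s = split_sections(config)
    top = s[""]
    out = []
    if not any(l.startswith("enable secret ") for l in top):
        out.append("no enable secret configured")
    if any(l.startswith("enable password ") for l in top):
        out.append("enable password present (cleartext; use enable secret)")
    if "service password-encryption" not in top:
        out.append("service password-encryption is off")
    if not any(l.startswith("banner motd") for l in top):
        out.append("no MOTD banner")
    for name, children in s.items():
        if not name.startswith("line "):
            continue
        for child in children:
            # 'password 7 <hex>' is Type 7; any other 'password <text>' is cleartext
            if child.startswith("password ") and not re.fullmatch(r"password 7 [0-9A-Fa-f]+", child):
                out.append(f"{name}: cleartext line password")
        if "login" not in children and "login local" not in children:
            out.append(f"{name}: no 'login' (password is set but never requested)")
        if not any(c.startswith("exec-timeout ") for c in children):
            out.append(f"{name}: no exec-timeout")
        if name.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input ")]
            if not transport or transport[-1] != "transport input ssh":
                out.append(f"{name}: Telnet allowed (transport input should be ssh)")
    return out


# Constructed configs, not captured from a device; the hash and Type 7 strings are
# placeholders in the right shape only. '!' separators are omitted for brevity.
WEAK_CONFIG = """\
hostname Router
enable password cisco
no service password-encryption
line con 0
 password cisco123
 login
line vty 0 4
 password remote123
 login
 transport input all
"""

HARDENED_CONFIG = """\
service password-encryption
hostname HQ-RTR-01
enable secret 5 $1$abcd$CONSTRUCTED.PLACEHOLDER.HASH
banner motd ^C Authorized access only. All activity is logged. ^C
line con 0
 password 7 0822455D0A16
 exec-timeout 5 0
 login
line vty 0 4
 password 7 094F471A1A0A
 exec-timeout 5 0
 login
 transport input ssh
"""
```

Calling audit(WEAK_CONFIG) returns nine findings and audit(HARDENED_CONFIG) returns an empty list; the check for Type 7 only confirms the value is not cleartext, it does not make the weak encoding any stronger.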

7) Troubleshooting and Failure Modes

IOS CLI mistakes are usually not dramatic. They are quiet — a misconfigured password that locks you out, an unsaved config that disappears on reboot, or a command typed in the wrong mode that does nothing. The table below covers the most common problems.

Symptom, likely cause, and first diagnostic step:
  • Command not recognized (% Invalid input). Likely cause: wrong mode; the command exists but not in the current mode. First step: check the prompt; use exit or end to reach the correct mode.
  • Configuration lost after reboot. Likely cause: forgot to run copy run start. First step: compare show running-config with show startup-config before rebooting.
  • Cannot enter Privileged EXEC (password rejected). Likely cause: wrong enable secret, or both enable secret and enable password exist (the secret takes priority). First step: if locked out, use the password recovery procedure (requires console access and a reboot).
  • Console login prompt never appears. Likely cause: the login command is missing under line console 0. Without login, the password is set but never requested.
  • SSH connection refused. Likely cause: no SSH key generated, or transport input ssh not set on the VTY lines. First step: verify crypto key generate rsa was run and the VTY lines allow SSH.
  • Interface shows "administratively down". Likely cause: the shutdown command is applied (the default on some interfaces). First step: enter interface config and run no shutdown.
  • Log messages interrupt typing. Likely cause: syslog messages print to the console asynchronously. First step: configure logging synchronous under the console line.

Password Recovery Overview

If the enable secret is lost, the only recovery path is the password recovery procedure. This requires physical console access, a reboot into ROMMON mode, changing the configuration register to skip the startup config, then resetting the password. The exact steps vary by platform. The key point is: password recovery requires physical access. This is why physical security of network equipment matters — anyone with console access and the ability to reboot the device can bypass all software passwords.

logging synchronous — a small command with big impact

Without logging synchronous, syslog messages print in the middle of whatever you are typing, breaking your command across multiple lines. With it, IOS reprints your partial command after the log message, keeping your typing intact. This is a quality-of-life setting that every experienced engineer configures immediately.

Real-World Design Context: CLI Management at Scale

The CLI skills from this week apply directly to production environments, but at scale the methodology evolves beyond one-device-at-a-time manual configuration.

  • Configuration management: Production networks store device configs in version-controlled repositories (RANCID, Oxidized, Git-based backups). Every copy run start should be followed by an automated backup. Diffs between stored configs and running configs detect unauthorized changes.
  • AAA (Authentication, Authorization, Accounting): Production devices use RADIUS or TACACS+ servers instead of local passwords. Every login is authenticated against a central directory, authorization controls which commands each user can run, and accounting logs every command executed. This is covered in NET202 and NET301.
  • Automation: For networks with hundreds of devices, engineers use Ansible, Python (Netmiko/NAPALM), or Cisco DNA Center to push configurations at scale. The CLI commands remain the same — the automation framework sends them programmatically. Understanding the CLI is a prerequisite for automation, not a replacement.
  • Out-of-band management: Production devices have a separate management network (out-of-band) so that CLI access is available even when the production network is down. Console servers provide serial access to dozens of devices from a single management host.
  • Change control: In enterprise environments, no configuration change happens without a change ticket, peer review, a rollback plan, and a maintenance window. Comparing the running config with the startup config and reloading a device to its last known-good config are essential change-control mechanisms.

Guided Lab: Hostnames, Passwords, and Banner Configuration

Goal: Perform a complete initial setup of a Cisco router from factory defaults, including hostname, security configuration, interface addressing, and configuration persistence.

Topology

  [PC1] ---- [SW1] ---- [R1]
                          g0/0
                          10.1.1.0/24

R1 starts in factory-default state (no configuration).

Part A: Basic Identity and Security

  1. Connect to R1 via console. Note that no password is required (factory default).
  2. Enter Privileged EXEC: enable (no password required yet).
  3. Enter Global Configuration: configure terminal
  4. Set hostname: hostname LAB-RTR-01
  5. Set enable secret: enable secret LabP@ss1
  6. Configure console password:
    line console 0
    password C0nsole1
    login
    exec-timeout 5 0
    logging synchronous
    exit
  7. Configure VTY password:
    line vty 0 4
    password Vty1Pass
    login
    exec-timeout 5 0
    exit
  8. Encrypt passwords: service password-encryption
  9. Set MOTD banner: banner motd # Authorized access only. #

Part B: Interface Configuration

  1. Configure g0/0:
    interface g0/0
    ip address 10.1.1.1 255.255.255.0
    description LAN - Lab Network
    no shutdown
    exit
  2. Return to Privileged EXEC: end
  3. Verify: show ip interface brief — confirm g0/0 is up/up.

Part C: Save and Verify

  1. Save: copy running-config startup-config
  2. Compare: show running-config vs. show startup-config — they should match.
  3. Verify passwords are encrypted: show running-config | include password
  4. Test security: disconnect from console, reconnect. Confirm:
    • MOTD banner appears
    • Console password is requested
    • Enable secret is requested when entering Privileged EXEC

Part D: Verify Host Connectivity

  1. Configure PC1 with IP 10.1.1.10/24 and gateway 10.1.1.1.
  2. Ping from PC1 to R1 (10.1.1.1). Verify replies.
  3. On R1, check show ip arp for PC1's entry.

Deliverable

A report containing: the complete show running-config output (with passwords visible as encrypted values), show ip interface brief, and a description of the login experience when reconnecting to the console (banner, password prompts, mode transitions).

Week 11 Outcome Check

By the end of this week, you should be able to:

  • Navigate between User EXEC, Privileged EXEC, Global Configuration, and sub-configuration modes
  • Set hostname and MOTD banner with security-appropriate content
  • Secure console, VTY, and Privileged EXEC access with passwords and enable secret
  • Explain the difference between running config (RAM) and startup config (NVRAM) and save changes correctly
  • Use essential show commands to verify device state, interface status, and configuration
  • Filter show output with pipe commands (include, section, begin)
  • Troubleshoot wrong-mode errors, unsaved configs, locked-out access, and administratively-down interfaces

Next week is the NET101 Final Capstone: designing, IP-planning (VLSM), and configuring a 3-switch, 1-router network with full connectivity.

Hands-On Labs

Use these activities to build CLI fluency and device management skills.

Lab 1: Mode Navigation Speed Drill

Task: Starting from User EXEC, navigate to each of the following modes and back: Privileged EXEC, Global Config, Interface Config (g0/0), Line Config (console 0), Line Config (vty 0 4), Router Config (router ospf 1). Time yourself and repeat until you can do the full sequence in under 60 seconds.
Deliverable: A log showing the prompt at each mode transition.
Why it matters: Mode navigation should be automatic. Hesitation wastes time and causes errors in production.
Time estimate: 15-20 minutes

Lab 2: Full Device Initial Configuration

Task: From a factory-default router in Packet Tracer, perform the complete initial setup from the guided lab without referring to notes. Configure hostname, enable secret, console and VTY passwords, SSH transport, service password-encryption, MOTD banner, one LAN interface, and save the configuration.
Deliverable: Screenshot of show running-config showing all security settings applied and encrypted.
Why it matters: This exact sequence is performed every time a new device is deployed in a production network.
Time estimate: 25-35 minutes

Lab 3: Unsaved Configuration Recovery Scenario

Task: Configure a router with hostname, IP addresses, and a static route. Do NOT save the configuration. Reload the router and observe what happens. Then reconfigure, save properly with copy run start, reload again, and verify the configuration persists. Document both outcomes.
Deliverable: A side-by-side comparison of show running-config before and after reload (unsaved) and before and after reload (saved).
Why it matters: Experiencing the consequences of unsaved changes in a lab prevents the mistake in production.
Time estimate: 20-25 minutes

Checkpoint Questions

  1. What is the difference between the > and # prompts in Cisco IOS? What command moves you from one to the other?
  2. Why must you type login under line console 0 in addition to setting a password? What happens if you set a password but omit login?
  3. What is the difference between enable secret and enable password? Which one should you always use and why?
  4. Explain the difference between running-config and startup-config. Where is each stored, and what happens to running-config when the device loses power?
  5. What command saves the running configuration to NVRAM? What is the shorthand version?
  6. Why should the MOTD banner not include the device hostname or IP address?
  7. You type ip address 10.1.1.1 255.255.255.0 and IOS responds with % Invalid input detected. What is the most likely problem?
  8. What does show ip interface brief tell you that show running-config does not? When would you use each?

Weekly Reflection

Reflection prompt (200-300 words):

This week focused on the operational environment that underlies every configuration task you have done this semester. Reflect on what CLI management means for professional network operations.

  • Why does a structured mode hierarchy (User EXEC → Privileged EXEC → Global Config) exist instead of giving every user full access to every command?
  • What are the consequences of not saving configuration changes? How would you build a habit or process to prevent this in a production environment?
  • Why is the CLI still the primary management interface even though GUIs and automation tools exist?
  • How does securing device access (passwords, SSH, banners) relate to the broader concept of defense in depth that you will study in NET202?

A strong reflection should connect CLI management practices to the operational discipline and security mindset expected of a professional network engineer.

Recommended References

Keep the Cisco IOS Command Reference bookmarked. When you encounter an unfamiliar command in a running config or a lab exercise, looking it up in the reference builds vocabulary faster than any other method.

Week 11 Quiz

Test your understanding of IOS mode hierarchy, password security, running vs. startup config, show commands, and device management fundamentals.
