Cisco IOS Command Lines Modes

Cisco IOS Command Lines Modes, What is User mode, Privileged mode and Global Configuration mode

         Cisco IOS has a Command Line Interface (CLI) and it has three command line modes. Each mode has access to different set of IOS commands.

User mode (User EXEC mode)

User Mode is the first mode a user has access to after logging into the router. The user mode can be identified by the > prompt following the router name. This mode allows the user to execute only the basic commands, such as those that show the system’s status. The router cannot be configured or restarted from this mode.

The user mode can be identified as shown below


Privileged mode (Privileged EXEC Mode)

Privileged mode mode allows users to view the system configuration, restart the system, and enter router configuration mode. Privileged mode also allows all the commands that are available in user mode. Privileged mode can be identified by the # prompt following the router name. From the user mode, a user can change to Privileged mode, by running the “enable” command. Also we can keep a enable password or enable secret to restrict access to Privileged mode. An enable secret password uses stronger encryption when it is stored in the configuration file and it is more safe.

The Privileged mode can be identified as shown below


Global Configuration mode

Global Configuration mode mode allows users to modify the running system configuration. From the Privileged mode a user can move to configuration mode by running the “configure terminal” command from privileged mode. To exit configuration mode, the user can enter “end” command or press Ctrl-Z key combination.

The Global Configuration mode can be identified as shown below.


Global Configuration mode has various submodes, starting with global configuration mode, which can be identified by the (config)# prompt following the router name. Following are the important Global Configuration submodes.

Interface mode (Router physical interface configuration mode)


Subinterface mode (Router sub-interface configuration mode)


Line mode (Router line configuration mode – console, vty etc.)


Router configuration mode (Routing protocols configuration mode.)



Posted By – RamCruiseWalker


Upgrade or install IOS from Trivial File Transfer Protocol (TFTP) Server

To install IOS from TFTP server, follow these steps.

1) If you want a fresh install, erase the contents of the flash memory using the “erase” command as shown below.

Router01#erase flash
Erasing the flash filesystem will remove all files! Continue? [confirm]y
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
<outout omitted>
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erasedee
Erase of flash: complete

2) Copy an IOS file from TFTP server to flash memory. Make sure that you have the IOS file available in the root of the TFTP server.

To copy an IOS file from TFTP server to the flash memory, use the following command from privilege mode.

Router01#copy tftp flash
Address or name of remote host []?
Source filename [C2600-Adventerprisek9-Mz_124-2_T.bin]?
Destination filename [C2600-Adventerprisek9-Mz_124-2_T.bin]?
Accessing tftp://
Erase flash: before copying? [confirm]y
Erasing the flash filesystem will remove all files! Continue? [confirm]y
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
  <output omitted>
Erase of flash: complete
Loading C2600-Adventerprisek9-Mz_124-2_T.bin from (via FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  <output omitted>
[OK - 29771296 bytes]
Verifying checksum...  OK (0xECA5)
29771296 bytes copied in 376.332 secs (79109 bytes/sec)

After the IOS image file is copied to flash, you must reboot your router in order for it to use the new image. There are two ways you can reboot your router.

Power if off and then power it on (Hard reboot)

Run the “reload” IOS command from privilege mode (Soft reboot)


Backup IOS and configuration files to Trivial File Transfer Protocol (TFTP) Server

How to copy the contents of flash memory to TFTP Server

To copy the contents of the flash (IOS file is stored in flash memory) memory to TFTP server, use the following command from privileged mode.

Router01#copy flash tftp
Source filename []? C2600-Adventerprisek9-Mz_124-2_T.bin
Address or name of remote host []?
Destination filename [C2600-Adventerprisek9-Mz_124-2_T.bin]?
<output omitted>
29771296 bytes copied in 139.732 secs (213060 bytes/sec)

The file will be copied to the root folder of the TFTP server.

How to backup Running Configuration File to TFTP Server

To back up Running Configuration File to TFTP server, use the following command.

Router01# copy running-config tftp



Naming Convention of Cisco IOS Image Files

              IOS is the Operating System software used on Cisco routers and current Cisco Network Switches.Cisco IOS (Internetwork Operating System) image file is normally stored in flash memory and it has a naming convention.

Following output shows the “show-flash” command from privileged mode.

Ramanece #show flash
System flash directory:
  File  Length   Name/status
  3   5571584   c2600-i-mz.122-28.bin
  2   28282     sigdef-category.xml
  1   227537    sigdef-default.xml
                    [5827403 bytes used, 58188981 available, 64016384 total]
                    63488K bytes of processor board System flash (Read/Write)

The name of the Cisco IOS (Internetwork Operating System) file is c2600-i-mz.122-28.bin.

• The “c2600” means that this IOS image is for a 2600 series router. Other values which may appear here for different router platforms are listed below.

c1005 – For 1005 platform

c1600 – For 1600 platform

c1700 – For 1700 series platforms

c2500 – For 2500 series platforms

c2800 – For 2800 series platform

c2900 – For 2900 series platforms

c3620 – For 3620 platform

c3640 – For 3640 platform

c4000 – For 4000 series platform

c4500 – For 4500 and 4700 platforms

• The “i” indicates  that this is the IP routing version of the IOS.

Normal values which may appear here are

a – appn

a2 – atm

a3 – SNA switching

b – appletalk

c – communications servers etc

i – ip

j – enterprise

l – IPX

n – Novell

o – firewall

p – service provider

v – voice

• The “mz” indicates that this version of the IOS runs from RAM and the IOS file is compressed.

• The “122-28” indicates that this is IOS version 12.2, patch level 28.

 Posted By – RamCruiseWalker


Configure Solarwinds Trivial File Transfer Protocol (TFTP) Server to backup IOS and configuration files

                  Solarwinds Trivial File Transfer Protocol (TFTP) Server is a free TFTP Server product from Solarwinds. After the installation of Solarwinds Trivial File Transfer Protocol (TFTP) Server in a computer, you need to configure it to backup IOS and configuration files of Cisco Routers and Switches.

Follow these steps to configure Solarwinds Trivial File Transfer Protocol (TFTP) Server

1) Make sure that the computer on which Solarwinds Trivial File Transfer Protocol (TFTP) Server is on the same network and the TCP/IP settings of the computer is on the same network where the router interface is connected. In our environment, the IP Address of the fa0/0 interface

If you want to configure the IP address for the routers fa0/0 interface, connect the router and follow these steps.

OmniSecuRouter01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
OmniSecuRouter01(config)#interface fa0/0
OmniSecuRouter01(config-if)#ip address
OmniSecuRouter01(config-if)#no shutdown

To configure TCP/IP settings of the computer similiar as below. Here the IP address of the computer where Solarwinds Trivial File Transfer Protocol (TFTP) Server installed is

Solarwinds tftp server tcpip settings

Test the connectivity by pinging to the router.

Remember that the standard UDP port number for Trivial File Transfer Protocol (TFTP) is 69. Make sure that the firewall on the computer where Solarwinds Trivial File Transfer Protocol (TFTP) Server is installed is NOT blocking UDP port 69.

2) Run the Solarwinds Trivial File Transfer Protocol (TFTP) by clicking it from Start > Programs. Click menu File > Configure.

Solarwinds TFTP server configure menu

3) Start TFTP server by clicking the “Start” button and make sure the service is started by checking the status. Also verify the default root directory location of the TFTP Server.

Solarwinds TFTP server configure dialog box

Posted By – RamCruiseWalker


Install Solarwinds Trivial File Transfer Protocol (TFTP) Server

                              Many Trivial File Transfer Protocol (TFTP) server software products are available for free download on the Internet. Solarwinds Trivial File Transfer Protocol (TFTP) server is one of the leading free Trivial File Transfer Protocol (TFTP) server software. Click the following link to download Solarwinds Trivial File Transfer Protocol (TFTP) server. You need to register on Solarwinds web site to download the Solarwinds Trivial File Transfer Protocol (TFTP) server product.

After downloading the Solarwinds Trivial File Transfer Protocol (TFTP) server, complete the following steps to install and configure it.

Remember, these steps may vary depending on version.

1) Double click the setup file to run the Solarwinds Trivial File Transfer Protocol (TFTP) server installation wizard. Click “Next” to continue.

2) Click the “I accept the terms of the license agreement” radio button and click “Next” to continue.

3) Enter the customer information and click “Next” to continue.

4) Select the installation location and click “Next” to continue.

5) Click “Install” to start the installation of Solarwinds Trivial File Transfer Protocol (TFTP) server.

 Solarwinds TFTP server installation-install

6) Click the “Finish” button to complete the installation.

Posted By – RamCruiseWalker


Trivial File Transfer Protocol (TFTP)

Trivial File Transfer Protocol (TFTP) is a file transfer protocol, which is the basic form of File Transfer Protocol (FTP).

Trivial File Transfer Protocol (TFTP) has a very simple design and it requires only a very small amount of memory.

Trivial File Transfer Protocol (TFTP) is mainly used for network booting of computers and network infrastructure devices such as routers and switches.

Trivial File Transfer Protocol (TFTP) is used in Cisco networking environment to back up Cisco IOS (Operating System) image file, configuration files, Network Booting and for an IOS upgrade.

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol and it is implemented on top of the User Datagram Protocol (UDP). The standard UDP port number for Trivial File Transfer Protocol (TFTP) is 69.

Many Trivial File Transfer Protocol (TFTP) server software products for windows Operating System are available for free download on the Internet. Some are listed below.

Solarwinds Trivial File Transfer Protocol (TFTP) server

tftpd32 Trivial File Transfer Protocol (TFTP) server

Open Trivial File Transfer Protocol (TFTP) server

Posted By – RamCruiseWalker


Cisco Router Boot Sequence, Cisco Router POST (Power On Self Test)

When a Cisco router boots up, it performs a series of steps, called the router boot sequence, to test the hardware and load the necessary software.

Cisco router boot sequence consists of the following steps:

1. The router performs a POST (Power On Self Test). The POST (Power On Self Test) tests the hardware to verify that all components of the device are operational and present. For example, the POST checks for the different interfaces on the router. The POST is stored in and run from ROM (read-only memory).

2. The bootstrap program (The bootstrap is a program in ROM that is used to execute programs) checks the Configuration Register value to find where to load the IOS. The default value of configuration register is 0x2102 (hexadecimal value). The configuration register value 0x2102 indicates that the router should load Cisco IOS Operating System software image from Flash memory and load the startup configuration with a console speed of 9600 baud rate. The bootstrap looks for and loads the Cisco IOS software from flash if the configuration register value is 0x2102.

The Bootstrap program is responsible for initializing hardware and finding where IOS program is located and then loading IOS image. By default, the IOS software is loaded from flash memory in all Cisco routers. Other possible location of the IOS image is a TFTP (Trivial File Transfer Protocol) server, configured in a computer).

If the Bootstrap program is not able to find a valid IOS image, it will act as ROM Monitor. ROM Monitor is capable of providing a command-line environment that can be used to perform certain configuration tasks, such as downloading IOS image using TFTP, recovering a lost password, changing the configuration register value etc.

3. The IOS software looks for a valid configuration file stored in NVRAM. This file is called startup-config.

4. If a Startup Configuration (startup-config) file is present in NVRAM, the router will load and apply the configuration commands in Startup Configuration (startup-config) file. If a valid Startup Configuration (startup-config) file is not in NVRAM, IOS will display System Configuration setup.

5. Once the startup-config configuration is loaded, IOS will present CLI interface in User mode.

Cisco Router Boot Order

Posted By – RamCruiseWalker


Configuring And Testing The Network


In this chapter, we will learn how to configure the various internetwork devices such as the router and the switch. We will also cable the network correctly according to the requirements and learn the various   CISCO IOS – CISCO internetwork operating system basics that we will use throughout the course. As we mentioned in the beginning of the course, this will be a lab oriented course and therefore, you are expected to have lab equipment. If you do not have the physical devices, do not worry because we will discuss an alternative that can be used for learning purposes in this course.

Upon completion of this chapter, you will be able to:

  • Understand the role of the CISCO IOS
  • understand the config file on routers and switches
  • Understand the IOS command structure
  • Configure basic configuration of a router or a switch
  • Verify the configuration on a router using show commands.

    Internetwork operating system

    I am sure that you already know that computers have operating systems. The operating system allows the computer to function and also allows us to input and receive output. The operating system is the intermediary between us and the computer’s internal components. Similarly, the router also has an operating system.

    CISCO uses the IOS (internetwork operating system) to allow us to use the various capabilities in the routers.

    The CISCO IOS allows us to perform functions such as:

    • Routing
    • Security for the network
    • Expand the network based on requirements among others.

    Unlike other operating systems that you may be accustomed to however, the CISCO IOS is accessed using a CLI (Command Line Interface). If you have used programs such as DOS™ then you are familiar with the CLI prompt.

Access methods

The CLI on routers may be accessed using one of the following ways:

  • Console port
  • Auxiliary port
  • Virtual terminal lines.

There are several programs that we can use to access the CLI on routers.

  1. The console port is the main port that is used to configure a router. When the router is new and out of the box, this is the interface that is used to configure the router. After the initial configuration, we can use other configuration methods. The console port is also used for disaster recovery in case the router is unusable or as a way to troubleshoot the router when other connectivity means are unavailable.
  2. The second way we can configure a router is using an auxiliary port. The auxiliary port is used to configure the router through the use of a modem. This port is rarely used and as such we will not discuss its use further.
  3. The third way we can configure a router is by using the virtual terminal lines. As the name suggests, the virtual terminal lines are configured as a way to access the router remotely.

The administrator can configure the router to be accessed from a remote location using these lines.

In this course, we will learn how to configure the two types of VTY lines, either through telnet or the more secure SSL.

NOTE: the operation of the router depends on the commands that we issue during configuration as well as the IOS functioning.

Configuration files on the router

As mentioned earlier, the router is a computer and it the configuration we do determines its operation. The router has two types of memory; volatile and non-volatile memory. The configuration we make is stored in one of these two types of memory depending on the commands we issue.

There are two types of configuration files on the router.

The startup configuration file (startup-config) – this is the file that is used during the startup of the router. It is stored in the non-volatile memory which is called the NVRAM. The startup configuration consists of all the commands we have issued and saved in the router. Once the router boots up, this file is loaded from the NVRAM to the RAM where it is used as the running configuration file.

The running configuration the operation of the router is determined by the running configuration. Any command that we issue on a router is immediately executed and stored in the running- configuration. This file is stored in the RAM or the volatile memory. This means that if the router loses power, any unsaved changes in this file will be lost. When the running- configuration is saved, it is stored in the NVRAM and becomes the startup-config.


The CISCO CLI is structured hierarchically. The modes are executed from the top to bottom. Each mode gives access to certain commands that can be issued. The list below shows the CISCO IOS modes from the top to bottom.

  • User exec mode
  • Privileged exec mode
  • Global config mode
  • Other specific configuration modes

On gaining access to the router, there will be various prompts that will denote the specific level in which the administrator is in. however, the beginning of the prompt will be the router’s name. The various prompts are discussed below.

  1. User executive mode

This is the main or the first mode that one can access on a router. It is limited to few verification and troubleshooting commands. By default, authentication is not required but as best practice we will configure security so as to ensure protection of our routers.

On accessing the router, you will notice the prompt that ends with this symbol “>” after the router’s name. By default the name of the router is usually “Router“. This prompt is shown below.


In this mode, we can view basic information using the “show” command.

  1. Privileged executive mode

This is the second mode in the IOS CLI. In this mode, we can view various troubleshooting and verification commands such as “show and debug“. By default, this mode is also not secured, as best practice we will also secure this mode using a password.

This mode is denoted by the HASH (#) symbol preceeded by the name of the router. To enter this mode, we issue the command “enable” from the user exec mode.


NOTE: To move from the user exec mode to the privileged mode the command – “enable” should be entered from the user exec mode.

The “disable” command is used to exit the privileged exec mode and return to the user exec mode.

  1. Global configuration mode

The main configuration on a router is executed in this mode. Parameters such as the router’s name, ip domain lookup, banners among others can be configured. In this mode, we can also gain access to other specific configuration parameters such as interface configuration.

The global configuration mode is shown by the prompt: (config)# as shown below:


NOTE: To enter this mode from the privileged exec mode we enter the command: “Configure terminal”

To exit we to the privileged mode we enter the command: “exit”

  1. Specific configuration mode.

There are other specific configuration modes on the router. These are entered in the global configuration mode and are used to configure various functions and options on the router such as the interfaces, routing options, console lines among others. The specific configuration mode commands will be discussed progressively throughout the course.

commands format

When configuring the router, we need to understand the format used in configuration. The image below shows the IOS command structure.

We can also obtain help when typing a command we are unsure of in CISCO IOS. This is done by using a question mark “?” followed by the <enter> key. As shown in the image below.

We can use this command when we are unsure of the correct command to use or we have made an error.

We can also use the <tab> key to autocomplete commands. This may be useful when the command is too long and used frequently. However, we recommend that as we are beginning to learn the IOS, we should use the full command till at a later stage.

There are other shortcut keys used and these are shown below.

  1. Ctrl-R – to re-display a line
  2. Ctrl-Z – exit the configuration mode and returns the user to the user exec mode.
  • Down and up arrows – these are used to scroll through previously entered commands.
  • Ctrl-Shift-6 – this command is used to interrupt a command that has been issued.
  • Ctrl-C – this command can be used to abort a configuration line and return to the privileged mode.

There are other basics that are used in CISCO IOS, however, these we will learn as we continue in this course.

NOTE: you will be expected to know and memorize all the commands used in this course for the exam. In the ICND 1, ICND 2 and CCNA composite exams, the use of these commands will be frequent and you will NOT have anywhere to refer to.


Examination commands

When configuring a router, you may need to troubleshoot different configurations. The use of examination commands is vital in this respect. The examination commands are viewed in the privileged executive mode and will start with “show” in the prompt. Some of these commands and their functions are shown below.

  1. Show version – shows information on the CISCO IOS running on a router or a switch. Such as the version, release date.
  2. Show startup-config – this command shows the configuration file that is stored in the NVRAM.
  3. Show running-config – the commands that are currently being used by the router for its operation can be viewed using this command. This information is usually stored in the router’s RAM.

Network simulation using packet tracer

As mentioned earlier, access to physical network devices may at some times be difficult, and since this course is based mainly in a lab environment where we need to access and configure these devices, we need an alternative.

Your instructor should be able to give you access to packet tracer. A program that can be used to simulate networks in the lab environment. This software will give you access to most if not all, commands and devices needed in CCNA. In this course, we will use packet tracer and real devices in configurations.

After installation, the main window of packet tracer will be as shown below.

Familiarize yourself with the software. At the bottom left, we have the various categories of devices that may be used in the network. These include routers, switches, and connections among others. Clicking on any of these icons will bring a list of more devices in each category.

To use a device, simply click on its icon and drag it to the main work area shown in white.

On the right hand side, near the bottom, there are two icons in the shape of envelopes. These icons are used to capture packets and you will use them at a later stage. As you continue to use this software, you will become more and more experienced and gradually you will know all the capabilities and functions.

The scenario

In this chapter, we will configure 2 routers and 1 host PC in packet tracer. This will be basic configuration, aimed at showing you the main features of IOS and immersing you into the CISCO configuration environment using packet tracer.

The topology shown below shows 2 routers and a PC. The connection from the PC to router R1 is done using a crossover cable while the interconnection between the two routers is done using a serial cable.

The serial interface on R1 is the DCE side while the connection on router R2 is the DTE side. If you are using physical devices you should be aware of this cabling.

In this topology, we have 2 routers labeled R1 and R2. We have a connection between them which is S0/0/0 DCE on R1 and S0/0/0 on R2.

Router R1 is connected to PC A through 2 interfaces. One is the console port which will be used to configure the router, while the other will be the network port to PCA’s NIC via Fa0/0 on R1.

In packet tracer, the diagrams shown below are a guide to making this topology.


Drag and drop into the main work area the devices that will be used in the configuration as shown in the topology. In this case we use 2 1841 CISCO ISR routers. By default they are labeled Router0 and Router1. Also in the end device section drag and drop a PC icon, as shown in the diagram.


Click on the router0 icon. A new panel opens up and details the back panel of the router. At the top, there are three tabs – physical, config, CLI. In this case we are interested in the physical. This router, does not have a WAN connection interface as shown in the part highlighted by the red arrow. We need to install the WAN interface module on both routers so that we can interconnect them using serial links.

To do this, we have to shut down the router and look for the appropriate module on the left which can be used for serial WAN connections. To turn off the router, you need click the switch button shown by the blue arrow in the diagram above.


We need to add the correct WAN module. From the left to the panel on the right highlighted by the red arrow in the previous diagram. In this case and most other scenarios, we will be using the WIC-2T module highlighted in red. Drag and drop it to the empty space as shown above.

NOTE: the router goes off when the power button is switched. After installing the module you need to switch it back on.


Next we need to connect the devices with the correct cable. The connection from the PC to Router0 uses a crossover cable while the connection between the two routers uses a serial DCE cable. In the connections tab at the bottom make sure you use the correct cable.

To connect devices:

  1. Select a cable by clicking on it.
  2. Click on the device you want to connect to
  3. Choose the correct interface number
  4. Repeat process on the other end of the cable by dragging it to the opposite device and clicking on the correct interface.

These steps are shown in the diagrams below

The connections shown are for router0 and router1.


Connection on Router0 shown above using serial0/0/0

Connection on Router0 shown above using serial0/0/0

The connection on Router1 using serial0/0/0 there are two connections from PC0 to Router0. One connection shown by the black dotted line is the LAN interface on PC0’s fastethernet interface while the blue one is the console cable used to configure Router0 as shown below.

As you can see from the diagram above, the interface labels are visible. To enable this, go to options, then click on preferences and in the preferences tab select the option that says “always show device labels” as shown below marked by a red arrow.

The console cable connects to the RS 232 port on the PC and the console port on the router.

Now that we have interconnected the devices, we need to access the CLI interface on the router from the PC0.

To do this, we need to click on PC0’s icon. Whereby we will receive this output.

As mentioned earlier, packet tracer simulates the operation of different network devices, in we click on the desktop tab, we will see the same options as we would a physical computer.

In this tab, we have several options such as the ip address configuration, the terminal and command prompt among others. In this case we will use the prompt which will connect us to the routers CLI.

After clicking the terminal tab, leave the configurations options on default and click OK. This will connect you to the router in its boot-up process shown by the several “#” output.

After the boot-up process is complete, you should receive a command prompt shown below. Type in “no” and press enter.

After this prompt, we will enter the user exec mode. As we mentioned earlier, this is the first access point in the CISCO IOS CLI.

It is denoted by the output:


To enter the privileged configuration mode we should type in “enable” and enter. This will take us to the privileged executive mode denoted by the output shown below.


In this mode we can do various troubleshooting commands such as show and debug commands.

Next we need to access the global configuration mode so that we can begin our configuration. To do this, we need to type in:

“configure terminal” followed by ENTER. This will take us into the global configuration mode which is shown in the prompt output as:


NOTE: if you are using real devices, the steps followed should be the same, and the output received should not be different. However, if you need more information, contact your trainer.


In this section, we should configure the following.

  1. Hostname on router0
  2. Limit access to the router
  3. Configure banners
  4. Disable ip domain lookup
  5. Configure the interfaces
  6. Verify the configuration
  7. Test local network connectivity
  8. Document the network

The commands used will be done mainly from the global configuration mode on router0. We will not configure Router1 but the same concepts will be used. Keep this in mind.

Hostname on Router0

In the topology diagram, the first router was R1 not Router0, when naming routers, remember to only use alphanumeric symbols and the underscore only. There should be no space between the names because this will return an error.

To change a hostname of a router or a switch the command needed in the global configuration mode is:

Router(config)# hostname <NAME_OF_ROUTER>

The parameter shown in angle braces will be the name used on the router or switch.

In this scenario, In the global configuration mode on Router0, the command needed to change the name of this router from Router0 to R1 will be:

Router(config)#hostname <R1>

After entering this command, you should be able to see the change reflected immediately from:

“Router(config)# ” to “R1(config)#

Now with that command we have successfully changed the name of the router.

Limit access to the router

The next thing we need to do is to limit access to the router. We need to do this so as to strengthen the security. Every device should have locally configured passwords to limit access.

We have seen that the CISCO IOS is organized hierarchically. One of the reasons behind this is to enhance security. In this respect we need to configure security on our router. The passwords we will configure are to require authentications at various points on our routers. The passwords we will configure are:

  • the console line password – to limit connection to the router using the console port
  • the enable password – to limit access to the privileged Executive mode
  • enable secret password – to configure encrypted passwords to protect the privileged EXEC mode
  • VTY lines password – to protect access to the router via telnet
  1. Console line

We first need to secure the console lines. As we saw earlier, the console lines allow access to configuration of the router through the router’s console port. To do this, we need to access the console line in the global configuration mode.

The command to access the console line is:

Router(config)# <line console 0>

The first line is usually 0 as shown above. After entering this command, we will enter the specific configuration mode for the console line which is shown below:


From this mode, we need to enter a password and also a command to require authentication before accessing the console line. The commands needed to do this are:

Router(config-line)#password <cisco>

Router(config-line)# login

The first line specifies that the password for the console on this router is “cisco” and the second line – “login” states that for anyone to access this router, you will need to enter a password to access the CLI using the console port.

To verify this command, the next time someone tries to access this router after it is rebooted, they will be required to enter this password.

In this scenario, we will use the password “cisco123” and the commands needed on R1 will be

  1. Privileged exec mode – enable password

The privileged executive mode allows us to access the global configuration commands, therefore, it is important to secure this mode so as to limit access.

To do this, we need to configure the “enable password” on the router’s global configuration mode. This will require the use of a password to enter the privileged executive mode.

In the global configuration mode enter the following:

Router(config)#enable password cisco

The above command specifies that to be able to access the privileged access mode, the user has to enter the password cisco in the user exec mode.

On R1, we configure the password “cisco1” for the privileged executive mode using the following command.

R1(config)#enable password cisco1

To verify this command, enter the command “end” to return to the privileged exec mode, then enter the command “disable” to return to the user exec mode.

To login to the privileged exec mode on R1, you will be required to enter the password “cisco1”.

  1. Enable secret command

The use of the enable password, is not secure since the password is stored in the flash memory as plain text and it can be easily cracked. To enable a more secure password for the privileged exec mode, we use the enable secret command.

The enable secret command will create an encrypted password.

To enter this command on a router use the following command:

R1(config)#enable secret <cisco12>

This specifies that we should use an encrypted password of “cisco12

If we use this command on R1, it will override the enable password and replace it with the secure password. To do this on R1 enter the following command.

R1(config)#enable secret cisco12

  1. Vty lines

We also need to limit remote access to the router, the vty lines allow access to a router via Telnet. By default, many Cisco devices support five VTY lines that are numbered 0 to 4. A password needs to be set for all available vty lines.

To enable a password for the telnet lines, we need to enter the specific configuration mode for these lines. To do this, we enter the command shown below:

R1(config)#line vty 0 4

The above command specifies that we want to configure the 5 telnet lines on this router. After entering this command, we will enter the vty lines configuration mode shown by the prompt below.


In this mode, we can configure the password and require authentication when a user wants remote access to a router. The commands needed to accomplish this are:

R1(config-line)#password <telnet_password>


The commands above specify that this router should be configured with a password and should require authentication with said password for access.

On R1, to secure the vty lines using the password cisco1234, the commands needed to accomplish this will be:

  1. Encrypting Password Display

The commands that we have used to configure the passwords are insecure since the passwords are stored in plain text. To enhance the security of the passwords that we have configured, we use the command “service password-encryption“. When this command is executed, the plain text passwords will be encrypted. This means that they one cannot see the password in plain text from the running- config.

To configure this on router R1, enter the command shown below in the global configuration mode:

R1(config)#service password-encryption

This will ensure that no password can be viewed from the running configuration.

Configure banners

Configuring passwords is a good measure to protect the router from unauthorized access. However, we also need to warn would be attackers.

Banners are a way in which we notify unauthorized personnel who would want to access the router. In some cases, failure to apply banners can cause attackers to escape legal ramifications since they can argue that there was no information against unauthorized access.

One way to configure the banner is using the MOTD (message of the Day). To do this, we need to enter the command shown below in the global configuration mode:

R1(config)#banner motd <# insert message in here #>

The # in the banner motd command denotes the beginning and end of the message to be displayed.

On R1, to configure a banner that states “!!!! WARNING, AUTHORIZED ACCESS ONLY!!!!” the command shown below will be used.

R1(config)banner motd #!!!! WARNING, AUTHORIZED ACCESS ONLY!!!! #

Once the command is executed, the banner will be displayed on all subsequent attempts to access the device until the banner is removed.

Configure the interfaces

In this scenario, there are 2 interfaces on R1 and 1 on the PC0 that we need to configure. The addressing scheme used is shown below.

Device Interface Ip address Subnet mask Default gateway
PC0 FastEthernet
R1 FastEthernet0/0

We will not configure Router1. When configuring the PC, the following steps should be taken:

  1. Click on the PC0 icon
  2. Click on the desktop tab
  3. Click on the ip configuration tab
  4. Enter the values shown above
  5. Close the ip configuration tab

On the router, we need to configure the interfaces and also activate them. By default, interfaces on routers are usually deactivated.

To configure the interface on a router, the following commands will be used.

Router(config)#interface <interface_name><interface_number>

Router(config-if)#ip address <interface_ip_address> <subnet_mask>

Router(config-if)#no shutdown


  • In the above configuration, the first line is used to enter into the specific interface configuration mode. This will allow us to enter various interface configuration options.
  • The second line will assign the ip address and the subnet mask according to the specifications
  • The third line will activate the interface and make it usable.

In this scenario, we have 2 interfaces on R1. To configure R1’s FastEthernet0/0 interface, the following commands will be used:

To configure the serial interface the following commands will be used.

As you can remember, we connected the router R1 using a serial DCE cable, this means that this interface must have a clocking signal simulated as you would using a CSU/DSU. The command:

Clock rate 64000 above, specifies that this interface is the DCE side and it has a clock rate of 64000.

In packet tracer, after configuring the interfaces and executing the “no shutdown” command, the end points on the fast Ethernet link from the PC0 to R1, should turn from red to green as shown in the figure below:

Verifying the configuration

After all these configurations are done, we need to verify that they have been executed as well as save the configuration to the NVRAM from the RAM.

To save the configuration, we need to exit to the privileged executive mode and enter the following command:

Router#copy <running-config> <startup config>

The command above when executed will save the running configuration to the NVRAM of the router, this will make the running configuration the startup-configuration in the next boot-up of the router.

On R1, the command needed to save the running configuration to the flash memory will be as shown below.

R1#copy running-config startup-config

After saving the configuration, we also need to verify the operation of the router, as well as check for connectivity to our host PC.

The verification commands we will use will also be used when troubleshooting. More on troubleshooting will be discussed in subsequent chapters.

In this chapter, we will check for the interface configuration, the running configuration, and the connectivity to the PC using ping command.

The running-configuration

After configuring the router, we need to check all the configurations used, to do this we need to check the running configuration. The running configuration as we mentioned earlier is stored in the RAM and therefore, any additional commands we make will need to be saved to the startup configuration.

The running configuration will show us all the commands that we have used while configuring a device.

The command used to check the running configuration is executed in the privileged executive mode and it is shown below.

router# show running config

When executed, this command will show us all the configuration commands used on a router or a switch.

The output of the show running-config on R1 is shown in the exhibit below:

Verify interface operation

When verifying the interfaces on routers, we need to check whether they are operational and whether they have been assigned the correct ip addresses. To accomplish this, we will use the commands shown below in the privileged executive mode:

  • Show ip interface brief
  • Show interface <interface name> <interface number>

Show ip interface brief

The output of this command will show the operational status of an interface at layer 1 and layer 2. The output shows the interface, the ip address assigned, the status, and the status of the protocol which is connectivity at layer 2. If the interface is operational, the status and protocol should be up/up.

Show interface <interface name> <interface number>

The output of this command shows the status of the specific interface as shown in the output below for interface FastEthernet 0/0.

As you can see from the above output, the interface is shown as on and it is operational. This is another way we can verify the status of an interface.


In this chapter, we have looked at the basic configuration in CISCO IOS. We have configured a router in packet tracer given the requirements of the lab. We have also looked at the command structure of IOS. In the next chapter, we will begin routing by looking at how routing works and configuration of static routes.


                                           Posted By – RamCruiseWalker