Cisco IOS basic configuration

Course: Generel networking (no course) 

Title: Cisco IOS basic configuration 

Author: Thomas Ivarsson 

Last edit: March 16, 2012 

Cisco IOS basic configuration 

A brief introduction to the Cisco IOS 

Basic navigation 

The Cisco Internetwork Operating System (IOS) is built in hierarchical layers, 

each with its own functions, privileged level and purpose. The three base layers 

och modes are the user executive mode, privileged executive mode and global 

configuration mode. Each of the modes have their own prompt: 

Router> 

Router# 

Router(config)# 

// user executive mode 

// privileged executive mode 

// global configuration mode 

There are also a number of special configuration modes such as the interface, line 

and router configuration mode: 

Router(config-if)# 

Router(config-line)# 

Router(config-router)# 

// interface configuration mode 

// line configuration mode 

// router configuration mode 

To navigate up one level in the hierarchy, for example from the user executive 

mode to the privileged executive mode, use the specific command to reach that 

mode. To move back down, use the exit command. A few examples: 

Router>enable 

Router#configure terminal 

Router(config)#exit 

Router#configure terminal 

Router(config)#interface FastEthernet 0/1 

Router(config-if)#exit 

Router(config)#line console 0 

Router(config-line)#end 

Router#disable 

Router> 

As can be seen by the last two commands, end and disable, there are actually a 

few command besides exit that will let you move back down. The end command 

moves you directly from a special configuration mode back to the privileged 

executive mode, bypassing the global configuration mode. The disable 

command moves you from the privileged to the unprivileged executive mode. 

Using exit in privileged executive mode will disconnect you from the device. 

1/9





A brief introduction to the different modes 

The user executive mode is limited to examining the device. It is possible to get a 

good view of how the device is functioning only by accessing this mode. Though 

it's not possible to change any of the device configuration a basic troubleshooting 

session can be conducted in this mode, giving enough information to decide if the 

devices is causing the problem. 

The privileged executive mode have access to all the commands from the user 

executive mode but it also adds commands with regard to the configuration and 

handling of the configuration of the router. Once a user have access to the 

privileged executive mode the user can access any configuration mode, so having 

privileged executive mode access can be compared to having root access in a 

Unix-like operating system. 

Global configuration mode handles configuration that affects the device as a 

whole. The global configuration mode also the level used to gain access to more 

specific configuration modes such as the interface configuration mode where 

configuration for a specific interface is made or the router configuration mode 

where configuration for a specific routing process (protocol) is configured. 

A brief introduction to the command structure 

The commands in Cisco IOS are multiple-word commands where there command 

for a tree of possible commands. In previous the configure terminal 

command was used move from privileged executive mode to global configuration 

mode. But there are other commands starting with the keyword configure: 

Router#configure ? 

confirm 

Confirm replacement of runningconfig 

with a new config file 

memory 

Configure from NV memory 

network 

Configure from a TFTP network 

host 

overwrite-network Overwrite NV memory from TFTP 

network host 

replace 

Replace the running-config with 

a new config file 

revert 

Parameters for reverting the 

configuration 

terminal 

Configure from the terminal 

 

As seen from the example, there are quite a few commands starting with the 

configure keyword in the privileged executive mode. Another thing worth 

noting is the question mark. By using the question mark you tell the device to feed 

you all possible commands based on the string of characters before the question 

2/9





mark. It can be used as in the example as a way to find the commands that follow 

the configure command or it can be used to find out what commands starts with 

a specified group of characters, for example: 

Router#con? 

configure connect 

One more thing worth noting is that the IOS will interpret a command based on 

the characters given, allow shortening of commands if a keyword is the only 

command using that set of characters. While con is not enough for the devices to 

tell that you mean configure, conf is – since no other command starts with conf 

the device will interpret it as configure: 

Router#con t 

% Ambiguous command: "con t" 

Router#conf t 


When there's no ambiguity as to what keyword is being entered, the TAB key can 

be used to complete the word: 

Router#con 

Router#con 

Router#conf t 

Router#conf terminal 

Naming the device 

// 'con' is ambiguous 

// so the result is 'con' 

// 't' is not ambiguous 

// so the result is 'terminal' 

When a device is booted without a configuration file, it will take its name from 

the kind of device it is. It's a good idea to change this name, making it easier to 

identify what devices one is connected to. The device name is also used by the 

Cisco Discovery Protocol (CDP), a link protocols used by Cisco devices to 

exchange information over a link. CDP can be quite useful when troubleshooting 

and correct naming is surly be a blessing when trying to document an 

undocumented network built with Cisco devices. 

To change the name of the device, enter global configuration mode and execute 

the following command: 

Switch(config)#hostname LION 

LION(config)# 

Notice how the prompt changes, indicating that the word Switch (or Router in 

previous commands) actually was the name of the device. If you want to give the 

device a complete domain name, such as lion.example.com you add the 

domain name as a separate configuration command: 

LION(config)#ip domain-name example.com 

The domain name is actually a sub-command to the ip keyword, indicating its 

3/9





connection to the Internet Protocol (IP). The domain name configured with the 

command will be the default domain name, used when querying the DNS for IP 

addresses or doing a reverse look-up. 

DNS look-up and the 'no' keyword 

When speaking of look-ups, the Cisco IOS have a somewhat annoying feature 

(annoying if you don't know about it): whenever you feed it an IP address as a 

command in user or privileged executive mode, the device will try to make a 

telnet connection to that IP address. Example: 

Router>192.168.231.11 

Trying 192.168.231.11 ... 

The IP address is interpreted as the command telnet - this is not the 

annoying part. The problem is that anything that can be interpreted as a name or 

FQDN will also result in an attempt to make a telnet connection. In fact, any 

string of characters that can't be interpreted as a command but can be interpreted 

as a name will result in an attempted telnet connection. Example: 

Router#not-a-command 

Translating "not-a-command"...domain server 

(255.255.255.255) 


(255.255.255.255) 


(255.255.255.255) 

% Unknown command or computer name, or unable to find 

computer address 

The switch in the example tries to find a DNS server (at IP address 

255.255.255.255), waiting for a time out for every translation attempt. There are 

two ways around this waiting period. Either you have a working DNS server that 

can tell the device that there's no host named not-a-command, or you can disable 

to DNS look-up all together. 

To configure one (or more) DNS server for the device to use, the ip nameserver 

command is used for every server: 

Router(config)#ip name-server 192.168.231.10 

To disable DNS look-ups, use: 

Router(config)#no ip domain-lookup 

The 'no' keyword used in the command is the standard way to negate a command. 

Issuing the command no ip name-server 192.168.231.10 would remove 

that IP address from the list of possible name servers and using the command no 

4/9





shutdown in interface configuration mode will active the interface. 

Configuring passwords 

Passwords can be configured to control who has access to what. A password can 

be set to protect the privileged executive mode, forcing the user to type a 

password in order to move from user executive mode and up to privileged 

executive mode.This password is known as the 'enable' password. Keeping track 

of that name also helps in finding the first keyword in the command: 

Switch(config)#enable secret password 

Using the above command will force the user the enter the password 'password' 

directly after issuing the enable command. 

Switch>enable 

Password: 

Switch# 

// enter 'password', not shown 

The keyword secret tells the device to encrypt the password in the configuration 

file. The algorithm used for the encryption is a modified MD5 hash function that 

is cryptographically weaker than the original MD5 algorithm, but at least it wards 

of most of the nosy shoulder surfers. It's possible to replace the secret keyword 

with the keyword password, but this will leave the password unencrypted. Both 

keywords can be used at the same time: 

Switch(config)#enable password class 

Switch(config)#enable secret password 

Switch(config)#exit 

Switch#disable 

Switch>enable 

Password: 

// enter 'class', not shown 

Password: 



Switch>enable 

Password: 


Switch# 

As can be seen from the example, the password configured with the keyword 

password is ignored as long as the 'secret' password is present in the 

configuration. If the 'secret' password is removed, 'class' will be the password used 

to access the privileged executive mode: 

Switch(config)#no enable secret 

Switch(config)#exit 


Switch>enable 

Password: 

// enter 'class', not shown 

Switch# 

5/9





Protecting the console port 

Initial configuration of a device is usually done through a specific port, the 

console port. To access the device via the console port, one usually need physical 

contact with the devices, non the less, it's recommended to protect this port with a 

password. To configure a password for the port and to force anyone that connects 

via the console to enter the password 'cisco', do the following: 

Router(config)#line console 0 

Router(config-line)#password cisco 

Router(config-line)#login 

The last line of the configuration is very important, without it, the password is 

configured but the user is not forced to use it to log in – connect to the port, you're 

presented with the prompt. Using the login command, the user will in see 

something like this: 

User Access Verification 

Password: 

Enter the correct password (in our example cisco) and you're in. 

Passwords for network access 

It's often a good idea to create a network facing management interface for the 

devices in a network. If something is wrong, the administrator will be able to 

troubleshoot by examining multiple devices without having to leave desk. Without 

the ability to administrate the devices using the network, the administrator might 

have to travel for hours just to find out that the problem was not in the device that 

is currently being visited. 

The general interface for network management is not bound to any particular 

network protocol and is configured via a line configuration mode in the same way 

as the console port is. The line is named vty an it's a virtual terminal. There are 

several virtual terminals in most devices and they can be configured in groups. 

When configuring the console port, the port number '0' was given to indicate the 

console port being configured (since the device only has one console port the 

number has to be '0'). Routers have five (0 through 4) VTY lines by default and 

switches have 16 (0 through 4 and 5 thorough 15). It's possible to configure all or 

a subset. Let's configure line 0 through 3 and give them password 'class': 

Switch(config)#line vty 0 3 

Switch(config-line)#password class 

Switch(config-line)#login 

While it might be a good idea to give the login command, it should be the 

default for the VTY line – then again, it doesn't hurt to be on the safe side. Once 

6/9





the devices (in this case the switch) have an active network interface with a valid 

address, it's possible to make telnet connections to the devices using that address. 

Encrypting the passwords 

When configuring the 'enable' password, there was a choice to make it encrypted 

or unencrypted using the secret or password keyword before the password. The 

passwords for the console and VTY lines are always unencrypted. But it is 

possible to mask the passwords in the configuration file. If one looks at the default 

configuration file when a non configured devices is first started, this line can be 

found close to the top of the file: 

no service password-encryption 

By giving the command in global configuration mode without the no keyword, the 

password-encryption services is enabled and all unencrypted password in the 

'hidden', that is hashed into a HEX-value. The hash is cryptographically weak 

(really weak), but once again, some one ready over your shoulder might have a 

harder time remembering 121A0C041104 the the password used for the VTY line 

(all depending on the password policy or strength of the password). 

Configuring banners 

It is often recommended that users trying to connect to a device is 'greeted' by a 

banner, telling them that it's a private system, that only authorized personnel 

should access it and that any attempt to access the device will be logged. There 

are several banners available in Cisco IOS and while Cisco always promotes the 

message-of-the-day banner, this example shows how to configure a 'login banner': 

Router(config)#banner login * 

Enter TEXT message. End with the character '*' 

This is the text of the banner 

* 


The thing worth noting here is the star character '*'. That's the character used to 

tell the device that the banner is finished. Pick one that won't be used in the 

banner text by placing it after the banner and once the text is in place (just type it 

as you would in a text editor) end it by using the character again. The banner will 

now be displayed anytime someone tries to connect to the device: 

7/9





Trying 10.228.4.2 

Connected to 10.228.4.2. 

Escape character is '^]'. 

This is the text of the banner 

User Access Verification 

Password: 

Working with the configuration 

The configuration typed into the devices is applied and stored in RAM. Once the 

devices powers down or reloads, the configuration is lost. To view the 

configuration that is currently stored in RAM, use the following command: 

Router#show running-config 

Use 'space' to move 'a page' forward and use 'enter' to step one line at a time. If 

you want to quit before you make it to the end, type 'q'. 

It is possible to view sections of the configuration or to start reading from a given 

string. To only view the configuration for the interface FastEthernet 0/0: 

Router#show running-config interface FastEthernet 0/0 

To view all lines with the keyword ip, use: 

Router#show running-config | include ip 

To view the configuration, starting at the first interface (provided the 

configuration don't contain a line with the string 'interface' that is before the first 

interface configuration line) use: 

Router#show running-config | begin interface 

Saving the configuration 

The current 'running' configuration can be stored to NVRAM where the devices 

will find it and read it at reboot with the command: 

Switch#copy running-config startup-config 

To view the configuration that will be used on reboot, just create a show command 

in the same way as when viewing the 'running' configuration but use startupconfig 

instead of running-config. Use the copy keyword along with the 

question mark to find out other ways that the configuration can be stored or 

moved around. 

8/9





Removing the configuration 

Sometimes you want to remove the configuration. The configuration stored in 

NVRAM might be dated or the maybe the there's something wrong with the 

configuration and it need to be removed. The following command can be used to 

remove the configuration stored in NVRAM: 

Switch#erase startup-config 

Sometimes there is something wrong with parts of the current configuration, for 

example, an interface might have been misconfiguration with a lot of unwanted 

configuration. To negate that configuration use the default keyword to take the 

interface back to the default configuration: 

Router(config)#default interface FastEthernet 0/0 

Try it before you buy it 

Sometimes an administrator might find that new configuration is needed but it's 

not clear if the configuration will work or not. A nightmare is to be looked out of 

network devices physically located hours away, especially in the middle of the 

night where people are depending on the device to be functioning in the morning. 

Since the configurations is only stored in RAM and will disappear at reboot if not 

stored, this can be used to try new configuration with a potential lockout without 

having to travel to resolve the problem: 

Router#reload in 5 

Reload scheduled in 5 minutes by vty0 (192.168.230.56) 

Reload reason: Reload Command 

Proceed with reload? [confirm] 

Router# 

*** 

*** --- SHUTDOWN in 0:05:00 --- 

*** 

Router#reload cancel 

Router# 

*** 

*** --- SHUTDOWN ABORTED --- 

*** 

The first command tells the device to automatically reload in five minutes. Once 

the command has been applied and it's confirmed that everything is works as 

expected, the reload can be canceled and the configuration saved using the second 

command. Since the configuration wasn't saved, the reload would've remove it ... 

9/9

Cisco IOS basic configuration

Create successful ePaper yourself

Delete template?

Save as template?