Chapter 4: Using the Command-Line Interface

Chapter 4: Using the Command-Line Interface
Chapter 4 · Introduction

Using the Command-Line Interface

Master the Cisco IOS CLI — the primary interface for configuring, monitoring, and troubleshooting Cisco switches and routers.

Why it matters

The CLI is the network engineer’s most powerful tool. Unlike GUI tools that change or vary between versions, the CLI remains consistent and universal across Cisco devices. Understanding the CLI deeply means you can walk up to any Cisco switch or router in the world and begin working immediately — no familiarization needed.

Every Cisco Catalyst switch and router runs Cisco IOS (Internetwork Operating System). While some devices offer web-based or GUI management tools, the command-line interface remains the universal constant — it works the same way whether you’re configuring a small office switch or a massive enterprise router.

In this chapter, you’ll learn:

  • Three methods to access a Cisco device’s CLI
  • The hierarchy of CLI modes and how to navigate between them
  • How to secure CLI access with passwords
  • IOS help features that make you more efficient
  • The critical difference between running-config and startup-config

Real-world context: When a network is down and you need to fix it fast, you don’t have time to hunt through menus. The CLI gives you direct, immediate control. That’s why the CCNA exam tests CLI knowledge extensively — employers need engineers who can work efficiently under pressure.

Section 4.1 · CLI Access Methods

Accessing the Cisco Catalyst Switch CLI

Before you can configure anything, you need to connect to the device’s command-line interface.

Why it matters

Understanding access methods is crucial for both initial setup and ongoing management. You can’t configure SSH until you first connect via console. You can’t troubleshoot remotely if the network is down and you don’t know how to use the console port. Each method serves a specific purpose in the network lifecycle.

Three Methods to Access the CLI

Console Access

The physical management port — used for initial setup and recovery

The console port is a physical RJ-45 or USB port on the switch. It provides out-of-band access, meaning it works even when the network is down or misconfigured. This is your lifeline when remote access fails.

Telnet Access

Remote access over the network — unencrypted, rarely used today

Telnet sends all data (including passwords) in clear text. While it works for remote access, it’s a security risk and has been largely replaced by SSH. You should know it exists, but avoid using it in production.

SSH Access

Secure remote access — encrypted, the industry standard

SSH (Secure Shell) encrypts all traffic between you and the device. This is how you remotely manage switches and routers in production environments. SSH requires initial configuration via console before it can be used.

Cabling a Console Connection

The console port is your physical entry point to a new switch. Before you can use Telnet or SSH, you must configure the device through the console port — this creates a chicken-and-egg situation that every network engineer encounters.

Port Type Cable Required Computer End Notes
RJ-45 Console Rollover cable + DB-9 adapter Serial (DB-9) or USB-to-Serial Traditional method, still common
Mini-USB Console USB-A to Mini-USB cable USB port Found on many newer switches
USB Type-C Console USB-C to USB-C or USB-A to USB-C USB port Newest standard, simplest setup

Pro tip: Always carry a USB-to-serial adapter and a rollover cable in your toolkit. When a remote switch needs emergency configuration and the network is down, console access is your only option. Modern laptops without serial ports require these adapters.

Default Console Port Settings

When you connect to the console port, your terminal emulator must match these settings exactly — otherwise you’ll see garbled output or nothing at all.

Baud rate: 9600 bits per second Data bits: 8 Parity: None Stop bits: 1 Flow control: None

These settings have been the Cisco standard for decades. Memorize them: 9600-8-N-1. Most terminal emulators (PuTTY, Tera Term, macOS Screen, Linux minicom) default to these settings, but always verify when troubleshooting connection issues.

Section 4.2 · CLI Modes

CLI Modes: The Security Hierarchy

Cisco IOS uses a layered security model with distinct modes for different privilege levels.

Why it matters

The mode-based security model exists for one reason: accident prevention and access control. Not everyone who needs to check switch status should be able to reconfigure the entire network. By separating read-only access (User mode) from privileged access (Enable mode) and configuration access (Global Config mode), Cisco lets administrators grant appropriate permissions based on job role.

The Three Primary Modes

Mode Prompt What You Can Do Purpose
User EXEC Mode Switch> View basic status, ping, traceroute Read-only monitoring for operators
Privileged (Enable) Mode Switch# View all configs, debug, save files, reload Full visibility for senior engineers
Global Configuration Switch(config)# Change any switch setting Making configuration changes

Navigating Between Modes

The command prompt tells you exactly where you are. That last character — >, #, or (config)# — is your location beacon. Learn to read it instantly.

! Start at user mode after connecting Switch> <— The ">" means User EXEC mode Switch> enable Switch# <— The "#" means Enable (Privileged) mode Switch# configure terminal Switch(config)# <— "(config)#" means Global Configuration mode Switch(config)# exit Switch# <— exit moves up one level Switch# configure terminal Switch(config)# end Switch# <— end jumps directly back to enable mode Switch# disable Switch> <— disable moves down to user mode ! Ctrl+Z does the same thing as "end" – returns to enable mode Switch(config)# [Press Ctrl+Z] Switch#

enable

Move from User mode → Enable mode

If an enable password is set, IOS prompts you to enter it. Without the correct password, you stay stuck in user mode — this is the first line of defense against unauthorized configuration changes.

disable

Move from Enable mode → User mode

Use this when you’re done with privileged operations and want to return to a safer, read-only state. Some organizations require engineers to disable back to user mode when stepping away from the terminal.

configure terminal

Move from Enable mode → Global Configuration mode

Shortened to conf t in practice. This is your gateway to changing the device’s behavior. Everything from hostname to VLANs to routing protocols happens within or below this mode.

exit

Move up one level in the mode hierarchy

In configuration submodes, exit returns you to global config. In global config, exit returns you to enable mode. Think of it as “go back one step.”

end or Ctrl+Z

Return directly to Enable mode from any config mode

No matter how deep you are in submodes (interface, line, etc.), end or Ctrl+Z immediately pops you back to enable mode. It’s the emergency exit button for configuration contexts.

Memory aid: The prompt symbols tell the story: > points forward (you want to move up), # is “number one” (top level before config), and (config) means you’re in the construction zone where changes happen.

Section 4.3 · Access Security

Password Security Basics

Prevent unauthorized access by securing the console and privileged modes.

Why it matters

Unsecured network equipment is an open door. Anyone with physical access to a switch and a rollover cable can take control of your network if you haven’t set passwords. Console passwords prevent casual access; enable passwords protect privileged commands. These are your first and most important security configurations.

Setting a Console Password

The console password protects physical access. When someone connects to the console port, IOS will prompt for this password before granting even user mode access.

! Enter global configuration mode first Switch# configure terminal ! Enter line configuration mode for console 0 ! (There’s only one console port, so it’s always "line console 0") Switch(config)# line console 0 ! Tell IOS to require a password on this line Switch(config-line)# login ! Set the actual password Switch(config-line)# password cisco ! Exit back to global config, then save Switch(config-line)# exit Switch(config)# exit Switch# copy running-config startup-config
Command Why It’s Needed
line console 0 Changes context to line configuration mode for the console port. The 0 is required because IOS numbers its lines starting at zero.
login Tells IOS to prompt for a password when someone connects. Without this command, the password exists but is never requested!
password cisco Defines the password text. Replace “cisco” with your actual secure password.

Critical: The login command is easy to forget but absolutely essential. If you set a password but forget login, IOS stores the password but never asks for it — leaving the console completely unprotected. Always verify your security settings with show running-config.

Setting an Enable Password

Console passwords protect the front door. Enable passwords protect the crown jewels. There are two ways to set enable passwords:

! Method 1: enable password (stored in plain text – NOT RECOMMENDED) Switch(config)# enable password cisco ! Method 2: enable secret (encrypted – ALWAYS USE THIS) Switch(config)# enable secret cisco

Always use enable secret instead of enable password. The secret command uses strong MD5 hashing to protect the password in the configuration file. The password command stores it in plain text — visible to anyone who can view the configuration.

Section 4.4 · CLI Assistance

CLI Help Features

Work faster and avoid typos with IOS built-in assistance tools.

Why it matters

No one memorizes every IOS command and parameter. The best network engineers aren’t those with photographic memories — they’re the ones who know how to use the help system efficiently. The ? key and Tab completion save time and prevent configuration errors caused by typos.

The Question Mark (?)

The ? is your lifeline. IOS provides context-sensitive help that changes based on where you are and what you’ve already typed.

? alone

List all commands available in current mode

Type ? at any prompt to see every command you can use from your current position. The list is filtered — you’ll only see commands valid for your current mode.

command ?

Show parameters and options for a specific command

Type a command followed by a space and ? to see what arguments that command accepts. For example: show ? or interface ?

partial?

List commands starting with those letters

Type the beginning of a command followed immediately by ? (no space) to see all commands that start with those characters. Example: sh? shows show, shutdown, etc.
Switch> ? ! Lists all commands available in User EXEC mode Switch# show ? ! Lists all possible show commands Switch(config)# interface ? ! Lists available interface types: FastEthernet, GigabitEthernet, Vlan, etc. Switch(config)# ip ? ! Lists all commands starting with "ip"

Tab Completion

Press the Tab key to auto-complete command names. This speeds up typing and eliminates spelling errors.

Switch# conf[Press Tab] Switch# configure Switch(config)# int fa0/1[Press Tab – if unique] Switch(config)# interface FastEthernet0/1 ! If Tab doesn’t complete, type more characters to make it unique

Command Syntax Help

IOS uses specific notation in help text to indicate required and optional parameters:

Notation Meaning Example
bold text Type exactly as shown show running-config
<angle brackets> Replace with your value hostname <name>
[square brackets] Optional parameter show running-config [all]
{choice|choice} Required choice between options copy {running-config|startup-config}
Section 4.5 · Configuration Contexts

Configuration Submodes and Contexts

Navigate to specific configuration areas using context-setting commands.

Why it matters

Global configuration mode would be overwhelming if every command was available at once. By organizing commands into submodes (interface configuration, line configuration, router configuration), IOS presents only the commands relevant to what you’re working on. This contextual organization prevents errors and makes the CLI more manageable.

Common Configuration Submodes

Submode Command to Enter Prompt Purpose
Interface Config interface FastEthernet 0/1 Switch(config-if)# Configure switch ports
Line Config line console 0 Switch(config-line)# Configure access lines
VLAN Config vlan 10 Switch(config-vlan)# Configure VLANs

Understanding Context Commands

When you enter a submode command, you’re not just changing locations — you’re setting the context for all subsequent commands. Every command you type in interface mode applies to that specific interface until you leave the mode.

! Enter global configuration Switch# configure terminal ! Set context to interface FastEthernet 0/1 ! All following commands apply to this interface only Switch(config)# interface FastEthernet 0/1 Switch(config-if)# description Link to Server-A Switch(config-if)# speed 100 Switch(config-if)# duplex full Switch(config-if)# no shutdown ! Move to a different interface – context changes Switch(config-if)# interface FastEthernet 0/2 Switch(config-if)# description Link to Server-B Switch(config-if)# exit ! Back in global config – commands apply to the switch as a whole Switch(config)# hostname Core-Switch-01

Hostname Command

The hostname command demonstrates context well. It’s a global command that changes the device’s identity, and that identity appears in every prompt.

Switch(config)# hostname Building-A-Switch Building-A-Switch(config)# ! The prompt immediately reflects the new hostname ! This helps you identify which device you’re configuring ! when managing multiple switches

Best practice: Always set meaningful hostnames. When you have 50 switches and a configuration session times out, “Building-A-Floor-2-Switch#” tells you exactly where you are. “Switch#” tells you nothing.

Section 4.6 · File Management

Storing and Managing Configuration Files

The critical distinction between running-config and startup-config — and why it matters for your career.

Why it matters (Pay attention!)

This is where new network engineers get burned. You configure a switch perfectly, pat yourself on the back, and go home. The next day, the power blinks and your configuration is gone. Why? You saved it to RAM (running-config) but not to NVRAM (startup-config). When the switch rebooted, it loaded the old startup-config. This distinction isn’t trivia — it’s the difference between a working network and a 3 AM emergency call.

Two Configuration Files, Two Locations

running-config

The active configuration in RAM — changes take effect immediately

Located in volatile RAM. This is what the switch is using RIGHT NOW. All your configuration commands modify this file. When you type commands, they go here first. But: RAM is erased when power is lost. If you don’t save, you lose everything.

startup-config

The boot configuration in NVRAM — survives power loss

Located in non-volatile NVRAM (flash memory). This is what the switch loads when it boots. Think of it as the “save game” file. Changes here don’t take effect until the next reload. The startup-config persists through power cycles.

The Configuration Workflow

Understanding the relationship between these files is fundamental:

  1. Switch boots → loads startup-config from NVRAM into RAM
  2. You make changes → IOS modifies running-config in RAM
  3. Changes take effect immediately because running-config is active
  4. You save → copy running-config to startup-config in NVRAM
  5. Power loss → RAM clears, but NVRAM keeps startup-config
  6. Next boot → startup-config loads again
! View the currently active configuration Switch# show running-config ! View the saved startup configuration Switch# show startup-config ! Save running-config to startup-config ! This is the MOST IMPORTANT COMMAND after making changes Switch# copy running-config startup-config Destination filename [startup-config]? [Press Enter] Building configuration… [OK] ! Shortcut: "write memory" or "wr" (older but commonly used) Switch# write memory ! Erase the startup-config (factory reset preparation) Switch# write erase ! or Switch# erase startup-config ! or Switch# erase nvram: ! Load startup-config into running-config (merge configurations) Switch# copy startup-config running-config

Career-saving habit: After every configuration change that works, type copy running-config startup-config. Make it muscle memory. The five seconds it takes to save will save you hours of reconfiguration after an unexpected reboot.

Reload: Rebooting the Switch

The reload command reboots the switch. This is necessary after some configuration changes, but it interrupts network connectivity.

Switch# reload System will be restarted. Continue? [confirm] [Press Enter] ! Or cancel with Ctrl+C if you change your mind

Pro tip: Before reloading a production switch, always save your config and consider the impact. A reload drops all traffic through that switch. In a redundant network, this is fine — traffic reroutes. In a single-homed network, you’ve just caused an outage.

Interactive Lab · CLI Simulator

Cisco IOS Terminal Simulator

Practice commands in a realistic terminal environment. Try: enable, configure terminal, hostname, show running-config, copy running-config startup-config

Cisco IOS Simulator
Cisco Internetwork Operating System Software
IOS ™ C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE11
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sat 19-Aug-17 08:57 by prod_rel_team
Press RETURN to get started!
Switch>

Quick Command Reference

Click to expand list of supported commands

Mode Navigation: enable, disable, configure terminal, exit, end

Show Commands: show running-config, show startup-config, show version

Configuration: hostname, line console 0, login, password, interface FastEthernet 0/1

File Operations: copy running-config startup-config, copy startup-config running-config, write erase

System: reload, quit, ?
Interactive Lab · Mode Navigator

CLI Mode Navigation Diagram

Click each mode to see how to enter and exit. Understand the hierarchy.

Level 1
User EXEC
Switch>
↓ type enable
Level 2
Privileged
Switch#
↓ type configure terminal
Level 3
Global Config
Switch(config)#
↓ type submode commands
Submode
Interface
(config-if)#
Submode
Line
(config-line)#
Submode
VLAN
(config-vlan)#

Click any mode above to see entry and exit commands

The CLI uses a hierarchical security model. Each level builds on the previous one. You cannot skip levels — to reach interface configuration, you must pass through user mode, enable mode, and global configuration.

Practice · Flashcards

Command Flashcards

Click the card to flip. Test yourself both ways — command to purpose, and purpose to command.

Command
enable
Click to flip →
Purpose
Move from User EXEC mode to Privileged (Enable) mode
← Click to flip back
Card 1 of 12Command → Purpose
Assessment · Do I Know This Already?

Chapter 4 Quiz

Test your understanding of CLI modes, configuration files, and basic commands.

Reference · Command Tables

Command Reference Review

Self-quiz mode: Hide commands or purposes to test your recall. Click cells to reveal.

Study Tip

The CCNA exam tests command knowledge extensively. Don’t just read these tables — actively test yourself. Cover the Purpose column and see if you can describe what each command does. Then cover the Command column and see if you can recall the exact syntax.

Table 4-8: Configuration Commands

These commands run in configuration mode (global or submode) to change the device’s settings.

Command Mode and Purpose
line console 0 Global command that changes the context to console configuration mode.
login Line (console and vty) config mode. Tells IOS to prompt for a password (no username).
password <pass-value> Line (console and vty) config mode. Sets the password required on that line when the login command is also configured.
interface <type> <port> Global command that changes the context to interface mode — e.g., interface FastEthernet 0/1.
hostname <name> Global command that sets the switch’s hostname, also used as the first part of the command prompt.
exit Moves back to the next higher mode in configuration mode.
end Exits configuration mode and returns to enable mode from any configuration submode.
Ctrl+Z Not a typed command — key combination that does the same thing as the end command.
Track your progress: 0/8 correct

Table 4-9: EXEC Command Reference

These commands run in EXEC mode (user or enable mode) to manage, inspect, or control the device.

Command Purpose
no debug all / undebug all Enable mode. Disables all currently enabled debug outputs.
reload Enable mode. Reboots the switch or router.
copy running-config startup-config Enable mode. Saves the active config to startup-config, which is loaded on next boot.
copy startup-config running-config Enable mode. Merges startup-config into the currently active running-config in RAM.
show running-config Lists the contents of the active running-config file.
write erase / erase startup-config / erase nvram: Enable mode. Erases the startup-config file entirely.
quit Disconnects the user from the CLI session.
show startup-config Lists the contents of the startup-config file (the one loaded at boot).
enable Moves the user from user mode to enable (privileged) mode; prompts for password if one is set.
disable Moves the user from enable mode back to user mode.
configure terminal Enable mode. Moves the user into global configuration mode.
Track your progress: 0/11 correct