Part 10 – Cisco CLI for Beginners

Cisco CLI for Beginners

Table Of Contents
  1. Cisco CLI for Beginners
  2. Resources

Introduction

Welcome to Part 10 of the Network Fundamentals study notes! If you haven’t already, we recommend watching the video first.

After several videos of theory, it’s time to get hands-on. All the theory in the world won’t help you if you can’t put it into practice. By the end of this part, you’ll be able to take a brand-new Cisco router or switch and apply a basic working configuration to it.

We’re starting with Cisco because they’re so common in the industry. Other vendors will feel different, but the underlying principles are the same — so what you learn here will transfer.

Device Hardware

Cisco routers and switches come in many sizes. Small SOHO devices often bundle routing, switching, and Wi-Fi into a single box. In a mid-size or large office, you’ll typically see separate dedicated routers and switches. Service providers use massive chassis-based devices with many modular slots.

When choosing a device, think about the number of ports needed, the required performance, and which features matter. Devices come with a base licence covering core features; additional licences unlock advanced capabilities.

Ports and Connectors

On a typical enterprise router you’ll find:

  • Data interfaces – the main ports for carrying network traffic, labelled with names like GigabitEthernet 0/0/1 (module 0, port 1). Additional interface modules can often be installed to expand capacity.
  • SFP ports – rectangular slots for transceiver modules, used with fiber or copper SFP cables.
  • Management port – a dedicated port for managing the device itself, kept separate from regular traffic. Useful when you have many devices — all their management ports can sit on one dedicated subnet.
  • USB ports – mainly used for firmware updates or copying logs.
  • Console ports – used to connect directly to the device for initial setup or emergency access. There are usually two: a mini-USB (newer) and an RJ45 (traditional). As long as you have physical access, you can always get in through the console port.
  • Auxiliary port – a legacy port, historically used with dial-up modems for remote access. Rarely seen in use today.
  • Power supplies – some devices have one, some have two. Dual power supplies allow connection to separate power sources (e.g. two UPS units or two generator feeds), which is common in data centres for redundancy.

Connecting via Console

A brand-new device has no IP address configured, so you can’t connect to it over the network yet. The first connection must be through the console port. There are two cable options:

  • USB console cable – connects directly from the router’s mini-USB console port to your laptop. Works out of the box on Windows 10; other operating systems may need a driver from Cisco.
  • Serial console cable – connects the router’s RJ45 console port to a serial port. Since most modern laptops don’t have serial ports, you’ll also need a USB-to-serial adapter (which may also need a driver). The serial cable is still worth having — some non-Cisco devices only support serial connections.

Terminal Emulators

To communicate with the router through the console connection, you need a terminal emulator — software that gives you a text-based interface to the device. A popular free option is PuTTY. Search for it, download it, and you’re ready.

When using a serial connection on Windows, you need to know which COM port your adapter is using. Check in Device Manager → Ports. Then open PuTTY, select “Serial” as the connection type, enter the COM port number, and click Open. Hit Enter a couple of times and you’re connected.

CLI Modes

When you first connect, you’ll see a prompt ending in > — this is User EXEC mode. It gives very limited access and doesn’t allow configuration changes.

Type enable (or en) and the prompt changes to # — this is Privileged EXEC mode, which gives full access to the device. On a new router, no password is required at this stage (which is a security gap we’ll address shortly).

Useful CLI Tips

  • Show commands – use these to read information from the device. Examples: show clock, show version, show ip interface brief. If output is too long to fit the screen, use Space (page by page), Enter (line by line), or Q to quit.
  • ? for help – press ? at any point to see available commands or options.
  • Tab completion – start typing a command and press Tab to auto-complete it.
  • Abbreviated commands – Cisco accepts shortened commands as long as they’re unambiguous (e.g. sh int brief instead of show interfaces brief). If too ambiguous, you’ll see an “Ambiguous command” error.
  • Up arrow – cycles back through recently used commands.

Configuration Mode

To make any configuration changes, type configure terminal (or conf t). The prompt changes to include (config)#, indicating you’re now in global configuration mode.

A handy trick: while in configuration mode, prefix any show command with do to run it without dropping back to privileged EXEC mode. For example: do show ip interface brief.

To exit configuration mode, type exit (goes back one level) or press Ctrl+Z (jumps straight back to privileged EXEC mode). You’ll see a log entry when you do — a reminder of why keeping the clock set correctly matters.

Turning Off Commands

To reverse or remove any command, simply put the word no in front of it. For example, no shutdown enables an interface that was shut down.

Basic Configuration

Hostname

Set the device’s name with the hostname command. The prompt updates immediately: hostname InternetRouter.

Configuring an Interface

Enter interface configuration mode with interface GigabitEthernet 0/1. The prompt changes to (config-if)#. Any commands here apply only to that interface. Useful commands:

  • description <text> – optional but highly recommended. Makes it easy to identify what each interface is for, especially on devices with many ports.
  • ip address <ip> <subnet-mask> – assigns an IP address to the interface.
  • no shutdown – enables the interface. Interfaces on Cisco routers are disabled (administratively down) by default.

Verify with show ip interface brief. The Status column shows whether the interface is up or down; Protocol shows whether it’s connected to another device. An interface that’s been unplugged will show down (not administratively down — you didn’t disable it, the cable is just missing).

Loopback Interfaces

You can also create virtual interfaces. A loopback interface is a common example: interface loopback 0. Loopbacks are always up (they don’t depend on a physical cable) and are useful for router identification, management, and testing. We’ll use them more throughout the series.

Authentication

By default, a new router lets anyone type enable with no password — a significant security hole. Here’s how to lock it down.

Enable Secret

Use enable secret <password> — not enable password. The difference matters: password uses weak (Type 7) encryption, which is trivially broken. secret uses strong (Type 5) encryption. You’ll see this clearly when you run show running-config — the secret is stored as a proper hash, while a regular password would be easily reversible.

User Accounts

Create individual accounts so you’re not sharing a single password. Use username <name> privilege 15 secret <password>. Privilege level 15 gives full access — equivalent to Administrator on Windows or root on Linux. Note that accounts are stored locally on each device, so you’ll need to add them on every router and switch. A centralised authentication server (covered in a later video) avoids this.

Remote Access via SSH

Once an interface is configured, you can connect to the router over the network — no console cable needed. Configure the VTY lines (virtual terminal lines) that remote sessions use:

  • Enter line vty 0 4 (routers have 5 VTY lines; switches have 16, so use 0 15)
  • transport input ssh — allow SSH connections only (not Telnet, which sends everything unencrypted)
  • login local — tells the device to check the local user accounts you created

SSH requires a bit of extra setup because it uses encryption. In global configuration mode:

  • ip domain-name <yourdomainname> — SSH needs a domain name to generate its key
  • crypto key generate rsa — generates the RSA encryption key. When prompted for key size, use 2048 bits (the default 512 is far too weak by modern standards)
  • ip ssh version 2 — explicitly enable SSH version 2 (more secure than version 1)

Banners

Banners display messages during login — often used for legal disclaimers. Two common types:

  • Login banner (banner login #...#) – shown before the username/password prompt. The # is a delimiter that marks the start and end of your message text.
  • MOTD banner (banner motd #...#) – “message of the day”, shown whenever anyone accesses the device, even if no login is required.

Saving the Configuration

There are two configs on a Cisco device:

  • Running config – the active configuration, stored in volatile RAM. Lost on reboot.
  • Startup config – saved to non-volatile flash memory. Loaded automatically on boot.

View the running config with show running-config (or sh run). To save your changes, copy the running config to the startup config:

copy running-config startup-config

This is often shortened to copy run start. An older command, write memory (or wr mem), does the same thing and you’ll still see people use it — but stick to copy run start for exams.

Building a Lab

The best way to learn is to practice. There are several options for building your own lab:

  • Physical hardware – buy secondhand routers and switches from eBay or similar. Great for hands-on cabling experience, but limited by what hardware you own, and routers can be loud and take up space.
  • Cisco Packet Tracer – free with a Cisco Networking Academy account. Limited functionality, but great for visualising how packets flow through a network. Good for CCNA level.
  • GNS3 – free software that runs real Cisco IOS images (which you’ll need to source separately). Very flexible and supports multiple vendors.
  • Cisco vIRL / CML – runs real Cisco software images bundled with the product. Cisco-only but very polished. Paid subscription (around USD $199/year).
  • EVE-NG – vendor-neutral, supports many platforms including Cisco. Free and paid tiers available.

Resources

Test your knowledge with the Introduction to Networking quizzes.