Navigating the Cisco IOS – CCNA Course

Navigating the Cisco IOS

By now, you have a new-found love and respect for your Cisco equipment after knowing all the work that occurs when you turn on your router or switch.

What better way to prove that love and respect but by mastering the IOS that the Cisco devices have so painstakingly found and loaded for your administration and configuration pleasure? This article looks at the hierarchical levels of the IOS and what type of interactivity you can encounter at each level.


At your company, you may have level 1 technicians who are not strong in Cisco fundamentals, thus, you want to ensure only that they have access to basic troubleshooting and statistics without worrying that they might change the configuration or cause some other network catastrophe. Because a multitude of administrators might need to gain access to these Cisco devices, it makes sense to ensure that the first level of IOS hierarchy they encounter is somewhat limited in the extent of what can be done. This is the nature of User EXEC.

In User EXEC, you are limited in the number and type of commands that are available to you. For instance, the majority of show commands are available at this level of the IOS hierarchy because they do not detrimentally affect the router or the switch to perform these commands.

In addition, you can test IP connectivity to other devices with ping as well as remotely administer other devices or troubleshoot all the way to Layer 7 with Telnet. The Cisco IOS prompt for User EXEC is signified by the greater than sign (>) following the hostname of the Cisco device. For example, a cisco router and switch with their default hostnames would look like Router> and Switch>, respectively. The following figure displays the commands that you have available at User EXEC.

Exec commands:
access-enable      create a temporary access-list entery
access-profile     apply user-profile to interface
call               voice call
clear              reset functions
connect            open a terminal connection
crypto             encryption related commands
disable            turn off privileged commands
disconnect         disconnect an existing network conection
enable             turn on privileged commands
exit               exit from EXEC
help               description of teh interactive help system
lock               lock the terminal
login              log in as a particular user
logout             exit from the EXEC
modemui            start a modem-like user interface
mrinfo             request neighbor and version information from a multicast 
mstat              show statistics after multiple multicast traceroutes
mtrace             trace reverse multicast path from a destination to source
name-connection    name an existing network connection
pad                open a X.29 PAD connection
ping               send exho messages
ppp                start IETF point-to-point protocol (PPP)
release            release a resource
renew              renew a resource
resume             resume an active network connection
rlogin             open an rlogin connection
set                set system parameter (not config)
show               show running system information
slip               start serial-line IP (SLIP)
ssh                open a secure shell client connection
systat             display information about terminal lines
tclquit            quit tool command language shell
telnet             open a telnet connection
terminal           set a terminal line parameters
traceroute         trace route to destination
tunnel             open a tunnel connection
udptn              open an udptn connection
where              list active connection
x28                become an X.28 PAD
x3                 set X.3 parameters on PAD

Privileged EXEC

Assuming you need to acquire more functionality from your Cisco devices beyond basic troubleshooting and statistical displays, you have to have anther layer of the Cisco IOS hierarchy in which you have access to all commands. Happily named, Privileged EXEC is the next level of the IOS, in which you have the same commands as you do in User EXEC, as well as some commands that can alter the Cisco device’s functionality.

For example, in Privileged EXEC, you can perform debug commands that can show you hundreds of real-time routing and switching functions and report them to the console. Because this can cause quite a processing strain on the device, these commands are reserved for only those who can access Privileged EXEC. Additionally, some show commands such as show startup-config and show running-config can be seen only by those who should be able (privileged) to see the configuration of the devices (including passwords). Some other new and dangerous commands available in Privileged EXEC include delete, clear, erase, configure, copy, and reload (reboots the device), to name a few.

To gain access to Privileged EXEC, type the command enable from User EXEC. After you press Enter, the prompt changes from > to #, signifying that you are now in Privileged EXEC mode. Because anybody can read this section and learn how to get to these commands, it makes sense to have some way for the IOS to prompt for a password to authorize those who truly should be granted access. In the future article, we’ll discuss how to apply these passwords to restrict who gains access from User EXEC to Privileged EXEC. To return back to User EXEC, the reverse command is disabled.

Global configuration

One of the commands that you can access through Privileged EXEC is configured. This means that we have to enter yet another level of the Cisco IOS to make any configuration changes to the Cisco device. By typing the configure terminal command, you are telling the Cisco IOS that you are going to configure the Cisco device via your terminal window. The new level you enter after you complete this command is called Global Configuration.

You can recognize it by looking at the command prompt, which will reflect Router (config)# for routers and switch (config)# for Switches.

The following figure displays a partial output of just some of the commands that are available in Global Configuration. Note that the commands delete, debug, clear, configure, and copy do not show up in the list of commands. You have a different set of commands available to you at this level of the IOS versus Privileged and User EXEC. This means that you must exit Global Configuration to use these commands as well as the show, reload, and other Privileged EXEC specific commands.

Of equal note, after you enter a command in the IOS, it is immediately applied to running-config and applied to the device’s operation. The configurations are not listed and then applied later like batch files or executed compiled programs. Configuration help is shown in the following figure.

Router#configure terminal	
Enter configuration commands. One per line. End with CNTL/Z	
Configure commands:	
Aaa	            Authentication, authorization and accounting
Aal2-profile	    Configure AAL2 profile
Access-list	    Add an access list entry
Alias	            Create command alias
Appfw	            Configure the application firewall policy
Application	    Define application
Archive	            Archive the configuration
Arp	            Set a static ARP entry
Async-bootp	    Modify system bootp parameters
Backhaul-session-manager Configure backhaul session manager
Banner	            Define a login banner
Bba-group	    Configure BBA group
Boot	            Modify system boot parameters
Bridge	            Adjust system buffer pool parameters
Busy-message	    Display message when connection to host fails
Call                Configure call parameters
Call-history-mib    Define call history mib parameters
Call-manager-fallback	SRST for cisco call manager manager fallback. For call manager        express configuration use the telephony-service command
Carrier-id	    Name of the carrier associated with this trunk group
ccm-manager	    Call manager
Cdp	            Global CDP configuration subcommands
Chat-script	    Define a modem chat script
Class-map	    Configure QOS class map
Clns	            Global CLNS configuration subcommands
Clock	            Configure time-of-day clock
Cns	            CNS agents
Config-register	    Define the configuration register
Configuration	    Configuration access
Connect	            Cross-connect two interfaces
Control-plane	    Configure control plane services
Crypto     	    Encryption module
Default	            Set a command to its defaults
Default-value	    Default character bits values
Define	            Interface range macro definition
Dial-control-mib    Define dial control mib parameters
Dial-peer	    Dial map(peer) configuration commands

As the name states, any configuration that is applied in this level applies globally to the Cisco router or switch. Here we can perform configuration tasks such as changing the hostname of the router or switch, creating a login banner, creating a password to prompt users trying to gain access to Privileged EXEC and many others. It is also at this level of the Cisco IOS hierarchy that you can enter several different sub-configuration modes to apply specific configurations for things such as interfaces, routing protocols, and EXEC lines.

Interface Configuration

Directly from Global Configuration, you can configure interface-specific commands that apply only to interfaces specified in the configuration. Now you can enable the interfaces, assign IP addresses, set speeds, and configure other interface commands. Once again, the commands that are available at this sub-configuration level of the IOS are not applicable at Global Configuration or Privileged EXEC and User EXEC.

To configure an interface, you must specify the interface you want to configure. If the device has fixed (non-modular) interfaces, you simply specify the type of interface followed by the interface number (and remember Cisco routers start their numbering schema with 0). For example, the 1600 series router has a fixed Ethernet interface that cannot be removed from the router. To configure that interface, you type interface Ethernet 0 from Global Configuration. Most devices today utilize the modular configuration in which you have to specify the module number as well as the interface number because these devices can change functionality depending on the type of module inserted into them. For example, to configure the second WAN serial interface on the first module on a 2800 series router, you would input interface serial 0/1 where 0 is the module number (the first module starts with 0) and 1 is the interface. The prompt in Interface Configuration Mode is displayed as Router(config-if)#, regardless of the interface type. This means you must keep track of what interface you are configuring because the prompt does not specify the type.

Line Configuration

Also accessed from Global Configuration, line configuration are specific to those EXEC lines through which a user can gain access to the Cisco device. Specifically, you can configure options such as logins and passwords for a user trying to gain User EXEC access to the console and auxiliary ports, as well as the 5 vty (virtual teletype) Telnet lines into a router or switch. From Global Configuration, you must utilize the keyword, line, followed by the EXEC line you want to configure. For example, to configure console-specific commands, you would type line console 0 from Global Configuration. The prompt changes to Router (config-line)#, regardless of the line you are configuring.

Context-Sensitive Help

Even though the Cisco IOS is a command-line interface, it is not without its help features to help you through your navigation of the IOS. Specifically, to see what commands are available at any level of the IOS, you can use the help feature of the IOS, the question mark. By typing ? (no Enter keystroke necessary) at any level of the IOS, you get a listing of all the commands available and a brief description of the command.

Quite often, the list of available commands may extend beyond one terminal screen. This is apparent because the string More is displayed at the bottom of the list on the screen. To see the next page of listed commands, you can press the space bar and the command list scrolls another terminal screen’s length. If you prefer to see the commands line by line, you can keep hitting the Enter key and it displays only the next command each time you press it. On the chance that you have found the command you were looking for in the list, you can hit any key (pause for inevitable “where’s any key?” joke) to get back to the command prompt.

In some instances, you may not recall the command that you are looking for, but you do remember the first letter of the command. Let’s say, for example, the command is in  Global configuration and starts with the letter l. you could use the question mark and scroll through all the commands; however, the IOS enables you to see the commands starting with l if you type the letter followed immediately by the question mark (no space in between), as demonstrated below. Similarly, if you remembered that the command started with lcg, you can type those characters, followed immediately by the question mark, to see the commands logging and login string.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
12tp-class lane li-view line
Logging  login login-string

Keep in mind that many commands in the IOS require a string of keywords to comprehend what you are trying to achieve with the command. For instance, if I was searching for the command logging and hit the enter key, the IOS would report back an error to the terminal screen that the command was incomplete because it does not understand where I want to send my logging information. If you are unsure of the commands available, once again, you use the question mark for command help. In this case, you must put a space after the first keyword followed by the question mark. The IOS then displays a list of commands that are valid after the keyword logging, as displayed here:

Router(config)#logging ?
Hostname or A.B.C.D IP address of the logging host buffered set buffered logging parameters buginf logging for debugging cns-
Events	        set CNS event logging level
Console	        set console logging parameters
Count	        count every log message and timestamp last occurrence
Exception	limit size of exception flush output
Facility	facility parameter for syslog messages filter specify logging filter
History	        Configure syslog history table
Host	        Set syslog server IP address and parameters monitor set terminal line (monitor) logging parameters on Enable logging to all enabled destinations origin-id Add origin ID to syslog messages
Queue-limit	Set logger message queue size
Rate-limit	Set messages per second limit
Reload	        Set reload logging level
Server-arp	Enable sending ARP requests for syslog servers when first configured
Source-interface Specify interface for source address in logging transactions
Trap	        Set syslog server logging level
Userinfo	Enable logging of user info on privileged mode enabling


To make things easy for administration, the Cisco IOS enables you to abbreviate commands as long as you type enough characters for the IOS to interpret the command that you want to input. For instance, the previous example involved trying to locate the command that started with l in Global Configuration. Because there were several commands that started with l, you would need to type in more characters to find the logging command. Specifically, you would need to type log, which is just enough characters for the IOS to understand that you want to use the logging command. If you want the IOS to complete typing the command for you, you can hit the Tab key and it auto-completes the command when you provide enough characters.

Shortcut Keys

To make terminal editing simpler and faster, Cisco has created several shortcut keystrokes that can speed up IOS navigation. The most useful of these shortcuts enable you to cycle through your command history to re-use or edit previously typed commands. You can use both the up and down arrows keys or Ctrl+N and Ctrl+P (if arrow keys are not supported at your terminal) to cycle through the last 10 commands in the history buffer relative to the level of the IOS you are currently located. The following table lists some other useful terminal editing keystrokes that will help you navigate within a command line.

Keystrokes Function
Ctrl+A Move the cursor to the beginning  of the command line
Ctrl+E Move the cursor to the end of the command line
Ctrl+B Move the cursor back one character
Ctrl+F Move the cursor forward one character
Esc+B Move the cursor back one word
Esc+F Move the cursor forward one word

The terminal editing keys discussed so far are very useful for moving within a particular level of the IOS. However, you need to know how to navigate back from those different levels of the Cisco IOS. Namely, if you need to go back one level of the IOS, simply type the command exit. For instance, if you are in the Interface Configuration mode of the IOS and you need to go back to Global Configuration, just type exit, and your prompt display should change from

Router(config-if)# to Router(config)#

Suppose you are back in the interface configuration and you need to ping or traceroute to your neighbor or do a show command to verify that the interface is working. Recall that this variety of commands can be performed only in Privileged EXEC or User EXEC. To return to these levels of the IOS hierarchy, you can type exit until you are all the way back. You can also use the keystroke Ctrl+Z or the keyword end, which will automatically take you back to Privileged EXEC, regardless of how deep in the configuration levels you happen to be.

Router(config-if)# to Router(config)#

Common Syntax Errors

As mentioned before, the IOS reports back error messages if you have not provided the correct syntax for a command. The three syntax error messages that you may encounter are as follows:

  1. Ambiguous Command: This error is displayed when you have not typed enough characters for the IOS to distinguish which command you want to use. In other words, several commands start with those same characters, so you must type more letters of the command for the IOS to recognize your particular command.
  2. Incomplete Command: This IOS has recognized your keyword syntax with this error message; however, you need to add more keywords to tell the IOS what you want to do with this command.
  3. Invalid Input: Also known as the “Fat finger” error, this console error message is displayed when you mistype a command. The IOS displays a caret mark (^) at the point up to which the IOS could understand your command.

Below is an example for each of these three error console messages. Also, notice that this configuration snapshot now includes abbreviations to get into Privileged EXEC and Global Configuration.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#r% Ambiguous command: “r”
% Incomplete command.
Router (config)# router rip
% Invalid input detected at ‘^’ marker.

Step by Step

  1. Go into Privileged EXEC by typing enable or en (or any abbreviation you feel comfortable with).
  2. Enter Global Configuration by typing configure terminal or configt.
  3. Enter the Line Configuration mode for the console by typing line console 0 or line con 0.
  4. Look at the list of commands available by using ?
  5. Press the space bar to cycle page by page or Enter to cycle line by line.
  6. Return back to Global Configuration by typing exit.
  7. Enter the interface Configuration for serial 0/0 by typing interface serial 0/0 or int ser 0/0.
  8. Exit back to Privileged EXEC by typing Ctrl+Z or end.

Use the output below as a loose reference of what the output might look like.

! Step 1
! Step 2
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.o
! Step 3
Router(config)#line con 0
! Step 4

Line Configuration Commands

Absolute-timeout	Set absolute timeout for line disconnection
Access-class	        Filter connections based on an IP access
Activation-character	Define the activation character
Auto command	        Automatically execute an EXEC command`
Auto command-options	Auto command options
Auto hangup	        Automatically hangup when last connection closes
Auto select	        Set line to auto select
! Step 5
Buffer-length	Set DMA buffer length
***output removed for Brevity
! Step 6
! Step 7
Router(config)#int ser 0/0
! Step 8
*Sep 26 23:40:41.019: %SYS-5-CONFIG_I:Configured from console by console

Also, Read our other CCNA course topics,