Vai al contenuto

Cisco IOS Ultimate Guide

Cisco IOS Ultimate Guide

ON THIS PAGE: Cisco IOS Ultimate Guide


Cisco IOS overview

IOS (Internetwork Operating System) is a multitasking operating system used on most Cisco routers and switches. IOS provides a command-line interface with the set number of multiple-word instructions. This operating system is used to configure routing, switching, internetworking and other services enabled by a Cisco equipment.

Previous generations of Cisco switches run CatOS, a legacy version of a CLI-based operating sytem.

Below you can see how IOS looks like when a Cisco device is launched for the first time, using a 3745 router as an example:

Cisco 3745 (R7000) processor (revision 2.0) with 249856K/12288K bytes of RAM.
Processor board ID FTX0945W0MY \sR7000 CPU at 350MHz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
5 FastEthernet interfaces
DRAM setup is 64 bits wide with parity enabled.
151K bytes of NVRAM.
Press RETURN to get started!

Accessing the IOS

There are three most popular methods to access the IOS:

  1. Console access – this form of access is generally used to setup freshly acquired devices. These devices normally don’t have an IP address set, and so can not be accessible over the network. Most of the Cisco equipment feature a physical console port. This port may be linked to a computer via a rollover connection, a specific form of cable having pins on one end reversed on the other end of the cable. The rollover cable is a serial cable, which means that you can’t simply connect it in an Ethernet port on your PC. You will require an adapter that transforms an interface on your computer (typically a 9-pin serial interface) into RJ-45.

Newer Cisco equipment frequently feature a USB console port, as serial connections are scarce on current PCs.

  1. Telnet access — this form of access used to be a widespread approach to access network devices. Telnet is a terminal emulation tool that allows you to access IOS across the network and configure the device remotely. The device that is being setup has to have a Telnet server installed and an IP address specified.

Telnet utilizes a widely known TCP port 23. One of the greatest downsides of this protocol is that it delivers all data as clear-text, which includes the passwords! This is the reason why this form of access is typically not utilized anymore. Instead, SSH is commonly used.

  1. SSH access – like Telnet, this access type allows you to configure devices remotely, but it provides an additional degree of protection by encrypting all interactions using public-key encryption. SSH utilizes widely known TCP port 22.

IOS modes

IOS has numerous distinct modes. There are three primary modes any several submodes. We shall cover the three major modes and one submode.

user EXEC mode — the default mode for the IOS CLI. This is the mode that a user is put in after accessing the IOS. Only basic commands (like ping or telnet) are allowed in this mode.
privileged EXEC Mode — this mode is accessible by entering the enable command from the user EXEC mode. This mode may be password restricted. In this mode a user may inspect and edit a device’s setup.
global configuration mode – this mode may be reached by entering the configure terminal command from the privileged EXEC mode. It is used to alter the device’s setup.

A global configuration mode may have several submodes. For example, when a user wishes to configure an interface, he will have to enter the interface submode by typing the interface INTERFACE TYPE INTERFACE NUMBER command (e.g. interface FastEthernet 0/1 ) from the global configuration mode. This submode may include several commands that are specialized for the interface.

We’ll discuss each of the modes stated above in greater depth in the coming courses.


Ports on an IOS device

Cisco uses the word interface to refer to physical ports on an IOS device. Interfaces may be setup with various parameters, depending on the type of the interface and whether you are configuring an interface on a router or a switch. Let’s look at the Cisco 1841 router as an example:

cisco 1841 back view Cisco IOS Ultimate Guide Cisco IOS
A Cisco 1841 back view in details.


  1. Slot 1 Network Card expansion slot – you may purchase and install an extra interface card of different sorts to fit in here.
  2. Kensington Security Slot – you may bodily secure the router with a wire here to assist prevent theft.
  3. Fast Ethernet port 0/1 with status indication LED.
  4. Console port – you may connect directly to the router’s administration command line interface here using your laptop and a console cable.
  5. Slot 0 Network Card expansion slot – extra slot for additional interface cards. Note the the numbering is from right to left.
  6. CompactFlash memory card slot — the IOS operating system image sits here.
  7. USB port — You may put in a USB drive here to transport files to and from the router.
  8. Fast Ethernet port 0/0 with status indication LED.
  9. Aux port — You may connect a vintage modem here for out of band (outside the typical network route) administration. Not often used in current networks.
  10. On/Off switch.
  11. Input power socket.

To display basic information about the device interfaces in IOS, use the show ip interface short command from the privileged exec mode. This is one of the most regularly used commands on Cisco devices:

Router#sh ip int brief \sInterface IP-Address OK? Method Status Protocol
Router#sh ip int brief
Interface              IP-Address       OK?        Method Status                  Protocol 
FastEthernet0/0     YES   manual administratively   down down 
FastEthernet0/1        unassigned      YES   unset  administratively   down down 
Vlan1                  unassigned       YES         unset  administratively   down down

In the report above we can see that this router has 2 physical interfaces – FastEthernet0/0 and FastEthernet0/1.

Consider the output for the Fa0/0 interface:

Router#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol 
FastEthernet0/0     YES manual administratively down down 

Here is a quick summary of each column:

  • Interface — indicates the type of the interface, in this instance Fast Ethernet 0/0. The first zero defines the physical slot on the router, whereas the second zero specifies the port number.
  • IP-Address – shows the interface’s IP address.
  • OK? – YES in this column shows that the IP address is presently valid.
  • Method – manual in this column implies that the interface has been manually configured. DHCP signifies that the interface has been setup via DHCP.
  • Status – up implies that the interface is administratively up.
  • Protocol – up indicates that the interface is working.

To setup a particular interface, use the interface TYPE SLOT/PORT command from the global config mode. This puts us in the interface submode, where we may specify several interface options:

Router(config)#interface f0/0

Router(config)#interface f0/0
Router(config-if)#speed 100

In the example above you can see that we’ve set the speed option for the interface Fast Ethernet 0/0.

By default, all ports on a Cisco switch are up and running as soon as you power-on the device. This implies that all you need is to connect your devices and the switch and you are set to go. This isn’t the case with Cisco routers, though. You need to manually activate each interface on a router using the no shutdown interface mode command:

Router(config)#int f0/0
Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Use the show ip interface short command to verify the device’s IP addresses and condition of its interfaces:

Router#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol 
FastEthernet0/0     YES manual up                    up 
FastEthernet0/1        unassigned      YES unset  administratively down down 
Vlan1                  unassigned      YES unset  administratively down down


Auxiliary Port on a Cisco router

Most Cisco routers feature an extra auxiliary (Aux) port as a backup async port. This port is widely used as a dial-up port for remote router control. It is linked to a modem and allows an administrator to make a phone call to connect to the router’s CLI.

The following illustration demonstrates how to connect a modem to an aux port on a router:

Connect Switch Router using Auxiliary Port Aux Port Cisco IOS Ultimate Guide Cisco IOS
Cisco router auxiliary port in details.

The network administrator uses a terminal emulation tool to connect to the router through the aux port. The setup of the aux port mirrors the the console port configuration:

Router(config)#line aux 0
Router(config-line)#password cisco

The code above allows password verification for people phoning into the router.


Cisco console rollover cable

A rollover cable is normally supplied with each Cisco equipment. This connection links a serial port on your computer to the console port of the device and it is used for the gadget’s initial setup. It is named rollover because the wires on one end are rolled at the other end – the wire at pin 1 connects to the pin 8 on the other side, the wire at pin 2 to the pin 7, etc.

The cable is of light blue hue with a DB-9 connection at one end and an RJ-45 connector at the other:

AE DB9F RJ45M 1.5M Cisco IOS Ultimate Guide Cisco IOS
Cisco rollover cable in details.

You attach the rollover cable to the serial port on your computer. On the Cisco device, there is a blue console port (typically labelled in blue) to which you attach the other end of the cable: After the cable is attached, you may access the device using the terminal emulation software (e.g. Putty or HyperTerminal) (e.g. Putty or HyperTerminal). You need to adjust the PC’s serial port to match the console port settings. Here are the defaults:

  • 9600 baud
  • no hardware flow control
  • 8 data bits
  • no parity bits
  • 1 stop bit
Newer Cisco equipment frequently feature a USB console port, as serial connections are scarce on current PCs.

READ: Using Python to script Cisco routers + how to connnect 60.000 Routers

Get assistance in IOS

You may use the question mark to see a list of commands available at the prompt you are in:

Exec commands:
  <1-99>      Session number to resume
  auto        Exec level Automation
  clear       Reset functions
  clock       Manage the system clock
  configure   Enter configuration mode
  connect     Open a terminal connection
  copy        Copy from one file to another
  debug       Debugging functions (see also 'undebug')
  delete      Delete a file
  dir         List files on a filesystem
  disable     Turn off privileged commands
  disconnect  Disconnect an existing network connection
  enable      Turn on privileged commands
  erase       Erase a filesystem
  exit        Exit from the EXEC
  logout      Exit from the EXEC
  mkdir       Create new directory
  more        Display the contents of a file
  no          Disable debugging informations
  ping        Send echo messages
  reload      Halt and perform a cold restart

If the output covers more than one page, hit the spacebar to show the next page of commands, or press Enter to go one command at a time. To quit the output, hit q.

To show just instructions that start with a certain character or a string of characters, input the letters and then hit the question mark:


debug  delete  

In the screenshot above you can see that we’ve presented all commands that start with de.

If the command is more than one word long, you may use the question mark to show the following command in a string:

Router#debug ?
  aaa           AAA Authentication, Authorization and Accounting
  custom-queue  Custom output queueing
  eigrp         EIGRP Protocol information
  frame-relay   Frame Relay
  ip            IP information
  ipv6          IPv6 information
  ntp           NTP information
  ppp           PPP (Point to Point Protocol) information
  standby       Hot Standby Router Protocol (HSRP)

Router#debug eigrp ?
  fsm      EIGRP Dual Finite State Machine events/actions
  packets  EIGRP packets

In the screenshot above you can see that we’ve listed all instructions that may follow the command debug. We then presented all instructions that may follow the commands debug eigrp.

You may also autocomplete a command. Just input the first few letters and click Tab. If there is just a single match, IOS will perform the command.

You don’t have to enter a whole word to finish a command. Only may input just the initial letter or a couple of characters, and if there is just a single match, IOS will comprehend what are you attempting to do. For example, you may use sh ip int b instead of the lengthier version, display ip interface brief:

Router#sh ip int b
Interface              IP-Address      OK? Method Status                Protocol 
GigabitEthernet0/0     unassigned      YES NVRAM  administratively down down 
GigabitEthernet0/1     unassigned      YES NVRAM  administratively down down 
GigabitEthernet0/2     YES manual up                    down 
Vlan1                  unassigned      YES NVRAM  administratively down down

Note that we were able to execute the command above since each group of characters had just one match in the list of instructions. If we’ve entered sh ip in b instead, IOS would not have recognized our intention:

Router#sh ip in b
% Ambiguous command: "sh ip in b"

The percent Ambiguous command: “show ip in b” message was shown because the third term, in, has more than one interpretation (inspect or interface) (inspect or interface).


IOS command modes

We’ve already learned that IOS has three main command modes: the user exec, privileged exec, and the global configuration modes. Each of these modes serves a different purpose and has its own set of commands. In this lesson we will describe each of this modes in more detail.

User EXEC mode commands

Initially, a user logs into the User Exec mode. This is the mode with the least number of commands. You can get a list of all available commands by typing the character ?.

user exec mode commands

As you can see, most of the commands available are used to show statistics and perform some basic troubleshooting. The prompt on the left side of the screen always displays the device hostname (R1 in this case), followed by the character >.

All commands can be abbreviated to their first letters of the command name. For example, you can abbreviate ping by typing pin, because no other command in the User EXEC mode IOS mode begins with these letters.

Privileged EXEC mode commands

This IOS mode is also called enable mode because you must enter the enable command from a user EXEC mode if you want to access this mode. You can use more commands in the privileged EXEC mode than you were able to use in the user EXEC mode. You can save a device configuration or reload a device in this mode. You can also enter a third mode, the configuration mode. The access to the privileged EXEC mode is usually protected with a password.

The prompt for this mode shows # after the device hostname.

privileged exec mode commands

Global configuration mode commands

To change a device configuration, you need to enter the global configuration mode. This mode can be accessed by typing configure terminal (or conf t, the abbreviated version of the command) from the enable mode. The prompt for this mode is hostname(config).

Global configuration mode commands are used to configure a device. You can set a hostname, configure authentication, set an IP address for an interface, etc. From this mode you can also access submodes, for example the interface mode, from where you can configure interface options.

You can get back to a privileged EXEC mode by typing the end command. You can also type CTRL + C to exit the configuration mode.

global configuration mode commands

Submode commands

A global configuration mode contains many submodes. For example, if you want to configure an interface you have to enter that interface configuration mode. Each submode contains only commands that pertain to the resource that is being configured.

To enter the interface configuration mode you need to specify which interface you would like to configure. This is done by using the interface INTERFACE_TYPE/INTERFACE_NUMBER global configuration command, where INTERFACE_TYPE represents the type of an interface (Ethernet, FastEthernet, Serial…) and INTERFACE_NUMBER represents the interface number, since CIsco devices usually have more than one physical interface. Once inside the interface configuration mode, you can get a list of available commands by typing the “?” character. Each submode has its own prompt. Notice how the command prompt was changed to Router(config-if) after I’ve entered the interface submode:

READ: Using Python to script Cisco routers + how to connnect 60.000 Routers

Run privileged commands inside global config mode

Beginning with the IOS 12.3, the privileged-exec mode commands (such as show running-configuration, show interface status, etc.) may be performed inside the global configuration mode and its submodes. This enables you to run privileged-exec mode commands without having to depart the current configuration mode. Here is an example that demonstrates the utility of this feature:

Router(config)#int g0/0
Router(config-if)#show interface g0/0
% Invalid input detected at '^' marker.

In the sample above you can see that we’re now in the interface submode. We wish to retrieve further information about the interface using the display interface Fa0/1 command, but we received an error since the command is not accessible in this mode. However, if we put the do keyword in front of the command, the command will succeed:

Router(config-if)#do show interface g0/0
GigabitEthernet0/0 is administratively down, line protocol is down (disabled)
  Hardware is CN Gigabit Ethernet, address is 0030.a3ab.1601 (bia 0030.a3ab.1601)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00, 
  Last input 00:00:08, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 watchdog, 1017 multicast, 0 pause input
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns

The command was now run because of the do keyword. Notice that we’re still in the interface submode and we may proceed with the interface configuration.


Pipe character in IOS

IOS enables the use of the pipe character (expressed with the | character) to filter the output of the show and more commands. The pipe function takes the output of the command and delivers it to another function, such as begin or include. This manner, you may filter the output to discover the portion of the output that interests you. Here are a few examples:

R1#show running-config | begin interface
interface FastEthernet0/0
 ip address
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
interface FastEthernet2/0
 no ip address
 duplex auto
 speed auto

In the screenshot above you can see that we’ve typed the show running-config | begin interface command (we might have reduced it to show run | b int). This command begins the output from the first occurrence of the term interface.

Another example, this time using include:

R1#show run | include password
no service password-encryption
enable password cisco
 password cisco
 password cisco

As you can see from the sample above, the include function shows just lines that contain the word password. The include function is beneficial in certain instances but may sometimes be misleading since it simply includes precise matching instructions with no context surrounding them, like in this example with password cisco printed twice in the result.

To show just the portion of the output concerning a given characteristic, use the segment function:

R1#show run | section vty
line vty 0 4
 password cisco
line vty 5 15
 password cisco

You can see in the example above that the command displays just the vty part of the running configuration. The section function is not available for all portions of the configuration, but may be quite beneficial for example to display all the settings for a specific routing protocol:

R1#sh run | sec ospf \s ip ospf cost 100 \srouter ospf 1 \s log-adjacency-changes \s passive-interface

R1#sh run | sec ospf
 ip ospf cost 100
router ospf 1
 passive-interface FastEthernet0/0
 network area 0

Running & startup configuration

CIsco devices store instructions in two configuration files:

  • startup configuration
  • running configuration

Immediately after you write a command in the global configuration mode, it will be saved in the ongoing configuration. A running configuration sits in a device’s RAM, thus if a device loses power, all specified instructions will be lost.

To prevent this problem, you need to replicate your existing settings into the starting configuration. A starting configuration is kept in the nonvolatile memory of a device, which implies that all configuration changes are retained even if the device loses power.

To replicate your running configuration into the startup configuration you need to use the command copy running-configuration startup-configuration.

6 2 Cisco IOS Ultimate Guide Cisco IOS