Cisco Command Line Interface (CLI) is the main interface where we will interact with Cisco IOS devices. CLI is accessible directly via console cable or remotely via methods such as Telnet/SSH. From here, we can do things such as monitoring device status or changing configuration. Cisco has divided its CLI into several different modes. Understanding Cisco IOS Command Line Modes is essential because each mode has its own set of commands.
Understanding Cisco IOS Command Line Modes
Cisco has at least 3 main command line modes: user EXEC mode, privileged EXEC mode, and global configuration mode. Of course there are other more specific modes such as interface configuration mode, extended ACL configuration mode, routing/VLAN configuration mode, etc. This flowchart below will show the position of each node against the other modes.
In this article we are just going to deeply examine into the 3 main command line modes.
User EXEC mode
By default this is where we begin the session with our Cisco IOS devices (unless a specific privilege level has been granted to our user account).
The characteristics of user EXEC mode are:
- Indicated by a right angle bracket sign (“>”) next to the device hostname.
- Contains commands that we can use to test device/network configuration such as ping and traceroute.
- A limited set of commands that are not changing the device configuration such as the show and clear command are available.
- We can connect to other device from user EXEC mode by using telnet or ssh
- To protect user EXEC mode we can create username and password combination on the device.
- Issuing exit command here will disconnect the session.
Privileged EXEC mode
Basically, privileged EXEC mode contains the complete command of what we got in user EXEC mode. In this mode, we still cannot do any configuration changes. However, the configuration mode can only be accessed from privileged EXEC mode. Privileged EXEC mode is activated after we use command enable on user EXEC mode.
Below are the characteristics of privileged EXEC mode:
- Indicated by a hash sign (“#”) next to the device hostname
- All commands that are available on user EXEC mode are available in here too
- More complete set of commands under show and clear command are available here. For example, in user EXEC mode there is no show running-config under the show command, but in privileged EXEC mode it is exist.
- Unless the user account that we used has specific privilege level assigned to it, by default it will get the highest privilege level which is level 15.
- Privileged EXEC mode can be protected using an enable password.
- Issuing disable command here will bring us back to the user EXEC mode.
- Issuing exit command here will disconnect the session.
Global configuration mode
This is where the real configurations are done. We can enter global configuration mode from privileged EXEC mode by using command configure terminal. From here we can do changes on the global device configuration such as hostname, domain-name, creating user accounts, etc; or we can enter more specific configuration within global configuration mode and make changes such as IP address interface, access-list, DHCP, policy, etc.
Some characteristics of global configuration mode are:
- Indicated by device hostname prompt, followed by a word “config” inside a bracket and then hash sign (“#”).
- All commands from EXEC mode can be used here by adding a word do before the command that we want to execute, for example if we want to use show running-config in global configuration mode we have to type it as do show running-config.
- Despite that we can change configuration within global configuration mode, if we want to save the configuration we have to do it by exiting back to privileged EXEC mode and issue command write memory or copy running-config startup-startup configfrom there (however, these two commands can also be used from within global configuration mode by adding a do prefix to the command, as explained in the previous point).
- Global configuration mode can be protected by assigning a custom privilege level to the user account then set allowed commands and block the rest, thus limiting the configuration capability.
- Issuing exit here will bring us back to the privileged EXEC mode.