Cisco IOS Modes – User, Privileged, Config & Interface

1. Why IOS Has Multiple Modes

Cisco IOS (Internetwork Operating System) uses a hierarchical mode structure to protect the device from accidental or unauthorised changes. Every command in IOS is only available at a specific mode level — you cannot run a configuration command from user mode, and you cannot run a detailed debug command until you have reached privileged EXEC mode. This design enforces a clear separation between viewing state (lower modes) and changing state (higher modes).

Understanding which mode you are in — identified by the prompt on screen — is the first skill every Cisco engineer must master. An incorrect command at the wrong mode simply returns an error; understanding why that error occurs and how to reach the correct mode quickly is fundamental to working efficiently at the CLI.

Mode	Prompt	Purpose	Access Restricted?
User EXEC	`Router>`	Basic monitoring; limited show commands; no configuration	Password optional (line password or AAA)
Privileged EXEC	`Router#`	Full show commands; debug; copy; reload; entry point to config modes	Yes — enable password or enable secret
Global Configuration	`Router(config)#`	Device-wide configuration: hostname, routing, ACLs, AAA	Requires Privileged EXEC first
Interface Configuration	`Router(config-if)#`	Configure a specific interface: IP address, description, speed	Entered from Global Config
Line Configuration	`Router(config-line)#`	Configure console, VTY, and auxiliary lines: passwords, timeouts	Entered from Global Config
Router / Protocol Config	`Router(config-router)#`	Configure routing process: OSPF, EIGRP, BGP, RIP networks	Entered from Global Config
Sub-Interface Config	`Router(config-subif)#`	Configure logical sub-interfaces (GRE, Router-on-a-Stick)	Entered from Global Config
VLAN Config	`Switch(config-vlan)#`	Configure VLAN parameters: name, state (on switches)	Entered from Global Config

2. IOS Mode Navigation Map

  IOS MODE HIERARCHY — Routers and Switches

  [Power on / Console / SSH login]
          │
          ▼
  ┌───────────────────────────────────────────────────┐
  │  USER EXEC MODE                                   │
  │  Prompt: Router>  or  Switch>                     │
  │  Commands: ping, traceroute, show version,        │
  │            telnet, disconnect, enable             │
  └───────────────────────────┬───────────────────────┘
                              │ enable  (+ password if set)
                              │
                              ▼
  ┌───────────────────────────────────────────────────┐
  │  PRIVILEGED EXEC MODE                             │
  │  Prompt: Router#  or  Switch#                     │
  │  Commands: ALL show commands, debug, copy,        │
  │            reload, write, configure terminal      │
  └───────────────────────────┬───────────────────────┘
               ┌──────────────┘
               │ configure terminal  (conf t)
               │
               ▼
  ┌─────────────────────────────────────────────────────────────────────┐
  │  GLOBAL CONFIGURATION MODE                                         │
  │  Prompt: Router(config)#                                           │
  │  Commands: hostname, ip route, access-list, aaa, ntp, logging     │
  └──┬──────────────────────────────────────────────────────────────┬──┘
     │                                                              │
     │ interface Gi0/0          line vty 0 15    router ospf 1     │
     │                          line con 0       router eigrp 100  │
     ▼                          ▼                ▼                  │
  ┌──────────────────┐  ┌──────────────────┐  ┌──────────────┐     │
  │INTERFACE CONFIG  │  │LINE CONFIG       │  │ROUTER CONFIG │     │
  │Router(config-if)#│  │Router(config-    │  │Router(config-│     │
  │                  │  │line)#            │  │router)#      │     │
  └──────────────────┘  └──────────────────┘  └──────────────┘     │
                                                                     │ vlan 10
                                                                     ▼
                                                             ┌───────────────┐
                                                             │VLAN CONFIG    │
                                                             │Switch(config- │
                                                             │vlan)#         │
                                                             └───────────────┘

  NAVIGATION COMMANDS — memorise these:
  ┌──────────────────────────────────────────────────────────────────┐
  │  enable           — User EXEC  → Privileged EXEC                │
  │  configure terminal (conf t) — Priv EXEC → Global Config        │
  │  interface  — Global Config → Interface Config            │
  │  line       — Global Config → Line Config                 │
  │  router    — Global Config → Router Config               │
  │  exit             — Back one level (any sub-mode → parent)      │
  │  end  or  Ctrl+Z  — ANY mode → Privileged EXEC (instant escape) │
  │  disable          — Privileged EXEC → User EXEC                 │
  └──────────────────────────────────────────────────────────────────┘

3. User EXEC Mode

User EXEC mode is the entry-level access mode. It is the first mode a user reaches after logging in via the console port, an SSH session, or a Telnet connection. The prompt ends with a greater-than sign (>). User EXEC mode is intentionally restricted — it provides enough visibility to confirm basic device state but prevents any changes or detailed inspection.

  Router>
  Switch>

3.1 Commands Available in User EXEC Mode

Command	Purpose
`enable`	Enter Privileged EXEC mode (prompts for enable password if configured)
`ping <ip>`	Send ICMP echo requests to test basic reachability
`traceroute <ip>`	Trace the Layer 3 path to a destination
`show version`	Display IOS version, uptime, hardware model, and memory
`show ip interface brief`	Quick summary of all interfaces and their IP/status (read-only)
`telnet <ip>`	Open a Telnet session to another device
`ssh -l <user> <ip>`	Open an SSH session to another device
`disconnect`	Terminate an active SSH/Telnet session
`logout` / `exit`	Log out from the current session and return to the login prompt
`?`	List all commands available in the current mode (context-sensitive help)

Note: Many detailed show commands (such as show running-config, show ip route, and show interfaces) are not available in User EXEC mode. They require Privileged EXEC. If a show command is refused with % Invalid input detected, move to Privileged EXEC first with enable.

4. Privileged EXEC Mode

Privileged EXEC mode is the full-access operational mode. The prompt ends with a hash / pound sign (#). From here, an engineer can run any show command, execute debug, manage files, save or reload the configuration, and enter Global Configuration mode to make changes. This mode is protected by an enable password or, more securely, an enable secret (which uses MD5 hashing).

  Router#
  Switch#

  Entering Privileged EXEC:
  Router> enable
  Password: ****           ← Enable secret/password entered here (not echoed)
  Router#

  Returning to User EXEC:
  Router# disable
  Router>

4.1 Key Commands in Privileged EXEC Mode

Category	Example Commands	Purpose
Show / Verify	`show running-config` `show startup-config` `show ip route` `show interfaces` `show version` `show ip ospf neighbor`	Display all current configuration and device state; most `show` commands require Privileged EXEC
Debug	`debug ip ospf events` `debug ip icmp` `undebug all`	Enable real-time event tracing; produces verbose output; always disable with `undebug all` after use
File / Config Management	`copy running-config startup-config` `copy running-config tftp` `write memory` (or `wr`) `erase startup-config`	Save running configuration to NVRAM; back up to TFTP; erase the saved config
Reload / Reset	`reload` `boot system`	Restart the device; specify alternate boot image
Enter Config Mode	`configure terminal` (or `conf t`)	Transition to Global Configuration mode to make changes
Clock / Time	`clock set 09:14:22 14 March 2025`	Manually set the hardware clock (normally done by NTP)
Terminal	`terminal length 0` `terminal monitor`	Disable paging (prevent --More-- prompts); enable syslog in VTY session

enable secret vs enable password: Always use

enable secret
              <password>

— it stores the password as an MD5 hash in the config. enable password stores the password in plain text (or weak Type 7 encryption with service password-encryption). If both are configured, enable secret always takes precedence.

5. Global Configuration Mode

Global Configuration mode is the top-level configuration mode — commands entered here affect the entire device. The prompt is Router(config)#. This mode is entered from Privileged EXEC with configure terminal (abbreviated conf t).

  Router# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Router(config)#

5.1 Key Global Configuration Commands

Command	Purpose
`hostname <name>`	Set the device hostname — immediately changes the CLI prompt
`enable secret <password>`	Set the privileged EXEC password (MD5-hashed)
`service password-encryption`	Apply weak Type 7 encryption to all plain-text passwords in config
`ip route <dest> <mask> <next-hop>`	Add a static route to the routing table
`ip domain-name <name>`	Set the domain name — required for generating RSA keys for SSH
`crypto key generate rsa modulus 2048`	Generate RSA key pair to enable SSH
`username <name> privilege <lvl> secret <pass>`	Create a local user account with a specific privilege level
`aaa new-model`	Enable the AAA security framework
`no ip domain-lookup`	Disable DNS lookup — prevents the router from trying to resolve mistyped commands as hostnames (a lab essential)
`banner motd # message #`	Set the Message-of-the-Day banner displayed at login
`ip access-list standard <name>`	Create/enter a named standard ACL
`logging host <ip>`	Configure remote syslog server
`ntp server <ip>`	Configure NTP server for time synchronisation

6. Interface Configuration Mode

Interface Configuration mode is entered from Global Config by specifying the interface type and number. The prompt changes to Router(config-if)#. All commands entered here apply only to the selected interface — changing to a different interface requires a new interface command.

  ! Enter interface config mode:
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)#

  ! Shorthand accepted:
  Router(config)# interface gi0/0        ← abbreviated
  Router(config)# interface gi 0/0       ← with space
  Router(config)# interface g0/0         ← minimal abbreviation

6.1 Key Interface Configuration Commands

Command	Purpose
`ip address <ip> <mask>`	Assign an IPv4 address to the interface
`ipv6 address <addr>/<prefix>`	Assign an IPv6 address to the interface
`no shutdown`	Enable the interface (interfaces are administratively down by default on routers)
`shutdown`	Administratively disable the interface
`description <text>`	Add a human-readable label to the interface (for documentation)
`speed <10\|100\|1000\|auto>`	Set the interface speed (default auto)
`duplex <half\|full\|auto>`	Set the duplex mode (default auto)
`switchport mode access`	Set switch port as an access port (Layer 2, one VLAN)
`switchport access vlan <id>`	Assign the access port to a specific VLAN
`switchport mode trunk`	Set switch port as a trunk port (carries multiple VLANs)
`ip helper-address <ip>`	Configure DHCP relay — forward broadcasts to a remote DHCP server
`ip access-group <name> <in\|out>`	Apply an ACL to the interface in the specified direction
`spanning-tree portfast`	Enable PortFast on an access port (skip STP listening/learning)

6.2 Moving Between Interfaces

  ! Move directly from one interface to another (no need to exit first):
  Router(config-if)# interface GigabitEthernet0/1
  Router(config-if)#         ← Now in Gi0/1 context

  ! Return to Global Config:
  Router(config-if)# exit
  Router(config)#

  ! Jump directly to Privileged EXEC from any config sub-mode:
  Router(config-if)# end
  Router#
  ! OR use Ctrl+Z — same effect as 'end'

7. Line Configuration Mode

Line Configuration mode is used to configure the management access lines of the device — the console port, VTY (virtual terminal) lines for SSH/Telnet, and the auxiliary port. The prompt is Router(config-line)#.

  ! Console line (physical console port):
  Router(config)# line console 0
  Router(config-line)#

  ! VTY lines for SSH / Telnet (0-4 allows 5 simultaneous sessions):
  Router(config)# line vty 0 4
  Router(config-line)#

  ! All VTY lines (0-15 allows 16 simultaneous sessions):
  Router(config)# line vty 0 15
  Router(config-line)#

  ! Auxiliary port (serial modem access):
  Router(config)# line aux 0
  Router(config-line)#

7.1 Key Line Configuration Commands

Command	Purpose
`password <password>`	Set the line password (used with `login`, not `login local`)
`login`	Require the line password for access; used with the `password` command
`login local`	Require a local username/password from the device's user database (requires `username` commands in global config)
`transport input ssh`	Allow only SSH connections on VTY lines (disables Telnet)
`transport input telnet ssh`	Allow both Telnet and SSH (not recommended for production)
`transport input none`	Block all remote access to VTY lines
`exec-timeout <min> <sec>`	Set the idle session timeout — `exec-timeout 5 0` disconnects after 5 minutes of inactivity
`exec-timeout 0 0`	Disable idle timeout — session never disconnects (lab use only)
`logging synchronous`	Prevent syslog messages from interrupting command typing by re-displaying the current input after a log message
`access-class <acl> in`	Apply an ACL to restrict which source IPs can connect to VTY lines

8. Router / Routing Process Configuration Mode

Router Configuration mode (also called Routing Process mode) is entered to configure dynamic routing protocols — OSPF, EIGRP, BGP, RIP, and others. The prompt is Router(config-router)#. Commands here apply to the specific routing process started with the router command.

  ! Enter OSPF routing process (process ID 1):
  Router(config)# router ospf 1
  Router(config-router)#

  ! Enter EIGRP routing process (AS 100):
  Router(config)# router eigrp 100
  Router(config-router)#

  ! Enter BGP (AS 65001):
  Router(config)# router bgp 65001
  Router(config-router)#

  ! Enter RIPv2:
  Router(config)# router rip
  Router(config-router)# version 2

8.1 Common Router Process Commands

Protocol	Key Commands in (config-router)#
OSPF	`network <ip> <wildcard> area <n>`, `router-id <ip>`, `passive-interface <intf>`, `default-information originate`
EIGRP	`network <ip> <wildcard>`, `no auto-summary`, `passive-interface <intf>`, `eigrp router-id <ip>`
BGP	`neighbor <ip> remote-as <n>`, `network <ip> mask <mask>`, `bgp router-id <ip>`
RIP	`version 2`, `network <classful-ip>`, `no auto-summary`, `passive-interface <intf>`

9. Other Configuration Sub-Modes

9.1 Sub-Interface Configuration Mode

  ! Create and enter a logical sub-interface (used for ROAS, GRE):
  Router(config)# interface GigabitEthernet0/0.10
  Router(config-subif)#

  ! Key sub-interface commands:
  Router(config-subif)# encapsulation dot1q 10       ! Tag for VLAN 10
  Router(config-subif)# ip address 192.168.10.1 255.255.255.0
  Router(config-subif)# description Sales-VLAN-Gateway

9.2 VLAN Configuration Mode (Switches)

  ! Create and name a VLAN:
  Switch(config)# vlan 10
  Switch(config-vlan)# name Sales
  Switch(config-vlan)# state active   ! or 'suspend'
  Switch(config-vlan)# exit

  ! Create multiple VLANs quickly:
  Switch(config)# vlan 10
  Switch(config-vlan)# name Sales
  Switch(config)# vlan 20
  Switch(config-vlan)# name Finance
  Switch(config)# vlan 30
  Switch(config-vlan)# name Engineering

9.3 Named ACL Configuration Mode

  ! Create/enter a named extended ACL:
  Router(config)# ip access-list extended BLOCK-HTTP
  Router(config-ext-nacl)# deny tcp any any eq 80
  Router(config-ext-nacl)# permit ip any any
  Router(config-ext-nacl)# exit

  ! Named standard ACL:
  Router(config)# ip access-list standard MGMT-ACCESS
  Router(config-std-nacl)# permit 10.0.0.0 0.0.0.255
  Router(config-std-nacl)# deny any

10. Complete Navigation Example – Router Configuration

The following is a complete walkthrough showing all mode transitions during a typical initial router setup, demonstrating how to navigate the IOS mode hierarchy efficiently.

  ! ═══════════════════════════════════════════════════════════════════
  !  Starting from User EXEC after console login
  ! ═══════════════════════════════════════════════════════════════════
  Router>
  Router> enable
  Password: (enable secret entered)
  Router#

  ! ── Enter Global Config ──────────────────────────────────────────
  Router# configure terminal
  Router(config)#

  ! ── Set hostname ─────────────────────────────────────────────────
  Router(config)# hostname HQ-Router
  HQ-Router(config)#                ← Prompt changes immediately

  ! ── Set enable secret ────────────────────────────────────────────
  HQ-Router(config)# enable secret Str0ngEnableP@ss
  HQ-Router(config)# service password-encryption

  ! ── Disable DNS lookup ───────────────────────────────────────────
  HQ-Router(config)# no ip domain-lookup

  ! ── Configure interface ──────────────────────────────────────────
  HQ-Router(config)# interface GigabitEthernet0/0
  HQ-Router(config-if)# description Link-to-ISP
  HQ-Router(config-if)# ip address 203.0.113.1 255.255.255.252
  HQ-Router(config-if)# no shutdown
  HQ-Router(config-if)#

  ! ── Move directly to another interface ───────────────────────────
  HQ-Router(config-if)# interface GigabitEthernet0/1
  HQ-Router(config-if)# description LAN-Interface
  HQ-Router(config-if)# ip address 192.168.1.1 255.255.255.0
  HQ-Router(config-if)# no shutdown

  ! ── Return to Global Config ──────────────────────────────────────
  HQ-Router(config-if)# exit
  HQ-Router(config)#

  ! ── Configure VTY lines for SSH only ─────────────────────────────
  HQ-Router(config)# line vty 0 15
  HQ-Router(config-line)# login local
  HQ-Router(config-line)# transport input ssh
  HQ-Router(config-line)# exec-timeout 10 0
  HQ-Router(config-line)# logging synchronous

  ! ── Jump back to Privileged EXEC from any sub-mode ───────────────
  HQ-Router(config-line)# end
  HQ-Router#

  ! ── Save the configuration ───────────────────────────────────────
  HQ-Router# copy running-config startup-config
  Destination filename [startup-config]?
  Building configuration...
  [OK]
  HQ-Router#

11. Useful IOS CLI Tips

Tip	How It Works	Example
Command abbreviation	Any command can be shortened to the minimum unique prefix — IOS auto-completes if the abbreviation is unambiguous	`conf t` = `configure terminal` `sh ip int br` = `show ip interface brief`
Context-sensitive help (?)	Typing `?` alone lists all valid commands; typing a partial command then `?` lists completions	`sh?` — lists all commands starting with "sh" `show ip ?` — lists all sub-options after "show ip"
Tab completion	Press Tab to auto-complete a partially typed command	`conf<Tab>` → `configure`
Command history	Up/down arrow keys cycle through previously entered commands; `show history` lists recent commands	↑ arrow recalls the last command for re-entry or editing
Ctrl+Z / end	Instantly exit from any configuration sub-mode back to Privileged EXEC — faster than multiple `exit` commands	From `(config-if)#` → press Ctrl+Z → `#`
no command	Prepend `no` to any command to negate (remove) it	`no ip address` removes the IP address `no shutdown` enables an interface `no logging console` disables console logging
terminal length 0	Disables the `--More--` pagination prompt — all output scrolls continuously; useful for copying configs	`Router# terminal length 0`
do command	Run a Privileged EXEC command from inside a configuration sub-mode without exiting — very useful for verifying while configuring	`HQ-Router(config-if)# do show ip interface brief`

12. Common Mode Mistakes and How to Avoid Them

Mistake	What Happens	Fix
Trying to run `show running-config` from User EXEC	`% Invalid input detected at '^' marker` — the command is not available at this mode level	Type `enable` first to enter Privileged EXEC
Typing configuration commands in Privileged EXEC (without `conf t`)	`% Invalid input detected` — config commands are only available in configuration modes	Enter `configure terminal` first, then retype the command
Forgetting `no shutdown` on a newly configured interface	Interface stays administratively down even though it has an IP; routing protocols will not form adjacencies	While in `(config-if)#`, type `no shutdown`
Mistyping a hostname that IOS tries to DNS-resolve	Router freezes for 30–60 seconds while trying to resolve the typo as a DNS name (e.g., `Router# shwo ip route`)	Press Ctrl+C to abort; then configure `no ip domain-lookup` in Global Config to prevent this
Changes lost after reboot	Running configuration changes exist only in RAM and are lost when the device restarts	Always save: `copy running-config startup-config` or `write memory`
Using `enable password` instead of `enable secret`	Password is stored in plain text (or weak reversible Type 7 cipher) in the running config — visible in `show running-config`	Always use `enable secret` — stored as a one-way MD5 hash

13. Key Terms Quick Reference

Term	Definition
User EXEC Mode	Entry-level IOS mode (prompt `Router>`); limited read-only commands; no configuration capability; entered on login
Privileged EXEC Mode	Full operational mode (prompt `Router#`); all show/debug/file commands; gateway to configuration modes; requires enable secret
Global Configuration Mode	Device-wide configuration mode (prompt `Router(config)#`); entered with `configure terminal`; hostname, routes, AAA, banners configured here
Interface Configuration Mode	Single-interface configuration mode (prompt `Router(config-if)#`); entered with `interface <type> <number>`; IP addresses, shutdown, description
Line Configuration Mode	Management line configuration mode (prompt `Router(config-line)#`); entered with `line console 0` or `line vty 0 15`; passwords, transport, timeouts
Router Configuration Mode	Routing process mode (prompt `Router(config-router)#`); entered with `router ospf`, `router eigrp`, etc.; routing protocol parameters
enable	Command typed in User EXEC to enter Privileged EXEC mode; prompts for the enable secret if one is configured
configure terminal	Command typed in Privileged EXEC to enter Global Configuration mode; abbreviated `conf t`
exit	Moves back one mode level (from any sub-mode to its parent)
end / Ctrl+Z	Exits from any configuration mode directly back to Privileged EXEC in one step, regardless of nesting depth
enable secret	Cisco IOS global config command that sets the Privileged EXEC password stored as an MD5 hash; always preferred over `enable password`
do	A prefix that allows Privileged EXEC commands (show, copy) to be run from inside any configuration sub-mode without exiting
no command	Prepending `no` to any IOS configuration command negates or removes that configuration
Running Configuration	The currently active configuration stored in RAM; immediately reflects all changes; lost on reboot unless saved to startup-config
Startup Configuration	The configuration stored in NVRAM; loaded into RAM on boot; updated with `copy running-config startup-config`

14. Cisco IOS Modes – Practice Quiz

1. A technician logs into a Cisco router and sees the prompt `Router>`. They try to run `show running-config` but receive `% Invalid input detected`. What is the reason and the correct fix?

A. The router has no running configuration yet — it needs to be initialised with configure terminal B. The technician is in User EXEC mode — show running-config is only available in Privileged EXEC mode; type enable first to reach the Router# prompt C. The command is misspelled — the correct command is show run-config D. The router needs to be rebooted before the running config is accessible

Correct answer is B. The Router> prompt indicates User EXEC mode. Many detailed show commands — including show running-config, show ip route, show interfaces, and show ip ospf neighbor — are restricted to Privileged EXEC mode. The fix is simply to type enable; if an enable secret is configured the device will prompt for it. After entering the correct password, the prompt changes to Router# and all show commands become available.

2. What is the key difference between `exit` and `end` when used inside a configuration sub-mode such as `Router(config-if)#`?

A. exit saves the configuration; end discards unsaved changes B. Both commands do exactly the same thing — they return to Privileged EXEC mode C. exit moves back one level to the parent mode (interface → global config); end (or Ctrl+Z) exits all configuration modes in one step and returns directly to Privileged EXEC D. exit works only in Global Config; end works only in sub-interface modes

Correct answer is C. This is one of the most important navigation distinctions for the CCNA exam and daily IOS use. exit is a single-step backward navigation command — from (config-if)# it returns to (config)#; from (config)# it returns to # (Privileged EXEC). end (and its keyboard shortcut Ctrl+Z) is a direct escape to Privileged EXEC from any configuration mode, regardless of how deeply nested you are. When you need to quickly run a show command to verify your work and then come back to configure more, end or Ctrl+Z is the fastest path.

3. An engineer is in `Router(config-router)#` mode and needs to run `show ip ospf neighbor` without exiting configuration mode. Which command achieves this?

A. do show ip ospf neighbor — the do prefix allows Privileged EXEC commands to be run from any configuration sub-mode B. exec show ip ospf neighbor C. show ip ospf neighbor — show commands work in all modes D. run show ip ospf neighbor

Correct answer is A. The do keyword is a powerful IOS feature that allows any Privileged EXEC command to be executed from within any configuration mode. Without do, show commands are not available in (config-router)# or any other config sub-mode. Using do show ip ospf neighbor runs the show command and returns you to (config-router)# without disrupting your configuration session. This is extremely useful when verifying the effect of configuration changes as you make them.

4. What is the correct sequence to configure an IP address on interface GigabitEthernet0/1 from a fresh router prompt?

A. Router> ip address 10.0.0.1 255.255.255.0 B. Router> enable, then Router# ip address 10.0.0.1 255.255.255.0 C. Router# configure terminal, then ip address 10.0.0.1 255.255.255.0 D. Router> enable → Router# configure terminal → Router(config)# interface GigabitEthernet0/1 → Router(config-if)# ip address 10.0.0.1 255.255.255.0 → no shutdown

Correct answer is D. This is the complete, correct navigation sequence. Starting from User EXEC (>): (1) enable enters Privileged EXEC (#); (2) configure terminal enters Global Config ((config)#); (3) interface GigabitEthernet0/1 enters Interface Config ((config-if)#); (4) ip address assigns the address; (5) no shutdown enables the interface (router interfaces are administratively down by default). Skipping any step results in a % Invalid input detected error because the command is not available at that mode level.

5. What command, entered in Global Configuration mode, immediately stops the router from attempting to DNS-resolve mistyped commands (a common lab annoyance)?

A. no dns resolve B. no ip domain-lookup C. ip name-server disable D. no ip domain-name

Correct answer is B. By default, Cisco IOS treats any unrecognised command as a hostname and attempts to resolve it via DNS — causing a 30–60 second freeze while waiting for the DNS query to time out. This is particularly frustrating when you mistype a command at the CLI. The fix is no ip domain-lookup in Global Config mode, which disables DNS-based hostname resolution for CLI input. This is one of the first commands most network engineers apply in a lab environment and is often included in initial device hardening templates.

6. Why should `enable secret` be used instead of `enable password`?

A. enable secret supports longer passwords than enable password B. enable secret is visible in the running config; enable password is hidden C. enable secret stores the password as a one-way MD5 hash in the config — it cannot be reversed; enable password stores it in plain text (or weak reversible Type 7 cipher) that is visible in show running-config D. enable password works only on older IOS versions; enable secret is required for IOS 15.x and later

Correct answer is C. The critical difference is how the password is stored. enable password stores the password in plain text in the running and startup configs — anyone who can run show running-config or read a backup config file can see it. Even with service password-encryption, the resulting Type 7 cipher is trivially reversible with freely available tools. enable secret uses an MD5 hash — a one-way function that cannot be reversed to obtain the original password. If both are configured, IOS always uses the enable secret and ignores the enable password.

7. An engineer configures a new IP address on an interface and adds a route, then notices the changes disappear after the device is power-cycled. What was missed?

A. The running configuration was not saved to startup-config — copy running-config startup-config or write memory was not executed; running-config lives in RAM and is lost on reboot B. The interface was not committed with a commit command C. The changes were made in User EXEC mode and therefore not retained D. The no shutdown command was missing — interfaces without no shutdown lose their configuration on reboot

Correct answer is A. Cisco IOS maintains two separate configuration stores: the running-config in volatile RAM (active immediately, lost on power loss) and the startup-config in non-volatile NVRAM (persists through reboots). Changes made through configuration modes are written to running-config only. To make them survive a reboot, the running-config must be explicitly saved: copy running-config startup-config (abbreviated copy run start) or write memory (abbreviated wr). Forgetting this step is one of the most common mistakes for engineers new to IOS.

8. What mode and command sequence is required to configure VTY lines to accept only SSH connections and require a local username and password?

A. Privileged EXEC: transport input ssh and login local B. Interface Config: switchport mode ssh and login local C. Global Config: ip ssh authentication local D. Line Configuration mode: line vty 0 15 → transport input ssh → login local

Correct answer is D. VTY line parameters — including which transport protocols are accepted and what authentication method is used — are configured in Line Configuration mode, entered with line vty 0 15 from Global Config. The command transport input ssh restricts the VTY lines to SSH only (Telnet is blocked). The command login local requires authentication against the local username database (created with username <name> secret <pass> in Global Config). These commands have no effect if entered in the wrong mode.

9. A network engineer types `hostname Branch-Router` in Privileged EXEC mode and receives `% Invalid input detected`. What is the problem?

A. The hostname contains a hyphen which is not allowed in Cisco IOS B. The hostname command is a Global Configuration mode command — it must be entered after typing configure terminal to reach the (config)# prompt C. The hostname is too long — Cisco IOS limits hostnames to 8 characters D. The hostname command requires a reboot to take effect and cannot be entered during an active session

Correct answer is B. hostname is a Global Configuration mode command — it modifies a persistent device-wide setting and therefore belongs in the configuration hierarchy, not in Privileged EXEC. While in Privileged EXEC (Router#), the engineer must first type configure terminal to enter Router(config)#, and only then can

hostname
                  Branch-Router

be executed successfully. The prompt will immediately change to Branch-Router(config)# reflecting the new hostname.

10. What happens when an engineer types `interface GigabitEthernet0/2` while already in `Router(config-if)#` mode for GigabitEthernet0/1?

A. IOS returns an error — you must type exit before entering a new interface B. The new interface command is queued — IOS finishes all Gi0/1 configuration first then switches to Gi0/2 C. IOS immediately switches context to GigabitEthernet0/2 — the prompt changes to (config-if)# for Gi0/2; no exit required; this is standard IOS behaviour for moving between interfaces efficiently D. IOS creates a new sub-interface Gi0/1.0/2

Correct answer is C. Cisco IOS allows you to move directly from one interface context to another by issuing a new interface command without first typing exit. The CLI immediately switches context to the newly specified interface — the prompt shows Router(config-if)# but all commands now apply to GigabitEthernet0/2. This is a deliberately efficient design that allows engineers to configure many interfaces in sequence without the overhead of repeatedly typing exit. The same applies when moving between other configuration sub-modes — you can type line vty 0 15 directly from (config-if)# without exiting first.

← Back to Home