show running-config – Active Configuration Guide

1. Purpose and Importance

show running-config (abbreviated show run) is the Cisco IOS command that displays the current active configuration held in the device’s RAM. It is the single most important verification command in Cisco IOS because it shows exactly what the device is doing right now — every interface setting, every routing protocol statement, every ACL, every password, and every feature that has been configured.

Because changes made in configuration mode take effect instantly and update the running-config in real time, this command is also the authoritative source during troubleshooting: if something is not in show run, it is not configured.

  • View all settings currently in effect on the device
  • Verify configuration changes just made before saving them
  • Diagnose misconfigurations (wrong IP, missing routing statement, ACL blocking traffic)
  • Audit security settings (password encryption, AAA, SSH)
  • Generate documentation of the device configuration


2. Running-Config vs. Startup-Config

Cisco IOS maintains two separate configuration files. Understanding the distinction between them is fundamental and directly tested on the CCNA exam:

| Aspect | Running-Config | Startup-Config |
| --- | --- | --- |
| Storage location | RAM (volatile memory) | NVRAM (non-volatile memory) |
| Purpose | The live, active configuration the device is using right now | The saved configuration loaded from NVRAM at every reboot |
| When changes take effect | Immediately: the moment you press Enter in config mode | Only after a reboot, when it is loaded into RAM as the new running-config |
| Persistence after reboot | Lost: RAM is cleared on power-off or reload | Retained: NVRAM is non-volatile and survives power loss |
| How to view | show running-config or show run | show startup-config |

How to save running → startup: copy running-config startup-config or write memory (alias)
How to erase startup-config: write erase or erase startup-config, followed by reload to start fresh

Critical rule: Any configuration change you make is immediately live but will be lost on reboot unless you run copy running-config startup-config. Never end a change window without saving.
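
One way to confirm before closing a change window that nothing is left unsaved is to capture both show running-config and show startup-config and compare them offline. The Python below is an added example, not part of the original guide; the noise patterns, function names and the two sample captures are assumptions constructed for illustration.

```python
import difflib
import re

# Lines that differ between the two captures without being configuration
# (typical IOS headers, timestamps and separators; adjust for your platform).
NOISE = re.compile(
    r"^(Building configuration\.\.\.|Current configuration : \d+ bytes"
    r"|Using \d+ out of \d+ bytes.*"
    r"|! (Last configuration change|NVRAM config last updated).*"
    r"|ntp clock-period \d+|!|end)?$"
)

def config_lines(capture):
    """Keep real commands only; indentation is preserved because it marks sub-commands."""
    return [l.rstrip() for l in capture.splitlines() if not NOISE.match(l.strip())]

def unsaved_changes(running, startup):
    """Unified diff from startup-config to running-config; an empty list means saved."""
    return list(difflib.unified_diff(config_lines(startup), config_lines(running),
                                     "startup-config", "running-config", lineterm=""))

# Constructed captures: an SVI was re-enabled and an OSPF network added, not yet saved.
STARTUP = """Using 412 out of 262136 bytes
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 shutdown
!
router ospf 10
 network 10.1.10.0 0.0.0.255 area 0
!
end
"""
RUNNING = """Building configuration...

Current configuration : 431 bytes
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
router ospf 10
 network 10.1.10.0 0.0.0.255 area 0
 network 10.1.20.0 0.0.0.255 area 0
!
end
"""
if __name__ == "__main__":
    print("\n".join(unsaved_changes(RUNNING, STARTUP)) or "running-config is saved")
```

Lines prefixed with "+" exist only in RAM and disappear on reload; lines prefixed with "-" exist only in NVRAM and come back on reload.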

3. Annotated Full Output Example

Below is a representative show running-config output for a branch router, with every major section labelled:

Router# show running-config

Building configuration...

Current configuration : 1842 bytes
!                                              ← exclamation marks are comment separators
version 15.7
service password-encryption                   ← stores plain-text passwords as Type 7 (obfuscated, reversible)
!
hostname HQ-Router                             ← GLOBAL SECTION: device identity
ip domain-name example.com
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0  ← MD5-hashed enable password
!
username admin privilege 15 secret 5 $1$...  ← local user database
!
interface GigabitEthernet0/0                  ← INTERFACE SECTION
 ip address 10.10.1.1 255.255.255.0
 ip access-group 100 in                       ← ACL applied inbound
 duplex full
 speed 1000
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 shutdown                                     ← interface is disabled
!
router ospf 1                                 ← ROUTING PROTOCOL SECTION
 router-id 1.1.1.1
 network 10.10.1.0 0.0.0.255 area 0
!
ip access-list extended 100                   ← ACL SECTION
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 deny   ip any any log
!
line con 0                                    ← LINE SECTION: console access
 password 7 070C285F4D06
 login
line vty 0 4                                  ← VTY: Telnet/SSH remote access
 transport input ssh
 login local
!
end
            

4. Key Configuration Sections

Global
  What it contains: Hostname, domain name, DNS, logging, SNMP, enable secret, service password-encryption, NTP, AAA
  Troubleshooting use: Verify hostname, check password encryption is enabled, confirm NTP source
  Example:
    hostname BranchRouter
    ip domain-name example.com
    enable secret 5 $1$mERr$...

Interfaces
  What it contains: IP address and mask, shutdown/no shutdown state, VLAN membership, speed/duplex, ACL applied, description
  Troubleshooting use: Find misconfigured IPs, identify shut interfaces, spot wrong VLAN, confirm ACL binding
  Example:
    interface Vlan10
     description Users
     ip address 10.1.10.1 255.255.255.0
     no shutdown

Routing Protocols
  What it contains: OSPF, EIGRP, RIP, BGP: network statements, router-id, passive interfaces, redistribution
  Troubleshooting use: Confirm networks are advertised; find missing network statements; check passive interfaces
  Example:
    router ospf 10
     router-id 1.1.1.1
     network 10.1.10.0 0.0.0.255 area 0
     passive-interface default
     no passive-interface Gi0/0

ACLs
  What it contains: Numbered and named access control lists (permit/deny rules)
  Troubleshooting use: Identify rules that may be blocking traffic; check which interface the ACL is applied to
  Example:
    access-list 100 deny ip any 10.1.20.0 0.0.0.255
    access-list 100 permit ip any any

Lines
  What it contains: Console (line con 0), VTY (Telnet/SSH), Auxiliary (AUX); passwords, login method, timeout, transport
  Troubleshooting use: Verify SSH-only access (transport input ssh), check login method (local vs. AAA), confirm exec timeout
  Example:
    line vty 0 4
     exec-timeout 10 0
     transport input ssh
     login local

VLAN / Switching
  What it contains: VLAN definitions, spanning-tree mode, EtherChannel, trunk configuration
  Troubleshooting use: Confirm VLAN exists and is active; check STP mode; verify port-channel membership
  Example:
    vlan 10
     name Users
    spanning-tree mode rapid-pvst

5. Navigating and Filtering Large Configurations

On a large device a full show run may scroll through hundreds of lines. IOS offers powerful pipe operators and terminal commands to focus on the exact section you need:

! Disable paging to scroll without pressing SPACE (useful when capturing to a terminal)
Router# terminal length 0

! Re-enable paging
Router# terminal length 24

! Show only lines that CONTAIN a specific string (case-sensitive)
Router# show run | include ospf
Router# show run | include access-list
Router# show run | include ip address

! Show a complete configuration SECTION (the block starting at the matched line)
Router# show run | section interface GigabitEthernet0/1
Router# show run | section router ospf
Router# show run | section vty

! Start showing from a specific line and display everything AFTER it
Router# show run | begin interface

! Show only a specific interface's config block
Router# show run interface GigabitEthernet0/1

! EXCLUDE lines containing a string (useful to hide default commands)
Router# show run | exclude !
Router# show run | exclude ^!
            

Practical tip: show run | section vty is the fastest way to check whether remote access is configured for SSH-only and using local login. show run | include access-group instantly shows every interface that has an ACL applied.

6. Saving, Exporting, and Backing Up

| Task | Command | Notes |
| --- | --- | --- |
| Save to NVRAM (make persistent) | copy running-config startup-config or write memory (alias) | Must be done after every change; without this, changes are lost on reboot |
| View saved config | show startup-config | Shows what will be loaded on next reboot; compare to show run to see unsaved changes |
| Erase saved config | write erase or erase startup-config | Deletes NVRAM startup-config; device will boot with factory defaults on next reload |
| Back up to TFTP server | copy running-config tftp: | IOS prompts for server IP and filename; used for off-device backup |
| Back up to SCP (secure) | copy running-config scp: | Encrypts the transfer; preferred over TFTP in production |
| Restore from TFTP | copy tftp: running-config | Merges the TFTP file into the running-config; does not erase existing config first |
| Load startup from TFTP | copy tftp: startup-config | Replaces the NVRAM startup-config; takes full effect on next reload |
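
Automating daily backups with Kron (IOS scheduler):

! Kron cannot answer interactive prompts, so suppress the copy confirmation prompts
file prompt quiet
! IOS does not expand $(hostname); use a literal filename per device
! (HQ-Router is the sample hostname used earlier in this guide)
kron policy-list backup-config
 cli copy running-config tftp://10.0.0.50/backup-HQ-Router.cfg
exit
kron occurrence daily-backup at 3:00 recurring
 policy-list backup-config
exit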
              

7. Security Considerations

The running-config contains some of the most sensitive data on a network device: passwords, SNMP community strings, pre-shared keys, and routing authentication keys. Protecting this data is essential.

| Risk | Problem | Mitigation |
| --- | --- | --- |
| Plain-text passwords in config | Any user with privilege 15 access can read VTY/console passwords in clear text | Enable service password-encryption (Type 7 obfuscation); use enable secret (MD5/scrypt hashing) instead of enable password |
| Weak enable password | enable password stores the password in a reversible Type 7 format that is easily decoded | Always use enable secret, which stores a one-way hash (Type 5 MD5 minimum; Type 8/9 scrypt on modern IOS) |
| Hardcoded local passwords | Local usernames and passwords in the config are a single point of failure and cannot be revoked centrally | Use AAA with RADIUS or TACACS+ for centralised authentication; keep local accounts only as emergency fallback |
| Unencrypted backup transfers | copy running-config tftp: transmits the entire config (including hashed passwords) in plain text | Use copy running-config scp: for encrypted file transfer; restrict TFTP server access with ACLs |
| Unrestricted config access | Any user who can reach the device over Telnet or console can read the full config | Restrict VTY access with an ACL; use SSH only (transport input ssh); set short exec-timeout; use privilege levels |

! Recommended security hardening in running-config:
!
! Obfuscate Type 7 line passwords
service password-encryption
! Strong one-way hash for enable mode
enable secret 9 <scrypt-hash>
username admin privilege 15 algorithm-type scrypt secret Str0ngP@ss!
!
line vty 0 4
 ! Auto-logout after 10 minutes idle
 exec-timeout 10 0
 ! SSH only; no Telnet
 transport input ssh
 login local
!
! Enforce SSH v2
ip ssh version 2
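
The risks listed in this section can be checked offline against a saved copy of the configuration. The Python below is an added example, not part of the original guide or any Cisco tool; the function names, finding strings and the sample config with its placeholder secrets are constructed for illustration.

```python
import re
# Constructed sample, not from a real device; secrets are placeholders.
SAMPLE = """\
enable password 7 <type7-placeholder>
username ops password 0 <cleartext-placeholder>
username admin privilege 15 secret 9 <hash-placeholder>
line con 0
 password 7 <type7-placeholder>
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
 login local
"""

def blocks(config):
    """Split a config into (header, [sub-commands]); sub-commands are the indented lines."""
    out = []
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))
    return out

def audit(config):
    """Return a list of findings for the risks described in this section."""
    parsed, found = blocks(config), []
    heads = [h for h, _ in parsed]
    for required in ("service password-encryption", "ip ssh version 2"):
        if required not in heads:
            found.append(f"global: {required} missing")
    for h, subs in parsed:
        if h.startswith("enable password"):
            found.append("global: enable password used instead of enable secret")
        if m := re.match(r"username (\S+) .*\bpassword\b", h):
            found.append(f"user {m.group(1)}: password used instead of secret")
        if h.startswith("line ") and any(s.startswith("password ") for s in subs):
            found.append(f"{h}: line password stored in config")
        if h.startswith("line vty"):
            if "transport input ssh" not in subs:
                found.append(f"{h}: transport input is not ssh-only")
            if "exec-timeout 0 0" in subs:  # an absent line means the 10-minute default
                found.append(f"{h}: exec-timeout disabled")
            if not any(s.startswith("access-class ") for s in subs):
                found.append(f"{h}: no access-class ACL on VTY")
    return found
```

Run it against a file pulled with copy running-config scp: rather than against a live session, so the config itself does not cross the network in clear text.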
            

8. Troubleshooting Workflow with show running-config

Scenario: John cannot reach the server at 10.1.20.100 from his PC in VLAN 10 (10.1.10.x). The devices are on different VLANs routed by a Layer 3 switch.

  1. Check interface configurations — are both SVIs up and correctly addressed?
    L3-Switch# show run | section interface
    
    interface Vlan10
     ip address 10.1.10.1 255.255.255.0
     no shutdown
    !
    interface Vlan20
     ip address 10.1.20.1 255.255.255.0
     shutdown                              ← PROBLEM: Vlan20 SVI is shut down
    
    Fix: interface Vlan20 → no shutdown
                    
  2. Check routing protocol — is VLAN 20 included in OSPF?
    L3-Switch# show run | section router
    
    router ospf 10
     network 10.1.10.0 0.0.0.255 area 0   ← PROBLEM: VLAN 20 not advertised
    
    Fix: add "network 10.1.20.0 0.0.0.255 area 0"
                    
  3. Check ACLs — is any ACL blocking traffic between VLANs?
    L3-Switch# show run | include access-group
     ip access-group 100 in               ← ACL 100 applied inbound on Vlan10
    
    L3-Switch# show run | include access-list
    access-list 100 deny ip any 10.1.20.0 0.0.0.255   ← PROBLEM: blocks all traffic to VLAN 20
    access-list 100 permit ip any any
    
    Fix: remove the deny rule or adjust to permit specific required traffic
                    
  4. Save and document after each fix
    copy running-config startup-config
                    

9. Key Points & CCNA Exam Tips

  • show running-config (or show run) displays the live active configuration from RAM — includes all unsaved changes
  • Running-config is in RAM (volatile); startup-config is in NVRAM (non-volatile, survives reboot)
  • Config changes take effect immediately but are lost on reboot unless saved with copy running-config startup-config or write memory
  • Know the five major config sections: Global, Interfaces, Routing Protocols, ACLs, Lines (Console/VTY)
  • Pipe filter commands: | include <string> (lines matching), | section <keyword> (full block), | begin <keyword> (from that line onward), | exclude (hide matching lines)
  • terminal length 0 disables paging so the full config scrolls without interruption
  • Use enable secret — never enable password; enable secret uses a one-way hash (MD5/scrypt)
  • service password-encryption encrypts all Type 7 line passwords but this is obfuscation, not strong encryption — always use secret variants for critical passwords
  • write erase deletes the startup-config; combine with reload to reset a device to factory defaults
  • Back up configurations regularly: copy running-config tftp: (plain) or copy running-config scp: (encrypted)
  • If a feature is not in show run, it is not configured — this is the golden rule of Cisco IOS troubleshooting

Show Running-Config Command Quiz

1. What does the show running-config command display?

Correct answer is A. show running-config displays the live, active configuration currently in RAM. This includes every setting that is in effect right now, including any unsaved changes made since the last copy running-config startup-config. It is the authoritative source for what the device is doing.

2. What is the key difference between running-config and startup-config?

Correct answer is D. Running-config lives in RAM and reflects the device’s current state; it is lost if the device reboots without being saved. Startup-config lives in NVRAM (non-volatile) and is loaded into RAM as the new running-config every time the device boots.

3. Which command saves the running configuration so changes survive a reboot?

Correct answer is B. copy running-config startup-config writes the current RAM config to NVRAM, making changes permanent across reboots. The abbreviated alias write memory (or wr) does the same thing. copy startup-config running-config does the opposite — it loads the saved config into RAM.

4. Where in the running configuration would you find interface IP addresses and shutdown commands?

Correct answer is C. Interface IP addresses, no shutdown / shutdown state, speed/duplex settings, ACL bindings, and descriptions are all found in the interface configuration blocks, which begin with interface <name>. Use show run | section interface or show run interface GigabitEthernet0/1 to view them quickly.

5. What does show running-config | include do?

Correct answer is A. The | include <string> pipe filter shows only the lines in the output that contain the specified keyword. For example, show run | include access-group instantly shows every interface with an ACL applied. Use | section instead to see the complete configuration block that contains the keyword.

6. What is a potential security concern when viewing the running configuration?

Correct answer is D. The running-config may contain plain-text or weakly obfuscated passwords (Type 7), SNMP community strings, VPN pre-shared keys, and routing protocol authentication keys. Mitigations include service password-encryption for line passwords and using enable secret (one-way hash) instead of enable password. Restrict who has privilege 15 access to view the config.

7. Which command backs up the running configuration to an external TFTP server?

Correct answer is B. copy running-config tftp: prompts for the TFTP server IP and the destination filename, then transfers the current active configuration. For security-sensitive environments, use copy running-config scp: instead, which encrypts the transfer using SSH.

8. What must you do after making configuration changes to ensure they survive a reboot?

Correct answer is C. Cisco IOS does not save automatically. Every change you make updates RAM (running-config) instantly but those changes will be lost on the next reboot unless you explicitly run copy running-config startup-config (or the alias write memory). This is one of the most commonly tested facts on the CCNA exam.

9. How do you view only the VTY line configuration from the running config?

Correct answer is A. show run | section vty displays the entire VTY line configuration block, including the password, login method, exec-timeout, and transport input settings. The | section filter is more useful than | include here because it shows the complete block, not just individual lines. This is the fastest way to confirm whether SSH-only access is properly configured.

10. Which statement about changes made to the running-config is true?

Correct answer is D. This is the fundamental behaviour of Cisco IOS: changes to running-config are live immediately (the moment you press Enter they affect the device) but they live only in volatile RAM. A power loss or reboot wipes RAM, discarding all unsaved changes. Always save with copy running-config startup-config before ending a change window.
