Device Operations Foundational

Cisco IOS Device Management

How you actually log into and configure a Cisco device. Covers console / SSH / Telnet access, command modes (user / privileged / config), saving config, banners, the password types, and modern best practices for line security.

TL;DR
  • Three ways in: console (cable for first setup), SSH (remote standard), AUX (out-of-band fallback). Telnet exists but never use it — unencrypted.
  • Three command modes: user EXEC (R1>), privileged EXEC (R1#), global config (R1(config)#). Each unlocks more capability.
  • `copy running-config startup-config` (or `wr`) saves changes to survive a reload. Forget this and your config evaporates.

Mental model

A Cisco device runs IOS, which exposes a command-line interface. You connect to that CLI through one of several access methods, navigate through a hierarchy of command modes, and either inspect (with show commands) or configure (with everything else).

Every Cisco engineer’s day-1 muscle memory:

R1>           ← user EXEC (show some things, ping, traceroute)
R1> enable    ← move up to privileged EXEC
R1#           ← privileged EXEC (all show commands, debug, reload)
R1# configure terminal
R1(config)#   ← global config (change device settings)
R1(config)# interface GigabitEthernet0/0
R1(config-if)#   ← interface config (change one interface)

exit moves you back one level. end jumps all the way to privileged EXEC. Ctrl+Z is the keyboard shortcut for end.

The three ways in

| Method | Used for | Encryption |
|---|---|---|
| Console | First setup, password recovery, troubleshooting when network is down | None (physical cable) |
| SSH (VTY) | Daily remote management | TLS, port 22 |
| AUX / OOB management | Out-of-band backup access (over a separate management network or modem) | Varies |
| Telnet (VTY) | DON’T USE — port 23, unencrypted | None |

Always disable Telnet, always enable SSH. Telnet sends passwords in plain text — any attacker on the path can read them. There’s zero reason to allow it in 2026.

Configuring SSH and disabling Telnet

R1(config)# hostname R1
R1(config)# ip domain-name corp.local                ! required for crypto key gen
R1(config)# crypto key generate rsa modulus 2048     ! generate SSH keys

! Configure VTY lines (remote access)
R1(config)# line vty 0 15
R1(config-line)# transport input ssh                 ! only SSH allowed
R1(config-line)# login local                         ! use local username database
R1(config-line)# exec-timeout 10 0                   ! kick idle sessions after 10 min

! Create a local user
R1(config)# username admin privilege 15 secret strong-password

! Console line: require a local-user login
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# logging synchronous                 ! stop log msgs interrupting your typing
R1(config-line)# exec-timeout 0 0                    ! console doesn't time out (debatable)

Critical: the secret keyword stores a hashed password. The older password keyword stores it in plaintext (or weakly reversible Type 7). Always secret, never password.

Password types — know your hash

Cisco IOS supports several password storage formats:

| Type | What it is | Use? |
|---|---|---|
| Type 0 | Plaintext | Never |
| Type 7 | Weakly reversible | Never — decoded in seconds |
| Type 5 | MD5 hash | Acceptable, weak by modern standards |
| Type 8 | PBKDF2-SHA256 | Good |
| Type 9 | scrypt | Best — use this for new configs |

! Type 9 (scrypt) — modern, strong
R1(config)# username admin algorithm-type scrypt secret strong-password

! Enable password encryption for all stored passwords
R1(config)# service password-encryption

service password-encryption upgrades any remaining Type 0 to Type 7 (still weak, but at least not plaintext). It doesn’t downgrade stronger hashes.
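
To see which storage type each credential in a saved config actually uses, here is an added example (not from the original page) that reads `show running-config` text and applies the verdicts from the table above. The function names and the sample config are constructed for illustration; a credential with no type digit is treated as Type 0.

```python
import re

# Verdicts from the password-type table above.
VERDICT = {
    "0": "never (plaintext)",
    "7": "never (weakly reversible)",
    "5": "acceptable (MD5, weak by modern standards)",
    "8": "good (PBKDF2-SHA256)",
    "9": "best (scrypt)",
}

# Credential lines as `show running-config` prints them, for example
#   username admin privilege 15 secret 9 <hash>   /   enable password 7 <encoded>
#    password <text>   (under a line block; no type digit means Type 0)
CRED = re.compile(
    r"^\s*(?P<owner>username \S+|enable|)\s*(?:privilege \d+ )?"
    r"(?P<kw>password|secret) (?:(?P<type>[05789]) )?\S+"
)

def audit_credentials(config: str) -> list:
    """Return (owner, keyword, type, verdict) for each stored credential."""
    findings, section = [], "global"
    for line in config.splitlines():
        if line.startswith("line "):
            section = line.strip()      # passwords below belong to this line
        elif not line.startswith(" "):
            section = "global"
        m = CRED.match(line)
        if m:
            ptype = m["type"] or "0"
            findings.append((m["owner"] or section, m["kw"], ptype, VERDICT[ptype]))
    return findings

def must_fix(config: str) -> list:
    """Credentials stored as Type 0 or Type 7, which the table marks 'Never'."""
    return [f for f in audit_credentials(config) if f[2] in ("0", "7")]

# Constructed sample; every hash and password is a placeholder.
SAMPLE = """\
no service password-encryption
enable secret 9 $9$PLACEHOLDER
enable password 7 PLACEHOLDER
username admin privilege 15 secret 9 $9$PLACEHOLDER
username legacy password 0 PLACEHOLDER
username ops secret 5 $1$PLACEHOLDER
line con 0
 password PLACEHOLDER
"""
print(*must_fix(SAMPLE), sep="\n")
```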

Saving and reloading

R1# copy running-config startup-config        ! save the current config
R1# wr                                          ! shortcut for the same
R1# show running-config                         ! what's running now
R1# show startup-config                         ! what will load on next reload
R1# reload                                      ! reboot

Forgetting to save is the #1 mistake of new engineers. Make config changes → forget to save → device reloads (planned or panic) → all your changes gone. Always end a config session with wr.

Banners

A banner shows on login. Two types you’ll meet:

R1(config)# banner motd #
Enter TEXT message. End with the character '#'.
WARNING: Authorized access only. Activity is logged.
#

R1(config)# banner login #
Welcome to corporate router R1.
#

motd (message of the day) appears before login. login appears after authentication. Use motd for legal warnings — courts have ruled this matters for prosecuting unauthorized access.

The four “show” commands you’ll run constantly

R1# show running-config                ! the live config
R1# show ip interface brief            ! one-line summary of every interface
R1# show version                        ! IOS version, uptime, model, serial
R1# show running-config | section interface  ! filter to interface configs

`|` pipes the output through filters. `| include X`, `| begin X`, `| section X`, `| exclude X` — all useful. CCNA loves to test the difference between `include` (lines containing) and `section` (whole subsection starting with).

Common mistakes

  1. Leaving Telnet enabled. transport input ssh on every VTY line, every device.

  2. service password-encryption and thinking it’s secure. It uses weak Type 7 — decoded with online tools in seconds. Use stronger algorithms for important secrets (Type 8 or 9).

  3. No console password. A physical attacker can connect to the console port and get unrestricted access. Always set a console password.

  4. exec-timeout 0 0 on VTY lines. Means idle sessions never time out. A walked-away admin’s session is a permanent open door. Set 10 min or less for VTY.

  5. Forgetting copy running startup. The single most common reason for “my config disappeared after reboot.”

  6. Using enable password instead of enable secret. The old enable password stores Type 7. enable secret stores Type 5/8/9. Always secret.

  7. Using the same enable secret across every device. If one device is compromised, the secret is reused everywhere. Use TACACS+/RADIUS (centralized AAA) so each user has unique credentials.

  8. Disabling DNS-lookup on console without realizing why. no ip domain-lookup is a common config item — without it, mistyping a command makes the router try to DNS-resolve it as a hostname, timing out for ~30 seconds. Most engineers add this on every device.
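
Mistakes 1, 3 and 4 can be checked mechanically against a saved config. The following is an added example, not part of the original page: the function names and sample config are constructed, it assumes local login without `aaa new-model`, and it treats a VTY block with no `transport input` line as a finding.

```python
def parse_lines(config: str) -> dict:
    """Map each 'line ...' header to the commands indented beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks

def audit_lines(config: str) -> list:
    """Return (line header, issue) pairs for mistakes 1, 3 and 4 above."""
    findings = []
    for header, cmds in parse_lines(config).items():
        words = [c.split() for c in cmds if c]
        if header.startswith("line con") and not any(w[0] == "login" for w in words):
            findings.append((header, "console has no login configured"))
        if not header.startswith("line vty"):
            continue
        # Mistake 1: anything other than exactly 'transport input ssh'.
        if [w[2:] for w in words if w[:2] == ["transport", "input"]] != [["ssh"]]:
            findings.append((header, "transport input is not ssh-only"))
        # Mistake 4: idle timeout disabled (0 0) or longer than 10 minutes.
        for w in words:
            if w[0] == "exec-timeout":
                mins, secs = (w[1:] + ["0", "0"])[:2]
                idle = int(mins) * 60 + int(secs)
                if idle == 0 or idle > 600:
                    findings.append((header, f"exec-timeout {mins} {secs} never expires or exceeds 10 min"))
    return findings

# Constructed sample, shaped like the line section of `show running-config`.
SAMPLE = """\
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
line vty 5 15
 exec-timeout 5 0
 login local
 transport input ssh
"""
print(*audit_lines(SAMPLE), sep="\n")
```

The console's `exec-timeout 0 0` is deliberately not flagged, since the page calls that setting debatable and only rules it out for VTY lines.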

Lab to try tonight

  1. Console into a fresh Cisco router (CML, Packet Tracer, or real device).
  2. Set hostname, enable secret (Type 9), and a console password.
  3. Configure SSH: generate RSA key 2048, create a local user, enable SSH on VTY lines, disable Telnet.
  4. From another device, SSH in. Verify Telnet fails.
  5. Configure a motd banner with a legal warning.
  6. Make some config changes. Run show running-config then show startup-config — note they differ.
  7. wr. Re-run both — they now match.
  8. Reload. Verify your changes survived.
  9. Bonus: configure AAA pointing at a RADIUS / TACACS+ server (see AAA topic).

Cheat strip

| Concept | Plain English |
|---|---|
| Modes | user (R1>) → priv (R1#) → config (R1(config)#) |
| Console | Physical cable. Day-1 setup, password recovery. |
| SSH / VTY | Daily remote access. Port 22, encrypted. |
| Telnet | Never use. Plaintext. |
| enable secret | Privileged password. Hashed. |
| secret (in username) | Hashed user password. Always this, never password. |
| Type 9 | scrypt — best password hash |
| service password-encryption | Type 0 → 7. Weak but better than nothing. |
| copy run start | Save config. Survive reboot. |
| exit / end / Ctrl+Z | Back one level / all the way out |
| wr | Shortcut for copy run start |