When you start a session on a router, you generally begin in user EXEC mode, which is one of two access levels of the EXEC mode. For security purposes, only a limited subset of EXEC commands are available in user EXEC mode. This level of access is reserved for tasks that do not change the configuration of the router, such as determining the router status.

If your device is configured to require users to log in the login process will require a username and a password. If you enter incorrect password three times, the connection attempt is refused.

User EXEC mode is set by default to privilege level 1. Privileged EXEC mode is set by default to privilege level 15. For more information see the Privileged EXEC Mode. When you are logged in to a networking device in user EXEC mode your session is running at privilege level 1. When you are logged in to a networking device in privileged EXEC mode your session is running at privilege level 15. You can move commands to any privilege level between 1 and 15 using the privilege command. See the Cisco IOS Privilege Levels for more information on privilege levels and the privilege command.

In general, the user EXEC commands allow you to connect to remote devices, change terminal line settings on a temporary basis, perform basic tests, and list system information.

To list the available user EXEC commands, enter a question mark (?). The list of commands will vary depending on the software feature set and router platform you are using.

The user EXEC mode prompt consists of the hostname of the device followed by an angle bracket (>), for example, Router>.

The default hostname is generally Router, unless it has been changed during initial configuration using the setup EXEC command. You can also change the hostname using the hostname global configuration command.

Note

Examples in Cisco IOS documentation assume the use of the default name of "Router." Different devices (for example, access servers) may use a different default name. If the routing device (router, access server, or switch) has been named with the hostname command, that name will appear as the prompt instead of the default name.

Note	You can enter commands in uppercase, lowercase, or mixed case. Only passwords are case-sensitive. However, Cisco IOS documentation convention is to always present commands in lowercase.

In order to have access to all commands, you must enter privileged EXEC mode, which is the second level of access for the EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. In privileged EXEC mode, you can enter any EXEC command, because privileged EXEC mode is a superset of the user EXEC mode commands.

Because many privileged EXEC mode commands set operating parameters, privileged EXEC level access should be password protected to prevent unauthorized use. The privileged EXEC command set includes those commands contained in user EXEC mode. Privileged EXEC mode also provides access to configuration modes through the configurecommand, and includes advanced testing commands, such as debug.

Privileged EXEC mode is set by default to privilege level 15. User EXEC mode is set by default to privilege level 1. For more information see the User EXEC Mode. By default the EXEC commands at privilege level 15 are a superset of those available at privilege level 1. You can move commands to any privilege level between 1 and 15 using the privilege command. See the Cisco IOS Privilege Levels for more information on privilege levels and the privilege command.

The privileged EXEC mode prompt consists of the hostname of the device followed by a pound sign (#), for example, Router#.

To access privileged EXEC mode, use the enable command. If a privileged EXEC mode password has been configured the system will prompt you for a password after you issue the enable command. Use the exit command to leave privileged EXEC mode.

Note	Privileged EXEC mode is sometimes referred to as "enable mode," because the enable command is used to enter the mode.

If a password has been configured on the system, you will be prompted to enter it before being allowed access to privileged EXEC mode. The password is not displayed on the screen and is case-sensitive. If an enable password has not been set, privileged EXEC mode can be accessed only by a local CLI session (terminal connected to the console port).

If you attempt to access privileged EXEC mode on a router over a remote connection, such as aTelnet connection, and you have not configured a password for privileged EXEC mode, you will see the % No password set error message. For more information on remote connections see the Remote CLI Sessions. The system administrator uses the enable secret or enable passwordglobal configuration command to set the password that restricts access to privileged EXEC mode. For information on configuring a password for privileged EXEC mode, see the Protecting Access to Privileged EXEC Mode.

To return to user EXEC mode, use the disable command:

Note that the password will not be displayed as you type, but is shown here for illustrational purposes. To list the commands available in privileged EXEC mode, issue question mark (?) at the prompt. From privileged EXEC mode you can access global configuration mode, which is described in the following section.

Note

Because the privileged EXEC command set contains all of the commands available in user EXEC mode, some commands can be entered in either mode. In Cisco IOS documentation, commands that can be entered in either user EXEC mode or privileged EXEC mode are referred to as EXEC mode commands. If user or privileged is not specified in the documentation, assume that you can enter the referenced commands in either mode.

The term "global" is used to indicate characteristics or features that affect the system as a whole. Global configuration mode is used to configure your system globally, or to enter specific configuration modes to configure specific elements such as interfaces or protocols. Use the configure terminalprivileged EXEC command to enter global configuration mode.

To access global configuration mode, use the configure terminal command in privileged EXEC mode:

Note that the system prompt changes to indicate that you are now in global configuration mode. The prompt for global configuration mode consists of the hostname of the device followed by (config) and the pound sign ( # ). To list the commands available in privileged EXEC mode, issue ? at the prompt.

Commands entered in global configuration mode update the running configuration file as soon as they are entered. In other words, changes to the configuration take effect each time you press the Enter or Return key at the end of a valid command. However, these changes are not saved into the startup configuration file until you issue the copy running-config startup-config EXEC mode command.

The system dialog prompts you to end your configuration session (exit configuration mode) by pressing the Control (Ctrl) and "z" keys simultaneously; when you press these keys, ^Z is printed to the screen. You can actually end your configuration session by entering the Ctrl-Z key combination, using the end command, and using the Ctrl-C key combination. The end command is the recommended way to indicate to the system that you are done with the current configuration session.

Caution

If you use Ctrl-Z at the end of a command line in which a valid command has been typed, that command will be added to the running configuration file. In other words, using Ctrl-Z is equivalent to hitting the Enter (Carriage Return) key before exiting. For this reason, it is safer to end your configuration session using the end command. Alternatively, you can use the Ctrl-C key combination to end your configuration session without sending a Carriage Return signal.

You can also use the exit command to return from global configuration mode to EXEC mode, but this only works in global configuration mode. Pressing Ctrl-Z or entering the end command will always take you back to EXEC mode regardless of which configuration mode or configuration submode you are in.

To exit global configuration command mode and return to privileged EXEC mode, use the end or exit command.

From global configuration mode, you can enter a number of protocol-specific, platform-specific, and feature-specific configuration modes.

Interface configuration mode, described in the following section, is an example of a configuration mode you can enter from global configuration mode.

One example of a specific configuration mode you can enter from global configuration mode is interface configuration mode.

Many features are enabled on a per-interface basis. Interface configuration commands modify the operation of an interface such as an Ethernet, FDDI, or serial port. Interface configuration commands always follow an interface global configuration command, which defines the interface type.

For details on interface configuration commands that affect general interface parameters, such as bandwidth or clock rate, refer to the Cisco IOS Interface Configuration Guide .

To access and list the interface configuration commands, use the interface type number command.

To exit interface configuration mode and return to global configuration mode, enter the exit command.

Configuration submodes are configuration modes entered from other configuration modes (besides global configuration mode). Configuration submodes are for the configuration of specific elements within the configuration mode. One example of a configuration submode is subinterface configuration mode, described in the following section.

From interface configuration mode, you can enter subinterface configuration mode. Subinterface configuration mode is a submode of interface configuration mode. In subinterface configuration mode you can configure multiple virtual interfaces (called subinterfaces) on a single physical interface. Subinterfaces appear to be distinct physical interfaces to the various protocols.

For detailed information on how to configure subinterfaces, refer to the appropriate documentation module for a specific protocol in the Cisco IOS software documentation set.

To exit subinterface configuration mode and return to interface configuration mode, use the exit command. To end your configuration session and return to privileged EXEC mode, press Ctrl-Z or enter the end command.

Local CLI sessions require direct access to the console port of the networking device. Local CLI sessions start in user EXEC mode. See the Cisco IOS CLI Modes for more information on the different modes that are supported on your networking device. All of the tasks required to configure and manage a networking device can be done using a local CLI session. The most common method for establishing a local CLI session is to connect the serial port on a PC to the console port of the networking device and then to launch a terminal emulation application on the PC. The type of cable and connectors required and the settings for the terminal emulation application on the PC depend on the type of networking device that you are configuring. See the documentation for your networking device for more information on setting it up for a local CLI session.

Remote CLI sessions are created between a host such as a PC and a networking device such as a router over a network using a remote terminal access application such as Telnet and SSH. Local CLI sessions start in user EXEC mode. See the Cisco IOS CLI Modes for more information on the different modes that are supported on your networking device. Most of the tasks required to configure and manage a networking device can be done using a remote CLI session. The exceptions are tasks that interact directly with the console port (such as recovering from a corrupted operating system (OS) by uploading a new OS image over the console port) and interacting with the networking device when it is in ROMMON mode.

Telnet is the most common method for accessing a remote CLI session on a networking device.

Note

SSH is a more secure alternative to Telnet. SSH provides encryption for the session traffic between your local management device such as a PC and the networking device that you are managing. Encrypting the session traffic with SSH prevents hackers that might intercept the traffic from being able to decode it. See Secure Shell Version 2 Support feature module for more information on using SSH.

Cisco networking devices use the word "lines" to refer to the software components that manage local and remote CLI sessions. You use the line console 0 global configuration command to enter line configuration mode to configure options, such as a password, for the console port.

Remote CLI sessions use lines that are referred to as vty lines. You use the line vty line-number[ending-line-number]global configuration command to enter line configuration mode to configure options, such as a password, for remote CLI sessions.

The first step in creating a secure environment for your networking device is protecting access to user EXEC mode by configuring passwords for local and remote CLI sessions.

You can protect access to user EXEC mode for local CLI sessions by configuring a password on the console port. See the Configuring a Password for Local CLI Sessions.

You can protect access to user EXEC mode for remote CLI sessions by configuring a password on the vtys. See the Configuring a Password for Remote CLI Sessions for instructions on how to configure passwords for remote CLI sessions.

The second step in creating a secure environment for your networking device is protecting access to privileged EXEC mode with a password. The method for protecting access to privileged EXEC mode is the same for local and remote CLI sessions.

You can protect access to privileged EXEC mode by configuring a password for it. This is sometimes referred to as the enable password because the command to enter privileged EXEC mode is enable.

The PSB states the following requirements for password complexity restrictions on Cisco products:

• Whenever a user or an administrator wants to create or change a password, the following restrictions apply to the products:
  • The new password contains characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.
  • No character in the new password should be repeated more than three times consecutively.
  • The new password should not be the same as the associated username, and should not be the username reversed. The password obtained by capitalization of the username or username reversed also is not accepted.
  • The new password should not be "cisco", "ocsic", or any variant obtained by changing the capitalization of letters therein, or by substituting "1", "|", or "!" for i, and substituting "0" for "o", and substituting "$" for "s".
• It must be possible to individually enable or disable each of these restrictions as part of the product configuration. A user interface should be available for one time to override the restrictions when a password is being set by an administrator.

The first restriction need not be applied to passwords that are expected to be used via a numerical pin pad; in this case, passwords consisting only of digits are permitted. However, such passwords must be used only for access to messaging services, and not for general computer networking services.

For an administrator to enable the restrictions, no particular default setting is required. Restrictions should be enabled by default on products that permit nonadministrative end users to change their own passwords.

AAA enforces these restrictions on creating passwords used in a AAA context which includes passwords created using the username command and passwords created to download authorization data.

The complexity restrictions are enabled or disabled using the aaa password restriction command. The behavior should be backward-compatible in allowing passwords that were configured before the complexity restrictions were enabled. The CLI should be disabled by default. When the CLI is enabled on a running router, the passwords configured prior to enabling the command should not be subject to the complexity restrictions. The passwords configured following the command should be subject to complexity restrictions. When a router is rebooted using a startup configuration containing the password complexity command enabled, the passwords present in the startup configuration should be allowed without the complexity restrictions; any passwords that are configured after the router has booted should be subject to the complexity restrictions.

The PSB states the following requirement for password complexity restrictions on Cisco products:

• If the product authenticates remote entities using protocols that do not require the product to possess recoverable copies of the remote entities' credentials, then no recoverable copies of credentials which are used only in this way are to be stored.
• In the specific case where the product authenticates remote entities using the traditional password interchange in which the remote entity discloses its credential to the product for direct comparison against a database, stored credentials must be protected by a method at least as strong as a SHA-1 digest. The use of SHA-256 or SHA-384 instead of SHA-1 is recommended.

To be compliant with the PSB, AAA enforces the protection of stored credentials using SHA-256.

The fastest method to recover from a lost or misconfigured password for local CLI sessions is to establish a remote CLI session with the networking device and repeat the steps in the Configuring a Password for Local CLI Sessions. Your networking device must be configured to allow remote CLI sessions and you must know the remote CLI session password to perform this procedure.

• If you cannot establish a remote session to your networking device, and you have not saved the misconfigured local CLI session password to the startup configuration, you can restart the networking device. When the networking device starts up again it will read the startup configuration file. The previous local CLI session password is restored.

Caution

Restarting a networking device will cause it to stop forwarding traffic. This will also cause an interruption in any services that are running on the networking device, such as a DHCP server service. You should restart a networking device only during a period of time that has been allocated for network maintenance.

The fastest method to recover from a lost or misconfigured password for remote CLI sessions is to establish a local CLI session with the networking device and repeat the steps in the Configuring a Password for Remote CLI Sessions. Your networking device must be configured to allow local CLI sessions and you must know the local CLI session password to perform this procedure.

• If you cannot establish a local CLI session to your networking device, and you have not saved the misconfigured remote CLI session password to the startup configuration, you can restart the networking device. When the networking device starts up again it will read the startup configuration file. The previous remote CLI session password is restored.

Caution

Restarting a networking device will cause it to stop forwarding traffic. This will also cause an interruption in any services that are running on the networking device, such as a DHCP server service. You should restart a networking device only during a period of time that has been allocated for network maintenance.

• If you have not saved the misconfigured privileged EXEC mode password to the startup configuration, you can restart the networking device. When the networking device starts up again it will read the startup configuration file. The previous privileged EXEC mode password is restored.

Caution

Restarting a networking device will cause it to stop forwarding traffic. This will also cause an interruption in any services that are running on the networking device, such as a DHCP server service. You should restart a networking only device during a period of time that has been allocated for network maintenance.

Before You Begin

If you have not previously configured a password for remote CLI sessions, you must perform this task over a local CLI session using a terminal or a PC running a terminal emulation application attached to the console port.

Your terminal, or terminal emulation application, must be configured with the settings that are used by the console port on the networking device. The console ports on most Cisco networking devices require the following settings: 9600 baud, 8 data bits, 1 stop bit, no parity, and flow control is set to "none". See the documentation for your networking device if these settings do not work for your terminal.

Note	If you have not previously configured a password for remote CLI sessions, you must perform this task over a local CLI session using a terminal attached to the console port. >

1.    enable

2.    configure terminal

3.    line vty line-number [ending-line-number]

4.    password password

5.    end

6.    telnet ip-address

7.    exit

• Troubleshooting Tips
  

1.    enable

2.    configure terminal

3.    line console line-number

4.    password password

5.    end

6.    exit

7.    Press the Enter key, and enter the password from Step 4 when prompted.

• Troubleshooting Tips
  

Cisco no longer recommends that you use the enable password command to configure a password for privileged EXEC mode. The password that you enter with the enable passwordcommand is stored as plain text in the configuration file of the networking device. You can encrypt the password for the enable passwordcommand in the configuration file of the networking device using the service password-encryption command. However the encryption level used by the service password-encryption command can be decrypted using tools available on the Internet.

Instead of using the enable passwordcommand, Cisco recommends using the enable secret commandbecause it encrypts the password that you configure with strong encryption. For more information on password encryption issues see the Cisco IOS Password Encryption Levels. For information on configuring the enable secretcommand see the Configuring the Enable Secret Password.

Note

The networking device must not have a password configured by the enable secret command in order for you to perform this task successfully. If you have already configured a password for privileged EXEC mode using the enable secretcommand, that the password configured takes precedences over the password that you configure in this task using the enable password command. You cannot use the same password for the enable secretcommand and the enable password command. >

1.    enable

2.    configure terminal

3.    enable password password

4.    end

5.    exit

6.    enable

• Troubleshooting Tips
  

1.    enable

2.    configure terminal

3.    service password-encryption

4.    end

Cisco recommends that you use the enable secret command, instead of the enable password command to configure a password for privileged EXEC mode. The password created by the enable secret command is encrypted with the more secure MD5 algorithm.

Note	You cannot use the same password for the enable secretcommand and the enable password command. >

1.    enable

2.    configure terminal

3.   Do one of the following:

4.    end

5.    exit

6.    enable

• Troubleshooting Tips
  

This task describes how to configure the networking device for first-line technical support users. First-line technical support staff are usually not allowed to run all of the commands available in privileged EXEC mode (privilege level 15) on a networking device. They are prevented from running commands that they are not authorized for by not being granted access to the password assigned to privileged EXEC mode or to other roles that have been configured on the networking device.

The privilege command is used to move commands from one privilege level to another in order to create the additional levels of administration of a networking device that is required by companies that have different levels of network support staff with different skill levels.

The default configuration of a Cisco IOS device permits two types of users to access the CLI. The first type of user is allowed to access only user EXEC mode. The second type of user is allowed access to privileged EXEC mode. A user who is allowed to access only user EXEC mode is not allowed to view or change the configuration of the networking device, or to make any changes to the operational status of the networking device. However, a user who is allowed access to privileged EXEC mode can make any change to a networking device that is allowed by the CLI.

In this task the two commands that normally run at privilege level 15 are reset to privilege level 7 using the privilege command so that first-line technical support users will be allowed to run the two commands. The two commands for which the privilege levels will be reset are the clear counters command and reload command.

• The clear counters command is used to reset the counter fields on interfaces for statistics such as packets received, packets transmitted, and errors. When a first-line technical support user is troubleshooting an interface-related connectivity issue between networking devices, or with remote users connecting to the network, it is useful to reset the interface statistics to zero and then monitor the interfaces for a period of time to see if the values in the interface statistics counters change.
• The reload command is used initiate a reboot sequence for the networking device. One common use of the reload command by the first-line technical support staff is to cause the networking device to reboot during a maintenance window so that it loads a new operating system that was previously copied onto the networking device's file system by a user with a higher level of authority.

Any user that is permitted to know the enable secret password that is assigned to the first-line technical support user role privilege level can access the networking device as a first-line technical support user. You can add a level of security by configuring a username on the networking device and requiring that the users know the username and the password. Configuring a username as an additional level of security is described in the Configuring a Device to Require a Username for the First-Line Technical Support Staff.

Before Cisco IOS Releases 12.0(22)S and 12.2(13)T, each command in a privilege level had to be specified with a separate privilege command. In Cisco IOS Releases 12.0(22)S, 12.2(13)T, and later releases, a "wildcard" option specified by the new keyword all was introduced that allows you to configure access to multiple commands with only one privilege command. By using the new all keyword, you can specify a privilege level for all commands which begin with the string you enter. In other words, the all keyword allows you to grant access to all command-line options and suboptions for a specified command.

For example, if you wanted to create a privilege level to allow users to configure all commands which begin with service-module t1 (such as service-module t1 linecode or service-module t1 clock source) you can use the privilege interface all level 2 service-module t1 command instead of having to specify each service-module t1 command separately.

If the command specified in the privilege command (used with the all keyword) enables a configuration submode, all commands in the submode of that command will also be set to the specified privilege level.

Note

The all "wildcard" keyword option for the privilege command is not supported in versions of Cisco IOS software prior to Cisco IOS Releases 12.0(22)S and, 12.2(13)T. You must not have the aaa new-model command enabled on the networking device. You must not have the login local command configured for the local CLI sessions over the console port or the remote CLI sessions. Note For clarity, only the arguments and keywords that are relevant for each step are shown in the syntax for the steps in this task. See the Cisco IOS command reference book for your Cisco IOS release for further information on the additional arguments and keywords that can be used with these commands. Caution Do not use the no form of the privilege command to reset the privilege level of a command to its default because it might not return the configuration to the correct default state. Use the reset keyword for the privilege command instead to return a command to its default privilege level. For example, to remove the privilege exec level reload command from the configuration and return the reload command to its default privilege of 15, use the privilege exec reset reloadcommand. >

1.    enable password

2.    configure terminal

3.    enable secret level level password

4.    privilege exec level level command-string

5.    privilege exec all level level command-string

6.    end

Router> enable

Router# configure
 terminal

Router(config)# enable secret level 7 Zy72sKj

Router(config)# privilege exec level 7 clear counters

Router(config)# privilege
 exec
 all
 level
 7 reload

Router(config)# end

1.    enable level password

2.    show privilege

3.    clear counters

4.    clear ip route *

5.    reload in time

6.    reload cancel

7.    disable

8.    show privilege

Router> enable 7 Zy72sKj

Router# show privilege
Current privilege level is 7

Router# clear
 counters
Clear "show interface" counters on all interfaces [confirm]
Router#
02:41:37: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console

Router# clear
 ip
 route
 *
         ^
% Invalid input detected at '^' marker.
Router#

Router# reload in 10
Reload scheduled in 10 minutes by console
Proceed with reload? [confirm]
Router#
***
*** --- SHUTDOWN in 0:10:00 ---
***
02:59:50: %SYS-5-SCHEDULED_RELOAD: Reload requested for 23:08:30 PST Sun Mar 20

Router# reload
 cancel
***
*** --- SHUTDOWN ABORTED ---
***
04:34:08: %SYS-5-SCHEDULED_RELOAD_CANCELLED:  Scheduled reload cancelled at 15:38:46 PST Sun Mar 27 2005

Router# disable

Router> show privilege
Current privilege level is 1

• Troubleshooting Tips
  

Before You Begin

The following commands must have been modified to run at privilege level 7 for this task:

• clear counters
• reload

See the Configuring the Networking Device for the First-Line Technical Support Staff for instructions on how to change the privilege level for a command.

Note

MD5 encryption for the username command is not supported in versions of Cisco IOS software prior to Cisco IOS Releases 12.0(18)S and 12.2(8)T. You must not have the aaa-new model command enabled on the networking device. You must not have the login local command configured for the local CLI sessions over the console port or the remote CLI sessions. Note For clarity, only the arguments and keywords that are relevant for each step are shown in the syntax for the steps in this task. Refer to the Cisco IOS command reference book for your Cisco IOS release for further information on the additional arguments and keywords that can be used with these commands. >

1.    enable password

2.    configure terminal

3.    username username privilege level secret password

4.    end

5.    disable

6.    login

7.    show privilege

8.    clear counters

9.    clear ip route *

10.    reload in time

11.    reload cancel

12.    disable

13.    show privilege

Router> enable

Router# configure
 terminal

Router(config)# username admin privilege 7 secret Kd65xZa

Router(config)# end

Router# disable

Router# login 

Router# show privilege
Current privilege level is 7

Router# clear
 counters
Clear "show interface" counters on all interfaces [confirm]
Router#
02:41:37: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console

Router# clear ip route
 *
         ^
% Invalid input detected at '^' marker.
Router#

Router# reload in 10
Reload scheduled in 10 minutes by console
Proceed with reload? [confirm]
Router#
***
*** --- SHUTDOWN in 0:10:00 ---
***
02:59:50: %SYS-5-SCHEDULED_RELOAD: Reload requested for 23:08:30 PST Sun Mar 20

Router# reload
 cancel
***
*** --- SHUTDOWN ABORTED ---
***
04:34:08: %SYS-5-SCHEDULED_RELOAD_CANCELLED:  Scheduled reload cancelled at 15:38:46 PST Sun Mar 27 2005

Router# disable

Router> show
 privilege
Current privilege level is 1