Welcome to Jeremy’s IT Lab. This is a complete course for the CCNA, including everything you need to pass the exam, all 100% free. Make sure you stay tuned till the end of the video for the quiz to test your knowledge of the material in this video.
Also, remember to download and use the Anki flashcards with the link in the description, which will help you very much in your studies. Let’s get started. In this fourth lesson, we will finally get started actually configuring some Cisco devices.
This lesson is about the Cisco IOS CLI. Cisco IOS is the operating system used on Cisco devices, like Windows on a PC, or macOS on an iMac. Keep in mind, Cisco’s IOS is not related to Apple’s iOS for iPhones.
Now, what is a CLI? CLI stands for command-line interface. It’s the interface you use to configure Cisco devices, like routers, switches, and firewalls.
Here’s an image of the Cisco IOS CLI. The color scheme can be changed, this is just the default color scheme with the software I used when taking this screenshot. Now, there is also something called a GUI, which means graphical user interface.
Here’s an example of a Cisco GUI, from Cisco’s ASDM which can be used to configure Cisco's firewalls. However, we won’t cover GUIs in this course, and most network engineers prefer to use the CLI over a GUI. Now, how exactly do you connect to a Cisco device to configure it with the CLI?
There are a couple methods, but I’m going to talk about connecting via the console port. Connecting to a device via the console port typically involves bringing your laptop to the device and connecting to the console port of the device. There are also methods to connect to a device remotely, but we’ll cover that later.
In any case, when you first configure a device, you have to connect to the console port. This is an image of a Cisco Catalyst switch, and notice the two console ports. One of them is an RJ45 port, just like the switch’s network ports.
The other is a USB Mini-B connector. You can connect to either of these, but let’s say we’re going to connect to the RJ45 port. You’re going to need the proper cable.
This is the kind of cable you will use. Notice one end has an RJ45 connector, just like the Ethernet UTP cables we looked at. The other end is a DB9 connector.
However, most laptops these days no longer have a serial port to plug the cable into, so you’ll probably need an adapter, like this, to connect to a USB port on your laptop. The actual name of the cable on the left is ‘rollover cable’. The name is similar to a crossover cable, but it’s different than an Ethernet UTP crossover cable.
Like in an Ethernet UTP cable, there are 8 pins on each end that are used. However, they connect like this: pin 1 to pin 8, pin 2 to pin 7, pin 3 to pin 6, pin 4 to pin 5, pin 5 to pin 4, pin 6 to pin 3, pin 7 to pin 2, and pin 8 to pin 1. So, once you’ve connected your computer to the device, how do you actually access the CLI?
Well, you need to use a terminal emulator. This one here, PuTTY, is a popular choice. You can get it at putty.org.
Select serial, here, and then click open and you should be connected to the CLI. You should be able to connect with the default settings, but click serial down here, and you can view and edit the default settings for the serial connection. Note that these settings match the defaults on Cisco devices, so you’ll probably never have to change them, but it’s good to be aware of them, and try to remember them for the test.
The speed, also known as baud rate, is 9,600 bits per second. There are 8 data bits, and 1 stop bit. Understanding data bits and stop bits is outside of the scope of the CCNA, but basically it means that for each 8 bits of data one stop bit is sent, to mark the end of the 8 bits.
Parity is set to none. Parity is used to detect errors. And finally, flow control is set to none.
Flow control is exactly what it sounds like, controlling the flow of data from transmitter to receiver, but again you don’t have to worry about the details for the exam. Just remember Cisco’s defaults. Speed of 9600 bits per second, 8 data bits, 1 stop bit, no parity, and no flow control.
Once you connect to the device, you will be greeted with a screen like this. Since this is the first time booting up the device, I am asked if I would like to enter the initial configuration dialog, and I answer no. Then I pressed the enter key to get started, and I’m now free to type commands into the CLI.
When you first enter the CLI, you will by default be in what’s called ‘user EXEC mode’. User EXEC mode is indicated by the ‘greater than sign’ next to the host name of the device. Note that the default host name for this device is ‘Router’.
The text displayed here always indicates the hostname of the device. All devices have a hostname, and for a Cisco router the default name is Router. User exec mode is very limited.
Users can look at some things, but can’t make any changes to the configuration. Usually you don’t do anything in this mode. You also might hear it called just ‘user mode’.
So, let’s move to a mode with a little more power to make changes to the device. If you enter the ‘enable’ command in user EXEC mode, you will be placed in privileged exec mode. In privileged exec mode, a pound sign, or hashtag, whatever you want to call it, is displayed.
Privileged EXEC mode provides complete access to view the device’s configuration, restart the device, etc. This is not the mode in which you actually change the configuration, however you can change the time on the device, and also save the current configuration file, among many other things. This is a comparison of the commands available in user EXEC mode, on the left, and privileged EXEC mode, on the right.
Also, I’m taking these screenshots from Cisco Packet Tracer software. Packet Tracer is a network simulator. It is a fantastic resource for the CCNA, but it is limited beyond the CCNA.
There are many things which Packet Tracer doesn’t support, so if I were to show these commands on a real device, you would probably see even more commands available here. I want to repeat, however, that Packet Tracer is an excellent resource for the CCNA and you don’t really need to use anything else for your CCNA. One more thing, notice the command I used to view the available commands.
You can use a question mark to view the commands that are available to you. Now I want to show you a convenient feature of the CLI. That is the tab key.
In the sample output here, notice the first line says en, the second says enable, and then I entered privileged exec mode. Well, if you press tab, the CLI will automatically complete the word for you, and display the complete word on a new line. However, another convenient thing is that you don’t even need to complete the command.
Here I just typed ‘en’, and hit enter, and I was brought to privileged EXEC mode. This can really save you a lot of typing when you’re entering many commands. There are limits to this, however.
Although ‘en’ was enough for the router to understand that I meant to use the command ‘enable’, that’s because it’s the only command that begins with EN that can be entered in user EXEC mode. If I type just ‘e’, however, we are told that it is an ambiguous command. That’s because there’s more than one command that begins with e.
How can we view the commands that begin with e? Well, remember the question mark from before? If I type e, followed by a question mark, it displays the possible commands that begin with e.
There are two, enable and exit, so if I type just ‘e’ and hit enter, the router doesn’t know which command I want to use. So, the shortest form of the enable command is ‘en’. And, the shortest form of the exit command is ‘ex’.
Now let’s actually make some changes to the router’s configuration. To do so, we enter ‘global configuration mode’. The command to enter configuration mode is configure terminal.
When in global configuration mode, config is inserted after the hostname. Once again, you don’t have to type the whole word. Notice I type con, followed by the question mark, and there are two options, configure and connect.
So, the shortest possible command for configure is conf, c-o-n-f. However, terminal is the only option beginning with T, so all I need to type is CONF T to enter global configuration mode. From now on, in all of my lab demonstrations and such, I will probably be typing conf t instead of configure terminal.
Try to remember that the full command is configure terminal, but also feel free to use the shortcuts. Now, we don’t want just anyone to be able to make changes to the network configuration, or even be able to just look at the configuration, because that could be a security risk. We can protect privileged exec mode with a password, so that if a user enters the ‘enable’ command from user EXEC mode, they are asked for the password.
That is done with the command ‘enable password’ in global configuration mode. First, I want to clarify the use of the question mark. Notice that I used the question mark with no space after password.
Here is the output. If you use the question mark with no space, it shows you all possible completions of that word. I already typed the full word password, so it just displays the word again, and there are no other words that begin with p-a-s-s-w-o-r-d.
Next I used the question mark again, this time with a space after password. Notice the difference in the output. This time it shows all possible options we could enter next in the command.
In this case, I used the middle one. Notice that LINE is in all capital letters. That means that you don’t actually type LINE, you type a line which will become the password.
I typed CCNA in all capitals as the password. Note that passwords ARE case-sensitive, so CCNA in capital letters and ccna in lower-case letters are different passwords. Once again I typed the question mark to check if there are any further options.
This cr means that there are no further options, the only option is to press enter to enter the command. I pressed enter, and now the password is set. Let’s test it.
So, let’s test out our password. I type exit to return to privileged EXEC mode. From privileged exec mode, if I type exit again I am logged out of the device and see the starting screen again.
If I press enter here I am brought back to user exec mode. If I enter the enable command, I am asked for a password. No password displays here, but I am brought to privileged exec mode.
That’s because the password does not display as you type it, for security purposes. Also, note that if you enter the wrong password 3 times, you will be denied access for having ‘bad secrets’. I think everyone has bad secrets of some kind, but in this case it means an incorrect password.
Let’s review what we’ve done so far. In my experience it was difficult to get used to operating in the CLI when I first started learning, so we’ll take it slow and review along the way. Also, make sure to check out the next video after you finish this, which will have you doing these same tasks in Packet Tracer.
Hands-on practice is absolutely essential to get comfortable with the CLI. So, I use the enable command to enter privileged exec mode. From privileged exec mode, I use configure terminal to enter global configuration mode.
In global configuration mode, I use the command enable password CCNA to protect privileged exec mode with a password. Remember, this password is case-sensitive. Then I type exit to return to privileged exec mode.
And exit again to return to user exec mode. I type enable again. Then I enter the password, which isn’t displayed as I type it, and I am brought back into privileged EXEC mode.
We confirmed the function of the password, but let’s take a look at the configuration file itself to check it. First I want to explain the two configuration files kept on the device. As I said, there are two separate configuration files kept on the device at once.
One is the running-config. This is the current, active configuration file on the device. As you enter commands in the CLI, you edit the active configuration.
The startup-config is the configuration file that will be loaded upon restart of the device. If you reload the device, or shut it down and then turn it on later, the startup-config will be loaded. So let’s take a look at the configuration files.
Use the ‘show running-config’ command in global configuration mode to view the running configuration file. There is lots of data in the file by default, so I only included the output up to the command we entered. Here’s the command, enable password CCNA, in the running-config.
How about the startup-config? You can view it with the show startup-config command, however as you can see, at this point it just displays the message ‘startup-config is not present’. This is because we haven’t saved the running configuration yet, so every time we restart the router it will load a default configuration, not the startup-configuration.
Let’s save the configuration file. There are actually three ways you can save the running-configuration, to make it the startup-configuration. All three of these commands are executed from privileged exec mode.
The first is ‘write’. It says building configuration, and then an OK message to indicate that the configuration was saved. The second method is write memory, it performs the same function.
The third command is copy running-config startup-config. This tells the router to copy the running-config file to the startup-config file, again performing the same function as the previous two commands. Now if I use the show startup-config command again, it displays the same configuration as the show running-config command.
Once again, however, this is only the beginning of the output, there is more below. We’ll check it out in the Packet Tracer lab video coming up next. Now, you can see the enable password right here, in plain text.
This is a security risk, because anyone who simply takes a glance at this password knows how to get into privileged exec mode, and then global configuration mode to make changes to the device. Let’s level up the security a bit. You can do so with the ‘service password-encryption’ command in global configuration mode.
Notice I used the short version of configure terminal, conf t, to enter global configuration mode. Remember that all of these commands have shortcuts. I’ll usually use the full command for these instructional videos, but in the labs when I enter the commands live you’ll see me using the shortcuts a lot.
Anyway, the service password-encryption command will encrypt all passwords in a jumble of numbers and letters, so that they cannot be easily read. If I enter the show running-config command again, notice that the password ‘CCNA’ has become 08026F6028. The password itself hasn’t changed, it is still CCNA, only the way it is displayed in the configuration has changed.
Also, you may notice that a 7 has appeared before the password. This number ‘7’ indicates the type of encryption used to encrypt the password. The number 7 means it is using Cisco’s proprietary encryption algorithm, from the service password-encryption command.
Later in this video you will see another number in that place. While using the ‘service password-encryption’ command is more secure than not using it, it’s still not very secure. In this screenshot I simply searched for a cisco type 7 password cracker on google, found this website, and was able to crack the password in a few seconds.
The good news, though, is that there is a more secure enable password that can be used on Cisco devices, with a tougher type of encryption. The more secure method is to use the enable secret command, instead of the enable password command. This time I used a password of Cisco, with an upper-case C.
Once again, this is case-sensitive. Then I view the running configuration once more. However, since I was still in global configuration mode, I typed ‘do’ in front of the command.
This is a convenient trick that allows you to execute privileged exec mode commands like show running-config or show startup-config, in other configuration levels. Also notice I used shortcuts, sh instead of show, and run instead of running-config. Now you can see the enable secret in the running-configuration.
Notice the number 5 before the encrypted password. Number 5 indicates MD5 type encryption, which is much more secure than what we got with the service password-encryption command. It can still be cracked, no password is invincible, but it’s much better.
Also notice that the enable password command remains, it isn’t replaced. However, if both the enable secret and enable password commands are configured, the enable password will be ignored, only the enable secret will be valid. One final note, the ‘service password-encryption’ command has NO effect on the enable secret command.
The enable secret is always encrypted, whether or not you entered the service password-encryption command. So, really you should always use the enable secret, instead of the enable password, as it is more secure. Now I want to show you one more thing in the CLI before we move on to the quiz for today’s video.
That is, how you cancel, or delete, a command that you entered. That is done by typing ‘no’ in front of the command. For example, if I type ‘no’ in front of the service password encryption command, future passwords will no longer be encrypted.
However, as you can see here, passwords which are already encrypted will NOT be decrypted by disabling service password-encryption. If I enter a new password, however, it will be in clear text, NOT encrypted. So, let me summarize the service password-encryption command.
If you enable service password-encryption, current passwords will be encrypted.
Future passwords will also be encrypted. Once again, however, the enable secret will not be affected, it is always encrypted.
If you disable service password-encryption, current passwords will not be decrypted, they will remain encrypted.
Future passwords will not be encrypted, they will remain in clear-text. The enable secret will not be affected, once again it is always encrypted. Let’s review all of the commands and such we learned in this lesson.
First, the different modes of the Cisco CLI we looked at today. First is user EXEC mode, indicated by the greater than sign. Next is privileged exec mode, indicated by a pound, or hashtag.
Finally is global configuration mode, indicated by config in brackets, plus the hashtag. Now let’s review some commands. The first is enable, which is used to enter privileged exec mode.
Next is configure terminal, which is used to enter global configuration mode. Next is enable password, which configures a password to protect privileged exec mode. The next command is service password-encryption, which encrypts the enable password, as well as other passwords which we can configure on the device.
enable secret, which configures a more secure enable password, which is always encrypted. Next is run (ERRATA: should be 'do'), which is used in front of a privileged exec-level command to let you run it in global configuration mode. The next command is no, which is used to remove a command which you previously configured.
Next is show running-config, which displays the current, active configuration file on the device. Show startup-config displays the saved configuration file which will be loaded if the device is restarted. Okay, last three, and these are all used to save the current running configuration and make it the startup configuration.
They are… write, write memory, and copy running-config startup-config. Okay, let’s move on to this video’s quiz, first up, question 1. What kind of cable is used to connect to a Cisco device via the RJ45 console port?
A, rollover cable. B, crossover cable. Or C, USB cable.
Pause the video to think about your answer. The answer is A, rollover cable. Let’s check the answers.
A crossover cable is used to connect two devices (for example switch and switch, or router and router, or router and PC, etc.) via Ethernet. It is not used to connect to a Cisco device via the RJ45 console port.
So b, crossover cable, is incorrect. This picture shows the wiring on an Ethernet crossover cable… Although USB cables can be used to connect to the console of a Cisco device, the USB console port is separate from the RJ45 console port. So c, USB cable, is incorrect.
This photo shows the USB and RJ45 console ports on a Cisco switch… A rollover cable is used to connect to the RJ45 console port on a Cisco device. So A, rollover cable, is the correct answer.
This image shows the wiring in a rollover cable, connecting pin 1 on one side to pin 8 on the other, pin 2 to pin 7, pin 3 to pin 6, etc. Let’s go to Question 2. You type enable to enter privileged exec mode on your Cisco router, however the password you enter is not accepted.
What could be the problem? A, service password-encryption is enabled. B, service password-encryption is disabled.
Or C, Caps Lock is on. Pause the video to think about your answer. The answer is C, caps lock is on.
Let’s check. service password-encryption is irrelevant. It doesn’t change the password itself, only how it is displayed in the configuration.
So A, service password-encryption is enabled, and B, service password-encryption is disabled, are incorrect. Passwords are case-sensitive, so if caps lock is on it could cause you to enter an incorrect password even if you think you’re entering it correctly. So C, caps lock is on, is the correct answer.
Let’s go to question 3. What is the most secure method to protect access to privileged EXEC mode? A, the enable secret command.
B, the enable password command. Or C, the enable password command, with service password-encryption. Pause the video to think about your answer.
The answer is A, the enable secret command. Let’s check. The enable password command configures a plain-text password, which is not secure as it can be easily read.
So B, the enable password, is incorrect. Using service password-encryption encrypts the enable password to make it more secure, but it is a weak form of encryption. So c, enable password with service password-encryption, is incorrect.
The enable secret command configures a password that is automatically encrypted. It uses MD5, a more secure form of encryption than the service password-encryption command. So A, the enable secret command, is the correct answer.
Let’s go to question 4. If both the enable password and the enable secret command are configured, what will happen when you use enable to enter privileged EXEC mode? A, you must enter the enable password, followed by the enable secret.
B, you must enter the enable password only. Or C, you must enter the enable secret only. Pause the video to think about your answer.
The answer is C, you must enter the enable secret only. There’s not much else to explain here, the enable secret always takes precedence over the enable password, and you’ll never be asked to enter both. So C, you must enter the enable secret only, is the correct answer.
Let’s go to the final question. You enter the conf t command to enter global configuration mode. What is the full-length version of the command?
A, configuration time. B, configure terminal. Or C, configuration terminal.
Pause the video to think about your answer. The answer is B, configure terminal. Again, no special explanation is necessary here.
Even though the shortcuts are great to use to reduce the amount of typing you have to do to enter commands, make sure you still know the full-length versions of the commands! In addition to the quiz we just did, there are a couple other supplementary materials to help you remember what you learned. The first is review flash cards, check the link in the description.
These flash cards will be extremely helpful when memorizing all of these commands and how they work. In addition, there will also be a Packet Tracer practice lab, to give you hands-on practice configuring Cisco devices in the CLI. Especially for this video I highly recommend you do the practice lab.
It will really help you get used to the CLI. That lab will be in the next video. Thank you for watching.
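The rules from this lesson about enable password, enable secret and service password-encryption can be checked automatically against a saved configuration. The script below is an added example, not part of the original video or any Cisco tool; the function name, the severity labels and both sample configs are assumptions made for illustration, and the type 5 value is a placeholder rather than a real hash.

```python
import re
from dataclasses import dataclass

# Constructed sample configs (not captured from a real device). The type 7
# string is the one shown in the lesson; the type 5 value is a placeholder.
CONFIG_PLAIN = """\
hostname Router
no service password-encryption
enable password CCNA
"""

CONFIG_TYPE7_AND_SECRET = """\
hostname Router
service password-encryption
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH
enable password 7 08026F6028
"""

# "enable password|secret", an optional numeric type, then the stored value.
# Simplification: the "level" keyword is not handled by this example.
ENABLE_RE = re.compile(r"^enable (password|secret)\s+(?:(\d+)\s+)?(.+)$")


@dataclass
class Finding:
    severity: str
    message: str


def audit_enable_credentials(config_text):
    """Return (effective_credential, findings) for one config text.

    The stored password or hash is never echoed back in a finding.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    # Exact line match, so "no service password-encryption" does not count.
    encryption_on = "service password-encryption" in lines

    creds = {}  # "password" / "secret" -> numeric type (0 = stored as typed)
    for ln in lines:
        m = ENABLE_RE.match(ln)
        if m:
            creds[m.group(1)] = int(m.group(2) or 0)

    findings = []
    if "password" in creds:
        if creds["password"] == 0:
            findings.append(Finding("HIGH", "enable password is stored in clear text"))
        elif creds["password"] == 7:
            findings.append(Finding("MEDIUM", "enable password uses type 7, which is easily reversed"))
        if "secret" in creds:
            findings.append(Finding("LOW", "enable password is ignored because enable secret "
                                           "is set; remove it with 'no enable password'"))
    if "secret" not in creds:
        findings.append(Finding("HIGH", "no enable secret configured; use 'enable secret' "
                                        "instead of 'enable password'"))
    if not encryption_on:
        findings.append(Finding("LOW", "service password-encryption is off; new passwords "
                                       "will be saved in clear text"))

    # The enable secret always takes precedence over the enable password.
    effective = "secret" if "secret" in creds else ("password" if "password" in creds else None)
    return effective, findings


if __name__ == "__main__":
    for name, cfg in (("plain", CONFIG_PLAIN), ("type7+secret", CONFIG_TYPE7_AND_SECRET)):
        effective, findings = audit_enable_credentials(cfg)
        print(f"[{name}] credential checked by 'enable': {effective}")
        for f in findings:
            print(f"  {f.severity}: {f.message}")
```

Run it against the text of show running-config or show startup-config saved to a file; a config with only an enable secret and service password-encryption turned on produces no findings.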