Every Cisco network engineer starts their journey at the CLI prompt. Understanding Cisco IOS CLI modes is not just about memorizing prompts—it's about knowing what you can and cannot do at each level. The 200-301 exam tests your ability to navigate and configure devices efficiently, and real-world troubleshooting depends on knowing exactly which mode you're in. This chapter covers the fundamental concept of CLI modes, from user EXEC to global configuration and beyond, forming the bedrock of all IOS operations.
Imagine a large corporate office building with different levels of access. The ground floor lobby is 'User EXEC mode'—anyone can enter, look at the directory (show commands), but cannot change anything. To go deeper, you need a keycard (enable password). The first secured floor is 'Privileged EXEC mode'—you can access more detailed reports and even restart systems (reload). But to change the building's wiring or security systems, you need to enter the 'Global Configuration mode'—a special room with master controls. Once inside, you can modify the building's core settings (hostname, enable secret). However, specific subsystems—like the HVAC or electrical—have their own sub-rooms (interface configuration, line configuration). To enter those, you must first be in the master control room and then specify which subsystem you want to adjust. Each sub-room has its own set of controls (commands). If you want to leave a sub-room, you use 'exit' to go back to the master room, or 'end' to go all the way back to the secured floor. The building's security logs (debug) are only viewable from the secured floor, and changes take effect immediately unless you use a 'commit' mechanism (like in some newer IOS versions). This hierarchy ensures that only authorized personnel make changes, and mistakes are contained within specific areas.
What Are Cisco IOS CLI Modes?
Cisco IOS (Internetwork Operating System) uses a hierarchical command-line interface. Each mode provides a specific set of commands, and you must be in the correct mode to execute them. The modes form a tree: from the most restricted (User EXEC) to the most privileged (Privileged EXEC), and then into configuration modes (Global, Interface, Line, etc.).
Why Modes Exist
Modes enforce security and prevent accidental misconfiguration. A junior technician can be given access to User EXEC to monitor status, while only senior engineers use configuration modes. The hierarchy also organizes commands logically: interface-specific commands are available only when configuring that interface.
The Mode Hierarchy
1. User EXEC Mode (>): The initial mode after login. Identified by the > prompt (e.g., Router>). Allows basic monitoring commands like show, ping, telnet, and traceroute. No configuration changes are permitted.
2. Privileged EXEC Mode (#): Entered by typing enable and providing the enable password or secret. Prompt changes to # (e.g., Router#). Unlocks all EXEC commands, including show running-config, debug, reload, copy, and configure terminal. This is the gateway to configuration.
3. Global Configuration Mode (config)#: Entered by typing configure terminal from Privileged EXEC. Prompt shows (config)# (e.g., Router(config)#). Commands set global parameters: hostname, enable secret, banners, logging, routing protocols (e.g., router ospf 1).
4. Subconfiguration Modes: Entered from Global Configuration mode by specifying a component:
- Interface Configuration Mode: interface GigabitEthernet0/0 → (config-if)#. Configures IP address, speed, duplex, shutdown.
- Line Configuration Mode: line console 0 → (config-line)#. Configures console, vty, aux lines (password, timeout, exec-timeout).
- Router Configuration Mode: router ospf 1 → (config-router)#. Configures OSPF process.
- VLAN Configuration Mode: vlan 10 → (config-vlan)#. Configures VLAN name.
Navigating Between Modes
`exit`: Moves back one mode level (e.g., from interface config to global config).
`end` or Ctrl+Z: Returns directly to Privileged EXEC mode from any configuration mode.
`disable`: Returns from Privileged EXEC to User EXEC.
`logout` or `quit`: Ends the session.
Verification Commands
Use show commands to confirm the current mode and configuration:
Router# show ?
  access-lists    List access lists
  clock           Display the system clock
  running-config  Current operating configuration
  ...
To see the current mode, look at the prompt. There is no specific show mode command, but show running-config | include hostname (from Privileged EXEC) displays the hostname line of the running configuration.
Common Pitfalls
Forgetting `enable`: You cannot configure without entering Privileged EXEC first.
Using `exit` instead of `end`: exit may leave you in a sub-mode you didn't intend.
Typing `configure terminal` from User EXEC: You must be in Privileged EXEC.
Interaction with AAA and Roles
In production, modes integrate with AAA (Authentication, Authorization, Accounting) and Role-Based CLI Access. A user may be assigned a privilege level (0-15). Level 1 is User EXEC, Level 15 is full access. Custom levels can restrict commands even within a mode.
Log into a Cisco Device
Connect via console, SSH, or Telnet. After authentication, you land in User EXEC mode. The prompt ends with `>`. Example: `Switch>`. At this point, you can only run basic monitoring commands like `show version`, `show interfaces`, `ping`, and `traceroute`. You cannot view the running configuration or make any changes. This is the most restrictive operational mode, designed for read-only access.
Enter Privileged EXEC Mode
Type `enable` and press Enter. If an enable password or secret is configured, you will be prompted for it. The prompt changes to `#` (e.g., `Switch#`). This mode unlocks all EXEC-level commands: `show running-config`, `show startup-config`, `debug`, `reload`, `copy`, `write memory`, and `configure terminal`. Think of this as the 'administrator' mode. From here, you can enter configuration modes or perform system-level actions.
Enter Global Configuration Mode
From Privileged EXEC, type `configure terminal` (or `conf t` for short). The prompt changes to `(config)#` (e.g., `Switch(config)#`). Now you can set global parameters like hostname, enable secret, banners, logging, and routing protocol processes. For example: `hostname MyRouter` changes the device name immediately. Commands here affect the entire device.
Enter a Subconfiguration Mode
From Global Configuration mode, specify a component. For example, to configure an interface: `interface GigabitEthernet0/0`. The prompt becomes `(config-if)#`. Now you can set IP address (`ip address 192.168.1.1 255.255.255.0`), enable the interface (`no shutdown`), etc. Similarly, `line console 0` enters line configuration (`(config-line)#`) for console settings. Each sub-mode has its own set of commands.
Return to Higher Mode
Use `exit` to go back one level (e.g., from `(config-if)#` to `(config)#`). Use `end` or press Ctrl+Z to jump directly back to Privileged EXEC (`#`). To go from Privileged EXEC to User EXEC, type `disable`. To log out completely, type `logout` or `exit` at User EXEC. Mastering these navigation commands saves time in exams and labs.
Verify Current Mode and Configuration
Always confirm your mode by checking the prompt. Use `show running-config` (in Privileged EXEC) to see all current settings. For specific sections, use `show running-config | section interface` or `show running-config | include hostname`. The `show` command is context-sensitive: in interface mode, `show this` displays the current interface configuration. This verification step prevents mistakes like configuring the wrong interface.
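The navigation rules in the steps above can be written down as a small state machine. This is an added example, not Cisco code or part of the original chapter: it models only the commands named on this page, treats everything else (including `exit` at an EXEC prompt, which ends the session) as outside the model, and the function names `step` and `walk` are illustrative.

```python
# Added example: a model of the IOS mode transitions described on this page.
USER, PRIV, GLOBAL = ">", "#", "(config)#"

# Keywords that open a sub-configuration mode, mapped to the prompt they produce.
SUBMODES = {"interface": "(config-if)#", "line": "(config-line)#",
            "router": "(config-router)#", "vlan": "(config-vlan)#"}

# Commands the page lists as available only in Privileged EXEC.
PRIV_ONLY = ("show running-config", "show startup-config", "debug", "reload",
             "copy running-config startup-config", "write memory")


def step(mode, command):
    """Return (new_mode, accepted) for one command typed in `mode`."""
    cmd = " ".join(command.lower().split())
    words = cmd.split()
    in_config = mode not in (USER, PRIV)
    if cmd == "enable" and mode == USER:
        return PRIV, True
    if cmd == "disable" and mode == PRIV:
        return USER, True
    if cmd in ("configure terminal", "conf t"):
        # Only reachable from Privileged EXEC, never straight from User EXEC.
        return (GLOBAL, True) if mode == PRIV else (mode, False)
    if cmd == "end" and in_config:
        return PRIV, True
    if cmd == "exit" and in_config:
        # One level up only: sub-mode -> global config -> Privileged EXEC.
        return (PRIV if mode == GLOBAL else GLOBAL), True
    if len(words) > 1 and words[0] in SUBMODES:
        return (SUBMODES[words[0]], True) if in_config else (mode, False)
    if cmd.startswith(PRIV_ONLY):
        return mode, mode == PRIV
    return mode, True  # anything else is outside this model and not judged


def walk(commands, hostname="Router"):
    """Replay commands from User EXEC; return (final_prompt, rejected)."""
    mode, rejected = USER, []
    for command in commands:
        prompt = hostname + mode
        mode, ok = step(mode, command)
        if not ok:
            rejected.append((prompt, command))
    return hostname + mode, rejected
```

Each entry in `rejected` pairs the prompt that was showing with the command typed there, which is the same check the chapter asks you to do by eye before pressing Enter.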
In enterprise networks, CLI modes are the daily reality for network engineers. Consider a scenario where a new switch is being deployed. The engineer connects via console, sees Switch>, types enable (default password often blank on new devices), then configure terminal. They set the hostname, enable secret, and VLANs. Without understanding modes, they might try to set an IP address on an interface while still in global config mode—that won't work. They must enter interface vlan 1 first.
Another scenario: troubleshooting a down interface. The engineer logs in, goes to Privileged EXEC, and runs show interfaces GigabitEthernet0/1. The output shows 'administratively down'. To fix it, they enter global config, then interface config, and type no shutdown. After exiting back to Privileged EXEC, they verify with show interfaces GigabitEthernet0/1 | include line protocol.
In large networks with hundreds of devices, engineers use scripts or tools like Ansible that automate entering these modes. But when manual intervention is needed, knowing the exact sequence is critical. Misconfigurations often happen when an engineer forgets to exit a sub-mode and applies a global command to a specific interface (e.g., typing shutdown in interface mode instead of global config). The prompt is the safeguard.
Performance considerations: The mode hierarchy is lightweight—no performance impact. However, using debug commands (only available in Privileged EXEC) can severely impact CPU. Always disable debugging with undebug all when done.
The most common operational mistake is forgetting to save the configuration. After making changes, the engineer must copy the running configuration to the startup configuration using copy running-config startup-config or write memory. This is only possible from Privileged EXEC. If they log out without saving, all changes are lost on reload.
The CCNA 200-301 exam does not have a specific objective number for CLI modes, but it is foundational for all configuration and troubleshooting tasks. Expect questions that require you to know which mode a command belongs to, or what prompt you will see after a specific sequence.
Common Wrong Answers:
1. Confusing User EXEC with Privileged EXEC: Candidates see > and think they can configure. The exam will test that show running-config requires # mode.
2. Thinking `exit` always returns to Privileged EXEC: In subconfiguration modes, exit goes to global config, not directly to Privileged EXEC. The exam may ask: 'After typing exit in interface config mode, what prompt do you see?' Answer: (config)#.
3. Forgetting that `end` or Ctrl+Z works from any config mode: Candidates might use multiple exit commands, wasting time.
4. Mixing up `enable` and `configure terminal`: enable gets you to Privileged EXEC; configure terminal gets you to global config from Privileged EXEC.
Specific Values/Commands:
- The enable password is stored in the configuration in plaintext (or with weak type 7 encryption), whereas enable secret is stored as an MD5 hash. The exam expects you to know that enable secret overrides enable password.
- The default privilege level for User EXEC is 1, for Privileged EXEC is 15.
- show privilege displays the current privilege level (e.g., 1 or 15).
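The precedence rule above can be checked against a saved configuration. This is an added example, not part of the original chapter or any Cisco tool: `audit_enable` is an illustrative name, the sample config is constructed with placeholder strings, and the type 8 and 9 labels come from Cisco's password type numbering rather than from this page.

```python
import re

# Matches "enable secret 5 <hash>", "enable password 7 <string>", "enable password <clear>".
ENABLE_RE = re.compile(r"^enable (secret|password)(?: (\d))? (\S+)$")

# Cisco password type numbers after "enable secret" (5 is the MD5 type the page describes).
SECRET_TYPES = {"5": "MD5", "8": "PBKDF2-SHA256", "9": "scrypt"}


def audit_enable(config_text):
    """Report which enable credential is effective and how it is stored.

    Returns a dict with 'effective', 'storage' and 'findings'; the credential
    value itself is never returned.
    """
    secret_type = password_type = None
    has_secret = has_password = False
    for raw in config_text.splitlines():
        m = ENABLE_RE.match(raw.strip())
        if not m:
            continue
        kind, type_digit, _value = m.groups()
        if kind == "secret":
            has_secret, secret_type = True, type_digit
        else:
            has_password, password_type = True, type_digit

    findings = []
    pw_storage = "type 7 (weak encryption)" if password_type == "7" else "plaintext"
    if has_secret:
        effective = "enable secret"
        storage = SECRET_TYPES.get(secret_type, "unknown type")
        if has_password:
            findings.append("enable password is overridden by enable secret but "
                            "remains in the config as " + pw_storage)
    elif has_password:
        effective, storage = "enable password", pw_storage
        findings.append("no enable secret: Privileged EXEC is protected only by "
                        "an enable password stored as " + pw_storage)
    else:
        effective = storage = None
        findings.append("no enable password or enable secret configured")
    return {"effective": effective, "storage": storage, "findings": findings}


# Constructed sample running-config fragment; the hash and type 7 strings are placeholders.
SAMPLE = """hostname Router
enable secret 5 $1$CONSTRUCTED$placeholderhashvalue
enable password 7 CONSTRUCTED7
line console 0
"""
```

When the shadowed-password finding appears, removing the leftover line with `no enable password` leaves the enable secret as the only stored credential.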
Decision Rule: When asked 'What command must be executed before...', always check if the action requires configuration. If yes, the sequence is: log in (User EXEC) → enable → configure terminal → sub-mode if needed. If the question involves saving, the final step is copy running-config startup-config from Privileged EXEC.
Elimination Strategy: Look at the prompt in the question. If it ends with >, the candidate cannot configure. If it ends with #, they can configure but must enter configure terminal first. If it ends with (config)#, they can set global parameters. This logic eliminates wrong answers quickly.
User EXEC mode prompt ends with >, only allows basic show and ping commands.
Privileged EXEC mode prompt ends with #, entered via enable command.
Global Configuration mode prompt ends with (config)#, entered via configure terminal.
Subconfiguration modes like (config-if)# are entered from global config mode.
Use exit to move back one mode level, end or Ctrl+Z to return to Privileged EXEC.
The enable secret command uses MD5 hashing and overrides enable password.
Default privilege levels: User EXEC = 1, Privileged EXEC = 15.
These come up on the exam all the time. Here's how to tell them apart.
User EXEC Mode
Prompt ends with >
Accessible directly after login
Limited show commands (e.g., show version)
Cannot view running-config
Cannot enter configuration modes
Privileged EXEC Mode
Prompt ends with #
Entered via enable command
All show commands including running-config
Can execute debug, reload, copy
Gateway to all configuration modes
Mistake
You can enter global configuration mode directly from User EXEC mode.
Correct
You must first enter Privileged EXEC mode using the enable command, then type configure terminal.
New users think configure terminal is available from the initial prompt because they see it in examples.
Mistake
The exit command always returns to Privileged EXEC mode.
Correct
Exit returns to the previous mode. From interface config, exit goes to global config; from global config, exit goes to Privileged EXEC.
Candidates assume exit is a universal 'go back to top' command, but it only goes back one level.
Mistake
The enable password and enable secret are interchangeable and can be used together.
Correct
If both are configured, enable secret takes precedence. The enable password is stored in plaintext (or weak encryption), while enable secret uses MD5 hash.
Older IOS versions only had enable password, but enable secret was added for security. Many think they both work equally.
Mistake
You can save the running configuration to startup-config from any mode.
Correct
The copy running-config startup-config and write memory commands are only available in Privileged EXEC mode.
Candidates may try to save from global config mode and get an invalid command error, thinking the command syntax is wrong.
The enable password is an older method that stores the password in plaintext in the configuration (or weakly encrypted with type 7). Enable secret uses MD5 hashing and is more secure. If both are configured, enable secret takes precedence. On the CCNA exam, always choose enable secret when asked about security. The command is 'enable secret <password>'.
No. 'exit' moves back one mode level: from interface config to global config. To go directly to Privileged EXEC, use 'end' or press Ctrl+Z. This is a common trap on the exam. Remember: exit = one step back, end = all the way back to #.
The prompt ends with '(config)#'. For example, 'Router(config)#'. If you see 'Router(config-if)#', you are in interface configuration mode. The parentheses and the word after 'config' indicate the sub-mode. Always check the prompt before issuing commands.
Use the 'show running-config' command. This command is only available in Privileged EXEC mode (prompt #). If you are in User EXEC (>), you must first type 'enable'. If you are in a configuration mode, use 'end' to return to Privileged EXEC first.
It enters global configuration mode from Privileged EXEC. Once in this mode, you can change global settings like hostname, enable secret, banners, and routing protocols. You can also enter subconfiguration modes for interfaces, lines, etc. Without this command, you cannot make any configuration changes.
Yes, 'write memory' is a legacy command that does the same thing. It is still supported in modern IOS. Both commands save the current running configuration to startup-config. They are only available in Privileged EXEC mode. On the exam, either is acceptable, but 'copy running-config startup-config' is more explicit.
You will exit directly to Privileged EXEC mode. The prompt will change from 'Switch(config-if)#' to 'Switch#'. This is the fastest way to return to the top level. Use 'end' when you are done with configuration and want to verify or save.