How to Manage and Save Running Config on Cisco Devices

Cisco IOS

The Cisco device stack uses the Internetwork operating system (IOS), which controls the device’s performance and behavior. The Cisco IOS defines an interface called the Command Line Interface (CLI), which enables administrators to enter commands into a terminal emulation program. The CLI can be accessed through three methods: the console, Telnet and Secure Shell (SSH).

Cisco Modes

Users can be logged in to a Cisco device using the following modes:

  • Exec mode (user mode) — Allows the user to look around but not change anything. Accessing the CLI by any of the three methods logs the user into Exec
  • Enable mode (privileged mode or privileged exec mode) — Allows the user to execute privileged commands, such as the reload command, which tells the switch to reboot the Cisco IOS. To enter this mode, the user runs the enable command mode.
  • Global configuration mode — Allows users to enter nondisruptive commands and display some information. Unlike exec and enable mode, configuration mode accepts configuration commands — commands that tell the switch the details of what to do and how to do it. Commands entered in configuration mode update the active configuration file, but the actual changes in configuration take place only after the device reboots. To enter configuration mode, a user executes the configure terminal (conf t) command.

Configuration mode contains several sub-modes. One is interface configuration mode, which can be entered by running the interface FastEthernet 0/1 (int fa0/1) configuration command.

Basic CLI Commands


The show command is one of the most helpful commands because you can find the status of almost every feature of the Cisco IOS. It reads the current configuration from the Cisco device’s RAM and lists the requested settings in the CLI. For example, the show version command displays information about the Cisco IOS version currently loaded on a device.


Like the show command, debug reveals information about the device’s settings. However, instead of just listing the current status, the debug command asks the device to continue monitoring different processes in it and send messages to the user when different events occur, showing the status of settings over time. As a result, the debug command takes more CPU cycles, but it lets you monitor what is happening in a switch in real time. In short, show is for reporting and debug is for monitoring.


The hostname command assigns a network name to the Cisco device.


Use the ? command to get answers to your questions about other commands, such as their syntax and description.

Where Configuration Files are Stored

A Cisco device needs to use the configuration file to do its work. Cisco devices have random-access memory (RAM) to store data from the configuration file while Cisco IOS is using it, but the RAM loses its contents when the device loses power. In order to load all configuration data back after the device loses power, Cisco use several types of more permanent memory. The following list explains the four main types of memory found in Cisco switches or Cisco routers, as well as the most common use of each type:

  • RAM — RAM is used by a Cisco device for working storage. The running configuration file is stored
  • ROM — Read-only memory (ROM) stores a bootstrap program that is loaded when the switch first powers on. This program finds the full Cisco IOS image and loads it into RAM.
  • Flash memory — This memory can be either inside the device or on a removable memory card. Flash memory stores fully functional Cisco IOS images and is the default location where the switch gets its Cisco IOS at boot time. Flash memory also can be used to store other files, including backup copies of configuration files.
  • NVRAM — Nonvolatile RAM (NVRAM) stores the initial or startup configuration file that is used when the Cisco device is powered on or reloaded.

Copying, Erasing and Saving Running Config on Cisco Devices

To change the configuration of a Cisco device, you need to enter configure terminal mode and then use one or more of the following commands.

Rename a device

Use the command hostname newname to change the name of the device to the string you specify.

Save running config on Cisco device

Use the command copy running-config startup-config (copy run start) to overwrite the current startup config file with what is currently in the running configuration file.

Copy files

The copy command can be used to copy files on a Cisco device, such as a configuration file or a new version of the Cisco IOS. Files can be copied between RAM, NVRAM and a TFTP server. The syntax for the copy commands is as follows:

copy {tftp | running-config | startup-config} {tftp | running-config | startup-config}

The first set of parameters in braces is the “from” location; the next set is the “to” location. When a file is copied into NVRAM or a TFTP server, the copy command always overwrites the existing destination file with the new file. However, when the copy command copies a configuration file into the running config file in RAM, the configuration file in RAM is not replaced; it is merged instead.

Erase the contents of NVRAM

You can use three different commands to erase NVRAM: write erase, erase startup-config and erase nvram. All of them erase the contents of the NVRAM configuration file, so if the device is then reloaded, there is no initial configuration and you have to begin initial device configuration.

Note that Cisco IOS does not have a command that erases the contents of the running configuration file. To clear out the running config file, simply erase the startup config file and then reload the device.

Securing Login to Cisco Devices

Cisco devices authenticate users as they log in, but the default configuration uses only simple password security and the enable password command defines the password for the current login. You can help protect enable mode by using the enable secret command instead. The older enable password command stores the password as clear text in the running configuration, and the only way to encrypt it is to use the weak service password-encryption command. The newer enable secret command automatically encodes the password using a Message Digest 5 (MD5) hash.

Initial Configuration of Cisco Devices

Cisco switches leave the factory with the following default settings:

  • All interfaces are enabled.
  • Auto-negotiation is enabled for ports that can use it (duplex auto and speed auto).
  • All interfaces are a part of VLAN 1.

All you have to do with a new Cisco switch is make all the physical connections — Ethernet cables and a power cord — and it starts working.

To configure the switch:

  1. Enter VLAN 1 configuration mode using the interface vlan 1 global configuration command.
  2. Assign an IP address and mask using the ip address ip-address mask
  3. Enable the VLAN 1 interface using the no shutdown
  4. Add the default gateway with ip default-gateway
  5. Add the DNS server using the ip name-server command to resolve names into IP addresses.

After the initial configuration, you can look at the IP address and mask information using the show interface vlan x command, which shows detailed status information about the VLAN interface. If you use DHCP, use the show dhcp lease command to see the leased IP address.

You can see some of the details of the interface configuration using the show running-config command or the handy show interfaces status command, which lists each interface on a single line that shows the first part of the interface description and the speed and duplex settings.

The show port-security interface command lists the configuration settings for port security on an interface, along with several important facts about the current operation of port security, including information about any security violations. The switch can be configured to take one of three actions when a violation occurs using the following command:  switchport port-security violation {protect | restrict | shutdown}. All three options cause the switch to discard the offending frame, but some of the options make the switch take additional actions, such as sending syslog messages to the console, sending SNMP trap messages to the network management station, or disabling the interface.


As you can see, it is very easy to save the running config, copy it to a tftp server and perform the initial configuration for a Cisco device. Before changing the running config, be sure to make a backup.

Jeff is a Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.