Which command places the switch in global configuration mode?
You’ve probably been staring at a blinking cursor on a network switch and wondering how to get to the right place to start typing your first command. If you’re working with Cisco IOS, the answer is simple: type configure terminal (or the shorthand conf t). But that’s just the tip of the iceberg. Let’s dig into what global configuration mode actually is, why it matters, and how to avoid the common pitfalls that trip up even seasoned pros.
What Is Global Configuration Mode
In the world of switches, you’re constantly juggling several layers of configuration. Think of the command line as a set of rooms: the user EXEC mode is the front desk, the privileged EXEC mode (the “enable” prompt) is the manager’s office, and global configuration is the boardroom where you make the big decisions.
When you’re in global configuration mode, every command you type affects the device as a whole—unless you’re in a specific sub‑interface or VLAN configuration block. It’s the place where you define hostnames, enable features, set passwords, and create VLANs that will be visible across the entire switch.
How It Differs From Other Modes
| Mode | Prompt | Typical Tasks |
|---|---|---|
| User EXEC | `Switch>` | Basic monitoring (show commands) |
| Privileged EXEC | `Switch#` | Full control, but still outside the configuration tree |
| Global Configuration | `Switch(config)#` | System‑wide settings, feature enablement |
| Interface / VLAN | `Switch(config-if)#` or `Switch(config-vlan)#` | Settings that apply to a single interface or VLAN |
Knowing which mode you’re in is critical because a command that works in one mode might be ignored or even cause an error in another.
Why It Matters / Why People Care
You might think “I’ll just type the command I need and call it a day.” But if you’re in the wrong mode, your command won’t stick. Imagine configuring a new VLAN on the user prompt—nothing happens, and you’re left scratching your head. Or worse, you’re in global config and accidentally enable a feature that you didn’t intend to, causing a network outage.
In practice, the global configuration mode is where the switch’s personality is defined. A mis‑typed command here can ripple across the network: wrong VLAN assignments, misconfigured spanning‑tree settings, or even security holes. That’s why the community places a lot of emphasis on mastering the entry into this mode.
How It Works (or How to Do It)
1. Log In and Enter Privileged EXEC
First, you need to be at the privileged prompt (Switch#). If you’re only at the user prompt (Switch>), type:
enable
You’ll be prompted for a password. Once you’re in, the prompt changes to Switch#.
2. Switch to Global Configuration
From the privileged prompt, enter:
configure terminal
or its shorthand:
conf t
You’ll see the prompt change to Switch(config)#. That’s your green light to start making system‑wide changes.
3. Verify You’re in the Right Mode
A quick sanity check: type `show running-config | section hostname`. If you’re in global config, the command will return the current hostname. If you’re in a sub‑mode, you’ll get an error or a different output.
4. Exit Back to Normal
When you’re done, type:
end
or press Ctrl+Z. The prompt will return to Switch#.
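The mode checks from steps 1 to 4, as an added Python example (not part of the original article): it classifies a prompt string using the prompt shapes from the mode table and returns the commands needed to reach `Switch(config)#`. The function names and the `expected_host` guard are assumptions made for illustration.

```python
import re

# Prompt shapes from the mode table: Switch>  Switch#  Switch(config)#  Switch(config-if)#
PROMPT_RE = re.compile(
    r"^(?P<host>[\w.\-]+)(?:\((?P<ctx>config(?:-[\w\-]+)?)\))?(?P<end>[>#])$"
)


def classify_prompt(prompt):
    """Return (hostname, mode) for an IOS-style prompt, or raise ValueError."""
    m = PROMPT_RE.match(prompt.strip())
    if not m:
        raise ValueError(f"unrecognized prompt: {prompt!r}")
    host, ctx, end = m.group("host", "ctx", "end")
    if ctx is None:
        return host, "user-exec" if end == ">" else "privileged-exec"
    if end != "#":
        raise ValueError(f"configuration prompt must end in '#': {prompt!r}")
    if ctx == "config":
        return host, "global-config"
    return host, "sub-config:" + ctx[len("config-"):]


def commands_to_global_config(prompt, expected_host):
    """Commands to send so the session ends up at <host>(config)#."""
    host, mode = classify_prompt(prompt)
    # Refuse to continue if the session is on a different device than intended.
    if host != expected_host:
        raise RuntimeError(f"connected to {host!r}, expected {expected_host!r}")
    if mode == "user-exec":
        return ["enable", "configure terminal"]
    if mode == "privileged-exec":
        return ["configure terminal"]
    if mode == "global-config":
        return []
    # Sub-mode: nesting depth is not visible in the prompt, so reset with "end".
    return ["end", "configure terminal"]


if __name__ == "__main__":
    for p in ["Switch>", "Switch#", "Switch(config)#", "Switch(config-vlan)#"]:
        print(p, classify_prompt(p)[1], commands_to_global_config(p, "Switch"))
```
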
Common Mistakes / What Most People Get Wrong
- Forgetting to `enable` first – If you’re still at `Switch>`, `configure terminal` will refuse you. Always start with `enable`.
- Using the wrong shorthand – Some people type `conf` instead of `conf t`. The former won’t work; the latter is the accepted shortcut.
- Assuming you’re in global config when you’re in a sub‑mode – After creating a VLAN with `vlan 10`, you’re dropped into `Switch(config-vlan)#`. To exit, you need `exit` twice, not just once.
- Editing the wrong file – `configure terminal` edits the running-config. If you need to persist changes, remember to `write memory` or `copy running-config startup-config`.
- Mixing Cisco and Huawei syntax – On Huawei devices, the command is `system view`. Mixing the two will lead to confusion and frustration.
Practical Tips / What Actually Works
- Keep a cheat sheet. A quick reference card with `enable`, `configure terminal`, `end`, and `write memory` saves time during troubleshooting.
- Use `terminal length 0`. When you’re pulling long config outputs, this prevents paging and lets you scroll freely.
- Use `show running-config`. After making a change, always verify it’s there. It’s the fastest sanity check.
- Remember `no` commands. To delete a setting, prepend `no` to the command you want to reverse. For example, `no vlan 10` removes VLAN 10.
- Pinpoint errors with `debug`. If a command hangs, `debug all` can reveal why, but use it sparingly—debug can flood your console.
FAQ
Q1: What if I’m using a switch from a different vendor?
A1: Vendors differ. Huawei uses system view, Juniper uses configure, and Aruba uses configure. Always check the vendor’s documentation.
Q2: Can I skip the enable step?
A2: No. The enable command is the gateway to privileged EXEC, which is required to enter global configuration. Without it, you’re stuck at the user level.
Q3: Is configure terminal the same as conf t on all platforms?
A3: On Cisco IOS and many derivatives, yes. Some older or specialized platforms may not support the shorthand, so it’s safer to use the full command.
Q4: How do I save my configuration after exiting global mode?
A4: Use write memory or copy running-config startup-config. This writes the current running config to NVRAM so it survives reboots.
Q5: What happens if I accidentally delete the wrong configuration?
A5: If you delete the wrong line, you can usually recover by re‑entering the command. If you delete critical settings like VLANs or passwords, you may need to re‑configure or restore from a backup.
Closing
Getting into global configuration mode is a rite of passage for anyone who wants to tinker with switches. It’s the command that unlocks the device’s full potential, but it also carries responsibility. Treat it with respect, double‑check your prompts, and you’ll be on your way to mastering your network’s backbone. Happy configuring!
6. Common Pitfalls When Leaving Global Config Mode
Even after you’ve successfully entered configure terminal, the work isn’t done. The next step—exiting cleanly—can be just as error‑prone as getting in.
| Symptom | What’s really happening | Fix |
|---|---|---|
| “% Invalid input detected at ‘#’” when you type `exit` | You’re still in a sub‑mode (e.g., interface, line, or router config) and the parser expects a command that belongs to that context. | Type `end` to jump straight back to privileged EXEC, or issue enough `exit` commands to climb the hierarchy. |
| Changes disappear after a reboot | You edited the running configuration but never saved it. | Save with `write memory` or `copy running-config startup-config`. |
| Prompt returns to `Switch>` instead of `Switch#` | You inadvertently typed `disable` or logged out of privileged EXEC. | Re‑enter `enable` and supply the enable secret/password. |
| `terminal length 0` has no effect | You’re in a sub‑mode that overrides the global terminal settings (e.g., line console). | |
| `conf t` is not recognized on a non‑Cisco device | The device uses a different CLI syntax. | Consult the vendor’s command reference; for Huawei it’s `system view`, for Juniper it’s `configure`, etc. |
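An added example (not from the original article) for the "changes disappear after a reboot" symptom: it compares the text of `show running-config` and `show startup-config` hierarchically and lists what has not been saved. The sample outputs are constructed, and the function names are illustrative.

```python
import re

# Header lines that differ between the two outputs without any config change.
VOLATILE = re.compile(
    r"^(Building configuration|Current configuration\s*:|Using \d+ out of \d+ bytes)"
)


def parse_config(text):
    """Return a set of (parent, ..., line) paths; indentation gives the hierarchy."""
    paths, stack = set(), []  # stack: (indent, line) of the enclosing blocks
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, "!" separators and comments, the trailing "end", and headers.
        if not line or line.startswith("!") or line == "end" or VOLATILE.match(line):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, line))
        paths.add(tuple(entry for _, entry in stack))
    return paths


def unsaved_changes(running, startup):
    """Return (only_in_running, only_in_startup) as sorted lists of paths."""
    run, start = parse_config(running), parse_config(startup)
    return sorted(run - start), sorted(start - run)


# Constructed sample output, not captured from a real device.
RUNNING = """Building configuration...
Current configuration : 1432 bytes
!
! Last configuration change at 10:02:11 UTC Mon Jan 1 2024
hostname Switch
vlan 20
 name Marketing
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
end
"""
STARTUP = """Using 1391 out of 65536 bytes
!
hostname Switch
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
end
"""

if __name__ == "__main__":
    pending, stale = unsaved_changes(RUNNING, STARTUP)
    for path in pending:
        print("+", " / ".join(path))  # in running-config only: lost on reload
    for path in stale:
        print("-", " / ".join(path))  # in startup-config only: returns on reload
```
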
7. Automation Friendly Ways to Jump Into Global Config
If you’re managing dozens of switches, typing the same sequence over and over is a recipe for fatigue and mistakes. Here are three automation‑friendly approaches that still respect the “enter‑global‑config‑mode” principle.
- Expect Scripts (Linux/macOS/Windows Subsystem for Linux)

  ```expect
  #!/usr/bin/expect -f
  # Passwords are inline for illustration; load them from a protected source in real use.
  set timeout 10
  spawn ssh admin@10.0.0.1
  expect "Password:"
  send "mySecret\r"
  # User EXEC prompt: elevate to privileged EXEC.
  expect ">"
  send "enable\r"
  expect "Password:"
  send "enableSecret\r"
  # Privileged EXEC prompt: enter global configuration mode.
  expect "#"
  send "configure terminal\r"
  expect "(config)#"
  # Insert any configuration lines here, e.g.:
  send "interface vlan 10\r"
  send "ip address 192.168.10.1 255.255.255.0\r"
  send "no shutdown\r"
  # Leave configuration mode, then persist the running-config.
  send "end\r"
  send "write memory\r"
  expect "#"
  send "exit\r"
  expect eof
  ```

  The script logs in, elevates, drops into global config, pushes a handful of commands, saves, and exits—all without a single manual keystroke.
- Ansible Network Modules

  Ansible’s `ios_config` (or `eos_config`, `junos_config`, etc.) abstracts the “enter config mode” step. You simply declare the desired lines:

  ```yaml
  - name: Configure VLAN 20 on Cisco switches
    ios_config:
      lines:
        - vlan 20
        - name Marketing
      save_when: changed
  ```

  Ansible handles the `enable` prompt, the `configure terminal` entry, and the final `write memory` for you.

- Cisco Embedded Event Manager (EEM) Scripts

  For on‑device automation, EEM can trigger a config change based on an event (e.g., a syslog message):

  ```
  event manager applet auto_vlan
   event syslog pattern "LINK-3-UPDOWN"
   action 1.0 cli command "enable"
   action 2.0 cli command "configure terminal"
   action 3.0 cli command "interface $_syslog_msg_interface"
   action 4.0 cli command "switchport mode access"
   action 5.0 cli command "switchport access vlan 30"
   action 6.0 cli command "end"
   action 7.0 cli command "write memory"
  ```

  The device itself decides when to enter global config, eliminating human latency entirely.
8. Best‑Practice Checklist (One‑Page Summary)
| ✅ | Item |
|---|---|
| 1 | Verify you have privileged EXEC (`Switch#`). |
| 2 | Confirm you’re on the correct device (IP, hostname). |
| 3 | Enter global config with `configure terminal` (or vendor‑specific equivalent). |
| 4 | Make atomic changes—one logical block at a time. |
| 5 | Use `no` to undo unwanted statements rather than deleting large sections. |
| 6 | Immediately verify with `show running-config` or a targeted `show` command. |
| 7 | Persist the change: `write memory` / `copy running-config startup-config`. |
| 8 | Exit cleanly with `end` → `exit` or `logout`. |
| 9 | Document the change in your change‑management system. |
| 10 | Keep a CLI cheat sheet on your terminal or in a password manager note. |
9. When Things Still Go Wrong
Even seasoned network engineers occasionally hit a wall. Here’s a quick “triage” flow:
- Prompt not changing?
  - Check the console cable/SSH session for line‑mode issues.
  - Re‑authenticate; sometimes a stale session loses privileged rights after a timeout.
- `configure terminal` returns an error
  - Verify the device isn’t in ROMMON or bootloader mode.
  - Confirm you’re not on a StackWise member that’s offline.
- Changes are rejected
  - Look for `% Invalid input` messages; syntax may be wrong for that IOS version.
  - Use `?` for context‑sensitive help.
- Device reboots after a config change
  - Check for `boot config` overrides or a corrupted NVRAM image.
  - Restore from a known‑good backup if the running config can’t be saved.
- Unable to save (`write memory` fails)
  - Verify there’s enough free space in NVRAM (`dir flash:`).
  - Look for a read‑only filesystem flag caused by a failed power cycle.
If all else fails, capture the console output (terminal monitor), copy it into a ticket, and involve a senior engineer. The CLI is deterministic; the missing piece is usually a tiny oversight.
Conclusion
Entering global configuration mode (`configure terminal`) is more than a rote command—it’s the gateway that transforms a passive network appliance into a fully programmable building block. By understanding the underlying privilege levels, respecting the hierarchy of sub‑modes, and consistently saving your work, you avoid the most common “I broke the network” moments. Pair the command with a disciplined workflow: cheat‑sheet at hand, verification after every edit, and a habit of persisting changes. Whether you’re typing manually, scripting with Expect, or automating with Ansible or EEM, the same principles apply: gain privileged access, enter the correct configuration context, make precise changes, verify, save, and exit cleanly.
Master this sequence, and you’ll find that the once‑intimidating “global config” prompt becomes a familiar launchpad for every network enhancement you need to implement. Happy configuring!
10. Best‑Practice Checklist for Every configure terminal Session
| ✅ Item | Why It Matters | Quick Test |
|---|---|---|
| Log into a dedicated admin account | Reduces the risk of privilege creep and makes audit trails clearer. | `show running-config \| …` |
| Enable `logging console` | Gives you a timestamped record of every command you type. | `show logging` |
| Activate `archive` with `log config` | Automatically snapshots every change to a syslog server or local flash. | `show archive` |
| Lock the session with `exec-timeout 0 0` (or a short timeout) | Prevents an idle privileged shell from being hijacked. | `show running-config \| …` |
| Use context‑sensitive help (`?`) before pressing Enter | Catches typos early and shows version‑specific syntax. | Type `interface ?` |
| Validate with `do show running-config` after each logical block | Guarantees the change landed where you expect it. | `do show run interface Gi1/0/5` |
| Commit to NVRAM only after a successful verify | Guarantees you won’t lock yourself out with a bad config. | `write memory` → `verify /md5` |
| Document the change in the ticketing system before you exit | Provides traceability for compliance audits. | Copy‑paste `show run \| …` |
| Take a post‑change backup | A safety net if the next change unintentionally reverts your work. | `copy running-config flash:postchange-$(date +%F).cfg` |
| Close the session with `end` → `exit` | Guarantees you leave the device in a clean state. | Observe the prompt return to `>` or `#`. |
11. Automation Friendly Alternatives
While the manual `configure terminal` workflow is indispensable for ad‑hoc troubleshooting, most production environments benefit from repeatable, code‑driven changes. Below are three common approaches that still respect the “enter global config” paradigm, but offload the repetitive typing to a tool.
| Tool | How It Maps to `configure terminal` |
|---|---|
| Ansible (network_cli) | Ansible opens an SSH session, escalates to enable, then issues config mode commands automatically. |
| Python + Netmiko / NAPALM | Scripts establish an SSH channel, invoke `enter_config_mode()`, push a list of commands, then `exit_config_mode()` and `save_config()`. |
| Cisco EEM (Embedded Event Manager) | EEM policies can trigger a `cli command "configure terminal"` block when a specific event occurs (e.g., link down). |

Example snippet (Python + Netmiko):

```python
from netmiko import ConnectHandler

dev = {'device_type': 'cisco_ios', 'host': '10.10.10.1', 'username': 'admin', 'password': 'cisco'}
with ConnectHandler(**dev) as net:
    net.enable()           # user EXEC -> privileged EXEC
    net.config_mode()      # privileged EXEC -> global configuration
    net.send_config_set(['interface Loopback0', 'ip address 10.0.0.1 255.255.255.255'])
    net.exit_config_mode()
    net.save_config()      # persist running-config to startup-config
```

Example snippet (Cisco EEM):

```
event manager applet link-down
 event syslog pattern "LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet1/0/1"
 action 4.0 cli command "shutdown"
```
Key takeaway: Even when you automate, the underlying device still expects you to enter configuration mode. Understanding the manual steps makes it easier to debug failed playbooks or scripts.
12. Security Hardening Tips Specific to Config Mode
- Limit `privilege exec` levels – Assign only the needed commands to a role.
- Enable AAA local authentication and point to an external RADIUS/TACACS+ server for audit trails.
- Disable `service password-encryption` if you store clear‑text passwords in a secure vault; otherwise, keep it on to avoid accidental exposure in `show run`.
- Use `no logging console` on production devices to prevent sensitive command output from appearing on the console port.
- Apply `command authorization exec level` to restrict who can even type `configure terminal`.
13. Common Gotchas Across IOS Variants
| IOS Family | Gotcha | Fix |
|---|---|---|
| IOS XE (Catalyst 9000) | `configure terminal` is sometimes aliased to `conf t` but the alias may be disabled in a custom banner. | Use the full command or re‑enable the alias with `alias exec conf t configure terminal`. |
| IOS XR | Global config mode is entered with `configure` (no `terminal`). | Remember: `configure` → `commit` → `exit`. |
| NX‑OS | The prompt changes to `config` instead of `config‑term`. | Same syntax (`configure terminal`) works, but the prompt is different. |
| ASA | `configure terminal` drops you into a policy context if you’re already in a class‑map. | Use `exit` until you reach the global config prompt (`#`). |
Final Thoughts
The phrase “enter global configuration mode” may seem like a simple technical step, but it encapsulates a disciplined mindset: gain the right level of privilege, operate in the correct hierarchical context, make deliberate edits, verify them, and lock them down permanently. By internalising the checklist, the troubleshooting flow, and the security hardening measures outlined above, you’ll reduce the likelihood of accidental outages, keep audit trails clean, and make life easier for anyone who inherits your configuration.
Whether you’re typing commands line‑by‑line on a console cable, scripting them with Python, or orchestrating large‑scale changes via Ansible, the same fundamentals apply. Master them, and you’ll find that the “configure terminal” prompt transforms from a source of anxiety into a powerful, predictable gateway to every feature your Cisco device offers.
Happy configuring—may your configs be clean, your commits be saved, and your network always stay up.