Switch and Router Memory
The memory sections and functions discussed in this section are the same for switches and routers, but to avoid saying “switches and routers” 300 times, we’ll just say “switches”.
Of the following, take note of which ones lose their contents on a reload and which do not.
ROM : Read-Only Memory
ROM stores the switch’s bootstrap startup program, operating system software, and power-on diagnostic test programs (POSTs).
Flash Memory:
Generally referred to as “flash”, you’ll find the IOS images here. Flash is erasable and reprogrammable ROM. Flash content is retained on a reload.
RAM: Random-Access Memory
Stores operational information such as routing and switching tables and the running configuration file. RAM contents are lost when the router is powered down or reloaded.
(The running config file is the latest overall version of the config file)
NVRAM: Non-Volatile RAM
NVRAM holds the router’s startup configuration file. NVRAM contents are not lost on a reload.
(The startup config file is the latest saved version of your config file. So if you’ve made changes and saved them, the contents of your startup config file and your running config file will be the same. If you have made changes and not saved them, the running config file and the startup config file will have different contents; they are separate files in any case.)
Quick note: if you try to reload after making changes you have not yet saved, the switch will ask whether you want to save those changes.
The Boot Process
When a Cisco switch powers up, it runs a series of POSTs (Power-On Self Tests). A POST is a diagnostic designed to verify the basic operation of the network interfaces, memory, and CPU.
Here are some of the POST results I saw when reloading our freshly-erased switch:

Note: you can see most of the POSTs the device runs, not all of them!
POSTs are effective in detecting major issues early in the boot process. If the POST detects a critical problem that would cause the router to overheat after booting (a broken fan, perhaps), these things will happen:
- The POST will fail
- The device tells you exactly what POST failed.
- The boot process stops.
- Your stomach hurts!
Assuming all the POSTs pass, the switch looks for a source from which to load a valid Internetwork Operating System (IOS) image. The router has three sources from which it can load an IOS image, and it looks for the image in this order:
- Flash (the default location)
- TFTP (Trivial File Transfer Protocol) server (which can be another device in your network; a Cisco router can serve as a TFTP server)
- Read-Only Memory (ROM)
Note: We can change this order later.
Back to the boot! Once the IOS image is found, the router looks for a valid startup configuration file. The order of that search is:
- NVRAM
- TFTP Server (whether it’s a router or a switch)
- You’re prompted with the system configuration dialog (the last resort).
Setup Mode — One Way in, Two Ways Out
The switch we are working with doesn’t have a startup config file because we erased it from NVRAM before reloading the switch. As you can see below, it first gives you some hardware information and then a bunch of interface-related messages.


Now we are prompted with a question about the system configuration dialog.
This prompt is trying to get us into setup mode, which is a way of setting up the switch via a series of questions. We could go to the command line and just configure from there, which is probably what we’re going to end up doing, but I want you to see this and also want you to know how to get out of it if you want to.

Now it’s asking for the enable secret (we’ll talk about it later), and we can’t skip it with the ENTER or ESC keys.


Here is my current interface summary.
How can we get out of it now? ESC doesn’t do anything!
Actually, it told us earlier how to abort!

If it still didn’t work, just type “VLAN1” and then ctrl-c.
Then you’ll see these options:

We hit 0 because we want to go back to the IOS command prompt.
And if for some reason you want to go back to setup mode, you can do it by typing “enable” and then “setup”.

And again, we can hit ctrl-c to escape.

And if you’ve made changes, it’s going to give you a message that says that configuration changes weren’t saved.
Enable Secret and Enable Password
What happens after logging out of a switch if we want to come back and log in?

Note: We already changed the host name to SW1.
This means that we are in “user exec mode”. You can’t do any configuration at all.
We’ve got to at least get into “enable mode” (or “privileged exec mode”).
We may want to put password protection on enable mode, though (to prevent others from erasing the switch, or from deleting vlan.dat, the file holding all the VLAN information, and reloading to re-initialize the switch).
We can protect enable mode with both the “enable secret” and “enable password” passwords, and when you configure both, the “enable secret” always takes precedence over the “enable password”.
Then we do a quick save and then we’re going to log out.

Then we again will see this screen:
When we press RETURN, that would be user exec.

The password comes in when you enter “enable”!
So we can get into user exec, but we can’t get into privileged exec without that enable password.
It won’t accept the enable password! You’ll get a “Bad secrets” message, which tells you to enter the enable secret.

Let’s do a ‘show run’ (short for show running-config) here.

As you see, the enable secret takes precedence over the enable password, and you also see a string of characters instead of the real enable secret password (it’s the encrypted version of it). The number 5 refers to the encryption level. The levels are 0-7 (0 is a clear-text password).
Note: this encryption is very easy to break.
Console Port Protection with One Password
At the end of the process, you’ll see this on the screen:

Line con 0 refers to console port 0 which we also saw on the screen when we logged out.
If we want to protect the switch at the physical level, that’s line con 0 (the console port connection).
Any network hardware has a console port. It looks like this:

Usually on a Cisco device it’s off by itself on the back, and NOT next to other ports like you see here, where it sits next to an internal port.
Let’s go back to our configuration. There is no password protection on our console port. Here’s what we’ll do:

Now if we log out, we’ll get this:

Which password should we enter?
‘User Access’ tells you that we need to get into the console. So we’ll enter ‘basketball’ (it won’t be displayed as you type).
Then we’ll go to enable mode. It’ll ask for another password. Which one should we enter?
We enter ccna which was our enable secret.
If you’re looking at the config of the switch and you didn’t know what this was, would you know what to put in? No!

Now if we enter “show config”, we’ll see this at the end:

A single password in a console port is better than none, but there are some things to consider with this protection plan:
- There is no accountability, since no username is asked for.
- A password is easier to crack than a username/password combination.
- Passwords are shared by humans who shouldn’t share them.
We’re better off protecting the console port with unique username/password combos, and that’s just what we’ll do by creating a database of usernames and passwords right on the switch (so it’s called the local database, and it’s used to authenticate people). Don’t let “database” intimidate you; this is the easiest database you’ll ever work with. Here are the users and their passwords for this lab. (All of the previous configs are still on the switch.)
We choose a name (signal) and a password for it.


Now we’ve got a database.
How do we apply it to the console line?
(Note: first of all, we need to remove the password “basketball”, because we’re going to switch over from authenticating with that password to a username database.

But if you leave the password “basketball” there, someone someday might get confused by it. We won’t remove it now, to see what happens!)
So we’ll go to the line configuration, and let’s see what our login options are.

Local password checking means it’s looking on this device for that username/password database that we just created.
Now if we logout, we’ll be asked for a username.


Now let’s go ahead and create a username ‘chris’,

and when I log in I want to be put straight into privileged exec mode, because we know the default is user exec.

So we put ‘privilege’ and then assign the highest level of 15.
Then finish the command as you normally would.
Now that particular user will be able to come in at privilege level 15 and the other users will not.
So if we logout and come back :

As you can see, we don’t have to enter the enable password, and that user is put straight into enable mode.
Let’s see one more thing about all of our passwords.
We enter ‘show config’ :

All passwords are at level zero (clear text) and can be read. If we want the passwords not to be displayed like this, we need to turn on password encryption (you can see that we have ‘no service password-encryption’ on the screen).


Now, as you can see, all the passwords are encrypted and their level went up to the highest one, which is 7.
Also at the end of our configuration, we can see this on the screen:

The word ‘basketball’ is totally hashed.
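As an added example (not from the original post), here is a small Python audit that reads a running-config modelled on this lab and flags the weaknesses the post walks through: an enable password left beside the enable secret, a shared console password with plain login instead of login local, clear-text username passwords, and service password-encryption left off. The sample config and the type-5 hash are constructed placeholders, not output from a real switch; the line-block parser handles any line section (con, vty, aux), not just con 0.

```python
import re

# Constructed sample running-config modelled on the lab (not captured from a device); the type-5 string is a placeholder, not a real hash of "ccna".
SAMPLE_CONFIG = """\
hostname SW1
no service password-encryption
enable secret 5 $1$PLCH$placeholder.hash.not.real
enable password cisco123
username signal password 0 signalpw
username chris privilege 15 password 0 chrispw
line con 0
 password basketball
 login
"""

def parse_line_blocks(lines):  # group indented commands under each 'line ...' header
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l.strip()
            blocks[current] = []
        elif current and l.startswith(" "):
            blocks[current].append(l.strip())
        else:
            current = None
    return blocks

def audit_ios_config(config):  # return a list of findings for the password weaknesses above
    lines = config.splitlines()
    findings = []
    if "no service password-encryption" in lines:
        findings.append("service password-encryption is off: type-0 passwords are readable in 'show run'")
    has_secret = any(l.startswith("enable secret ") for l in lines)
    has_password = any(l.startswith("enable password ") for l in lines)
    if has_password and not has_secret:
        findings.append("enable mode protected only by enable password: configure enable secret")
    elif has_password and has_secret:
        findings.append("enable password is dead weight: enable secret takes precedence, remove it")
    for l in lines:
        m = re.match(r"username (\S+) .*\bpassword (?:(\d) )?\S+", l)
        if m and (m.group(2) or "0") in ("0", "7"):  # no type digit means type 0
            findings.append(f"username {m.group(1)}: type-{m.group(2) or '0'} password is recoverable; use 'secret'")
    for header, cmds in parse_line_blocks(lines).items():
        has_line_pw = any(c.startswith("password ") for c in cmds)
        if "login" in cmds and has_line_pw:
            findings.append(f"{header}: single shared password, no username asked; switch to 'login local'")
        elif "login local" in cmds and has_line_pw:
            findings.append(f"{header}: leftover line password alongside 'login local'; remove it")
    return findings
```

Run `audit_ios_config(SAMPLE_CONFIG)` to see the five findings for the lab config; a config with enable secret, username secret, service password-encryption and login local returns an empty list.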