Reproduction in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.
Trademarks used in this text: Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc.
Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products.
Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.
The Command Line Interface (CLI) is a network management application operated
through an ASCII terminal without the use of a Graphical User Interface (GUI) driven software
application. By directly entering commands, you achieve greater configuration flexibility. The
CLI is a basic command-line interpreter similar to the UNIX C shell.
You can configure and maintain a device by entering commands from the CLI, which is based
solely on textual input and output; you enter commands using a terminal keyboard and the
textual output displays via a terminal monitor. You can access the CLI from a VT100 terminal
connected to the console port of the device or through a Telnet connection from a remote host.
The first time you use the CLI from the console, a Setup Wizard is invoked. The Setup Wizard
guides you in setting up a minimum configuration, so that the device can be managed from the
Web Based Interface. Refer to the Getting Started Guide and User Guide for more information
on the Setup Wizard.
This guide describes how the Command Line Interface (CLI) is structured, describes the
command syntax, and describes the command functionality.
This guide also provides information for configuring the PowerConnect device, details the
procedures, and provides configuration examples. Basic installation configuration is described in
the User’s Guide and must be completed before using this document.
Command Groups
The system commands can be broken down into functional groups as shown below.
Command Group | Description
AAA | Configures connection security including authorization and passwords.
ACL | Configures and displays ACL information.
Address Table | Configures bridging address tables.
Configuration and Image Files | Manages the device configuration files.
Clock | Configures clock commands on the device.
DHCP Filtering | Configures DHCP filtering commands.
Ethernet Configuration | Configures all port configuration options, for example ports, storm
GVRP | Configures and displays GVRP configuration and information.
IGMP Snooping | Configures IGMP snooping and displays IGMP configuration and
IP Addressing | Configures and manages IP addresses on the device.
LACP | Configures and displays LACP information.
Line | Configures the console and remote Telnet connection.
LLDP | Configures and displays LLDP information.
www.dell.com | support.dell.com
Management ACL | Configures and displays management access-list information.
PHY Diagnostics | Diagnoses and displays the interface status.
Port Channel | Configures and displays Port Channel information.
Port Monitor | Monitors activity on specific target ports.
QoS | Configures and displays QoS information.
RADIUS | Configures and displays RADIUS information.
RMON | Displays RMON statistics.
SNMP | Configures SNMP communities, traps and displays SNMP
Spanning Tree | Configures and reports on Spanning Tree protocol.
SSH | Configures SSH authentication.
Syslog Commands | Manages and displays syslog messages.
System Management | Configures the device clock, name and authorized users.
TACACS | Configures TACACS+ commands.
User Interface | Describes user commands used for entering CLI commands.
VLAN | Configures VLANs and displays VLAN information.
Web Server | Configures Web based access to the device.
802.1x | Configures commands related to 802.1x security protocol.
file-system logging | Enables logging file system events. | Global Configuration
management logging | Enables logging management access list events. | Global Configuration
show logging | Displays the state of logging and the syslog messages stored in the internal buffer. | Privileged EXEC
show logging file | Displays the state of logging and the syslog messages stored in the logging file. | Privileged EXEC
Displays the SSH public keys stored on the device. | Privileged EXEC
Displays SSH public keys stored on the device. | Privileged EXEC
Generates DSA key pairs for secure login to a remote access server.
Generates RSA key pairs for secure login to a remote access server.
Displays the secure login public key of the device. | Privileged EXEC
show syslog-servers | Displays the syslog servers settings. | Privileged EXEC
System Management Commands
Command Group | Description | Access Mode
ping | Sends ICMP echo request packets to another node on the network. | User EXEC
traceroute | Discovers the routes that packets will actually take when traveling to their destination. | User EXEC
telnet | Logs in to a host that supports Telnet. | User EXEC
resume | Switches to another open Telnet session. | User EXEC
reload | Reloads the operating system. | Privileged EXEC
hostname | Specifies or modifies the device host name. | Global Configuration
stack master | Forces selection of a stack master. | Global Configuration
stack reload | Reloads stack members. | Privileged EXEC
stack display-order | Configures the display order of the units in a stack. | Global Configuration
show stack | Displays information about stack status. | User EXEC
show users | Displays information about the active users. | User EXEC
show sessions | Lists the open Telnet sessions. | User EXEC
show system | Displays system information. | User EXEC
show version | Displays the system version information. | User EXEC
asset-tag | Specifies the device asset-tag. | Global Configuration
show system id | Displays the service ID information. | User EXEC
service cpu-utilization | Enables measuring CPU utilization. | Global Configuration
show cpu utilization | Displays information about the CPU utilization of active processes. | Privileged EXEC
TACACS Commands
Command Group | Description | Mode
tacacs-server host | Specifies a TACACS+ host. | Global Configuration
tacacs-server key | Sets the authentication encryption key used for all TACACS+ communications between the device and the TACACS+ daemon. | Global Configuration
tacacs-server source-ip | Specifies the source IP address that will be used for the communication with TACACS+ servers. | Global Configuration
tacacs-server timeout | Sets the timeout value. | Global Configuration
show tacacs | Displays configuration and statistics for TACACS+ servers. | Privileged EXEC
User Interface Commands
Command Group | Description | Access Mode
enable | Enters the privileged EXEC mode. | User EXEC
disable | Returns to User EXEC mode. | Privileged EXEC
login | Changes a login username. | Priv/User EXEC
configure | Enables the global configuration mode. | Privileged EXEC
exit (Configuration) | Exits any configuration mode to the next highest mode in the CLI mode hierarchy. | All
exit | Closes an active terminal session by logging off the device. | Priv/User EXEC
end | Ends the current configuration session and returns to the Privileged EXEC mode. | After Privileged EXEC
help | Displays a brief description of the help system. | All
terminal datadump | Enables dumping all output of a show command without prompting. | User EXEC
show history | Lists the commands entered in the current session. | Privileged EXEC
show privilege | Displays the current privilege level. | User EXEC
VLAN Commands
Command Group | Description | Access Mode
vlan database | Enters the VLAN database configuration mode. | Global Configuration
vlan | Creates a VLAN. | VLAN Database
interface vlan | Enters the interface configuration (VLAN) mode. | Global Configuration
interface range vlan | Enters the interface configuration mode to configure multiple VLANs. | Global Configuration
name | Configures a name to a VLAN. | Interface (VLAN) Configuration
private-vlan primary | Defines the primary PVLAN. | Interface (VLAN) Configuration
private-vlan isolated | Defines the isolated VLAN of the PVLAN. | Interface (VLAN) Configuration
private-vlan community | Associates the primary VLAN and community VLANs. | Interface (VLAN) Configuration
switchport mode | Configures the VLAN membership mode of a port. | Interface Configuration
switchport access vlan | Configures the VLAN ID when the interface is in access mode. | Interface Configuration
switchport private-vlan | Defines the private-vlan port VLANs. | Interface Configuration
show vlan private-vlan | Displays information about private VLANs. | Privileged EXEC
switchport trunk allowed vlan | Adds or removes VLANs from a port in general mode. | Interface Configuration
switchport trunk native vlan | Defines the port as a member of the specified VLAN, and the VLAN ID is the "port default VLAN ID (PVID)". | Interface Configuration
switchport general allowed vlan | Adds or removes VLANs from a general port. | Interface Configuration
switchport general pvid | Configures the PVID when the interface is in general mode. | Interface Configuration
switchport general ingress-filtering disable | Disables port ingress filtering. | Interface Configuration
switchport general acceptable-frame-type tagged-only | Discards untagged frames at ingress. | Interface Configuration
switchport forbidden vlan | Forbids adding specific VLANs to a port. | Interface Configuration
switchport customer vlan | Sets the port’s VLAN when the interface is in customer mode. | Interface Configuration
ip internal-usage-vlan | Reserves a VLAN as the internal usage VLAN of an interface. | Interface Configuration
mac-to-vlan | Adds MAC addresses to the MAC-to-VLAN database. | VLAN Configuration
show vlan mac-to-vlan | Displays the MAC-to-VLAN database. | Privileged EXEC
show vlan | Displays VLAN information. | Privileged EXEC
show vlan internal usage | Displays a list of VLANs used internally by the device. | Privileged EXEC
show interfaces switchport | Displays switchport configuration. | Privileged EXEC
Web Server Commands
Command Group | Description | Access Mode
ip http server | Enables the device to be configured from a browser. | Global Configuration
ip http port | Specifies the TCP port for use by a web browser to configure the device. | Global Configuration
ip https port | Configures a TCP port for use by a secure web browser to configure the device. | Global Configuration
ip https server | Enables the device to be configured from a secured browser. | Global Configuration
crypto certificate generate | Generates an HTTPS certificate. | Global Configuration
crypto certificate request | Generates and displays certificate requests for HTTPS. | Privileged EXEC
crypto certificate import | Imports a certificate signed by Certification Authority for HTTPS. | Global Configuration
ip https certificate | Configures the active certificate for HTTPS. | Global Configuration
show ip http | Displays the HTTP server configuration. | Privileged EXEC
show ip https | Displays the HTTPS server configuration. | Privileged EXEC
show crypto certificate mycertificate | Displays the SSL certificates of the device. | Privileged EXEC
802.1x Commands
Command | Description | Access Mode
aaa authentication dot1x | Specifies one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1x. | Global Configuration
dot1x system-authcontrol | Enables 802.1x globally. | Global Configuration
dot1x port-control | Enables manual control of the authorization state of the port. | Interface Configuration
dot1x re-authentication | Enables periodic re-authentication of the client. | Interface Configuration
dot1x timeout re-authperiod | Sets the number of seconds between re-authentication attempts. | Interface Configuration
dot1x re-authenticate | Manually initiates a re-authentication of all 802.1x-enabled ports or the specified 802.1x-enabled port. | Privileged EXEC
dot1x timeout quiet-period | Sets the number of seconds that the device remains in the quiet state following a failed authentication exchange. | Interface Configuration
dot1x timeout tx-period | Sets the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) - request/identity frame from the client, before resending the request. | Interface Configuration
dot1x max-req | Sets the maximum number of times that the device sends an EAP - request/identity frame to the client, before restarting the authentication process. | Interface Configuration
dot1x timeout supp-timeout | Sets the time for the retransmission of an Extensible Authentication Protocol (EAP)-request frame to the client. | Interface Configuration
dot1x timeout server-timeout | Sets the time for the retransmission of packets to the authentication server. | Interface Configuration
show dot1x | Allows multiple hosts on an 802.1x-authorized port, that has the dot1x port-control interface configuration command set to auto. | Privileged EXEC
show dot1x users | Displays active 802.1x authenticated users. | Privileged EXEC
show dot1x statistics | Displays 802.1x statistics for the specified interface. | Privileged EXEC
dot1x auth-not-req | Enables unauthorized users access to that VLAN. | Interface (VLAN) Configuration
dot1x multiple-hosts | Allows multiple hosts (clients) on an 802.1x-authorized port, that has the dot1x port-control Interface Configuration mode command set to auto. | Interface Configuration
dot1x single-host-violation | Configures the action to be taken, when a station whose MAC address is not the supplicant MAC address, attempts to access the interface. | Interface Configuration
dot1x guest-vlan | Defines a guest VLAN. | Interface Configuration
dot1x guest-vlan enable | Enables unauthorized users on the interface to access the guest VLAN. | Interface Configuration
show dot1x advanced | Displays 802.1x advanced features for the device or for the specified interface. | Privileged EXEC
Command Modes
GC (Global Configuration) Mode
Command | Description
aaa authentication enable | Defines authentication method lists for accessing higher privilege
enable password | Sets a local password to control access to normal and privilege levels.
end | Ends the current configuration session and returns to the previous command mode.
file-system logging | Enables logging file system events.
gvrp enable (Global) | Enables GVRP globally.
hostname | Specifies or modifies the device host name.
interface ethernet | Enters the interface configuration mode to configure an Ethernet type interface.
interface port-channel | Enters the interface configuration mode of a specific port-channel.
interface range ethernet | Enters the interface configuration mode to configure multiple ethernet type interfaces.
interface range port-channel | Enters the interface configuration mode to configure multiple port-channels.
interface range vlan | Enters the interface configuration mode to configure multiple VLANs.
interface vlan | Enters the interface configuration (VLAN) mode.
ip default-gateway | Defines a default gateway.
ip domain-lookup | Enables the IP Domain Naming System (DNS)-based host name-to-address translation.
ip domain-name | Defines a default domain name, that the software uses to complete unqualified host names.
ip host | Defines static host name-to-address mapping in the host cache.
ip http authentication | Specifies authentication methods for HTTP server users.
ip http port | Specifies the TCP port for use by a web browser to configure the device.
ip http server | Enables the device to be configured from a browser.
ip https authentication | Specifies authentication methods for HTTPS server users.
ip https certificate | Configures the active certificate for HTTPS.
ip https server | Enables the device to be configured from a secured browser.
ip https port | Configures a TCP port for use by a secure web browser to configure the device.
ip igmp snooping (Global) | Enables Internet Group Management Protocol (IGMP) snooping
ip name-server | Sets the available name servers.
ip ssh port | Specifies the port to be used by the SSH server.
ip ssh pubkey-auth | Enables public key authentication for incoming SSH sessions.
ip ssh server | Enables the device to be configured from an SSH server.
lacp system-priority | Configures the system LACP priority.
line | Identifies a specific line for configuration and enters the line configuration command mode.
logging | Logs messages to a syslog server.
logging buffered | Limits syslog messages displayed from an internal buffer based on severity.
logging buffered size | Changes the number of syslog messages stored in the internal buffer.
logging console | Limits messages logged to the console based on severity.
logging file | Limits syslog messages sent to the logging file based on severity.
logging on | Controls error messages logging.
mac access-list | Creates Layer 2 ACLs.
management access-class | Defines which management access-list is used.
management access-list | Defines a management access-list, and enters the access-list for configuration.
management logging | Enables logging management access list events.
passwords aging | Sets the expiration time for passwords in the local database.
passwords history | Sets the number of required password changes before a password in the local database can be reused.
passwords history hold-time | Sets the number of days a password is relevant for tracking its password history.
passwords lockout | Sets the number of failed login attempts before a user account is locked.
passwords min-length | Sets the minimum required length for passwords in the local database.
power inline traps enable | Adds a description of the powered device type attached to the interface.
power inline usage-threshold | Configures the administrative mode of the inline power on an interface.
priority-queue out num-ofqueues | Enables the egress queues to be SP queues.
qos | Enables Quality of Service (QoS) on the device and enters QoS basic or advance mode.
qos map dscp-queue | Modifies the DSCP to CoS map.
qos trust (Global) | Configure the system to "trust" state.
radius-server deadtime | Improves RADIUS response times when servers are unavailable.
radius-server host | Specifies a RADIUS server host.
radius-server key | Sets the authentication and encryption key for all RADIUS communications between the device and the RADIUS daemon.
radius-server retransmit | Specifies the number of times the software searches the list of RADIUS server hosts.
radius-server source-ip | Specifies the source IP address used for communication with RADIUS servers.
radius-server timeout | Sets the interval for which a device waits for a server host to reply.
rmon alarm | Configures alarm conditions.
rmon event | Configures an RMON event.
rmon table-size | Configures the maximum RMON tables sizes.
service cpu-utilization | Enables measuring CPU utilization.
snmp-server community | Sets up the community access string to permit access to SNMP protocol.
snmp-server contact | Sets up a system contact.
snmp-server enable traps | Enables the device to send SNMP traps or SNMP notifications.
snmp-server engineID local | Specifies an SNMP EngineID on the local device.
snmp-server filter | Creates and modifies filter entries.
snmp-server group | Configures a new SNMP group or a table that maps SNMP users to SNMP views.
snmp-server host | Specifies the recipient of Simple Network Management Protocol notification operation.
snmp-server v3-host | Specifies an SNMP v3 notification recipient.
snmp-server location | Sets up the information on where the device is located.
snmp-server set | Sets SNMP MIB value by the CLI.
snmp-server trap authentication | Enables the device to send Simple Network Management Protocol traps when authentication failed.
snmp-server user | Configures a new SNMP v3 user.
snmp-server view | Creates and modifies view entries.
sntp authenticate | Grants authentication for received Simple Network Time Protocol (SNTP) traffic from servers.
sntp authentication-key | Defines an authentication key for Simple Network Time Protocol (SNTP).
spanning-tree | Enables spanning tree functionality.
spanning-tree bpdu | Defines BPDU handling when spanning tree is disabled on an interface.
spanning-tree forward-time | Configures the spanning tree bridge forward time.
spanning-tree hello-time | Configures the spanning tree bridge Hello Time.
spanning-tree max-age | Configures the spanning tree bridge maximum age.
spanning-tree mode | Configures the spanning tree protocol.
spanning-tree mst configuration | Enables configuring an MST region by entering the Multiple Spanning Tree (MST) mode.
spanning-tree mst max-hops | Configures the number of hops in an MST region before the BPDU is discarded and the port information is aged out.
spanning-tree mst priority | Configures the device priority for the specified spanning-tree instance.
spanning-tree pathcost method | Sets the default pathcost method.
spanning-tree priority | Configures the spanning tree priority.
stack display-order | Configures the display order of the units in a stack.
stack master | Forces selection of a stack master.
tacacs-server key | Sets the authentication encryption key used for all TACACS+ communications between the device and the TACACS+ daemon.
tacacs-server source-ip | Specifies the source IP address that will be used for the communication with TACACS+ servers.
tacacs-server timeout | Sets the timeout value.
tacacs-server host | Specifies a TACACS+ host.
username | Establishes a username-based authentication system.
vlan database | Enters the VLAN database configuration mode.
wrr-queue cos-map | Maps CoS values to a specific egress queue.
IC (Interface Configuration) Mode
Command | Description
back-pressure | Enables Back Pressure on a given interface.
bridge multicast forward-all | Enables forwarding all multicast frames on a port.
bridge multicast forbidden forward-all | Forbids a port from becoming a forward-all multicast port.
channel-group | Associates a port with a Port-channel.
description | Adds a description to an interface.
dot1x guest-vlan | Defines a guest VLAN.
dot1x guest-vlan enable | Enables unauthorized users on the interface to access the guest VLAN.
dot1x max-req | Sets the maximum number of times that the device sends an EAP - request/identity frame to the client, before restarting the authentication process.
dot1x multiple-hosts | Allows multiple hosts (clients) on an 802.1x-authorized port, that has the dot1x port-control Interface Configuration mode command set to auto.
dot1x port-control | Enables manual control of the authorization state of the port.
dot1x re-authentication | Enables periodic re-authentication of the client.
dot1x single-host-violation | Configures the action to be taken, when a station whose MAC address is not the supplicant MAC address, attempts to access the interface.
dot1x timeout quiet-period | Sets the number of seconds that the device remains in the quiet state following a failed authentication exchange.
dot1x timeout re-authperiod | Sets the number of seconds between re-authentication attempts.
dot1x timeout server-timeout | Sets the time for the retransmission of packets to the authentication server.
dot1x timeout supp-timeout | Sets the time for the retransmission of an EAP-request frame to the client.
dot1x timeout tx-period | Sets the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) - request/identity frame, from the client, before resending the request.
duplex | Configures the full/half duplex operation of a given ethernet interface when not using auto-negotiation.
flowcontrol | Configures the Flow Control on a given interface.
garp timer | Adjusts the GARP application join, leave, and leaveall GARP timer values.
gvrp enable (Interface) | Enables GVRP on an interface.
gvrp registration-forbid | De-registers all VLANs, and prevents dynamic VLAN registration on the port.
gvrp vlan-creation-forbid | Enables or disables dynamic VLAN creation.
ip address | Sets an IP address.
ip address dhcp | Acquires an IP address on an interface from the DHCP server.
ip internal-usage-vlan | Reserves a VLAN as the internal usage VLAN of an interface.
lacp port-priority | Configures the priority value for physical ports.
lacp timeout | Assigns an administrative LACP timeout.
mdix | Enables automatic crossover on a given interface.
name | Configures a name to a VLAN.
negotiation | Enables auto-negotiation operation for the speed and duplex parameters of a given interface.
power inline | Configures the administrative mode of the inline power on an interface.
power inline powered-device | Adds a description of the powered device type attached to the interface.
power inline priority | Displays port monitoring status
port monitor | Starts a port monitoring session.
port security | Disables new address learning/forwarding on an interface.
port monitor vlan-tagging | Transmits tagged ingress mirrored packets.
port security max | Configures the maximum number of addresses that may be learned on the port while the port is in port security mode.
port security mode | Configures the port security learning mode.
port security routed secureaddress | Adds MAC-layer secure addresses to a routed port.
port storm-control broadcast enable | Enables broadcast storm control.
port storm-control broadcast rate | Configures the maximum broadcast rate.
port storm-control includemulticast | Enables the device to count multicast packets.
private-vlan community | Associates the primary VLAN and community VLANs.
private-vlan isolated | Defines the isolated VLAN of the PVLAN.
private-vlan primary | Defines the primary PVLAN.
qos cos | Configures the default port CoS value.
qos trust (Interface) | Enables each port trust state while the system is in basic mode.
rmon collection history | Enables a Remote Monitoring (RMON) MIB history statistics group on an interface.
service-acl | Applies an ACL to the input interface.
shutdown | Disables interfaces.
sntp client enable (Interface) | Enables the Simple Network Time Protocol (SNTP) client on an interface.
spanning-tree cost | Configures the spanning tree path cost for a port.
spanning-tree disable | Disables spanning tree on a specific port.
spanning-tree link-type | Overrides the default link-type setting.
spanning-tree mst cost | Configures the path cost for multiple spanning tree (MST) calculations.
spanning-tree mst portpriority | Configures the priority of a port.
spanning-tree portfast | Enables PortFast mode.
spanning-tree port-priority | Configures port priority.
speed | Configures the speed of a given Ethernet interface when not using auto-negotiation.
switchport private-vlan | Defines the private-vlan port VLANs.
LC (Line Configuration) Mode
Command | Description
autobaud | Configures the line for automatic baud rate detection (autobaud).
enable authentication | Specifies the authentication method list when accessing a higher privilege level from a remote telnet or console.
history | Enables the command history function.
history size | Configures the command history buffer size for a particular line.
login authentication | Specifies the login authentication method list for a remote telnet or console.
password | Specifies a password on a line.
password-aging | Sets the expiration time of line passwords in the local database.
speed | Configures the baud rate of the line.
MA (Management Access-level) Mode
Command | Description
deny (Management) | Defines a deny rule.
permit (Management) | Defines a permit rule.
MC (MST Configuration) Mode
Command | Description
abort (mst) | Exits the MST region configuration mode without applying configuration changes.
exit (mst) | Exits the MST region configuration mode and applies all configuration changes.
instance (mst) | Maps VLANs to the MST instance.
name (mst) | Defines the configuration name.
revision (mst) | Defines the configuration revision number.
show (mst) | Displays the current or pending MST region configuration.
ML (MAC Access-List) Mode
Command | Description
deny (MAC) | Denies traffic if the conditions defined in the permit statement match.
PE (Privileged EXEC) Mode
Command | Description
boot system | Specifies the system image that the device loads at startup.
clear arp-cache | Deletes all dynamic entries from the ARP cache.
clear bridge | Removes any learned entries from the forwarding database.
clear gvrp statistics | Clears all the GVRP statistics information.
clear host | Deletes entries from the host name-to-address cache.
clear host dhcp | Deletes entries from the host name-to-address mapping received from Dynamic Host Configuration Protocol (DHCP).
clear logging | Clears messages from the internal logging buffer.
clear logging file | Clears messages from the logging file.
clear spanning-tree detectedprotocols | Restarts the protocol migration process on all interfaces or on the specified interface.
clock set | Manually sets the system clock.
configure | Enters the Global Configuration mode.
copy | Copies files from a source to a destination.
crypto certificate request | Generates and displays certificate requests for HTTPS.
delete | Deletes a file from a Flash memory device.
delete startup-config | Deletes the startup-config file.
dir | Displays a list of files on a flash file system.
dot1x re-authenticate | Manually initiates a re-authentication of all 802.1x-enabled ports or the specified 802.1x-enabled port.
exit | Closes an active terminal session by logging off the device.
login | Changes a login username.
more | Displays a file.
reload | Reloads the operating system.
rename | Renames a file.
set enable-password active | Reactivates a locked local password.
set interface active | Reactivates an interface that was suspended by the system.
set line active | Reactivates a locked line.
set username active | Reactivates a locked user account.
show access-lists | Displays ACLs defined on the device.
show arp | Displays entries in the ARP table.
show authentication methods | Displays information about the authentication methods.
show bootvar | Displays the active system image file that the device loads at startup.
show bridge address-table | Displays all entries in the bridge-forwarding database.
show bridge address-table count | Displays the number of addresses present in all VLANs or at specific VLAN.
show bridge multicast address-table | Displays multicast MAC or IP address table information.
show bridge multicast filtering | Displays the multicast filtering configuration.
show crypto key mypubkey | Displays the SSH public keys stored on the device.
show crypto key pubkey-chain ssh | Displays SSH public keys stored on the device.
show crypto certificate mycertificate | Displays the SSL certificates of the device.
show crypto slogin key mypubkey | Displays the secure login public key of the device.
show dot1x | Displays 802.1x status for the device or for the specified interface.
show dot1x advanced | Displays 802.1x enhanced features for the device or for the specified interface.
show dot1x users | Displays 802.1x users for the device.
show dot1x statistics | Displays 802.1x statistics for the specified interface.
show fiber-ports opticaltransceiver | Displays the optical transceiver diagnostics.
show hosts | Displays the default domain name, a list of name server hosts, the static and the cached list of host names and addresses.
show interfaces access-lists | Displays access lists applied on interfaces.
show interfaces advertise | Displays autonegotiation advertisement data.
show interfaces configuration | Displays the configuration for all interfaces.
show interfaces counters | Displays traffic seen by the physical interface.
show interfaces description | Displays the description for all interfaces.
show interfaces port-channel | Displays Port-channel information.
show interfaces status | Displays the status for all interfaces.
show ip interface | Displays the usability status of interfaces configured for IP.
show ip ssh | Displays the SSH server configuration.
show logging | Displays the state of logging and the syslog messages stored in the internal buffer.
show logging file | Displays the state of logging and the syslog messages stored in the logging file.
show management accessclass | Displays the active management access-list.
show management access-list | Displays management access-lists.
show passwords configuration | Displays information about password management.
show ports security | Displays the port-lock status.
show ports security addresses | Displays current dynamic addresses in locked ports.
show ports storm-control | Displays the storm control configuration.
show cpu utilization | Displays information about the CPU utilization of active processes.
show radius-servers | Displays the RADIUS server settings.
show running-config | Displays the contents of the currently running configuration file.
show snmp | Displays the SNMP status.
show snmp engineid | Displays the local SNMP EngineID.
show snmp filters | Displays the configuration of SNMP filters.
show snmp groups | Displays the configuration of SNMP groups.
show snmp users | Displays the configuration of SNMP users.
show snmp views                        Displays the configuration of SNMP views.
show spanning-tree                     Displays spanning tree configuration.
show startup-config                    Displays the startup configuration file contents.
show syslog-servers                    Displays the syslog servers settings.
show tacacs                            Displays configuration and statistics for a TACACS+ server.
show users accounts                    Displays information about the local user database.
show users login-history               Displays information about the login history of users.
show vlan internal usage               Displays a list of VLANs used internally by the device.
show vlan mac-to-vlan                  Displays the MAC-to-VLAN database.
www.dell.com | support.dell.com
show vlan private-vlan                 Displays information about private VLANs.
stack reload                           Reloads stack members
test copper-port tdr                   Diagnoses with TDR (Time Domain Reflectometry) technology the quality and characteristics of a copper cable attached to a port.
SP (SSH Public Key) Mode
Command                                Description
key-string                             Manually specifies a SSH public key.
user-key                               Specifies which SSH public key is manually configured and enters the SSH public key-string configuration command
UE (User EXEC) Mode
Command                                Description
clear counters                         Clears statistics on an interface.
enable                                 Enters the Privileged EXEC mode.
exit                                   Closes an active terminal session by logging off the device.
login                                  Changes a login username.
ping                                   Sends ICMP echo request packets to another node on the network.
show clock                             Displays the time and date from the system clock.
show copper-ports cable-length         Displays the estimated copper cable length attached to a port.
show copper-ports tdr                  Displays the last TDR (Time Domain Reflectometry) tests on specified ports.
show gvrp configuration                Displays GVRP configuration information.
show gvrp error-statistics             Displays GVRP error statistics.
clear gvrp statistics                  Displays GVRP statistics.
show history                           Lists the commands entered in the current session.
show ip igmp snooping mrouter          Enables automatic learning of multicast switch ports in the context of a specific VLAN.
show ip igmp snooping groups           Displays multicast groups learned by IGMP snooping.
show ip igmp snooping interface        Displays IGMP snooping configuration.
show ip igmp snooping mrouter          Displays information on dynamically learned multicast router interfaces.
show lacp ethernet                     Displays LACP information for Ethernet ports.
show lacp port-channel                 Displays LACP information for a port-channel.
show line                              Displays line parameters.
show ports monitor                     Displays port monitoring status
show power inline                      Displays information about inline power.
show privilege                         Displays the current privilege level.
show qos                               Displays the QoS status.
show qos interface                     Assigns CoS values to select one of the egress queues.
show qos map                           Displays all the maps for QoS.
show rmon alarm                        Displays alarm configurations.
show rmon alarm-table                  Displays the alarms table.
show rmon collection history           Displays the requested history group configuration.
show rmon events                       Displays the RMON event table.
show rmon history                      Displays RMON Ethernet Statistics history.
show rmon log                          Displays the RMON logging table.
show rmon statistics                   Displays RMON Ethernet Statistics.
show stack                             Displays information about stack status.
show system                            Displays system information.
show system id                         Displays the service id information.
show users                             Displays information about the active users.
show version                           Displays the system version information.
terminal datadump                      Enables dumping all output of a show command without prompting.
terminal history                       Enables the command history function for the current terminal session.
terminal history size                  Configures the command history buffer size for the current terminal session.
VC (VLAN Configuration) Mode
Command                                    Description
bridge address                             Adds a static MAC-layer station source address to the bridge table.
bridge multicast address                   Registers MAC-layer multicast addresses to the bridge table, and adds static ports to the group.
bridge multicast forbidden address         Forbids adding a specific multicast address to specific ports.
bridge multicast forbidden forward-all     Enables forbidding forwarding of all multicast frames to a port.
bridge multicast forward-all               Enables forwarding of all multicast frames on a port.
ip igmp snooping (Interface)               Enables Internet Group Management Protocol (IGMP) snooping on a specific VLAN.
ip igmp snooping host-time-out             Configures the host-time-out.
ip igmp snooping leave-time-out            Configures the leave-time-out.
ip igmp snooping mrouter learn-pim-dvmrp   Enables automatic learning of multicast router ports.
ip igmp snooping mrouter-time-out          Configures the mrouter-time-out.
mac-to-vlan                                Adds MAC addresses to the MAC-to-VLAN database.
vlan                                       Creates a VLAN.
dot1x auth-not-req                         Enables unauthorized users access to that VLAN.
name                                       Configures a name to a VLAN.
Using the CLI
This chapter describes how to start using the CLI and describes the command editing features
to assist in using the CLI.
CLI Command Modes
Introduction
To assist in configuring the device, the Command Line Interface (CLI) is divided into different
command modes. Each command mode has its own set of specific commands. Entering a
question mark "?" at the system prompt (console prompt) displays a list of commands available
for that particular command mode.
From each mode a specific command is used to navigate from one command mode to another.
The standard order to access the modes is as follows: User EXEC mode, Privileged EXEC mode, Global Configuration mode, and Interface Configuration mode. The following figure illustrates
the command mode access path.
When starting a session, the initial mode is the User EXEC mode. Only a limited subset of
commands are available in the User EXEC mode. This level is reserved for tasks that do not
change the configuration. To enter the next level, the Privileged EXEC mode, a password is
required.
The Privileged EXEC mode gives access to commands that are restricted on User EXEC mode
and provides access to the device Configuration mode.
The Global Configuration mode manages the device configuration on a global level.
The Interface Configuration mode configures specific interfaces in the device.
User EXEC Mode
After logging into the device, the user is automatically in the User EXEC command mode
unless the user is defined as a privileged user. In general, the User EXEC commands allow the
user to perform basic tests, and list system information.
The user-level prompt consists of the device host name followed by the angle bracket (>).
Console>
The default host name is Console unless it was changed using the hostname command in the
Global Configuration mode.
Privileged EXEC Mode
Privileged access is password protected to prevent unauthorized use, because many of the
privileged commands set operating system parameters. The password is not displayed on the
screen and is case sensitive.
Privileged users enter directly into the Privileged EXEC mode. To enter the Privileged EXEC
mode from the User EXEC mode, perform the following steps:
1 At the prompt enter the enable command and press <Enter>. A password prompt
appears.
2 Enter the password and press <Enter>. The password is displayed as *. The Privileged EXEC
mode prompt is displayed. The Privileged EXEC mode prompt consists of the device host
name followed by #.
Console#
To return from the Privileged EXEC mode to the User EXEC mode, use the disable command.
The following example illustrates how to access the Privileged EXEC mode and return to the
User EXEC mode:
Console> enable
Enter Password: ******
Console#
Console# disable
Console>
The exit command is used to return from any mode to the previous mode except when
returning to the User EXEC mode from the Privileged EXEC mode. For example, the exit
command is used to return from the Interface Configuration mode to the Global Configuration
mode.
Global Configuration Mode
Global Configuration mode commands apply to features that affect the system as a whole,
rather than just a specific interface. The configure Privileged EXEC mode command is used to
enter the Global Configuration mode.
To enter the Global Configuration mode, at the Privileged EXEC mode prompt enter the
command configure and press <Enter>. The Global Configuration mode prompt is displayed.
The Global Configuration mode prompt consists of the device host name followed by (config)
and #.
Console(config)#
To return from the Global Configuration mode to the Privileged EXEC mode, the user can use
one of the following commands:
•exit
•end
•Ctrl+Z
The following example illustrates how to access the Global Configuration mode and return to
the Privileged EXEC mode:
Console#
Console# configure
Console(config)# exit
Console#
Interface Configuration Mode and Specific Configuration Modes
Interface Configuration mode commands modify specific interface operations. The following
are the Interface Configuration modes:
•Line Interface — Contains commands to configure the management connections. These
include commands such as line timeout settings, etc. The line Global Configuration mode
command is used to enter the Line Configuration command mode.
•VLAN Database — Contains commands to create a VLAN as a whole. The vlan database
Global Configuration mode command is used to enter the VLAN Database Interface
Configuration mode.
•Management Access List — Contains commands to define management access-lists. The
management access-list Global Configuration mode command is used to enter the
Management Access List Configuration mode.
•Ethernet — Contains commands to manage port configuration. The interface ethernet
Global Configuration mode command is used to enter the Interface Configuration mode to
configure an Ethernet type interface.
•Port Channel — Contains commands to configure port-channels, for example, assigning
ports to a port-channel. Most of these commands are the same as the commands in the
Ethernet interface mode, and are used to manage the member ports as a single entity. The
interface port-channel Global Configuration mode command is used to enter the Port
Channel Interface Configuration mode.
•SSH Public Key-chain — Contains commands to manually specify other device SSH public
keys. The crypto key pubkey-chain ssh Global Configuration mode command is used to enter
the SSH Public Key-chain Configuration mode.
•QoS — Contains commands related to service definitions. The qos Global Configuration
mode command is used to enter the QoS services configuration mode.
•MAC Access-List — Configures conditions required to allow traffic based on MAC
addresses. The mac access-list Global Configuration mode command is used to enter the
MAC access-list configuration mode.
Starting the CLI
The device can be managed over a direct connection to the device console port or via a Telnet
connection. The device is managed by entering command keywords and parameters at the
prompt. Using the device command-line interface (CLI) is very similar to entering commands
on a UNIX system.
If access is via a Telnet connection, ensure that the device has a defined IP address,
corresponding management access is granted, and the workstation used to access the device is
connected to the device prior to using CLI commands.
NOTE: The following steps are for use on the console line only.
To start using the CLI, perform the following steps:
1 Connect the DB9 null-modem or cross over cable to the RS-232 serial port of the device to
the RS-232 serial port of the terminal or computer running the terminal emulation
application.
NOTE: The default data rate, for Carrier, is 115,200 (Console port on unit shows a default data rate of
9600).
a Set the data format to 8 data bits, 1 stop bit, and no parity.
b Set Flow Control to none.
c Under Properties, select VT100 for Emulation mode.
d Select Terminal keys for Function, Arrow, and Ctrl keys. Ensure that the setting is for
Terminal keys (not Windows keys).
NOTICE: When using HyperTerminal with Microsoft® Windows 2000, ensure that Windows® 2000
Service Pack 2 or later is installed. With Windows 2000 Service Pack 2, the arrow keys function properly
in HyperTerminal’s VT100 emulation. Go to www.microsoft.com for information on Windows 2000 service
packs.
For more information, see
2 Enter the following commands to begin the configuration procedure:
Console> enable
Console# configure
Console(config)#
3 Configure the device and enter the necessary commands to complete the required tasks.
4 When finished, exit the session with the
When a different user is required to log onto the system, use the login Privileged EXEC mode
command. This effectively logs off the current user and logs on the new user.
Editing Features
Entering Commands
A CLI command is a series of keywords and arguments. Keywords identify a command, and
arguments specify configuration parameters. For example, in the command show interfaces status ethernet 1/e11, show, interfaces and status are keywords, ethernet is an argument that
specifies the interface type, and 1/e11 specifies the port.
To enter commands that require parameters, enter the required parameters after the command
keyword. For example, to set a password for the administrator, enter:
When working with the CLI, the command options are not displayed. The command is not
selected from a menu, but is manually entered. To see what commands are available in each
mode or within an interface configuration, the CLI provides a method of displaying the
available commands, the command syntax requirements and in some instances, parameters
required to complete the command. The standard command to request help is the character ?.
There are two instances where help information can be displayed:
•Keyword lookup — The character ? is entered in place of a command. A list of all valid
commands and corresponding help messages is displayed.
•Partial keyword lookup — If a command is incomplete and the character ? is entered in
place of a parameter, the matched keyword or parameters for this command are displayed.
To assist in using the CLI, there is an assortment of editing features. The following features are
described:
•Terminal Command Buffer
•Command Completion
•Keyboard Shortcuts
Copying and Pasting Text
Up to 100 lines of text (i.e., commands) can be copied and pasted into the device.
NOTE: These editing features are for Telnet only.
NOTE: It is the user’s responsibility to ensure that the text copied into the device consists of legal
commands only.
When copying and pasting commands from a configuration file, make sure that the following
conditions exist:
•A device Configuration mode has been accessed.
•The commands contain no encrypted data, like encrypted passwords or keys. Encrypted data
cannot be copied and pasted into the device.
Setup Wizard
The CLI supports a Setup Wizard. This is an easy-to-use user interface which quickly guides the
user in setting up basic device information, so that the device can be easily managed from a
Web Based Interface. Refer to the Getting Started Guide and User Guide for more information
on the Setup Wizard.
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally managed Command
History buffer. Commands stored in the buffer are maintained on a First In First Out (FIFO)
basis. These commands can be recalled, reviewed, modified, and reissued. This buffer is not
preserved across device resets.
Keyword                  Description
Up-arrow key, Ctrl+P     Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow key           Returns to more recent commands in the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
By default, the history buffer system is enabled, but it can be disabled at any time. For
information about the command syntax to enable or disable the history buffer, see history.
There is a standard default number of commands that are stored in the buffer. The standard
number of 10 commands can be increased to 216. By configuring 0, the effect is the same as
disabling the history buffer system. For information about the command syntax for configuring
the command history buffer, see history size.
To display the history buffer, see show history.
Negating the Effect of Commands
For many configuration commands, the prefix keyword no can be entered to cancel the effect of
a command or reset the configuration to the default value. This guide describes the negation
effect for all applicable commands.
Command Completion
An appropriate error message displays if the entered command is incomplete or invalid; or has
missing or invalid parameters. This assists in entering the correct command.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI commands. The following
table describes the CLI shortcuts.
Keyboard Key       Description
Up-arrow key       Recalls commands from the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow key     Returns the most recent commands from the history buffer after recalling commands with the up arrow key. Repeating the key sequence will recall successively more recent commands.
Ctrl+A             Moves the cursor to the beginning of the command line.
Ctrl+E             Moves the cursor to the end of the command line.
Ctrl+Z / End       Returns back to the Privileged EXEC mode from any configuration mode.
Backspace key      Deletes one character left to the cursor position.
CLI Command Conventions
When entering commands there are certain command entry standards that apply to all
commands. The following table describes the command conventions.
Convention         Description
[ ]                In a command line, square brackets indicate an optional entry.
{ }                In a command line, curly brackets indicate a selection of compulsory parameters separated by the | character. One option must be selected. For example, flowcontrol {auto|on|off} means that for the flowcontrol command either auto, on or off must be selected.
Italic font        Indicates a parameter.
<Enter>            Indicates an individual key on the keyboard. For example, <Enter> indicates the Enter key.
Ctrl+F4            Any combination of keys pressed simultaneously on the keyboard.
Screen Display     Indicates system messages and prompts appearing on the console.
all                When a parameter is required to define a range of ports or parameters and all is an option, the default for the command is all when no parameters are defined. For example, the command interface range port-channel has the option of either entering a range of channels, or selecting all. When the command is entered without a parameter, it automatically defaults to all.
AAA Commands
aaa authentication login
The aaa authentication login Global Configuration mode command defines login
authentication. To return to the default configuration, use the no form of this command.
•default — Uses the listed authentication methods that follow this argument as the
default list of methods when a user logs in.
•list-name — Character string used to name the list of authentication methods activated
when a user logs in. (Range: 1-12 characters).
•method1 [method2...] — Specify at least one from the following table:
Keyword     Description
enable      Uses the enable password for authentication.
line        Uses the line password for authentication.
local       Uses the local username database for authentication.
none        Uses no authentication.
radius      Uses the list of all RADIUS servers for authentication.
tacacs      Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command aaa
authentication login default local.
NOTE: On the console, login succeeds without any authentication check if the authentication method is
not defined.
Command Mode
Global Configuration mode
User Guidelines
•The default and optional list names created with the aaa authentication login command are
used with the login authentication command.
•Create a list by entering the aaa authentication login list-name method command for a
particular protocol, where list-name is any character string used to name this list. The method
argument identifies the list of methods that the authentication algorithm tries, in the given
sequence.
•The additional methods of authentication are used only if the previous method returns an
error, not if it fails. To ensure that the authentication succeeds even if all methods return an
error, specify none as the final method in the command line.
Example
The following example configures the authentication login, so that user authentication is
performed as follows: Authentication is attempted at the RADIUS server. If the RADIUS server
is not available, authentication is attempted at the local user database. If there is no database,
then no authentication is performed.
Console(config)# aaa authentication login radius local none
aaa authentication enable
The aaa authentication enable Global Configuration mode command defines authentication
method lists for accessing higher privilege levels. To return to the default configuration, use the
no form of this command.
•default — Uses the listed authentication methods that follow this argument as the
default list of methods, when using higher privilege levels.
•list-name — Character string used to name the list of authentication methods activated,
when accessing higher privilege levels (Range: 1-12 characters).
•method1 [method2...] — Specify at least one from the following table:
Keyword     Description
enable      Uses the enable password for authentication.
line        Uses the line password for authentication.
none        Uses no authentication.
radius      Uses the list of all RADIUS servers for authentication. Uses username $enabx$., where x is the privilege level.
tacacs      Uses the list of all TACACS+ servers for authentication. Uses username "$enabx$." where x is the privilege level.
Default Configuration
If the default list is not set, only the enable password is checked. This has the same effect as
the command aaa authentication enable default enable.
On the console, the enable password is used if it exists. If no password is set, the process still
succeeds. This has the same effect as using the command aaa authentication enable default
enable none.
Command Mode
Global Configuration mode
User Guidelines
•The default and optional list names created with the aaa authentication enable command are
used with the enable authentication command.
•The additional methods of authentication are used only if the previous method returns an
error, not if it fails. To ensure that the authentication succeeds even if all methods return an
error, specify none as the final method in the command line.
•All aaa authentication enable default requests sent by the device to a RADIUS or TACACS+
server include the username $enabx$., where x is the requested privilege level.
Example
The following example sets the enable password for authentication when accessing higher
privilege levels.
login authentication
The login authentication Line Configuration mode command specifies the login
authentication method list for a remote telnet or console. To return to the default configuration
specified by the aaa authentication login command, use the no form of this command.
Syntax
login authentication {default | list-name}
no login authentication
•default
•list-name
Default Configuration
Uses the default set with the command
Command Mode
Line Configuration mode
User Guidelines
•Changing login authentication from default to another value may disconnect the telnet
session.
Example
The following example specifies the default authentication method for a console.
enable authentication
The enable authentication Line Configuration mode command specifies the authentication
method list when accessing a higher privilege level from a remote telnet or console. To return to
the default configuration specified by the aaa authentication enable command, use the no form
of this command.
Syntax
enable authentication {default | list-name}
no enable authentication
•default — Uses the default list created with the aaa authentication enable command.
•list-name — Uses the indicated list created with the aaa authentication enable command.
Default Configuration
Uses the default set with the aaa authentication enable command.
Command Mode
Line Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example specifies the default authentication method when accessing a higher
privilege level from a console.
ip http authentication
The ip http authentication Global Configuration mode command specifies authentication
methods for HTTP server users. To return to the default configuration, use the no form of this
command.
Syntax
ip http authentication method1 [method2...]
no ip http authentication
•method1 [method2...] — Specify at least one from the following table:
Keyword     Description
local       Uses the local username database for authentication.
none        Uses no authentication.
radius      Uses the list of all RADIUS servers for authentication.
tacacs      Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command ip http
authentication local.
Command Mode
Global Configuration mode
User Guidelines
•The additional methods of authentication are used only if the previous method returns an
error, not if it fails. To ensure that the authentication succeeds even if all methods return an
error, specify none as the final method in the command line.
Example
The following example configures the HTTP authentication.
Console(config)# ip http authentication radius local
ip https authentication
The ip https authentication Global Configuration mode command specifies authentication
methods for HTTPS server users. To return to the default configuration, use the no form of this
command.
Syntax
ip https authentication method1 [method2...]
no ip https authentication
•method1 [method2...] — Specify at least one from the following table:
Keyword     Source or destination
local       Uses the local username database for authentication.
none        Uses no authentication.
radius      Uses the list of all RADIUS servers for authentication.
tacacs      Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command ip https
authentication local.
Command Mode
Global Configuration mode
User Guidelines
•The additional methods of authentication are used only if the previous method returns an
error, not if it fails. To ensure that the authentication succeeds even if all methods return an
error, specify none as the final method in the command line.
Example
The following example configures HTTPS authentication.
Console(config)# ip https authentication radius local
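The User Guidelines for aaa authentication login, aaa authentication enable, ip http authentication and ip https authentication all state the same rule: the next method is tried only after an error, never after a failure, and a trailing none lets the attempt succeed when every method errors. The following Python is an added example, not Dell code; it models that rule and flags method lists in which none can grant access. The sample configuration lines, outcome names and function names are constructed, and the deny result when every method errors without none is inferred from the guide's advice.

```python
import re

ACCEPT, REJECT, ERROR = "accept", "reject", "error"

# Method keywords listed in the guide's Keyword tables.
KNOWN_METHODS = {"enable", "line", "local", "none", "radius", "tacacs"}

# Constructed sample, written as configuration lines without the CLI prompt.
SAMPLE_CONFIG = """\
aaa authentication login default radius local none
aaa authentication enable default enable
ip http authentication radius local
ip https authentication none
"""

LINE_RE = re.compile(
    r"^(?:aaa authentication (?P<kind>login|enable) (?P<name>\S+)"
    r"|ip (?P<web>https?) authentication)\s+(?P<methods>.+)$"
)


def parse_method_lists(config_text):
    """Return {(kind, list_name): [method, ...]} for every method-list line."""
    lists = {}
    for raw in config_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        methods = match.group("methods").split()
        unknown = [m for m in methods if m not in KNOWN_METHODS]
        if unknown:
            raise ValueError(f"unknown method(s) {unknown} in {raw.strip()!r}")
        kind = match.group("web") or match.group("kind")
        lists[(kind, match.group("name") or "-")] = methods
    return lists


def evaluate(methods, outcomes):
    """Apply the fall-through rule to one authentication attempt.

    outcomes maps a method name to ACCEPT, REJECT or ERROR; a method that is
    not listed is treated as unreachable (ERROR). Returns (decision, method).
    """
    for method in methods:
        if method == "none":
            return ACCEPT, "none"      # "Uses no authentication"
        result = outcomes.get(method, ERROR)
        if result != ERROR:
            return result, method      # a failure is final: no fall-through
    # Inferred from the guide: with no trailing 'none', errors from every
    # method mean the attempt does not succeed.
    return REJECT, None


def audit(lists):
    """Flag method lists in which 'none' can grant access."""
    findings = []
    for (kind, name), methods in sorted(lists.items()):
        if "none" not in methods:
            continue
        before = methods[:methods.index("none")]
        if not before:
            findings.append(f"{kind}/{name}: no authentication at all")
        else:
            findings.append(
                f"{kind}/{name}: unauthenticated access whenever "
                f"{', '.join(before)} all return an error"
            )
    return findings


if __name__ == "__main__":
    parsed = parse_method_lists(SAMPLE_CONFIG)
    login = parsed[("login", "default")]
    print(evaluate(login, {"radius": REJECT}))                 # bad password
    print(evaluate(login, {"radius": ERROR, "local": ERROR}))  # nothing answers
    for finding in audit(parsed):
        print(finding)
```

A rejected password at the first method ends the attempt, while an unreachable RADIUS server and an unusable local database fall through to none and the login is accepted without credentials.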
show authentication methods
The show authentication methods Privileged EXEC mode command displays information
about the authentication methods.
Syntax
show authentication methods
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the authentication configuration.
Console# sh authentication methods
Login Authentication Method Lists
---------------------------------
Console_Default: None
Network_Default: Local
Enable Authentication Method Lists
----------------------------------
Console_Default: Enable, None
Network_Default: Enable
Line       Login Method List    Enable Method List
---------  -------------------  ------------------
Console    Default              Default
Telnet     Default              Default
SSH        Default              Default
http: Local
https: Local
dot1x:
console#
password
The password Line Configuration mode command specifies a password on a line. To remove the
password, use the no form of this command.
Syntax
password password [encrypted]
no password
•password — Password for this level (Range: 1-159 characters).
•encrypted — Encrypted password to be entered, copied from another device
configuration.
Default Configuration
No password is defined.
Command Mode
Line Configuration mode
User Guidelines
If a password is defined as encrypted, the required password length is 32 characters.
Example
The following example specifies password secret on a console.
Console(config)# line console
Console(config-line)# password secret
enable password
The enable password Global Configuration mode command sets a local password to control access
to user and privilege levels. To remove the password requirement, use the no form of this command.
Syntax
enable password [level level] password [encrypted]
no enable password [level level]
•password — Password for this level (Range: 1-159 characters).
•level — Level for which the password applies. If not specified the level is 15
(Range: 1-15).
•encrypted — Encrypted password entered, copied from another device configuration.
Default Configuration
No enable password is defined.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example sets local level 15 password secret to control access to privilege levels.
Console(config)# enable password level 15 secret
username
The username Global Configuration mode command creates a user account in the local
database. To remove a user name, use the no form of this command.
Syntax
username name [password password] [level level] [encrypted]
no username name
•name — The name of the user (Range: 1-20 characters).
•password — The authentication password for the user (Range: 1-159 characters).
•level — The user level (Range: 1-15).
•encrypted — Encrypted password entered, copied from another device configuration.
Default Configuration
No user is defined.
Command Mode
Global Configuration mode
User Guidelines
•A user account can be created without a password.
Example
The following example configures user bob with password lee and user level 15 to the system.
Console(config)# username bob password lee level 15
passwords min-length
The passwords min-length Global Configuration mode command sets the minimum length
required for passwords in the local database. To remove the minimum password length
requirement, use the no form of this command.
Syntax
passwords min-length length
no passwords min-length
•length — The minimum length required for passwords. (Range: 8-64 characters)
Default Configuration
No minimum password length.
Command Mode
Global Configuration mode
User Guidelines
•Relevant to local user passwords, line passwords, and enable passwords.
•The software checks the password length when an unencrypted password is defined or a user
enters an unencrypted password when logging in.
NOTE: The length of encrypted passwords is only checked when the user logs in. Similarly, the length of
passwords that were defined before the minimum password length requirement was configured is
checked only when the user logs in.
Example
The following example configures a minimum length of 8 characters required for passwords in
the local database.
Console(config)# passwords min-length 8
passwords aging
The passwords aging Global Configuration mode command sets the expiration time of
username and enable passwords. To remove the password expiration time, use the no form of
this command.
Syntax
passwords aging username name days
no passwords aging username name
passwords aging enable-password level days
no passwords aging enable-password level
• days — The number of days before a password expires. (Range: 1-365)
• name — The name of the user (Range: 1-20 characters).
• level — The level to which the password applies (Range: 1-15).
Default Configuration
No password expiration time.
Command Mode
Global Configuration mode
User Guidelines
• Relevant to local user passwords, line passwords, and enable passwords.
• The password expiration date is calculated from the day the password is defined, and not from
the day aging time is defined.
• Ten days before the password expiration date, the user receives a syslog warning to change the
password within "n" days. These warnings continue until the password expiration date.
• After the password expiration date, the user receives three chances to log in and change the
password. If the user still does not change the password, the account is locked.
• It is recommended that local device time be updated using an external SNTP clock.
Example
The following example sets the expiration time of the level 15 enable password to 180 days.
password-aging
The password-aging Line Configuration mode command configures the expiration time of line
passwords in the local database. To return to the default configuration, use the no form of this
command.
Syntax
password-aging days
no password-aging
• days — The number of days before a password expires (Range: 1-365).
Default Configuration
No password expiration time.
Command Mode
Line Configuration mode
User Guidelines
• The password expiration date is calculated from the day the password is defined, and not from
the day aging time is defined.
• Ten days before the password expiration date, the user receives a warning to change the
password within "n" days. These warnings continue until the password expiration date.
• After the password expiration date, the user receives three chances to log in and change the
password. If the user still does not change the password, the account is locked.
Example
The following example configures password aging to 120 days.
Console(config)# line telnet
Console(config-line)# password-aging 120
passwords history
The passwords history Global Configuration mode command sets the number of required
password changes before a password in the local database can be reused. To remove this
requirement, use the no form of this command.
Syntax
passwords history number
no passwords history
• number — Indicates the required number of password changes before a password can be
reused. (Range: 1-10).
Default Configuration
No required number of password changes before reusing a password.
Command Mode
Global Configuration mode
User Guidelines
• Relevant to local user passwords, line passwords, and enable passwords.
• Password history is not checked during the configuration download.
• Password history is saved even if the feature is disabled.
• A user’s password history is saved as long as the user is defined.
• If the user enters a password that is identical to the previously used one, the password is not
included in the password history count. This is required to enable the user to modify privilege
level or aging, without having to change passwords.
Example
The following example configures the required number of password changes before a password
can be reused to 3.
Console(config)# passwords history 3
passwords history hold-time
The passwords history hold-time Global Configuration mode command configures the number
of days a password is relevant for tracking its password history. To return to the default
configuration, use the no form of this command.
Syntax
passwords history hold-time days
no passwords hold-time
• days — Number of days a password is relevant for tracking its password history
(Range: 1-product specific).
Default Configuration
Not enabled.
Command Mode
Global Configuration mode
User Guidelines
Relevant to local user passwords, line passwords, and enable passwords.
Passwords are not deleted from the history database when they are no longer relevant for
tracking purposes. Increasing the number of days a password is relevant for tracking purposes
may make a password that is no longer relevant for tracking purposes relevant again.
Example
The following example configures the number of days that a password is relevant for tracking its
password history to 120.
Console(config)# passwords history hold-time 120
passwords lockout
The passwords lockout Global Configuration mode command sets the number of failed login
attempts before a user account is locked. To remove this condition, use the no form of this
command.
Syntax
passwords lockout number
no passwords lockout
• number — Number of failed login attempts before the user account is locked (Range: 1-5).
Default Configuration
User accounts are not locked after failed login attempts.
Command Mode
Global Configuration mode
User Guidelines
• Relevant to local user passwords, line passwords, and enable passwords.
• The user account can still access the local console.
• A different administrator, with privilege level 15, can release a locked account by using the
set username active command.
Example
The following example configures the number of failed login attempts before a user account is
locked to 3.
Console(config)# passwords lockout 3
aaa login-history file
The aaa login-history file Global Configuration mode command enables writing to the login
history file. To disable writing to the file, use the no form of this command.
Syntax
aaa login-history file
no aaa login-history file
Default Configuration
Writing to the login history file is enabled.
Command Mode
Global Configuration mode
User Guidelines
The login history is also saved in the internal buffer of the device.
Example
The following example enables writing to the login history file.
Console(config)# aaa login-history file
set username active
The set username active Privileged EXEC mode command reactivates a locked user account.
Syntax
set username name active
• name — Name of the user (Range: 1-20 characters).
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
• A locked user account can be reactivated from the local console.
• A different user, with privilege level 15, can reactivate a locked user account from any remote
or local connection.
Example
The following example reactivates a suspended user with username bob.
Console# set username bob active
set line active
The set line active Privileged EXEC mode command reactivates a locked line.
Syntax
set line {console | telnet | ssh} active
• console — Console terminal line.
• telnet — Virtual terminal for remote console access (Telnet).
• ssh — Virtual terminal for secured remote console access (SSH).
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example reactivates the line for a virtual terminal for remote console access.
Console# set line telnet active
set enable-password active
The set enable-password active Privileged EXEC mode command reactivates a locked enable
password.
Syntax
set enable-password level active
• level — The user level (Range: 1-15).
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example reactivates a locked level 15 enable password.
Console# set enable-password 15 active
show passwords configuration
The show passwords configuration Privileged EXEC mode command displays information
about password management.
Syntax
show passwords configuration
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays information about password management in the local database.
Console# show passwords configuration
Minimal length: 8
History: 10
History hold time: 365 days
Lock-out: Disabled
Enable Passwords
Level     Aging   Expiry date   Lockout
-----     -----   -----------   -------
1         90      Jan 18 2005   1
15        90      Jan 18 2005   0
Line Passwords
Level     Aging   Expiry date   Lockout
-----     -----   -----------   -------
Console   -       -             -
Telnet    90      Jan 18 2005   LOCKOUT
SSH       90      Jan 21 2005   0
The following table describes significant fields shown above.
Field               Description
Minimal length      Minimum length required for passwords in the local database.
History             Number of required password changes before a password in the local database can be reused.
History hold time   Period of time that a password is relevant for tracking password history.
Lockout control     Control locking a user account after a series of authentication failures.
Enable passwords    Describes the configuration and status of a local password with a specific level.
Aging               Password expiration time in days.
Expiry date         Expiration date of a password.
Lockout             If lockout control is enabled, specifies the number of failed authentication attempts since the user last logged in successfully. If the user account is locked, specifies LOCKOUT.
Line Passwords      Describes the configuration and status of a specific line password.
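The following Python script is an added example and is not part of the Dell guide. It parses output in the layout of show passwords configuration and reports disabled lockout control, passwords past their expiry date, entries without aging, and locked entries. The sample text is constructed, and reading "-" in the Aging column as "no aging configured" is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, laid out like the manual's example output.
SAMPLE = """\
Minimal length: 8
History: 10
History hold time: 365 days
Lock-out: Disabled
Enable Passwords
Level    Aging  Expiry date  Lockout
-----    -----  -----------  -------
1        90     Jan 18 2005  1
15       90     Jan 18 2005  0
Line Passwords
Level    Aging  Expiry date  Lockout
-----    -----  -----------  -------
Console  -      -            -
Telnet   90     Jan 18 2005  LOCKOUT
SSH      90     Jan 21 2005  0
"""

# name, aging (days or "-"), expiry date (or "-"), failure count or LOCKOUT
ROW = re.compile(r"^(\S+)\s+(\d+|-)\s+(\w{3}\s+\d{1,2}\s+\d{4}|-)\s+(\S+)$")

def parse(text):
    """Return (global settings, rows of the Enable/Line password tables)."""
    settings, rows, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line in ("Enable Passwords", "Line Passwords"):
            section = line
        elif section is None and ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
        elif section and (m := ROW.match(line)):
            name, aging, expiry, lockout = m.groups()
            if expiry != "-":
                expiry = datetime.strptime(" ".join(expiry.split()), "%b %d %Y").date()
            rows.append((f"{section} / {name}", aging, expiry, lockout))
    return settings, rows

def audit(text, today):
    # today is a datetime.date, passed in so that results are repeatable
    settings, rows = parse(text)
    findings = []
    if settings.get("Lock-out") == "Disabled":
        findings.append("lockout control is disabled")
    for label, aging, expiry, lockout in rows:
        if aging == "-":  # assumption: "-" means no aging is configured
            findings.append(f"{label}: no aging configured")
        elif expiry != "-" and expiry < today:
            findings.append(f"{label}: password expired {expiry}")
        if lockout == "LOCKOUT":
            findings.append(f"{label}: locked out")
    return findings
```

Call audit() with the captured command output and the current date, for example audit(SAMPLE, date(2005, 1, 20)) after importing date from datetime.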
show users login-history
The show users login-history Privileged EXEC mode command displays information about the
login history of users.
Syntax
show users login-history [username name]
• name — Name of the user (Range: 1-20 characters).
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the login history of users.
Console# show users login-history
Login Time             Username   Protocol   Location
--------------------   --------   --------   ----------
Jan 18 2004 23:58:17   Robert     HTTP       172.16.1.8
Jan 19 2004 07:59:23   Robert     HTTP       172.16.0.8
Jan 19 2004 08:23:48   Bob        Serial
Jan 19 2004 08:29:29   Robert     HTTP       172.16.0.8
Jan 19 2004 08:42:31   John       SSH        172.16.0.1
Jan 19 2004 08:49:52   Betty      Telnet     172.16.1.7
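The following Python script is an added example and is not part of the Dell guide. It reviews output in the layout of show users login-history, counting logins made over protocols that send credentials unencrypted (Telnet and HTTP) and listing users seen from more than one source address. The sample text is constructed from the rows shown above.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like the manual's example output.
SAMPLE = """\
Login Time            Username  Protocol  Location
--------------------  --------  --------  ----------
Jan 18 2004 23:58:17  Robert    HTTP      172.16.1.8
Jan 19 2004 07:59:23  Robert    HTTP      172.16.0.8
Jan 19 2004 08:23:48  Bob       Serial
Jan 19 2004 08:29:29  Robert    HTTP      172.16.0.8
Jan 19 2004 08:42:31  John      SSH       172.16.0.1
Jan 19 2004 08:49:52  Betty     Telnet    172.16.1.7
"""

# Telnet and HTTP carry the login credentials unencrypted.
CLEARTEXT = {"Telnet", "HTTP"}

# login time, username, protocol, optional location (absent for Serial)
ROW = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)(?:\s+(\S+))?$"
)

def parse(text):
    """Yield (login_time, username, protocol, location) per data row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and separator lines do not match
            yield m.groups()

def review(text):
    """Return (cleartext logins per user, users seen from several addresses)."""
    cleartext = defaultdict(int)
    sources = defaultdict(set)
    for _, user, protocol, location in parse(text):
        if protocol in CLEARTEXT:
            cleartext[user] += 1
        if location:
            sources[user].add(location)
    multi = {u: sorted(a) for u, a in sources.items() if len(a) > 1}
    return dict(cleartext), multi

if __name__ == "__main__":
    print(review(SAMPLE))
```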
show users accounts
The show users accounts Privileged EXEC mode command displays information about the local
user database.
Syntax
show users accounts
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the local users configured with access to the system.
Console# show users accounts
Username   Privilege   Password Aging   Password Expiry date   Lockout
--------   ---------   --------------   --------------------   -------
Bob        1           120              Jan 21 2005            -
Admin      15          120              Jan 21 2005            -
The following table describes significant fields shown above.
Field                  Description
Username               Name of the user.
Privilege              User’s privilege level.
Password Aging         User’s password expiration time in days.
Password Expiry Date   Expiration date of the user’s password.
Lockout                If lockout control is enabled, specifies the number of failed authentication attempts since the user last logged in successfully. If the user account is locked, specifies LOCKOUT.
ACL Commands
mac access-list
The mac access-list Global Configuration mode command creates Layer 2 ACLs. To delete an
ACL, use the no form of this command.
Syntax
mac access-list name
no mac access-list name
• name — Specifies the name of the ACL.
Default Configuration
The default for all ACLs is permit all.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example shows how to create a MAC ACL.
Console(config)# mac access-list macl-1
Console(config-mac-al)#
deny (MAC)
The deny MAC-Access List Configuration mode command denies traffic if the conditions
defined in the deny statement match.
Syntax
deny destination
• destination — Specifies the MAC address of the host to which the packet is being sent.
Default Configuration
This command has no default configuration.
Command Mode
MAC-Access List Configuration mode
User Guidelines
• MAC BPDU packets cannot be denied.
• Each MAC address in the ACL is an ACE (Access Control Element) and can only be removed
by deleting the ACL using the no mac access-list Global Configuration mode command or
the Web-based interface.
Example
The following example shows how to create a MAC ACL with rules.
Console(config)# mac access-list macl-1
Console(config-mac-acl)# deny 66:66:66:66:66:66
Console(config-mac-acl)# exit
Console(config)#
service-acl
The service-acl Interface (VLAN) Configuration mode command applies an ACL to the input
interface. To detach an ACL from an input interface, use the no form of this command.
Syntax
service-acl input acl-name
no service-acl input
• acl-name — Specifies the ACL to be applied to the input interface.
Default Configuration
This command has no default configuration.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example binds (services) an ACL to VLAN 2.
Console(config)# interface vlan 2
Console(config-if)# service-acl input macl-1
show access-lists
The show access-lists Privileged EXEC mode command displays access control lists (ACLs)
defined on the device.
Syntax
show access-lists [name]
• name — Name of the ACL.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Examples
The following example displays the access lists.
Console# show access-lists
MAC access list macl-1
deny host 66:66:66:66:66:66
show interfaces access-lists
The show interfaces access-lists Privileged EXEC mode command displays access lists applied
on interfaces.
Syntax
show interfaces access-lists [vlan vlan-id]
• vlan-id — VLAN number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Examples
The following example displays the ACLs applied on the device interfaces:
Console# show interfaces access-lists
Interface   Input ACL
---------   ---------
VLAN 2      ACL1
VLAN 10     ACL3
Address Table Commands
bridge address
The bridge address Interface Configuration (VLAN) mode command adds a MAC-layer station
source address to the bridge table. To delete the MAC address, use the no form of this
command.
Syntax
bridge address mac-address {ethernet interface | port-channel port-channel-number} [permanent | delete-on-reset | delete-on-timeout | secure]
no bridge address [mac-address]
• mac-address — A valid MAC address.
• interface — A valid Ethernet port.
• port-channel-number — A valid port-channel number.
• permanent — The address can only be deleted by the no bridge address command.
• delete-on-reset — The address is deleted after reset.
• delete-on-timeout — The address is deleted after "age out" time has expired.
• secure — The address is deleted after the port changes mode to unlock learning (no port
security command). This parameter is only available when the port is in the learning
locked mode.
Default Configuration
No static addresses are defined. The default mode for an added address is permanent.
Command Mode
Interface Configuration (VLAN) mode
User Guidelines
• Using the no form of the command without specifying a MAC address deletes all static MAC
addresses belonging to this VLAN.
Example
The following example adds a permanent static MAC-layer station source address
3aa2.64b3.a245 on port 1/e16 to the bridge table.