NetApp CN1610 Reference Manual

NetApp® CN1610 Network Switch

CLI Command Reference

NetApp, Inc. 495 East Java Sunnyvale, CA 94089 U.S.A. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501 Support telephone: +1 (888) 463-8277 Documentation comments: doccomments@netapp.com Information Web: www.netapp.com

Part number: 215-06286_C0 August 2017

Drive

Copyright information

No part of this means—graphic, electronic, or mechanical, including photocopy storage in an electronic retrieval system—without prior written permission of the copyright owner. Software derived from copyrighted NetApp material is subject to the following license and disclaimer:

THIS SOFTWARE IS PROVIDED BY NETAPP "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL NETAPP BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

NetApp reserves the right to change any products described herein at any time, and without notice. NetApp assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by NetApp. The use or purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of NetApp.

document covered by copyright may be reproduced in any form or by any

ing, recordin

NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE

g, taping, or

Trademark information

The product described in this manual may be protected by one or more U.S. patents, foreign patents, or pending applications.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7103 (October 1988) and FAR 52-227-19 (June 1987).

Active IQ, AltaVault, Arch Design, ASUP, AutoSupport, Campaign Express, Clustered Data ONTAP, Customer Fitness, Data ONTAP, DataMotion, Element, Fitness, Flash Accel, Flash Cache, FlashPool, FlexArray, FlexCache, FlexClone, FlexPod, FlexScale, FlexShare, FlexVol, FPolicy, Fueled by SolidFire, GetSuccessful, Helix Design, LockVault, Manage ONTAP, MetroCluster, MultiStore, NetApp, NetApp Insight, OnCommand, ONTAP, ONTAPI, RAID DP, RAID-TEC, SANscreen, SANshare, SANtricity, SecureShare, Simplicity, Simulate ONTAP, Snap Creator, SnapCenter, SnapCopy, SnapDrive, SnapIntegrator, SnapLock, SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapValidator, SnapVault, SolidFire, SolidFire Helix, StorageGRID, SyncMirror, Tech OnTap, Unbound Cloud, and WAFL and other names are trademarks or registered trademarks of NetApp, Inc., in the United States, and/or other countries. All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such. A current list of NetApp trademarks is available on the web.

http://www.netapp.com/us/legal/netapptmlist.aspx

Table of Contents

Chapter 1 About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Chapter 2 Using the Command-Line Interface . . . . . . . . . . . . . . . . . . . . . . 7

Command Syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Command Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Common Parameter Values. . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Interface Naming Convention . . . . . . . . . . . . . . . . . . . . . . . . . 12

Using the no Form of a Command . . . . . . . . . . . . . . . . . . . . . . . 13

CN1610 Software Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Command Completion and Abbreviation . . . . . . . . . . . . . . . . . . . 21

CLI Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

CLI Line-Editing Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 23

Using CLI Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Accessing the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Chapter 3 Management Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Network Interface Commands . . . . . . . . . . . . . . . . . . . . . . . . . 30

Console Port Access Commands . . . . . . . . . . . . . . . . . . . . . . . . 38

Telnet Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Secure Shell Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Management Security Commands . . . . . . . . . . . . . . . . . . . . . . . 50

Access Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

User Account Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

SNMP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

RADIUS Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

TACACS+ Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125

Configuration Scripting Commands . . . . . . . . . . . . . . . . . . . . . .130

Table of Contents 1

Prelogin Banner, System Prompt, and Host Name Commands . . . . . . . .133

Chapter 4 Utility Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

AutoInstall Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136

CLI Output Filtering Commands . . . . . . . . . . . . . . . . . . . . . . . .140

Dual Image Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . .143

System Information and Statistics Commands . . . . . . . . . . . . . . . . .145

Box Services Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . .187

Logging Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193

Email Alerting and Mail Server Commands . . . . . . . . . . . . . . . . . .202

System Utility and Clear Commands. . . . . . . . . . . . . . . . . . . . . .210

Simple Network Time Protocol Commands . . . . . . . . . . . . . . . . . .225

Time Zone Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

DNS Client Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . .237

IP Address Conflict Commands . . . . . . . . . . . . . . . . . . . . . . . .243

Serviceability Packet Tracing Commands . . . . . . . . . . . . . . . . . . .244

Support Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .272

BCM Shell Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274

sFlow Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275

Remote Monitoring Commands . . . . . . . . . . . . . . . . . . . . . . . .284

Chapter 5 Switching Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307

Port Configuration Commands . . . . . . . . . . . . . . . . . . . . . . . . .309

Spanning Tree Protocol Commands . . . . . . . . . . . . . . . . . . . . . .318

VLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351

Double VLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .369

Private VLAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .373

Switch Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376

Voice VLAN Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . .382

Provisioning (IEEE 802.1p) Commands . . . . . . . . . . . . . . . . . . . .385

2 Table of Contents

Asymmetric Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . .386

Protected Ports Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .388

GARP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391

GVRP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394

GMRP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397

Port-Based Network Access Control Commands . . . . . . . . . . . . . . .401

802.1X Supplicant Commands . . . . . . . . . . . . . . . . . . . . . . . . .428

Storm-Control Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .433

Link Local Protocol Filtering Commands . . . . . . . . . . . . . . . . . . .442

Port-Channel/LAG (802.3ad) Commands . . . . . . . . . . . . . . . . . . .444

Port Mirroring Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .466

Static MAC Filtering Commands. . . . . . . . . . . . . . . . . . . . . . . .471

DHCP L2 Relay Agent Commands . . . . . . . . . . . . . . . . . . . . . .476

DHCP Client Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . .485

DHCP Snooping Configuration Commands . . . . . . . . . . . . . . . . . .487

Dynamic ARP Inspection Commands . . . . . . . . . . . . . . . . . . . . .499

IGMP Snooping Configuration Commands . . . . . . . . . . . . . . . . . .508

IGMP Snooping Querier Commands. . . . . . . . . . . . . . . . . . . . . .519

MLD Snooping Commands . . . . . . . . . . . . . . . . . . . . . . . . . .524

MLD Snooping Querier Commands . . . . . . . . . . . . . . . . . . . . . .535

Port Security Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . .540

LLDP (802.1AB) Commands . . . . . . . . . . . . . . . . . . . . . . . . .546

LLDP-MED Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . .557

Denial of Service Commands. . . . . . . . . . . . . . . . . . . . . . . . . .566

MAC Database Commands. . . . . . . . . . . . . . . . . . . . . . . . . . .579

ISDP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583

Chapter 6 IPv6 IPv6 Management Commands . . . . . . . . . . . . . . . . . . . . .593

IPv6 Management Commands . . . . . . . . . . . . . . . . . . . . . . . . .594

Table of Contents 3

Chapter 7 Quality of Service Commands . . . . . . . . . . . . . . . . . . . . . . . .605

Class of Service Commands . . . . . . . . . . . . . . . . . . . . . . . . . .606

Differentiated Services Commands. . . . . . . . . . . . . . . . . . . . . . .616

DiffServ Class Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .618

DiffServ Policy Commands . . . . . . . . . . . . . . . . . . . . . . . . . .628

DiffServ Service Commands . . . . . . . . . . . . . . . . . . . . . . . . . .636

DiffServ Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . .638

MAC Access Control List Commands . . . . . . . . . . . . . . . . . . . . .648

IP Access Control List Commands . . . . . . . . . . . . . . . . . . . . . . .655

IPv6 Access Control List Commands . . . . . . . . . . . . . . . . . . . . .676

Time Range Commands for Time-Based ACLs . . . . . . . . . . . . . . . .687

Command Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .691

4 Table of Contents

About This Document

Note

Introduction This document describes command-line interface (CLI) commands you use to

view and configure the CN1610 software. You can access the CLI by using a direct connection to the serial port or by using Telnet or SSH over a remote network connection.

Some commands in this document may not be available with your version of the FASTPATH software. Enter a question mark (?) after typing one or more characters of a word to list the available commands or parameters that begin with the letters. See “Using CLI Help” on page 25 for more information.

Audience This document is for system administrators who configure and operate systems

using FASTPATH options of the FASTPATH software.

Software engineers who integrate FASTPATH software into their hardware platform can also benefit from a description of the configuration options.

This document assumes that you have an understanding of the FASTPATH software base and have read the appropriate specification for the relevant networking device platform. It also assumes that you have a basic knowledge of Ethernet and networking concepts.

software. It provides an understanding of the configuration

About FASTPATH Software

Refer to the release notes for the FASTPATH application-level code. The release notes detail the platform-specific functionality of the Switching, SNMP, Configuration, Management, and other packages. The suite of features the FASTPATH packages support is not available on all the platforms to which FASTPATH software has been ported.

FASTPATH

◆ Assist attached hardware in switching frames, based on Layer 2, 3, or 4

◆ Provide a complete device management portfolio to the network

software has two purposes:

information contained in the frames.

administrator.

About This Document

Scope FASTPATH software encompasses both hardware and software support. The

software is partitioned to run in the following processors:

◆ CPU

This code runs the networking device management portfolio and controls the overall networking device hardware. It also assists in frame forwarding, as needed and specified. This code is designed to run on multiple platforms with minimal changes from platform to platform.

◆ Networking device processor

This code does the majority of the packet switching, usually at wire speed. This code is platform-dependent, and substantial changes might exist across products.

Product Concept Fast Ethernet and Gigabit Ethernet switching continues to evolve from high-end

backbone applications to desktop switching applications. The price of the technology continues to decline, while performance and feature sets continue to improve. Devices that are capable of switching Layers 2, 3, and 4 are increasingly in demand. FASTPATH software provides a flexible solution to these ever-increasing needs.

The exact functionality provided by each networking device on which the FASTPATH software base runs varies depending upon the platform and requirements of the FASTPATH software.

FASTPATH software includes a set of comprehensive management functions for managing both FASTPATH software and the network. You can manage the FASTPATH software by using one of the following two methods:

◆ Command-Line Interface (CLI)

◆ Simple Network Management Protocol (SNMP)

Each of the FASTPATH management methods enables you to configure, manage, and control the software locally or remotely using in-band or out-of-band mechanisms. Management is standards-based, with configuration parameters and a private Management Information Base (MIB) providing control for functions not completely specified in the MIBs.

Using the Command-Line Interface

About this chapter The command-line interface (CLI) is a text-based way to manage and monitor the

system. You can access the CLI by using a direct serial connection or by using a remote logical connection with Telnet or SSH.

Topics in this chapter

This chapter describes the CLI syntax, conventions, and modes. It contains the following sections:

◆ “Command Syntax” on page 8

◆ “Command Conventions” on page 9

◆ “Common Parameter Values” on page 10

◆ “Interface Naming Convention” on page 12

◆ “Using the no Form of a Command” on page 13

◆ “CN1610 Software Modules” on page 14

◆ “Command Modes” on page 15

◆ “Command Completion and Abbreviation” on page 21

◆ “CLI Error Messages” on page 22

◆ “CLI Line-Editing Conventions” on page 23

◆ “Using CLI Help” on page 25

◆ “Accessing the CLI” on page 27

Chapter 2: Using the Command-Line Interface 7

Command Syntax

A command is one or more words that might be followed by one or more parameters. Parameters can be required or optional values.

Some commands, such as parameters. Other commands, such as

show network

network parms

clear vlan

, do not require

, require that you supply a value after the command. You must type the parameter values in a specific order, and optional parameters follow required parameters. The following example describes the

network parms ipaddr netmask [gateway]

◆

network parms

◆

ipaddr

network parms

is the command name.

and

netmask

command syntax:

are parameters and represent required values that you

must enter after you type the command keywords.

◆ [

gateway

] is an optional parameter, so you are not required to enter a value

in place of the parameter.

The NetApp CN1610 Network Switch CLI Command Reference lists each command by the command name and provides a brief description of the command. Each command reference also contains the following information:

◆ Format shows the command keywords and the required and optional

parameters.

◆ Mode identifies the command mode you must be in to access the command.

◆ Default shows the default value, if any, of a configurable setting on the

device.

The

show

commands also contain a description of the information that the

command shows.

8 Command Syntax

Command Conventions

The parameters for a command might include mandatory values, optional values, or keyword choices. Parameters are order-dependent. The following Parameter Conventions table describes the conventions this document uses to distinguish between value types:

Symbol Example Description

[] square brackets

italic

font in a

parameter.

{} curly braces

| Vertical bars

[{}] Braces within square brackets

[value]

value

[value]

{choice1 | choice2}

choice1 | choice2

[{choice1|choice2}]

Indicates an optional parameter.

Indicates a variable value. You must replace the italicized text and brackets with an appropriate value, which might be a name or number.

Indicates that you must select a parameter from the list of choices.

Separates the mutually exclusive choices.

Indicates a choice within an optional element.

Chapter 2: Using the Command-Line Interface 9

Common Parameter Values

Parameter values might be names (strings) or numbers. To use spaces as part of a name parameter, enclose the name value in double quotes. For example, the expression “System Name with Spaces” forces the system to accept the spaces. Empty strings (““) are not valid user-defined strings. The following Parameter Descriptions table describes common parameter values and value formatting:

Parameter Description

ipaddr This parameter is a valid IP address. You can

enter the IP address in the following formats:

a (32 bits) a.b (8.24 bits) a.b.c (8.8.16 bits) a.b.c.d (8.8.8.8)

In addition to these formats, the CLI accepts decimal, hexadecimal, and octal formats through the following input formats (where n is any valid hexadecimal, octal or decimal number):

0xn

(CLI assumes hexadecimal format.)

(CLI assumes octal format with leading

zeros.)

(CLI assumes decimal format.)

ipv6-address

FE80:0000:0000:0000:020F:24FF:FEBF:DBCB, or FE80:0:0:0:20F:24FF:FEBF:DBCB, or FE80::20F24FF:FEBF:DBCB, or FE80:0:0:0:20F:24FF:128:141:49:32

For additional information, refer to RFC 3513.

Interface or slot/port

Valid slot and port number separated by a forward slash. For example, 0/1 represents slot number 0 and port number 1.

Logical Interface Represents a logical slot and port number. This is

applicable in the case of a port-channel (LAG). You can use the logical slot/port to configure the port-channel.

10 Common Parameter Values

Parameter Description

Character strings Use double quotation marks to identify character

strings, for example, “System Name with Spaces”. An empty string (“”) is not valid.

Chapter 2: Using the Command-Line Interface 11

Interface Naming Convention

FASTPATH software references physical entities such as cards and ports by using a slot/port naming convention. The FASTPATH software also uses this convention to identify certain logical entities, such as link aggregation groups (LAGs), which are also known as port-channels.

When a command indicates that the variable is

slot/port

, an example of a valid entry is 0/1. This represents slot 0, port 1 on the switch. To configure port 12, the slot/port to enter would be 0/12.

To configure a LAG, which is a group of ports acting as a single interface, you enter the keyword

lag

followed by the LAG number, for example

lag 2

For many commands, you can also specify a range of physical or LAG interfaces to configure at the same time with the same settings. To specify a range of interfaces, the slot/port is separated by a dash, for example 0/1-0/4 indicates that the same settings will apply to ports 1, 2, 3, and 4.

The slot number has two uses. In the case of physical ports, it identifies the card containing the ports. In the case of logical and CPU ports it also identifies the type of interface or port.

Slot Type Description

Physical slot numbers Physical slot numbers begin with zero, and are

allocated up to the maximum number of physical slots.

CPU slot numbers The CPU slots immediately follow the logical

slots.

The port identifies the specific physical port being managed on a given slot.

Port Type Description

Physical ports The physical ports for each slot are numbered

sequentially starting from zero.

CPU ports CPU ports are handled by the driver as one or

more physical entities located on physical slots.

12 Interface Naming Convention

Using the no Form of a Command

The no keyword is a specific form of an existing command and does not represent a new or distinct command. Almost every configuration command has a In general, use the back to the default. For example, the reverses the shutdown of an interface. Use the command without the keyword to re-enable a disabled feature or to enable a feature that is disabled by default. Only the configuration commands are available in the

no form to reverse the action of a command or reset a value

no shutdown

no form.

configuration command

no form.

Chapter 2: Using the Command-Line Interface 13

CN1610 Software Modules

The CN1610 software consists of flexible modules that can be applied in various combinations to develop advanced Layer 2/3/4+ products. The commands and command modes available on your switch depend on the installed modules. Additionally, for some the modules included in the CN1610 software.

The CN1610 software suite includes the following modules:

◆ Switching (Layer 2)

◆ Quality of Service

◆ Management (CLI and SNMP)

◆ IPv6 Management—Allows management of the CN1610 switch through an

IPv6 address without requiring any IPv6 Routing features in the system. The management address can be associated with the network port (front-panel switch ports), a routine interface (port or VLAN), and the Service port.

◆ Security

show

commands, the output fields might change based on

14 CN1610 Software Modules

Command Modes

The CLI groups commands into modes according to the command function. Each of the command modes supports specific CN1610 software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.

The command changes in each command mode to help you identify the current mode. The following CLI Command Modes table describes the command modes and the prompts visible in that mode:

Command Mode Prompt Mode Description

User EXEC

Privileged EXEC

Global Config

VLAN Config

(CN1610)>

(CN1610)#

(CN1610) (Config)#

(CN1610)(Vlan)#

Contains a limited set of commands to view basic system information.

Allows you to enter any

EXEC

command, enter the VLAN mode, or enter the Global Configuration mode.

Groups general setup commands and permits you to make modifications to the running configuration.

Groups all the VLAN commands.

Chapter 2: Using the Command-Line Interface 15

Command Mode Prompt Mode Description

Interface Config

Line Console

(CN1610) (Interface slot/port)#

(CN1610) (Interface slot/port (startrange)slot/port(endrange) #

(CN1610) (configline)#

Manages the operation of an interface.

Use this mode to set up a physical port for a specific logical connection operation.

You can also use this mode to manage the operation of a range of interfaces. For example, the prompt may display as follows:

(CN1610) (Interface 0/1-0/4) #

Contains commands to configure outbound Telnet settings and console interface settings, as well as to configure console login/enable authentication.

Line SSH

(CN1610) (configssh)#

Contains commands to configure SSH login/enable authentication.

Line Telnet

(CN1610) (configtelnet)#

Contains commands to configure Telnet login/enable authentication.

AAA IAS User Config

(CN1610) (ConfigIAS-User)#

Allows password configuration for a user in the IAS database.

16 Command Modes

Command Mode Prompt Mode Description

Mail Server Config

Policy Map Config

Policy Class Config

Class Map Config

MAC Access-list Config

(CN1610) (MailServer)#

(CN1610) (Configpolicy-map)#

(CN1610) (Configpolicy-class-map)#

(CN1610) (Configclass-map)#

(CN1610) (Configmac-access-list)#

Allows configuration of the email server.

Contains the QoS Policy-Map configuration commands.

Consists of class creation, deletion, and matching commands. The class match commands specify Layer 2, Layer 3, and general match criteria.

Contains the QoS class map configuration commands for IPv4.

Allows you to create a MAC Access-List and to enter the mode containing MAC Access-List configuration commands.

TACACS Config

(CN1610) (Tacacs)#

Contains commands to configure properties for the TACACS servers.

ARP Access-List Config Mode

(CN1610) (Configarp-access-list)#

Contains commands to add ARP ACL rules in an ARP Access List.

Chapter 2: Using the Command-Line Interface 17

The following CLI Mode Access and Exit table explains how to enter or exit each mode:

Command Mode Prompt Mode Description

User EXEC This is the first level of

access.

Privileged EXEC From the User EXEC mode,

enable

enter

Global Config From the Privileged EXEC

mode, enter

configure

VLAN Config From the Privileged EXEC

mode, enter

vlan database

Interface Config From the Global Config

mode, enter:

interface slot/port

interface slot/port(startrange)slot/port(endrange)

Line Console From the Global Config

mode, enter

line console

To exit, enter

To exit to the User EXEC mode, enter

exit

or press

To exit to the Privileged EXEC mode, enter

Ctrl-Z.

press

To exit to the

Privileged EXEC mode, enter press

Ctrl-Z.

To exit to the Global Config mode, enter

exit

. To return to the Privileged EXEC mode, enter

To exit to the Global Config mode, enter

exit

. To return to the Privileged EXEC mode, enter

logout

Ctrl-Z

exit

, or

exit

, or

Ctrl-Z.

Ctrl-Z

AAA IAS User Config

18 Command Modes

From the Global Config mode, enter

aaa ias-user username name

To exit to the Global Config mode, enter

exit

. To return to the Privileged EXEC mode, enter

Ctrl-Z

Command Mode Prompt Mode Description

Mail Server Config From the Global Config

mode, enter

mail-server address.

Policy-Map Config

Policy-Class-Map Config

Class-Map Config

From the Global Config mode, enter

policy-map

From the Policy Map mode, enter

class

From the Global Config mode, enter

class-map

optional keyword

, and specify the

ipv4

specify the Layer 3 protocol for this class.

To exit to the Global Config mode, enter

exit

. To return to the Privileged EXEC mode, enter

Ctrl-Z

To exit to the Global Config mode, enter

exit

. To return to the Privileged EXEC mode, enter

Ctrl-Z

To exit to the Policy Map mode, enter

exit

To return to the Privileged EXEC mode, enter

Ctrl-Z

To exit to the Global Config mode, enter

exit

. To return to the Privileged EXEC mode, enter

Ctrl-Z

MAC Access-list Config

From the Global Config mode, enter

mac access-list extended name

TACACS Config From the Global Config

mode, enter

host ip-addr addr

tacacs-server

, where

ip-

is the IP address of the

TACACS server on your

To exit to the Global Config mode, enter

exit

. To return to the Privileged EXEC mode, enter

Ctrl-Z

To exit to the Global Config mode, enter

exit

. To return to the Privileged EXEC mode, enter

Ctrl-Z

network.

Chapter 2: Using the Command-Line Interface 19

Command Mode Prompt Mode Description

ARP Access-List Config Mode

From the Global Config mode, enter the

access-list command

arp

To exit to the Global Config mode, enter the

exit

command. To return to the Privileged EXEC mode, enter Ctrl-Z.

20 Command Modes

Command Completion and Abbreviation

Command completion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. Once you have entered enough letters, press the SPACEBAR or TAB key to complete the word.

Command abbreviation allows you to execute a command when you have entered enough letters to uniquely identify the command. You must enter all of the required keywords and parameters before you enter the command.

Chapter 2: Using the Command-Line Interface 21

CLI Error Messages

If you enter a command and the system is unable to execute it, an error message appears. The following table describes the most common CLI error messages:

Message Text Description

% Invalid input detected at '^' marker. Indicates that you entered an

incorrect or unavailable command. The carat (^) shows where the invalid text is detected. This message also appears if any of the parameters or values are not recognized.

Command not found / Incomplete command. Use ? to list commands.

Indicates that you did not enter the required keywords or values.

Ambiguous command Indicates that you did not enter

enough letters to uniquely identify the command.

22 CLI Error Messages

CLI Line-Editing Conventions

The following CLI editing conventions table describes the key combinations you can use to edit commands or increase the speed of command entry. You can access this list from the CLI by entering modes.

Key Sequence Description

DEL or Backspace Delete previous character.

Ctrl-A Go to beginning of line.

Ctrl-E Go to end of line.

Ctrl-F Go forward one character.

Ctrl-B Go backward one character.

Ctrl-D Delete current character.

Ctrl-U, X Delete to beginning of line.

Ctrl-K Delete to end of line.

help

from the User or Privileged EXEC

Ctrl-W Delete previous word.

Ctrl-T Transpose previous character.

Ctrl-P Go to previous line in history buffer.

Ctrl-R Rewrites or pastes the line.

Ctrl-N Go to next line in history buffer.

Ctrl-Y Prints last deleted character.

Ctrl-Q Enables serial flow.

Ctrl-S Disables serial flow.

Ctrl-Z Return to root command prompt.

Tab, <SPACE> Command-line completion.

Exit Go to next lower command prompt.

Chapter 2: Using the Command-Line Interface 23

Key Sequence Description

? List available commands, keywords,

or parameters.

24 CLI Line-Editing Conventions

Using CLI Help

Enter a question mark (?) at the command prompt to display the commands available in the current mode:

(CN1610)>?

enable Enter into user privilege mode.

help Display help for various special keys.

logout Exit this session. Any unsaved changes are lost.

password Change an existing user’s password.

ping Send ICMP echo packets to a specified IP address.

quit Exit this session. Any unsaved changes are lost.

show Display Switch Options and Settings.

telnet Telnet to a remote host.

Enter a question mark (?) after each word you enter to display available command keywords or parameters:

(CN1610)#network ?

ipv6 Configure IPv6 parameters for system network.

mac-address Configure MAC Address.

mac-type Select the locally administered or burnedin MAC

address.

mgmt_vlan Configure the Management VLAN ID of the switch.

parms Configure Network Parameters of the device.

protocol Select DHCP, BootP, or None as the network config

protocol.

If the help output shows a parameter in angle brackets, you must replace the parameter with a value:

(CN1610)#network parms ?

<ipaddr> Enter the IP address.

If there are no additional command keywords or parameters, or if additional parameters are optional, the following message appears in the output:

<cr> Press Enter to execute the command

Chapter 2: Using the Command-Line Interface 25

You can also enter a question mark (?) after typing one or more characters of a word to list the available command or parameters that begin with the letters, as shown in the following example:

(CN1610) #show m?

mac mac-addr-table mac-address-table

mail-server mbuf mldsnooping

monitor msg-queue

26 Using CLI Help

Accessing the CLI

You can access the CLI by using a direct console connection or by using a Telnet or SSH connection from a remote management host.

For the initial connection, you must use a direct connection to the console port. You cannot access the system remotely until the system has an IP address, subnet mask, and default gateway. You can set the network configuration information manually, or you can configure the system to accept these settings from a BOOTP server on your network. For more information, see “Console Port Access

Commands” on page 38.

Chapter 2: Using the Command-Line Interface 27

28 Accessing the CLI

Management Commands

This chapter describes the management commands available in the FASTPATH CLI.

The Management Commands chapter contains the following sections:

◆ “Network Interface Commands” on page 30

◆ “Console Port Access Commands” on page 38

◆ “Telnet Commands” on page 41

◆ “Secure Shell Commands” on page 47

◆ “Management Security Commands” on page 50

◆ “Access Commands” on page 51

◆ “User Account Commands” on page 53

◆ “SNMP Commands” on page 89

◆ “RADIUS Commands” on page 107

◆ “TACACS+ Commands” on page 125

◆ “Configuration Scripting Commands” on page 130

◆ “Prelogin Banner, System Prompt, and Host Name Commands” on page 133

The commands in this chapter are in one of three functional groups:

◆ Show commands display switch settings, statistics, and other information.

◆ Configuration commands configure features and options of the switch. For

every configuration command, there is a configuration setting.

◆ Clear commands clear some or all of the settings to factory defaults.

show

command that displays the

Chapter 3: Management Commands 29

Network Interface Commands

This section describes the commands you use to configure a logical interface for management access. To configure the management VLAN, see “network

mgmt_vlan” on page 351.

enable (Privileged EXEC access)

do (Privileged EXEC commands)

This command gives you access to the Privileged EXEC mode. From the Privileged EXEC mode, you can configure the network interface.

Format

enable

Mode User EXEC

This command executes Privileged EXEC mode commands from any of the configuration modes.

Format

Priv Exec Mode Command

Mode ◆ Global Config

◆ Interface Config

◆ VLAN Config

The following is an example of the EXEC command

(CN1610) #configure

(CN1610)(config)#do script list

script list

command that executes the Privileged

in Global Config Mode.

Configuration Script Name Size(Bytes)

-------------------------------- ----------backup-config 2105 running-config 4483 startup-config 445

3 configuration script(s) found. 2041 Kbytes free.

30 Network Interface Commands

serviceport ip This command sets the IP address, the netmask and the gateway of the network

management port. You can specify the

none

option to clear the IPv4 address and

mask and the default gateway (i.e., reset each of these values to 0.0.0.0).

serviceport protocol

serviceport protocol dhcp

Format

serviceport ip {

ipaddr netmask [gateway

] | none}

Mode Privileged EXEC

This command specifies the network management port configuration protocol. If you modify this value, the change is effective immediately. If you use the

bootp

parameter, the switch periodically sends requests to a BootP server until a response is received. If you use the requests to a DHCP server until a response is received. If you use the

dhcp parameter, the switch periodically sends

none

parameter, you must configure the network information for the switch manually.

Format

serviceport protocol {none | bootp | dhcp}

Mode Privileged EXEC

This command enables the DHCPv4 client on a Service port.

Default none

Format

serviceport protocol dhcp

Mode Privileged EXEC

The following shows an example of the command.

(CN1610) # serviceport protocol dhcp

network parms This command sets the IP address, subnet mask and gateway of the device. The

IP address and the gateway must be on the same subnet. When you specify the

none

option, the IP address and subnet mask are set to the factory defaults.

Format

network parms {

ipaddr netmask [gateway

]| none}

Mode Privileged EXEC

Chapter 3: Management Commands 31

network protocol This command specifies the network configuration protocol to be used. If you

modify this value, change is effective immediately. If you use the

bootp

parameter, the switch periodically sends requests to a BootP server until a response is received. If you use the requests to a DHCP server until a response is received. If you use the

dhcp parameter, the switch periodically sends

none

parameter, you must configure the network information for the switch manually.

Default none

network protocol dhcp

network macaddress

Format

network protocol {none | bootp | dhcp}

Mode Privileged EXEC

This command enables the DHCPv4 client on a Network port.

Default none

Format

network protocol dhcp

Mode Global Config

The following shows an example of the command.

(CN1610) # network protocol dhcp

This command sets locally administered MAC addresses. The following rules apply:

◆ Bit 6 of byte 0 (called the U/L bit) indicates whether the address is

universally administered (b'0') or locally administered (b'1').

◆ Bit 7 of byte 0 (called the I/G bit) indicates whether the destination address

is an individual address (b'0') or a group address (b'1').

◆ The second character, of the twelve character macaddr, must be 2, 6, A or E.

A locally administered address must have bit 6 On (b'1') and bit 7 Off (b'0').

Format

network mac-address

macaddr

Mode Privileged EXEC

32 Network Interface Commands

network mac-type This command specifies whether the switch uses the burned in MAC address or

the locally-administered MAC address.

Default burnedin

Format

network mac-type {local | burnedin}

Mode Privileged EXEC

no network mac-

This command resets the value of MAC address to its default.

type

Format

no network mac-type

Mode Privileged EXEC

show network This command displays configuration settings associated with the switch's

network interface. The network interface is the logical interface used for in-band connectivity with the switch via any of the switch's front panel ports. The configuration parameters associated with the switch's network interface do not affect the configuration of the front panel ports through which traffic is switched or routed. The network interface is always considered to be up, whether or not any member ports are up; therefore, the

show network

command will always

show Interface Status as Up.

Format

show network

Modes ◆ Privileged EXEC

◆ User EXEC

Term Definition

Interface Status The network interface status; it is always considered

to be “up”.

IP Address The IP address of the interface. The factory default

value is 0.0.0.0.

Subnet Mask The IP subnet mask for this interface. The factory

default value is 0.0.0.0.

Chapter 3: Management Commands 33

Term Definition

Default Gateway The default gateway for this IP interface. The

factory default value is 0.0.0.0.

IPv6 Administrative

Whether enabled or disabled.

Mode

IPv6 Prefix is The IPv6 address and length. Default is Link Local

format.

Burned In MAC Address

Locally Administered MAC Address

The burned in MAC address used for in-band connectivity.

If desired, a locally administered MAC address can be configured for in-band connectivity. To take effect, 'MAC Address Type' must be set to 'Locally Administered'. Enter the address as twelve hexadecimal digits (6 bytes) with a colon between each byte. Bit 1 of byte 0 must be set to a 1 and bit 0 to a 0, i.e. byte 0 should have the following mask 'xxxx xx10'. The MAC address used by this bridge when it must be referred to in a unique fashion. It is recommended that this be the numerically smallest MAC address of all ports that belong to this bridge. However it is only required to be unique. When concatenated with dot1dStpPriority a unique Bridge Identifier is formed which is used in the Spanning Tree Protocol.

MAC Address Type The MAC address which should be used for in-band

connectivity. The choices are the burned in or the Locally Administered address. The factory default is to use the burned in MAC address.

Configured IPv4 Protocol

Configured IPv6 Protocol

34 Network Interface Commands

The IPv4 network protocol being used. The options are bootp | dhcp | none.

The IPv6 network protocol being used. The options are dhcp | none.

Term Definition

DHCPv6 Client DUID

The DHCPv6 client’s unique client identifier. This row is displayed only when the configured IPv6 protocol is dhcp.

IPv6 Autoconfig Mode

Whether IPv6 Stateless address autoconfiguration is enabled or disabled.

Management VLAN The VLAN used to establish an IP connection to the

switch from a workstation that is connected to a port in the same VLAN.

The following shows example CLI display output for the network port.

(CN1610) #show network

Interface Status............................... Down

IP Address..................................... 0.0.0.0

Subnet Mask.................................... 0.0.0.0

Default Gateway................................ 0.0.0.0

IPv6 Administrative Mode....................... Enabled

Burned In MAC Address.......................... 00:A0:98:EA:2E:7A

Locally Administered MAC address............... 00:00:00:00:00:00

MAC Address Type............................... Burned In

Configured IPv4 Protocol....................... None

Configured IPv6 Protocol....................... None

IPv6 AutoConfig Mode........................... Disabled

Management VLAN ID............................. 1

show serviceport This command displays service port configuration information.

Format

show serviceport

Mode ◆ Privileged EXEC

◆ User EXEC

Chapter 3: Management Commands 35

Term Definition

Interface Status The network interface status. It is always considered

to be up.

IP Address The IP address of the interface. The factory default

value is 0.0.0.0.

Subnet Mask The IP subnet mask for this interface. The factory

default value is 0.0.0.0.

Default Gateway The default gateway for this IP interface. The

factory default value is 0.0.0.0.

IPv6 Administrative Mode

Whether enabled or disabled. Default value is enabled.

IPv6 Prefix is The IPv6 address and length. Default is Link Local

format.

Configured IPv4 Protocol

Configured IPv6 Protocol

DHCPv6 Client DUID

The IPv4 network protocol being used. The options are bootp | dhcp | none.

The IPv6 network protocol being used. The options are dhcp | none.

The DHCPv6 client’s unique client identifier. This row is displayed only when the configured IPv6 protocol is dhcp.

IPv6 Autoconfig Mode

Burned in MAC Address

Whether IPv6 Stateless address autoconfiguration is enabled or disabled.

The burned in MAC address used for in-band connectivity.

The following shows example CLI display output for the service port.

(CN1610) #show serviceport

Interface Status............................... Up

IP Address..................................... 10.27.21.176

Subnet Mask.................................... 255.255.252.0

Default Gateway................................ 10.27.20.1

IPv6 Administrative Mode....................... Enabled

36 Network Interface Commands

IPv6 Prefix is ................................

fe80::2a0:98ff:feea:2e7b/64

Configured IPv4 Protocol....................... DHCP

Configured IPv6 Protocol....................... None

IPv6 AutoConfig Mode........................... Disabled

Burned In MAC Address.......................... 00:A0:98:EA:2E:7B

Chapter 3: Management Commands 37

Console Port Access Commands

This section describes the commands you use to configure the console port. You can use a serial cable to connect a management host directly to the console port of the switch.

configure This command gives you access to the Global Config mode. From the Global

Config mode, you can configure a variety of system settings, including user accounts. From the Global Config mode, you can enter other command modes, including Line Config mode.

Format

configure

Mode Privileged EXEC

line This command gives you access to the Line Console mode, which allows you to

configure various Telnet settings and the console port, as well as to configure console login/enable authentication.

Format

line {console | telnet | ssh}

Mode Global Config

Term Definition

console Console terminal line.

telnet Virtual terminal for remote console access (Telnet).

ssh Virtual terminal for secured remote console access

(SSH).

The following shows an example of the CLI command.

(CN1610)(config)#line telnet (CN1610)(config-telnet)#

38 Console Port Access Commands

serial baudrate This command specifies the communication rate of the terminal interface. The

supported rates are 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200.

Default 9600

Format

serial baudrate {1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200}

Mode Line Config

no serial baudrate

This command sets the communication rate of the terminal interface.

Format

no serial baudrate

Mode Line Config

serial timeout This command specifies the maximum connect time (in minutes) without console

activity. A value of 0 indicates that a console can be connected indefinitely. The time range is 0 to 160.

Default 5

Format

serial timeout

0-160

Mode Line Config

no serial timeout This command sets the maximum connect time (in minutes) without console

activity.

Format

no serial timeout

Mode Line Config

show serial This command displays serial communication settings for the switch.

Format

Chapter 3: Management Commands 39

show serial

Modes ◆ Privileged EXEC

◆ User EXEC

Term Definition

Serial Port Login Timeout (minutes)

The time, in minutes, of inactivity on a serial port connection, after which the switch will close the connection. A value of 0 disables the timeout.

Baud Rate (bps) The default baud rate at which the serial port will try

to connect.

Character Size (bits) The number of bits in a character. The number of

bits is always 8.

Flow Control Whether Hardware Flow-Control is enabled or

disabled. Hardware Flow Control is always disabled.

Stop Bits The number of Stop bits per character. The number

of Stop bits is always 1.

Parity The parity method used on the Serial Port. The

Parity Method is always None.

40 Console Port Access Commands

Telnet Commands

This section describes the commands you use to configure and view Telnet settings. You can use Telnet to manage the device from a remote management host.

ip telnet server enable

Use this command to enable Telnet connections to the system and to enable the Telnet Server Admin Mode. This command opens the Telnet listening port.

Default enabled

Format

ip telnet server enable

Mode Privileged EXEC

no ip telnet server enable

Use this command to disable Telnet access to the system and to disable the Telnet Server Admin Mode. This command closes the Telnet listening port and

disconnects all open Telnet sessions.

Format

no ip telnet server enable

Mode Privileged EXEC

telnet This command establishes a new outbound Telnet connection to a remote host.

The host value must be a valid IP address or host name. Valid values for port should be a valid decimal integer in the range of 0 to 65535, where the default value is 23. If

[debug] is used, the current Telnet options enabled is displayed.

The optional line parameter sets the outbound Telnet operational mode as linemode where, by default, the operational mode is character mode. The

localecho option enables local echo.

Format

telnet [localecho]

ip-address|hostname port

[debug] [line]

Modes ◆ Privileged EXEC

◆ User EXEC

Chapter 3: Management Commands 41

Note

transport input telnet

no transport input telnet

This command regulates new Telnet sessions. If enabled, new Telnet sessions can be established until there are no more sessions available. An established session remains active until the session is ended or an abnormal network error ends the session.

If the Telnet Server Admin Mode is disabled, Telnet sessions cannot be established. Use the

ip telnet server enable command to enable Telnet

Server Admin Mode.

Default enabled

Format

transport input telnet

Mode Line Config

Use this command to prevent new Telnet sessions from being established.

Format

no transport input telnet

Mode Line Config

transport output telnet

This command regulates new outbound Telnet connections. If enabled, new outbound Telnet sessions can be established until the system reaches the maximum number of simultaneous outbound Telnet sessions allowed. An established session remains active until the session is ended or an abnormal

network error ends it.

Default enabled

Format

transport output telnet

Mode Line Config

no transport output telnet

Use this command to prevent new outbound Telnet connection from being established.

Format

no transport output telnet

Mode Line Config

42 Telnet Commands

session-limit This command specifies the maximum number of simultaneous outbound Telnet

sessions. A value of 0 indicates that no outbound Telnet session can be established.

Default 5

Format

session-limit

0-5

Mode Line Config

no session-limit This command sets the maximum number of simultaneous outbound Telnet

sessions to the default value.

Format

no session-limit

Mode Line Config

session-timeout This command sets the Telnet session timeout value.The timeout value unit of

time is minutes.

Default 5

Format

session-timeout

1-160

Mode Line Config

no session-timeout This command sets the Telnet session timeout value to the default. The timeout

value unit of time is minutes.

Format

no session-timeout

Mode Line Config

telnetcon maxsessions

This command specifies the maximum number of Telnet connection sessions that can be established. A value of 0 indicates that no Telnet connection can be

established. The range is 0-5.

Default 5

Chapter 3: Management Commands 43

Note

Format

telnetcon maxsessions

0-5

Mode Privileged EXEC

no telnetcon maxsessions

This command sets the maximum number of Telnet connection sessions that can be established to the default value.

Format

no telnetcon maxsessions

Mode Privileged EXEC

telnetcon timeout This command sets the Telnet connection session timeout value, in minutes. A

session is active as long as the session has not been idle for the value set. The time is a decimal value from 1 to 160.

When you change the timeout value, the new value is applied to all active and inactive sessions immediately. Any sessions that have been idle longer than the new timeout value are disconnected immediately.

Default 5

Format

telnetcon timeout

1-160

Mode Privileged EXEC

no telnetcon

This command sets the Telnet connection session timeout value to the default.

timeout

Changing the timeout value for active sessions does not become effective until the session is accessed again. Also, any keystroke activates the new timeout duration.

Format

no telnetcon timeout

Mode Privileged EXEC

44 Telnet Commands

show telnet This command displays the current outbound Telnet settings. In other words,

these settings apply to Telnet connections initiated from the switch to a remote system.

Format

show telnet

Modes ◆ Privileged EXEC

◆ User EXEC

Term Definition

Outbound Telnet Login Timeout

The number of minutes an outbound Telnet session is allowed to remain inactive before being logged off.

Maximum Number of Outbound Telnet

The number of simultaneous outbound Telnet connections allowed.

Sessions

Allow New Outbound Telnet Sessions

Indicates whether outbound Telnet sessions will be allowed.

show telnetcon This command displays the current inbound Telnet settings. In other words, these

settings apply to Telnet connections initiated from a remote system to the switch.

Format

show telnetcon

Modes ◆ Privileged EXEC

◆ User EXEC

Term Definition

Remote Connection Login Timeout (minutes)

This object indicates the number of minutes a remote connection session is allowed to remain inactive before being logged off. May be specified as a number from 1 to 160. The factory default is 5.

Maximum Number of Remote Connection Sessions

Chapter 3: Management Commands 45

This object indicates the number of simultaneous remote connection sessions allowed. The factory default is 5.

Term Definition

Allow New Telnet Sessions

Telnet Server Admin

New Telnet sessions will not be allowed when this field is set to no. The factory default value is yes.

The administrative mode of the telnet server.

Mode

Telnet Server Port The TCP port number where the telnet server is

listening.

The following output shows an example of the command:

(CN1610) #show telnetcon

Remote Connection Login Timeout (minutes)...... 5

Maximum Number of Remote Connection Sessions... 5

Allow New Telnet Sessions...................... Yes

Telnet Server Admin Mode....................... Enable

Telnet Server Port............................. 23

46 Telnet Commands

Note

Secure Shell Commands

This section describes the commands you use to configure Secure Shell (SSH) access to the switch. Use SSH to access the switch from a remote management host.

The system allows a maximum of 5 SSH sessions.

ip ssh Use this command to enable SSH access to the system. (This command is the

short form of the

Default disabled

ip ssh server enable command.)

Format

ip ssh

Mode Privileged EXEC

ip ssh protocol This command is used to set or remove protocol levels (or versions) for SSH.

Either SSH1 (1), SSH2 (2), or both SSH 1 and SSH 2 (1 and 2) can be set.

Default 2

Format

ip ssh protocol [1] [2]

Mode Privileged EXEC

ip ssh server enable This command enables the IP secure shell server. No new SSH connections are

allowed, but the existing SSH connections continue to work until timed-out or logged-out.

Default enabled

Format

ip ssh server enable

Mode Privileged EXEC

Chapter 3: Management Commands 47

no ip ssh server enable

sshcon maxsessions

no sshcon maxsessions

This command disables the IP secure shell server.

Format

no ip ssh server enable

Mode Privileged EXEC

This command specifies the maximum number of SSH connection sessions that can be established. A value of 0 indicates that no ssh connection can be

established. The range is 0 to 5.

Default 5

Format

sshcon maxsessions

0-5

Mode Privileged EXEC

This command sets the maximum number of allowed SSH connection sessions to the default value.

Format

no sshcon maxsessions

Mode Privileged EXEC

sshcon timeout This command sets the SSH connection session timeout value, in minutes. A

session is active as long as the session has been idle for the value set. The time is a decimal value from 1 to 160.

Changing the timeout value for active sessions does not become effective until the session is re accessed. Also, any keystroke activates the new timeout duration.

Default 5

Format

sshcon timeout

1-160

Mode Privileged EXEC

no sshcon timeout This command sets the SSH connection session timeout value, in minutes, to the

default.

48 Secure Shell Commands

Changing the timeout value for active sessions does not become effective until the session is re accessed. Also, any keystroke activates the new timeout duration.

show ip ssh

Format

no sshcon timeout

Mode Privileged EXEC

This command displays the ssh settings.

Format

show ip ssh

Mode Privileged EXEC

Term Definition

Administrative Mode This field indicates whether the administrative mode

of SSH is enabled or disabled.

SSH port The TCP port where the SSH server is listening

Protocol Level The protocol level may have the values of version 1,

version 2 or both versions 1 and version 2.

SSH Sessions

The number of SSH sessions currently active.

Currently Active

Max SSH Sessions

The maximum number of SSH sessions allowed.

Allowed

SSH Timeout The SSH timeout value in minutes.

Keys Present Indicates whether the SSH RSA and DSA key files

are present on the device.

Key Generation in Progress

Chapter 3: Management Commands 49

Indicates whether RSA or DSA key files generation is currently in progress.

Management Security Commands

This section describes commands you use to generate keys and certificates, which you can do in addition to loading them as before.

crypto key generate rsa

no crypto key generate rsa

crypto key generate dsa

no crypto key generate dsa

Use this command to generate an RSA key pair for SSH. The new key files will overwrite any existing generated or downloaded RSA key files.

Format

crypto key generate rsa

Mode Global Config

Use this command to delete the RSA key files from the device.

Format

no crypto key generate rsa

Mode Global Config

Use this command to generate a DSA key pair for SSH. The new key files will overwrite any existing generated or downloaded DSA key files.

Format

crypto key generate dsa

Mode Global Config

Use this command to delete the DSA key files from the device.

Format

no crypto key generate dsa

Mode Global Config

50 Management Security Commands

Access Commands

Use the commands in this section to close remote connections or to view information about connections to the system.

disconnect Use the

all active sessions, or use view the possible values for command.

Format

Mode Privileged EXEC

linuxsh Use the

exit the Linux shell and return to the CN1610 CLI. The shell session will timeout after five minutes of inactivity. The inactivity timeout value can be changed using the command “session-timeout” on page 43 in Line Console mode.

Default ip-port:2324

Format

Mode Privileged EXEC

Parameter Description

ip-port The IP port number on which the telnet daemon

disconnect command to close Telnet or SSH sessions. Use all to close

session-id to specify the session ID to close. To

session-id, use the show loginsession

disconnect {session_id | all}

linuxsh

command to access the Linux shell. Use the

linuxsh [ip-port]

exit

command to

listens for connections. ip-port is an integer from 1 to 65535. The default value is 2324.

show loginsession This command displays current Telnet, SSH and serial port connections to the

switch. This command displays truncated user names. Use the

loginsession long

Format

Chapter 3: Management Commands 51

show loginsession

command to display the complete usernames.

show

Mode Privileged EXEC

Term Definition

ID Login Session ID.

User Name The name the user entered to log on to the system.

Connection From IP address of the remote client machine or EIA-232

for the serial port connection.

Idle Time Time this session has been idle.

Session Time Total time this session has been connected.

Session Type Shows the type of session, which can be telnet,

serial, or SSH.

show loginsession long

This command displays the complete user names of the users currently logged in to the switch.

Format

show loginsession long

Mode Privileged EXEC

The following shows an example of the command.

(CN1610) #show loginsession long User Name

-----------admin test1111test1111test1111test1111test1111test1111test1111test1111

52 Access Commands

Note

User Account Commands

This section describes the commands you use to add, manage, and delete system users. FASTPATH software has two default users: admin and guest. The admin user can view and configure system settings, and the guest user can view settings.

You cannot delete the admin user. There is only one user allowed with level-15 privileges. You can configure up to five level-1 users on the system.

aaa authentication login

Use this command to set authentication at login. The default and optional list names created with the command are used with the command. Create a list by entering the

method

command, where

The

method

argument identifies the list of methods that the authentication

list-name

aaa authentication login list-name

is any character string used to name this list.

aaa authentication login

algorithm tries, in the given sequence.

The additional methods of authentication are used only if the previous method returns an error, not if there is an authentication failure. To ensure that the authentication succeeds even if all methods return an error, specify fInal method in the command line. For example, if authentication method after

radius

, no authentication is used if the RADIUS

none

is specified as an

none

as the

server is down.

Default

defaultList

. Used by the console and only contains the

◆

method none.

◆

networkList

. Used by telnet and SSH and only contains the

method local.

Format

aaa authentication login {default |

method1 [method2...]

list-name}

Mode Global Config

Parameter Definition

default Uses the listed authentication methods that follow

this argument as the default list of methods when a user logs in.

Chapter 3: Management Commands 53

Parameter Definition

list-name Character string of up to 15 characters used to name

the list of authentication methods activated when a user logs in.

no aaa authentication login

method1...

[method2...]

At least one from the following:

◆ enable. Uses the enable password for

authentication.

◆ line. Uses the line password for authentication.

◆ local. Uses the local username database for

authentication.

◆ none. Uses no authentication.

◆ radius. Uses the list of all RADIUS servers for

authentication.

◆ tacacs. Uses the list of all TACACS servers for

authentication.

The following shows an example of the command.

(CN1610)(config)# aaa authentication login default radius local enable none

This command returns to the default.

Format

aaa authentication login {default |

list-name}

Mode Global Config

aaa authentication enable

Use this command to set authentication for accessing higher privilege levels. The default enable list is as

enable

followed by

enableList

none

. It is used by console, and contains the method

A separate default enable list, enableNetList, is used for Telnet and SSH users instead of enableList. This list is applied by default for Telnet and SSH, and contains enable followed by deny methods. In CN1610, by default, the enable password is not configured. That means that, by default, Telnet and SSH users

54 User Account Commands

will not get access to Privileged EXEC mode. On the other hand, with default conditions, a console user always enter the Privileged EXEC mode without entering the enable password.

The default and optional list names created with the

enable

command are used with the list by entering the where

list-name

aaa authentication enable list-name method

is any character string used to name this list. The

enable authentication

aaa authentication

command. Create a

command

method

argument identifies the list of methods that the authentication algorithm tries in the given sequence.

The user manager returns ERROR (not PASS or FAIL) for enable and line methods if no password is configured, and moves to the next configured method in the authentication list. The method

none

reflects that there is no authentication

needed.

The user will only be prompted for an enable password if one is required. The following authentication methods do not require passwords:

1. none

2. deny

3. enable (if no enable password is configured)

4. line (if no line password is configured)

See the examples below.

◆

aaa authentication enable default enable none

◆

aaa authentication enable default line none

◆

aaa authentication enable default enable radius none

◆

aaa authentication enable default line tacacs none

The first two examples do not prompt for a password; however, because the last two examples contain the

radius

and

tacacs

methods, the password prompt is

displayed.

If the login methods include only enable, and there is no enable password configured, then CN1610 does not prompt for a username. In such cases, CN1610 only prompts for a password. CN1610 supports configuring methods after the local method in authentication and authorization lists. If the user is not present in the local database, then the next configured method is tried.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify

Chapter 3: Management Commands 55

none

as the final method in the command line.

Note

Use the command “show authorization methods” on page 59 to display information about the authentication methods.

Requests sent by the switch to a RADIUS server include the username where

is the requested privilege level. For enable to be authenticated on Radius

servers, add

$enabx$

users to them. The login user ID is now sent to TACACS+

$enabx$

servers for enable authentication.

Default default

Format

aaa authentication enable {default |

method1 [method2...]

list-name}

Mode Global Config

Parameter Description

default Uses the listed authentication methods that follow

this argument as the default list of methods, when using higher privilege levels.

list-name Character string used to name the list of

authentication methods activated, when using access higher privilege levels. Range: 1-15 characters.

method1

[method2...]

Specify at least one from the following:

◆

deny

. Used to deny access.

◆

enable

. Uses the enable password for

authentication.

◆

line

. Uses the line password for authentication.

◆

none

. Uses no authentication.

◆

radius

. Uses the list of all RADIUS servers for

authentication.

◆

tacacs

. Uses the list of all TACACS+ servers

for authentication.

The following example sets authentication when accessing higher privilege levels.

(CN1610)(config)# aaa authentication enable default enable

56 User Account Commands

no aaa

Use this command to return to the default configuration.

authentication enable

Format

no aaa authentication enable {default |

list-name

}

Mode Global Config

aaa authorization Use this command to configure an exec authorization method list. This list is

identified by

default

or a user-specified

list-name

. If

tacacs

is specified as the authorization method, authorization commands are notified to a TACACS+ server.

Exec Authorization When exec authorization is configured for a line mode, the user may not be

required to use the enable command to enter Privileged EXEC mode. If the authorization response indicates that the user has sufficient privilege levels for Privileged EXEC mode, then the user bypasses User EXEC mode entirely.

The exec authorization usage scenario is this:

1. Configure Authorization Method List

aaa authorization exec listname method1 [method2....]

2. Apply AML to an Access Line Mode (console, telnet, SSH)

authorization exec listname

3. When the user logs in, in addition to authentication, authorization will be performed to determine if the user is allowed direct access to Privileged EXEC mode.

Format

aaa authorization exec {default|list-name} method1[method2]

Mode Global Config

Parameter Description

exec Provides exec authorization.

default The default list of methods for authorization

services.

Chapter 3: Management Commands 57

Parameter Description

list-name Alphanumeric character string used to name the list

of authorization methods.

method

TACACS+/RADIUS/Local

and

none

are supported.

The following shows an example of the command.

(CN1610) # (CN1610) #configure (CN1610) (Config)#aaa authorization exec default tacacs+ none

no aaa

This command deletes the authorization method list.

authorization

Format

no aaa authorization commands {default|list-name}

Mode Global Config

authorization exec This command applies a command authorization method list to an access method

so that the user may not be required to use the enable command to enter Privileged EXEC mode. For usage scenarios on exec authorization, see the command “aaa authorization” on page 57.

Format

authorization exec list-name

Mode Line console, Line telnet, Line SSH

Parameter Description

list-name The command authorization method list.

no authorization

This command removes command authorization from a line config mode.

exec

Format

no authorization exec

Mode Line console, Line telnet, Line SSH

58 User Account Commands

authorization exec default

no authorization exec default

show authorization methods

This command applies a default command authorization method list to an access method so that the user may not be required to use the enable command to enter Privileged EXEC mode. For usage scenarios on exec authorization, see the command “aaa authorization” on page 57.

Format

authorization exec default

Mode Line console, Line telnet, Line SSH

This command removes command authorization from a line config mode.

Format

no authorization exec default

Mode Line console, Line telnet, Line SSH

This command displays the configured authorization method lists.

Format

show authorization methods

Mode Privileged EXEC

The following shows example CLI display output for the command.

(CN1610) #show authorization methods

Exec Authorization Method Lists

------------------------------------dfltExecAuthList : none

Line Exec Method List

--------- --------------------Console dfltExecAuthList Telnet dfltExecAuthList SSH dfltExecAuthList

enable authentication

Chapter 3: Management Commands 59

Use this command to specify the authentication method list when accessing a higher privilege level from a remote telnet or console.

Format

enable authentication {default | list-name}

Mode Line Config

Parameter Description

no enable authentication

username (Global Config)

default Uses the default list created with the

authentication enable

command.

list-name Uses the indicated list created with the

authentication enable

command.

aaa

The following example specifies the default authentication method when accessing a higher privilege level console.

(CN1610)(config)# line console (CN1610)(config-line)# enable authentication default

Use this command to return to the default specified by the

authentication

Format

command.

no enable authentication

enable

Mode Line Config

Use the user database. The default privilege level is 1. Using the

username

command in Global Config mode to add a new user to the local

encrypted

keyword allows the administrator to transfer local user passwords between devices without having to know the passwords. When the

encrypted

parameter, the password must be exactly 128 hexadecimal characters

password

parameter is used along with

in length. If the password strength feature is enabled, this command checks for password strength and returns an appropriate error if it fails to meet the password strength criteria. Giving the optional parameter

override-complexity-check

disables the validation of the password strength.

Format

username name {password password [encrypted [overridecomplexity-check] | level level [encrypted [overridecomplexity-check]] | override-complexity-check]} | {level level [override-complexity-check] password}

Mode Global Config

60 User Account Commands

Parameter Description

name The name of the user. Range: 1-64 characters.

password The authentication password for the user. Range 8-

64 characters. This value can be zero if the

passwords min-length

command has been

executed. The special characters allowed in the password include ! # $ % & ' ( ) * + , - . / : ; < = > @ [ \ ] ^ _ ` { | } ~.

level The user level. Level 0 can be assigned by a level 15

user to another user to suspend that user’s access. Range 0-15. Enter access level 1 for non-privileged (switch> prompt) or 15 for highest privilege (switch# prompt) Access. If not specified where it is optional, the privilege level is 1.

encrypted Encrypted password entered, copied from another

switch configuration.

override-complexity-

Disables the validation of the password strength.

check

The following example configures user

bob

with password

xxxyyymmmm

and user

level 15.

(CN1610)(config)# username bob password xxxyyymmmm level 15

The following example configures user test with password testPassword and assigns a user level of 1. The password strength will not be validated.

(CN1610)(config)# username test password testPassword level 1 override-complexity-check

A third example.

(Switching) (Config)#username test password testtest

A fourth example.

(Switching) (Config)# username test password e8d63677741431114f9e39a853a15e8fd35ad059e2e1b49816c243d7e08152b052 eafbf23b528d348cdba1b1b7ab91be842278e5e970dbfc62d16dcd13c0b864 level 1 encrypted override-complexity-check

Chapter 3: Management Commands 61

(Switching) (Config)# username test level 15 password

Enter new password:********

Confirm new password:********

A fifth example.

(Switching) (Config)# username test level 15 override-complexitycheck password

Enter new password:********

Confirm new password:********

no username Use this command to remove a user name.

username nopassword

Format

no username

name

Mode Global Config

Use this command to remove an existing user’s password (NULL password).

Format

username

name

nopassword

[level level]

Mode Global Config

Parameter Description

name The name of the user. Range: 1-32 characters.

password The authentication password for the user. Range 8-

64 characters.

level The user level. Level 0 can be assigned by a level 15

user to another user to suspend that user’s access. Range 0-15.

62 User Account Commands

username unlock Use this command to allows a locked user account to be unlocked. Only a user

with Level 1 access can reactivate a locked user account.

username snmpv3 accessmode

no username snmpv3 accessmode

Format

username

name

unlock

Mode Global Config

This command specifies the snmpv3 access privileges for the specified login user. The valid accessmode values are

readonly or readwrite. The username

is the login user name for which the specified access mode applies. The default is

readwrite for the “admin” user and readonly for all other users. You must enter

the

username in the same case you used when you added the user. To see the

case of the

Default s

Format

username, enter the show users command.

◆ admin - readwrite

◆ other - readonly

username snmpv3 accessmode

readwrite

}

username {readonly |

Mode Global Config

This command sets the snmpv3 access privileges for the specified user as readwrite for the “admin” user and readonly for all other users. The

username

value is the user name for which the specified access mode will apply.

Format

no username snmpv3 accessmode

username

Mode Global Config

username snmpv3 authentication

This command specifies the authentication protocol to be used for the specified user. The valid authentication protocols are or

sha, the login password is also used as the snmpv3 authentication password

and therefore must be at least eight characters in length. The

none, md5 or sha. If you specify md5

username is the

user name associated with the authentication protocol. You must enter the

username in the same case you used when you added the user. To see the case of

the

username, enter the show users command.

Chapter 3: Management Commands 63

Default no authentication

no username snmpv3 authentication

username snmpv3 encryption

Format

username snmpv3 authentication sha}

username

{none | md5 |

Mode Global Config

This command sets the authentication protocol to be used for the specified user to

none. The username is the user name for which the specified authentication

protocol is used.

Format

no username snmpv3 authentication

username

Mode Global Config

This command specifies the encryption protocol used for the specified user. The valid encryption protocols are

If you select encryption key

des, you can specify the required key on the command line. The

must be 8 to 64 characters long. If you select the des protocol but

do not provide a key, the user is prompted for the key. When you use the

des or none.

des

protocol, the login password is also used as the snmpv3 encryption password, so it must be a minimum of eight characters. If you select

none, you do not need to

provide a key.

The

username value is the login user name associated with the specified

encryption. You must enter the added the user. To see the case of the

username in the same case you used when you

username, enter the show users

command.

Default no encryption

Format

username snmpv3 encryption

username

{none | des

[key]

}

Mode Global Config

64 User Account Commands

no username snmpv3 encryption

This command sets the encryption protocol to none. The username is the login user name for which the specified encryption protocol will be used.

Format

no username snmpv3 encryption

username

Mode Global Config

username snmpv3 encryption

This command specifies the des encryption protocol and the required encryption key for the specified user. The encryption key

must be 8 to 64 characters long.

encrypted

Default no encryption

Format

username snmpv3 encryption encrypted

username

des

Mode Global Config

show users This command displays the configured user names and their settings. The

users

command displays truncated user names. Use the

command to display the complete usernames. The

show users long

show users

command is only available for users with Level 15 privileges. The SNMPv3 fields will only be displayed if SNMP is available on the system.

key

show

Format

show users

Mode Privileged EXEC

Term Definition

User Name The name the user enters to login using the serial

port, SSH, or Telnet.

Access Mode Shows whether the user is able to change parameters

on the switch (Level 15) or is only able to view them (Level 1). As a factory default, the “admin” user has Level 15 access and the “guest” has Level 1 access.

Chapter 3: Management Commands 65

Term Definition

SNMPv3 Access Mode

The SNMPv3 Access Mode. If the value is set to

ReadWrite, the SNMPv3 user is able to set and

retrieve parameters on the system. If the value is set to

ReadOnly, the SNMPv3 user is only able to

retrieve parameter information. The SNMPv3 access mode may be different than the CLI access mode.

SNMPv3 Authentication

The authentication protocol to be used for the specified login user.

SNMPv3 Encryption The encryption protocol to be used for the specified

show users long This command displays the complete usernames of the configured users on the

switch.

Format

show users long

Mode Privileged EXEC

The following shows an example of the command.

(CN1610) #show users long User Name

-----------admin guest test1111test1111test1111test1111

show users accounts

This command displays the local user status with respect to user account lockout and password aging.This command displays truncated user names. Use the

users long

Format

command to display the complete usernames.

show users accounts [detail]

show

Mode Privileged EXEC

66 User Account Commands

Term Definition

User Name The local user account’s user name.

Access Level The user’s access level (1 for non-privilege

(switch>prompt) or 15 for highest privilege (switch# prompt).

Password Aging Number of days, since the password was configured,

until the password expires.

Password Expiry Date The current password expiration date in date format.

Lockout Indicates whether the user account is locked out

(true or false).

If the detail keyword is included, the following additional fields display.

Term Definition

Password Override Complexity Check

Displays the user's Password override complexity check status. By default it is disabled.

Password Strength Displays the user password's strength (Strong or

Weak). This field is displayed only if the Password Strength feature is enabled.

The following example displays information about the local user database.

(CN1610)#show users accounts

UserName Privilege Password Password Lockout Aging Expiry date

------------------- --------- -------- ------------ ------admin 15 --- --- False guest 1 --- --- False

console#show users accounts detail

UserName....................................... admin

Privilege...................................... 15

Password Aging................................. ---

Password Expiry................................ ---

Chapter 3: Management Commands 67

Lockout........................................ False

Override Complexity Check...................... Disable

Password Strength.............................. ---

UserName....................................... guest

Privilege...................................... 1

Password Aging................................. ---

Password Expiry................................ ---

Lockout........................................ False

Override Complexity Check...................... Disable

Password Strength.............................. ---

show users loginhistory [long]

show users loginhistory [username]

Use this command to display information about the login history of users.

Format

show users login-history [long]

Mode Privileged EXEC

Use this command to display information about the login history of users.

Format

show users login-history [username name]

Mode Privileged EXEC

Parameter Description

name Name of the user. Range: 1-20 characters.

The following example shows user login history outputs.

Console>show users login-history Login Time Username Protocol Location

-------------------- --------- --------- --------------Jan 19 2005 08:23:48 Bob Serial Jan 19 2005 08:42:31 John SSH 172.16.0.1 Jan 19 2005 08:49:52 Betty Telnet 172.16.1.7

login authentication Use this command to specify the login authentication method list for a line

(console, telnet, or SSH). The default configuration uses the default set with the command

68 User Account Commands

aaa authentication login

Format

list-name

}

Mode Line Configuration

Parameter Description

default Uses the default list created with the

authentication login

command.

list-name Uses the indicated list created with the

authentication login

command.

aaa

The following example specifies the default authentication method for a console.

(CN1610) (config)# line console (CN1610) (config-line)# login authentication default

no login authentication

Use this command to return to the default specified by the

command.

authentication

password This command allows the currently logged in user to change his or her password

without having Level 15 privileges.

Format

password

Mode User EXEC

The following is an example of the command.

console>password

Enter old password:********

Enter new password:********

Confirm new password:********

password (Line Configuration)

Chapter 3: Management Commands 69

Use the

password

command in Line Configuration mode to specify a password

on a line. The default configuration is no password is specified.

Format

password [password [encrypted]]

Mode Line Config

Parameter Definition

password Password for this level. Range: 8-64 characters

encrypted Encrypted password to be entered, copied from

another switch configuration. The encrypted password should be 128 characters long because the assumption is that this password is already encrypted with AES.

The following example specifies a password

(CN1610)(config-line)# password

mcmxxyyy

on a line.

The following is another example of the command.

(Switching)(Config-line)# password testtest

(Switching) (Config-line)# password e8d63677741431114f9e39a853a15e8fd35ad059e2e1b49816c243d7e08152b052 eafbf23b528d348cdba1b1b7ab91be842278e5e970dbfc62d16dcd13c0b864 encrypted

(Switching) (Config-line)# password

Enter new password:********

Confirm new password:********

no password (Line

Use this command to remove the password on a line.

Configuration)

Format

no password

Mode Line Config

70 User Account Commands

password (User EXEC)

password (aaa IAS User Config)

Use this command to allow a user to change the password for only that user. This command should be used after the password has aged. The user is prompted to enter the old password and the new password.

Format

password

Mode User EXEC

The following example shows the prompt sequence for executing the password command.

(CN1610)>password Enter old password:******** Enter new password:******** Confirm new password:********

This command is used to configure a password for a user. An optional parameter [encrypted] is provided to indicate that the password given to the command is already preencrypted.

Format

password password [encrypted]

Mode aaa IAS User Config

no password (aaa

This command is used to clear the password of a user.

IAS User Config)

Format

no password

Mode aaa IAS User Config

The following shows an example of the command.

(CN1610) # (CN1610) #configure (CN1610) (Config)#aaa ias-user username client-1 (CN1610) (Config-aaa-ias-User)#password client123 (CN1610) (Config-aaa-ias-User)#no password

The following is an example of adding a MAB Client to the Internal user database.

(CN1610) #

Chapter 3: Management Commands 71

(CN1610) #configure (CN1610) (Config)#aaa ias-user username 1f3ccb1157 (CN1610) (Config-aaa-ias-User)#password 1f3ccb1157 (CN1610) (Config-aaa-ias-User)#exit (CN1610) (Config)#

enable password (Privileged EXEC)

Use the

enable password

configuration command to set a local password to

control access to the privileged EXEC mode.

Format

enable password [

password

[encrypted]]

Mode Privileged EXEC

Parameter Description

password Password string. Range: 8-64 characters.

encrypted Encrypted password you entered, copied from

another switch configuration. The encrypted password should be 128 characters long because the assumption is that this password is already encrypted with AES.

The following shows an example of the command.

(Switching) #enable password testtest

(Switching) #enable password e8d63677741431114f9e39a853a15e8fd35ad059e2e1b49816c243d7e08152b052 eafbf23b528d348cdba1b1b7ab91be842278e5e970dbfc62d16dcd13c0b864 encrypted

(Switching) #enable password

Enter old password:********

Enter new password:********

Confirm new password:********

72 User Account Commands

no enable password (Privileged EXEC)

passwords minlength

no passwords minlength

Use the

no enable password

Format

no enable password

command to remove the password requirement.

Mode Privileged EXEC

Use this command to enforce a minimum password length for local users. The value also applies to the enable password. The valid range is 8-64.

Default 8

Format

passwords min-length

8-64

Mode Global Config

Use this command to set the minimum password length to the default value.

Format

no passwords min-length

Mode Global Config

passwords history Use this command to set the number of previous passwords that shall be stored

for each user account. When a local user changes his or her password, the user will not be able to reuse any password stored in password history. This ensures

that users don’t reuse their passwords often. The valid range is 0-10.

Default 0

Format

passwords history

0-10

Mode Global Config

no passwords

Use this command to set the password history to the default value.

history

Format

no passwords history

Mode Global Config

Chapter 3: Management Commands 73

passwords aging Use this command to implement aging on passwords for local users. When a

user’s password expires, the user will be prompted to change it before logging in again. The valid range is 1-365. The default is 0, or no aging.

Default 0

Format

passwords aging

1-365

Mode Global Config

no passwords aging Use this command to set the password aging to the default value.

Format

no passwords aging

Mode Global Config

passwords lock-out Use this command to strengthen the security of the switch by locking user

accounts that have failed login due to wrong passwords. When a lockout count is configured, a user that is logged in must enter the correct password within that count. Otherwise the user will be locked out from further switch access. Only a user with Level 15 access can reactivate a locked user account. Password lockout does not apply to logins from the serial console. The valid range is 1-5. The default is 0, or no lockout count enforced.

Default 0

Format

passwords lock-out

1-5

Mode Global Config

no passwords lock-

Use this command to set the password lock-out count to the default value.

out

Format

no passwords lock-out

Mode Global Config

74 User Account Commands

passwords strength-check

no passwords strength-check

passwords strength maximum consecutivecharacters

Use this command to enable the password strength feature. It is used to verify the strength of a password during configuration.

Default Disable

Format

passwords strength-check

Mode Global Config

Use this command to set the password strength checking to the default value.

Format

no passwords strength-check

Mode Global Config

Use this command to set the maximum number of consecutive characters to be used in password strength. The valid range is 0-15. The default is 0. Minimum of 0 means no restriction on that set of characters.

Default 0

Format

passwords strength maximum consecutive-characters 0-15

Mode Global Config

passwords strength maximum repeatedcharacters

Use this command to set the maximum number of repeated characters to be used in password strength. The valid range is 0-15. The default is 0. Minimum of 0 means no restriction on that set of characters.

Default 0

Format

passwords strength maximum consecutive-characters 0-15

Mode Global Config

Chapter 3: Management Commands 75

passwords strength minimum uppercase-letters

no passwords strength minimum uppercase-letters

passwords strength minimum lowercase-letters

Use this command to enforce a minimum number of uppercase letters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0

means no restriction on that set of characters.

Default 2

Format

passwords strength minimum uppercase-letters

Mode Global Config

Use this command to reset the minimum uppercase letters required in a password to the default value.

Format

no passwords minimum uppercase-letter

Mode Global Config

Use this command to enforce a minimum number of lowercase letters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0

means no restriction on that set of characters.

Default 2

Format

passwords strength minimum lowercase-letters

Mode Global Config

no passwords strength minimum

Use this command to reset the minimum lower letters required in a password to the default value.

lowercase-letters

Format

no passwords minimum lowercase-letter

Mode Global Config

76 User Account Commands

passwords strength minimum numericcharacters

no passwords strength minimum numeric-characters

passwords strength minimum specialcharacters

Use this command to enforce a minimum number of numeric characters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0

means no restriction on that set of characters.

Default 2

Format

passwords strength minimum numeric-characters

Mode Global Config

Use this command to reset the minimum numeric characters required in a password to the default value.

Format

no passwords minimum numeric-characters

Mode Global Config

Use this command to enforce a minimum number of special characters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0

means no restriction on that set of characters.

Default 2

Format

passwords strength minimum special-characters

Mode Global Config

no passwords strength minimum

Use this command to reset the minimum special characters required in a password to the default value.

special-characters

Format

no passwords minimum special-characters

Mode Global Config

Chapter 3: Management Commands 77

passwords strength minimum character-classes

no passwords strength minimum character-classes

passwords strength exclude-keyword

Use this command to enforce a minimum number of characters classes that a password should contain. Character classes are uppercase letters, lowercase letters, numeric characters and special characters. The valid range is 0-4. The

default is 4.

Default 4

Format

passwords strength minimum character-classes

Mode Global Config

Use this command to reset the minimum number of character classes required in a password to the default value.

Format

no passwords minimum character-classes

Mode Global Config

Use this command to exclude the specified keyword while configuring the password. The password does not accept the keyword in any form (in between the string, case in-sensitive and reverse) as a substring. User can configure up to a

maximum of 3 keywords

Format

passwords strength exclude-keyword

keyword

Mode Global Config

no passwords strength exclude-

Use this command to reset the restriction for the specified keyword or all the keywords configured.

keyword

Format

no passwords exclude-keyword

[keyword]

Mode Global Config

show passwords

Use this command to display the configured password management settings.

configuration

Format

78 User Account Commands

show passwords configuration

Mode Privileged EXEC

Term Definition

Minimum Password Length

Minimum number of characters required when changing passwords.

Password History Number of passwords to store for reuse prevention.

Password Aging Length in days that a password is valid.

Lockout Attempts Number of failed password login attempts before

lockout.

Minimum Password Uppercase Letters

Minimum Password Lowercase Letters

Minimum Password Numeric Characters

Maximum Password Consecutive Characters

Maximum Password Repeated Characters

Minimum number of uppercase characters required when configuring passwords.

Minimum number of lowercase characters required when configuring passwords.

Minimum number of numeric characters required when configuring passwords.

Maximum number of consecutive characters required that the password should contain when configuring passwords.

Maximum number of repetition of characters that the password should contain when configuring passwords.

Minimum Password Character Classes

Minimum number of character classes (uppercase, lowercase, numeric and special) required when configuring passwords.

Password ExcludeKeywords

The set of keywords to be excluded from the configured password when strength checking is enabled.

show passwords

Use this command to display the last password set result information.

result

Format

Chapter 3: Management Commands 79

show passwords result

Mode Privileged EXEC

Term Definition

aaa ias-user username

Last User Whose Password Is Set

Password Strength Check

Last Password Set Result

Shows the name of the user with the most recently set password.

Shows whether password strength checking is enabled.

Shows whether the attempt to set a password was successful. If the attempt failed, the reason for the failure is included.

The Internal Authentication Server (IAS) database is a dedicated internal database used for local authentication of users for network access through the IEEE 802.1X feature.

Use the

aaa ias-user username

command in Global Config mode to add the specified user to the internal user database. This command also changes the mode to AAA User Config mode.

Format

aaa ias-user username user

Mode Global Config

no aaa ias-user

Use this command to remove the specified user from the internal user database.

username

Format

no aaa ias-user username user

Mode Global Config

The following shows an example of the command.

(CN1610) # (CN1610) #configure (CN1610) (Config)#aaa ias-user username client-1 (CN1610) (Config-aaa-ias-User)#exit (CN1610) (Config)#no aaa ias-user username client-1 (CN1610) (Config)#

80 User Account Commands

Note

aaa session-id Use this command in Global Config mode to specify if the same session-id is

used for Authentication, Authorization and Accounting service type within a session.

Default

Format

common

aaa session-id [common | unique]

Mode Global Config

Parameter Description

common Use the same session-id for all AAA Service types.

unique Use a unique session-id for all AAA Service types.

no aaa session-id Use this command in Global Config mode to reset the aaa session-id behavior to

the default.

Format

no aaa session-id [unique]

Mode Global Config

aaa accounting Use this command in Global Config mode to create an accounting method list for

user EXEC sessions, user-executed commands, or DOT1X. This list is identified by default or a user-specified list_name. Accounting records, when enabled for a line-mode, can be sent at both the beginning and at the end (start-stop) or only at the end (stop-only). If none is specified, then accounting is disabled for the specified list. If tacacs is specified as the accounting method, accounting records are notified to a TACACS+ server. If radius is the specified accounting method, accounting records are notified to a RADIUS server.

Note the following:

◆ A maximum of five Accounting Method lists can be created for each exec

and commands type.

◆ Only the default Accounting Method list can be created for DOT1X. There is

no provision to create more.

Chapter 3: Management Commands 81

The same list-name can be used for both exec and commands accounting

◆

type

◆ AAA Accounting for commands with RADIUS as the accounting method is

not supported.

◆ Start-stop or None are the only supported record types for DOT1X

accounting. Start-stop enables accounting and None disables accounting.

◆ RADIUS is the only accounting method type supported for DOT1X

accounting.

Format

aaa accounting {exec | commands | dot1x} {default | list_name} {start-stop | stop-only |none} method1 [method2…]

Mode Global Config

Parameter Description

exec Provides accounting for a user EXEC terminal

sessions.

commands Provides accounting for all user executed

commands.

dot1x Provides accounting for DOT1X user commands.

default The default list of methods for accounting services.

list-name Character string used to name the list of accounting

methods.

start-stop Sends a start accounting notice at the beginning of a

process and a stop accounting notice at the beginning of a process and a stop accounting notice at the end of a process.

stop-only Sends a stop accounting notice at the end of the

requested user process.

none Disables accounting services on this line.

method Use either TACACS or radius server for accounting

purposes.

82 User Account Commands

The following shows an example of the command.

(CN1610) # (CN1610) #configure (CN1610) #aaa accounting commands default stop-only tacacs (CN1610) #aaa accounting exec default start-stop radius (CN1610) #aaa accounting dot1x default start-stop radius (CN1610) #aaa accounting dot1x default none (CN1610) #exit

For the same set of accounting type and list name, the administrator can change the record type, or the methods list, without having to first delete the previous configuration.

(CN1610) # (CN1610) #configure (CN1610) #aaa accounting exec ExecList stop-only tacacs (CN1610) #aaa accounting exec ExecList start-stop tacacs (CN1610) #aaa accounting exec ExecList start-stop tacacs radius

The first aaa command creates a method list for exec sessions with the name ExecList, with record-type as stop-only and the method as TACACS+. The second command changes the record type to start-stop from stop-only for the same method list. The third command, for the same list changes the methods list to {tacacs,radius} from {tacacs}.

no aaa accounting This command deletes the accounting method list.

Format

no aaa accounting {exec | commands | dot1x} {default | list_name default}

Mode Global Config

The following shows an example of the command.

(CN1610) # (CN1610) #configure (CN1610) #aaa accounting commands userCmdAudit stop-only tacacs radius (CN1610) #no aaa accounting commands userCmdAudit (CN1610) #exit

password (AAA IAS User Configuration)

Use this command to specify a password for a user in the IAS database. An optional parameter encrypted is provided to indicate that the password given to the command is already preencrypted.

Chapter 3: Management Commands 83

no password (AAA IAS User Configuration)

Format

password password [encrypted]

Mode AAA IAS User Config

Parameter Definition

password Password for this level. Range: 8-64 characters

encrypted Encrypted password to be entered, copied from

another switch configuration.

Use this command to clear the password of a user.

Format

no password

Mode AAA IAS User Config

The following shows an example of the command.

(CN1610) # (CN1610) #configure (CN1610) (Config)#aaa ias-user username client-1 (CN1610) (Config-aaa-ias-User)#password client123 (CN1610) (Config-aaa-ias-User)#no password

The following is an example of adding a MAB Client to the Internal user database.

(CN1610) # (CN1610) #configure (CN1610) (Config)#aaa ias-user username 1f3ccb1157 (CN1610) (Config-aaa-ias-User)#password 1f3ccb1157 (CN1610) (Config-aaa-ias-User)#exit (CN1610) (Config)#

clear aaa ias-users Use this command to remove all users from the IAS database.

Format

clear aaa ias-users

Mode Privileged EXEC

84 User Account Commands

Parameter Definition

password Password for this level. Range: 8-64 characters

encrypted Encrypted password to be entered, copied from

another switch configuration.

The following is an example of the command.

(CN1610) # (CN1610) #clear aaa ias-users (CN1610) #

show aaa ias-users Use this command to display configured IAS users and their attributes.

Passwords configured are not shown in the show command output.

Format

show aaa ias-users [username]

Mode Privileged EXEC

The following is an example of the command.

(CN1610) # (CN1610) #show aaa ias-users

UserName

------------------- Client-1 Client-2

Following are the IAS configuration commands shown in the output of show running-config command. Passwords shown in the command output are always encrypted.

aaa ias-user username client-1 password a45c74fdf50a558a2b5cf05573cd633bac2c6c598d54497ad4c46104918f2c encrypted exit

accounting Use this command in Line Configuration mode to apply the accounting method

list to a line config (console/telnet/ssh).

Chapter 3: Management Commands 85

Format

accounting {exec | commands } {default | listname}

Mode Line Configuration

Parameter Description

exec Causes accounting for an EXEC session.

commands This causes accounting for each command execution

attempt. If a user is enabling accounting for exec mode for the current line-configuration type, the user will be logged out.

default The default Accounting List

listname Enter a string of not more than 15 characters.

The following is a example of the command.

(CN1610) # (CN1610) #configure (CN1610) (Config)#line telnet (CN1610)(Config-line)# accounting exec default (CN1610) #exit

no accounting Use this command to remove accounting from a Line Configuration mode.

Format

no accounting {exec|commands]

Mode Line Configuration

show accounting Use this command to display ordered methods for accounting lists.

Format

show accounting

Mode Privileged EXEC

The following shows example CLI display output for the command.

(CN1610) #show accounting

86 User Account Commands

Number of Accounting Notifications sent at beginning of an EXEC session: 0 Errors when sending Accounting Notifications beginning of an EXEC session: 0 Number of Accounting Notifications at end of an EXEC session: 0 Errors when sending Accounting Notifications at end of an EXEC session: 0 Number of Accounting Notifications sent at beginning of a command execution: 0 Errors when sending Accounting Notifications at beginning of a command execution: 0 Number of Accounting Notifications sent at end of a command execution: 0 Errors when sending Accounting Notifications at end of a command execution: 0

show accounting methods

clear accounting statistics

Use this command to display configured accounting method lists.

Format

show accounting methods

Mode Privileged EXEC

The following shows example CLI display output for the command.

(CN1610) # (CN1610) #show accounting methods

Acct Type Method Name Record Type Method Type

---------- ------------ ------------ -----------Exec dfltExecList start-stop TACACS Commands dfltCmdsList stop-only TACACS Commands UserCmdAudit start-stopTACACS DOT1X dfltDot1xList start-stopradius

Line EXEC Method List Command Method List

------- --------------------------------------Console dfltExecList dfltCmdsList Telnet dfltExecList dfltCmdsList SSH dfltExecList UserCmdAudit

This command clears the accounting statistics.

Chapter 3: Management Commands 87

Format

clear accounting statistics

Mode Privileged EXEC

show domain-name This command displays the configured domain-name.

Format

show domain-name

Mode Privileged EXEC

The following shows example CLI display output for the command.

(CN1610) # (CN1610) #show domain-name

Domain : Enable Domain-name :abc

88 User Account Commands

Note

SNMP Commands

This section describes the commands you use to configure Simple Network Management Protocol (SNMP) on the switch. You can configure the switch to act as an SNMP agent so that it can communicate with SNMP managers on your network.

snmp-server This command sets the name and the physical location of the switch, and the

organization responsible for the network. The parameters be up to 255 characters in length.

Default none

name, loc

and

con

can

snmp-server community

Format

snmp-server {sysname

con

}

name

| location

loc

| contact

Mode Global Config

To clear the snmp-server, enter an empty string in quotes. For example, snmpserver {sysname “ “} clears the system name.

This command adds (and names) a new SNMP community, and optionally sets the access mode, allowed IP address, and create a view for the community.

Community names in the SNMP Community Table must be unique. When making multiple entries using the same community name, the first entry is kept and processed and all duplicate entries are ignored.

Default Two communities are created by default:

◆ public, with read-only permissions, a view name of Default,

and allows access from all IP addresses

◆ private, with read/write permissions, a view name of Default,

and allows access from all IP addresses.

Format

Chapter 3: Management Commands 89

snmp-server community community-string [{ro | rw |su }] [ipaddress ip-address]

[view view-name]

Mode Global Config

Parameter Description

community-name A name associated with the switch and with a set of

SNMP managers that manage it with a specified privileged level. The length of

community-name

can

be up to 16 case-sensitive characters.

ro | rw | su The access mode of the SNMP community, which

can be public (Read-Only/RO), private (ReadWrite/RW), or Super User (SU).

ip-address The associated community SNMP packet sending

address and is used along with the client IP mask value to denote a range of IP addresses from which SNMP clients may use that community to access the device. A value of 0.0.0.0 allows access from any IP address. Otherwise, this value is ANDed with the mask to determine the range of allowed client IP addresses.

view-name The name of the view to create or update.

no snmp-server community

This command removes this community name from the table. The community name to be deleted.

Format

no snmp-server community

community-name

name

is the

Mode Global Config

snmp-server community-group

This command configures a community access string to permit access via the SNMPv1 and SNMPv2c protocols.

Format

snmp-server community-group community-string group-name [ipaddress ipaddress]

Mode Global Config

90 SNMP Commands

Note

Parameter Description

community-string The community which is created and then associated

with the group. The range is 1 to 20 characters.

group-name The name of the group that the community is

associated with. The range is 1 to 30 characters.

ipaddress Optionally, the IPv4 address that the community

may be accessed from.

snmp-server enable traps violation

no snmp-server enable traps violation

The Port MAC locking component interprets this command and configures violation action to send an SNMP trap with default trap frequency of 30 seconds. The Global command configures the trap violation mode across all interfaces valid for port-security. There is no global trap mode as such.

For other port security commands, see “Port Security Commands” on page 540.

Default disabled

Format

snmp-server enable traps violation

Mode ◆ Global Config

◆ Interface Config

This command disables the sending of new violation traps.

Format

no snmp-server enable traps violation

Mode Interface Config

snmp-server enable

This command enables the Authentication Flag.

traps

Default enabled

Format

Chapter 3: Management Commands 91

snmp-server enable traps

Note

Mode Global Config

no snmp-server enable traps

snmp trap linkstatus

no snmp trap linkstatus

This command disables the Authentication Flag.

Format

no snmp-server enable traps

Mode Global Config

This command enables link status traps on an interface or range of interfaces.

This command is valid only when the Link Up/Down Flag is enabled. See “snmp

trap link-status” on page 92

Format

snmp trap link-status

Mode Interface Config

This command disables link status traps by interface.

This command is valid only when the Link Up/Down Flag is enabled.

Format

no snmp trap link-status

Mode Interface Config

snmp trap link-

This command enables link status traps for all interfaces.

status all

This command is valid only when the Link Up/Down Flag is enabled. See “snmp

trap link-status” on page 92.

Format

snmp trap link-status all

Mode Global Config

92 SNMP Commands

Note

no snmp trap linkstatus all

snmp-server enable traps linkmode

no snmp-server enable traps linkmode

This command disables link status traps for all interfaces.

This command is valid only when the Link Up/Down Flag is enabled. See “snmp

trap link-status” on page 92.

Format

no snmp trap link-status all

Mode Global Config

This command enables Link Up/Down traps for the entire switch. When enabled, link traps are sent only if the Link Trap flag setting associated with the port is

enabled. See “snmp trap link-status” on page 92.

Default enabled

Format

snmp-server enable traps linkmode

Mode Global Config

This command disables Link Up/Down traps for the entire switch.

Format

no snmp-server enable traps linkmode

Mode Global Config

snmp-server enable traps multiusers

This command enables Multiple User traps. When the traps are enabled, a Multiple User Trap is sent when a user logs in to the terminal interface (EIA 232

or Telnet) and there is an existing terminal interface session.

Default enabled

Format

snmp-server enable traps multiusers

Mode Global Config

Chapter 3: Management Commands 93

no snmp-server enable traps multiusers

snmp-server enable traps stpmode

no snmp-server enable traps stpmode

This command disables Multiple User traps.

Format

no snmp-server enable traps multiusers

Mode Global Config

This command enables the sending of new root traps and topology change notification traps.

Default enabled

Format

snmp-server enable traps stpmode

Mode Global Config

This command disables the sending of new root traps and topology change notification traps.

Format

no snmp-server enable traps stpmode

Mode Global Config

snmp-server

This command configures the SNMP engine ID on the local device.

engineID local

Default The engineID is configured automatically, based on the device

MAC address.

Format

snmp-server engineID local {engineid-string|default}

Mode Global Config

Parameter Description

engineid-string A hexadecimal string identifying the engine-id, used

for localizing configuration. Engine-id must be an even length in the range of 6 to 32 hexadecimal characters.

94 SNMP Commands

CAUTION

Parameter Description

default Sets the engine-id to the default string, based on the

device MAC address.

Changing the engine-id will invalidate all SNMP configuration that exists on the box.

no snmp-server

This command removes the specified engine ID.

engineID local

Default The engineID is configured automatically, based on the device

MAC address.

Format

no snmp-server engineID local

Mode Global Config

snmp-server filter This command creates a filter entry for use in limiting which traps will be sent to

a host.

Default No filters are created by default.

Format

snmp-server filter filtername oid-tree {included|excluded}

Mode Global Config

Parameter Description

filtername The label for the filter being created. The range is 1

to 30 characters.

oid-tree The OID subtree to include or exclude from the

filter. Subtrees may be specified by numerical (1.3.6.2.4) or keywords (system), and asterisks may be used to specify a subtree family (1.3.*.4).

Chapter 3: Management Commands 95

Parameter Description

included The tree is included in the filter.

excluded The tree is excluded from the filter.

no snmp-server

This command removes the specified filter.

filter

Default No filters are created by default.

Format

snmp-server filter filtername [oid-tree]

Mode Global Config

snmp-server group This command creates an SNMP access group.

Default Generic groups are created for all versions and privileges using the

default views.

Format

snmp-server group group-name {v1 | v2c | v3 {noauth | auth | priv}} [context context-name] [read read-view] [write write-view] [notify notify-view]

Mode Global Config

Parameter Description

group-name The group name to be used when configuring

communities or users. The range is 1 to 30 characters.

v1 This group can only access via SNMPv1.

v2 This group can only access via SNMPv2c.

v3 This group can only access via SNMPv3.

noauth This group can be accessed only when not using

Authentication or Encryption. Applicable only if SNMPv3 is selected.

96 SNMP Commands

Parameter Description

auth This group can be accessed only when using

Authentication but not Encryption. Applicable only if SNMPv3 is selected.

priv This group can be accessed only when using both

Authentication and Encryption. Applicable only if SNMPv3 is selected.

context-name The SNMPv3 context used during access.

Applicable only if SNMPv3 is selected.

read-view The view this group will use during GET requests.

The range is 1 to 30 characters.

write-view The view this group will use during SET requests.

The range is 1 to 30 characters.

notify-view The view this group will use when sending out traps.

The range is 1 to 30 characters.

no snmp-server

This command removes the specified group.

group

Format

no snmp-server group group-name {v1|v2c| 3 {noauth|auth|priv}} [context context-name]

Mode Global Config

snmp-server host This command configures traps to be sent to the specified host.

Default No default hosts are configured.

Format

snmp-server host host-addr {informs [timeout seconds] [retries retries]|traps version {1 | 2c }} communitystring [udp-port port] [filter filter-name]

Mode Global Config

Chapter 3: Management Commands 97

NetApp CN1610 Reference Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Copyright information

Trademark information

About This Document

Introduction This document describes command-line interface (CLI) commands you use to

Audience This document is for system administrators who configure and operate systems

About FASTPATH Software

Scope FASTPATH software encompasses both hardware and software support. The

Product Concept Fast Ethernet and Gigabit Ethernet switching continues to evolve from high-end

Using the Command-Line Interface

About this chapter The command-line interface (CLI) is a text-based way to manage and monitor the

Topics in this chapter

Command Syntax

Command Conventions

Common Parameter Values

Interface Naming Convention

Using the no Form of a Command

CN1610 Software Modules

Command Modes

Command Completion and Abbreviation

CLI Error Messages

CLI Line-Editing Conventions

Using CLI Help

Accessing the CLI

enable (Privileged EXEC access)

do (Privileged EXEC commands)

serviceport ip This command sets the IP address, the netmask and the gateway of the network

serviceport protocol

serviceport protocol dhcp

network parms This command sets the IP address, subnet mask and gateway of the device. The

network protocol This command specifies the network configuration protocol to be used. If you

network protocol dhcp

network mac-address

network mac-type This command specifies whether the switch uses the burned in MAC address or

no network mac-type

show network

show serviceport

configure

line This command gives you access to the Line Console mode, which allows you to

serial baudrate This command specifies the communication rate of the terminal interface. The

no serial baudrate

serial timeout

no serial timeout

show serial

ip telnet server enable

no ip telnet server enable

telnet This command establishes a new outbound Telnet connection to a remote host.

transport input telnet

no transport input telnet

transport output telnet

no transport output telnet

session-limit

no session-limit

session-timeout

no session-timeout

telnetcon maxsessions

no telnetcon maxsessions

telnetcon timeout

no telnetcon timeout

show telnet

show telnetcon

ip ssh

ip ssh protocol This command is used to set or remove protocol levels (or versions) for SSH.

ip ssh server enable

no ip ssh server enable

sshcon maxsessions

no sshcon maxsessions

sshcon timeout

no sshcon timeout This command sets the SSH connection session timeout value, in minutes, to the

show ip ssh

crypto key generate rsa

no crypto key generate rsa

crypto key generate dsa

no crypto key generate dsa

disconnect command to close Telnet or SSH sessions. Use all to close

linuxsh

show loginsession