End of Support

Setting the PTP Priority

To set the priority 1 value, use the ptp priority1 command. Lower values take precedence.

This command configures the priority 1 value of 120 to use when advertising the clock.

switch(config)# ptp priority1 120
switch(config)#

To set the priority 2 value for the clock, use the ptp priority2 command.

This command configures the priority 2 value of 128.

switch(config)# ptp priority2 128
switch(config)#

Configuring the Source IP

To set the source IP address for all PTP packets, use the ptp source command.

Example

This command configures the source IP address of 10.0.2.1 for all PTP packets.

switch(config)# ptp source ip 10.0.2.1
switch(config)#

This command configures the source IP address of 2001:db8:ac10:fe01:: for all PTP packets.

switch(config)# ptp source ip 2001:db8:ac10:fe01::
switch(config)#

Aboot Shell

The Aboot shell is an interactive command-line interface used to manually boot a switch, restore the internal flash to its factory-default state, run hardware diagnostics, and manage files. The Aboot shell resembles the Linux Bourne Again Shell (Bash).

The Aboot shell provides commands for restoring the state of the internal flash to factory defaults or a customized default state. You can select these recovery methods to:

Restore the factory-default flash contents before transferring the switch to another owner.
Restore Aboot shell access if the Aboot password is lost or forgotten.
Restore console access ifthe baud rate or other settings are incompatible with the terminal.
Replace the internal flash contents with configuration or image files stored on a USB flash drive.

Aboot Shell Operation

When the switch is powered on or rebooted, Aboot reads its configuration from boot-config on the internal flash and attempts to boot a configured EOS software image (with the extension .swi).

You can monitor the automatic boot process or enter the Aboot shell only from the console port. You can connect a PC or terminal directly to the port and run a terminal emulator to interact with the serial port or access it through a serial concentrator device.

The boot-config stores the console settings; the factory-default settings for Arista switches are 9600 baud, no parity, 8 character bits, and 1 stop bit. If you do not know the current settings, perform a full flash recovery to restore the factory default settings.When the console port is connected and the configured terminal settings are proper, the terminal displays a message similar to the following a few seconds after powering up the switch:

Aboot 1.0.0

Press Control-C now to enter the Aboot shell

To abort the automatic boot process and enter the Aboot shell, select Ctrl-C (ASCII 3 in the terminal emulator) after the Press Control-C now to enter Aboot shell message appears. Pressing Ctrl-C can interrupt the boot process up through the starting of the new kernel.

If the boot-config file does not contain a password command, the Aboot shell starts immediately. Otherwise, you must enter the password using the password prompt to start the shell. If you enter the wrong password three times, Aboot displays this message:

Type "fullrecover" and press Enter to revert /mnt/flash to factory default 

state, or just press Enter to reboot:

Selecting Enter continues a normal soft reset without entering the Aboot shell.
Typing fullrecover and pressing Enter performs a full flash recovery to restore the factory-default settings, removing all previous flash drive contents.

The Aboot shell starts by printing:

Welcome to Aboot.

Aboot then displays the Aboot# prompt.

Aboot reads its configuration from boot-config on the internal flash.

Accessing the Aboot Shell

This procedure accesses the Aboot Shell.

Reload the switch and select enter or type y when prompted, as described in the Typical Reset Sequence.
The command line displays this Aboot entry prompt.
```
Press Control-C now to enter Aboot shell
```
Type Ctrl-C.
If the boot-config file does not contain a PASSWORD command, the CLI displays an Aboot welcome banner and prompt.
```
^C Welcome to Aboot.
Aboot#
```
The CLI displays a password prompt if the boot-config file contains a PASSWORD command. In this case, proceed to Step 3. Otherwise, the CLI displays the Aboot prompt.
If prompted, enter the Aboot password.
```
Press Control-C now to enter Aboot shell 
 ^CAboot password: 
Welcome to Aboot. 
Aboot#
```
Aboot allows three attempts to enter the correct password. After the third attempt, the CLI prompts the user to continue the reboot process without entering the Aboot shell or restoring the flash drive to the factory default state.
```
Press Control-C now to enter Aboot shell 
^CAboot password: 
incorrect password 
Aboot password: 
incorrect password 
Aboot password: 
incorrect password 
Type "fullrecover" and press Enter to revert /mnt/flash to factory default 
state, or just press Enter to reboot: fullrecover 
All data on /mnt/flash will be erased; type "yes" and press Enter to proceed, 
or just press Enter to cancel:
```
The fullrecover operation replaces the flash contents with a factory default configuration. The CLI displays text similar to the following when performing a fullrecover, finishing with another entry option in the Aboot shell.
Note: For hardware purchased after June 2017, the factory default partition will not have the backup EOS software image. It increases the flash size on smaller flash size disks, and other options are available in the fullrecover command functionality to restore the factory default EOS image applicable to both fixed system and modular system hardware.
```
Erasing /mnt/flash
Writing recovery data to /mnt/flash
boot-config
startup-config
EOS.swi
210770 blocks
Restarting system.


Aboot 1.9.0-52504.EOS2.0


Press Control-C now to enter Aboot shell
```

Aboot File Structure

When you enter the Aboot CLI, the current working directory is the root directory on the switch. Switch image and configuration files are at /mnt/flash. When exiting the Aboot shell, only /mnt/flash preserves the contents. The /mnt directory contains the file systems of storage devices. Aboot mounts the internal flash device at /mnt/flash.

When you insert a USB flash drive in one of the flash ports, Aboot mounts its file system on /mnt/usb1. The file system is unmounted when you remove the USB flash drive from the port. Most USB drives contain an LED that flashes when the system is accessing it; wait to remove the drive from the flash port until the LED stops flashing.

Booting From the Aboot Shell

Aboot boots the EOS software image (with the extension .swi), which is available in boot-config automatically if you take no action during the boot process. Suppose the boot process fails for any reason, such as an incorrectly configured software image. In that case, Aboot enters the shell, allowing you to manually correct the configuration or boot a software image. The boot command loads and boots an EOS software image file.

The boot command syntax is

boot SWI

where SWI lists the location of the EOS image that the command loads. SWI options include:

device:path loads the image file from the specified storage device. The default device value is flash; other values include file and usb1.
/PATH loads the image file from the specified path in the switch directory.
http://server/path loads the image file from the HTTP server on the host server.
ftp://server/path loads the image file from the FTP server on the host server.
tftp://server/path loads the image file from the TFTP server on the host server.
nfs://server/path mounts the path’s parent directory from the host server and loads the image file from the loaded directory.

It accepts the same commands as the SWI variable in the boot-config file. See boot-config Command Line Content for a list of boot command formats.

Suppose the boot-config does not have a specified image or booting the image results in an error condition (for example, an incorrect path or unavailable HTTP server). In that case, Aboot halts the boot process and drops into the shell.

Example

To boot EOS.swi from internal flash, enter one of these commands on the Aboot command line:

boot flash:EOS.swi

boot /mnt/flash/EOS.swi

Secure Booting from Aboot

Secure boot provides a security feature in Aboot, Arista bootloader, that verifies the cryptographic signature of the EOS software image before booting up the switch. Aboot embeds certificates that allow it to recognize and validate official EOS releases from Arista. If a successful signature verification occurs, the secure boot check passes and Aboot proceeds to boot the software image. If the signature verification fails, the switch aborts booting the software.

In addition to the verification of Arista signed images, secure boot can also validate images using a user-configured root certificate. This mechanism allows you to sign your SWI images and have them recognized by secure boot. It is also possible to configure secure boot to only accept SWI images signed by the user certificate.

Secure boot prevents and detects unauthorized modifications to the software image by anyone with access to EOS. To provide this guarantee, it must not be possible for anyone, including a system administrator, to disable any of the secure boot configuration or firmware components from EOS. That includes disabling secure boot, changing the certificates used to validate the software image signature, or unauthorized modifications to the BIOS or Aboot firmware.

Two main components store the firmware and secure boot configuration:

The BIOS SPI flash
The Trusted Platform Module (TPM) Nonvolatile Random Access Memory (NVRAM)

When properly configured with secure boot enabled, EOS locks both hardware components before running the software image. This ensures that no component of secure boot can be tampered with from EOS.

The switch embeds the bootloader Aboot in the BIOS firmware and stores the complete firmware image, BIOS plus Aboot, in the BIOS SPI flash. The flash also stores certificates used by secure boot to validate the image signature. Configure the BIOS SPI flash as write-protected by Aboot to prevent unauthorized modifications to the BIOS, Aboot, or secure boot certificates from EOS.

The TPM NVRAM stores critical configuration parameters for secure boot. The NVRAM indexes that store secure boot data in the TPM can only be overwritten by using the highest level of privilege on the TPM. Aboot unconditionally locks the highest level of privilege on the TPM prior to transferring execution to EOS, and ensures that NVRAM sections storing the secure boot level configuration cannot undergo modification.

Use the following commands to enable, disable, or display secure boot:

Aboot# securebootctl secureboot -enable
Aboot# securebootctl secureboot -display
Secure Boot enabled

Aboot# securebootctl secureboot -disable
Aboot# securebootctl secureboot -display
Secure Boot disabled

Use the following command to add a certificate path, /mnt/flash/user-test.crt, for secure boot:

Aboot# secureboot cert -add /mnt/flash/user-test.crt
Added the following user certificate:
DC=com, DC=test, CN=User Test Cert

Use the following command to display certificate information:

Aboot# securebootctl cert -display
Arista: DC=com, DC=mycompany, CN=MyCompany Issuing Cert Authority

Use the following commands to configure Arista Certificates to verify software images:

Aboot# securebootctl aristacert -enable
Aboot# securebootctl aristacert -display
Arista certificate used
Aboot# securebootctl cert -display
Arista: DC=com, DC=aristanetworks, CN=AristaIT-ICA ECDSA Issuing Cert Authority

Use the following command to disable Arista certificates for secure boot:

Aboot# securebootctl aristacert -disable
Aboot# securebootctl aristacert -display
Arista certificate ignored
Aboot# securebootctl cert -display
Arista: ignored
User: No certificate is configured

If you enable secure boot, disable Arista certificates, and no user certificate configured, the switch does not boot because it cannot find a valid certificate to verify the software image. The following message displays on the switch:

=== WARNING ===
Invalid configuration detected:
- Arista certificate ignored
- no user certificate inserted
- Secure Boot is enabled
            
Boot is not going to be allowed until one of those is addressed.
            
Please insert a user certificate, enable the Arista certificate or disable Secure Boot to proceed to EOS.

Using an Aboot Password

Secure boot compatible Aboot images support storing an Aboot password in the TPM as a more secure option than storing the password in /mnt/flash. You can only configure the password in the Aboot mode. Once you set the password, EOS can no longer set the Aboot password.

Use the following command to display the Aboot password status:

Aboot# securebootctl abootpassword -display
Password status: disabled

EOS disables the password by default.

Use the following commands to enable the password, and then display password information:

Aboot# securebootctl abootpassword -enable
Enter password:
Confirm password:
Aboot# securebootctl abootpassword -display
Password status: enabled
Password value: $6$poC4fj2Bk4aAPKga$hOl92bbCeyU9UM3sv3hfesRamMaQwLH5Yi01LhW/hw2BtNyQ8UmvhreMFSrDoQ6ji9WB1l5e/.KDWhtP4zMLW0

Displaying Boot Information

The show boot command displays the following information on platforms that support secure boot:

switch# show boot
Software image: flash:/EOS.swi
Console speed: (not set)
Aboot password (encrypted): (not set)
Memory test iterations: (not set)

Secure boot: enabled
SPI flash protection: enabled
Password storage: tpm
Arista certificate: enabled
Extra certificate:
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAMoGOI8anKHzMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNV
[ … ]
LTwkN1KGUMiP8OWtooCNmqW+pdp/VGexIV/e0Xj8wGoffSczfY1XAAsD4PsbWnQ9
kn5CQrzU3DSoeWkQbK24an+EAqEX4ZUl5WDi7de5pzt343lfUXZB9Gd1BA==
-----END CERTIFICATE-----

Measured Boot

Measured boot provides a tamper-detection mechanism that records the system boot process. It calculates the cryptographic hashes of system components and configurations, and then securely stores them in the Platform Configuration Registers PCRs) of a Trusted Platform Module (TPM) chip. This process creates a hash chain of the boot sequence. After the system starts, the TPM Quote operation, along with the extension records, verify the PCR values and confirms that the system components haven't changed and has trusted software.

Measured boot differs based on the version of TPM installed on the system. Use the following commands to determine the TPM version:

switch# show management security
[...]
Security Chip: IFX SLB9670 TPM 1.2 (6.43.243.0)
[...]

The output displays TPM Version 1.2.

switch# show management security
[...]
STM ST33TPHF2X TPM 2.0 (1.512))
[...]

Enabling or Disabling Measured Boot

EOS stores the Secure Boot configuration, including the measured boot configuration, in the TPM NVRAM. The NVRAM indexes storing the secure boot data can only be configured as writable with the highest privilege level on the TPM, platform authorization for TPM 2.0 or physical presence for TPM 1.2.

Aboot unconditionally locks the highest level of privilege on the TPM before transferring execution to EOS. You can only configure measured boot in Aboot mode.

Use the following command to enable measured boot:

Aboot# securebootctl measuredboot -enable
Aboot# securebootctl measuredboot - display
Measure Boot enabled

Use the following commands to disable measured boot and display the measured boot status:

Aboot# securebootctl measuredboot -disable
Aboot# securebootctl measuredboot - display
Measure Boot disabled

Note: You cannot disable measured boot from EOS. It must be disabled in Aboot mode.

Displaying Measured Boot Status

Use the following command to display measured boot status:

switch#  show boot
[...]
Measured boot: enabled
[...]

Aboot Commands

To list the contents of the internal flash, enter ls /mnt/flash at the Aboot# prompt.

Example

Aboot# ls /mnt/flash
EOS.swi boot-config startup-config

Commonly used commands include:

ls prints a list of the files in the current working directory.
cd changes the current working directory.
cp copies a file.
more prints the contents of a file one page at a time.
vi edits a text file.
boot boots a software image file.
swiinfo prints information about a software image.
recover recovers the factory-default configuration.
reboot reboots the switch.
udhcpc configures a network interface automatically via DHCP.
ifconfig prints or alters network interface settings.
wget downloads a file from an HTTP or FTP server.
showtech prints device hardware information.

Aboot can access networks through the Ethernet management ports. Aboot provides network interfaces mgmt1 and mgmt2 unconfigured by default; you can configure management port settings using Aboot shell commands like ifconfig and udhcpc. After configuring a management interface, use wget to transfer files from an HTTP or FTP server, tftp to transfer files from a TFTP server, or mount to mount an NFS filesystem.

Aboot Configuration Commands

This section describes the Aboot configuration commands that a boot-config file can contain.

CONSOLESPEED
NET commands

CONSOLESPEED

The CONSOLESPEED command in the boot-config file specifies the console baud rate when the switch is booted. The connected terminal must match the specified rate to communicate with the switch. Baud rate options include 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200.

The default baud rate is 9600.

Command Syntax

CONSOLESPEED= baud_rate

Parameters

baud_rate specifies the console speed. Values include 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200.

Example

This command in a boot-config file sets the baud rate to 2400 when the switch boots.

CONSOLESPEED=2400

NET Commands

Aboot uses NET commands in the boot-config file during switch booting to configure the network interface used for switch configuration. You can enter these commands manually in Aboot.

NETDEV indicates the configured network interface. If boot-config does not contain a NETDEV command, the booting process does not attempt to configure a network interface. Other NET commands specify settings that Aboot uses to configure the interface.

Command Syntax

NETDEV=device_interface

NETAUTO=auto_setting

NETIP=interface_address

NETMASK=interface_mask

NETGW=gateway_address

NETDOMAIN=domain_name

NETDNS=dns_address

Parameters

device_interface the network interface. Options include:
- ma1 management port 1.
- ma2 management port 2.
auto_setting the configuration method. Options include:
- dhcp interface is configured through a DHCP server; other NET commands are not.
- If the NETAUTO command is omitted, the interface configures with other NET commands.
interface_address interface IP address, in dotted-decimal notation.
interface_mask interface subnet mask, in dotted-decimal notation.
gateway_address default gateway IP address, in dotted decimal notation.
domain_name interface domain name.
dns_address IP address of the Domain Name Server, in dotted decimal notation.

Examples

This command specifies management port 1 as the network interface configured for management traffic.
```
NETDEV=ma1
```
This command instructs the switch to configure the network interface through a DHCP server, ignoring other NET commands.
```
NETAUTO=dhcp
```

These NET commands configure the network interface.

NETIP=10.12.15.10
NETMASK=255.255.255.0
NETGW=10.12.15.24
NETDOMAIN=mycompany.com
NETDNS=10.12.15.13

install bios source

install bios source command is used to install an Aboot Update File (AUF) to upgrade Aboot firmware.

install bios source indicates the location of the source file and the actions taken.

Command Syntax

install bios source SOURCE [active | standby] [reload | now]

Parameters

SOURCE the file location.

Examples

This command installs an AUF file update.auf stored in /mnt/flash.
```
switch# install bios source flash:/update.auf
```
Note: Follow the prompts after executing the command during the installation process.
This command performs a reboot directly after installation.
```
switch# install bios source flash:/update.auf reload
```
This command skips the prompts and performs the reboot automatically after installation.
```
switch# install bios source flash:/update.auf now
```
This command performs the installation only on the standby supervisor.
```
switch# install bios source flash:/update.auf standby
```
Note: By default, the active supervisor gets upgraded, followed by the standby where applicable.

PASSWORD (ABOOT)

PASSWORD specifies the Aboot password, as described in Accessing the Aboot Shell. The Aboot shell does not require a password when boot-config does not contain a PASSWORD command.

The boot-config file stores the password as an MD5-encrypted string generated from a clear-text seed by the UNIX password program or the crypt library function. When entering the Aboot password, the user types the clear-text seed.

There is no method of recovering the password from the encrypted string. If the clear-text password is lost, delete the corresponding PASSWORD command line from the boot-config file.

Note:

The EOS boot secret command adds or modifies the PASSWORD configuration line.

Command Syntax

PASSWORD = encrypted_string

Parameters

encrypted_string, the encrypted string that corresponds to the clear-text Aboot password.

Example

This line is a PASSWORD command example in which the encrypted string corresponds to the clear-text password abcde.

PASSWORD=$1$CdWp5wfe$pzNtE3ujBoFEL8vjcq7jo/

SWI

SWI specifies the location and file name of the EOS image file that Aboot loads when booting, using the same format as boot-config to designate a local or network path.

Command Syntax

SWI = SWI_PATH

Parameters

SWI_PATH specifies the location of the EOS image file. Options include:

file_path specifies a file location on the internal flash drive.
file:file_path specifies a file location in the switch directory.
usb1:file_path specifies a file location on the USB drive.
http:file_path specifies an HTTP path to the image file.
ftp:file_path specifies an FTP path to the image file.
tftp:file_path specifies a TFTP path to the image file.
nfs:file_path specifies an NFS path to the image file.

Examples

This SWI command in boot-config causes Aboot to boot the switch from the file EOS.swi on the switch’s internal flash drive.
```
SWI=flash:EOS.swi
```
This SWI command in boot-config causes Aboot to boot the switch from the file EOS.swi at the specified location on foo.com.
```
SWI=http://foo.com/images/EOS.swi
```

Switch Booting Commands

boot console
boot secret
boot system
delete startup-config
protocol
redundancy
redundancy manual switchover
reload
reload (scheduled)
show platform bios
show redundancy file-replication
show redundancy status
show redundancy switchover sso
show reload
show reload cause
show reload fast-boot

boot console

The boot console command configures terminal settings for serial devices connecting to the console port. The only console setting specified from boot-config is speed.

The factory-default console settings are 9600 baud, no parity, 8 character bits, and 1 stop bit. If you do not know the current settings, restore the factory default settings described in Restoring the Factory Default EOS Image and Startup Configuration.

The no boot console and default boot console commands restore the factory default settings on the switch and remove the corresponding CONSOLESPEED command from the boot-config file.

Command Mode

Global Configuration

Command Syntax

boot console speed baud_rate

Parameters

baud_rate console baud rate. Options include 1200, 2400, 4800, 9600, 19200, 38400, 57600, and 115200.

Examples

This command sets the console speed to 57600 baud.

switch(config)# boot console speed 57600
switch(config)#

This command displays the result of the console speed change.

switch(config)# show boot-config
Software image: flash:/EOS.swi
Console speed: 57600
Aboot password (encrypted): (not set)
switch(config)#

The above boot console command adds the following line to boot-config.
```
CONSOLESPEED=57600
```

boot secret

The boot secret command creates or edits the Aboot shell password and stores the encrypted string in the PASSWORD command line of the boot-config file.

The no boot secret and default boot secret commands remove the Aboot password from the boot-config file. When the Aboot password does not exist, no password is required to enter the Aboot shell.

Command Mode

Global Configuration

Command Syntax

boot secret [ENCRYPT_TYPE] password

no boot secret

default boot secret

Parameters

ENCRYPT_TYPE indicates the encryption level of the password parameter. Settings include:
- no parameter and the password is clear text.
- 0 the password is clear text. Equivalent to the no parameter case.
- 5 the password is an MD5-encrypted string.
- sha512, the password is entered as a sha512 encrypted string.
password specifies the boot password.
- password must be in clear text if ENCRYPT_TYPE specifies clear text.
- password must be an appropriately encrypted string if ENCRYPT_TYPE specifies encryption.

Restrictions

The sha512 encryption option is not available on Trident platform switches.

Examples

These equivalent commands set the Aboot password to xr19v.

switch(config)# boot secret xr19v
switch(config)#

switch(config)# boot secret 0 xr19v
switch(config)#

This command displays the result:

switch(config)# show boot-config
Software image: flash:/EOS.swi
Console speed: (not set)
Aboot password (encrypted): $1$k9YHFW8D$cgM8DSN.e/yY0p3k3RUvk.
switch(config)#

The boot secret commands earlier add this line to boot-config:

PASSWORD=$1$k9YHFW8D$cgM8DSN.e/yY0p3k3RUvk.

The user must enter xr19v at the login prompt to access the Aboot shell.

These commands set the Aboot password to xr123 and display the resulting boot-config code. In the past, the encrypted string uses xr123 as the clear-text seed.
```
switch(config)# boot secret 5 $1$QfbYkVWb$PIXG0udEquW0wOSiZBN3D/
switch(config)# show boot-config
Software image: flash:/EOS.swi
Console speed: (not set)
Aboot password (encrypted): $1$QfbYkVWb$PIXG0udEquW0wOSiZBN3D/
switch(config)#
```
The boot secret command above adds this line to boot-config:
```
PASSWORD=$1$QfbYkVWb$PIXG0udEquW0wOSiZBN3D/
```
The user must enter xr123 at the login prompt to access the Aboot shell.
This command removes the Aboot password, allowing access to the Aboot shell without a password.
```
switch(config)# no boot secret
switch(config)#
```

boot system

The boot system command specifies the location of the EOS software image that Aboot loads when the switch boots. The command can refer to files on Flash or a module in the USB flash port.

Command Mode

Global Configuration

Command Syntax

boot system device file_path

Parameters

device - Location of the image file. Options include:
- file: - File is located in the switch file directory.
- flash: - File is located in flash memory.
- usb1: - File is located on a drive inserted in the USB flash port. Available if you have a USB flash drive in the port.
- file_path path and name of the file.

Examples

This command designates EOS1.swi, on USB flash memory, as the EOS software image load file.
```
switch(config)# boot system usb1:EOS1.swi
switch(config)#
```
The boot system command earlier adds this line to boot-config.
SWI=usb1:/EOS1.swi
This command designates EOS1.swi, on the switch flash, as the EOS software image load file.
```
switch(config)# boot system flash:EOS.swi
switch(config)#
```
The boot system command earlier adds this line to boot-config:
```
s
```

delete startup-config

The delete startup-config command erases or deletes the startup-config file.

Command Mode

Privileged EXEC

Command Syntax

delete startup-config [CONFIRMATION]

Parameters

CONFIRMATION confirmation for immediate erasure. Options include:

no parameter the switch requires a confirmation before starting the erasure.
now the erasure begins immediately without prompting the user to confirm the request.

Examples

This command deletes the startup configuration from the switch. When the delete startup-config command is entered, the switch sends a message prompting the user to confirm the request.
```
switch# delete startup-config
Proceed with erasing startup configuration? [confirm] y
switch#
```
This command deletes the startup configuration from the switch immediately without prompting.
```
switch# delete startup-config now
switch#
```

protocol

The protocol command configures how the supervisors on a modular switch will handle switchover events. By default, the switch is set to route processor redundancy (RPR), which synchronizes startup-config files between the supervisor modules and partially boots the standby supervisor. You can set the mode to simplex (manual switchover only) or to stateful switchover (SSO), which synchronizes both startup-config and running-config files between the supervisor modules, fully boots the standby module to speed the switchover process, and minimizes packet loss. SSO synchronizes the L2 state between the supervisors, but the L3 state is not synchronized. This can result in traffic loss for traffic forwarded on routes learned by a dynamic routing protocol. Enabling nonstop forwarding can eliminate most packet loss for BGP and OSPF.

The no protocol and default protocol commands set the redundancy protocol to the default value (rpr) by removing the protocol command from running-config.

Command Mode

Redundancy Configuration

Command Syntax

protocol {rpr | simplex | sso}

no protocol

default protocol

Parameters

rpr route processor redundancy protocol (RPR, the default).
simplex no redundancy. Switchover must be initiated manually.
sso stateful switchover (SSO).

Related Commands

redundancy places switch in redundancy configuration mode.

Example

These commands enter redundancy configuration mode and set the redundancy protocol to SSO.

switch(config)# redundancy
switch(config-redundancy)# protocol sso
switch(config-redundancy)#

redundancy

The redundancy command places the switch in redundancy configuration mode.

Command Mode

Global Configuration

Command Syntax

redundancy

Commands Available in Redundancy Configuration Mode

protocol

Related Commands

redundancy manual switchover manually initiates a switchover.

Example

These commands enter redundancy configuration mode and set the redundancy protocol to stateful switchover.

switch(config)# redundancy
switch(config-redundancy)# protocol sso
switch(config-redundancy)#

redundancy manual switchover

The redundancy manual switchover command immediately switches control of the switch to the standby supervisor. If the redundancy mode is set to simplex or the standby supervisor is unavailable for any other reason, this command will not function.

Command Mode

Privileged EXEC

Command Syntax

redundancy manual switchover

Related Command

redundancy places the switch in redundancy configuration mode.

Example

This command forces a switchover to the standby supervisor. The switchover is executed immediately without further confirmation from the user.

switch# redundancy manual switchover
This supervisor will be restarted.
switch#

reload

The reload command power cycles the switch and resets it under Aboot control. The hard reset clears the switch, including memory states and other hardware logic.

Note: The reload fast-boot and reload hitless commands initiate Smart System Upgrade (SSU); for a description of this feature and the appropriate command syntax, refer to the Smart System Upgrade (Leaf SSU) section.

The command behaves differently in fixed and modular systems.

Fixed 1-RU systems: the power supply remains powered up through the reset. All other switch components lose power for two to five seconds.
Modular systems: the power supply on the active supervisor remains powered up through the reset. xAll other supervisor components lose power for at least one second. After the supervisor becomes functional, it manages the power-cycling of all line cards.

Command Mode

Privileged EXEC

Command Syntax

reload [TARGET] [CONFIRMATION]

Parameters

TARGET specifies which supervisor(s) to reset. Some options are available only on dual-supervisor switches. Options include:
- no parameter the active supervisor is reset.
- all supervisors are reset.
- peer the peer supervisor is reset.
- power the active supervisor is reset.
CONFIRMATION confirmation for immediate reset. Options include:
- no parameter the switch requires a confirmation before starting the reset.
- now the reset begins immediately without prompting the user to confirm the request.

Related Commands

reload (scheduled) schedules a pending reload operation.
show reload cause displays cause of most recent reload.

Examples

Begin the reboot process by typing the reload command:
```
switch# reload
switch#
```
When the reload command is entered, the switch sends a message prompting the user to save the configuration if it contains unsaved modifications, then asks the user to confirm the reload request. In this example, the user does not save modifications to the system before reloading.
```
System configuration has been modified. Save? [yes/no/cancel/diff]:n
Proceed with reload? [confirm]y
```
The switch responds by broadcasting messages, including a notification about the system rebooted to all open CLI instances. The reload pauses to provide an option for the user to enter Aboot shell; the Aboot shell supports commands that restore the state of the internal flash to factory defaults or create a customized default state.
```
Broadcast message from root@mainStopping sshd: [  OK  ]
SysRq : Remount R/O
Restarting system

Aboot 1.9.0-52504.EOS2.0

Press Control-C now to enter Aboot shell
```

No action is required to continue the reset process. The switch displays messages to indicate the completion of individual tasks. The reboot is complete when the CLI displays a login prompt.

Booting flash:/EOS.swi
Unpacking new kernel
Starting new kernel
Switching to rooWelcome to Arista Networks EOS 4.4.0
Mounting filesystems:  [  OK  ]
Entering non-interactive startup
Starting EOS initialization stage 1: [  OK  ]
ip6tables: Applying firewall rules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Loading additional modules: nf_conntrack_tftp [  OK  ]
Starting system logger: [  OK  ]
Starting system message bus: [  OK  ]
Starting NorCal initialization: [  OK  ]
Starting EOS initialization stage 2: [  OK  ]
Starting ProcMgr: [  OK  ]
Completing EOS initialization: [  OK  ]
Starting Power On Self Test (POST): [  OK  ]
Generating SSH2 RSA host key: [  OK  ]
Starting isshd: [  OK  ]
Starting sshd: [  OK  ]
Starting xinetd: [  OK  ]
[  OK  ] crond: [  OK  ]

switch login:

reload (scheduled)

The reload (scheduled) command configures the switch to reset at a specified time or after a specified interval. Refer to reload for the functional details of the reset operation.

The switch prompts to save the configuration and confirm the reload request. Once the request is confirmed, the switch resumes normal operation until the reload initiates.

The reload cancel, no reload, and default reload commands cancel the pending reload operation.

Command Mode

Privileged EXEC

Command Syntax

reload [all | power | peer] {at hh:mm [month | day] | in hh:mm} [force | reason]

reload cancel

no reload

default reload

Parameters

All reloads all supervisors.
Power resets the active supervisor.
Peer resets the peer supervisor.
At performs reload at specified times.
- hh:mm specifies reload time in hours (0 to 23) and minutes (0 to 59). If no month and day are specified, reload occurs at the specified time on the day the command is issued.
  - Month optionally specifies the month of the year (Jan, Feb, etc.)
    - Day day of the month. Values range from 1 to 31.
In performs the reload after a specified delay.
- hh:mm specifies delay before reload in hours (0 to 23) and minutes (0 to 59).
Force performs action immediately without prompting.
Reason enter text to display explaining the purpose of the reload.
Cancel cancels any existing reload request.

Related Commands

reload initiates an immediate reload operation.
show reload displays time and reason of any pending reload operation.

Examples

This command schedules a switch reset to begin in 12 hours.

switch# reload in 12:00
System configuration has been modified. Save? [yes/no/cancel/diff]:y
Proceed with reload? [confirm]
Reload scheduled for Tue Mar 27 05:57:25 2012 (in 11 hours 59 minutes)
switch#

This command cancels a scheduled reset.

switch# no reload
Scheduled reload has been cancelled
switch#

This command schedules a reload of the active supervisor to begin in 12 hours.

switch# reload power in 12:00
Reload scheduled for Thu Feb 13 18:56:01 2020 (in 11 hours 59 minutes)
switch#

securebootctl

The securebootctl command in the Privileged EXEC Mode manages and displays the status of Secure Boot on Arista switches. Secure Boot ensures the integrity of the boot process by validating the cryptographic signature of the EOS software image before execution.

Command Mode

EXEC

Command Syntax

securebootctl secureboot [-enable | -disable | -display]

securebootctl cert [[-add path] -delete | -display]

securebootctl aristacert [-disable | -enable | -display]

securebootctl abootpassword [-disable | -enable | -display]

Parameters

securebootctl secureboot - Enable, disable, or display information about secure boot.
securebootctl cert - Add a path to a certificate on the switch and display information about the certificate. Or delete the certificate.
securebootctl aristacert - Configure secure boot to use Arista certificates for validating software images before installing them on the switch.
securebootctl abootpassword - Enable, disable, or display passwords for secure boot.
securebootctl measuredboot - Enable, disable, or display measured boot.

Examples

Use the following command to enable secure boot:

Aboot# securebootctl secureboot -enable
Aboot#

Use the following command to add the path, /mnt/flash, to a certificate on the switch:

Aboot# securebootctl cert -add /mnt/flash
Aboot#

Use the following command to enable an Arista certificate on the switch:

Aboot# securebootctl aristacert -enable
Aboot#

Use the following command to enable a password for secure boot on the switch:

Aboot# securebootctl abootpassword -enable
Enter password:
Confirm password:

show platform bios

The show platform bios [history | detail] command displays the BIOS versions on the switch.

Command Mode

EXEC

Command Syntax

show platform bios

Examples

This command displays the Running, Programmed, and Fallback versions of Aboot.

switch# show platform bios
FixedSystem BIOS versions
  Location   Version                       	 
  ---------- ----------------------------------
  Running	  Aboot-norcal9-9.0.5-13882759  	 
  Programmed Aboot-norcal9-9.0.3-4core-13882759
  Fallback   Aboot-norcal9-9.0.3-4core-13882759
switch#

This command displays the BIOS installation history.

switch# show platform bios history
Supervisor-1 BIOS version history

Timestamp           Version
------------------- ----------------------------------
2020-04-07 04:20:22 Aboot-norcal9-9.0.5-13882759
2020-04-05 08:32:03 Aboot-norcal9-9.0.3-4core-13882759  	 

Supervisor-2 BIOS version history

Last update failed on 2020-04-15: Compatibility check failed.

Timestamp           Version 
------------------- ----------------------------------
2020-04-05 08:32:09 Aboot-norcal9-9.0.5-13882759
switch#

This command displays the BIOS installation history details.

switch# show platform bios history detail
Supervisor-1 BIOS version history

Timestamp           Version                            Checksum
------------------- ---------------------------------- ---------
2020-04-07 04:20:22 Aboot-norcal9-9.0.5-13882759       3fa8...
2020-04-05 08:32:03 Aboot-norcal9-9.0.3-4core-13882759 bb39...

Supervisor-2 BIOS version history

Last update failed on 2020-04-15: Compatibility check failed.

Timestamp           Version                            Checksum
------------------- ---------------------------------- ---------
2020-04-05 08:32:09 Aboot-norcal9-9.0.3-13882759       3fa8...
switch#

show redundancy file-replication

The show redundancy file-replication command displays the status and last synchronization date of file replication between the supervisors on the switch.

Command Mode

EXEC

Command Syntax

show redundancy file-replication

Related Commands

show redundancy status status and redundancy protocol of supervisors.
show redundancy switchover sso displays stateful switchover information since last reload.

Example

This command displays the supervisors' current file replication status.

switch# show redundancy file-replication
0 files unsynchronized, 2 files synchronized, 0 files failed, 2 files total.

File                   Status         Last Synchronized
---------------------- -------------- -----------------------
file:persist/sys       Synchronized   25 days, 19:48:26 ago
flash:startup-config   Synchronized   25 days, 19:48:26 ago
switch#

show redundancy status

The show redundancy status command displays the current status (active or standby) and the configured redundancy protocol of both supervisors, and summary information about the latest switchover event.

Command Mode

EXEC

Command Syntax

show redundancy status

Related Commands

show redundancy file-replication displays status of file replication between supervisors.
show redundancy switchover sso displays stateful switchover information since last reload.

Example

This command displays redundancy information for both supervisors and a summary of the latest switchover.

switch# show redundancy status
  my state = ACTIVE
peer state = STANDBY WARM
      Unit = Primary
   Unit ID = 1

Redundancy Protocol (Operational) = Route Processor Redundancy
Redundancy Protocol (Configured) = Route Processor Redundancy
Communications = Up
Ready for switchover

Last operational redundancy mode change time = 2:17:51 ago
Last operational redundancy mode change reason = Supervisor has control of the active supervisor lock
Last peer switchover time = never
Last peer switchover cause = None

show redundancy switchover sso

The show redundancy switchover sso command displays the number of stateful switchovers since the last reload and a log of the events in the latest stateful switchover.

Command Mode

EXEC

Command Syntax

show redundancy switchover sso

Related Commands

show redundancy file-replication displays status of file replication between supervisors.
show redundancy status displays status and redundancy protocol of supervisors.

Example

This command displays stateful switchover information.

switch# show redundancy switchover sso
Total number of Stateful Switchover completed since reload: 4

Latest Stateful Switchover occured 29 days, 12:48:22 ago @ 2012-06-09 19:47:50 
(completed)
  0.000000: switchover started
  0.000235: stage PCIEAcquired started
  0.000349:   event PCIEAcquired:__dummyInternal1__ completed
  0.000394:   event PCIEAcquired:PlxPcie-system started
  0.027738:   event PCIEAcquired:PlxPcie-system completed
  0.027829: stage PCIEAcquired is complete
  0.027935: stage DmaReady started
  0.028042:   event DmaReady:ForwardingAgent started
  0.079620:   event DmaReady:ForwardingAgent completed
  0.079699: stage DmaReady is complete
  0.079781: stage TimeCriticalServices started
  0.079887:   event TimeCriticalServices:__dummyInternal1__ completed
  0.079928:   event TimeCriticalServices:Stp started
  0.208035:   event TimeCriticalServices:Stp completed
  0.208120: stage TimeCriticalServices is complete
                <-------OUTPUT OMITTED FROM EXAMPLE------->
 39.675076: stage NonCriticalServices started
 39.675145:   event NonCriticalServices:__dummyInternal1__ completed
 39.675183: stage NonCriticalServices is complete
 39.675399: switchover is complete
switch#

show reload

The show reload command displays the time and reason for any pending reload operation. The reload (scheduled) command schedules a reload operation and can be used to cancel a pending reload.

Command Mode

EXEC

Command Syntax

show reload

Related Commands

reload (scheduled) schedules a pending reload operation.
show reload cause displays cause of most recent reload.

Example

These commands schedule a reload for 2:45 pm, display the time of the pending reload, and then cancel the scheduled reload.

switch# reload at 14:45
Proceed with reload? [confirm]
Reload scheduled for Tue Mar 27 14:45:00 2012 ( in 4 hours 11 minutes )
switch# show reload
Reload scheduled for Tue Mar 27 14:45:00 2012 ( in 4 hours 11 minutes )
switch# reload cancel
Scheduled reload has been cancelled
switch#

show reload cause

The show reload cause command displays the reason for the most recent reload operation. The command displays recommended actions and debug information related to the executed reload.

Command Mode

EXEC

Command Syntax

show reload cause

Related Commands

reload initiates an immediate reload operation.
show reload displays time and reason of all pending reload operations.

Example

This command displays the cause of the most recent reload operation.

switch# show reload cause
Reload Cause 1:
-------------------
Reload requested by the user.

Recommended Action:
-------------------
No action necessary.

Debugging Information:
----------------------
None available.
switch#

show reload fast-boot

The show reload fast-boot command verifies that the switch configuration is valid for Smart System Upgrade (SSU).

Command Mode

EXEC

Command Syntax

show reload fast-boot

Related Commands

reload initiates an immediate reload operation.
show reload displays time and reason of all pending reload operations.

Example

This command displays why SSU cannot be initiated and which features must be reconfigured to allow SSU to proceed.

switch# show reload fast-boot
'reload fast-boot' cannot proceed due to the following:
  Spanning-tree portfast is not enabled for one or more ports
  Spanning-tree BPDU guard is not enabled for one or more ports
switch#

Connection Management

The switch supports three connection methods:

Console
SSH
Telnet

The switch always enables the console and SSH. By default, EOS disables Telnet.

Management commands place the switch in a configuration mode to change session connection parameters.

Examples

The management console command places the switch in Console Management Mode:
```
switch(config)#management console
switch(config-mgmt-console)#
```
The management ssh command places the switch in SSH Management Mode:
```
switch(config)#management ssh
switch(config-mgmt-ssh)#
```
The management telnet command places the switch in Telnet Management Mode:
```
switch(config)#management telnet
switch(config-mgmt-telnet)#
```
The exit command returns the switch to global configuration mode:
```
switch(config-mgmt-ssh)#exit
switch(config)#
```

The idle-timeout commands shown in the following examples configure the idle timeout period for the configured connection type. The idle timeout defines the wait for a connection after a recent command before shutting down the connection. Setting the idle timeout to zero automatically disables the connection timeout, the default setting.

Examples

The idle-timeout (SSH Management) command configures an SSH idle-timeout period of three hours.
```
switch(config)# management ssh
switch(config-mgmt-ssh)# idle-timeout 180
```
The idle-timeout (Telnet Management) command automatically disable the connection timeout for Telnet connections.
```
switch(config)# management telnet
switch(config-mgmt-telnet)# idle-timeout 0
```

The shutdown (Telnet Management) command turns the Telnet on and off on the switch.

These commands enable Telnet.

switch(config)# management telnet
switch(config-mgmt-telnet)# no shutdown

These commands disable Telnet.

switch(config)# management telnet
switch(config-mgmt-telnet)# shutdown

Securely Erasing a Switch Storage Device

The Secure Erase feature completely wipes all data from the flash and optional SSD storage devices. It targets partitions mounted at /mnt/crash, /mnt/flash, and /mnt/drive (if present), securely erasing them. After erasing the data, it restores the original partition structure, destroys the Master Boot Record (MBR), and recreates the file systems, labels, and mount points with the same options. The EOS.swi and the boot-config files must be manually reinstalled afterwards, followed by a reboot using Aboot or the full recovery process.

All secure erasing is best effort. Use firmware-based secure erase when available and a software-based mechanism when the firmware mechanism might fail or be insufficient such as writing random data after sending an ATA Secure Erase command or does not exist. Unfortunately, no non-physically destructive mechanism can guarantee the destruction of all data on a storage device.

Note: Certain Arista switches have a dedicated storage device for serial console logging. The console output contains sensitive data, and the switch does not secure erasing this storage device. Locate platform support and usage information regarding serial console here.

Preparing for Secure Erase

Always connect to the switch or supervisor through the serial console before executing the reset system storage secure command. This command leaves the switch in Aboot mode, which is only accessible via the serial console. If the system has dual supervisors, Secure Erase can only be run on the standby supervisor or when redundancy is disabled (Simplex redundancy) or the command will fail. After execution, access the switch through the serial console to complete the recovery process.

Performing Secure Erase

To securely erase the flash and optional SSD storage device(s) on supported platforms, use the reset system storage secure command.

Examples

The following commands check the redundancy status of the supervisor to be erased, then perform a switchover to change its status to standby preparatory to initiating the secure erase:

switch# show redundancy status
  my state = ACTIVE
peer state = STANDBY WARM
      Unit = Primary
   Unit ID = 1

Redundancy Protocol (Operational) = Route Processor Redundancy
Redundancy Protocol (Configured) = Route Processor Redundancy
Communications = Up
Ready for switchover

Last operational redundancy mode change time = 2:17:51 ago
Last operational redundancy mode change reason = Supervisor has control of the active supervisor lock
Last peer switchover time = never
Last peer switchover cause = None
switch#

switch# redundancy manual switchover
This supervisor will be restarted.

Example of error output when attempting to use Secure Erase in the active supervisor with redundancy enabled.

switch# reset system storage secure  
! ERROR! Cannot reset system storage  
on the active supervisor while another  
supervisor is on standby.

The following command securely erases data stored on the switch, excluding dedicated console logging storage. The Secure Erase process does not restore or reinstall the EOS, that is, it doesn't copy the EOS.swi and boot-config files.

switch#reset system storage secure
WARNING! This will destroy all
data and will NOT be recoverable.
Device will reboot into Aboot, and
execution may take up to one hour.
Would you like to proceed? [y/N] y

Aboot# pwd  
/mnt/flash  
Aboot# ls -l  
drwxrwxr-x    3 root     eosadmin      4096 Jul 21 10:23 aboot  
drwxrwx---    2 root     eosadmin     16384 Jul 21 10:21 lost+found  
drwxr-xr-x    2 root     root          4096 Jul 21 10:01 secure_erase_log  
drwxr-xr-x    2 root     eosadmin      4096 Jul 21 10:23 tpm-data

Configuration Sessions Overview

The configure session command creates a configuration session for CLI commands and ends it after issuing the commit command. Each configure session has a unique name. You can enter, modify, and exit the session anytime without impacting the currently running system configuration.

While in the commit stage of a session, the running-config command creates copies of the modified configuration of the session, overwriting any other configuration changes made since creating the session. A session can be aborted or removed, which removes the session completely and frees up memory used by the session. You must explicitly request the changes in a deferred session to the switch configuration by entering a commit command and exiting the mode. Alternatively, abandon the changes by entering an abort command. The switch discards an uncommitted configuration session if the switch reboots and the session times out after 24 hours.

Configuration sessions implement the changes after verifying that no configuration errors occur. Configuration sessions allow the administrator to pre-provision a group of CLI commands in a named session and execute each configuration session at specified times.

Note: Committing a configuration session replaces the running-config with the session configuration which includes the running configuration at the initial session and the commands entered as part of the session. Any changes made to running-config since the initiation of the session overwrite the session during the commit stage.

Configuration Session

The configure session command allows you to execute a series of configuration changes in a temporary location and commit them to running-config by issuing the commit command.

configure session <name of session> and running-config: The user enters a session (versus configure terminal where configuration sessions are not used). It creates a system-named session if a session name is not specified, and it copies a snapshot of the current running-config into the session’s data structure as the basis of further configuration changes.
CLI configuration commands - The user can run any commands inside the session.
rollback clean-config - The user can run the rollback command to revert the session configuration to the factory-default configuration (or clean configuration).
show session-config - The user can run show session-config to show the session configuration, which will be the future running-config after committing.
commit - Issuesthe commit command to commit the changes and replace the current running-config.
abort - Abort the session and discard all changes.
exit - exit from the session and return to the same session by running the configure session again.
For a named session, more than one CLI instance can enter the same session and change the session configuration. After the session commits in any of the CLIs, no other CLI can commit or make any other changes in that session.

Note: Committing a configuration session replaces running-config with the session configuration, which consists of the running configuration at the initial session and the commands entered as part of the session. Any changes made to running-config since the initiation of the session overwrite when the session is in the commit stage.

Replacing the Configuration

The command configure replace URL replaces the current running-config with the configuration saved in a URL. By default, the configuration in the configure replace URL replaces running-config only if the configuration in the URL loads without errors. The command configure replace URL ignore-errors force the operation even if there are errors.

Note: The command copy URL running-config applies a saved configuration file to the system and appends that configuration to the current running-config instead of replacing it. However, Arista recommends using the command configure replace URL to streamline the process of restoring the system to a known good configuration.

The normal workflow uses a configuration session to perform the configure replace.

Configuration CLI

In the CLI, execute the following configuration steps to create a configuration session.

configure session [name of session]
Create or enter a session. If a name is not specified, it automatically generates. The user is in the session configuration mode, and the prompt will change to show the first six characters of the session name. Designating the name of a session is optional. When the name of session is not specified, a unique name is assigned.
```
no configure session  name of session 
```
Delete the specified configuration session. Designating the name of a session is required.
commit
Commit the changes made in the session. Configuration mode issues this command within the session.
```
abort
```
Abort the session, which is the same as deleting it. Configuration mode issues this command within the session.
rollback clean-config
Revert the configuration in the session to the clean, factory-default configuration. Configuration mode issues this command within the session.
service configuration session max completed number
Sets a limit on the maximum number of saved committed sessions.
service configuration session max pending number
Sets a limit on the maximum number of uncommitted sessions that can be outstanding.

Recovery Procedures

These sections describe the following switch recovery procedures:

Removing the Enable Password from the Startup Configuration
Reverting the Switch to the Factory Default Startup Configuration
Restoring the Factory Default EOS Image and Startup Configuration
USB Support for ZeroTouch Provisioning
Restoring the Configuration and Image from a USB Flash Drive

The first three procedures require Aboot Shell access through the console port. If the console port becomes inaccessible, use the last procedure in the list to replace the configuration file through the USB Flash Drive.

The Removing the Enable Password from the Startup Configuration section describes the switch booting process and includes descriptions of the Aboot shell, Aboot boot loader, and required configuration files.

Removing the Enable Password from the Startup Configuration

The enable password controls access to Privileged EXEC mode. The switch stores the enable password as an encrypted string generated from the clear-text password to prevent unauthorized disclosure. When using local switch authentication mode and a configured enable password, the CLI prompts to enter the clear-text password after entering the enable command at the EXEC prompt.

The startup-config file stores the encrypted enable password to ensure the switch loads it when rebooting. If the text version of the enable password is lost or forgotten, restore access to enable mode by removing the encrypted enable password from the startup configuration file.

Note: During the recovery process, the secondary supervisor must be physically removed from the system containing more than one supervisor. It ensures that the switch does not recover the previous configuration from the secondary supervisor upon reboot during the recovery process.

This procedure restores access to enable mode without changing any other configuration settings.

Access the Aboot shell:
1. Power cycle the switch by successively removing and restoring access to its power source.
2. Enter Ctrl-C when prompted early in the boot process.
3. Enter the Aboot password if prompted. If you do not know the Aboot password, refer to Restoring the Factory Default EOS Image and Startup Configuration for instructions on reverting all flash directory contents to the factory default, including the startup configuration and EOS image.
Change the active directory to the /mnt/flash directory.
```
Aboot# cd /mnt/flash
```
Open the startup-config file using VI or emacs.
```
Aboot# vi startup-config
```

Remove the enable password line.

enable password 5 $1$dBXo2KpF$Pd4XYLpI0ap1ZaU7glG1w/

Save the changes and exit vi.
Exit Aboot. The switch reboots.
```
Aboot# exit
```

Reverting the Switch to the Factory Default Startup Configuration

The startup-config file contains configuration parameters that the switch uses during a boot. Parameters that do not appear in the startup-configset to factory defaults when the switch reloads. The process requires the Aboot password if Aboot is password protected.

This procedure reverts EOS configuration settings to default by bypassing the startup-config file during a switch boot.

Access the Aboot shell through the console port:
1. Enter reload at the Privileged EXEC prompt.
2. Enter Ctrl-C when prompted early in the boot process.
3. Enter the Aboot password if prompted. If you do not know the Aboot password, refer to Restoring the Factory Default EOS Image and Startup Configuration for instructions on reverting all flash directory contents to the factory default, including startup-config and EOS image.
Change the active directory to the /mnt/flash directory.
```
Aboot# cd /mnt/flash 
```

Rename the startup configuration file.

Aboot# mv startup-config startup-config.old

Exit Aboot. This boots the switch.
```
Aboot# exit
```
Cancel Zero Touch Provisioning (ZTP). Refer to Canceling Zero Touch Provisioning for instructions.
For non-canceled ZTP, the switch performs one of the following actions:
- Boots using the startup-config file or boot script that it obtains from the network, or
- Remains in ZTP mode if the switch cannot download a startup-config file or boot script.

Configure the admin and enable passwords.

switch> enable
switch# configure terminal
switch(config)# enable password xyz1 
switch(config)# username admin secret abc41

Save the new running-config to the startup configuration file.
```
switch# write
```
(Optional) Delete the old startup configuration file.
```
switch# delete startup-config.old
```
After canceling ZTP, the switch reboots using the factory default settings and to avoid entering ZTP mode on subsequent reboots, create a startup-config file before the next switch reboot.

Restoring the Factory Default EOS Image and Startup Configuration

A fullrecover command removes all internal flash contents including configuration files, EOS image files, and user files, and then restores the factory default EOS image and startup-config. When the default image becomes outdated, the switch requires a subsequent installation of the current EOS image. This process requires Aboot shell access through the console port.

Note: For hardware available after June 2017, the factory default partition does not contain the backup EOS software image. It increases the flash size on smaller flash disks. Other options are available in the fullrecover command functionality to restore the factory default EOS image. It applies to both fixed system and modular system hardware.

This procedure restores the factory default EOS image and startup configuration.

Access the Aboot shell through the console port:
1. Enter reload at the Privileged EXEC prompt.
2. Enter Ctrl-C when prompted early in the boot process.
3. Enter the Aboot password if prompted. If you do not know the Aboot password, enter an empty password three times, after which the CLI displays:
```
Type "fullrecover" and press Enter to revert /mnt/flash to factory default state, or just press Enter to reboot:
```
4. Type fullrecover and go to 4.

Enter fullrecover at the Aboot prompt.

Aboot#fullrecover

Aboot displays this warning:

All data on /mnt/flash will be erased; type "yes" and press Enter to proceed, or just press Enter to cancel:

Enter yes and press the Enter key.
The switch performs one of the following actions:
- Erases the contents of /mnt/flash.
- Writes new boot-config, startup-config, and EOS.swi files to /mnt/flash.
- Returns to the Aboot prompt.
Exit Aboot.The switch reboots.
```
Aboot#exit
```
The serial console settings restore to their default values (9600/N/8/1/N).
Reconfigure the console port if you require non-default settings.
Cancel Zero Touch Provisioning (ZTP). Refer to Canceling Zero Touch Provisioning for instructions.
If you do not cancel ZTP, the switch does one of the following:
- Boots, using the startup-config file or boot script that it obtains from the network or
- Remains in ZTP mode if the switch cannot download a startup-config file or boot script.
When you cancel ZTP, the switch reboots using the factory default settings. To avoid entering ZTP mode on subsequent reboots, create a startup-config file before the next switch reboot.

USB Support for ZeroTouch Provisioning

Use Arista’s Zero Touch Provisioning to configure a switch without user intervention. The USB adds another way to provide the bootstrap name and verify the authenticity of the file server.

USB Deployment

When using a USB drive during ZTP, configure the following features:

Specify the location of the bootstrap file instead of using DHCP Option 67.
Provide the x509 root of trust for verifying the bootstrap download location.
Provide the enrollment token for CloudVision Service customers.

Configuration

Plug in a USB flash drive containing a yaml configuration file into the Arista EOS switch before powering it on.

The configuration (<USB-ROOT>/ztp/ztpConfig.yaml) should look like this:

"bootstrapUrl"
"serverCaCertificate"
"enrollmentToken"
"version": "1.0"

bootstrapUrl - The URL for bootstrap file, such as https://cvp/config.py.

 "bootstrapUrl"

serverCaCertificate - The path for the x509 root of trust on the remote file server on the USB, such as “ca.crt”.

"serverCaCertificate"

enrollmentToken - The path for the enrollment token on the USB, such as “token.tok”

"enrollmentToken"

All ZTP related files, serverCaCertificate and enrollmentToken, should be present in (<USB-ROOT>/ztp/* ), and the location specified in the ztpConfiguration yaml w.r.t to this folder.

"version": "1.0"

All the fields are optional. The following example displays a valid configuration. It performs as if no USB in place.

"bootstrapUrl"
"serverCaCertificate"
"enrollmentToken"
"version": "1.0"

The following is a sample of the configuration. Use the following structure for the USB drive:
USB Drive Roo
- ca.crt
- token.tok

"bootstrapUrl"
"serverCaCertificate"
"enrollmentToken"
"version": "1.0"

Advantages of USB ZTP

DHCP Server no longer need to configure Option 67.
The boot script location can now undergo additional checks, such as validating the endpoint before downloading and running the boot script.
If you want to enroll your devices with the CloudVision Service can do so easily.

Restoring the Configuration and Image from a USB Flash Drive

The USB flash drive port restores an original configuration when you cannot establish a connection to the console port. This process removes the contents of the internal flash drive, restores the factory default configuration, and installs a new EOS image from the USB flash drive.

This procedure restores the factory default configuration and installs an EOS image stored on a USB flash drive.

Prepare the USB flash drive:
1. Verify the drive has a MS-DOS or FAT file system format. Most USB drives ship with a pre-formatted with a compatible file system.
2. Create a text file named fullrecover on the USB flash drive. The filename does not have an extension. The file may be empty.
3. Create a text file named boot-config. The last modified timestamp of the boot-config file on the USB flash must differ from the timestamp of the boot-config file on the switch.
4. Enter this line in the new boot-config file on the USB flash:
```
SWI=flash:EOS.swi
```
5. Copy an EOS image file to the flash drive. Rename it EOS.swi if it has a different file name. For best results, the flash drive should contain only these three files because the procedure copies all files and directories on the USB flash drive to the switch.
  - fullrecover
  - boot-config
  - EOS.swi
Insert the USB flash drive into the USB flash port on the switch, as shown in Figure 1.
Connect a terminal to the console port and configure it with the default terminal settings (9600/N/8/1) to monitor progress messages on the console.
Power up or reload the switch.
The switch erases internal flash contents and copies the files from the USB flash drive to internal flash. The switch then boots automatically.
Cancel Zero Touch Provisioning (ZTP). Refer to Canceling Zero Touch Provisioning for instructions.
If ZTP is not canceled, the switch either:
- Boots, using the startup-config file or boot script that it obtains from the network or
- Remains in ZTP mode if the switch cannot download a startup-config file or boot script.
After canceling ZTP, the switch reboots using the factory default settings to avoid entering ZTP mode on subsequent reboots and creates a startup-config file before the next switch reboot.

Session Management Commands

Global Configuration Commands

Management Configuration Commands

idle-timeout (Console Management)
idle-timeout (SSH Management)
idle-timeout (Telnet Management)
protocol http (API Management)
protocol https (API Management)
protocol https certificate (API Management)
shutdown (API Management)
shutdown (Telnet Management)
vrf (API Management)

Display Commands

show inventory

commit timer

The commit timer command can automatically roll back changes performed during a configuration session if you haven't confirmed them within a preset time interval. This feature can prevent a user from committing configuration changes that could cause a network disruption. The no commit timer command deletes the session.

Command Mode

Configure Session Configuration Mode

Command Syntax

commit timer hh:mm:ss

Parameters

hh:mm:ss - Specify the time interval for the commit session.

Example

Use the following command to create a commit timer for 01.00.00 hour:

switch(config-s-MySession)# commit timer 01:00:00
switch#

configure replace

The configure replace command replaces the current configuration with a new configuration from the specified source.

Command Mode

Privileged EXEC

Command Syntax

configure replace source_file_path:source_file_name [ignore-errors] [md5 md5sum] [skip-checkpoint] [vrf instance_name]

Parameters

source_file_path:source_file_name replaces the current configuration with the configuration from the specified source file.
boot-extensions: - Replace the current configuration with the boot extensions configuration.
certificate: - Replace the current configuration with the certificate configuration.
checkpoint: - Replace the current configuration with the checkpoint configuration.
clean-config: - Replace the current configuration with a clean, default configuration.
extension: - Replace the current extensions configuration with an extensions configuration.
file: - Replace the current configuration with a configuration from a file location.
flash: - Replace the current configuration with a configuration from a flash location.
ftp: - Replace the current configuration with a configuration from a FTP location.
http: - Replace the current configuration with a configuration from an HTTP location.
https: - Replace the current configuration with a configuration from an HTTPS location.
installed-extensions: - Replace the current configuration with the installed extensions status.
running-config: - Replaces the current configuration with the running configuration.
scp: - Replace the current configuration with a configuration from an SCP location.
sftp: - Replace the current configuration with a configuration from an SFTP location.
snapshot: - Replace the current configuration with a configuration from a snapshot.
ssh-auth-principals-cmd: - Retrieve a configuration from an SSH location and replace the current configuration.
ssh-ca-key: - Retrieve a configuration from an SSH location and replace the current configuration.
ssh-key: - Retrieve a configuration from an SSH location and replace the current configuration.
ssh-revoke-list: - Retrieve a configuration from an SSH location and replace the current configuration.
startup-config: - Replace the current configuration with the startup configuration.
system: - Retrieve a configuration from a system location and replace the current configuration.
terminal: - Retrieve a configuration from a terminal location and replace the current configuration.
tftpt: - Retrieve a configuration from a TFTP location and replace the current configuration.
ignore-errors - Replace the configuration and ignore errors while loading the new configuration.
md5 md5sum - Performs a checksum to validate data integrity with the specified MD5 hashing algorithm.
skip-checkpoint - Skips creating the checkpoint fileof running-config.

Example

This command replaces the current configuration state with the startup configuration.

switch(config)# configure replace start-config
! Preserving static routes. Use 'no ip routing delete-static-routes' to clear them.
switch#

configure session

The configure session command allows a series of temporary configuration changes and commits to running-config later by issuing the commit command. EOS discards an uncommitted configuration session if the switch reboots and times out after 24 hours.

Note: Committing a configuration session replaces running-config with the session configuration, which consists of the running configuration at the initial session and the commands entered as part of the session. When the session commits, it overwrites any changes to running-config since the initiation.

The no configure session session_name and default configure session session_name commands delete the specified configuration session.

Command Mode

Privileged EXEC

Command Syntax

configure session [session_name] [abort | commit | [description description]]

no configure session session_name

default configure session

Parameter

session_name -Create a name for the configuration session.
abort - Ends the configuration sessions and deletes it.
commit - Commits the changes executed during the session.
description description - Create a description for the configuration session.

Guidelines

Creates a session with a name generated by the switch if you do not specify a session name.
The switch permits up to five uncommitted sessions.
When the switch reboots, it discards the uncommitted sessions.
Uncommitted sessions time out after 24 hours.

Example

This command creates a session named MySession) and adds commands. Issuing the commit command executes all commands and overwrites any configuration performed since the creation of the session.

switch(config)#configure session
switch(config-s-sess-1)#aaa authentication dot1x default group radius
switch(config-s-sess-1)#dot1x system-auth-control
switch(config-s-sess-1)#commit
switch(config-s-sess-1)#

idle-timeout (Console Management)

The idle-timeout (Console Management) command configures the idle-timeout period for console connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. By default, setting the idle timeout to zero disables the connection timeout automatically.

The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.

Command Mode

ManagementConsole Configuration

Command Syntax

idle-timeout idle_period

no idle-timeout

default idle-timeout

Parameters

idle_period session idle-timeout length. Options include:

0 - Disables the automatic connection timeout.
1 to 86400 - Configures the automatic timeout period in minutes.

Examples

These commands configure a console idle-timeout period of three hours, then return the switch to global configuration mode.

switch(config)# management console
switch(config-mgmt-console)# idle-timeout 180
switch(config-mgmt-console)# exit
switch(config)#

These commands disable automatic connection timeout.

switch(config)# management console
switch(config-mgmt-console)# idle-timeout 0
switch(config-mgmt-console)#

idle-timeout (SSH Management)

The idle-timeout (SSH Management) command configures the idle-timeout period for SSH connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. Setting the idle timeout to zero disables the connection timeout automatically.

The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.

Command Mode

Management SSH Configuration

Command Syntax

idle-timeout idle_period

no idle-timeout

default idle-timeout

Parameters

idle_period session idle-timeout length. Options includethe following:

0 - Disables the automatic connection timeout.
1 to 86400 - Configures the automatic timeout period in minutes.

Examples

These commands configure an SSH idle-timeout period of three hours, then return the switch to global configuration mode.

switch(config)# management ssh
switch(config-mgmt-ssh)# idle-timeout 180
switch(config-mgmt-ssh)# exit
switch(config)#

These commands disable automatic connection timeout.

switch(config)# management ssh
switch(config-mgmt-ssh)# idle-timeout 0
switch(config-mgmt-ssh)#

idle-timeout (Telnet Management)

The idle-timeout (Telnet Management) command in the Telenet Management Configuration Mode configures the idle-timeout period for Telnet connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. Setting the idle timeout to zero disables the connection timeout automatically.

The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.

Command Mode

ManagementTelnet

Command Syntax

idle-timeout idle_period

no idle-timeout

default idle-timeout

Parameters

idle_period session idle-timeout length. Options include:

0 - Disables the automatic connection timeout.
1 to 86400 - Configures the automatic timeout period in minutes.

Examples

These commands configure a Telnet idle-timeout period of three hours, then return the switch to global configuration mode.

switch(config)# management telnet
switch(config-mgmt-telnet)# idle-timeout 180
switch(config-mgmt-telnet)# exit
switch(config)#

These commands disable automatic connection timeout.

switch(config)# management telnet
switch(config-mgmt-telnet)# idle-timeout 0
switch(config-mgmt-telnet)#

management accounts

The management accounts command enters the Accounts Management Configuration Mode and allows the creation of user accounts on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Accounts Management Configuration

Command Syntax

management accounts

[no | default] management accounts

Parameters

management accounts - Enters Accounts Management Configuration Mode.
- account - Enters the Account Configuration Mode after adding a user name.
  - session limit value - Add the number of allowed sessions from 1 to 100 per user.
- password policy policy_name - Configure password policies.
- session default-limit value - Configure the maximum number of remote sessions per user.

Example

Use the following commands to enter Accounts Management Configuration Mode and add a user tech_support1 with a session limit of 10:

switch(config)# management accounts
switch(config-mgmt-accounts)# account tech_support1
switch(config-mgmt-acct-tech_support1)# session limit 10

management api eos-sdk-rpc

The management api eos-sdk-rpc command places the switch in EOS SDK RPC API management configuration mode.

The no management api eos-sdk-rpc and default management api eos-sdk-rpc commands delete the mgmt-api-eos-sdk-rpc configuration mode statements from running-config.

EOS SDK RPC API management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the EOS SDK RPC API management configuration mode does not affect the running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api eos-sdk-rpc

no management api eos-sdk-rpc

default management api eos-sdk-rpc

Commands Available in EOS SDK RPC API Configuration Mode

transport (EOS SDK RPC API Management)

Examples

This command places the switch in EOS SDK RPC API management configuration mode.

switch(config)# management api eos-sdk-rpc
switch(config-mgmt-api-eos-sdk-rpc)#

This command returns the switch to global management mode.

switch(config-mgmt-api-eos-sdk-rpc)# exit
switch(config)#

management api external-services

The management api external-services command places the switch in External Services API configuration mode.

The no management api external-services and default management api external-services commands delete the mgmt-api-external-services configuration mode statements from running-config.

External Services API configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the External Services API configuration mode does not affect the running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api external-services

no management api external-services

default management api external-services

Commands Available in Mgmt-API Configuration Mode

shutdown (External Services API Management)
vrf (External Services API Management)

Examples

This command places the switch in External Services API Management configuration mode.

switch(config)# management api external-services
switch(config-mgmt-api-external-services)#

This command returns the switch to global management mode.

switch(config-mgmt-api-external-services)# exit
switch(config)#

management api gnmi

The management api gnmi command places the switch in GNMI API Management configuration mode.

The no management api gnmi and default management api gnmi commands delete the mgmt-api-gnmi configuration mode statements from running-config.

GNMI API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the GNMI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api gnmi

no management api gnmi

default management api gnmi

Commands Available in Mgmt-API Configuration Mode

operation (GNMI API Management)
provider (GNMI API Management)
transport (GNMI API Management)

Examples

This command places the switch in GNMI API Management configuration mode.
```
switch(config)# management api gnmi
switch(config-mgmt-api-gnmi)#
```
This command returns the switch to global management mode.
```
switch(config-mgmt-api-gnmi)# exit
switch(config)#
```

management api gnsi

The management api gnsi command places the switch in GNSI API management configuration mode.

The no management api gnsi and default management api gnsi commands delete the mgmt-api-gnsi configuration mode statements from running-config.

GNSI API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the GNSI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api gnsi

no management api gnsi

default management api gnsi

Commands Available in GNSI API Management Configuration Mode

service (GNSI API Management)
transport (GNSI API Management)

Examples

This command places the switch in GNSI API Management configuration mode.
```
switch(config)# management api gnsi
switch(config-mgmt-api-gnsi)#
```
This command returns the switch to global management mode.
```
switch(config-mgmt-api-gnsi)# exit
switch(config)#
```

management api gribi

The management api gribi command places the switch in gRIBI API Management configuration mode.

The no management api gribi and default management api gribi commands delete the mgmt-api-gribi configuration mode statements from running-config.

gRIBI API Management configuration mode is not a group change mode; running-config changes immediately upon entering commands. Exiting the gRIBI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api gribi

no management api gribi

default management api gribi

Commands Available in gRIBI API Management Configuration Mode

transport (gRIBI API Management)

Examples

This command places the switch in gRIBI API Management configuration mode.
```
switch(config)# management api gribi
switch(config-mgmt-api-gribi)#
```
This command returns the switch to global management mode.
```
switch(config-mgmt-api-gribi)# exit
switch(config)#
```

management api http-commands

The management api http-commands command places the switch in HTTP Commands API Management Configuration Mode.

The no management api http-commands and default management api http-commands commands delete the HTTP Commands API Management Configuration Mode statements from running-config.

HTTP Commands API Management Configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting HTTP Commands API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api http-commands

no management api http-commands

default management api http-commands

Commands Available in HTTP Commands API Management Configuration Mode

protocol http
protocol https
protocol https certificate
protocol shutdown
protocol vrf

Examples

This command places the switch in HTTP Commands API Management Configuration Mode.
```
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)#
```
This command returns the switch to Global Configuration Mode.
```
switch(config-mgmt-api-http-cmds)# exit
switch(config)#
```

management api models

The management api models command places the switch in Models API Management configuration mode.

The no management api models and default management api models commands delete the mgmt-api-models configuration mode statements from running-config.

Models API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Models API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api models

no management api models

default management api models

Commands Available in Models API Management Configuration Mode

models (Models API Management)
modules (Models API Management)
provider (Models API Management)

Examples

This command places the switch in Models API Management configuration mode.
```
switch(config)# management api models
switch(config-mgmt-api-models)#
```
This command returns the switch to global management mode.
```
switch(config-mgmt-api-models)# exit
switch(config)#
```

management api netconf

The management api netconf command places the switch in Netconf API Management configuration mode.

The no management api netconf and default management api netconf commands delete the mgmt-api-netconf configuration mode statements from running-config.

Netconf API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Netconf API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api netconf

no management api netconf

default management api netconf

Commands Available in Netconf API Management Configuration Mode

transport (Netconf API Management)

Examples

This command places the switch in Netconf API Management configuration mode.
```
switch(config)# management api netconf
switch(config-mgmt-api-netconf)#
```
This command returns the switch to global management mode.
```
switch(config-mgmt-api-netconf)# exit
switch(config)#
```

management api restconf

The management api restconf command places the switch in Restconf API Management configuration mode.

The no management api restconf and default management api restconf commands delete the mgmt-api-restconf configuration mode statements from running-config.

Restconf API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Restconf API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

management api restconf

no management api restconf

default management api restconf

Commands Available in Restconf API Management Configuration Mode

transport (Restconf API Management)

Examples

This command places the switch in Restconf API Management configuration mode.
```
switch(config)# management api restconf
switch(config-mgmt-api-restconf)#
```
This command returns the switch to global management mode.
```
switch(config-mgmt-api-restconf)# exit
switch(config)#
```

management archive

The management archive command enters the Archive Management Configuration Mode and allows you to manage log archives and archive space.

Command Mode

Global Configuration

Archive Management Configuration

Command Syntax

management archive [destination flash:] [quotapct percentage] shutdown

Parameters

management archive - Enters the Archive Management Configuration Mode.
destination flash: - Configure a destination for the archive files.
quotapct percentage - Set the quota percentage value from 0 to 100.
shutdown - Disables log archiving on the switch.

Example

Use the following commands to configure the quota percentage as 50:

switch(config)# management archive
switch(config-mgmt-archive)# quotapct 50
switch(config-mgmt-archive)#

management cli

The management cli command places the switch in CLI Management Configuration Mode and allows you to configure command line options.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

CLI Management Configuration

Command Syntax

management cli command deprecated log

[no | default] management cli command deprecated log

Parameters

management cli - Enters the CLI Management Configuration Mode.
command - Configure command options.
deprecated - Configure the CLI behavior for deprecated commands.
log - Create a syslog message when executing a deprecated command.

Example

Use the following commands to create a syslog message when executing a deprecated command:

switch(config)# management cli
switch(config-mgmt-cli)# command deprecated log
switch(config-mgmt-cli)#

management client

The management client command enters the Client Management Configuration Mode and configures remote applications or scripts that utilize the switch powerful eAPI (EOS API) to programmatically send configuration and show commands.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Client Management Configuration

Command Syntax

management client api gnmi [group group_name member server_name] [server server_name]

[no | default] management client api gnmi

Parameters

management client api gnmi - Configures the switch as a gNMI client.
group group_name - Configure gNMI server group definitions.
member server_name - Add a gNMI server to the group.
server server_name - Add a gNMI server to the configuration.

Example

Use the following commands to add the group, gnmi_group, and the member, gnmi_server1 to the client configuration:

switch(config)# management client api gnmi
switch(config-mgmt-client-api-gnmi)# group gnmi_group member gnmi_server1
switch(config-mgmt-client-api-gnmi)#

management console

The management console command places the switch in Console Management Configuration Mode to adjust the idle-timeout period for console connection sessions. The idle-timeout period determines the inactivity interval that terminates a connection session.

The no management console and default management console commands delete the Console Management Configuration Mode statements from running-config.

The Console Management Configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting the mgmt-console configuration mode does not affect running-config. The exit command returns the switch to Global Configuration Mode.

Command Mode

Global Configuration

Command Syntax

management console

no management console

default management console

Parameters

idle-timeout (Console Management)
login - Configure options related to logging into the switch.

Examples

This command places the switch into Console Management Configuration Mode:
```
switch(config)# management console
switch(config-mgmt-console)#
```
This command returns the switch to Global Management Mode:
```
switch(config-mgmt-console)# exit
switch(config)#
```

management data source

The management data source command enters the Data Source Management Configuration Mode and allows defining the rules and actions taken on specific data streams.

Command Mode

Global Configuration

Data Source Management Configuration

Command Syntax

management data source [disable] [sensor sensor_name [disabled | ip address ip_address port port] [traffic-policies [disabled] [field-set [ipv4 prefix source_name] [ [ipv6 prefix source_name] [ service source_name]]

Parameters

management data source - Enters the Data Source Configuration Mode.
disable - Disable the management data source.
sensor sensor_name - Specify the name of a sensor.
- disabled - Disable the sensor.
- ip address ip_address - Specify the IPv4 or IPv6 address of the sensor.
- port port - Specify the port.
traffic-policies - Configure traffic policies to apply to the data source.
disabled - Disable traffic policies on the switch.
field-set - Configure field sets to use with the traffic policies.
- ipv4 prefix source_name - Specify the IPv4 prefix and source name.
- ipv6 prefix source_name - Specify the IPv6 prefix and source name.
- service source_name - Specify the service and source name.

Example

Use the following commands to configure a sensor, sensor_db, with the IPv4 address, 192.168.92.157, and port 443:

switch(config)# managment data source
switch(config-mgmt-ds)# sensor sensor_db
switch(config-mgmt-ds-sensor-sensor_db)# ip 192.168.96.157 port 443
switch(config-mgmt-ds-sensor-sensor_db)#

management defaults

The management defaults command enters the Defaults Management Configuration Mode and configures storing secrets on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Defaults Management Configuration

Command Syntax

management defaults secret hash [md5 | scrypt | sha-512 | yescrypt]

[no | default] management defaults

Parameters

management defaults - Enters the Defaults Management Configuration Mode.
secret - Configure storing secrets.
hash- Specify a hash algorithm to use for secrets.
- md5 - Specify Message-Digest Algorithm 5.
- scrypt - Specify scrypt, a password-based key derivation function (KDF) designed specifically to make brute-force attacks against hashed passwords significantly harder, even when attackers use specialized hardware like GPUs or FPGAs.
- sha-512 - Specify SHA-512 a cryptographic hash function that is part of the SHA-2 family, standardized by NIST (National Institute of Standards and Technology). It is a highly secure and widely used algorithm for ensuring data integrity and securing digital operations.
- yescrypt - Specify yescrypt, a modern, highly secure password-based key derivation function (KDF) designed as a successor and alternative to functions like PBKDF2, scrypt, and bcrypt. It was developed by Alexander Peslyak (Solar Designer) and is specifically engineered to achieve the best possible resistance against hardware-accelerated cracking attacks using GPUs, FPGAs, and ASICs.

Example

Use the following commands to add MD5 as the secret hash:

switch(config)# managment defaults
        switch(config-mgmt-defaults)# secret hash md5

management dmf

The management dmf command in the DANZ Monitoring Fabric (DMF) Configuration Mode allows the configuration of up to two DMF controllers on the network.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

DANZ Monitoring Fabric (DMF) Configuration

Command Syntax

managment dmf [disabled] [controller address ip_address1 controller address ip_address2

[no | default]> managment dmf

Parameters

disabled - Disables DMF on the switch.
controller address ip_address1 - Configure the first DMF controller with an IPv4 or IPv6 address.
controller address ip_address2 - Configure the second DMF controller with an IPv4 or IPv6 address.

Example

Use the following commands to add a DMF controller, 172.16.23.47, to the switch:

switch(config)# manangement dmf
switch(config-mgmt-dmf)# controller 172.16.21.47
switch(config-mgmt-dmf)#

management file-systems

The management file-systems command in the File Systems Management Configuration Mode allows the configuration and management of the file system on the switch.

Command Mode

Global Configuration

File Systems Management Configuration

Command Syntax

management file-systems nfs [crash: directory_name] [file: directory_name] [flash: directory_name]

Parameters

nfs - Specifies the network file system.
crash: directory_name - Specify the location of the crash files.
file: directory_name - Specify the location of the files.
flash: directory_name - Specify the location of the flash files.

Example

Use the following commands to manage the crash files:

switch(config)# management file-systems
            switch(config-mgmt-file-systems)# nfs crash:

management http-server

The management http-server command enters the HTTP Management Configuration Mode of the switch to allow Application Programming Interface (API) access to the switch for programmatic commands.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

HTTP Management Configuration

Command Syntax

management http-server [cors allowed-origin origin server_address | all | *]

management http-server default-services

management http-server header csp frame-ancestors uri

management http-server protocol [http [localhost | port port_number]] [https [port port_number | ssl profile_name]] [unix-socket]

management http-server qos dscp dscp_value

management http-server vrf [default | vrf_name

Parameters

management http-server cors - Specify Cross-Origin Resource Sharing for the HTTP Server.
- allowed-origin server_address - Specify an allowed origin server IP address.
- [all | *] - Specify all to allow all CORS.
management http-server default-services - Specify to use default services, capi-doc and tapagg, for the HTTP Server.
management http-server header - Configure additional headers for the HTTP Server.
- csp - Specify content security policy headers.
- frame-ancestors - Specify CSP directive frame-ancestors.
- uri - Configure the URI for the host.
management http-server log-level - Specify any of the level parameters to log as a syslog message.
management http-server protocol - Configure server options.
- http [localhost | port port_number - Configure a local host and port for the HTTPS Server.
- https [port port_number | ssl profile_name - Configure a port and SSL profile name.
- unix-socket - Specify a Unix Domain Socket.
management http-server qos - Configure Quality of Service (QoS) parameters.
- dscp - exit
management http-server vrf [default | vrf_name - Specify using the default VRF on the switch or another configured VRF.

Example

Use the following commands to specify using the default services for the HTTP Server:

switch(config)# management http-server
switch(config-mgmt-http-server)# default-services
switch(config-mgmt-http-server)#

management ldap group

The management ldap command in the Global Configuration mode enters the switch into LDAP Management Configuration Mode and allows the configuration of an LDAP group and server. This allows the switch to authenticate and authorize users against an external Lightweight Directory Access Protocol (LDAP) server and centralizes user management.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

LDAP Management Configuration

Command Syntax

management ldap [group policy policy_name group group_name rolerole_name [after | before] group_name [privilege level]

Parameters

management ldap - Configure LDAP options.
- group policy policy_name - Configure a group policy name.
- group group_name - Configure the group name to add to the configuration.
- role role_name - Specify the role name for the group.
- [after | before] group_name - Specify adding the role before or after a rule.
- privilege level - Configure a privilege level between 0 and 15.

Example

Use the following commands to add the policy, policy1, to group, ldap_group, with the role of manager, and privilege level 10:

switch(config)# management ldap
switch(config-mgmt-ldap)# group policy policy1
switch(config-mgmt-ldap-gp-policy1)# group ldap_group role manager privilege 10
switch(config-mgmt-ldap-gp-policy1)#

management ldap server

The management ldap server command enters the LDAP Management Configuration Mode and allows the configuration of an LDAP server for authentication on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

LDAP Management Configuration

Command Syntax

management ldap server [defaults [authorization group policy policy_name] [base-dn domain_name] [rdn attribute user attr_name] [search username username password password] [ssl-profile profile_name] [timeout seconds]] [host host_name portport_number vrfvrf_name]

[no | default] management ldap server

Parameters

management ldap server - Enters the LDAP Management Configuration Mode and allows the configuration of an LDAP server.
defaults - Configure default LDAP options for all servers.
- authorization group policy policy_name - Configure LDAP options for user authorization using a group policy name.
- base-dn domain_name - Specify a distinguished domain name.
- rdn attribute user attr_name - Add an attribute for a Relative Distinguished Name.
- search username username password password - Configure search options for the LDAP server.
- ssl-profile profile_name - Add an SSL profile to the configuration.
- timeout seconds - Configure the length of time to wait before timing out the session.
host host_name - Specify a hostname or IP address of the LDAP server.
- port port_number - Specify a port number. The configuration uses port 389 by default.
- vrf vrf_name - Specify the VRF name for the configuration.

Example

Use the following commands to use arista.com as the base Domain Name:

switch(config)# management ldap
switch(config-mgmt-ldap)# server defaults
switch(config-ldap-defaults)# base-dn arista.com
switch(config-ldap-defaults)#

management nic profiles

The management nic profiles command enters the Network Interface Card (NIC) Profile Configuration Mode and allow configuration of an interface for an internal service client such as ZTP or an internal monitoring process that needs to reach a provisioning server.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Network Interface Card (NIC) Profile Configuration

Command Syntax

management nic profiles profile profile_name [connection [ssl profile profile_name] [timeout seconds ]] [job job_name metric path path_name] [port port_number] [system auto-discovered]] [polling interval interval

[no | default] management nic profiles profile profile_name

Parameters

management nic profiles profile profile_name - Configure a name for the NIC profile.
connection - Configure connection parameters:
- ssl - Add an SSL profile to the connection
- timeout - Configure the length of time, in seconds, before the connection disconnects.
job job_name - Specifies the type of job to run on the client.
- metric path path_name - Specify the metric path, in the format of a URL, used for the job.
- port port_number - Specify a port between 1 and 65535.
- system auto-discovery - Specify if you want to auto-discover jobs on the switch.
polling interval interval seconds - Specify a polling interval between 1 and 600 seconds.

Example

Use the following commands to add an SSL profile, secure_1, to the NIC profile, nic_mgmt:

switch(config)# management nic profiles profile nic_mgmt
switch(config-mgmt-nic-profile-nic_mgmt)# connection ssl profile secure_1
switch(config-mgmt-nic-profile-nic_mgmt)#

management package

The management package command in the Package Management Configuration Mode configures a remote source for downloading optional software extension packages.

Command Mode

Global Configuration

Package Management Configuration

Command Syntax

management package repository repo_name [description description] [type description] [url url]

Parameters

management package - Enters the Package Management Configuration Mode on the switch.
repository repo_name - Specify the repository name.
description description - Create a description of repository that used in show commands.
type yum - Retrieve the files using yum.
urlurl - Specify the network path to the repository server. The URL defines transport protocol for the files.

Example

Use the following commands to create a repository, prod_ext, with the URL, https://10.11.10.27/arista/extensions/:

switch(config)# management package
            switch(config-mgmt-package)# management package repository pProd-Ext type url https://10.11.10.27/arista/extensions/

management security auto-certificate

The management security auto-certificate command enters the Auto-Certificate Security Management Configuration Mode and automates the management and renewal of the digital certificates used by the switch for various secure management services such HTTPS for APIs.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Auto-Certificate Security Management Configuration

Command Syntax

management security auto-certificate [profile profile_name [digest [sha256 | sha384 | sha512]] [key key_name ] [ parameters [distinguished-name [common-name name] [country name [email email ] [locality locality] [organizationorganization] [organization-unit unit] [serial-number number ] [state state]] [subject-alternative-name [dns dns_name] [email email] [ip ip_address] [uri uri] ] [protocol instance instance_name] [renewal seconds seconds]]

management security auto-certificate [protocol est profile_name [connection retry [count num_retries] [interval seconds seconds]] [credentials enroll [secret [0 | 7 | 8a] secret] [token [0 | 7 | 8a] token] [username username ]] [disabled] [server [ssl profile profile_name] [url url ] [vrf vrf_name

Parameters

management security profile_name - Enters the Security Management Configuration Mode.
auto-certificate profile profile_name - Configure profile options for Automatic Certificate Management.
- digest [sha256 | sha384 | sha512 - Specify the digest algorithm used to sign a Certificate Signing Request (CSR).
- key key_name - Configure a key name used for the certificate.
- parameters - Configure the certificate parameters.
  - distinguished-name - Configure a distinguished name for the certficate.
    - common-name name - Specify the common name.
    - country name - Specify the country.
    - email email - Specify the email address used for the certificate.
    - locality locality - Specify the locality.
    - organization organization - Add the organization.
    - organization-unit unit - Specify the organization unit.
    - serial-number number - Specify the serial number.
    - state state - Specify the state.
  - subject-alternative-name - Configure thealternative subject nameextension.
    - dns dns_name - Add the name of the DNS server.
    - email email - Add the email address.
    - ip ip_address - Specify the IP address of the DNS server.
    - uri uri - Specify the Universal Resource Indicator (URI).
- auto-certificate protocol est profile_name - Specify the profile name for Enrollment over Secure Transport (EST).
  - connection retry -Configure the number of times to retry the connection.
    - count num_retries - Specify the number of retries.
    - interval seconds - Specify the interval between connection retries.
    - seconds - Specify the unit of time.
  - credentials - Configure the credentials used with EST.
    - enroll - Enrollwith the following credentials:
      - secret [0 | 7 | 8a secret - Configure a secret.
      - token [0 | 7 | 8a token - Configure a JSON token.
      - username username - Configure a username and secret.
        
        secret [0 | 7 | 8asecret
    - re-enroll - Re-enroll with the following credentials:
      - secret [0 | 7 | 8a secret - Configure a secret.
      - token [0 | 7 | 8a token - Configure a JSON token.
      - username username - Configure a username and secret.
        
        secret [0 | 7 | 8a secret
    - disabled - Temporarily disable sending requests to the EST server.
    - server -Configure theEST server options:
      - ssl profile profile_name - Specify an SSL profile.
      - url url - Specify the URL of the EST server.
      - vrf vrf_name - Specify the VRF used for the EST server.

management security entropy

The management security entropy command manages the source of cryptographic entropy (randomness) and provides high quality randomness for SSH keys, SSL/TLS certificates, and random session identifiers.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Security Management Configuration

Command Syntax

management security entropy source [cpu jitter] [hardware exclusive] [haveged]

[no | default] management security entropy

Parameters

entropy source - Configure the source used for entropy on the switch.
cpu jitter - Configure using a CPU-based source with the Jitter RNG algorithm.
hardware exclusive - Configure using hardware exclusively for entropy.
haveged - Use the Hardware Volatile Entropy Gathering and Extension (HAVEGED) algorithm to quickly and efficiently generate high quality cryptographic entropy.

Example

Use the following command to use cpu jitter for security entropy:

switch(config)# managment security
switch(config-mgmt-security)# entropy cpu jitter
switch(config-mgmt-security)#

management security network

The management security network command enters the Security Management Configuration mode and then configures security policies that govern the access and behavior of various management applications on the switch. It defines rules to protect the control plane from unauthorized or malicious network activity.

The [no | default] versions of the command return the feature to its default settings.

Command Mode

Global Configuration

Security Management Configuration

Command Syntax

management security network client protocol [ftp | http | tftp] disabled

[no | default] management security network client protocol

Parameters

network - Configure network protocols.
client - Specify client traffic.
protocol - Select a protocol for client traffic.
[ftp | http | tftp] disabled - Disables the protocol and no longer allows clients to connect over these protocols.

Example

Use the following commands to disable FTP client traffic:

switch(config)# management security
switch(config-mgmt-security)# network client protocol ftp disabled
switch(config-mgmt-security)#

management security ocsp

The management security ocsp command enters the Security Online Certificate Status Protocol (OCSP) Configuration Mode and quickly checks the revocations status of digital certificates used by management services such as HTTP or LDAP over TLS.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Security Management Configuration

Command Syntax

management security ocsp profile profile_name [chain certificate requirement responder [all | leaf | none]] [extension nonce request [disabled | response]] [response validity-time extended-by seconds] [timeout seconds] [url url] [vrf vrf]

[no | default] management security ocsp profile profile_name

Parameters

ocsp profile profile_name - Configure a name for the OCSP profile.
- chain - Configure a chained certificate for OCSP.
  - certificate requirement - Add a check to the certificate for validity.
  - responder - Configure the requirements for querying the OCSP responder.
    - all - Perform OCSP verification on the whole chain.
    - leaf - Specify to only perform OCSP verification on the leaf.
    - none - Specify to only perform OCSP verification on certificates with a specified responder.
- extension nonce request - Configure sending a nonce in the OCSP requests.
  - disabled - Specify to not send a nonce in the OCSP request.
  - response - Specify to require the OCSP nonce in the OCSP response.
- response validity-time extended-by seconds - Configure a leeway time when checking the validity of OCSP responses from 1 to 10800 seconds.
- timeout seconds - Configure the length of time to timeout OCSP queries from 1 to 600 seconds.
- url url - Configure the URL of overriding OSCP responder.
- vrf vrf - Configure the VRF as the location to perform OCSP queries.

Example

Use the following commands to add the profile, OCSP_1, with an extension nonce request of disabled

switch(config)# management security
switch(config-mgmt-security)# ocsp profile OCSP_1
switch(config-mgmt-sec-ocsp-profile-OCSP_1)# extension nonce request disabled
switch(config-mgmt-sec-ocsp-profile-OCSP_1)#

management security password

The management security password command enters the Security Management Configuration Mode and configures robust password policies for all local user accounts.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Security Management Configuration

Command Syntax

management security password [encryption reversible aes-256-gcm] [encryption-key common custom key] [minimum length num_char] [policy policy_name [deny last pw_count] [ maximum repetitive num_char sequential num_char] [ minimum [changed num_char] [digits num_char] [length num_char] [lower num_char] [ num_char] [uppernum_char]]

[no | default] management security password

Parameters

password - Configure password policies for the management interface.
encryption reversible aes-256-gcm - Configure a common encryption algorithm.
encryption-key common custom key - Configure a 32-byte customized encryption key.
minimum length num_char - Configure a minimum length between 1 and 32 characters.
policy policy_name - Configure password complexity settings for a policy profile.
- deny last pw_count -
- maximum [repetitive |sequential] num_char
- minimum -Configure the following minimum settings:
  - changed num_char - Configure the number of positional characters that must change 0 to 65535.
  - digits num_char - Configure the number of digits required for the password 0 to 65535.
  - length num_char - Configure the number of characters for the password 0 to 65535.
  - lower num_char - Configure the number of lower case characters required for the password from 0 to 65535.
  - special num_char - Configure the number of special characters, !"#$%&\'()*+,-./:;<=>?@[^]_`{|}~, required for the password from 0 to 65535
  - upper num_char - Configure the number of lower case characters required for the password from 0 to 65535.

Example

Use the following commands to create a password policy, ldap_access, with the minimum length of 15 characters:

switch(config)# management security
switch(config-mgmt-security)# policy ldap_access
switch(config-pwd-policy-ldap_access)# minimum length 15
switch(config-pwd-policy-ldap_access)#

management security session

The management security session command enters the Security Management Configuration Mode and configures the session parameters that govern the behavior, timeouts, and security of interactive management sessions.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Security Management Configuration

Command Syntax

management security session shared-secret profile profile_name secret secret_name [0 | 7 | 8a]password [infinite] [ mm/dd/yyyy hh:mm:ss [infinite | datelocal-time] [receive-lifetime mm/dd/yyyy hh:mm:ss [infinite |date local-time]] [transmit-lifetime [infinite mm/dd/yyyy hh:mm:ss date local-time]]

Parameters

session shared-secret profile profile_name - Configure a profile for shared secret settings.
secret secret_name - Configure a name for the secret.
- 0 - Indicates that the key is not encrypted.
- 7 - Specifies that a hidden string follows.
- 8a - Specifies that an AES-256-GCM encrypted key follows.
- password - Specify a password
  - infinite - Specify an infinite lifetime for the password.
    - infinite
    - mm/dd/yyyy - Specify a date in the month/day/year format.
    - yyyy-mm-dd - Specify a date in the year-month-day format.
  - mm/dd/yyyy - Specify a date in the month/day/year format.
  - receive-lifetime -Configure the lifetime for receiving the key.
    - infinite
    - mm/dd/yyyy - Specify a date in the month/day/year format.
    - yyyy-mm-dd - Specify a date in the year-month-day format.
  - transmit-lifetime - Configure the lifetime for transmitting the key.
    - infinite
    - mm/dd/yyyy - Specify a date in the month/day/year format.
    - yyyy-mm-dd - Specify a date in the year-month-day format.
  - yyyy-mm-dd - Specify a date in the year-month-day format.
- local-time - Configure secrets using the local timezone from the system clock. By default, the parameter sets to UTC.

Example

Use the following commands to configure a session to use the profile, mySession, with the secret name, mySecret, and the secret, qwerty, with an infinite receive-lifetime and transmit-lifetime, with the default local-time:

switch(config)# management security
switch(config-mgmt-security)# session shared-secret profile mySession
switch(config-mgmt-sec-sh-sec-profile-mySession)# secret mySecret 0 qwerty receive-lifetime infinite 
transmit-lifetime infinite local-time
switch(config-mgmt-sec-sh-sec-profile-mySession)#

management security signature-verification

The management security signature-verification command enters the Security Management Configuration Mode and apply a named SSL profile that dictates the policies for verifying the integrity of the system files related to secure TLS/SSL communications.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

Security Management Configuration

Command Syntax

management security signature-verification extension ssl profile profile_name

[no | default] management security signature-verification

Parameters

signature-verification - Configure verifying signatures of files.
extension - Specifies that the policy applies specifically to SWIX signatures.
ssl - Specifying using SSL to verify the signatures.
profile profile_name - Specify an SSL profile name to use for verification. It must contain a trusted root or intermediate CA certificate corresponding to the private key used by the software vendor.

Example

Use the following commands to verify SWIX signatures using the SSL profile, swix_ca:

switch(config)# management security
switch(config-mgmt-security)# signature-verification extension ssl profile swix_ca
switch(config-mgmt-security)#

management security ssl

The management security ssl command enters the SSL Security Management Configuration mode to configure and manage the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) parameters for all secure management services on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Global Configuration

SSL Security Management Configuration

Command Syntax

management security ssl [monitor expiry time [days | hours] [log interval time [days | hours]]

management security ssl [profile profile_name [certificate cert_name [auto-certificate cert_name] [common-name [key key_name] [username regexp regex]] [local cert_name key cert_name] [policy [expiry-date ignore] [key key_name]] [requirement extended-key-usage [hostname match] [key key_name]] [chain [certificate cert_name] [local cert_name] [policy [expiry-date ignore]] [requirement [basic-constraint ca true] [include root-ca]] [cipher [v1.0 cipher_list] [v1.3 cipher_list] [diffie-hellman parameters [ffdhe2048 | ffdhe3072 | ffdhe4096 | generated]] [dtls version [1.0 | 1.2 | add | remove]] [fips restrictions] [key-establishment-group group_names] [peer certificate [format ip-address exact] [requirement [hostname match subject-alternative-name [common-name]]] [revocation [crl [name crl_name] [policy expiry-date ignore]] [ocsp profile profile_name]] [signature algorithm alg_list] [tls versions [1.0 | 1.1 | 1.2 | 1.3 | add | remove]] [trust [certificate cert_name] [policy expiry-date ignore]] [requirement [basic-constraint ca true] [hostname fqdn]] [system]

[no | default] management security ssl monitor

[no | default] management security ssl profile

Parameters

ssl monitor - Configure monitoring options for all certificates.
- expiry - Log SSL monitoring warnings for certificates approaching an expiration date.
- time [days | hours] - Configure the amount of time prior to certificate expiration from 1 to 999 in days or hours.
- log interval - Configure logging intervals for sending logs to the syslog server.
- time [days | hours] - Configure the length of time between send log messages from 1 to 999 in days or hours.
ssl profile profile_name - Configure an SSL profile for SSL Security Management.
- certificate - Configure a certificate for self-authentication.
  - cert_name - Specify the name of the certificate.
  - auto-certificate profile_name - Specify the name of an auto-certificate profile.
  - common-name
    - key key_name - Configure the key matching the certificate.
    - username regex regex - Configure the REGEX to extract the username.
  - local cert_name - Configure a local certificate name.
    - key key_name - Configure a key matching the local certificate.
  - policy - Configure the policy for the certificate.
    - expiry-date ignore - Ignore the expiration date of the certificate.
    - key key_name - Configure a key matching the certificate.
  - requirement - Add a check to validate the certificate.
    - extended-key-usage - Configure extended key usage for the certificate.
    - hostname match - Specify to verify and match the hostname for the certificate.
    - key key_name - Configure a key matching the certificate.
- chain - Configured chained certificates.
  - certificate cert_name - Specify a certificate name.
  - local cert_name - Configure a local certificate name.
  - policy - Configure the policy for the certificate.
    - expiry-date ignore - Ignore the expiration date of the certificate.
  - requirement - Add a check to validate the certificate.
    - extended-key-usage - Configure extended key usage for the certificate.
    - hostname match - Specify to verify and match the hostname for the certificate.
- cipher - Configure TLS ciphers.
  - v1.0 cipher_list - Specify the cipher lists, separated by a colon, for TLS versions 1.0, 1.1, and 1.2.
  - v1.3 cipher_list - Specify the cipher lists, separated by a colon, for TLS versions 1.3.
- diffie-hellman parameters - Configure Diffie-Hellman parameters:
  - ffdhe2048 - Specify from RFC7919.
  - ffdhe3072 - Specify from RFC7919.
  - ffdhe4096 - Specify from RFC7919.
  - generated - Specify 2048-bit parameters generated by the switch.
- dtls version - Configure Datagram Transport Layer Security (DTLS) settings:
  - 1.0 - Specify DTLS version 1.0.
  - 1.2 - Specify DTLS version 1.2.
  - add - Add versions to the list.
  - remove - Remove versions from the list.
- fips restrictions - Configure FIPS restrictions.
- key-establishment-group group_names - Configure TLS 1.3 key establishment groups using canonical names recognized by the TLS standards.
- peer certificate - Configure peer-related certificate options:
  - format ip-address exact - Specify the format rules for IP addresses to reject wildcards in the IP address.
  - requirement hostname match subject-alternative-name [common-name] - Specify a check for certificate validity to include hostname matching for the common name.
- revocation - Configure checking of the revocation status for certificates.
  - crl name crl_name - Specify the name of the Certificate Revocation List (CRL).
    - policy expiry-date ignore - Configure the policy to ignore certificate expiration dates.
  - ocsp profile profile_name - Specify the name of the Online Certificate Status Protocol (OCSP) profile.
- signature algorithm alg_list - Specify the TLS signature algorithm list.
- tls - Configure TLS settings.
  - versions - Specify the TLS version:
    - 1.0
    - 1.1
    - 1.2
    - 1.3
    - add - Add versions to the list.
    - remove - Remove versions from the list.
- trust - Configure a trusted certificate.
  - certificate cert_name - Specify the name of a certificate.
  - policy expiry-date ignore - Configure the policy to ignore expiration dates.
  - requirement - Add a check to validate the certificate.
    - basic-constraint ca true - Configure the Certificate Authority attribute to true and allow the CA to sign and issue other certificates in the trust chain This certificate is the trust anchor or an intermediate authority.
    - hostname fqdn - Specify that the hostname must be a fully qualified domain name without wildcards.
  - system - Specify using a system-supplied trust certificate.

Example

Use the following commands to set the SSL monitoring of certificates to log warning for certificate expiration to 10 days and log the warning to syslog every 8 hours:

switch(config)# management security
switch(config-mgmt-security)# ssl monitor expiry 10 days log interval 8 hours
switch(config-mgmt-security)#

management ssh

The management ssh command places the switch in SSH Management Configuration Mode to adjust SSH session connection parameters.

The no management ssh and default management ssh commands delete the SSH Management Configuration Mode statements from running-config.

The mgmt-ssh configuration mode does not provide a group change mode. The running-config changes immediately upon entering commands. Exiting the SSH Management Configuration Mode does not affect running-config. The exit command returns the switch to Global Configuration Mode.

Command Mode

Global Configuration

Command Syntax

management ssh

no management ssh

default management ssh

Parameters

authentication - Change authentication settings.
authorized-principals - Configure the authorized principals settings.
cipher - Configure an exclusive list of cryptographic ciphers for SSH.
client-alive - Set SSH ClientAlive options.
compression - Configure SSH compression algorithms.
connection - Configure settings for SSH connections.
fips restrictions - Configure FIPS settings.
hostkey - Set SSH hostkey related options.
idle-timeout - Set idle session timeout (minutes).
ip access group - Set the SSH IPv4 configuration.
ipv6 access group - Set the SSH IPv6 configuration.
key-exchange - Configure an exclusive list of key-exchange methods for SSH.
log-level - Configure SSH daemon logging level.
logging - Configure SSH system logging.
login timeout - Configure options related to logging into SSH.
mac hmac - Exclusive list of MAC algorithms for SSH.
qos - Configure QoS parameters.
rekey - Configure the length of time before rekeying SSH connections.
server-port - Change the server port.
shutdown - Disable SSH on the switch.
trusted-ca - Configure a trusted certficate.
user-keys - Configure SSH user key settings.
username - Configure SSH user-specific settings.
verify - Configure option for SSH verification.
vrf - Configure the VRF to use for SSH.

Examples

This command places the switch in SSH Management Configuration Mode:
```
switch(config)# management ssh
switch(config-mgmt-ssh)#
```
This command returns the switch to Global Configuration Mode:
```
switch(config-mgmt-ssh)# exit
switch(config)#
```

management telnet

The management telnet command places the switch in Telnet Management Configuration Mode to adjust Telnet session connection parameters.

The no management telnet and default management telnet commands delete the Telnet ManagementConfiguration Mode statements from running-config.

The Telnet Management Configuration Mode does not provide a group change mode. The running-config changes immediately upon entering commands. Exiting the Telnet Management Configuration Mode does not affect the running-config. The exit command returns the switch to Global Configuration Mode.

Command Mode

Global Configuration

Command Syntax

management telnet

no management telnet

default management telnet

Examples

This command places the switch in Telnet Management Configuration Mode:
```
switch(config)# management telnet
switch(config-mgmt-telnet)#
```
This command returns the switch to Global Configuration Mode:
```
switch(config-mgmt-telnet)# exit
switch(config)#
```

protocol http (API Management)

The protocol http command enables the hypertext transfer protocol (HTTP) server.

The no protocol http and default protocol http commands disable the HTTP server by removing the protocol http statement from running-config.

Command Mode

Mgmt-API Configuration

Command Syntax

protocol http [TCP_PORT]

no protocol http

default protocol http

Parameters

TCP_PORT Port number used for the HTTP server. Options include:
- no parameter Specifies default port number 80.
- port 1 to 65535 Specifies HTTP server port number. The value ranges from 1 to 65535.
localhost The name of the server bound on the localhost.
port The number of the TCP port to serve on.

Related Commands

management api http-commands places the switch in mgmt-api configuration mode.

Example

These commands enables the management API for the HTTP server.

switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)#

protocol https (API Management)

The protocol https command enables the HTTP secure server. The HTTP secure server is active by default.

The default protocol https command restores the default setting by removing the no protocol https statement from running-config. The no protocol https command disables the HTTP secure server.

Command Mode

API Management Configuration

Command Syntax

protocol https [TCP_PORT]

no protocol https

default protocol https

Parameters

TCP_PORT - Port number used for the HTTPS server. Options include:
- no parameter - Specifies default port number 443.
- port 1 to 65535 - Specifies HTTP server port number. The value ranges from 1 to 65535.
certificate - The HTTPS key and certificate to use for the switch.
cipher - Exclusive list of cryptographic ciphers.
key-exchange - Exclusive list of key-exchange algorithms.
mac - Exclusive list of MAC algorithms.
port - The TCP port number to serve on.
ssl - Configure SSL options.

Related Commands

management api http-commands places the switch in API Management Configuration Mode.

Examples

These commands enables service to the HTTP server. The no shutdown command allows access to the service.

switch(config)# management api http-commands 
switch(config-mgmt-api-http-cmds)# protocol https
switch(config-mgmt-api-http-cmds)# no shutdown

These commands specify the port number used for the HTTPS server. The no shutdown command allows access to the service.

switch(config)# management api http-commands 
switch(config-mgmt-api-http-cmds)# protocol https port 52
switch(config-mgmt-api-http-cmds)# no shutdown

protocol https certificate (API Management)

The protocol https certificate command configures the HTTP secure server to request an X.509 certificate from the client. The client then authenticates the certificate with a public key.

The no protocol https certificate and default protocol https certificate commands restore default behavior by removing the protocol https certificate statement from running-config.

Command Mode

API Management Configuration

Command Syntax

protocol https certificate

no protocol https certificate

default protocol https certificate

Related Command

management api http-commands places the switch in API Management Configuration Mode.

Example

These commands configure the HTTP secure server to request an X.509 certificate from the client for authentication.

switch(config)# management api http-commands 
switch(config-mgmt-api-http-cmds)# protocol https certificate
switch(config-mgmt-api-http-cmds)#

reset system storage secure

Use the reset system storage secure command to trigger the secure erase mechanism. Secure erase is a command that deliberately, permanently, and irreversibly removes and destroys the data stored on a storage device, rendering that data unrecoverable.

Command Mode

EXEC

Command Syntax

reset system storage secure

Examples

To trigger the secure erase mechanism, use the reset system storage secure command.

switch# reset system storage secure
WARNING! This will destroy all
data and will NOT be recoverable.
Device will reboot into Aboot, and
execution may take up to one hour.
Would you like to proceed? [y/N]

If a particular platform does not support the reset system storage secure command , the following message appear:
```
switch#reset system storage secure
% Unavailable command (not supported on this hardware platform)
```

show inventory

The show inventory command displays the hardware components installed in the switch. Each component has a serial number and a description.

Command Mode

EXEC

Command Syntax

show inventory

Example

This command displays the hardware installed in a DCS-7150S-52 switch.

switch> show inventory
System information
  Model                    Description
  ------------------------ ----------------------------------
  DCS-7150S-52-CL          52-port SFP+ 10GigE 1RU + Clock

  HW Version  Serial Number  Mfg Date
  ----------- -------------- ----------
  02.00       JPE13120702    2013-03-27

System has 2 power supply slots
  Slot Model            Serial Number
  ---- ---------------- ----------------
  1    PWR-460AC-F      K192KU00241CZ
  2    PWR-460AC-F      K192L200751CZ

System has 4 fan modules
  Module  Number of Fans  Model            Serial Number
  ------- --------------- ---------------- ----------------
  1       1               FAN-7000-F       N/A
  2       1               FAN-7000-F       N/A
  3       1               FAN-7000-F       N/A
  4       1               FAN-7000-F       N/A

System has 53 ports
  Type             Count
  ---------------- ----
  Management       1
  Switched         52

System has 52 transceiver slots
  Port Manufacturer     Model            Serial Number    Rev
  ---- ---------------- ---------------- ---------------- ----
  1    Arista Networks  SFP-10G-SR       XCW1225FD753     0002
  2    Arista Networks  SFP-10G-SR       XCW1225FD753     0002

  51   Arista Networks  SFP-10G-SR       XCW1225FD753     0002
  52   Arista Networks  SFP-10G-SR       XCW1225FD753     0002

switch>

shutdown (API Management)

The shutdown command disables management over API on the switch in API Management Configuration Mode. EOS disables API Management by default.

The no shutdown command enables the API managementaccess in mgmt-api configuration mode.

The default shutdown command disables the management API access in mgmt-api configuration mode.

Command Mode

Mgmt-API Configuration

Command Syntax

shutdown

no shutdown

default shutdown

Related Command

management api http-commands places the switch in mgmt-api configuration mode.

Examples

These commands disable API access to the HTTP server.

switch(config)# management api http-commands 
switch(config-mgmt-api-http-cmds)# shutdown
switch(config-mgmt-api-http-cmds)#

These commands enable API access to the HTTP server.

switch(config)# management api http-commands 
switch(config-mgmt-api-http-cmds)# no shutdown
switch(config-mgmt-api-http-cmds)#

shutdown (Telnet Management)

The shutdown command disables or enables Telnet on the switch. EOS disables by default. The management telnet command places the switch in the Telnet Management Configuration Mode.

To enable Telnet, enter no shutdown at the Telnet Management prompt.
To disable Telnet, enter shutdown at the Telnet Management prompt.

Command Mode

Telnet Management Configuration

Command Syntax

shutdown

no shutdown

Examples

These commands enable Telnet and return the switch to the Global Configuration Mode.

switch(config)# management telnet
switch(config-mgmt-telnet)# no shutdown
switch(config-mgmt-telnet)# exit
switch(config)#

This command disables Telnet.
```
switch(config-mgmt-telnet)# shutdown
```

timeout

The timeout command in the SSH, Telnet, or Console Management Configuration Mode specifies the maximum length of a management session regardless of activity during the session. It prevents sessions from remaining open indefinitely on the switch and provides a separate behavior from the parameter idle-timeout. Both timers operate independently and the timer with the shortest session time ends the session.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

Command Mode

Console Management Configuration

SSH Management Configuration

Telnet Management Configuration

Command Syntax

management [console | ssh | telnet]timeout timeout_period

[no | default] management [console | ssh | telnet] timeout

Parameters

timeout timeout_period - Configure a timeout session from 1 to 86400 minutes. Setting the timeout to 0 disables the timeout session.

Examples

Use the following commands to set the console timeout to 60 minutes.

switch(config)# management console
switch(config-mgmt-console)# timeout 60

Use the following commands to set the SSH timeout to 60 minutes.

switch(config)# management ssh
switch(config-mgmt-ssh)# timeout 60

Use the following commands to set the Telnet timeout to 60 minutes.

switch(config)# management telnet
switch(config-mgmt-telnet)# timeout 60

vrf (API Management)

The vrf command places the switch in the server's VRF configuration mode. If the named VRF does not already exist, this command creates it.

Command Mode

API Management Configuration

Command Syntax

vrf VRF_INSTANCE

Parameters

VRF_INSTANCE - Specifies the VRF instance.

default - Instance created in the default VRF.
vrf_name - Instance created in the specified user-defined VRF.

Related Command

management api http-commands places the switch in API Management Configuration.

Example

This command creates a VRF named management-vrf and places the switch in VRF configuration mode for the new VRF.

switch(config)# management api http-commands 
switch(config-mgmt-api-http-cmds)# vrf management-vrf
switch(config-mgmt-api-http-cmds-vrf-management-vrf)#

Page 15 of 17

End of Support

Setting the PTP Priority

Configuring the Source IP

Aboot Shell

Aboot Shell Operation

Accessing the Aboot Shell

Aboot File Structure

Booting From the Aboot Shell

Example

Secure Booting from Aboot

Measured Boot

Enabling or Disabling Measured Boot

Aboot Commands

Example

Aboot Configuration Commands

Installation Commands (Aboot)

CONSOLESPEED

NET Commands

install bios source

PASSWORD (ABOOT)

SWI

Switch Booting Commands

boot console

boot secret

boot system

delete startup-config

protocol

redundancy

redundancy manual switchover

reload

reload (scheduled)

securebootctl

show platform bios

show redundancy file-replication

show redundancy status

show redundancy switchover sso

show reload

show reload cause

show reload fast-boot

Connection Management

Examples

Examples

Securely Erasing a Switch Storage Device

Preparing for Secure Erase

Performing Secure Erase

Examples

Configuration Sessions Overview

Configuration Session

Replacing the Configuration

Configuration CLI

Recovery Procedures

Removing the Enable Password from the Startup Configuration

Reverting the Switch to the Factory Default Startup Configuration

Restoring the Factory Default EOS Image and Startup Configuration

USB Support for ZeroTouch Provisioning

USB Deployment

Configuration

Advantages of USB ZTP

Restoring the Configuration and Image from a USB Flash Drive

Session Management Commands

Global Configuration Commands

Management Configuration Commands

Display Commands

commit timer

configure replace

configure session

idle-timeout (Console Management)

idle-timeout (SSH Management)

idle-timeout (Telnet Management)

management accounts

management api eos-sdk-rpc

management api external-services

management api gnmi

management api gnsi

management api gribi

management api http-commands

management api models

management api netconf

management api restconf

management archive