Session Management Commands

Global configuration Commands

Service configuration Commands

Management configuration Commands

Display Commands

authentication x509

The authentication x509 command in the SSH Management Authentication x509 configuration Mode configures x509 certificates for the SSH connection.

The no version of the command disables the configuration and removes it from the running-config.

 

Command Mode

SSH Management configuration

Authentication x509 configuration

 

Command Syntax

authentication x509 [server ssl profile profile_name] [username [domain | omit]]

no authentication x509

 

Parameters

  • authentication x509 - Configure x509 certificate authentication settings.
  • server ssl profile profile_name - Specify an SSL profile to use with the SSH connection.
  • username - Configure matching the SSH username to a presented X509 certificate Common Name and SAN.
    • domain - Configure the treatment of the domain name in a presented X509 certificate Common Name and SAN.
    • omit - Ignore the domain name in a presented X509 certificate Common Name and SAN when matching them against the logging in SSH username

 

Example

Use the following commands to allow SSH authentication match the SSH user name to a presented x509 certificate and ignore the domain presented in the certificate:

switch(config)# management ssh
switch(config-mgmt-ssh)# authentication x509
switch(config-mgmt-ssh-auth-x509)# username domain omit
switch(config-mgmt-ssh-auth-x509)#

authentication

The authentication command in the SSH Management configuration Mode configures authentication parameters for the SSH connection.

The no version of the command disables the configuration and removes it from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

authentication [empty-passwords [auto | deny | permit]] [protocol [keyboard-interactive | multi-factor | password | public-key]]

no authentication

 

Parameters

  • authentication - Configure authentication settings.
  • empty-passwords [auto | deny | permit] - Specify to permit or deny empty passwords. The configuration uses auto by default to auto-determine if allowing empty passwords or not.
  • protocol [keyboard-interactive | multi-factor | password | public-key]
    • keyboard-interactive - Enable keyboard interactive authentication.
    • multi-factor - Enable multifactor authentication methods.
    • password - Enable password authentication.
    • public-key - Enable public key authentication.

 

Example

Use the following commands to allow SSH authentication to use empty passwords:

switch(config)# management ssh
switch(config-mgmt-ssh)# authentication empty-passwords permit
switch(config-mgmt-ssh)#

authorized-principals

The authorized-principals command in the SSH Management configuration Mode allows the configuration of authorized principals for SSH. The authorized-principals mechanism defines which identities or principals within a signed certificate have permission to log in as a specific local user.

The no version of the command disables the feature and removes the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

authorized-principals command WORD ARGUMENTS

no authorized-principals command

 

Parameters

  • authorized-principals - Configure authorized-principals settings.
  • command - Configure the authorized principals command.
  • WORD - Specify the authorized principals script filename.
  • ARGUMENTS - Specify the input data to pass to the authorized principals command.

 

Example

Use the following commands to run the script, /mnt/flash/scripts/get-principals.py:

switch(config)# management ssh
switch(config-mgmt-ssh)# authorized-principals command /mnt/flash/scripts/get-principals.py
switch(config-mgmt-ssh)#

cipher

The cipher command in the SSH Management configuration Mode defines the specific symmetric encryption algorithms used for SSH sessions. During the SSH handshake, the switch and client compare lists of supported ciphers and must find a common match to establish an encrypted tunnel. If no match found, the switch rejects the connection.

The no version of the command disables the feature and removes the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

cipher algorithm

no cipher

 

Parameters

  • cipher - Add symmetric encryption algorithms.
  • algorithm - Add any of the following algorithms to the configuration:
    • 3des-cbc - Triple DES (112 bit)
    • aes128-cbc - Advanced Encryption Standard (128 bit, CBC mode)
    • aes128-ctr - Advanced Encryption Standard (128 bit, counter mode)
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Advanced Encryption Standard (128 bit, Galois/Counter mode)
    • aes192-cbc - Advanced Encryption Standard (192 bit, CBC mode)
    • aes192-ctr - Advanced Encryption Standard (192 bit, counter mode)
    • aes256-cbc - Advanced Encryption Standard (256 bit, CBC mode)
    • aes256-ctr - Advanced Encryption Standard (2562 bit, counter mode)
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Advanced Encryption Standard (256 bit, Galois/Counter mode)
    • arcfour - Arcfour stream cipher (RC4 like)
    • arcfour128 - Arcfour stream cipher (RFC 4345, 128 bit)
    • arcfour256 - Arcfour stream cipher (RFC 4345, 256 bit)
    • blowfish-cbc - Blowfish block cipher (128 bit, CBC mode)
    • cast128-cbc - CAST-128 (RFC 2144, 128 bit, CBC mode
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - ChaCha20 stream cipher and Poly1305 authenticator

 

Example

Use the following commands to add the algorithms, aes192-cbc and blowfish-cbc, to the configuration:

switch(config)# managment ssh
switch(config-mgmt-ssh)# cipher aes192-cbc blowfish-cbc
switch(config-mgmt-ssh)#

client-alive

The client-alive command in the SSH Management configuration Mode manages the SSH session persistence and timeouts. The switch proactively checks if a connected client has an active session.

The no version of the command disables the feature and removes the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

client-alive [count-max number] interval time]

no client-alive

 

Parameters

  • client-alive - Configure SSH Client Alive parameters.
  • count-max number - Specify the number of times the switch sends a keepalive request without receiving a response before considering the session dead and terminates it. The default number is 3.
  • interval time - Specify the time in seconds that the switch waits before sending a keepalive requests to the client through the encrypted channel. Use a value between 1 and 60 seconds with a default of 0. If configured as 60, the switch pings the client every minute of inactivity.

 

Example

Use the following commands to configure a maximum count of 5 and an interval of 10 seconds:

switch(config)# management ssh
switch(config-mgmt-ssh)# client-alive count-max 5 interval 10
switch(config-mgmt-ssh)#

commit timer

The commit timer command can automatically roll back changes performed during a configuration session if you haven't confirmed them within a preset time interval. This feature can prevent a user from committing configuration changes that could cause a network disruption. The no commit timer command deletes the session.

 

Command Mode

Configure Session configuration Mode

 

Command Syntax

commit timer hh:mm:ss

 

Parameters

hh:mm:ss - Specify the time interval for the commit session.

 

Example

Use the following command to create a commit timer for 01.00.00 hour:
switch(config-s-MySession)# commit timer 01:00:00
switch#

compression

The compressionin the SSH Management configuration Mode controls compressing the data stream from the SSH server before encrypting it. This optimizes bandwidth on slow or congested management links such as out-of-band serials consoles over LTE or saturated WAN links.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

compression disable

 

Parameters

  • compression - Configure SSH compression algorithms.
  • disabled - Disable SSH compression algorithms.

 

Example

Use the following commands to disable SSH compression algorithms:

switch(config)# management ssh
switch(config-mgmt-ssh)# compression disable
switch(config-mgmt-ssh)#

configure replace

The configure replace command replaces the current configuration with a new configuration from the specified source.

 

Command Mode

Privileged EXEC

 

Command Syntax

configure replace source_file_path:source_file_name [ignore-errors] [md5 md5sum] [skip-checkpoint] [vrf instance_name]

 

Parameters
  • source_file_path:source_file_name replaces the current configuration with the configuration from the specified source file.
  • boot-extensions: - Replace the current configuration with the boot extensions configuration.
  • certificate: - Replace the current configuration with the certificate configuration.
  • checkpoint: - Replace the current configuration with the checkpoint configuration.
  • clean-config: - Replace the current configuration with a clean, default configuration.
  • extension: - Replace the current extensions configuration with an extensions configuration.
  • file: - Replace the current configuration with a configuration from a file location.
  • flash: - Replace the current configuration with a configuration from a flash location.
  • ftp: - Replace the current configuration with a configuration from a FTP location.
  • http: - Replace the current configuration with a configuration from an HTTP location.
  • https: - Replace the current configuration with a configuration from an HTTPS location.
  • installed-extensions: - Replace the current configuration with the installed extensions status.
  • running-config: - Replaces the current configuration with the running configuration.
  • scp: - Replace the current configuration with a configuration from an SCP location.
  • sftp: - Replace the current configuration with a configuration from an SFTP location.
  • snapshot: - Replace the current configuration with a configuration from a snapshot.
  • ssh-auth-principals-cmd: - Retrieve a configuration from an SSH location and replace the current configuration.
  • ssh-ca-key: - Retrieve a configuration from an SSH location and replace the current configuration.
  • ssh-key: - Retrieve a configuration from an SSH location and replace the current configuration.
  • ssh-revoke-list: - Retrieve a configuration from an SSH location and replace the current configuration.
  • startup-config: - Replace the current configuration with the startup configuration.
  • system: - Retrieve a configuration from a system location and replace the current configuration.
  • terminal: - Retrieve a configuration from a terminal location and replace the current configuration.
  • tftpt: - Retrieve a configuration from a TFTP location and replace the current configuration.
  • ignore-errors - Replace the configuration and ignore errors while loading the new configuration.
  • md5 md5sum - Performs a checksum to validate data integrity with the specified MD5 hashing algorithm.
  • skip-checkpoint - Skips creating the checkpoint fileof running-config.

     

 

Example

This command replaces the current configuration state with the startup configuration.
switch(config)# configure replace start-config
! Preserving static routes. Use 'no ip routing delete-static-routes' to clear them.
switch#

configure session

The configure session command allows a series of temporary configuration changes and commits to running-config later by issuing the commit command. eos discards an uncommitted configuration session if the switch reboots and times out after 24 hours.

Note: Committing a configuration session replaces running-config with the session configuration, which consists of the running configuration at the initial session and the commands entered as part of the session. When the session commits, it overwrites any changes to running-config since the initiation.

The no configure session session_name and default configure session session_name commands delete the specified configuration session.

Command Mode

Privileged EXEC

Command Syntax

configure session [session_name] [abort | commit | [description description]]

no configure session session_name

default configure session

 

Parameter

  • session_name -Create a name for the configuration session.
  • abort - Ends the configuration sessions and deletes it.
  • commit - Commits the changes executed during the session.
  • description description - Create a description for the configuration session.

 

Guidelines

  • Creates a session with a name generated by the switch if you do not specify a session name.
  • The switch permits up to five uncommitted sessions.
  • When the switch reboots, it discards the uncommitted sessions.
  • Uncommitted sessions time out after 24 hours.

     

 

Example

This command creates a session named MySession) and adds commands. Issuing the commit command executes all commands and overwrites any configuration performed since the creation of the session.
switch(config)#configure session
switch(config-s-sess-1)#aaa authentication dot1x default group radius
switch(config-s-sess-1)#dot1x system-auth-control
switch(config-s-sess-1)#commit
switch(config-s-sess-1)#

connection

The connection command in the SSH Management configuration Mode configures session-handling and security for SSH connections.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

connection [limit number_sessions] per-host [ number_sessions]

no connection

default connection

 

Parameters

  • connection - Configure settings for SSH connections.
  • limit number_sessions - Configure the maximum number of concurrent SSH sessions.
  • per-host number_sessions - Configure the maximum number of concurrent SSH sessions from a single host.

 

Example

Use the following commands to configure a limit of 50 concurrent SSH sessions:

switch(config)# management ssh
switch(config-mgmt-ssh)# connection limit 50
switch(config-mgmt-ssh)#

fips

The fips command in the SSH Management configuration Mode configures the switch to strictly enforce FIPS 140-2/140-3 compliance for all incoming connections. When enabled, the switch disables all cryptographic algorithms not officially validated by Federal Information Processing Standards (FIPS).

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

fips restrictions

no fips restrictions

default fips restrictions

 

Parameters

  • fips - Configure FIPS settings.
  • restrictions - Enable FIPS algorithms for SSH connections.

 

Example

Use the following commands to enable FIPS algorithms for SSH connections on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# fips restrictions
switch(config-mgmt-ssh)#

 

hostkey

The hostkey command in the SSH Management configuration Mode configures the client connections and server connections host keys on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

hostkey [client strict-checking] [server [cert hostkey_filename] [ dsa | ecdsa-nistp256 | ecdsa-nistp521 | ed25519 | rsa] [ssh-key filename]

no hostkey

default hostkey

 

Parameters

  • hostkey - Configure host key settings.
  • restrictions - Enable FIPS algorithms for SSH connections.
  • client strict-checking - Enforce strict host key checking for SSH clients.
  • server - Configure the switch SSH host key settings:
    • cert hostkey_filename - Specify the certificate filename for SSH on the host.
    • dsa - Specify a Digital Signature Algorithm.
    • ecdsa-nistp256 - Specify the Elliptic Curve Digital Signature Algorithm NIST-P256.
    • ecdsa-nistp521 - Specify the Elliptic Curve Digital Signature Algorithm NIST-P521.
    • ed25519 - Specify the Edwards-curve Digital Signature Algorithm 2551.
    • rsa - Specify the RSA Encryption Algorithm.
    • ssh-key: filename - Specify the SSH private key file name.

 

Example

Use the following commands to enable the client strict host key checking for SSH connections on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# hostkey client strict-checking
switch(config-mgmt-ssh)#

 

idle-timeout (Console Management)

The idle-timeout (Console Management) command configures the idle-timeout period for console connection sessions, and optionally, configure a warning to indicate the end of a session. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. By default, setting the idle timeout to zero disables the connection timeout automatically.

The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.

 

Command Mode

ManagementConsole configuration

 

Command Syntax

idle-timeout idle_period

no idle-timeout

default idle-timeout

 

Parameters

idle_period session idle-timeout length. Options include:
  • 0 to 86400 - Configures the automatic timeout period in minutes. Setting the timer to 0 disables the idle-timeout.

 

Examples
  • These commands configure a console idle-timeout period of three hours, then return the switch to global configuration mode.
    switch(config)# management console
    switch(config-mgmt-console)# idle-timeout 180
    switch(config-mgmt-console)# exit
    switch(config)#
  • These commands disable automatic connection timeout.
    switch(config)# management console
    switch(config-mgmt-console)# idle-timeout 0
    switch(config-mgmt-console)#

idle-timeout (SSH Management)

The idle-timeout (SSH Management) command configures the idle-timeout period for SSH connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. Setting the idle timeout to zero disables the connection timeout automatically.

The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.

 

Command Mode

Management SSH configuration

 

Command Syntax

idle-timeout idle_period

no idle-timeout

default idle-timeout

 

Parameters

idle_period session idle-timeout length. Options include the following:
  • 0 - Disables the automatic connection timeout.
  • 1 to 86400 - Configures the automatic timeout period in minutes.

 

Examples
  • These commands configure an SSH idle-timeout period of three hours, then return the switch to global configuration mode.
    switch(config)# management ssh
    switch(config-mgmt-ssh)# idle-timeout 180
    switch(config-mgmt-ssh)# exit
    switch(config)#
  • These commands disable automatic connection timeout.
    switch(config)# management ssh
    switch(config-mgmt-ssh)# idle-timeout 0
    switch(config-mgmt-ssh)#

idle-timeout (Telnet Management)

The idle-timeout (Telnet Management) command in the Telenet Management configuration Mode configures the idle-timeout period for Telnet connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. Setting the idle timeout to zero disables the connection timeout automatically.

The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.

 

Command Mode

ManagementTelnet

 

Command Syntax

idle-timeout idle_period

no idle-timeout

default idle-timeout

 

Parameters

idle_period session idle-timeout length. Options include:
  • 0 - Disables the automatic connection timeout.
  • 1 to 86400 - Configures the automatic timeout period in minutes.

 

Examples
  • These commands configure a Telnet idle-timeout period of three hours, then return the switch to global configuration mode.
    switch(config)# management telnet
    switch(config-mgmt-telnet)# idle-timeout 180
    switch(config-mgmt-telnet)# exit
    switch(config)#
  • These commands disable automatic connection timeout.
    switch(config)# management telnet
    switch(config-mgmt-telnet)# idle-timeout 0
    switch(config-mgmt-telnet)#

ip

The ip command in the SSH or Telnet Management configuration Mode configures the IPv4 access group parameters for an SSH or Telnet session.

The [no | default] versions of the command disables the configuration and removes it from the running-config.

 

Command Mode

SSH Management configuration

Telnet Management configuration

 

Command Syntax

ip access-group list_name in [vrf vrf_name]

no access-group list_name

default access-group list_name

 

Parameters

  • access-group list_name - Specify a name for the IPv4 access control list.
  • in - Apply the access control list to inbound packets.
  • vrf vrf_name - Specify the VRF to apply the IP access group list. If not specified, the configuration applies to the default VRF.

 

Example

Use the following commands to apply the IPv6 access group list, MyAGL, to inbound packets on VRF, bluengreen, Telnet management sessions:

switch(config)# management telnet
switch(config-mgmt-telnet)# ip access-group MyAGL in vrf bluengreen
switch(config-mgmt-telnet)#

ipv6

The ipv6 command in the SSH or Telnet Management configuration Mode configures the IPv6 access group parameters for an SSH or Telnet session.

The [no | default] versions of the command disables the configuration and removes it from the running-config.

 

Command Mode

SSH Management configuration

Telnet Management configuration

 

Command Syntax

ipv6 access-group list_name in [vrf vrf_name]

no access-group list_name

default access-group list_name

 

Parameters

  • access-group list_name - Specify a name for the IPv6 access control list.
  • in - Apply the access control list to inbound packets.
  • vrf vrf_name - Specify the VRF to apply the IP access group list. If not specified, the configuration applies to the default VRF.

 

Example

Use the following commands to apply the IPv6 access group list, MyAGL, to inbound packets on VRF, bluengreen, Telnet management sessions:

switch(config)# management telnet
            switch(config-mgmt-telnet)# ipv6 access-group MyAGL in vrf bluengreen
            switch(config-mgmt-telnet)#

key-exchange

The key-exchange command in the SSH Management configuration Mode specifies the mathematical algorithms used by the switch to securely negotiate a shared session key with an SSH peer. The command applies to client and server connections.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

key-exchange [This email address is being protected from spambots. You need JavaScript enabled to view it. | diffie-hellman-group-exchange-sha1 | diffie-hellman-group-exchange-sha256 | diffie-hellman-group1-sha1 | diffie-hellman-group14-sha | diffie-hellman-group14-sha256 | diffie-hellman-group16-sha512 | diffie-hellman-group18-sha512 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 | gss-curve25519-sha256- |gss-gex-sha1- | gss-group1-sha1- | gss-group14-sha1- | gss-group14-sha256- | gss-group16-sha512- | gss-nistp256-sha256- | mlkem768x25519-sha25 | sntrup761x25519-sha512 | This email address is being protected from spambots. You need JavaScript enabled to view it.]

no key-exchange

default key-exchange

 

Parameters

  • key-exchange -Select algorithms from the following list:
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Elliptic Curve 255519 with SHA-256 algorithm.
    • diffie-hellman-group-exchange-sha1 - Specify the Negotiated Group Exchange with SHA-1 algorithm.
    • diffie-hellman-group-exchange-sha256 - Specify the Negotiated Group Exchange with SHA-256 algorithm.
    • diffie-hellman-group1-sha1 - Specify the Oakley Group 2 with SHA-1 algorithm.
    • diffie-hellman-group14-sha - Specify the Oakley Group 14 with SHA-1 algorithm.
    • diffie-hellman-group14-sha256 - Specify the Oakley Group 14 with SHA-256 algorithm.
    • diffie-hellman-group16-sha512 - Specify the Oakley Group 16 with SHA-512 algorithm.
    • diffie-hellman-group18-sha512 - Specify the Oakley Group 18 with SHA-512 algorithm.
    • ecdh-sha2-nistp256 - Specify the Elliptic Curve NIST P256 algorithm.
    • ecdh-sha2-nistp384 - Specify the Elliptic Curve NIST P384 algorithm.
    • ecdh-sha2-nistp521 - Specify the Elliptic Curve NIST P521 algorithm.
    • gss-curve25519-sha256-Generic Security Service ECDH over Curve25519 with SHA-256 algorithm
    • gss-gex-sha1- - Specify the Generic Security Service DH with SHA-1 algorithm.
    • gss-group1-sha1- - Specify the Generic Security Service DH using Oakley Group 2 with SHA-1 algorithm.
    • gss-group14-sha1- - Specify the Generic Security Service DH using Oakley Group 14 with SHA-1 algorithm.
    • gss-group14-sha256- - Specify the Generic Security Service DH using Oakley Group 14 with SHA-256 algorithm.
    • gss-group16-sha512- - Specify the Generic Security Service DH using Oakley Group 16 with SHA-256 algorithm.
    • gss-nistp256-sha256- - Specify the Generic Security Service ECDH over NIST P256 with SHA-256 algorithm.
    • mlkem768x25519-sha25 - Specify the Hybrid Module Lattice mlkem768 and X25519 with SHA-256 algorithm.
    • sntrup761x25519-sha512 - Specify the Hybrid Streamlined NTRU Prime sntrup761 and X25519 with SHA-512 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Hybrid Streamlined NTRU Prime sntrup761 and X25519 with SHA-512 algorithm.

 

Example

Use the following commands to select the algorithm, ecdh-sha2-nistp256, for key exchange for SSH connections on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# key-exchange ecdh-sha2-nistp256
switch(config-mgmt-ssh)#

 

log-level

The log-level command in the SSH Management configuration Mode defines the verbosity of the SSH service messages sent to the system logs.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

log-level [debug | debug1 | debug2 | debug3 | error | fatal | info | quiet | verbose]

no log-level

default default

 

Parameters

  • log-level - Select from the following list to add a log-level to the SSH service messages:
    • [debug | debug1 | debug2 | debug3] - Progressively detailed troubleshooting logs. debug3 logs sensitive information and should only be used during active troubleshooting sessions.
    • error - Log significant errors that prevent a command or session from proceeding normally.
    • fatal - Log only fatal errors that cause the SSH session or process to crash.
    • info - Log standard events such as logins, logouts, and standard operational events. (Default)
    • quiet - No logging for the SSH service.
    • verbose - Logs detailed information about authentication and connection progress.

 

Example

Use the following commands to set the log level for SSH connections on the switch to error:

switch(config)# management ssh
switch(config-mgmt-ssh)# log-level error
switch(config-mgmt-ssh)#

 

logging

The logging command in the SSH Management configuration Mode directs SSH service log events to the eos system logging facility (syslog).

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

logging target system

no logging

default logging

 

Parameters

  • logging - Configure logging for the SSH service.
  • target - Specify the target for the SSH/SSHD service logs.
  • system - Set the target destination for the SSH log messages to the system log buffer.

 

Example

Use the following commands to set the log messages destination to the syslogs on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# logging target system
switch(config-mgmt-ssh)#

 

login

The login command in the Console, SSH, or Telnet Management configuration Mode allows the configuration of login parameters for the sessions.

The [no | default] versions of the command disables the configuration and removes it from the running-config.

 

Command Mode

Console Management configuration

SSH Management configuration

Telnet Management configuration

 

Command Syntax

login user match-list list_name [invert-result]

no login user match-list list_name

default login user match-list list_name

 

Parameters

  • login user match-list list_name - Specify a list of users to match.
  • [invert-result] - Invert the match list results.

 

Example

Use the following commands to match the user list, MyUsers, for a console management session:

switch(config)# managment console
switch(config-mgmt-console)# login user match-list MyUsers
switch(config-mgmt-console)#

mac

The mac command in the SSH Management configuration Mode specifies the algorithms the switch uses to verify the data integrity of SSH packets, ensuring that traffic has not been tampered with in transit.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

mac [hmac-md5-96 | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | hmac-ripemd160 | hmac-sha1 | hmac-sha1-96 | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | hmac-sha2-256 | This email address is being protected from spambots. You need JavaScript enabled to view it. | hmac-sha2-512 | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it.]

no mac

default mac

 

Parameters

  • mac - Specify algorithms from the following list.
    • hmac-md5-96 - Specify the Hash Message Authentication Code MD5 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Hash Message Authentication Code MD5 for use in ESP and AH algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC MD5-96 algorithm.
    • hmac-ripemd160 - Specify the Hash Message Authentication Code RIPEMD-160 algorithm.
    • hmac-sha1 - Specify the Hash Message Authentication Code SHA-1 algorithm.
    • hmac-sha1-96 - Specify the Hash Message Authentication Code SHA-1 for use in ESP and AH algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC SHA1-96 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC SHA1 algorithm.
    • hmac-sha2-256 - Specify the Encrypt-Then-Mac HMAC SHA1 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Elliptic Curve NIST P384 algorithm.
    • hmac-sha2-512 - Specify the Hash Message Authentication Code SHA2-512 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC SHA2-512 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC UMAC-128 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Hash Message Authentication Code UMAC-128 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC UMAC-64 algorithm.
    • This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC UMAC-646 algorithm.

 

Example

Use the following commands to add the MAC algorithm, hmac-sha2-256, on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# mac hmac-sha2-256
switch(config-mgmt-ssh)#

 

management accounts

The management accounts command enters the Accounts Management configuration Mode and allows the creation of user accounts on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Accounts Management configuration

 

Command Syntax

management accounts

[no | default] management accounts

 

Parameters

  • management accounts - Enters Accounts Management configuration Mode.
    • account - Enters the Account configuration Mode after adding a user name.
      • session limit value - Add the number of allowed sessions from 1 to 100 per user.
    • password policy policy_name - Configure password policies.
    • session default-limit value - Configure the maximum number of remote sessions per user.

 

Example

Use the following commands to enter Accounts Management configuration Mode and add a user tech_support1 with a session limit of 10:

switch(config)# management accounts
switch(config-mgmt-accounts)# account tech_support1
switch(config-mgmt-acct-tech_support1)# session limit 10

 

management api eos-sdk-rpc

The management api eos-sdk-rpc command places the switch in eos SDK RPC API Management configuration Mode.

The no management api eos-sdk-rpc and default management api eos-sdk-rpc commands delete the eos SDK RPC API Management configuration statements from running-config.

eos SDK RPC API management configuration mode does not invoke a group change mode. The running-config changes immediately upon entering commands. Exiting the eos SDK RPC API Management configuration Mode does not affect the running-config. The exit command returns the switch to Global configuration Mode.

Command Mode

Global configuration

 

Command Syntax

management api eos-sdk-rpc

no management api eos-sdk-rpc

default management api eos-sdk-rpc

 

Commands Available in eos SDK RPC API configuration Mode
  • transport (eos SDK RPC API Management)

 

Examples
  • This command places the switch in eos SDK RPC API management configuration mode.
    switch(config)# management api eos-sdk-rpc
    switch(config-mgmt-api-eos-sdk-rpc)#
  • This command returns the switch to global management mode.
    switch(config-mgmt-api-eos-sdk-rpc)# exit
    switch(config)#

management api external-services

The management api external-services command places the switch in External Services API configuration mode.

The no management api external-services and default management api external-services commands delete the mgmt-api-external-services configuration mode statements from running-config.

External Services API configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the External Services API configuration mode does not affect the running-config. The exit command returns the switch to global configuration mode.

 

Command Mode

Global configuration

 

Command Syntax

management api external-services

no management api external-services

default management api external-services

 

Commands Available in Mgmt-API configuration Mode
  • shutdown (External Services API Management)
  • vrf (External Services API Management)

 

Examples
  • This command places the switch in External Services API Management configuration mode.
    switch(config)# management api external-services
    switch(config-mgmt-api-external-services)#
  • This command returns the switch to global management mode.
    switch(config-mgmt-api-external-services)# exit
    switch(config)#

management api gnmi

The management api gnmi command places the switch in GNMI API Management configuration mode.

The no management api gnmi and default management api gnmi commands delete the mgmt-api-gnmi configuration mode statements from running-config.

GNMI API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the GNMI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

 

Command Mode

Global configuration

 

Command Syntax

management api gnmi

no management api gnmi

default management api gnmi

 

Commands Available in Mgmt-API configuration Mode
  • operation (GNMI API Management)
  • provider (GNMI API Management)
  • transport (GNMI API Management)

 

Examples
  • This command places the switch in GNMI API Management configuration mode.
    switch(config)# management api gnmi
    switch(config-mgmt-api-gnmi)#
  • This command returns the switch to global management mode.
    switch(config-mgmt-api-gnmi)# exit
    switch(config)#

management api gnsi

The management api gnsi command places the switch in GNSI API management configuration mode.

The no management api gnsi and default management api gnsi commands delete the mgmt-api-gnsi configuration mode statements from running-config.

GNSI API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the GNSI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

 

Command Mode

Global configuration

 

Command Syntax

management api gnsi

no management api gnsi

default management api gnsi

 

Commands Available in GNSI API Management configuration Mode
  • service (GNSI API Management)
  • transport (GNSI API Management)

 

Examples
  • This command places the switch in GNSI API Management configuration mode.
    switch(config)# management api gnsi
    switch(config-mgmt-api-gnsi)#
  • This command returns the switch to global management mode.
    switch(config-mgmt-api-gnsi)# exit
    switch(config)#

management api gribi

The management api gribi command places the switch in gRIBI API Management configuration mode.

The no management api gribi and default management api gribi commands delete the mgmt-api-gribi configuration mode statements from running-config.

gRIBI API Management configuration mode is not a group change mode; running-config changes immediately upon entering commands. Exiting the gRIBI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

 

Command Mode

Global configuration

 

Command Syntax

management api gribi

no management api gribi

default management api gribi

 

Commands Available in gRIBI API Management configuration Mode
  • transport (gRIBI API Management)

 

Examples
  • This command places the switch in gRIBI API Management configuration mode.
    switch(config)# management api gribi
    switch(config-mgmt-api-gribi)#
  • This command returns the switch to global management mode.
    switch(config-mgmt-api-gribi)# exit
    switch(config)#

management api http-commands

The management api http-commands command places the switch in HTTP Commands API Management configuration Mode.

The no management api http-commands and default management api http-commands commands delete the HTTP Commands API Management configuration Mode statements from running-config.

HTTP Commands API Management configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting HTTP Commands API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

 

Command Mode

Global configuration

 

Command Syntax

management api http-commands

no management api http-commands

default management api http-commands

 

Commands Available in HTTP Commands API Management configuration Mode

 

Examples
  • This command places the switch in HTTP Commands API Management configuration Mode.
    switch(config)# management api http-commands
    switch(config-mgmt-api-http-cmds)#
  • This command returns the switch to Global configuration Mode.
    switch(config-mgmt-api-http-cmds)# exit
    switch(config)#

management api models

The management api models command places the switch in Models API Management configuration mode.

The no management api models and default management api models commands delete the Models API Management configuration statements from running-config.

Models API Management configuration mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting Models API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

 

Command Mode

Global configuration

 

Command Syntax

management api models

no management api models

default management api models

 

Commands Available in Models API Management configuration Mode
  • models (Models API Management)
  • modules (Models API Management)
  • provider (Models API Management)

 

Examples
  • This command places the switch in Models API Management configuration mode.
    switch(config)# management api models
    switch(config-mgmt-api-models)#
  • This command returns the switch to global management mode.
    switch(config-mgmt-api-models)# exit
    switch(config)#

management api netconf

The management api netconf command places the switch in Netconf API Management configuration mode.

The no management api netconf and default management api netconf commands delete the mgmt-api-netconf configuration mode statements from running-config.

Netconf API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Netconf API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

 

Command Mode

Global configuration

 

Command Syntax

management api netconf

no management api netconf

default management api netconf

 

Commands Available in Netconf API Management configuration Mode
  • transport (Netconf API Management)

 

Examples
  • This command places the switch in Netconf API Management configuration mode.
    switch(config)# management api netconf
    switch(config-mgmt-api-netconf)#
  • This command returns the switch to global management mode.
    switch(config-mgmt-api-netconf)# exit
    switch(config)#

management api restconf

The management api restconf command places the switch in Restconf API Management configuration mode.

The no management api restconf and default management api restconf commands delete the mgmt-api-restconf configuration mode statements from running-config.

Restconf API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Restconf API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

 

Command Mode

Global configuration

 

Command Syntax

management api restconf

no management api restconf

default management api restconf

 

Commands Available in Restconf API Management configuration Mode
  • transport (Restconf API Management)

 

Examples
  • This command places the switch in Restconf API Management configuration mode.
    switch(config)# management api restconf
    switch(config-mgmt-api-restconf)#
  • This command returns the switch to global management mode.
    switch(config-mgmt-api-restconf)# exit
    switch(config)#

management archive

The management archive command enters the Archive Management configuration Mode and allows you to manage log archives and archive space.

 

Command Mode

Global configuration

Archive Management configuration

 

Command Syntax

management archive [destination flash:] [quotapct percentage] shutdown

 

Parameters

  • management archive - Enters the Archive Management configuration Mode.
  • destination flash: - Configure a destination for the archive files.
  • quotapct percentage - Set the quota percentage value from 0 to 100.
  • shutdown - Disables log archiving on the switch.

 

Example

Use the following commands to configure the quota percentage as 50:

switch(config)# management archive
switch(config-mgmt-archive)# quotapct 50
switch(config-mgmt-archive)#

 

management cli

The management cli command places the switch in CLI Management configuration Mode and allows you to configure command line options.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

CLI Management configuration

 

Command Syntax

management cli command deprecated log

[no | default] management cli command deprecated log

 

Parameters

  • management cli - Enters the CLI Management configuration Mode.
  • command - Configure command options.
  • deprecated - Configure the CLI behavior for deprecated commands.
  • log - Create a syslog message when executing a deprecated command.

 

Example

Use the following commands to create a syslog message when executing a deprecated command:

switch(config)# management cli
switch(config-mgmt-cli)# command deprecated log
switch(config-mgmt-cli)#

 

management client

The management client command enters the Client Management configuration Mode and configures remote applications or scripts that utilize the switch powerful eAPI (eos API) to programmatically send configuration and show commands.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Client Management configuration

 

Command Syntax

management client api gnmi [group group_name member server_name] [server server_name]

[no | default] management client api gnmi

 

Parameters

  • management client api gnmi - Configures the switch as a gNMI client.
  • group group_name - Configure gNMI server group definitions.
  • member server_name - Add a gNMI server to the group.
  • server server_name - Add a gNMI server to the configuration.

 

Example

Use the following commands to add the group, gnmi_group, and the member, gnmi_server1 to the client configuration:

switch(config)# management client api gnmi
switch(config-mgmt-client-api-gnmi)# group gnmi_group member gnmi_server1
switch(config-mgmt-client-api-gnmi)#

 

management console

The management console command places the switch in Console Management configuration Mode to adjust the idle-timeout period for console connection sessions. The idle-timeout period determines the inactivity interval that terminates a connection session.

The no management console and default management console commands delete the Console Management configuration Mode statements from running-config.

The Console Management configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting the Console Management configuration Mode does not affect running-config. The exit command returns the switch to Global configuration Mode.

 

Command Mode

Global configuration

 

Command Syntax

management console [idle-timeout minutes] [login prompt hostname fqdn] timeout minutes warningminutes]

no management console

default management console

 

Parameters

  • idle-timeout minutes - Configure the time a login can be idle before timing out on the switch.
  • login - Configure options related to logging into the switch.
    • prompt hostname fqdn - Configure the login prompt to use the hostname.
  • timeout minutes warningminutes - Configure the session timeout from 0 to 86400 minutes and generate a warning message about the impending timeout. The warning value must be less than the configured timeout value.

 

Examples
  • The following command places the switch into Console Management configuration Mode:
    switch(config)# management console
    switch(config-mgmt-console)#
  • This command returns the switch to Global Management Mode:
    switch(config-mgmt-console)# exit
    switch(config)#

management data source

The management data source command enters the Data Source Management configuration Mode and allows defining the rules and actions taken on specific data streams.

 

Command Mode

Global configuration

Data Source Management configuration

 

Command Syntax

management data source [disable] [sensor sensor_name [disabled | ip address ip_address port port] [traffic-policies [disabled] [field-set [ipv4 prefix source_name] [ [ipv6 prefix source_name] [ service source_name]]

 

Parameters

  • management data source - Enters the Data Source configuration Mode.
  • disable - Disable the management data source.
  • sensor sensor_name - Specify the name of a sensor.
    • disabled - Disable the sensor.
    • ip address ip_address - Specify the IPv4 or IPv6 address of the sensor.
    • port port - Specify the port.
  • traffic-policies - Configure traffic policies to apply to the data source.
  • disabled - Disable traffic policies on the switch.
  • field-set - Configure field sets to use with the traffic policies.
    • ipv4 prefix source_name - Specify the IPv4 prefix and source name.
    • ipv6 prefix source_name - Specify the IPv6 prefix and source name.
    • service source_name - Specify the service and source name.

 

Example

Use the following commands to configure a sensor, sensor_db, with the IPv4 address, 192.168.92.157, and port 443:

switch(config)# managment data source
switch(config-mgmt-ds)# sensor sensor_db
switch(config-mgmt-ds-sensor-sensor_db)# ip 192.168.96.157 port 443
switch(config-mgmt-ds-sensor-sensor_db)#

 

management defaults

The management defaults command enters the Defaults Management configuration Mode and configures storing secrets on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Defaults Management configuration

 

Command Syntax

management defaults secret hash [md5 | scrypt | sha-512 | yescrypt]

[no | default] management defaults

 

Parameters

  • management defaults - Enters the Defaults Management configuration Mode.
  • secret - Configure storing secrets.
  • hash- Specify a hash algorithm to use for secrets.
    • md5 - Specify Message-Digest Algorithm 5.
    • scrypt - Specify scrypt, a password-based key derivation function (KDF) designed specifically to make brute-force attacks against hashed passwords significantly harder, even when attackers use specialized hardware like GPUs or FPGAs.
    • sha-512 - Specify SHA-512 a cryptographic hash function that is part of the SHA-2 family, standardized by NIST (National Institute of Standards and Technology). It is a highly secure and widely used algorithm for ensuring data integrity and securing digital operations.
    • yescrypt - Specify yescrypt, a modern, highly secure password-based key derivation function (KDF) designed as a successor and alternative to functions like PBKDF2, scrypt, and bcrypt. It was developed by Alexander Peslyak (Solar Designer) and is specifically engineered to achieve the best possible resistance against hardware-accelerated cracking attacks using GPUs, FPGAs, and ASICs.

 

Example

Use the following commands to add MD5 as the secret hash:

switch(config)# managment defaults
        switch(config-mgmt-defaults)# secret hash md5

 

management dmf

The management dmf command in the DANZ Monitoring Fabric (DMF) configuration Mode allows the configuration of up to two DMF controllers on the network.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

DANZ Monitoring Fabric (DMF) configuration

 

Command Syntax

managment dmf [disabled] [controller address ip_address1 controller address ip_address2

[no | default]> managment dmf

 

Parameters

  • disabled - Disables DMF on the switch.
  • controller address ip_address1 - Configure the first DMF controller with an IPv4 or IPv6 address.
  • controller address ip_address2 - Configure the second DMF controller with an IPv4 or IPv6 address.

 

Example

Use the following commands to add a DMF controller, 172.16.23.47, to the switch:

switch(config)# manangement dmf
switch(config-mgmt-dmf)# controller 172.16.21.47
switch(config-mgmt-dmf)#

 

management file-systems

The management file-systems command in the File Systems Management configuration Mode allows the configuration and management of the file system on the switch.

 

Command Mode

Global configuration

File Systems Management configuration

 

Command Syntax

management file-systems nfs [crash: directory_name] [file: directory_name] [flash: directory_name]

 

Parameters

  • nfs - Specifies the network file system.
  • crash: directory_name - Specify the location of the crash files.
  • file: directory_name - Specify the location of the files.
  • flash: directory_name - Specify the location of the flash files.

 

Example

Use the following commands to manage the crash files:

switch(config)# management file-systems
            switch(config-mgmt-file-systems)# nfs crash:

 

management http-server

The management http-server command enters the HTTP Management configuration Mode of the switch to allow Application Programming Interface (API) access to the switch for programmatic commands.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

HTTP Management configuration

 

Command Syntax

management http-server [cors allowed-origin origin server_address | all | *]

management http-server default-services

management http-server header csp frame-ancestors uri

management http-server log-level [alert | crit | debug | emerg | error | info | notice | warn]

management http-server protocol [http [localhost | port port_number]] [https [port port_number | ssl profile_name]] [unix-socket]

management http-server qos dscp dscp_value

management http-server vrf [default | vrf_name

 

Parameters

  • management http-server cors - Specify Cross-Origin Resource Sharing for the HTTP Server.
    • allowed-origin server_address - Specify an allowed origin server IP address.
    • [all | *] - Specify all to allow all CORS.
  • management http-server default-services - Specify to use default services, capi-doc and tapagg, for the HTTP Server.
  • management http-server header - Configure additional headers for the HTTP Server.
    • csp - Specify content security policy headers.
    • frame-ancestors - Specify CSP directive frame-ancestors.
    • uri - Configure the URI for the host.
  • management http-server log-level - Specify any of the level parameters to log as a syslog message.
  • management http-server protocol - Configure server options.
    • http [localhost | port port_number - Configure a local host and port for the HTTPS Server.
    • https [port port_number | ssl profile_name - Configure a port and SSL profile name.
    • unix-socket - Specify a Unix Domain Socket.
  • management http-server qos - Configure Quality of Service (QoS) parameters.
    • dscp - exit
  • management http-server vrf [default | vrf_name - Specify using the default VRF on the switch or another configured VRF.

 

Example

Use the following commands to specify using the default services for the HTTP Server:

switch(config)# management http-server
switch(config-mgmt-http-server)# default-services
switch(config-mgmt-http-server)#

 

management ldap group

The management ldap command in the Global configuration mode enters the switch into LDAP Management configuration Mode and allows the configuration of an LDAP group and server. This allows the switch to authenticate and authorize users against an external Lightweight Directory Access Protocol (LDAP) server and centralizes user management.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

LDAP Management configuration

 

Command Syntax

management ldap [group policy policy_name group group_name rolerole_name [after | before] group_name [privilege level]

 

Parameters

  • management ldap - Configure LDAP options.
    • group policy policy_name - Configure a group policy name.
    • group group_name - Configure the group name to add to the configuration.
    • role role_name - Specify the role name for the group.
    • [after | before] group_name - Specify adding the role before or after a rule.
    • privilege level - Configure a privilege level between 0 and 15.

 

Example

Use the following commands to add the policy, policy1, to group, ldap_group, with the role of manager, and privilege level 10:

switch(config)# management ldap
switch(config-mgmt-ldap)# group policy policy1
switch(config-mgmt-ldap-gp-policy1)# group ldap_group role manager privilege 10
switch(config-mgmt-ldap-gp-policy1)#

 

management ldap server

The management ldap server command enters the LDAP Management configuration Mode and allows the configuration of an LDAP server for authentication on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

LDAP Management configuration

 

Command Syntax

management ldap server [defaults [authorization group policy policy_name] [base-dn domain_name] [rdn attribute user attr_name] [search username username password password] [ssl-profile profile_name] [timeout seconds]] [host host_name portport_number vrfvrf_name]

[no | default] management ldap server

 

Parameters

  • management ldap server - Enters the LDAP Management configuration Mode and allows the configuration of an LDAP server.
  • defaults - Configure default LDAP options for all servers.
    • authorization group policy policy_name - Configure LDAP options for user authorization using a group policy name.
    • base-dn domain_name - Specify a distinguished domain name.
    • rdn attribute user attr_name - Add an attribute for a Relative Distinguished Name.
    • search username username password password - Configure search options for the LDAP server.
    • ssl-profile profile_name - Add an SSL profile to the configuration.
    • timeout seconds - Configure the length of time to wait before timing out the session.
  • host host_name - Specify a hostname or IP address of the LDAP server.
    • port port_number - Specify a port number. The configuration uses port 389 by default.
    • vrf vrf_name - Specify the VRF name for the configuration.

 

Example

Use the following commands to use arista.com as the base Domain Name:

switch(config)# management ldap
switch(config-mgmt-ldap)# server defaults
switch(config-ldap-defaults)# base-dn arista.com
switch(config-ldap-defaults)#

management nic profiles

The management nic profiles command enters the Network Interface Card (NIC) Profile configuration Mode and allow configuration of an interface for an internal service client such as ZTP or an internal monitoring process that needs to reach a provisioning server.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Network Interface Card (NIC) Profile configuration

 

Command Syntax

management nic profiles profile profile_name [connection [ssl profile profile_name] [timeout seconds ]] [job job_name metric path path_name] [port port_number] [system auto-discovered]] [polling interval interval

[no | default] management nic profiles profile profile_name

 

Parameters

  • management nic profiles profile profile_name - Configure a name for the NIC profile.
  • connection - Configure connection parameters:
    • ssl - Add an SSL profile to the connection
    • timeout - Configure the length of time, in seconds, before the connection disconnects.
  • job job_name - Specifies the type of job to run on the client.
    • metric path path_name - Specify the metric path, in the format of a URL, used for the job.
    • port port_number - Specify a port between 1 and 65535.
    • system auto-discovery - Specify if you want to auto-discover jobs on the switch.
  • polling interval interval seconds - Specify a polling interval between 1 and 600 seconds.

 

Example

Use the following commands to add an SSL profile, secure_1, to the NIC profile, nic_mgmt:

switch(config)# management nic profiles profile nic_mgmt
switch(config-mgmt-nic-profile-nic_mgmt)# connection ssl profile secure_1
switch(config-mgmt-nic-profile-nic_mgmt)#       

 

management package

The management package command in the Package Management configuration Mode configures a remote source for downloading optional software extension packages.

 

Command Mode

Global configuration

Package Management configuration

 

Command Syntax

management package repository repo_name [description description] [type description] [url url]

 

Parameters

  • management package - Enters the Package Management configuration Mode on the switch.
  • repository repo_name - Specify the repository name.
  • description description - Create a description of repository that used in show commands.
  • type yum - Retrieve the files using yum.
  • urlurl - Specify the network path to the repository server. The URL defines transport protocol for the files.

 

Example

Use the following commands to create a repository, prod_ext, with the URL, https://10.11.10.27/arista/extensions/:

switch(config)# management package
            switch(config-mgmt-package)# management package repository pProd-Ext type url https://10.11.10.27/arista/extensions/

 

management security auto-certificate

The management security auto-certificate command enters the Auto-Certificate Security Management configuration Mode and automates the management and renewal of the digital certificates used by the switch for various secure management services such HTTPS for APIs.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Auto-Certificate Security Management configuration

 

Command Syntax

management security auto-certificate [profile profile_name [digest [sha256 | sha384 | sha512]] [key key_name ] [ parameters [distinguished-name [common-name name] [country name [email email ] [locality locality] [organizationorganization] [organization-unit unit] [serial-number number ] [state state]] [subject-alternative-name [dns dns_name] [email email] [ip ip_address] [uri uri] ] [protocol instance instance_name] [renewal seconds seconds]]

management security auto-certificate [protocol est profile_name [connection retry [count num_retries] [interval seconds seconds]] [credentials enroll [secret [0 | 7 | 8a] secret] [token [0 | 7 | 8a] token] [username username ]] [disabled] [server [ssl profile profile_name] [url url ] [vrf vrf_name

 

Parameters

  • management security profile_name - Enters the Security Management configuration Mode.
  • auto-certificate profile profile_name - Configure profile options for Automatic Certificate Management.
    • digest [sha256 | sha384 | sha512 - Specify the digest algorithm used to sign a Certificate Signing Request (CSR).
    • key key_name - Configure a key name used for the certificate.
    • parameters - Configure the certificate parameters.
      • distinguished-name - Configure a distinguished name for the certficate.
        • common-name name - Specify the common name.
        • country name - Specify the country.
        • email email - Specify the email address used for the certificate.
        • locality locality - Specify the locality.
        • organization organization - Add the organization.
        • organization-unit unit - Specify the organization unit.
        • serial-number number - Specify the serial number.
        • state state - Specify the state.
      • subject-alternative-name - Configure thealternative subject nameextension.
        • dns dns_name - Add the name of the DNS server.
        • email email - Add the email address.
        • ip ip_address - Specify the IP address of the DNS server.
        • uri uri - Specify the Universal Resource Indicator (URI).
    • auto-certificate protocol est profile_name - Specify the profile name for Enrollment over Secure Transport (EST).
      • connection retry -Configure the number of times to retry the connection.
        • count num_retries - Specify the number of retries.
        • interval seconds - Specify the interval between connection retries.
        • seconds - Specify the unit of time.
      • credentials - Configure the credentials used with EST.
        • enroll - Enrollwith the following credentials:
          • secret [0 | 7 | 8a secret - Configure a secret.
          • token [0 | 7 | 8a token - Configure a JSON token.
          • username username - Configure a username and secret.
            • secret [0 | 7 | 8asecret
        • re-enroll - Re-enroll with the following credentials:
          • secret [0 | 7 | 8a secret - Configure a secret.
          • token [0 | 7 | 8a token - Configure a JSON token.
          • username username - Configure a username and secret.
            • secret [0 | 7 | 8a secret
        • disabled - Temporarily disable sending requests to the EST server.
        • server -Configure theEST server options:
          • ssl profile profile_name - Specify an SSL profile.
          • url url - Specify the URL of the EST server.
          • vrf vrf_name - Specify the VRF used for the EST server.

 

management security entropy

The management security entropy command manages the source of cryptographic entropy (randomness) and provides high quality randomness for SSH keys, SSL/TLS certificates, and random session identifiers.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Security Management configuration

 

Command Syntax

management security entropy source [cpu jitter] [hardware exclusive] [haveged]

[no | default] management security entropy

 

Parameters

  • entropy source - Configure the source used for entropy on the switch.
  • cpu jitter - Configure using a CPU-based source with the Jitter RNG algorithm.
  • hardware exclusive - Configure using hardware exclusively for entropy.
  • haveged - Use the Hardware Volatile Entropy Gathering and Extension (HAVEGED) algorithm to quickly and efficiently generate high quality cryptographic entropy.

 

Example

Use the following command to use cpu jitter for security entropy:

switch(config)# managment security
switch(config-mgmt-security)# entropy cpu jitter
switch(config-mgmt-security)#
        

 

management security network

The management security network command enters the Security Management configuration mode and then configures security policies that govern the access and behavior of various management applications on the switch. It defines rules to protect the control plane from unauthorized or malicious network activity.

The [no | default] versions of the command return the feature to its default settings.

 

Command Mode

Global configuration

Security Management configuration

 

Command Syntax

management security network client protocol [ftp | http | tftp] disabled

[no | default] management security network client protocol

 

Parameters

  • network - Configure network protocols.
  • client - Specify client traffic.
  • protocol - Select a protocol for client traffic.
  • [ftp | http | tftp] disabled - Disables the protocol and no longer allows clients to connect over these protocols.

 

Example

Use the following commands to disable FTP client traffic:

switch(config)# management security
switch(config-mgmt-security)# network client protocol ftp disabled
switch(config-mgmt-security)#

 

management security ocsp

The management security ocsp command enters the Security Online Certificate Status Protocol (OCSP) configuration Mode and quickly checks the revocations status of digital certificates used by management services such as HTTP or LDAP over TLS.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Security Management configuration

 

Command Syntax

management security ocsp profile profile_name [chain certificate requirement responder [all | leaf | none]] [extension nonce request [disabled | response]] [response validity-time extended-by seconds] [timeout seconds] [url url] [vrf vrf]

[no | default] management security ocsp profile profile_name

Parameters

  • ocsp profile profile_name - Configure a name for the OCSP profile.
    • chain - Configure a chained certificate for OCSP.
      • certificate requirement - Add a check to the certificate for validity.
      • responder - Configure the requirements for querying the OCSP responder.
        • all - Perform OCSP verification on the whole chain.
        • leaf - Specify to only perform OCSP verification on the leaf.
        • none - Specify to only perform OCSP verification on certificates with a specified responder.
    • extension nonce request - Configure sending a nonce in the OCSP requests.
      • disabled - Specify to not send a nonce in the OCSP request.
      • response - Specify to require the OCSP nonce in the OCSP response.
    • response validity-time extended-by seconds - Configure a leeway time when checking the validity of OCSP responses from 1 to 10800 seconds.
    • timeout seconds - Configure the length of time to timeout OCSP queries from 1 to 600 seconds.
    • url url - Configure the URL of overriding OSCP responder.
    • vrf vrf - Configure the VRF as the location to perform OCSP queries.

 

Example

Use the following commands to add the profile, OCSP_1, with an extension nonce request of disabled

switch(config)# management security
switch(config-mgmt-security)# ocsp profile OCSP_1
switch(config-mgmt-sec-ocsp-profile-OCSP_1)# extension nonce request disabled
switch(config-mgmt-sec-ocsp-profile-OCSP_1)#

 

management security password

The management security password command enters the Security Management configuration Mode and configures robust password policies for all local user accounts.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Security Management configuration

 

Command Syntax

management security password [encryption reversible aes-256-gcm] [encryption-key common custom key] [minimum length num_char] [policy policy_name [deny last pw_count] [ maximum repetitive num_char sequential num_char] [ minimum [changed num_char] [digits num_char] [length num_char] [lower num_char] [ num_char] [uppernum_char]]

[no | default] management security password

 

Parameters

  • password - Configure password policies for the management interface.
  • encryption reversible aes-256-gcm - Configure a common encryption algorithm.
  • encryption-key common custom key - Configure a 32-byte customized encryption key.
  • minimum length num_char - Configure a minimum length between 1 and 32 characters.
  • policy policy_name - Configure password complexity settings for a policy profile.
    • deny last pw_count -
    • maximum [repetitive |sequential] num_char
    • minimum -Configure the following minimum settings:
      • changed num_char - Configure the number of positional characters that must change 0 to 65535.
      • digits num_char - Configure the number of digits required for the password 0 to 65535.
      • length num_char - Configure the number of characters for the password 0 to 65535.
      • lower num_char - Configure the number of lower case characters required for the password from 0 to 65535.
      • special num_char - Configure the number of special characters, !"#$%&\'()*+,-./:;<=>?@[^]_`{|}~, required for the password from 0 to 65535
      • upper num_char - Configure the number of lower case characters required for the password from 0 to 65535.

 

Example

Use the following commands to create a password policy, ldap_access, with the minimum length of 15 characters:

switch(config)# management security
switch(config-mgmt-security)# policy ldap_access
switch(config-pwd-policy-ldap_access)# minimum length 15
switch(config-pwd-policy-ldap_access)#

management security session

The management security session command enters the Security Management configuration Mode and configures the session parameters that govern the behavior, timeouts, and security of interactive management sessions.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Security Management configuration

 

Command Syntax

management security session shared-secret profile profile_name secret secret_name [0 | 7 | 8a]password [infinite] [ mm/dd/yyyy hh:mm:ss [infinite | datelocal-time] [receive-lifetime mm/dd/yyyy hh:mm:ss [infinite |date local-time]] [transmit-lifetime [infinite mm/dd/yyyy hh:mm:ss date local-time]]

 

 

 

Parameters

  • session shared-secret profile profile_name - Configure a profile for shared secret settings.
  • secret secret_name - Configure a name for the secret.
    • 0 - Indicates that the key is not encrypted.
    • 7 - Specifies that a hidden string follows.
    • 8a - Specifies that an AES-256-GCM encrypted key follows.
    • password - Specify a password
      • infinite - Specify an infinite lifetime for the password.
        • infinite
        • mm/dd/yyyy - Specify a date in the month/day/year format.
        • yyyy-mm-dd - Specify a date in the year-month-day format.
      • mm/dd/yyyy - Specify a date in the month/day/year format.
      • receive-lifetime -Configure the lifetime for receiving the key.
        • infinite
        • mm/dd/yyyy - Specify a date in the month/day/year format.
        • yyyy-mm-dd - Specify a date in the year-month-day format.
      • transmit-lifetime - Configure the lifetime for transmitting the key.
        • infinite
        • mm/dd/yyyy - Specify a date in the month/day/year format.
        • yyyy-mm-dd - Specify a date in the year-month-day format.
      • yyyy-mm-dd - Specify a date in the year-month-day format.
    • local-time - Configure secrets using the local timezone from the system clock. By default, the parameter sets to UTC.

 

Example

Use the following commands to configure a session to use the profile, mySession, with the secret name, mySecret, and the secret, qwerty, with an infinite receive-lifetime and transmit-lifetime, with the default local-time:

switch(config)# management security
switch(config-mgmt-security)# session shared-secret profile mySession
switch(config-mgmt-sec-sh-sec-profile-mySession)# secret mySecret 0 qwerty receive-lifetime infinite 
transmit-lifetime infinite local-time
switch(config-mgmt-sec-sh-sec-profile-mySession)#

 

management security signature-verification

The management security signature-verification command enters the Security Management configuration Mode and apply a named SSL profile that dictates the policies for verifying the integrity of the system files related to secure TLS/SSL communications.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

Security Management configuration

 

Command Syntax

management security signature-verification extension ssl profile profile_name

[no | default] management security signature-verification

 

Parameters

  • signature-verification - Configure verifying signatures of files.
  • extension - Specifies that the policy applies specifically to SWIX signatures.
  • ssl - Specifying using SSL to verify the signatures.
  • profile profile_name - Specify an SSL profile name to use for verification. It must contain a trusted root or intermediate CA certificate corresponding to the private key used by the software vendor.

 

Example

Use the following commands to verify SWIX signatures using the SSL profile, swix_ca:

switch(config)# management security
switch(config-mgmt-security)# signature-verification extension ssl profile swix_ca
switch(config-mgmt-security)#

 

management security ssl

The management security ssl command enters the SSL Security Management configuration mode to configure and manage the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) parameters for all secure management services on the switch.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

SSL Security Management configuration

 

Command Syntax

management security ssl [monitor expiry time [days | hours] [log interval time [days | hours]]

management security ssl [profile profile_name [certificate cert_name [auto-certificate cert_name] [common-name [key key_name] [username regexp regex]] [local cert_name key cert_name] [policy [expiry-date ignore] [key key_name]] [requirement extended-key-usage [hostname match] [key key_name]] [chain [certificate cert_name] [local cert_name] [policy [expiry-date ignore]] [requirement [basic-constraint ca true] [include root-ca]] [cipher [v1.0 cipher_list] [v1.3 cipher_list] [diffie-hellman parameters [ffdhe2048 | ffdhe3072 | ffdhe4096 | generated]] [dtls version [1.0 | 1.2 | add | remove]] [fips restrictions] [key-establishment-group group_names] [peer certificate [format ip-address exact] [requirement [hostname match subject-alternative-name [common-name]]] [revocation [crl [name crl_name] [policy expiry-date ignore]] [ocsp profile profile_name]] [signature algorithm alg_list] [tls versions [1.0 | 1.1 | 1.2 | 1.3 | add | remove]] [trust [certificate cert_name] [policy expiry-date ignore]] [requirement [basic-constraint ca true] [hostname fqdn]] [system]

[no | default] management security ssl monitor

[no | default] management security ssl profile

 

Parameters

  • ssl monitor - Configure monitoring options for all certificates.
    • expiry - Log SSL monitoring warnings for certificates approaching an expiration date.
    • time [days | hours] - Configure the amount of time prior to certificate expiration from 1 to 999 in days or hours.
    • log interval - Configure logging intervals for sending logs to the syslog server.
    • time [days | hours] - Configure the length of time between send log messages from 1 to 999 in days or hours.
  • ssl profile profile_name - Configure an SSL profile for SSL Security Management.
    • certificate - Configure a certificate for self-authentication.
      • cert_name - Specify the name of the certificate.
      • auto-certificate profile_name - Specify the name of an auto-certificate profile.
      • common-name
        • key key_name - Configure the key matching the certificate.
        • username regex regex - Configure the REGEX to extract the username.
      • local cert_name - Configure a local certificate name.
        • key key_name - Configure a key matching the local certificate.
      • policy - Configure the policy for the certificate.
        • expiry-date ignore - Ignore the expiration date of the certificate.
        • key key_name - Configure a key matching the certificate.
      • requirement - Add a check to validate the certificate.
        • extended-key-usage - Configure extended key usage for the certificate.
        • hostname match - Specify to verify and match the hostname for the certificate.
        • key key_name - Configure a key matching the certificate.
    • chain - Configured chained certificates.
      • certificate cert_name - Specify a certificate name.
      • local cert_name - Configure a local certificate name.
      • policy - Configure the policy for the certificate.
        • expiry-date ignore - Ignore the expiration date of the certificate.
      • requirement - Add a check to validate the certificate.
        • extended-key-usage - Configure extended key usage for the certificate.
        • hostname match - Specify to verify and match the hostname for the certificate.
    • cipher - Configure TLS ciphers.
      • v1.0 cipher_list - Specify the cipher lists, separated by a colon, for TLS versions 1.0, 1.1, and 1.2.
      • v1.3 cipher_list - Specify the cipher lists, separated by a colon, for TLS versions 1.3.
    • diffie-hellman parameters - Configure Diffie-Hellman parameters:
      • ffdhe2048 - Specify from RFC7919.
      • ffdhe3072 - Specify from RFC7919.
      • ffdhe4096 - Specify from RFC7919.
      • generated - Specify 2048-bit parameters generated by the switch.
    • dtls version - Configure Datagram Transport Layer Security (DTLS) settings:
      • 1.0 - Specify DTLS version 1.0.
      • 1.2 - Specify DTLS version 1.2.
      • add - Add versions to the list.
      • remove - Remove versions from the list.
    • fips restrictions - Configure FIPS restrictions.
    • key-establishment-group group_names - Configure TLS 1.3 key establishment groups using canonical names recognized by the TLS standards.
    • peer certificate - Configure peer-related certificate options:
      • format ip-address exact - Specify the format rules for IP addresses to reject wildcards in the IP address.
      • requirement hostname match subject-alternative-name [common-name] - Specify a check for certificate validity to include hostname matching for the common name.
    • revocation - Configure checking of the revocation status for certificates.
      • crl name crl_name - Specify the name of the Certificate Revocation List (CRL).
        • policy expiry-date ignore - Configure the policy to ignore certificate expiration dates.
      • ocsp profile profile_name - Specify the name of the Online Certificate Status Protocol (OCSP) profile.
    • signature algorithm alg_list - Specify the TLS signature algorithm list.
    • tls - Configure TLS settings.
      • versions - Specify the TLS version:
        • 1.0
        • 1.1
        • 1.2
        • 1.3
        • add - Add versions to the list.
        • remove - Remove versions from the list.
    • trust - Configure a trusted certificate.
      • certificate cert_name - Specify the name of a certificate.
      • policy expiry-date ignore - Configure the policy to ignore expiration dates.
      • requirement - Add a check to validate the certificate.
        • basic-constraint ca true - Configure the Certificate Authority attribute to true and allow the CA to sign and issue other certificates in the trust chain This certificate is the trust anchor or an intermediate authority.
        • hostname fqdn - Specify that the hostname must be a fully qualified domain name without wildcards.
      • system - Specify using a system-supplied trust certificate.

 

Example

Use the following commands to set the SSL monitoring of certificates to log warning for certificate expiration to 10 days and log the warning to syslog every 8 hours:

switch(config)# management security
switch(config-mgmt-security)# ssl monitor expiry 10 days log interval 8 hours
switch(config-mgmt-security)#

 

management ssh

The management ssh command places the switch in SSH Management configuration Mode to adjust SSH session connection parameters.

The no management ssh and default management ssh commands delete the SSH Management configuration Mode statements from running-config.

The mgmt-ssh configuration mode does not provide a group change mode. The running-config changes immediately upon entering commands. Exiting the SSH Management configuration Mode does not affect running-config. The exit command returns the switch to Global configuration Mode.

 

Command Mode

Global configuration

 

Command Syntax

management ssh

no management ssh

default management ssh

 

Parameters
  • authentication - Change authentication settings.
  • authorized-principals - Configure the authorized principals settings.
  • cipher - Configure an exclusive list of cryptographic ciphers for SSH.
  • client-alive - Set SSH ClientAlive options.
  • compression - Configure SSH compression algorithms.
  • connection - Configure settings for SSH connections.
  • fips restrictions - Configure FIPS settings.
  • hostkey - Set SSH hostkey related options.
  • idle-timeout - Set idle session timeout (minutes).
  • ip access group - Set the SSH IPv4 configuration.
  • ipv6 access group - Set the SSH IPv6 configuration.
  • key-exchange - Configure an exclusive list of key-exchange methods for SSH.
  • log-level - Configure SSH daemon logging level.
  • logging - Configure SSH system logging.
  • login timeout - Configure options related to logging into SSH.
  • mac hmac - Exclusive list of MAC algorithms for SSH.
  • qos - Configure QoS parameters.
  • rekey - Configure the length of time before rekeying SSH connections.
  • server-port - Change the server port.
  • shutdown - Disable SSH on the switch.
  • trusted-ca - Configure a trusted certficate.
  • user-keys - Configure SSH user key settings.
  • username - Configure SSH user-specific settings.
  • verify - Configure option for SSH verification.
  • vrf - Configure the VRF to use for SSH.

 

Examples
  • This command places the switch in SSH Management configuration Mode:
    switch(config)# management ssh
    switch(config-mgmt-ssh)#
  • This command returns the switch to Global configuration Mode:
    switch(config-mgmt-ssh)# exit
    switch(config)#

management telnet

The management telnet command places the switch in Telnet Management configuration Mode to adjust Telnet session connection parameters.

The no management telnet and default management telnet commands delete the Telnet Managementconfiguration Mode statements from running-config.

The Telnet Management configuration Mode does not provide a group change mode. The running-config changes immediately upon entering commands. Exiting the Telnet Management configuration Mode does not affect the running-config. The exit command returns the switch to Global configuration Mode.

 

Command Mode

Global configuration

 

Command Syntax

management telnet

no management telnet

default management telnet

 

Examples
  • This command places the switch in Telnet Management configuration Mode:
    switch(config)# management telnet
    switch(config-mgmt-telnet)#
  • This command returns the switch to Global configuration Mode:
    switch(config-mgmt-telnet)# exit
    switch(config)#

management timeout

The management timeout command in the Console, SSH, or Telnet configuration Mode allows the configuration of the SSH, Telnet, and Console timeout parameter.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Console configuration

SSH configuration

Telnet configuration

 

Command Syntax

management [console | ssh | telnet] timeout minutes warning minutes]

no management [console | ssh | telnet] timeout

default management [console | ssh | telnet]

 

Parameters

  • timeout minutes warning minutes - Configure the session timeout from 0 to 86400 minutes and generate a warning message about the impending timeout. The warning value must be less than the configured timeout value..

 

Example

Specify a console timeout of 30 minutes and issue a warning 5 minutes before closing the session:

switch(config)# management console
switch(config-mgmt-console)# timeout 30 warning 25

 

protocol http (API Management)

The protocol http command enables the hypertext transfer protocol (HTTP) server.

The no protocol http and default protocol http commands disable the HTTP server by removing the protocol http statement from running-config.

 

Command Mode

Mgmt-API configuration

 

Command Syntax

protocol http [TCP_PORT]

no protocol http

default protocol http

 

Parameters
  • TCP_PORT Port number used for the HTTP server. Options include:
    • no parameter Specifies default port number 80.
    • port 1 to 65535 Specifies HTTP server port number. The value ranges from 1 to 65535.

     

  • localhost The name of the server bound on the localhost.
  • port The number of the TCP port to serve on.

     

Related Commands

management api http-commands places the switch in mgmt-api configuration mode.

 

Example

These commands enables the management API for the HTTP server.
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)#

protocol https (API Management)

The protocol https command enables the HTTP secure server. The HTTP secure server is active by default.

The default protocol https command restores the default setting by removing the no protocol https statement from running-config. The no protocol https command disables the HTTP secure server.

 

Command Mode

API Management configuration

 

Command Syntax

protocol https [TCP_PORT]

no protocol https

default protocol https

 

Parameters
  • TCP_PORT - Port number used for the HTTPS server. Options include:
    • no parameter - Specifies default port number 443.
    • port 1 to 65535 - Specifies HTTP server port number. The value ranges from 1 to 65535.
  • certificate - The HTTPS key and certificate to use for the switch.
  • cipher - Exclusive list of cryptographic ciphers.
  • key-exchange - Exclusive list of key-exchange algorithms.
  • mac - Exclusive list of MAC algorithms.
  • port - The TCP port number to serve on.
  • ssl - Configure SSL options.

 

Related Commands

management api http-commands places the switch in API Management configuration Mode.

 

Examples
  • These commands enables service to the HTTP server. The no shutdown command allows access to the service.
    switch(config)# management api http-commands 
    switch(config-mgmt-api-http-cmds)# protocol https
    switch(config-mgmt-api-http-cmds)# no shutdown
  • These commands specify the port number used for the HTTPS server. The no shutdown command allows access to the service.
    switch(config)# management api http-commands 
    switch(config-mgmt-api-http-cmds)# protocol https port 52
    switch(config-mgmt-api-http-cmds)# no shutdown

protocol https certificate (API Management)

The protocol https certificate command configures the HTTP secure server to request an X.509 certificate from the client. The client then authenticates the certificate with a public key.

The no protocol https certificate and default protocol https certificate commands restore default behavior by removing the protocol https certificate statement from running-config.

 

Command Mode

API Management configuration

 

Command Syntax

protocol https certificate

no protocol https certificate

default protocol https certificate

 

Related Command

management api http-commands places the switch in API Management configuration Mode.

 

Example

These commands configure the HTTP secure server to request an X.509 certificate from the client for authentication.
switch(config)# management api http-commands 
switch(config-mgmt-api-http-cmds)# protocol https certificate
switch(config-mgmt-api-http-cmds)#

qos

The qos command in the SSH Management configuration Mode applies the Differentiated Services Code Point (DSCP) markings to SSH traffic and ensures prioritizing packets on the network.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

qos dscp dscp_value

no qos dscp

default qos dscp

 

Parameters

  • qos dscpdscp_value - Apply a QoS DSCP value between 0 and 63 to SSH traffic. Using 0 applies a Best Effort tag to the traffic.

 

Example

Use the following commands to set the QoS DSCP value to 16 (Network Management) on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# qos dscp 16
switch(config-mgmt-ssh)#

 

rekey

The rekey command in the SSH Management configuration Mode forces the SSH session to renegotiate new symmetric encryption keys after meeting a specific threshold.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

rekey [frequency data_amount [gbytes | kbytes | mbytes]] [interval time [days | hours | minutes | seconds | weeks]]

no qos dscp

default qos dscp

 

Parameters

  • rekey frequency data_amount - Specify the quantity of data sent through the SSH session before triggering a rekey. Use one of the following units:
    • gbytes - Specify Gigabytes.
    • kbytes - Specify Kilobytes.
    • mbytes - Specify Megabytes.
  • interval time - Specify an interval in time using one of the following units:
    • days - Specify the interval in days.
    • hours - Specify the interval in hours.
    • minutes - Specify the interval in minutes.
    • seconds - Specify the interval in seconds.
    • weeks - Specify the interval in weeks.

 

Examples

Use the following commands to set the rekey frequency to 10 Gigabytes on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# rekey frequency 10 gbytes
            switch(config-mgmt-ssh)#

 

Use the following commands to set the rekey interval to 8 hours on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# rekey interval 8 hours
switch(config-mgmt-ssh)#

 

reset system storage secure

Use the reset system storage secure command to trigger the secure erase mechanism. Secure erase is a command that deliberately, permanently, and irreversibly removes and destroys the data stored on a storage device, rendering that data unrecoverable.

 

Command Mode

EXEC

 

Command Syntax

reset system storage secure

 

Examples
  • To trigger the secure erase mechanism, use the reset system storage secure command.
    switch# reset system storage secure
    WARNING! This will destroy all
    data and will NOT be recoverable.
    Device will reboot into Aboot, and
    execution may take up to one hour.
    Would you like to proceed? [y/N]
  • If a particular platform does not support the reset system storage secure command , the following message appear:
    switch#reset system storage secure
    % Unavailable command (not supported on this hardware platform)

show inventory

The show inventory command displays the hardware components installed in the switch. Each component has a serial number and a description.

 

Command Mode

EXEC

 

Command Syntax

show inventory

 

Example

This command displays the hardware installed in a DCS-7150S-52 switch.
switch> show inventory
System information
  Model                    Description
  ------------------------ ----------------------------------
  DCS-7150S-52-CL          52-port SFP+ 10GigE 1RU + Clock

  HW Version  Serial Number  Mfg Date
  ----------- -------------- ----------
  02.00       JPE13120702    2013-03-27

System has 2 power supply slots
  Slot Model            Serial Number
  ---- ---------------- ----------------
  1    PWR-460AC-F      K192KU00241CZ
  2    PWR-460AC-F      K192L200751CZ

System has 4 fan modules
  Module  Number of Fans  Model            Serial Number
  ------- --------------- ---------------- ----------------
  1       1               FAN-7000-F       N/A
  2       1               FAN-7000-F       N/A
  3       1               FAN-7000-F       N/A
  4       1               FAN-7000-F       N/A

System has 53 ports
  Type             Count
  ---------------- ----
  Management       1
  Switched         52

System has 52 transceiver slots
  Port Manufacturer     Model            Serial Number    Rev
  ---- ---------------- ---------------- ---------------- ----
  1    Arista Networks  SFP-10G-SR       XCW1225FD753     0002
  2    Arista Networks  SFP-10G-SR       XCW1225FD753     0002

  51   Arista Networks  SFP-10G-SR       XCW1225FD753     0002
  52   Arista Networks  SFP-10G-SR       XCW1225FD753     0002

switch>

server-port

The server-port command in the SSH Management configuration Mode defines the TCP port or ports that SSH servers listen for incoming connections.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

server-port port_number

no server-port

default server-port

 

Parameters

  • server-portport_number - Specify a port number from 1 to 32767 with a default of 22 to listen for incoming SSH connections on the switch.

 

Example

Use the following commands to set the port number to 80 on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# server-port 80
switch(config-mgmt-ssh)#

 

service configuration access-list

The service configuration access-list command configures how the switch compiles, stages, or validates access lists when the lists receive modifications or pushed to the hardware ASICs.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

 

Command Syntax

service configuration access-list symbols

no service configuration access-list symbols

default service configuration access-list symbols

 

Parameters

  • access-list - Specify access list configuration parameters.
  • symbols - When enabled, if you configure an ACL using port numbers, the switch automatically translates recognizable ports into symbolic names when issuing the show ip access-lists command.

    When disabled, the switch removes human-readable text and forces all entries to display the literal numeric values.

 

Example

When the switch has symbols enabled, and you configure an access list with port 80, the display output for an access list has the following output:

switch(config-acl-TEST)# permit tcp any any eq 80
switch# show running-config section TEST
ip access-list TEST
    10 permit tcp any any eq www

 

When the switch has symbols disabled, the output removes human-readable text and all entries display literal numeric values:

switch# show running-config section TEST
ip access-list TEST
   10 permit tcp any any eq 80

service configuration checkpoint

The service configuration checkpoint command configures the number of system configuration checkpoints on the switch. By default, eos tracks and retains a maximum of 20 system configuration checkpoints.

If you make frequent configuration changes or want a deeper historical safety net of snapshots, you can increase or decrease the retention limits.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

 

Command Syntax

service configuration checkpoint max saved max_number

no service configuration checkpoint max

default service configuration checkpoint max

 

Parameters

  • checkpoint - Create a new checkpoint limit on the switch.
  • max - Configure the maximum number of checkpoints.
  • saved max_number - Configure the number of saved checkpoints on the switch.

 

Example

Use the following command to increase the number of saved checkpoints to 50:

switch(config)# service configuration checkpoint max saved 50
switch(config)#

 

To display the new limit, use the show configuration checkpoints command:

 

switch# show configuration checkpoints
Maximum number of checkpoints: 50
Hash    Name  Date                 User 
------- ---- -------------------- -----
b8ad7c5      2025-01-06 23:11:28  eos  
04fc850      2025-03-25 00:07:47  eos  
a4d90e4      2025-03-25 00:07:48  admin
62e76ba      2025-03-25 01:36:30  eos  
c812e22      2025-03-25 01:36:32  admin
932c042      2025-03-25 01:37:06  admin
dfbb566      2025-04-04 05:56:06  eos  
e09ea3a      2025-04-04 05:56:07  admin
263fa99      2025-04-24 15:51:25  eos  
3cfd199      2025-04-24 15:51:25  admin
278367f      2025-05-22 13:28:27  eos  
f25f264      2025-05-22 13:28:28  admin
ce72f7f      2025-06-10 11:36:27  eos  
889fe0e      2025-06-10 11:36:29  admin

 

If you decrease the saved checkpoint limit from your current limit, eos purges the extra saved checkpoint files to meet your new limit.

service configuration session commit

The service configuration session command manages the system limits for configuration sessions. configuration sessions allow you to stage, review, and test commands in a temporary workspace before committing them to the active running configuration. Use this command to configure the number of saved sessions in the switch memory.

 

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

 

Command Syntax

service configuration session [commit [merge [save startup-config] [timer default hh:mm:ss interactive

no service configuration session

default service configuration session

 

Parameters

  • session - Configure session settings.
  • merge - Perform a three-way merge on the commit.
  • save startup-config - Autosave the session to the startup configuration.
  • timer default hh:mm:ssinteractive - Commit the session with a timeout. If not committed within the time limit, the configuration reverts to the original configuration.

 

Example

Use the following command to configure a default timer of 1 hour apply it to the current running configuration:

switch(config)# service configuration session commit timer default 01:00:00 interactive
switch(config)#

 

service configuration session logging

The service configuration session logging command configures the switch to print the results, verification checks, or error logs of the session to the screen as the switch processes a commit.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

 

Command Syntax

service configuration session logging terminal

no service configuration session logging terminal

default service configuration session logging terminal

 

Parameters

  • terminal - Print to the console any configuration session state changes.

 

Example

Use the following command to enable the feature:

switch(config)# service configuration session logging terminal
switch(config)#

 

service configuration session max

The service configuration session max command sets the retention and concurrency limits for system configuration sessions. Configure the limit for pending and completed sessions.

 

Command Mode

Global configuration

 

Command Syntax

service configuration session max completed num_sessions pending num_sessions

no service configuration session max

default service configuration session max

 

Parameters

  • session max - Configure the maximum number of configuration sessions on the switch.
  • completed num_sessions - Specify the maximum number of completed sessions kept in memory from 0 to 20 sessions. After staging and committing a session, eos saves a record of that session for auditing and rollback purposes. By default, eos retains a limited number of historical commits, 1 by default, and increasing the limit creates a deeper audit trail.
  • pending num_sessions - Specify the maximum number of pending sessions kept in memory from 1 to 20 sessions. By default, eos limits the sessions to 1 pending session to prevent multiple administrators from staging conflicting changes at the same time. Once reaching the limit, the switch blocks creation of new sessions until committing or aborting an old one.

 

Examples

Use the following command to increase the number of pending sessions from 1 to 5:

switch(config)# service configuration session max pending 5
switch(config)#

 

Use the following command to increase the number of completed sessions from 1 to 15:

switch(config)# service configuration session max completed 15
switch(config)#

 

To display the configured maximums, use the show configuration sessions command:

switch# show configuration sessions
Maximum number of completed sessions: 50
Maximum number of pending sessions: 5

Name        State           User       Terminal    Time 
----------- --------------- ---------- ----------- -------------------
BGP_PEER    pending         admin      vty3        2026-04-28 11:45:12
OSPF_TUNE   completed       automation vty1        2026-04-27 09:12:45

service configuration terminal

The service configuration terminal command disables standard live configuration mode and dictates the use of configuration sessions instead. Before disabling the terminal feature, administrators can make immediate changes to the running configuration and alter the forwarding plane of the switch. When disabled, administrators must create configuration sessions to build a staged workplace to make changes and then explicitly use commit to add the configuration changes to the switch.

 

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

 

Command Mode

Global configuration

 

Command Syntax

service configuration terminal disabled

no service configuration terminal

default service configuration terminal

 

Parameters

  • terminal disabled- Disable the standard terminal behavior on the switch.

 

Examples

Use the following command to disable the standard terminal behavior on the switch:

switch(config)# service configuration terminal disabled
switch(config)#

service configuration verification

The service configuration verification command dictates if the switch pre-validates the Quality of Service (QoS) configuration against the hardware physical capabilities before allowing you to successfully commit the change.

 

The physical silicon on the switch has deep ties to the QoS capabilities. When you create QoS policies, such as policy maps, class maps, or port shaping rates, the CLI may accept the commands, but the underlying hardware might not have enough TCAM space, hardware queues, or buffer memory to support it.

 

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

 

Command Mode

Global configuration

 

Command Syntax

service configuration verification qos

no service configuration verification qos

default service configuration verification qos

 

Parameters

  • verification qos - Enable strict QoS verification on the hardware during commits.

 

Examples

Use the following command to enable the strict QoS verification on the switch:

switch(config)# service configuration verification qos
switch(config)#

service interface inactive

The service interface inactive command forces system level visibility and default state toggles to expose subordinate lanes.

By default, if you configure a port for breakout mode but have not physically plugged in the cable yet, eos suppresses the inactive subordinate lanes.

 

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

 

Command Mode

Global configuration

 

Command Syntax

service interface inactive expose [port-id allocation disabled]

no service interface inactive

default service interface inactive

 

Parameters

  • inactive expose - Expose subordinate lanes in the CLI even if physically down or missing the proper cabling.
  • port-id allocation disabled - Specify to stop assigning port IDs to inactive interfaces and dynamically allocate port IDs only to actively linked ports or participating in the forwarding plane.

 

Examples

Use the following command to expose subordinate lanes in the CLI:

switch(config)# service interface inactive expose
switch(config)#

 

Use the following command to free up unused IDs on the switch:

switch(config)# service interface inactive port-id allocation disabled
switch(config)#

service interface shutdown

The service interface shutdown command introduces a global, system-wide buffer window between entering a shutdown command and physically shutting down the link. During the delay, the physical link stays alive just long enough for the control plane to warn the connected neighbor of the intentional shutdown.

 

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

 

Command Mode

Global configuration

 

Command Syntax

service interface shutdown delay milliseconds

no service interface shutdown delay

default service interface shutdown delay

 

Parameters

  • interface shutdown delay milliseconds - Specify the time to delay shutting down the interface. Configure a value from 1 to 1000 milliseconds.

 

Example

Use the following command to configure a shutdown delay of 10 milliseconds:

switch(config)# service interface shutdown delay 10
switch(config)#

 

service interface unconnected

The service interface unconnected command exposes ethernet interfaces that do not physically exist on the switch, but instead exist as internally hardwired loopback ports. In eos, the interfaces have the designation Unconnected ethernet (Ue) ports and used by the hardware ASIC for packet recirculation. By default, eos does not display these interfaces, but in some cases, exposing them may assist with troubleshooting hardware recirculation and identify interfaces dropping packets on the switch.

 

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Global configuration

 

Command Syntax

service interface unconnected expose

no service interface shutdown delay

default service interface shutdown delay

 

Parameters

  • interface unconnected expose - Expose unconnected interfaces on the switch.

 

Example

Use the following command to expose unconnected interfaces:

switch(config)# service interface unconnected expose
switch(config)#

 

Use the show interfaces status command to display the interface status:

switch# show interfaces status
Port       Name        Status       Vlan     Duplex Speed  Type
...
Et48                   notconnect   1        auto   auto   10GBASE-CR
Ue1                    connected    1        full   10G    Unconnected
Ue2                    connected    1        full   10G    Unconnected

service routing configuration

The service routing configuration command dictates the backend architecture of the routing daemon and determines how the switch parser compiles control-plane logic.

 

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

 

Command Mode

Global configuration

 

Command Syntax

service routing configuration[bgp no-equals-default] [route-map [no-set-community explicit-members] [set-operations [merged | sequential]

no service routing configuration

default service routing configuration

 

Parameters

  • verification qos - Enable strict QoS verification on the hardware during commits.
  • bgp no-equals-default - Removes the default behavior from the running configuration output and displays only configured behavior.
  • route-map - Configures route map behavior on the switch.
    • no-set-community explicit-members - Negates specific community values from an existing list and cleans up the running-configuration output.
    • set-operations [merged | sequential] - If selecting sequential, eos enforces the execution of the set commands in strict top to bottom sequence.

 

Examples

Use the following command to remove BGP default behavior from the running configuration output:

switch(config)# service routing configuration bgp no-equals-default
switch(config)#

service routing protocols

The service routing protocols command dictates the underlying software architecture that the switch uses to process all Layer 3 routing protocols.

The default version of the command causes the switch to use the underlying software architecture.
Warning: Enabling this feature requires a reboot of the switch. If you commit the command, the running-config updates immediately, but the changes do not take effect until the switch completes a full system reload.

 

Command Mode

Global configuration

 

Command Syntax

service routing protocols model multi-agent

default routing protocols

 

Parameters

  • routing protocols - Enable the underlying software to process all Layer 3 routing protocols.
  • model multi-agent - Enable using the ArBGP architecture to completely decouple the routing stack into independent, multi-threaded processes. Each protocol uses a separate process to provide significantly faster convergence and natively supports multi-tenant architectures such as EVPN, VXLAN overlays, and IPv6 underlays.

 

Example

Use the following command to enable multi-agent processing for routing protocols:

switch(config)# service routing protocols model multi-agent
switch(config)#

service running-config

The service running-config command manages how the switch generates, processes, and displays the running configuration file. Executing the running configuration file on switches with very large configurations impacts the switch performance by spiking the CPU usage. Use this command to manage the running configuration file.

The [no | default] versions of the command cause the switch to dynamically compile the running configuration file for every request.

 

Command Mode

Global configuration

 

Command Syntax

service running-config [cache disabled] [copy use-config-session] [timestamp]

no service running-config

default service running-config

 

Parameters

  • cache [disabled] - Enable caching of the running configuration file by instructing the switch to generate and hold a pre-compiled text version of the configuration in memory. Once enabled, use the disabled parameter to dynamically generate the configuration when requested.
  • copy use-config-session - Enable this parameter to override the default merge behavior and enforce a strict replace or enforce session-based validations before applying the copied file.
  • timestamp - Enable to inject a timestamp in the header of the running-config file.
Note: eos disables timestamp by default as constantly updating the timestamp breaks idempotency in certain environments. If enabled, using tools such as Ansible, Terraform, or Git flags the configuration as changed every time polling the switch occurs even if no changes occur on the switch.

 

Example

Use the following command to enable caching of the running-config file:

switch(config)# service running-config cache
switch(config)#

session-limit

The session-limit command in the Telnet Management configuration Mode configures the maximum number of Telnet sessions from a single host and the maximum number of sessions.

The no version of the command removes the configuration from the running-config.

 

Command Mode

Telnet Management configuration

 

Command Syntax

session-limit num_sessions[per-host num_sessions]

no session-limit

default session

 

Parameters

  • session-limit num_sessions - Configure the maximum number of global Telnet sessions. Sets it to 20 by default.
  • per-host num_sessions - Configure the maximum number of global Telnet sessions per host. Sets it to 20 by default.

 

Example

Use the following commands to configure a global Telnet sessions limit of 25:

switch(config)# managment telnet
switch(config-mgmt-telnet)# session-limit 25
switch(config-mgmt-telnet)#

show configuration checkpoints

The show configuration checkpoints command displays a high level table of all saved configuration snapshots currently stored on the switch.

 

Command Mode

EXEC

 

Command Syntax

show configuration checkpoints

 

Example

Use the following command to display all saved configuration snapshots:

switch# show configuration checkpoints
Maximum number of checkpoints: 20
Filename                        Date                 User
------------------------------- -------------------- ------
ckp-20231024-0                  2023-10-24 14:00:01  admin
ckp-20231024-1                  2023-10-24 15:30:22  admin
PRE_BGP_CHANGE                  2023-10-25 09:15:00  automation

 

The output displays the following information:

  • Maximum number of checkpoints - Indicates the current system limit for the number of historical snapshots allowed for retention in memory. By default, eos limits 20 snapshots, but you can adjust it using the command service configuration checkpoint max. If the switch reaches the limit of snapshots, eos begins automatically purging the oldest checkpoints using a First-In, First-Out (FIFO) method.
  • Filename - Displays the name of the checkpoint file stored in the flash memory.
    • Auto-generated checkpoints - If the switch creates the checkpoint automatically, for example, during a configuration session commit or an automated rollback, the file uses a standard naming convention of ckp-YYYYMMDD-X
    • Manual checkpoints - If an administrator or automated script generated the snapshot, eos uses a custom string as the filename.
  • Date - The exact system timestamp in the format YYYY-MM-DD HH:MM:SS when created.
  • User - Identifies the specific username or script name that executed the command or triggered the automated process to create the snapshot.

show configuration sessions

The show configuration sessions command displays information about configuration sessions created on the switch. If you rely on configuration sessions instead of live terminal configuration, use the output to manage the lifecycle of your staged configuration workspaces.

 

Command Mode

EXEC

 

Command Syntax

show configuration sessions [detail]

 

Example

Use the following command to display all saved configuration snapshots:

switch# show configuration sessions
Maximum number of completed sessions: 10
Maximum number of pending sessions: 5

  Name               State           User       Terminal    
  ------------------ --------------- ---------- ----------- 
  ADD_BGP_PEER       pending         admin      vty1        
  vlan-changes       completed       admin      vty1        
  ansible_10928      completed       automation eAPI        
  sess-20260430-1    aborted         jdoe       vty3
The output displays the following information:
  • Maximum number of completed sessions - Displays the number of historical committed session diffs allowed in memory before overwriting the oldest ones (FIFO).
  • Maximum number of pending sessions - Displays the number of active and uncommitted staging workspaces open concurrently on the switch.
  • Name - Displays the identifier for the session. If using a name for the session, the output displays that information. By default, eos generates a name with the format sess-YYYMMDD-X.
  • State - Displays the current lifecycle of the session:
    • pending - Session currently open with actively staged commands but not applied to the control plane yet.
    • completed - Session successfully committed and applied to the running-config.
    • aborted - Session manually canceled or failed a pre-check validation. Changes discarded.
  • User - The specific local or TACACs/RADIUS username that created the session.
  • Terminal - Displays the entry point used to connect to the switch.
    • vtyx - Indicates a standard SSH session.
    • console - Indicates a physical serial connection.
    • eAPI - Indicates the session built programmatically using the Arista eAPI.

shutdown (API Management)

The shutdown command disables management over API on the switch in API Management configuration Mode. eos disables API Management by default.

The no shutdown command enables the API managementaccess in mgmt-api configuration mode.

The default shutdown command disables the management API access in mgmt-api configuration mode.

 

Command Mode

Mgmt-API configuration

 

Command Syntax

shutdown

no shutdown

default shutdown

 

Related Command

management api http-commands places the switch in mgmt-api configuration mode.

 

Examples
  • These commands disable API access to the HTTP server.
    switch(config)# management api http-commands 
    switch(config-mgmt-api-http-cmds)# shutdown
    switch(config-mgmt-api-http-cmds)#
  • These commands enable API access to the HTTP server.
    switch(config)# management api http-commands 
    switch(config-mgmt-api-http-cmds)# no shutdown
    switch(config-mgmt-api-http-cmds)#

shutdown (Telnet Management)

The shutdown command disables or enables Telnet on the switch. eos disables by default. The management telnet command places the switch in the Telnet Management configuration Mode.
  • To enable Telnet, enter no shutdown at the Telnet Management prompt.
  • To disable Telnet, enter shutdown at the Telnet Management prompt.

     

Command Mode

Telnet Management configuration

 

Command Syntax

shutdown

no shutdown

 

Examples
  • These commands enable Telnet and return the switch to the Global configuration Mode.
    switch(config)# management telnet
    switch(config-mgmt-telnet)# no shutdown
    switch(config-mgmt-telnet)# exit
    switch(config)#

     

  • This command disables Telnet.
    switch(config-mgmt-telnet)# shutdown

shutdown

The shutdown command in the SSH or Telnet Management configuration Mode disables the SSH or Telnet service on the switch.

 

Command Mode

SSH Management configuration

Telnet Management configuration

 

Command Syntax

shutdown

 

Parameters

  • shutdown - Disable the SSH or Telnet service on the switch.

 

Example

Use the following commands to disable the SSH service.

switch(config)# management ssh
switch(config-mgmt-ssh)# shutdown
switch(config-mgmt-ssh)#

shutdown

The shutdown command in the SSH Management configuration Mode and SSH VRF configuration Mode shuts down the SSH service on the switch.

 

Command Mode

SSH Management configuration

SSH VRF configuration

 

Command Syntax

shutdown

 

Parameters

  • shutdown - Shuts down the SSH service.

 

Example

Use the following commands to shut down the SSH service on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# shutdown
switch(config-mgmt-ssh)#

Use the following commands to shut down the SSH service for VRF bluengreen on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# vrf bluengreen
switch(config-mgmt-ssh-vrf-bluengreen)# shutdown

 

timeout

The timeout command in the SSH, Telnet, or Console Management configuration Mode specifies the maximum length of a management session regardless of activity during the session. It prevents sessions from remaining open indefinitely on the switch and provides a separate behavior from the parameter idle-timeout. Both timers operate independently and the timer with the shortest session time ends the session.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

Console Management configuration

SSH Management configuration

Telnet Management configuration

 

Command Syntax

management [console | ssh | telnet]timeout timeout_period warning warning_time

[no | default] management [console | ssh | telnet] timeout

 

Parameters

  • timeout timeout_period - Configure a timeout session from 1 to 86400 minutes. Setting the timeout to 0 disables the timeout session.
  • warning warning_time - Configure a warning that notifies you that the session ends at a specific time. Configure from 0 to 3599 minutes and setting the timeout to 0 disables the warning.

 

Examples

Use the following commands to set the console timeout to 60 minutes.

switch(config)# management console
switch(config-mgmt-console)# timeout 60
switch(config-mgmt-console)#

Use the following commands to set the SSH timeout to 60 minutes.

switch(config)# management ssh
switch(config-mgmt-ssh)# timeout 60
switch(config-mgmt-ssh)#

Use the following commands to set the Telnet timeout to 60 minutes.

switch(config)# management telnet
switch(config-mgmt-telnet)# timeout 60
switch(config-mgmt-telnet)#

 

trusted-ca

The trusted-ca command in the SSH Management configuration Mode allows the switch to validate the identity of connections using standard X.509 PKI certificates.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

trusted-ca key public cert_filename

no trusted-ca

default trusted-ca

 

Parameters

  • trusted-ca - Configure trusted CA parameters.
  • key - Configure a CA public key.
  • public cert_filename - Add the CA public key filename.

 

Example

Use the following commands to add the CA certificate, MyCert, on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# trusted-ca key public MyCert
switch(config-mgmt-ssh)#

 

user-keys

The user-keys command in the SSH Management configuration Mode globally manages external files for user authentication and security.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

user-keys revoke-list list_name

no user-keys revoke-list

default user-keys revoke-list

 

Parameters

  • user-keys - Configure user keys settings.
  • revoke-list cert_filename - Specify a list of revoked SSH user keys.

 

Example

Use the following commands to add the revoked list, NoAccess, on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# user-keys revoke-list NoAccess
switch(config-mgmt-ssh)#

 

username ssh-key

The username ssh-key command in the SSH Management configuration Mode enters the Username configuration Mode and allows the application of specific SSH key to a user when they connect to SSH.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

SSH Username configuration

SSH Authorized Key configuration

 

Command Syntax

username username [ssh-key key_name] [option [agent-forwarding | cert-authority | command | environment | expiry-time | from | no-agent-forwarding | no-port-forwarding | no-pty | no-touch-required | no-user-rc | no-x11-forwarding | permit-listen | permit-open | port-forwarding | principals | pty | restrict | tunnel | user-rc | verify-required | x11-forwarding]] [public-key ssh_keystring

no username ssh-key

default username ssh-key

 

Parameters

  • username username - Specify a username to apply the SSH policies.
  • ssh-key key_name - Specify an SSH key name.
  • option - Specify any of the following options:
    • agent-forwarding ssh_options_value - Specify a value to enable authentication agent forwarding.
    • cert-authority ssh_options_value - Specify a value for the certificate authority.
    • command ssh_options_value - Specify a command to execute during authentication.
    • environment ssh_options_value - Specify a value to add a string to the environment during authentication.
    • expiry-time ssh_options_value - Specify a value for the expiration time of the key.
    • from ssh_options_value - Specify a value for patterns.
    • no-agent-forwarding ssh_options_value - Specify a value to forbid agent forwarding.
    • no-port-forwarding ssh_options_value - Specify a value to forbid port forwarding.
    • no-pty ssh_options_value - Specify a value to prevent TTY allocation.
    • no-touch-required ssh_options_value - Specify a value to not require demonstration of user presence.
    • no-user-rc ssh_options_value - Specify a value to prevent execution on ~/.ssh/rc.
    • no-x11-forwarding ssh_options_value - Specify a value to prevent .X11 forwarding.
    • permit-listen ssh_options_value - Specify a value to permit listening only on a specified host and port.
    • permit-open ssh_options_value - Specify a value to connect only to a specified host and port.
    • port-forwarding - Specify a value to enable port forwarding.
    • principals - Specify allowed principals for certificate authentication.
    • pty - Specify to permit PTY allocation.
    • restrict - Specify to enable all restrictions.
    • tunnel - Specify to force a tunnel device on the server.
    • user-rc - Specify to enable execution on ~/.ssh/rc
    • verify-required - Specify to require users to verify signatures using this key.
    • x11-forwarding - Specify a value to allow .X11 forwarding.
  • public-key ssh_keystring - Specify a public SSH key string.

 

Example

Use the following commands to apply the SSH key to a user admin on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# username admin
switch(config-mgmt-ssh-user-admin)# ssh-key mykey
switch(config-mgmt-ssh-user-admin-mykey)#

username ssh-principal

The username ssh-principal command in the SSH Management configuration Mode enters the Username configuration Mode and defines which principals in a presented SSH certificate can login as the local user.

The [no | default] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

SSH Username configuration

SSH Authorized Principal configuration

 

Command Syntax

username username [ssh-principal key_name] [option [agent-forwarding | cert-authority | command | environment | expiry-time | from | no-agent-forwarding | no-port-forwarding | no-pty | no-touch-required | no-user-rc | no-x11-forwarding | permit-listen | permit-open | port-forwarding | principals | pty | restrict | tunnel | user-rc | verify-required | x11-forwarding]]

no username ssh-principal

default username ssh-principal

 

Parameters

  • username username - Specify a username to add SSH principals.
  • ssh-principal key_name - Specify SSH one or more SSH principals.
  • option - Specify any of the following options:
    • agent-forwarding ssh_options_value - Specify a value to enable authentication agent forwarding.
    • cert-authority ssh_options_value - Specify a value for the certificate authority.
    • command ssh_options_value - Specify a command to execute during authentication.
    • environment ssh_options_value - Specify a value to add a string to the environment during authentication.
    • expiry-time ssh_options_value - Specify a value for the expiration time of the key.
    • from ssh_options_value - Specify a value for patterns.
    • no-agent-forwarding ssh_options_value - Specify a value to forbid agent forwarding.
    • no-port-forwarding ssh_options_value - Specify a value to forbid port forwarding.
    • no-pty ssh_options_value - Specify a value to prevent TTY allocation.
    • no-touch-required ssh_options_value - Specify a value to not require demonstration of user presence.
    • no-user-rc ssh_options_value - Specify a value to prevent execution on ~/.ssh/rc.
    • no-x11-forwarding ssh_options_value - Specify a value to prevent .X11 forwarding.
    • permit-listen ssh_options_value - Specify a value to permit listening only on a specified host and port.
    • permit-open ssh_options_value - Specify a value to connect only to a specified host and port.
    • port-forwarding - Specify a value to enable port forwarding.
    • principals - Specify allowed principals for certificate authentication.
    • pty - Specify to permit PTY allocation.
    • restrict - Specify to enable all restrictions.
    • tunnel - Specify to force a tunnel device on the server.
    • user-rc - Specify to enable execution on ~/.ssh/rc
    • verify-required - Specify to require users to verify signatures using this key.
    • x11-forwarding - Specify a value to allow .X11 forwarding.

 

Example

Use the following commands to add the SSH principal admin on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# username admin
switch(config-mgmt-ssh-user-admin)# ssh-principal myprincipal
switch(config-mgmt-ssh-user-admin-myprincipal)#

username tcp

The username tcp command in the SSH Management configuration Mode enters the SSH Username configuration Mode and controls if a specific user has permission to use the switch as a jump host or a tunnel endpoint using SSH Port Forwarding. It allows a user to tunnel a TCP connection through the encrypted SSH session and access devices that may otherwise be inaccessible. eos disables TCP forwarding by default.

The [no] version of the command disables the feature and removes the configuration from the running-config.

 

Command Mode

SSH Management configuration

SSH Username configuration

 

Command Syntax

username username tcp forwarding [all | local | remote]

no username tcp forwarding

default username tcp forwarding

 

Parameters

  • username username - Specify a username and enter the SSH Username configuration Mode.
  • tcp forwarding - Configure TCP forwarding options.
    • all - Specify to allow TCP forwarding for local and remote SSH servers.
    • local - Specify to allow TCP forwarding for local SSH servers only.
    • remote - Specify to allow TCP forwarding for remote SSH servers only.

 

Example

Use the following commands for the user, admin, to allow TCP forwarding for local and remote SSH servers on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# username admin
switch(config-mgmt-ssh-user-admin)# tcp forwarding all

verify

The verify command in the SSH Management configuration Mode implements the SSH Fingerprint (SSHFP) verification mechanism and allows the switch to use DNS records to validate the identify of a remote server.

The [no] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

 

Command Syntax

verify dns

no verify dns

 

Parameters

  • verify - Set options related to SSHD verification..
  • dns - Configure the SSH Daemon to verify the DNS check.

 

Example

Use the following commands to implement SSH Fingerprint verification on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# verify dns
switch(config-mgmt-ssh)#

vrf

The vrf command in the SSH or Telnet Management configuration Mode applies the SSH or Telnet service to a specific VRF or the default VRF on the switch.

 

Command Mode

SSH Management configuration

Telnet Management configuration

 

Command Syntax

vrf [default | vrf_name]

 

Parameters

  • default - Apply the SSH or Telnet service to the default VRF on the switch.
  • vrf_name - Apply the SSH or Telnet service to a specific VRF on the switch.

 

Example

Use the following commands to apply the SSH service to the VRF, bluengreen:

switch(config)# management ssh
switch(config-mgmt-ssh)# vrf bluengreen
switch(config-mgmt-ssh)#

vrf known-hosts

The vrf known-hosts command in the SSH VRF configuration Mode allows you to define a specific trusted host key file for each routing domain. By assigning a unique known hosts file to a VRF, the switch trusts that only specific identities of servers within that network segment.

The [no] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH VRF configuration

 

Command Syntax

known-hosts hostname_ip [dsa | ecdsa-nistp256 | ecdsa-nistp521 | ed25519 | rsa] base64_string

no vrf known-hosts

 

Parameters

  • known-hosts hostname_ip - Specify the known host using a hostname or an IPv4 or IPv6 address.
  • dsa - Specify the Digital Signature Algorithm algorithm.
  • ecdsa-nistp256 - Specify the Elliptic Curve Digital Signature Algorithm NIST-P256.
  • ecdsa-nistp521 - Specify the Elliptic Curve Digital Signature Algorithm NIST-P521.
  • ed25519 - Specify the Edwards-curve Digital Signature Algorithm 25519.
  • rsa - Specify the RSA Encryption Algorithm.
  • base64_string - Specify a base64 string.

 

Example

Use the following commands to add the host, 172.16.21.23, and the algorithm, dsa, to the VRF, bluengreen, on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# vrf bluengreen
switch(config-mgmt-ssh-vrf-bluengreen)# known-hosts 172.16.1.23 dsa SGVsbG8gV29ybGQh
switch(config-mgmt-ssh-vrf-bluengreen)#

vrf

The vrf command in the SSH Management configuration Mode enters the SSH VRF configuration mode and allows the configuration of specific VRF parameters.

The [no] versions of the command disable the feature and remove the configuration from the running-config.

 

Command Mode

SSH Management configuration

SSH VRF configuration

 

Command Syntax

vrf [default | vrf_name] [tunnel vrf_name]

no vrf

 

Parameters

  • vrf [default | vrf_name - Specify the default VRF or a specific VRF.

 

Example

Use the following commands to enter the SSH VRF configuration Mode for the VRF, bluengreen, on the switch:

switch(config)# management ssh
switch(config-mgmt-ssh)# vrf bluengreen
switch(config-mgmt-ssh-vrf-bluengreen)#

vrf (API Management)

The vrf command places the switch in the server's VRF configuration mode. If the named VRF does not already exist, this command creates it.

 

Command Mode

API Management configuration

 

Command Syntax

vrf VRF_INSTANCE

 

Parameters

VRF_INSTANCE - Specifies the VRF instance.
  • default - Instance created in the default VRF.
  • vrf_name - Instance created in the specified user-defined VRF.

     

Related Command

management api http-commands places the switch in API Management configuration.

 

Example

This command creates a VRF named management-vrf and places the switch in VRF configuration mode for the new VRF.
switch(config)# management api http-commands 
switch(config-mgmt-api-http-cmds)# vrf management-vrf
switch(config-mgmt-api-http-cmds-vrf-management-vrf)#