Session Management Commands
Global configuration Commands
- commit timer
- configure replace
- configure session
- management accounts
- management api eos-sdk-rpc
- management api external-services
- management api gnmi
- management api gnsi
- management api gribi
- management api http-commands
- management api models
- management api netconf
- management api restconf
- management archive
- management cli
- management client
- management console
- management data source
- management defaults
- management dmf
- management file-systems
- management http-server
- management ldap group
- management ldap server
- management package
- management security auto-certificate
- management security entropy
- management security network
- management security password
- management security session
- management security signature-verification
- management security ssl
- management nic profiles
- management ssh
- management telnet
- reset system storage secure
Service configuration Commands
- service configuration access-list
- service configuration checkpoint
- service configuration session commit
- service configuration session logging
- service configuration session max
- service configuration terminal
- service configuration verification
- service interface inactive
- service interface shutdown
- service interface unconnected
- service routing configuration
- service running-config
Management configuration Commands
- authentication x509
- authentication
- authorized-principals
- cipher
- compression
- connection
- fips
- hostkey
- idle-timeout (Console Management)
- idle-timeout (SSH Management)
- idle-timeout (Telnet Management)
- ip
- ipv6
- key-exchange
- log-level
- logging
- login
- mac
- protocol http (API Management)
- protocol https (API Management)
- protocol https certificate (API Management)
- qos
- rekey
- server-port
- session-limit
- shutdown (API Management)
- shutdown (Telnet Management)
- timeout
- trusted-ca
- user-keys
- username ssh-key
- username ssh-principal
- username tcp
- verify
- vrf known-hosts
- vrf
- vrf (API Management)
Display Commands
authentication x509
The authentication x509 command in the SSH Management Authentication x509 configuration Mode configures x509 certificates for the SSH connection.
The no version of the command disables the configuration and removes it from the running-config.
Command Mode
SSH Management configuration
Authentication x509 configuration
Command Syntax
authentication x509 [server ssl profile profile_name] [username [domain | omit]]
no authentication x509
Parameters
- authentication x509 - Configure x509 certificate authentication settings.
- server ssl profile profile_name - Specify an SSL profile to use with the SSH connection.
- username - Configure matching the SSH username to a presented X509 certificate Common Name and SAN.
- domain - Configure the treatment of the domain name in a presented X509 certificate Common Name and SAN.
- omit - Ignore the domain name in a presented X509 certificate Common Name and SAN when matching them against the logging in SSH username
Example
Use the following commands to allow SSH authentication match the SSH user name to a presented x509 certificate and ignore the domain presented in the certificate:
switch(config)# management ssh
switch(config-mgmt-ssh)# authentication x509
switch(config-mgmt-ssh-auth-x509)# username domain omit
switch(config-mgmt-ssh-auth-x509)#
authentication
The authentication command in the SSH Management configuration Mode configures authentication parameters for the SSH connection.
The no version of the command disables the configuration and removes it from the running-config.
Command Mode
SSH Management configuration
Command Syntax
authentication [empty-passwords [auto | deny | permit]] [protocol [keyboard-interactive | multi-factor | password | public-key]]
no authentication
Parameters
- authentication - Configure authentication settings.
- empty-passwords [auto | deny | permit] - Specify to permit or deny empty passwords. The configuration uses auto by default to auto-determine if allowing empty passwords or not.
- protocol [keyboard-interactive | multi-factor | password | public-key]
- keyboard-interactive - Enable keyboard interactive authentication.
- multi-factor - Enable multifactor authentication methods.
- password - Enable password authentication.
- public-key - Enable public key authentication.
Example
Use the following commands to allow SSH authentication to use empty passwords:
switch(config)# management ssh
switch(config-mgmt-ssh)# authentication empty-passwords permit
switch(config-mgmt-ssh)#
authorized-principals
The authorized-principals command in the SSH Management configuration Mode allows the configuration of authorized principals for SSH. The authorized-principals mechanism defines which identities or principals within a signed certificate have permission to log in as a specific local user.
The no version of the command disables the feature and removes the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
authorized-principals command WORD ARGUMENTS
no authorized-principals command
Parameters
- authorized-principals - Configure authorized-principals settings.
- command - Configure the authorized principals command.
- WORD - Specify the authorized principals script filename.
- ARGUMENTS - Specify the input data to pass to the authorized principals command.
Example
Use the following commands to run the script, /mnt/flash/scripts/get-principals.py:
switch(config)# management ssh
switch(config-mgmt-ssh)# authorized-principals command /mnt/flash/scripts/get-principals.py
switch(config-mgmt-ssh)#
cipher
The cipher command in the SSH Management configuration Mode defines the specific symmetric encryption algorithms used for SSH sessions. During the SSH handshake, the switch and client compare lists of supported ciphers and must find a common match to establish an encrypted tunnel. If no match found, the switch rejects the connection.
The no version of the command disables the feature and removes the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
cipher algorithm
no cipher
Parameters
- cipher - Add symmetric encryption algorithms.
- algorithm - Add any of the following algorithms to the configuration:
- 3des-cbc - Triple DES (112 bit)
- aes128-cbc - Advanced Encryption Standard (128 bit, CBC mode)
- aes128-ctr - Advanced Encryption Standard (128 bit, counter mode)
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Advanced Encryption Standard (128 bit, Galois/Counter mode)
- aes192-cbc - Advanced Encryption Standard (192 bit, CBC mode)
- aes192-ctr - Advanced Encryption Standard (192 bit, counter mode)
- aes256-cbc - Advanced Encryption Standard (256 bit, CBC mode)
- aes256-ctr - Advanced Encryption Standard (2562 bit, counter mode)
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Advanced Encryption Standard (256 bit, Galois/Counter mode)
- arcfour - Arcfour stream cipher (RC4 like)
- arcfour128 - Arcfour stream cipher (RFC 4345, 128 bit)
- arcfour256 - Arcfour stream cipher (RFC 4345, 256 bit)
- blowfish-cbc - Blowfish block cipher (128 bit, CBC mode)
- cast128-cbc - CAST-128 (RFC 2144, 128 bit, CBC mode
- This email address is being protected from spambots. You need JavaScript enabled to view it. - ChaCha20 stream cipher and Poly1305 authenticator
Example
Use the following commands to add the algorithms, aes192-cbc and blowfish-cbc, to the configuration:
switch(config)# managment ssh
switch(config-mgmt-ssh)# cipher aes192-cbc blowfish-cbc
switch(config-mgmt-ssh)#
client-alive
The client-alive command in the SSH Management configuration Mode manages the SSH session persistence and timeouts. The switch proactively checks if a connected client has an active session.
The no version of the command disables the feature and removes the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
client-alive [count-max number] interval time]
no client-alive
Parameters
- client-alive - Configure SSH Client Alive parameters.
- count-max number - Specify the number of times the switch sends a keepalive request without receiving a response before considering the session dead and terminates it. The default number is 3.
- interval time - Specify the time in seconds that the switch waits before sending a keepalive requests to the client through the encrypted channel. Use a value between 1 and 60 seconds with a default of 0. If configured as 60, the switch pings the client every minute of inactivity.
Example
Use the following commands to configure a maximum count of 5 and an interval of 10 seconds:
switch(config)# management ssh
switch(config-mgmt-ssh)# client-alive count-max 5 interval 10
switch(config-mgmt-ssh)#
commit timer
The commit timer command can automatically roll back changes performed during a configuration session if you haven't confirmed them within a preset time interval. This feature can prevent a user from committing configuration changes that could cause a network disruption. The no commit timer command deletes the session.
Command Mode
Configure Session configuration Mode
Command Syntax
commit timer hh:mm:ss
Parameters
hh:mm:ss - Specify the time interval for the commit session.
Example
switch(config-s-MySession)# commit timer 01:00:00
switch#
compression
The compressionin the SSH Management configuration Mode controls compressing the data stream from the SSH server before encrypting it. This optimizes bandwidth on slow or congested management links such as out-of-band serials consoles over LTE or saturated WAN links.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
compression disable
Parameters
- compression - Configure SSH compression algorithms.
- disabled - Disable SSH compression algorithms.
Example
Use the following commands to disable SSH compression algorithms:
switch(config)# management ssh
switch(config-mgmt-ssh)# compression disable
switch(config-mgmt-ssh)#
configure replace
The configure replace command replaces the current configuration with a new configuration from the specified source.
Command Mode
Privileged EXEC
Command Syntax
configure replace source_file_path:source_file_name [ignore-errors] [md5 md5sum] [skip-checkpoint] [vrf instance_name]
- source_file_path:source_file_name replaces the current configuration with the configuration from the specified source file.
- boot-extensions: - Replace the current configuration with the boot extensions configuration.
- certificate: - Replace the current configuration with the certificate configuration.
- checkpoint: - Replace the current configuration with the checkpoint configuration.
- clean-config: - Replace the current configuration with a clean, default configuration.
- extension: - Replace the current extensions configuration with an extensions configuration.
- file: - Replace the current configuration with a configuration from a file location.
- flash: - Replace the current configuration with a configuration from a flash location.
- ftp: - Replace the current configuration with a configuration from a FTP location.
- http: - Replace the current configuration with a configuration from an HTTP location.
- https: - Replace the current configuration with a configuration from an HTTPS location.
- installed-extensions: - Replace the current configuration with the installed extensions status.
- running-config: - Replaces the current configuration with the running configuration.
- scp: - Replace the current configuration with a configuration from an SCP location.
- sftp: - Replace the current configuration with a configuration from an SFTP location.
- snapshot: - Replace the current configuration with a configuration from a snapshot.
- ssh-auth-principals-cmd: - Retrieve a configuration from an SSH location and replace the current configuration.
- ssh-ca-key: - Retrieve a configuration from an SSH location and replace the current configuration.
- ssh-key: - Retrieve a configuration from an SSH location and replace the current configuration.
- ssh-revoke-list: - Retrieve a configuration from an SSH location and replace the current configuration.
- startup-config: - Replace the current configuration with the startup configuration.
- system: - Retrieve a configuration from a system location and replace the current configuration.
- terminal: - Retrieve a configuration from a terminal location and replace the current configuration.
- tftpt: - Retrieve a configuration from a TFTP location and replace the current configuration.
- ignore-errors - Replace the configuration and ignore errors while loading the new configuration.
- md5 md5sum - Performs a checksum to validate data integrity with the specified MD5 hashing algorithm.
- skip-checkpoint - Skips creating the checkpoint fileof running-config.
Example
switch(config)# configure replace start-config
! Preserving static routes. Use 'no ip routing delete-static-routes' to clear them.
switch#
configure session
The configure session command allows a series of temporary configuration changes and commits to running-config later by issuing the commit command. eos discards an uncommitted configuration session if the switch reboots and times out after 24 hours.
The no configure session session_name and default configure session session_name commands delete the specified configuration session.
Command Mode
Privileged EXEC
Command Syntax
configure session [session_name] [abort | commit | [description description]]
no configure session session_name
default configure session
Parameter
- session_name -Create a name for the configuration session.
- abort - Ends the configuration sessions and deletes it.
- commit - Commits the changes executed during the session.
- description description - Create a description for the configuration session.
Guidelines
- Creates a session with a name generated by the switch if you do not specify a session name.
- The switch permits up to five uncommitted sessions.
- When the switch reboots, it discards the uncommitted sessions.
- Uncommitted sessions time out after 24 hours.
Example
switch(config)#configure session
switch(config-s-sess-1)#aaa authentication dot1x default group radius
switch(config-s-sess-1)#dot1x system-auth-control
switch(config-s-sess-1)#commit
switch(config-s-sess-1)#
connection
The connection command in the SSH Management configuration Mode configures session-handling and security for SSH connections.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
connection [limit number_sessions] per-host [ number_sessions]
no connection
default connection
Parameters
- connection - Configure settings for SSH connections.
- limit number_sessions - Configure the maximum number of concurrent SSH sessions.
- per-host number_sessions - Configure the maximum number of concurrent SSH sessions from a single host.
Example
Use the following commands to configure a limit of 50 concurrent SSH sessions:
switch(config)# management ssh
switch(config-mgmt-ssh)# connection limit 50
switch(config-mgmt-ssh)#
fips
The fips command in the SSH Management configuration Mode configures the switch to strictly enforce FIPS 140-2/140-3 compliance for all incoming connections. When enabled, the switch disables all cryptographic algorithms not officially validated by Federal Information Processing Standards (FIPS).
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
fips restrictions
no fips restrictions
default fips restrictions
Parameters
- fips - Configure FIPS settings.
- restrictions - Enable FIPS algorithms for SSH connections.
Example
Use the following commands to enable FIPS algorithms for SSH connections on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# fips restrictions
switch(config-mgmt-ssh)#
hostkey
The hostkey command in the SSH Management configuration Mode configures the client connections and server connections host keys on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
hostkey [client strict-checking] [server [cert hostkey_filename] [ dsa | ecdsa-nistp256 | ecdsa-nistp521 | ed25519 | rsa] [ssh-key filename]
no hostkey
default hostkey
Parameters
- hostkey - Configure host key settings.
- restrictions - Enable FIPS algorithms for SSH connections.
- client strict-checking - Enforce strict host key checking for SSH clients.
- server - Configure the switch SSH host key settings:
- cert hostkey_filename - Specify the certificate filename for SSH on the host.
- dsa - Specify a Digital Signature Algorithm.
- ecdsa-nistp256 - Specify the Elliptic Curve Digital Signature Algorithm NIST-P256.
- ecdsa-nistp521 - Specify the Elliptic Curve Digital Signature Algorithm NIST-P521.
- ed25519 - Specify the Edwards-curve Digital Signature Algorithm 2551.
- rsa - Specify the RSA Encryption Algorithm.
- ssh-key: filename - Specify the SSH private key file name.
Example
Use the following commands to enable the client strict host key checking for SSH connections on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# hostkey client strict-checking
switch(config-mgmt-ssh)#
idle-timeout (Console Management)
The idle-timeout (Console Management) command configures the idle-timeout period for console connection sessions, and optionally, configure a warning to indicate the end of a session. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. By default, setting the idle timeout to zero disables the connection timeout automatically.
The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.
Command Mode
ManagementConsole configuration
Command Syntax
idle-timeout idle_period
no idle-timeout
default idle-timeout
Parameters
- 0 to 86400 - Configures the automatic timeout period in minutes. Setting the timer to 0 disables the idle-timeout.
- These commands configure a console idle-timeout period of three hours, then return the switch to global configuration mode.
switch(config)# management console switch(config-mgmt-console)# idle-timeout 180 switch(config-mgmt-console)# exit switch(config)# - These commands disable automatic connection timeout.
switch(config)# management console switch(config-mgmt-console)# idle-timeout 0 switch(config-mgmt-console)#
idle-timeout (SSH Management)
The idle-timeout (SSH Management) command configures the idle-timeout period for SSH connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. Setting the idle timeout to zero disables the connection timeout automatically.
The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.
Command Mode
Management SSH configuration
Command Syntax
idle-timeout idle_period
no idle-timeout
default idle-timeout
Parameters
- 0 - Disables the automatic connection timeout.
- 1 to 86400 - Configures the automatic timeout period in minutes.
- These commands configure an SSH idle-timeout period of three hours, then return the switch to global configuration mode.
switch(config)# management ssh switch(config-mgmt-ssh)# idle-timeout 180 switch(config-mgmt-ssh)# exit switch(config)# - These commands disable automatic connection timeout.
switch(config)# management ssh switch(config-mgmt-ssh)# idle-timeout 0 switch(config-mgmt-ssh)#
idle-timeout (Telnet Management)
The idle-timeout (Telnet Management) command in the Telenet Management configuration Mode configures the idle-timeout period for Telnet connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. Setting the idle timeout to zero disables the connection timeout automatically.
The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.
Command Mode
ManagementTelnet
Command Syntax
idle-timeout idle_period
no idle-timeout
default idle-timeout
Parameters
- 0 - Disables the automatic connection timeout.
- 1 to 86400 - Configures the automatic timeout period in minutes.
- These commands configure a Telnet idle-timeout period of three hours, then return the switch to global configuration mode.
switch(config)# management telnet switch(config-mgmt-telnet)# idle-timeout 180 switch(config-mgmt-telnet)# exit switch(config)# - These commands disable automatic connection timeout.
switch(config)# management telnet switch(config-mgmt-telnet)# idle-timeout 0 switch(config-mgmt-telnet)#
ip
The ip command in the SSH or Telnet Management configuration Mode configures the IPv4 access group parameters for an SSH or Telnet session.
The [no | default] versions of the command disables the configuration and removes it from the running-config.
Command Mode
SSH Management configuration
Telnet Management configuration
Command Syntax
ip access-group list_name in [vrf vrf_name]
no access-group list_name
default access-group list_name
Parameters
- access-group list_name - Specify a name for the IPv4 access control list.
- in - Apply the access control list to inbound packets.
- vrf vrf_name - Specify the VRF to apply the IP access group list. If not specified, the configuration applies to the default VRF.
Example
Use the following commands to apply the IPv6 access group list, MyAGL, to inbound packets on VRF, bluengreen, Telnet management sessions:
switch(config)# management telnet
switch(config-mgmt-telnet)# ip access-group MyAGL in vrf bluengreen
switch(config-mgmt-telnet)#
ipv6
The ipv6 command in the SSH or Telnet Management configuration Mode configures the IPv6 access group parameters for an SSH or Telnet session.
The [no | default] versions of the command disables the configuration and removes it from the running-config.
Command Mode
SSH Management configuration
Telnet Management configuration
Command Syntax
ipv6 access-group list_name in [vrf vrf_name]
no access-group list_name
default access-group list_name
Parameters
- access-group list_name - Specify a name for the IPv6 access control list.
- in - Apply the access control list to inbound packets.
- vrf vrf_name - Specify the VRF to apply the IP access group list. If not specified, the configuration applies to the default VRF.
Example
Use the following commands to apply the IPv6 access group list, MyAGL, to inbound packets on VRF, bluengreen, Telnet management sessions:
switch(config)# management telnet
switch(config-mgmt-telnet)# ipv6 access-group MyAGL in vrf bluengreen
switch(config-mgmt-telnet)#
key-exchange
The key-exchange command in the SSH Management configuration Mode specifies the mathematical algorithms used by the switch to securely negotiate a shared session key with an SSH peer. The command applies to client and server connections.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
key-exchange [This email address is being protected from spambots. You need JavaScript enabled to view it. | diffie-hellman-group-exchange-sha1 | diffie-hellman-group-exchange-sha256 | diffie-hellman-group1-sha1 | diffie-hellman-group14-sha | diffie-hellman-group14-sha256 | diffie-hellman-group16-sha512 | diffie-hellman-group18-sha512 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 | gss-curve25519-sha256- |gss-gex-sha1- | gss-group1-sha1- | gss-group14-sha1- | gss-group14-sha256- | gss-group16-sha512- | gss-nistp256-sha256- | mlkem768x25519-sha25 | sntrup761x25519-sha512 | This email address is being protected from spambots. You need JavaScript enabled to view it.]
no key-exchange
default key-exchange
Parameters
- key-exchange -Select algorithms from the following list:
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Elliptic Curve 255519 with SHA-256 algorithm.
- diffie-hellman-group-exchange-sha1 - Specify the Negotiated Group Exchange with SHA-1 algorithm.
- diffie-hellman-group-exchange-sha256 - Specify the Negotiated Group Exchange with SHA-256 algorithm.
- diffie-hellman-group1-sha1 - Specify the Oakley Group 2 with SHA-1 algorithm.
- diffie-hellman-group14-sha - Specify the Oakley Group 14 with SHA-1 algorithm.
- diffie-hellman-group14-sha256 - Specify the Oakley Group 14 with SHA-256 algorithm.
- diffie-hellman-group16-sha512 - Specify the Oakley Group 16 with SHA-512 algorithm.
- diffie-hellman-group18-sha512 - Specify the Oakley Group 18 with SHA-512 algorithm.
- ecdh-sha2-nistp256 - Specify the Elliptic Curve NIST P256 algorithm.
- ecdh-sha2-nistp384 - Specify the Elliptic Curve NIST P384 algorithm.
- ecdh-sha2-nistp521 - Specify the Elliptic Curve NIST P521 algorithm.
- gss-curve25519-sha256-Generic Security Service ECDH over Curve25519 with SHA-256 algorithm
- gss-gex-sha1- - Specify the Generic Security Service DH with SHA-1 algorithm.
- gss-group1-sha1- - Specify the Generic Security Service DH using Oakley Group 2 with SHA-1 algorithm.
- gss-group14-sha1- - Specify the Generic Security Service DH using Oakley Group 14 with SHA-1 algorithm.
- gss-group14-sha256- - Specify the Generic Security Service DH using Oakley Group 14 with SHA-256 algorithm.
- gss-group16-sha512- - Specify the Generic Security Service DH using Oakley Group 16 with SHA-256 algorithm.
- gss-nistp256-sha256- - Specify the Generic Security Service ECDH over NIST P256 with SHA-256 algorithm.
- mlkem768x25519-sha25 - Specify the Hybrid Module Lattice mlkem768 and X25519 with SHA-256 algorithm.
- sntrup761x25519-sha512 - Specify the Hybrid Streamlined NTRU Prime sntrup761 and X25519 with SHA-512 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Hybrid Streamlined NTRU Prime sntrup761 and X25519 with SHA-512 algorithm.
Example
Use the following commands to select the algorithm, ecdh-sha2-nistp256, for key exchange for SSH connections on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# key-exchange ecdh-sha2-nistp256
switch(config-mgmt-ssh)#
log-level
The log-level command in the SSH Management configuration Mode defines the verbosity of the SSH service messages sent to the system logs.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
log-level [debug | debug1 | debug2 | debug3 | error | fatal | info | quiet | verbose]
no log-level
default default
Parameters
- log-level - Select from the following list to add a log-level to the SSH service messages:
- [debug | debug1 | debug2 | debug3] - Progressively detailed troubleshooting logs.
debug3logs sensitive information and should only be used during active troubleshooting sessions. - error - Log significant errors that prevent a command or session from proceeding normally.
- fatal - Log only fatal errors that cause the SSH session or process to crash.
- info - Log standard events such as logins, logouts, and standard operational events. (Default)
- quiet - No logging for the SSH service.
- verbose - Logs detailed information about authentication and connection progress.
- [debug | debug1 | debug2 | debug3] - Progressively detailed troubleshooting logs.
Example
Use the following commands to set the log level for SSH connections on the switch to error:
switch(config)# management ssh
switch(config-mgmt-ssh)# log-level error
switch(config-mgmt-ssh)#
logging
The logging command in the SSH Management configuration Mode directs SSH service log events to the eos system logging facility (syslog).
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
logging target system
no logging
default logging
Parameters
- logging - Configure logging for the SSH service.
- target - Specify the target for the SSH/SSHD service logs.
- system - Set the target destination for the SSH log messages to the system log buffer.
Example
Use the following commands to set the log messages destination to the syslogs on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# logging target system
switch(config-mgmt-ssh)#
login
The login command in the Console, SSH, or Telnet Management configuration Mode allows the configuration of login parameters for the sessions.
The [no | default] versions of the command disables the configuration and removes it from the running-config.
Command Mode
Console Management configuration
SSH Management configuration
Telnet Management configuration
Command Syntax
login user match-list list_name [invert-result]
no login user match-list list_name
default login user match-list list_name
Parameters
- login user match-list list_name - Specify a list of users to match.
- [invert-result] - Invert the match list results.
Example
Use the following commands to match the user list, MyUsers, for a console management session:
switch(config)# managment console
switch(config-mgmt-console)# login user match-list MyUsers
switch(config-mgmt-console)#
mac
The mac command in the SSH Management configuration Mode specifies the algorithms the switch uses to verify the data integrity of SSH packets, ensuring that traffic has not been tampered with in transit.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
mac [hmac-md5-96 | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | hmac-ripemd160 | hmac-sha1 | hmac-sha1-96 | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | hmac-sha2-256 | This email address is being protected from spambots. You need JavaScript enabled to view it. | hmac-sha2-512 | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it. | This email address is being protected from spambots. You need JavaScript enabled to view it.]
no mac
default mac
Parameters
- mac - Specify algorithms from the following list.
- hmac-md5-96 - Specify the Hash Message Authentication Code MD5 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Hash Message Authentication Code MD5 for use in ESP and AH algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC MD5-96 algorithm.
- hmac-ripemd160 - Specify the Hash Message Authentication Code RIPEMD-160 algorithm.
- hmac-sha1 - Specify the Hash Message Authentication Code SHA-1 algorithm.
- hmac-sha1-96 - Specify the Hash Message Authentication Code SHA-1 for use in ESP and AH algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC SHA1-96 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC SHA1 algorithm.
- hmac-sha2-256 - Specify the Encrypt-Then-Mac HMAC SHA1 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Elliptic Curve NIST P384 algorithm.
- hmac-sha2-512 - Specify the Hash Message Authentication Code SHA2-512 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC SHA2-512 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC UMAC-128 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Hash Message Authentication Code UMAC-128 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC UMAC-64 algorithm.
- This email address is being protected from spambots. You need JavaScript enabled to view it. - Specify the Encrypt-Then-Mac HMAC UMAC-646 algorithm.
Example
Use the following commands to add the MAC algorithm, hmac-sha2-256, on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# mac hmac-sha2-256
switch(config-mgmt-ssh)#
management accounts
The management accounts command enters the Accounts Management configuration Mode and allows the creation of user accounts on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Accounts Management configuration
Command Syntax
management accounts
[no | default] management accounts
Parameters
- management accounts - Enters Accounts Management configuration Mode.
- account - Enters the Account configuration Mode after adding a user name.
- session limit value - Add the number of allowed sessions from 1 to 100 per user.
- password policy policy_name - Configure password policies.
- session default-limit value - Configure the maximum number of remote sessions per user.
- account - Enters the Account configuration Mode after adding a user name.
Example
Use the following commands to enter Accounts Management configuration Mode and add a user tech_support1 with a session limit of 10:
switch(config)# management accounts
switch(config-mgmt-accounts)# account tech_support1
switch(config-mgmt-acct-tech_support1)# session limit 10
management api eos-sdk-rpc
The management api eos-sdk-rpc command places the switch in eos SDK RPC API Management configuration Mode.
The no management api eos-sdk-rpc and default management api eos-sdk-rpc commands delete the eos SDK RPC API Management configuration statements from running-config.
eos SDK RPC API management configuration mode does not invoke a group change mode. The running-config changes immediately upon entering commands. Exiting the eos SDK RPC API Management configuration Mode does not affect the running-config. The exit command returns the switch to Global configuration Mode.
Command Mode
Global configuration
Command Syntax
management api eos-sdk-rpc
no management api eos-sdk-rpc
default management api eos-sdk-rpc
- transport (eos SDK RPC API Management)
- This command places the switch in eos SDK RPC API management configuration mode.
switch(config)# management api eos-sdk-rpc switch(config-mgmt-api-eos-sdk-rpc)# - This command returns the switch to global management mode.
switch(config-mgmt-api-eos-sdk-rpc)# exit switch(config)#
management api external-services
The management api external-services command places the switch in External Services API configuration mode.
The no management api external-services and default management api external-services commands delete the mgmt-api-external-services configuration mode statements from running-config.
External Services API configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the External Services API configuration mode does not affect the running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global configuration
Command Syntax
management api external-services
no management api external-services
default management api external-services
- shutdown (External Services API Management)
- vrf (External Services API Management)
- This command places the switch in External Services API Management configuration mode.
switch(config)# management api external-services switch(config-mgmt-api-external-services)# - This command returns the switch to global management mode.
switch(config-mgmt-api-external-services)# exit switch(config)#
management api gnmi
The management api gnmi command places the switch in GNMI API Management configuration mode.
The no management api gnmi and default management api gnmi commands delete the mgmt-api-gnmi configuration mode statements from running-config.
GNMI API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the GNMI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global configuration
Command Syntax
management api gnmi
no management api gnmi
default management api gnmi
- operation (GNMI API Management)
- provider (GNMI API Management)
- transport (GNMI API Management)
- This command places the switch in GNMI API Management configuration mode.
switch(config)# management api gnmi switch(config-mgmt-api-gnmi)# - This command returns the switch to global management mode.
switch(config-mgmt-api-gnmi)# exit switch(config)#
management api gnsi
The management api gnsi command places the switch in GNSI API management configuration mode.
The no management api gnsi and default management api gnsi commands delete the mgmt-api-gnsi configuration mode statements from running-config.
GNSI API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the GNSI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global configuration
Command Syntax
management api gnsi
no management api gnsi
default management api gnsi
- service (GNSI API Management)
- transport (GNSI API Management)
- This command places the switch in GNSI API Management configuration mode.
switch(config)# management api gnsi switch(config-mgmt-api-gnsi)# - This command returns the switch to global management mode.
switch(config-mgmt-api-gnsi)# exit switch(config)#
management api gribi
The management api gribi command places the switch in gRIBI API Management configuration mode.
The no management api gribi and default management api gribi commands delete the mgmt-api-gribi configuration mode statements from running-config.
gRIBI API Management configuration mode is not a group change mode; running-config changes immediately upon entering commands. Exiting the gRIBI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global configuration
Command Syntax
management api gribi
no management api gribi
default management api gribi
- transport (gRIBI API Management)
- This command places the switch in gRIBI API Management configuration mode.
switch(config)# management api gribi switch(config-mgmt-api-gribi)# - This command returns the switch to global management mode.
switch(config-mgmt-api-gribi)# exit switch(config)#
management api http-commands
The management api http-commands command places the switch in HTTP Commands API Management configuration Mode.
The no management api http-commands and default management api http-commands commands delete the HTTP Commands API Management configuration Mode statements from running-config.
HTTP Commands API Management configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting HTTP Commands API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global configuration
Command Syntax
management api http-commands
no management api http-commands
default management api http-commands
- This command places the switch in HTTP Commands API Management configuration Mode.
switch(config)# management api http-commands switch(config-mgmt-api-http-cmds)# - This command returns the switch to Global configuration Mode.
switch(config-mgmt-api-http-cmds)# exit switch(config)#
management api models
The management api models command places the switch in Models API Management configuration mode.
The no management api models and default management api models commands delete the Models API Management configuration statements from running-config.
Models API Management configuration mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting Models API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global configuration
Command Syntax
management api models
no management api models
default management api models
- models (Models API Management)
- modules (Models API Management)
- provider (Models API Management)
- This command places the switch in Models API Management configuration mode.
switch(config)# management api models switch(config-mgmt-api-models)# - This command returns the switch to global management mode.
switch(config-mgmt-api-models)# exit switch(config)#
management api netconf
The management api netconf command places the switch in Netconf API Management configuration mode.
The no management api netconf and default management api netconf commands delete the mgmt-api-netconf configuration mode statements from running-config.
Netconf API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Netconf API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global configuration
Command Syntax
management api netconf
no management api netconf
default management api netconf
- transport (Netconf API Management)
- This command places the switch in Netconf API Management configuration mode.
switch(config)# management api netconf switch(config-mgmt-api-netconf)# - This command returns the switch to global management mode.
switch(config-mgmt-api-netconf)# exit switch(config)#
management api restconf
The management api restconf command places the switch in Restconf API Management configuration mode.
The no management api restconf and default management api restconf commands delete the mgmt-api-restconf configuration mode statements from running-config.
Restconf API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Restconf API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global configuration
Command Syntax
management api restconf
no management api restconf
default management api restconf
- transport (Restconf API Management)
- This command places the switch in Restconf API Management configuration mode.
switch(config)# management api restconf switch(config-mgmt-api-restconf)# - This command returns the switch to global management mode.
switch(config-mgmt-api-restconf)# exit switch(config)#
management archive
The management archive command enters the Archive Management configuration Mode and allows you to manage log archives and archive space.
Command Mode
Global configuration
Archive Management configuration
Command Syntax
management archive [destination flash:] [quotapct percentage] shutdown
Parameters
- management archive - Enters the Archive Management configuration Mode.
- destination flash: - Configure a destination for the archive files.
- quotapct percentage - Set the quota percentage value from 0 to 100.
- shutdown - Disables log archiving on the switch.
Example
Use the following commands to configure the quota percentage as 50:
switch(config)# management archive
switch(config-mgmt-archive)# quotapct 50
switch(config-mgmt-archive)#
management cli
The management cli command places the switch in CLI Management configuration Mode and allows you to configure command line options.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
CLI Management configuration
Command Syntax
management cli command deprecated log
[no | default] management cli command deprecated log
Parameters
- management cli - Enters the CLI Management configuration Mode.
- command - Configure command options.
- deprecated - Configure the CLI behavior for deprecated commands.
- log - Create a syslog message when executing a deprecated command.
Example
Use the following commands to create a syslog message when executing a deprecated command:
switch(config)# management cli
switch(config-mgmt-cli)# command deprecated log
switch(config-mgmt-cli)#
management client
The management client command enters the Client Management configuration Mode and configures remote applications or scripts that utilize the switch powerful eAPI (eos API) to programmatically send configuration and show commands.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Client Management configuration
Command Syntax
management client api gnmi [group group_name member server_name] [server server_name]
[no | default] management client api gnmi
Parameters
- management client api gnmi - Configures the switch as a gNMI client.
- group group_name - Configure gNMI server group definitions.
- member server_name - Add a gNMI server to the group.
- server server_name - Add a gNMI server to the configuration.
Example
Use the following commands to add the group, gnmi_group, and the member, gnmi_server1 to the client configuration:
switch(config)# management client api gnmi
switch(config-mgmt-client-api-gnmi)# group gnmi_group member gnmi_server1
switch(config-mgmt-client-api-gnmi)#
management console
The management console command places the switch in Console Management configuration Mode to adjust the idle-timeout period for console connection sessions. The idle-timeout period determines the inactivity interval that terminates a connection session.
The no management console and default management console commands delete the Console Management configuration Mode statements from running-config.
The Console Management configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting the Console Management configuration Mode does not affect running-config. The exit command returns the switch to Global configuration Mode.
Command Mode
Global configuration
Command Syntax
management console [idle-timeout minutes] [login prompt hostname fqdn] timeout minutes warningminutes]
no management console
default management console
Parameters
- idle-timeout minutes - Configure the time a login can be idle before timing out on the switch.
- login - Configure options related to logging into the switch.
- prompt hostname fqdn - Configure the login prompt to use the hostname.
- timeout minutes warningminutes - Configure the session timeout from 0 to 86400 minutes and generate a warning message about the impending timeout. The warning value must be less than the configured timeout value.
- The following command places the switch into Console Management configuration Mode:
switch(config)# management console switch(config-mgmt-console)# - This command returns the switch to Global Management Mode:
switch(config-mgmt-console)# exit switch(config)#
management data source
The management data source command enters the Data Source Management configuration Mode and allows defining the rules and actions taken on specific data streams.
Command Mode
Global configuration
Data Source Management configuration
Command Syntax
management data source [disable] [sensor sensor_name [disabled | ip address ip_address port port] [traffic-policies [disabled] [field-set [ipv4 prefix source_name] [ [ipv6 prefix source_name] [ service source_name]]
Parameters
- management data source - Enters the Data Source configuration Mode.
- disable - Disable the management data source.
- sensor sensor_name - Specify the name of a sensor.
- disabled - Disable the sensor.
- ip address ip_address - Specify the IPv4 or IPv6 address of the sensor.
- port port - Specify the port.
- traffic-policies - Configure traffic policies to apply to the data source.
- disabled - Disable traffic policies on the switch.
- field-set - Configure field sets to use with the traffic policies.
- ipv4 prefix source_name - Specify the IPv4 prefix and source name.
- ipv6 prefix source_name - Specify the IPv6 prefix and source name.
- service source_name - Specify the service and source name.
Example
Use the following commands to configure a sensor, sensor_db, with the IPv4 address, 192.168.92.157, and port 443:
switch(config)# managment data source
switch(config-mgmt-ds)# sensor sensor_db
switch(config-mgmt-ds-sensor-sensor_db)# ip 192.168.96.157 port 443
switch(config-mgmt-ds-sensor-sensor_db)#
management defaults
The management defaults command enters the Defaults Management configuration Mode and configures storing secrets on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Defaults Management configuration
Command Syntax
management defaults secret hash [md5 | scrypt | sha-512 | yescrypt]
[no | default] management defaults
Parameters
- management defaults - Enters the Defaults Management configuration Mode.
- secret - Configure storing secrets.
- hash- Specify a hash algorithm to use for secrets.
- md5 - Specify Message-Digest Algorithm 5.
- scrypt - Specify scrypt, a password-based key derivation function (KDF) designed specifically to make brute-force attacks against hashed passwords significantly harder, even when attackers use specialized hardware like GPUs or FPGAs.
- sha-512 - Specify SHA-512 a cryptographic hash function that is part of the SHA-2 family, standardized by NIST (National Institute of Standards and Technology). It is a highly secure and widely used algorithm for ensuring data integrity and securing digital operations.
- yescrypt - Specify yescrypt, a modern, highly secure password-based key derivation function (KDF) designed as a successor and alternative to functions like PBKDF2, scrypt, and bcrypt. It was developed by Alexander Peslyak (Solar Designer) and is specifically engineered to achieve the best possible resistance against hardware-accelerated cracking attacks using GPUs, FPGAs, and ASICs.
Example
Use the following commands to add MD5 as the secret hash:
switch(config)# managment defaults
switch(config-mgmt-defaults)# secret hash md5
management dmf
The management dmf command in the DANZ Monitoring Fabric (DMF) configuration Mode allows the configuration of up to two DMF controllers on the network.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
DANZ Monitoring Fabric (DMF) configuration
Command Syntax
managment dmf [disabled] [controller address ip_address1 controller address ip_address2
[no | default]> managment dmf
Parameters
- disabled - Disables DMF on the switch.
- controller address ip_address1 - Configure the first DMF controller with an IPv4 or IPv6 address.
- controller address ip_address2 - Configure the second DMF controller with an IPv4 or IPv6 address.
Example
Use the following commands to add a DMF controller, 172.16.23.47, to the switch:
switch(config)# manangement dmf
switch(config-mgmt-dmf)# controller 172.16.21.47
switch(config-mgmt-dmf)#
management file-systems
The management file-systems command in the File Systems Management configuration Mode allows the configuration and management of the file system on the switch.
Command Mode
Global configuration
File Systems Management configuration
Command Syntax
management file-systems nfs [crash: directory_name] [file: directory_name] [flash: directory_name]
Parameters
- nfs - Specifies the network file system.
- crash: directory_name - Specify the location of the crash files.
- file: directory_name - Specify the location of the files.
- flash: directory_name - Specify the location of the flash files.
Example
Use the following commands to manage the crash files:
switch(config)# management file-systems
switch(config-mgmt-file-systems)# nfs crash:
management http-server
The management http-server command enters the HTTP Management configuration Mode of the switch to allow Application Programming Interface (API) access to the switch for programmatic commands.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
HTTP Management configuration
Command Syntax
management http-server [cors allowed-origin origin server_address | all | *]
management http-server default-services
management http-server header csp frame-ancestors uri
management http-server log-level [alert | crit | debug | emerg | error | info | notice | warn]
management http-server protocol [http [localhost | port port_number]] [https [port port_number | ssl profile_name]] [unix-socket]
management http-server qos dscp dscp_value
management http-server vrf [default | vrf_name
Parameters
- management http-server cors - Specify Cross-Origin Resource Sharing for the HTTP Server.
- allowed-origin server_address - Specify an allowed origin server IP address.
- [all | *] - Specify all to allow all CORS.
- management http-server default-services - Specify to use default services, capi-doc and tapagg, for the HTTP Server.
- management http-server header - Configure additional headers for the HTTP Server.
- csp - Specify content security policy headers.
- frame-ancestors - Specify CSP directive frame-ancestors.
- uri - Configure the URI for the host.
- management http-server log-level - Specify any of the level parameters to log as a syslog message.
- management http-server protocol - Configure server options.
- http [localhost | port port_number - Configure a local host and port for the HTTPS Server.
- https [port port_number | ssl profile_name - Configure a port and SSL profile name.
- unix-socket - Specify a Unix Domain Socket.
- management http-server qos - Configure Quality of Service (QoS) parameters.
- dscp - exit
- management http-server vrf [default | vrf_name - Specify using the default VRF on the switch or another configured VRF.
Example
Use the following commands to specify using the default services for the HTTP Server:
switch(config)# management http-server
switch(config-mgmt-http-server)# default-services
switch(config-mgmt-http-server)#
management ldap group
The management ldap command in the Global configuration mode enters the switch into LDAP Management configuration Mode and allows the configuration of an LDAP group and server. This allows the switch to authenticate and authorize users against an external Lightweight Directory Access Protocol (LDAP) server and centralizes user management.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
LDAP Management configuration
Command Syntax
management ldap [group policy policy_name group group_name rolerole_name [after | before] group_name [privilege level]
Parameters
- management ldap - Configure LDAP options.
- group policy policy_name - Configure a group policy name.
- group group_name - Configure the group name to add to the configuration.
- role role_name - Specify the role name for the group.
- [after | before] group_name - Specify adding the role before or after a rule.
- privilege level - Configure a privilege level between 0 and 15.
Example
Use the following commands to add the policy, policy1, to group, ldap_group, with the role of manager, and privilege level 10:
switch(config)# management ldap
switch(config-mgmt-ldap)# group policy policy1
switch(config-mgmt-ldap-gp-policy1)# group ldap_group role manager privilege 10
switch(config-mgmt-ldap-gp-policy1)#
management ldap server
The management ldap server command enters the LDAP Management configuration Mode and allows the configuration of an LDAP server for authentication on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
LDAP Management configuration
Command Syntax
management ldap server [defaults [authorization group policy policy_name] [base-dn domain_name] [rdn attribute user attr_name] [search username username password password] [ssl-profile profile_name] [timeout seconds]] [host host_name portport_number vrfvrf_name]
[no | default] management ldap server
Parameters
- management ldap server - Enters the LDAP Management configuration Mode and allows the configuration of an LDAP server.
- defaults - Configure default LDAP options for all servers.
- authorization group policy policy_name - Configure LDAP options for user authorization using a group policy name.
- base-dn domain_name - Specify a distinguished domain name.
- rdn attribute user attr_name - Add an attribute for a Relative Distinguished Name.
- search username username password password - Configure search options for the LDAP server.
- ssl-profile profile_name - Add an SSL profile to the configuration.
- timeout seconds - Configure the length of time to wait before timing out the session.
- host host_name - Specify a hostname or IP address of the LDAP server.
- port port_number - Specify a port number. The configuration uses port 389 by default.
- vrf vrf_name - Specify the VRF name for the configuration.
Example
Use the following commands to use arista.com as the base Domain Name:
switch(config)# management ldap
switch(config-mgmt-ldap)# server defaults
switch(config-ldap-defaults)# base-dn arista.com
switch(config-ldap-defaults)#
management nic profiles
The management nic profiles command enters the Network Interface Card (NIC) Profile configuration Mode and allow configuration of an interface for an internal service client such as ZTP or an internal monitoring process that needs to reach a provisioning server.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Network Interface Card (NIC) Profile configuration
Command Syntax
management nic profiles profile profile_name [connection [ssl profile profile_name] [timeout seconds ]] [job job_name metric path path_name] [port port_number] [system auto-discovered]] [polling interval interval
[no | default] management nic profiles profile profile_name
Parameters
- management nic profiles profile profile_name - Configure a name for the NIC profile.
- connection - Configure connection parameters:
- ssl - Add an SSL profile to the connection
- timeout - Configure the length of time, in seconds, before the connection disconnects.
- job job_name - Specifies the type of job to run on the client.
- metric path path_name - Specify the metric path, in the format of a URL, used for the job.
- port port_number - Specify a port between 1 and 65535.
- system auto-discovery - Specify if you want to auto-discover jobs on the switch.
- polling interval interval seconds - Specify a polling interval between 1 and 600 seconds.
Example
Use the following commands to add an SSL profile, secure_1, to the NIC profile, nic_mgmt:
switch(config)# management nic profiles profile nic_mgmt
switch(config-mgmt-nic-profile-nic_mgmt)# connection ssl profile secure_1
switch(config-mgmt-nic-profile-nic_mgmt)#
management package
The management package command in the Package Management configuration Mode configures a remote source for downloading optional software extension packages.
Command Mode
Global configuration
Package Management configuration
Command Syntax
management package repository repo_name [description description] [type description] [url url]
Parameters
- management package - Enters the Package Management configuration Mode on the switch.
- repository repo_name - Specify the repository name.
- description description - Create a description of repository that used in
showcommands. - type yum - Retrieve the files using yum.
- urlurl - Specify the network path to the repository server. The URL defines transport protocol for the files.
Example
Use the following commands to create a repository, prod_ext, with the URL, https://10.11.10.27/arista/extensions/:
switch(config)# management package
switch(config-mgmt-package)# management package repository pProd-Ext type url https://10.11.10.27/arista/extensions/
management security auto-certificate
The management security auto-certificate command enters the Auto-Certificate Security Management configuration Mode and automates the management and renewal of the digital certificates used by the switch for various secure management services such HTTPS for APIs.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Auto-Certificate Security Management configuration
Command Syntax
management security auto-certificate [profile profile_name [digest [sha256 | sha384 | sha512]] [key key_name ] [ parameters [distinguished-name [common-name name] [country name [email email ] [locality locality] [organizationorganization] [organization-unit unit] [serial-number number ] [state state]] [subject-alternative-name [dns dns_name] [email email] [ip ip_address] [uri uri] ] [protocol instance instance_name] [renewal seconds seconds]]
management security auto-certificate [protocol est profile_name [connection retry [count num_retries] [interval seconds seconds]] [credentials enroll [secret [0 | 7 | 8a] secret] [token [0 | 7 | 8a] token] [username username ]] [disabled] [server [ssl profile profile_name] [url url ] [vrf vrf_name
Parameters
- management security profile_name - Enters the Security Management configuration Mode.
- auto-certificate profile profile_name - Configure profile options for Automatic Certificate Management.
- digest [sha256 | sha384 | sha512 - Specify the digest algorithm used to sign a Certificate Signing Request (CSR).
- key key_name - Configure a key name used for the certificate.
- parameters - Configure the certificate parameters.
- distinguished-name - Configure a distinguished name for the certficate.
- common-name name - Specify the common name.
- country name - Specify the country.
- email email - Specify the email address used for the certificate.
- locality locality - Specify the locality.
- organization organization - Add the organization.
- organization-unit unit - Specify the organization unit.
- serial-number number - Specify the serial number.
- state state - Specify the state.
- subject-alternative-name - Configure thealternative subject nameextension.
- dns dns_name - Add the name of the DNS server.
- email email - Add the email address.
- ip ip_address - Specify the IP address of the DNS server.
- uri uri - Specify the Universal Resource Indicator (URI).
- distinguished-name - Configure a distinguished name for the certficate.
- auto-certificate protocol est profile_name - Specify the profile name for Enrollment over Secure Transport (EST).
- connection retry -Configure the number of times to retry the connection.
- count num_retries - Specify the number of retries.
- interval seconds - Specify the interval between connection retries.
- seconds - Specify the unit of time.
- credentials - Configure the credentials used with EST.
- enroll - Enrollwith the following credentials:
- secret [0 | 7 | 8a secret - Configure a secret.
- token [0 | 7 | 8a token - Configure a JSON token.
- username username - Configure a username and secret.
- secret [0 | 7 | 8asecret
- re-enroll - Re-enroll with the following credentials:
- secret [0 | 7 | 8a secret - Configure a secret.
- token [0 | 7 | 8a token - Configure a JSON token.
- username username - Configure a username and secret.
- secret [0 | 7 | 8a secret
- disabled - Temporarily disable sending requests to the EST server.
- server -Configure theEST server options:
- ssl profile profile_name - Specify an SSL profile.
- url url - Specify the URL of the EST server.
- vrf vrf_name - Specify the VRF used for the EST server.
- enroll - Enrollwith the following credentials:
- connection retry -Configure the number of times to retry the connection.
management security entropy
The management security entropy command manages the source of cryptographic entropy (randomness) and provides high quality randomness for SSH keys, SSL/TLS certificates, and random session identifiers.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Security Management configuration
Command Syntax
management security entropy source [cpu jitter] [hardware exclusive] [haveged]
[no | default] management security entropy
Parameters
- entropy source - Configure the source used for entropy on the switch.
- cpu jitter - Configure using a CPU-based source with the Jitter RNG algorithm.
- hardware exclusive - Configure using hardware exclusively for entropy.
- haveged - Use the Hardware Volatile Entropy Gathering and Extension (HAVEGED) algorithm to quickly and efficiently generate high quality cryptographic entropy.
Example
Use the following command to use cpu jitter for security entropy:
switch(config)# managment security
switch(config-mgmt-security)# entropy cpu jitter
switch(config-mgmt-security)#
management security network
The management security network command enters the Security Management configuration mode and then configures security policies that govern the access and behavior of various management applications on the switch. It defines rules to protect the control plane from unauthorized or malicious network activity.
The [no | default] versions of the command return the feature to its default settings.
Command Mode
Global configuration
Security Management configuration
Command Syntax
management security network client protocol [ftp | http | tftp] disabled
[no | default] management security network client protocol
Parameters
- network - Configure network protocols.
- client - Specify client traffic.
- protocol - Select a protocol for client traffic.
- [ftp | http | tftp] disabled - Disables the protocol and no longer allows clients to connect over these protocols.
Example
Use the following commands to disable FTP client traffic:
switch(config)# management security
switch(config-mgmt-security)# network client protocol ftp disabled
switch(config-mgmt-security)#
management security ocsp
The management security ocsp command enters the Security Online Certificate Status Protocol (OCSP) configuration Mode and quickly checks the revocations status of digital certificates used by management services such as HTTP or LDAP over TLS.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Security Management configuration
Command Syntax
management security ocsp profile profile_name [chain certificate requirement responder [all | leaf | none]] [extension nonce request [disabled | response]] [response validity-time extended-by seconds] [timeout seconds] [url url] [vrf vrf]
[no | default] management security ocsp profile profile_name
Parameters
- ocsp profile profile_name - Configure a name for the OCSP profile.
- chain - Configure a chained certificate for OCSP.
- certificate requirement - Add a check to the certificate for validity.
- responder - Configure the requirements for querying the OCSP responder.
- all - Perform OCSP verification on the whole chain.
- leaf - Specify to only perform OCSP verification on the leaf.
- none - Specify to only perform OCSP verification on certificates with a specified responder.
- extension nonce request - Configure sending a nonce in the OCSP requests.
- disabled - Specify to not send a nonce in the OCSP request.
- response - Specify to require the OCSP nonce in the OCSP response.
- response validity-time extended-by seconds - Configure a leeway time when checking the validity of OCSP responses from 1 to 10800 seconds.
- timeout seconds - Configure the length of time to timeout OCSP queries from 1 to 600 seconds.
- url url - Configure the URL of overriding OSCP responder.
- vrf vrf - Configure the VRF as the location to perform OCSP queries.
- chain - Configure a chained certificate for OCSP.
Example
Use the following commands to add the profile, OCSP_1, with an extension nonce request of disabled
switch(config)# management security
switch(config-mgmt-security)# ocsp profile OCSP_1
switch(config-mgmt-sec-ocsp-profile-OCSP_1)# extension nonce request disabled
switch(config-mgmt-sec-ocsp-profile-OCSP_1)#
management security password
The management security password command enters the Security Management configuration Mode and configures robust password policies for all local user accounts.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Security Management configuration
Command Syntax
management security password [encryption reversible aes-256-gcm] [encryption-key common custom key] [minimum length num_char] [policy policy_name [deny last pw_count] [ maximum repetitive num_char sequential num_char] [ minimum [changed num_char] [digits num_char] [length num_char] [lower num_char] [ num_char] [uppernum_char]]
[no | default] management security password
Parameters
- password - Configure password policies for the management interface.
- encryption reversible aes-256-gcm - Configure a common encryption algorithm.
- encryption-key common custom key - Configure a 32-byte customized encryption key.
- minimum length num_char - Configure a minimum length between 1 and 32 characters.
- policy policy_name - Configure password complexity settings for a policy profile.
- deny last pw_count -
- maximum [repetitive |sequential] num_char
- minimum -Configure the following minimum settings:
- changed num_char - Configure the number of positional characters that must change 0 to 65535.
- digits num_char - Configure the number of digits required for the password 0 to 65535.
- length num_char - Configure the number of characters for the password 0 to 65535.
- lower num_char - Configure the number of lower case characters required for the password from 0 to 65535.
- special num_char - Configure the number of special characters,
!"#$%&\'()*+,-./:;<=>?@[^]_`{|}~, required for the password from 0 to 65535 - upper num_char - Configure the number of lower case characters required for the password from 0 to 65535.
Example
Use the following commands to create a password policy, ldap_access, with the minimum length of 15 characters:
switch(config)# management security
switch(config-mgmt-security)# policy ldap_access
switch(config-pwd-policy-ldap_access)# minimum length 15
switch(config-pwd-policy-ldap_access)#
management security session
The management security session command enters the Security Management configuration Mode and configures the session parameters that govern the behavior, timeouts, and security of interactive management sessions.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Security Management configuration
Command Syntax
management security session shared-secret profile profile_name secret secret_name [0 | 7 | 8a]password [infinite] [ mm/dd/yyyy hh:mm:ss [infinite | datelocal-time] [receive-lifetime mm/dd/yyyy hh:mm:ss [infinite |date local-time]] [transmit-lifetime [infinite mm/dd/yyyy hh:mm:ss date local-time]]
Parameters
- session shared-secret profile profile_name - Configure a profile for shared secret settings.
- secret secret_name - Configure a name for the secret.
- 0 - Indicates that the key is not encrypted.
- 7 - Specifies that a hidden string follows.
- 8a - Specifies that an AES-256-GCM encrypted key follows.
- password - Specify a password
- infinite - Specify an infinite lifetime for the password.
- infinite
- mm/dd/yyyy - Specify a date in the month/day/year format.
- yyyy-mm-dd - Specify a date in the year-month-day format.
- mm/dd/yyyy - Specify a date in the month/day/year format.
- receive-lifetime -Configure the lifetime for receiving the key.
- infinite
- mm/dd/yyyy - Specify a date in the month/day/year format.
- yyyy-mm-dd - Specify a date in the year-month-day format.
- transmit-lifetime - Configure the lifetime for transmitting the key.
- infinite
- mm/dd/yyyy - Specify a date in the month/day/year format.
- yyyy-mm-dd - Specify a date in the year-month-day format.
- yyyy-mm-dd - Specify a date in the year-month-day format.
- infinite - Specify an infinite lifetime for the password.
- local-time - Configure secrets using the local timezone from the system clock. By default, the parameter sets to UTC.
Example
Use the following commands to configure a session to use the profile, mySession, with the secret name, mySecret, and the secret, qwerty, with an infinite receive-lifetime and transmit-lifetime, with the default local-time:
switch(config)# management security
switch(config-mgmt-security)# session shared-secret profile mySession
switch(config-mgmt-sec-sh-sec-profile-mySession)# secret mySecret 0 qwerty receive-lifetime infinite
transmit-lifetime infinite local-time
switch(config-mgmt-sec-sh-sec-profile-mySession)#
management security signature-verification
The management security signature-verification command enters the Security Management configuration Mode and apply a named SSL profile that dictates the policies for verifying the integrity of the system files related to secure TLS/SSL communications.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Security Management configuration
Command Syntax
management security signature-verification extension ssl profile profile_name
[no | default] management security signature-verification
Parameters
- signature-verification - Configure verifying signatures of files.
- extension - Specifies that the policy applies specifically to SWIX signatures.
- ssl - Specifying using SSL to verify the signatures.
- profile profile_name - Specify an SSL profile name to use for verification. It must contain a trusted root or intermediate CA certificate corresponding to the private key used by the software vendor.
Example
Use the following commands to verify SWIX signatures using the SSL profile, swix_ca:
switch(config)# management security
switch(config-mgmt-security)# signature-verification extension ssl profile swix_ca
switch(config-mgmt-security)#
management security ssl
The management security ssl command enters the SSL Security Management configuration mode to configure and manage the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) parameters for all secure management services on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
SSL Security Management configuration
Command Syntax
management security ssl [monitor expiry time [days | hours] [log interval time [days | hours]]
management security ssl [profile profile_name [certificate cert_name [auto-certificate cert_name] [common-name [key key_name] [username regexp regex]] [local cert_name key cert_name] [policy [expiry-date ignore] [key key_name]] [requirement extended-key-usage [hostname match] [key key_name]] [chain [certificate cert_name] [local cert_name] [policy [expiry-date ignore]] [requirement [basic-constraint ca true] [include root-ca]] [cipher [v1.0 cipher_list] [v1.3 cipher_list] [diffie-hellman parameters [ffdhe2048 | ffdhe3072 | ffdhe4096 | generated]] [dtls version [1.0 | 1.2 | add | remove]] [fips restrictions] [key-establishment-group group_names] [peer certificate [format ip-address exact] [requirement [hostname match subject-alternative-name [common-name]]] [revocation [crl [name crl_name] [policy expiry-date ignore]] [ocsp profile profile_name]] [signature algorithm alg_list] [tls versions [1.0 | 1.1 | 1.2 | 1.3 | add | remove]] [trust [certificate cert_name] [policy expiry-date ignore]] [requirement [basic-constraint ca true] [hostname fqdn]] [system]
[no | default] management security ssl monitor
[no | default] management security ssl profile
Parameters
- ssl monitor - Configure monitoring options for all certificates.
- expiry - Log SSL monitoring warnings for certificates approaching an expiration date.
- time [days | hours] - Configure the amount of time prior to certificate expiration from 1 to 999 in days or hours.
- log interval - Configure logging intervals for sending logs to the syslog server.
- time [days | hours] - Configure the length of time between send log messages from 1 to 999 in days or hours.
- ssl profile profile_name - Configure an SSL profile for SSL Security Management.
- certificate - Configure a certificate for self-authentication.
- cert_name - Specify the name of the certificate.
- auto-certificate profile_name - Specify the name of an auto-certificate profile.
- common-name
- key key_name - Configure the key matching the certificate.
- username regex regex - Configure the REGEX to extract the username.
- local cert_name - Configure a local certificate name.
- key key_name - Configure a key matching the local certificate.
- policy - Configure the policy for the certificate.
- expiry-date ignore - Ignore the expiration date of the certificate.
- key key_name - Configure a key matching the certificate.
- requirement - Add a check to validate the certificate.
- extended-key-usage - Configure extended key usage for the certificate.
- hostname match - Specify to verify and match the hostname for the certificate.
- key key_name - Configure a key matching the certificate.
- chain - Configured chained certificates.
- certificate cert_name - Specify a certificate name.
- local cert_name - Configure a local certificate name.
- policy - Configure the policy for the certificate.
- expiry-date ignore - Ignore the expiration date of the certificate.
- requirement - Add a check to validate the certificate.
- extended-key-usage - Configure extended key usage for the certificate.
- hostname match - Specify to verify and match the hostname for the certificate.
- cipher - Configure TLS ciphers.
- v1.0 cipher_list - Specify the cipher lists, separated by a colon, for TLS versions 1.0, 1.1, and 1.2.
- v1.3 cipher_list - Specify the cipher lists, separated by a colon, for TLS versions 1.3.
- diffie-hellman parameters - Configure Diffie-Hellman parameters:
- ffdhe2048 - Specify from RFC7919.
- ffdhe3072 - Specify from RFC7919.
- ffdhe4096 - Specify from RFC7919.
- generated - Specify 2048-bit parameters generated by the switch.
- dtls version - Configure Datagram Transport Layer Security (DTLS) settings:
- 1.0 - Specify DTLS version 1.0.
- 1.2 - Specify DTLS version 1.2.
- add - Add versions to the list.
- remove - Remove versions from the list.
- fips restrictions - Configure FIPS restrictions.
- key-establishment-group group_names - Configure TLS 1.3 key establishment groups using canonical names recognized by the TLS standards.
- peer certificate - Configure peer-related certificate options:
- format ip-address exact - Specify the format rules for IP addresses to reject wildcards in the IP address.
- requirement hostname match subject-alternative-name [common-name] - Specify a check for certificate validity to include hostname matching for the common name.
- revocation - Configure checking of the revocation status for certificates.
- crl name crl_name - Specify the name of the Certificate Revocation List (CRL).
- policy expiry-date ignore - Configure the policy to ignore certificate expiration dates.
- ocsp profile profile_name - Specify the name of the Online Certificate Status Protocol (OCSP) profile.
- crl name crl_name - Specify the name of the Certificate Revocation List (CRL).
- signature algorithm alg_list - Specify the TLS signature algorithm list.
- tls - Configure TLS settings.
- versions - Specify the TLS version:
- 1.0
- 1.1
- 1.2
- 1.3
- add - Add versions to the list.
- remove - Remove versions from the list.
- versions - Specify the TLS version:
- trust - Configure a trusted certificate.
- certificate cert_name - Specify the name of a certificate.
- policy expiry-date ignore - Configure the policy to ignore expiration dates.
- requirement - Add a check to validate the certificate.
- basic-constraint ca true - Configure the Certificate Authority attribute to true and allow the CA to sign and issue other certificates in the trust chain This certificate is the trust anchor or an intermediate authority.
- hostname fqdn - Specify that the hostname must be a fully qualified domain name without wildcards.
- system - Specify using a system-supplied trust certificate.
- certificate - Configure a certificate for self-authentication.
Example
Use the following commands to set the SSL monitoring of certificates to log warning for certificate expiration to 10 days and log the warning to syslog every 8 hours:
switch(config)# management security
switch(config-mgmt-security)# ssl monitor expiry 10 days log interval 8 hours
switch(config-mgmt-security)#
management ssh
The management ssh command places the switch in SSH Management configuration Mode to adjust SSH session connection parameters.
The no management ssh and default management ssh commands delete the SSH Management configuration Mode statements from running-config.
The mgmt-ssh configuration mode does not provide a group change mode. The running-config changes immediately upon entering commands. Exiting the SSH Management configuration Mode does not affect running-config. The exit command returns the switch to Global configuration Mode.
Command Mode
Global configuration
Command Syntax
management ssh
no management ssh
default management ssh
- authentication - Change authentication settings.
- authorized-principals - Configure the authorized principals settings.
- cipher - Configure an exclusive list of cryptographic ciphers for SSH.
- client-alive - Set SSH ClientAlive options.
- compression - Configure SSH compression algorithms.
- connection - Configure settings for SSH connections.
- fips restrictions - Configure FIPS settings.
- hostkey - Set SSH hostkey related options.
- idle-timeout - Set idle session timeout (minutes).
- ip access group - Set the SSH IPv4 configuration.
- ipv6 access group - Set the SSH IPv6 configuration.
- key-exchange - Configure an exclusive list of key-exchange methods for SSH.
- log-level - Configure SSH daemon logging level.
- logging - Configure SSH system logging.
- login timeout - Configure options related to logging into SSH.
- mac hmac - Exclusive list of MAC algorithms for SSH.
- qos - Configure QoS parameters.
- rekey - Configure the length of time before rekeying SSH connections.
- server-port - Change the server port.
- shutdown - Disable SSH on the switch.
- trusted-ca - Configure a trusted certficate.
- user-keys - Configure SSH user key settings.
- username - Configure SSH user-specific settings.
- verify - Configure option for SSH verification.
- vrf - Configure the VRF to use for SSH.
- This command places the switch in SSH Management configuration Mode:
switch(config)# management ssh switch(config-mgmt-ssh)# - This command returns the switch to Global configuration Mode:
switch(config-mgmt-ssh)# exit switch(config)#
management telnet
The management telnet command places the switch in Telnet Management configuration Mode to adjust Telnet session connection parameters.
The no management telnet and default management telnet commands delete the Telnet Managementconfiguration Mode statements from running-config.
The Telnet Management configuration Mode does not provide a group change mode. The running-config changes immediately upon entering commands. Exiting the Telnet Management configuration Mode does not affect the running-config. The exit command returns the switch to Global configuration Mode.
Command Mode
Global configuration
Command Syntax
management telnet
no management telnet
default management telnet
- This command places the switch in Telnet Management configuration Mode:
switch(config)# management telnet switch(config-mgmt-telnet)# - This command returns the switch to Global configuration Mode:
switch(config-mgmt-telnet)# exit switch(config)#
management timeout
The management timeout command in the Console, SSH, or Telnet configuration Mode allows the configuration of the SSH, Telnet, and Console timeout parameter.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Console configuration
SSH configuration
Telnet configuration
Command Syntax
management [console | ssh | telnet] timeout minutes warning minutes]
no management [console | ssh | telnet] timeout
default management [console | ssh | telnet]
Parameters
- timeout minutes warning minutes - Configure the session timeout from 0 to 86400 minutes and generate a warning message about the impending timeout. The warning value must be less than the configured timeout value..
Example
Specify a console timeout of 30 minutes and issue a warning 5 minutes before closing the session:
switch(config)# management console
switch(config-mgmt-console)# timeout 30 warning 25
protocol http (API Management)
The protocol http command enables the hypertext transfer protocol (HTTP) server.
The no protocol http and default protocol http commands disable the HTTP server by removing the protocol http statement from running-config.
Command Mode
Mgmt-API configuration
Command Syntax
protocol http [TCP_PORT]
no protocol http
default protocol http
- TCP_PORT Port number used for the HTTP server. Options include:
- no parameter Specifies default port number 80.
- port 1 to 65535 Specifies HTTP server port number. The value ranges from 1 to 65535.
- localhost The name of the server bound on the localhost.
- port The number of the TCP port to serve on.
Related Commands
management api http-commands places the switch in mgmt-api configuration mode.
Example
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)#
protocol https (API Management)
The protocol https command enables the HTTP secure server. The HTTP secure server is active by default.
The default protocol https command restores the default setting by removing the no protocol https statement from running-config. The no protocol https command disables the HTTP secure server.
Command Mode
API Management configuration
Command Syntax
protocol https [TCP_PORT]
no protocol https
default protocol https
- TCP_PORT - Port number used for the HTTPS server. Options include:
- no parameter - Specifies default port number 443.
- port 1 to 65535 - Specifies HTTP server port number. The value ranges from 1 to 65535.
- certificate - The HTTPS key and certificate to use for the switch.
- cipher - Exclusive list of cryptographic ciphers.
- key-exchange - Exclusive list of key-exchange algorithms.
- mac - Exclusive list of MAC algorithms.
- port - The TCP port number to serve on.
- ssl - Configure SSL options.
Related Commands
management api http-commands places the switch in API Management configuration Mode.
- These commands enables service to the HTTP server. The no shutdown command allows access to the service.
switch(config)# management api http-commands switch(config-mgmt-api-http-cmds)# protocol https switch(config-mgmt-api-http-cmds)# no shutdown - These commands specify the port number used for the HTTPS server. The no shutdown command allows access to the service.
switch(config)# management api http-commands switch(config-mgmt-api-http-cmds)# protocol https port 52 switch(config-mgmt-api-http-cmds)# no shutdown
protocol https certificate (API Management)
The protocol https certificate command configures the HTTP secure server to request an X.509 certificate from the client. The client then authenticates the certificate with a public key.
The no protocol https certificate and default protocol https certificate commands restore default behavior by removing the protocol https certificate statement from running-config.
Command Mode
API Management configuration
Command Syntax
protocol https certificate
no protocol https certificate
default protocol https certificate
Related Command
management api http-commands places the switch in API Management configuration Mode.
Example
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# protocol https certificate
switch(config-mgmt-api-http-cmds)#
qos
The qos command in the SSH Management configuration Mode applies the Differentiated Services Code Point (DSCP) markings to SSH traffic and ensures prioritizing packets on the network.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
qos dscp dscp_value
no qos dscp
default qos dscp
Parameters
- qos dscpdscp_value - Apply a QoS DSCP value between 0 and 63 to SSH traffic. Using 0 applies a Best Effort tag to the traffic.
Example
Use the following commands to set the QoS DSCP value to 16 (Network Management) on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# qos dscp 16
switch(config-mgmt-ssh)#
rekey
The rekey command in the SSH Management configuration Mode forces the SSH session to renegotiate new symmetric encryption keys after meeting a specific threshold.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
rekey [frequency data_amount [gbytes | kbytes | mbytes]] [interval time [days | hours | minutes | seconds | weeks]]
no qos dscp
default qos dscp
Parameters
- rekey frequency data_amount - Specify the quantity of data sent through the SSH session before triggering a rekey. Use one of the following units:
- gbytes - Specify Gigabytes.
- kbytes - Specify Kilobytes.
- mbytes - Specify Megabytes.
- interval time - Specify an interval in time using one of the following units:
- days - Specify the interval in days.
- hours - Specify the interval in hours.
- minutes - Specify the interval in minutes.
- seconds - Specify the interval in seconds.
- weeks - Specify the interval in weeks.
Examples
Use the following commands to set the rekey frequency to 10 Gigabytes on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# rekey frequency 10 gbytes
switch(config-mgmt-ssh)#
Use the following commands to set the rekey interval to 8 hours on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# rekey interval 8 hours
switch(config-mgmt-ssh)#
reset system storage secure
Use the reset system storage secure command to trigger the secure erase mechanism. Secure erase is a command that deliberately, permanently, and irreversibly removes and destroys the data stored on a storage device, rendering that data unrecoverable.
Command Mode
EXEC
Command Syntax
reset system storage secure
- To trigger the secure erase mechanism, use the reset system storage secure command.
switch# reset system storage secure WARNING! This will destroy all data and will NOT be recoverable. Device will reboot into Aboot, and execution may take up to one hour. Would you like to proceed? [y/N] - If a particular platform does not support the reset system storage secure command , the following message appear:
switch#reset system storage secure % Unavailable command (not supported on this hardware platform)
show inventory
The show inventory command displays the hardware components installed in the switch. Each component has a serial number and a description.
Command Mode
EXEC
Command Syntax
show inventory
Example
switch> show inventory
System information
Model Description
------------------------ ----------------------------------
DCS-7150S-52-CL 52-port SFP+ 10GigE 1RU + Clock
HW Version Serial Number Mfg Date
----------- -------------- ----------
02.00 JPE13120702 2013-03-27
System has 2 power supply slots
Slot Model Serial Number
---- ---------------- ----------------
1 PWR-460AC-F K192KU00241CZ
2 PWR-460AC-F K192L200751CZ
System has 4 fan modules
Module Number of Fans Model Serial Number
------- --------------- ---------------- ----------------
1 1 FAN-7000-F N/A
2 1 FAN-7000-F N/A
3 1 FAN-7000-F N/A
4 1 FAN-7000-F N/A
System has 53 ports
Type Count
---------------- ----
Management 1
Switched 52
System has 52 transceiver slots
Port Manufacturer Model Serial Number Rev
---- ---------------- ---------------- ---------------- ----
1 Arista Networks SFP-10G-SR XCW1225FD753 0002
2 Arista Networks SFP-10G-SR XCW1225FD753 0002
51 Arista Networks SFP-10G-SR XCW1225FD753 0002
52 Arista Networks SFP-10G-SR XCW1225FD753 0002
switch>
server-port
The server-port command in the SSH Management configuration Mode defines the TCP port or ports that SSH servers listen for incoming connections.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
server-port port_number
no server-port
default server-port
Parameters
- server-portport_number - Specify a port number from 1 to 32767 with a default of 22 to listen for incoming SSH connections on the switch.
Example
Use the following commands to set the port number to 80 on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# server-port 80
switch(config-mgmt-ssh)#
service configuration access-list
The service configuration access-list command configures how the switch compiles, stages, or validates access lists when the lists receive modifications or pushed to the hardware ASICs.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service configuration access-list symbols
no service configuration access-list symbols
default service configuration access-list symbols
Parameters
- access-list - Specify access list configuration parameters.
- symbols - When enabled, if you configure an ACL using port numbers, the switch automatically translates recognizable ports into symbolic names when issuing the show ip access-lists command.
When disabled, the switch removes human-readable text and forces all entries to display the literal numeric values.
Example
When the switch has symbols enabled, and you configure an access list with port 80, the display output for an access list has the following output:
switch(config-acl-TEST)# permit tcp any any eq 80
switch# show running-config section TEST
ip access-list TEST
10 permit tcp any any eq www
When the switch has symbols disabled, the output removes human-readable text and all entries display literal numeric values:
switch# show running-config section TEST
ip access-list TEST
10 permit tcp any any eq 80
service configuration checkpoint
The service configuration checkpoint command configures the number of system configuration checkpoints on the switch. By default, eos tracks and retains a maximum of 20 system configuration checkpoints.
If you make frequent configuration changes or want a deeper historical safety net of snapshots, you can increase or decrease the retention limits.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service configuration checkpoint max saved max_number
no service configuration checkpoint max
default service configuration checkpoint max
Parameters
- checkpoint - Create a new checkpoint limit on the switch.
- max - Configure the maximum number of checkpoints.
- saved max_number - Configure the number of saved checkpoints on the switch.
Example
Use the following command to increase the number of saved checkpoints to 50:
switch(config)# service configuration checkpoint max saved 50
switch(config)#
To display the new limit, use the show configuration checkpoints command:
switch# show configuration checkpoints
Maximum number of checkpoints: 50
Hash Name Date User
------- ---- -------------------- -----
b8ad7c5 2025-01-06 23:11:28 eos
04fc850 2025-03-25 00:07:47 eos
a4d90e4 2025-03-25 00:07:48 admin
62e76ba 2025-03-25 01:36:30 eos
c812e22 2025-03-25 01:36:32 admin
932c042 2025-03-25 01:37:06 admin
dfbb566 2025-04-04 05:56:06 eos
e09ea3a 2025-04-04 05:56:07 admin
263fa99 2025-04-24 15:51:25 eos
3cfd199 2025-04-24 15:51:25 admin
278367f 2025-05-22 13:28:27 eos
f25f264 2025-05-22 13:28:28 admin
ce72f7f 2025-06-10 11:36:27 eos
889fe0e 2025-06-10 11:36:29 admin
If you decrease the saved checkpoint limit from your current limit, eos purges the extra saved checkpoint files to meet your new limit.
service configuration session commit
The service configuration session command manages the system limits for configuration sessions. configuration sessions allow you to stage, review, and test commands in a temporary workspace before committing them to the active running configuration. Use this command to configure the number of saved sessions in the switch memory.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service configuration session [commit [merge [save startup-config] [timer default hh:mm:ss interactive
no service configuration session
default service configuration session
Parameters
- session - Configure session settings.
- merge - Perform a three-way merge on the commit.
- save startup-config - Autosave the session to the startup configuration.
- timer default hh:mm:ssinteractive - Commit the session with a timeout. If not committed within the time limit, the configuration reverts to the original configuration.
Example
Use the following command to configure a default timer of 1 hour apply it to the current running configuration:
switch(config)# service configuration session commit timer default 01:00:00 interactive
switch(config)#
service configuration session logging
The service configuration session logging command configures the switch to print the results, verification checks, or error logs of the session to the screen as the switch processes a commit.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service configuration session logging terminal
no service configuration session logging terminal
default service configuration session logging terminal
Parameters
- terminal - Print to the console any configuration session state changes.
Example
Use the following command to enable the feature:
switch(config)# service configuration session logging terminal
switch(config)#
service configuration session max
The service configuration session max command sets the retention and concurrency limits for system configuration sessions. Configure the limit for pending and completed sessions.
Command Mode
Global configuration
Command Syntax
service configuration session max completed num_sessions pending num_sessions
no service configuration session max
default service configuration session max
Parameters
- session max - Configure the maximum number of configuration sessions on the switch.
- completed num_sessions - Specify the maximum number of completed sessions kept in memory from 0 to 20 sessions. After staging and committing a session, eos saves a record of that session for auditing and rollback purposes. By default, eos retains a limited number of historical commits, 1 by default, and increasing the limit creates a deeper audit trail.
- pending num_sessions - Specify the maximum number of pending sessions kept in memory from 1 to 20 sessions. By default, eos limits the sessions to 1 pending session to prevent multiple administrators from staging conflicting changes at the same time. Once reaching the limit, the switch blocks creation of new sessions until committing or aborting an old one.
Examples
Use the following command to increase the number of pending sessions from 1 to 5:
switch(config)# service configuration session max pending 5
switch(config)#
Use the following command to increase the number of completed sessions from 1 to 15:
switch(config)# service configuration session max completed 15
switch(config)#
To display the configured maximums, use the show configuration sessions command:
switch# show configuration sessions
Maximum number of completed sessions: 50
Maximum number of pending sessions: 5
Name State User Terminal Time
----------- --------------- ---------- ----------- -------------------
BGP_PEER pending admin vty3 2026-04-28 11:45:12
OSPF_TUNE completed automation vty1 2026-04-27 09:12:45
service configuration terminal
The service configuration terminal command disables standard live configuration mode and dictates the use of configuration sessions instead. Before disabling the terminal feature, administrators can make immediate changes to the running configuration and alter the forwarding plane of the switch. When disabled, administrators must create configuration sessions to build a staged workplace to make changes and then explicitly use commit to add the configuration changes to the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service configuration terminal disabled
no service configuration terminal
default service configuration terminal
Parameters
- terminal disabled- Disable the standard terminal behavior on the switch.
Examples
Use the following command to disable the standard terminal behavior on the switch:
switch(config)# service configuration terminal disabled
switch(config)#
service configuration verification
The service configuration verification command dictates if the switch pre-validates the Quality of Service (QoS) configuration against the hardware physical capabilities before allowing you to successfully commit the change.
The physical silicon on the switch has deep ties to the QoS capabilities. When you create QoS policies, such as policy maps, class maps, or port shaping rates, the CLI may accept the commands, but the underlying hardware might not have enough TCAM space, hardware queues, or buffer memory to support it.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service configuration verification qos
no service configuration verification qos
default service configuration verification qos
Parameters
- verification qos - Enable strict QoS verification on the hardware during commits.
Examples
Use the following command to enable the strict QoS verification on the switch:
switch(config)# service configuration verification qos
switch(config)#
service interface inactive
The service interface inactive command forces system level visibility and default state toggles to expose subordinate lanes.
By default, if you configure a port for breakout mode but have not physically plugged in the cable yet, eos suppresses the inactive subordinate lanes.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service interface inactive expose [port-id allocation disabled]
no service interface inactive
default service interface inactive
Parameters
- inactive expose - Expose subordinate lanes in the CLI even if physically down or missing the proper cabling.
- port-id allocation disabled - Specify to stop assigning port IDs to inactive interfaces and dynamically allocate port IDs only to actively linked ports or participating in the forwarding plane.
Examples
Use the following command to expose subordinate lanes in the CLI:
switch(config)# service interface inactive expose
switch(config)#
Use the following command to free up unused IDs on the switch:
switch(config)# service interface inactive port-id allocation disabled
switch(config)#
service interface shutdown
The service interface shutdown command introduces a global, system-wide buffer window between entering a shutdown command and physically shutting down the link. During the delay, the physical link stays alive just long enough for the control plane to warn the connected neighbor of the intentional shutdown.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service interface shutdown delay milliseconds
no service interface shutdown delay
default service interface shutdown delay
Parameters
- interface shutdown delay milliseconds - Specify the time to delay shutting down the interface. Configure a value from 1 to 1000 milliseconds.
Example
Use the following command to configure a shutdown delay of 10 milliseconds:
switch(config)# service interface shutdown delay 10
switch(config)#
service interface unconnected
The service interface unconnected command exposes ethernet interfaces that do not physically exist on the switch, but instead exist as internally hardwired loopback ports. In eos, the interfaces have the designation Unconnected ethernet (Ue) ports and used by the hardware ASIC for packet recirculation. By default, eos does not display these interfaces, but in some cases, exposing them may assist with troubleshooting hardware recirculation and identify interfaces dropping packets on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service interface unconnected expose
no service interface shutdown delay
default service interface shutdown delay
Parameters
- interface unconnected expose - Expose unconnected interfaces on the switch.
Example
Use the following command to expose unconnected interfaces:
switch(config)# service interface unconnected expose
switch(config)#
Use the show interfaces status command to display the interface status:
switch# show interfaces status
Port Name Status Vlan Duplex Speed Type
...
Et48 notconnect 1 auto auto 10GBASE-CR
Ue1 connected 1 full 10G Unconnected
Ue2 connected 1 full 10G Unconnected
service routing configuration
The service routing configuration command dictates the backend architecture of the routing daemon and determines how the switch parser compiles control-plane logic.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global configuration
Command Syntax
service routing configuration[bgp no-equals-default] [route-map [no-set-community explicit-members] [set-operations [merged | sequential]
no service routing configuration
default service routing configuration
Parameters
- verification qos - Enable strict QoS verification on the hardware during commits.
- bgp no-equals-default - Removes the default behavior from the running configuration output and displays only configured behavior.
- route-map - Configures route map behavior on the switch.
- no-set-community explicit-members - Negates specific community values from an existing list and cleans up the running-configuration output.
- set-operations [merged | sequential] - If selecting sequential, eos enforces the execution of the set commands in strict top to bottom sequence.
Examples
Use the following command to remove BGP default behavior from the running configuration output:
switch(config)# service routing configuration bgp no-equals-default
switch(config)#
service routing protocols
The service routing protocols command dictates the underlying software architecture that the switch uses to process all Layer 3 routing protocols.
Command Mode
Global configuration
Command Syntax
service routing protocols model multi-agent
default routing protocols
Parameters
- routing protocols - Enable the underlying software to process all Layer 3 routing protocols.
- model multi-agent - Enable using the ArBGP architecture to completely decouple the routing stack into independent, multi-threaded processes. Each protocol uses a separate process to provide significantly faster convergence and natively supports multi-tenant architectures such as EVPN, VXLAN overlays, and IPv6 underlays.
Example
Use the following command to enable multi-agent processing for routing protocols:
switch(config)# service routing protocols model multi-agent
switch(config)#
service running-config
The service running-config command manages how the switch generates, processes, and displays the running configuration file. Executing the running configuration file on switches with very large configurations impacts the switch performance by spiking the CPU usage. Use this command to manage the running configuration file.
The [no | default] versions of the command cause the switch to dynamically compile the running configuration file for every request.
Command Mode
Global configuration
Command Syntax
service running-config [cache disabled] [copy use-config-session] [timestamp]
no service running-config
default service running-config
Parameters
- cache [disabled] - Enable caching of the running configuration file by instructing the switch to generate and hold a pre-compiled text version of the configuration in memory. Once enabled, use the disabled parameter to dynamically generate the configuration when requested.
- copy use-config-session - Enable this parameter to override the default merge behavior and enforce a strict replace or enforce session-based validations before applying the copied file.
- timestamp - Enable to inject a timestamp in the header of the running-config file.
Example
Use the following command to enable caching of the running-config file:
switch(config)# service running-config cache
switch(config)#
session-limit
The session-limit command in the Telnet Management configuration Mode configures the maximum number of Telnet sessions from a single host and the maximum number of sessions.
The no version of the command removes the configuration from the running-config.
Command Mode
Telnet Management configuration
Command Syntax
session-limit num_sessions[per-host num_sessions]
no session-limit
default session
Parameters
- session-limit num_sessions - Configure the maximum number of global Telnet sessions. Sets it to 20 by default.
- per-host num_sessions - Configure the maximum number of global Telnet sessions per host. Sets it to 20 by default.
Example
Use the following commands to configure a global Telnet sessions limit of 25:
switch(config)# managment telnet
switch(config-mgmt-telnet)# session-limit 25
switch(config-mgmt-telnet)#
show configuration checkpoints
The show configuration checkpoints command displays a high level table of all saved configuration snapshots currently stored on the switch.
Command Mode
EXEC
Command Syntax
show configuration checkpoints
Example
Use the following command to display all saved configuration snapshots:
switch# show configuration checkpoints
Maximum number of checkpoints: 20
Filename Date User
------------------------------- -------------------- ------
ckp-20231024-0 2023-10-24 14:00:01 admin
ckp-20231024-1 2023-10-24 15:30:22 admin
PRE_BGP_CHANGE 2023-10-25 09:15:00 automation
The output displays the following information:
- Maximum number of checkpoints - Indicates the current system limit for the number of historical snapshots allowed for retention in memory. By default, eos limits 20 snapshots, but you can adjust it using the command service configuration checkpoint max. If the switch reaches the limit of snapshots, eos begins automatically purging the oldest checkpoints using a First-In, First-Out (FIFO) method.
- Filename - Displays the name of the checkpoint file stored in the flash memory.
- Auto-generated checkpoints - If the switch creates the checkpoint automatically, for example, during a configuration session commit or an automated rollback, the file uses a standard naming convention of
ckp-YYYYMMDD-X - Manual checkpoints - If an administrator or automated script generated the snapshot, eos uses a custom string as the filename.
- Auto-generated checkpoints - If the switch creates the checkpoint automatically, for example, during a configuration session commit or an automated rollback, the file uses a standard naming convention of
- Date - The exact system timestamp in the format
YYYY-MM-DD HH:MM:SSwhen created. - User - Identifies the specific username or script name that executed the command or triggered the automated process to create the snapshot.
show configuration sessions
The show configuration sessions command displays information about configuration sessions created on the switch. If you rely on configuration sessions instead of live terminal configuration, use the output to manage the lifecycle of your staged configuration workspaces.
Command Mode
EXEC
Command Syntax
show configuration sessions [detail]
Example
Use the following command to display all saved configuration snapshots:
switch# show configuration sessions
Maximum number of completed sessions: 10
Maximum number of pending sessions: 5
Name State User Terminal
------------------ --------------- ---------- -----------
ADD_BGP_PEER pending admin vty1
vlan-changes completed admin vty1
ansible_10928 completed automation eAPI
sess-20260430-1 aborted jdoe vty3
- Maximum number of completed sessions - Displays the number of historical committed session diffs allowed in memory before overwriting the oldest ones (FIFO).
- Maximum number of pending sessions - Displays the number of active and uncommitted staging workspaces open concurrently on the switch.
- Name - Displays the identifier for the session. If using a name for the session, the output displays that information. By default, eos generates a name with the format
sess-YYYMMDD-X. - State - Displays the current lifecycle of the session:
pending- Session currently open with actively staged commands but not applied to the control plane yet.completed- Session successfully committed and applied to the running-config.aborted- Session manually canceled or failed a pre-check validation. Changes discarded.
- User - The specific local or TACACs/RADIUS username that created the session.
- Terminal - Displays the entry point used to connect to the switch.
vtyx- Indicates a standard SSH session.console- Indicates a physical serial connection.eAPI- Indicates the session built programmatically using the Arista eAPI.
shutdown (API Management)
The shutdown command disables management over API on the switch in API Management configuration Mode. eos disables API Management by default.
The no shutdown command enables the API managementaccess in mgmt-api configuration mode.
The default shutdown command disables the management API access in mgmt-api configuration mode.
Command Mode
Mgmt-API configuration
Command Syntax
shutdown
no shutdown
default shutdown
Related Command
management api http-commands places the switch in mgmt-api configuration mode.
- These commands disable API access to the HTTP server.
switch(config)# management api http-commands switch(config-mgmt-api-http-cmds)# shutdown switch(config-mgmt-api-http-cmds)# - These commands enable API access to the HTTP server.
switch(config)# management api http-commands switch(config-mgmt-api-http-cmds)# no shutdown switch(config-mgmt-api-http-cmds)#
shutdown (Telnet Management)
- To enable Telnet, enter no shutdown at the Telnet Management prompt.
- To disable Telnet, enter shutdown at the Telnet Management prompt.
Command Mode
Telnet Management configuration
Command Syntax
shutdown
no shutdown
- These commands enable Telnet and return the switch to the Global configuration Mode.
switch(config)# management telnet switch(config-mgmt-telnet)# no shutdown switch(config-mgmt-telnet)# exit switch(config)# - This command disables Telnet.
switch(config-mgmt-telnet)# shutdown
shutdown
The shutdown command in the SSH or Telnet Management configuration Mode disables the SSH or Telnet service on the switch.
Command Mode
SSH Management configuration
Telnet Management configuration
Command Syntax
shutdown
Parameters
- shutdown - Disable the SSH or Telnet service on the switch.
Example
Use the following commands to disable the SSH service.
switch(config)# management ssh
switch(config-mgmt-ssh)# shutdown
switch(config-mgmt-ssh)#
shutdown
The shutdown command in the SSH Management configuration Mode and SSH VRF configuration Mode shuts down the SSH service on the switch.
Command Mode
SSH Management configuration
SSH VRF configuration
Command Syntax
shutdown
Parameters
- shutdown - Shuts down the SSH service.
Example
Use the following commands to shut down the SSH service on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# shutdown
switch(config-mgmt-ssh)#
Use the following commands to shut down the SSH service for VRF bluengreen on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# vrf bluengreen
switch(config-mgmt-ssh-vrf-bluengreen)# shutdown
timeout
The timeout command in the SSH, Telnet, or Console Management configuration Mode specifies the maximum length of a management session regardless of activity during the session. It prevents sessions from remaining open indefinitely on the switch and provides a separate behavior from the parameter idle-timeout. Both timers operate independently and the timer with the shortest session time ends the session.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Console Management configuration
SSH Management configuration
Telnet Management configuration
Command Syntax
management [console | ssh | telnet]timeout timeout_period warning warning_time
[no | default] management [console | ssh | telnet] timeout
Parameters
- timeout timeout_period - Configure a timeout session from 1 to 86400 minutes. Setting the timeout to 0 disables the timeout session.
- warning warning_time - Configure a warning that notifies you that the session ends at a specific time. Configure from 0 to 3599 minutes and setting the timeout to 0 disables the warning.
Examples
Use the following commands to set the console timeout to 60 minutes.
switch(config)# management console
switch(config-mgmt-console)# timeout 60
switch(config-mgmt-console)#
Use the following commands to set the SSH timeout to 60 minutes.
switch(config)# management ssh
switch(config-mgmt-ssh)# timeout 60
switch(config-mgmt-ssh)#
Use the following commands to set the Telnet timeout to 60 minutes.
switch(config)# management telnet
switch(config-mgmt-telnet)# timeout 60
switch(config-mgmt-telnet)#
trusted-ca
The trusted-ca command in the SSH Management configuration Mode allows the switch to validate the identity of connections using standard X.509 PKI certificates.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
trusted-ca key public cert_filename
no trusted-ca
default trusted-ca
Parameters
- trusted-ca - Configure trusted CA parameters.
- key - Configure a CA public key.
- public cert_filename - Add the CA public key filename.
Example
Use the following commands to add the CA certificate, MyCert, on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# trusted-ca key public MyCert
switch(config-mgmt-ssh)#
user-keys
The user-keys command in the SSH Management configuration Mode globally manages external files for user authentication and security.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
user-keys revoke-list list_name
no user-keys revoke-list
default user-keys revoke-list
Parameters
- user-keys - Configure user keys settings.
- revoke-list cert_filename - Specify a list of revoked SSH user keys.
Example
Use the following commands to add the revoked list, NoAccess, on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# user-keys revoke-list NoAccess
switch(config-mgmt-ssh)#
username ssh-key
The username ssh-key command in the SSH Management configuration Mode enters the Username configuration Mode and allows the application of specific SSH key to a user when they connect to SSH.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
SSH Username configuration
SSH Authorized Key configuration
Command Syntax
username username [ssh-key key_name] [option [agent-forwarding | cert-authority | command | environment | expiry-time | from | no-agent-forwarding | no-port-forwarding | no-pty | no-touch-required | no-user-rc | no-x11-forwarding | permit-listen | permit-open | port-forwarding | principals | pty | restrict | tunnel | user-rc | verify-required | x11-forwarding]] [public-key ssh_keystring
no username ssh-key
default username ssh-key
Parameters
- username username - Specify a username to apply the SSH policies.
- ssh-key key_name - Specify an SSH key name.
- option - Specify any of the following options:
- agent-forwarding ssh_options_value - Specify a value to enable authentication agent forwarding.
- cert-authority ssh_options_value - Specify a value for the certificate authority.
- command ssh_options_value - Specify a command to execute during authentication.
- environment ssh_options_value - Specify a value to add a string to the environment during authentication.
- expiry-time ssh_options_value - Specify a value for the expiration time of the key.
- from ssh_options_value - Specify a value for patterns.
- no-agent-forwarding ssh_options_value - Specify a value to forbid agent forwarding.
- no-port-forwarding ssh_options_value - Specify a value to forbid port forwarding.
- no-pty ssh_options_value - Specify a value to prevent TTY allocation.
- no-touch-required ssh_options_value - Specify a value to not require demonstration of user presence.
- no-user-rc ssh_options_value - Specify a value to prevent execution on
~/.ssh/rc. - no-x11-forwarding ssh_options_value - Specify a value to prevent .X11 forwarding.
- permit-listen ssh_options_value - Specify a value to permit listening only on a specified host and port.
- permit-open ssh_options_value - Specify a value to connect only to a specified host and port.
- port-forwarding - Specify a value to enable port forwarding.
- principals - Specify allowed principals for certificate authentication.
- pty - Specify to permit PTY allocation.
- restrict - Specify to enable all restrictions.
- tunnel - Specify to force a tunnel device on the server.
- user-rc - Specify to enable execution on
~/.ssh/rc - verify-required - Specify to require users to verify signatures using this key.
- x11-forwarding - Specify a value to allow .X11 forwarding.
- public-key ssh_keystring - Specify a public SSH key string.
Example
Use the following commands to apply the SSH key to a user admin on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# username admin
switch(config-mgmt-ssh-user-admin)# ssh-key mykey
switch(config-mgmt-ssh-user-admin-mykey)#
username ssh-principal
The username ssh-principal command in the SSH Management configuration Mode enters the Username configuration Mode and defines which principals in a presented SSH certificate can login as the local user.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
SSH Username configuration
SSH Authorized Principal configuration
Command Syntax
username username [ssh-principal key_name] [option [agent-forwarding | cert-authority | command | environment | expiry-time | from | no-agent-forwarding | no-port-forwarding | no-pty | no-touch-required | no-user-rc | no-x11-forwarding | permit-listen | permit-open | port-forwarding | principals | pty | restrict | tunnel | user-rc | verify-required | x11-forwarding]]
no username ssh-principal
default username ssh-principal
Parameters
- username username - Specify a username to add SSH principals.
- ssh-principal key_name - Specify SSH one or more SSH principals.
- option - Specify any of the following options:
- agent-forwarding ssh_options_value - Specify a value to enable authentication agent forwarding.
- cert-authority ssh_options_value - Specify a value for the certificate authority.
- command ssh_options_value - Specify a command to execute during authentication.
- environment ssh_options_value - Specify a value to add a string to the environment during authentication.
- expiry-time ssh_options_value - Specify a value for the expiration time of the key.
- from ssh_options_value - Specify a value for patterns.
- no-agent-forwarding ssh_options_value - Specify a value to forbid agent forwarding.
- no-port-forwarding ssh_options_value - Specify a value to forbid port forwarding.
- no-pty ssh_options_value - Specify a value to prevent TTY allocation.
- no-touch-required ssh_options_value - Specify a value to not require demonstration of user presence.
- no-user-rc ssh_options_value - Specify a value to prevent execution on
~/.ssh/rc. - no-x11-forwarding ssh_options_value - Specify a value to prevent .X11 forwarding.
- permit-listen ssh_options_value - Specify a value to permit listening only on a specified host and port.
- permit-open ssh_options_value - Specify a value to connect only to a specified host and port.
- port-forwarding - Specify a value to enable port forwarding.
- principals - Specify allowed principals for certificate authentication.
- pty - Specify to permit PTY allocation.
- restrict - Specify to enable all restrictions.
- tunnel - Specify to force a tunnel device on the server.
- user-rc - Specify to enable execution on
~/.ssh/rc - verify-required - Specify to require users to verify signatures using this key.
- x11-forwarding - Specify a value to allow .X11 forwarding.
Example
Use the following commands to add the SSH principal admin on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# username admin
switch(config-mgmt-ssh-user-admin)# ssh-principal myprincipal
switch(config-mgmt-ssh-user-admin-myprincipal)#
username tcp
The username tcp command in the SSH Management configuration Mode enters the SSH Username configuration Mode and controls if a specific user has permission to use the switch as a jump host or a tunnel endpoint using SSH Port Forwarding. It allows a user to tunnel a TCP connection through the encrypted SSH session and access devices that may otherwise be inaccessible. eos disables TCP forwarding by default.
The [no] version of the command disables the feature and removes the configuration from the running-config.
Command Mode
SSH Management configuration
SSH Username configuration
Command Syntax
username username tcp forwarding [all | local | remote]
no username tcp forwarding
default username tcp forwarding
Parameters
- username username - Specify a username and enter the SSH Username configuration Mode.
- tcp forwarding - Configure TCP forwarding options.
- all - Specify to allow TCP forwarding for local and remote SSH servers.
- local - Specify to allow TCP forwarding for local SSH servers only.
- remote - Specify to allow TCP forwarding for remote SSH servers only.
Example
Use the following commands for the user, admin, to allow TCP forwarding for local and remote SSH servers on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# username admin
switch(config-mgmt-ssh-user-admin)# tcp forwarding all
verify
The verify command in the SSH Management configuration Mode implements the SSH Fingerprint (SSHFP) verification mechanism and allows the switch to use DNS records to validate the identify of a remote server.
The [no] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
Command Syntax
verify dns
no verify dns
Parameters
- verify - Set options related to SSHD verification..
- dns - Configure the SSH Daemon to verify the DNS check.
Example
Use the following commands to implement SSH Fingerprint verification on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# verify dns
switch(config-mgmt-ssh)#
vrf
The vrf command in the SSH or Telnet Management configuration Mode applies the SSH or Telnet service to a specific VRF or the default VRF on the switch.
Command Mode
SSH Management configuration
Telnet Management configuration
Command Syntax
vrf [default | vrf_name]
Parameters
- default - Apply the SSH or Telnet service to the default VRF on the switch.
- vrf_name - Apply the SSH or Telnet service to a specific VRF on the switch.
Example
Use the following commands to apply the SSH service to the VRF, bluengreen:
switch(config)# management ssh
switch(config-mgmt-ssh)# vrf bluengreen
switch(config-mgmt-ssh)#
vrf known-hosts
The vrf known-hosts command in the SSH VRF configuration Mode allows you to define a specific trusted host key file for each routing domain. By assigning a unique known hosts file to a VRF, the switch trusts that only specific identities of servers within that network segment.
The [no] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH VRF configuration
Command Syntax
known-hosts hostname_ip [dsa | ecdsa-nistp256 | ecdsa-nistp521 | ed25519 | rsa] base64_string
no vrf known-hosts
Parameters
- known-hosts hostname_ip - Specify the known host using a hostname or an IPv4 or IPv6 address.
- dsa - Specify the Digital Signature Algorithm algorithm.
- ecdsa-nistp256 - Specify the Elliptic Curve Digital Signature Algorithm NIST-P256.
- ecdsa-nistp521 - Specify the Elliptic Curve Digital Signature Algorithm NIST-P521.
- ed25519 - Specify the Edwards-curve Digital Signature Algorithm 25519.
- rsa - Specify the RSA Encryption Algorithm.
- base64_string - Specify a base64 string.
Example
Use the following commands to add the host, 172.16.21.23, and the algorithm, dsa, to the VRF, bluengreen, on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# vrf bluengreen
switch(config-mgmt-ssh-vrf-bluengreen)# known-hosts 172.16.1.23 dsa SGVsbG8gV29ybGQh
switch(config-mgmt-ssh-vrf-bluengreen)#
vrf
The vrf command in the SSH Management configuration Mode enters the SSH VRF configuration mode and allows the configuration of specific VRF parameters.
The [no] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
SSH Management configuration
SSH VRF configuration
Command Syntax
vrf [default | vrf_name] [tunnel vrf_name]
no vrf
Parameters
- vrf [default | vrf_name - Specify the default VRF or a specific VRF.
Example
Use the following commands to enter the SSH VRF configuration Mode for the VRF, bluengreen, on the switch:
switch(config)# management ssh
switch(config-mgmt-ssh)# vrf bluengreen
switch(config-mgmt-ssh-vrf-bluengreen)#
vrf (API Management)
The vrf command places the switch in the server's VRF configuration mode. If the named VRF does not already exist, this command creates it.
Command Mode
API Management configuration
Command Syntax
vrf VRF_INSTANCE
Parameters
- default - Instance created in the default VRF.
- vrf_name - Instance created in the specified user-defined VRF.
Related Command
management api http-commands places the switch in API Management configuration.
Example
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# vrf management-vrf
switch(config-mgmt-api-http-cmds-vrf-management-vrf)#
