Session Management Commands
Global Configuration Commands
- commit timer
- configure replace
- configure session
- management accounts
- management api eos-sdk-rpc
- management api external-services
- management api gnmi
- management api gnsi
- management api gribi
- management api http-commands
- management api models
- management api netconf
- management api restconf
- management archive
- management cli
- management client
- management console
- management data source
- management defaults
- management dmf
- management file-systems
- management http-server
- management ldap group
- management ldap server
- management package
- management security auto-certificate
- management security entropy
- management security network
- management security password
- management security session
- management security signature-verification
- management security ssl
- management nic profiles
- management ssh
- management telnet
- reset system storage secure
Management Configuration Commands
Display Commands
commit timer
The commit timer command can automatically roll back changes performed during a configuration session if you haven't confirmed them within a preset time interval. This feature can prevent a user from committing configuration changes that could cause a network disruption. The no commit timer command deletes the session.
Command Mode
Configure Session Configuration Mode
Command Syntax
commit timer hh:mm:ss
Parameters
hh:mm:ss - Specify the time interval for the commit session.
Example
switch(config-s-MySession)# commit timer 01:00:00
switch#
configure replace
The configure replace command replaces the current configuration with a new configuration from the specified source.
Command Mode
Privileged EXEC
Command Syntax
configure replace source_file_path:source_file_name [ignore-errors] [md5 md5sum] [skip-checkpoint] [vrf instance_name]
- source_file_path:source_file_name replaces the current configuration with the configuration from the specified source file.
- boot-extensions: - Replace the current configuration with the boot extensions configuration.
- certificate: - Replace the current configuration with the certificate configuration.
- checkpoint: - Replace the current configuration with the checkpoint configuration.
- clean-config: - Replace the current configuration with a clean, default configuration.
- extension: - Replace the current extensions configuration with an extensions configuration.
- file: - Replace the current configuration with a configuration from a file location.
- flash: - Replace the current configuration with a configuration from a flash location.
- ftp: - Replace the current configuration with a configuration from a FTP location.
- http: - Replace the current configuration with a configuration from an HTTP location.
- https: - Replace the current configuration with a configuration from an HTTPS location.
- installed-extensions: - Replace the current configuration with the installed extensions status.
- running-config: - Replaces the current configuration with the running configuration.
- scp: - Replace the current configuration with a configuration from an SCP location.
- sftp: - Replace the current configuration with a configuration from an SFTP location.
- snapshot: - Replace the current configuration with a configuration from a snapshot.
- ssh-auth-principals-cmd: - Retrieve a configuration from an SSH location and replace the current configuration.
- ssh-ca-key: - Retrieve a configuration from an SSH location and replace the current configuration.
- ssh-key: - Retrieve a configuration from an SSH location and replace the current configuration.
- ssh-revoke-list: - Retrieve a configuration from an SSH location and replace the current configuration.
- startup-config: - Replace the current configuration with the startup configuration.
- system: - Retrieve a configuration from a system location and replace the current configuration.
- terminal: - Retrieve a configuration from a terminal location and replace the current configuration.
- tftp: - Retrieve a configuration from a TFTP location and replace the current configuration.
- ignore-errors - Replace the configuration and ignore errors while loading the new configuration.
- md5 md5sum - Performs a checksum to validate data integrity with the specified MD5 hashing algorithm.
- skip-checkpoint - Skips creating the checkpoint file of running-config.
Example
switch(config)# configure replace startup-config
! Preserving static routes. Use 'no ip routing delete-static-routes' to clear them.
switch#
configure session
The configure session command allows a series of temporary configuration changes that are committed to running-config later by issuing the commit command. EOS discards an uncommitted configuration session when the switch reboots, and uncommitted sessions time out after 24 hours.
The no configure session session_name and default configure session session_name commands delete the specified configuration session.
Command Mode
Privileged EXEC
Command Syntax
configure session [session_name] [abort | commit | [description description]]
no configure session session_name
default configure session
Parameters
- session_name - Create a name for the configuration session.
- abort - Ends the configuration session and deletes it.
- commit - Commits the changes executed during the session.
- description description - Create a description for the configuration session.
Guidelines
- Creates a session with a name generated by the switch if you do not specify a session name.
- The switch permits up to five uncommitted sessions.
- When the switch reboots, it discards the uncommitted sessions.
- Uncommitted sessions time out after 24 hours.
Example
switch(config)#configure session
switch(config-s-sess-1)#aaa authentication dot1x default group radius
switch(config-s-sess-1)#dot1x system-auth-control
switch(config-s-sess-1)#commit
switch(config-s-sess-1)#
idle-timeout (Console Management)
The idle-timeout (Console Management) command configures the idle-timeout period for console connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. By default, setting the idle timeout to zero disables the connection timeout automatically.
The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.
Command Mode
Management Console Configuration
Command Syntax
idle-timeout idle_period
no idle-timeout
default idle-timeout
Parameters
- 0 - Disables the automatic connection timeout.
- 1 to 86400 - Configures the automatic timeout period in minutes.
Examples
- These commands configure a console idle-timeout period of three hours, then return the switch to global configuration mode.
switch(config)# management console
switch(config-mgmt-console)# idle-timeout 180
switch(config-mgmt-console)# exit
switch(config)#
- These commands disable automatic connection timeout.
switch(config)# management console
switch(config-mgmt-console)# idle-timeout 0
switch(config-mgmt-console)#
idle-timeout (SSH Management)
The idle-timeout (SSH Management) command configures the idle-timeout period for SSH connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. Setting the idle timeout to zero disables the connection timeout automatically.
The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.
Command Mode
Management SSH Configuration
Command Syntax
idle-timeout idle_period
no idle-timeout
default idle-timeout
Parameters
- 0 - Disables the automatic connection timeout.
- 1 to 86400 - Configures the automatic timeout period in minutes.
Examples
- These commands configure an SSH idle-timeout period of three hours, then return the switch to global configuration mode.
switch(config)# management ssh
switch(config-mgmt-ssh)# idle-timeout 180
switch(config-mgmt-ssh)# exit
switch(config)#
- These commands disable automatic connection timeout.
switch(config)# management ssh
switch(config-mgmt-ssh)# idle-timeout 0
switch(config-mgmt-ssh)#
idle-timeout (Telnet Management)
The idle-timeout (Telnet Management) command configures the idle-timeout period for Telnet connection sessions. The idle timeout refers to the length of time that a connection waits after a user's most recent command before shutting down the connection. Setting the idle timeout to zero disables the connection timeout automatically.
The no idle-timeout and default idle-timeout commands disable the automatic connection timeout by removing the idle-timeout statement from running-config.
Command Mode
Management Telnet
Command Syntax
idle-timeout idle_period
no idle-timeout
default idle-timeout
Parameters
- 0 - Disables the automatic connection timeout.
- 1 to 86400 - Configures the automatic timeout period in minutes.
Examples
- These commands configure a Telnet idle-timeout period of three hours, then return the switch to global configuration mode.
switch(config)# management telnet
switch(config-mgmt-telnet)# idle-timeout 180
switch(config-mgmt-telnet)# exit
switch(config)#
- These commands disable automatic connection timeout.
switch(config)# management telnet
switch(config-mgmt-telnet)# idle-timeout 0
switch(config-mgmt-telnet)#
management accounts
The management accounts command enters the Accounts Management Configuration Mode and allows the creation of user accounts on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Accounts Management Configuration
Command Syntax
management accounts
[no | default] management accounts
Parameters
- management accounts - Enters Accounts Management Configuration Mode.
- account - Enters the Account Configuration Mode after adding a user name.
- session limit value - Add the number of allowed sessions from 1 to 100 per user.
- password policy policy_name - Configure password policies.
- session default-limit value - Configure the maximum number of remote sessions per user.
Example
Use the following commands to enter Accounts Management Configuration Mode and add a user tech_support1 with a session limit of 10:
switch(config)# management accounts
switch(config-mgmt-accounts)# account tech_support1
switch(config-mgmt-acct-tech_support1)# session limit 10
management api eos-sdk-rpc
The management api eos-sdk-rpc command places the switch in EOS SDK RPC API management configuration mode.
The no management api eos-sdk-rpc and default management api eos-sdk-rpc commands delete the mgmt-api-eos-sdk-rpc configuration mode statements from running-config.
EOS SDK RPC API management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the EOS SDK RPC API management configuration mode does not affect the running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api eos-sdk-rpc
no management api eos-sdk-rpc
default management api eos-sdk-rpc
- transport (EOS SDK RPC API Management)
Examples
- This command places the switch in EOS SDK RPC API management configuration mode.
switch(config)# management api eos-sdk-rpc
switch(config-mgmt-api-eos-sdk-rpc)#
- This command returns the switch to global management mode.
switch(config-mgmt-api-eos-sdk-rpc)# exit
switch(config)#
management api external-services
The management api external-services command places the switch in External Services API configuration mode.
The no management api external-services and default management api external-services commands delete the mgmt-api-external-services configuration mode statements from running-config.
External Services API configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the External Services API configuration mode does not affect the running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api external-services
no management api external-services
default management api external-services
- shutdown (External Services API Management)
- vrf (External Services API Management)
Examples
- This command places the switch in External Services API Management configuration mode.
switch(config)# management api external-services
switch(config-mgmt-api-external-services)#
- This command returns the switch to global management mode.
switch(config-mgmt-api-external-services)# exit
switch(config)#
management api gnmi
The management api gnmi command places the switch in GNMI API Management configuration mode.
The no management api gnmi and default management api gnmi commands delete the mgmt-api-gnmi configuration mode statements from running-config.
GNMI API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the GNMI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api gnmi
no management api gnmi
default management api gnmi
- operation (GNMI API Management)
- provider (GNMI API Management)
- transport (GNMI API Management)
Examples
- This command places the switch in GNMI API Management configuration mode.
switch(config)# management api gnmi
switch(config-mgmt-api-gnmi)#
- This command returns the switch to global management mode.
switch(config-mgmt-api-gnmi)# exit
switch(config)#
management api gnsi
The management api gnsi command places the switch in GNSI API management configuration mode.
The no management api gnsi and default management api gnsi commands delete the mgmt-api-gnsi configuration mode statements from running-config.
GNSI API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting the GNSI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api gnsi
no management api gnsi
default management api gnsi
- service (GNSI API Management)
- transport (GNSI API Management)
Examples
- This command places the switch in GNSI API Management configuration mode.
switch(config)# management api gnsi
switch(config-mgmt-api-gnsi)#
- This command returns the switch to global management mode.
switch(config-mgmt-api-gnsi)# exit
switch(config)#
management api gribi
The management api gribi command places the switch in gRIBI API Management configuration mode.
The no management api gribi and default management api gribi commands delete the mgmt-api-gribi configuration mode statements from running-config.
gRIBI API Management configuration mode is not a group change mode; running-config changes immediately upon entering commands. Exiting the gRIBI API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api gribi
no management api gribi
default management api gribi
- transport (gRIBI API Management)
Examples
- This command places the switch in gRIBI API Management configuration mode.
switch(config)# management api gribi
switch(config-mgmt-api-gribi)#
- This command returns the switch to global management mode.
switch(config-mgmt-api-gribi)# exit
switch(config)#
management api http-commands
The management api http-commands command places the switch in HTTP Commands API Management Configuration Mode.
The no management api http-commands and default management api http-commands commands delete the HTTP Commands API Management Configuration Mode statements from running-config.
HTTP Commands API Management Configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting HTTP Commands API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api http-commands
no management api http-commands
default management api http-commands
Examples
- This command places the switch in HTTP Commands API Management Configuration Mode.
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)#
- This command returns the switch to Global Configuration Mode.
switch(config-mgmt-api-http-cmds)# exit
switch(config)#
management api models
The management api models command places the switch in Models API Management configuration mode.
The no management api models and default management api models commands delete the mgmt-api-models configuration mode statements from running-config.
Models API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Models API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api models
no management api models
default management api models
- models (Models API Management)
- modules (Models API Management)
- provider (Models API Management)
Examples
- This command places the switch in Models API Management configuration mode.
switch(config)# management api models
switch(config-mgmt-api-models)#
- This command returns the switch to global management mode.
switch(config-mgmt-api-models)# exit
switch(config)#
management api netconf
The management api netconf command places the switch in Netconf API Management configuration mode.
The no management api netconf and default management api netconf commands delete the mgmt-api-netconf configuration mode statements from running-config.
Netconf API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Netconf API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api netconf
no management api netconf
default management api netconf
- transport (Netconf API Management)
Examples
- This command places the switch in Netconf API Management configuration mode.
switch(config)# management api netconf
switch(config-mgmt-api-netconf)#
- This command returns the switch to global management mode.
switch(config-mgmt-api-netconf)# exit
switch(config)#
management api restconf
The management api restconf command places the switch in Restconf API Management configuration mode.
The no management api restconf and default management api restconf commands delete the mgmt-api-restconf configuration mode statements from running-config.
Restconf API Management configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting Restconf API Management configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
management api restconf
no management api restconf
default management api restconf
- transport (Restconf API Management)
Examples
- This command places the switch in Restconf API Management configuration mode.
switch(config)# management api restconf
switch(config-mgmt-api-restconf)#
- This command returns the switch to global management mode.
switch(config-mgmt-api-restconf)# exit
switch(config)#
management archive
The management archive command enters the Archive Management Configuration Mode and allows you to manage log archives and archive space.
Command Mode
Global Configuration
Archive Management Configuration
Command Syntax
management archive [destination flash:] [quotapct percentage] shutdown
Parameters
- management archive - Enters the Archive Management Configuration Mode.
- destination flash: - Configure a destination for the archive files.
- quotapct percentage - Set the quota percentage value from 0 to 100.
- shutdown - Disables log archiving on the switch.
Example
Use the following commands to configure the quota percentage as 50:
switch(config)# management archive
switch(config-mgmt-archive)# quotapct 50
switch(config-mgmt-archive)#
management cli
The management cli command places the switch in CLI Management Configuration Mode and allows you to configure command line options.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
CLI Management Configuration
Command Syntax
management cli command deprecated log
[no | default] management cli command deprecated log
Parameters
- management cli - Enters the CLI Management Configuration Mode.
- command - Configure command options.
- deprecated - Configure the CLI behavior for deprecated commands.
- log - Create a syslog message when executing a deprecated command.
Example
Use the following commands to create a syslog message when executing a deprecated command:
switch(config)# management cli
switch(config-mgmt-cli)# command deprecated log
switch(config-mgmt-cli)#
management client
The management client command enters the Client Management Configuration Mode and configures remote applications or scripts that use the switch's powerful eAPI (EOS API) to programmatically send configuration and show commands.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Client Management Configuration
Command Syntax
management client api gnmi [group group_name member server_name] [server server_name]
[no | default] management client api gnmi
Parameters
- management client api gnmi - Configures the switch as a gNMI client.
- group group_name - Configure gNMI server group definitions.
- member server_name - Add a gNMI server to the group.
- server server_name - Add a gNMI server to the configuration.
Example
Use the following commands to add the group, gnmi_group, and the member, gnmi_server1, to the client configuration:
switch(config)# management client api gnmi
switch(config-mgmt-client-api-gnmi)# group gnmi_group member gnmi_server1
switch(config-mgmt-client-api-gnmi)#
management console
The management console command places the switch in Console Management Configuration Mode to adjust the idle-timeout period for console connection sessions. The idle-timeout period determines the inactivity interval that terminates a connection session.
The no management console and default management console commands delete the Console Management Configuration Mode statements from running-config.
The Console Management Configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting the mgmt-console configuration mode does not affect running-config. The exit command returns the switch to Global Configuration Mode.
Command Mode
Global Configuration
Command Syntax
management console
no management console
default management console
Parameters
- idle-timeout (Console Management)
- login - Configure options related to logging into the switch.
Examples
- This command places the switch into Console Management Configuration Mode:
switch(config)# management console
switch(config-mgmt-console)#
- This command returns the switch to Global Management Mode:
switch(config-mgmt-console)# exit
switch(config)#
management data source
The management data source command enters the Data Source Management Configuration Mode and allows defining the rules and actions taken on specific data streams.
Command Mode
Global Configuration
Data Source Management Configuration
Command Syntax
management data source [disable] [sensor sensor_name [disabled | ip address ip_address port port]] [traffic-policies [disabled] [field-set [ipv4 prefix source_name] [ipv6 prefix source_name] [service source_name]]]
Parameters
- management data source - Enters the Data Source Configuration Mode.
- disable - Disable the management data source.
- sensor sensor_name - Specify the name of a sensor.
- disabled - Disable the sensor.
- ip address ip_address - Specify the IPv4 or IPv6 address of the sensor.
- port port - Specify the port.
- traffic-policies - Configure traffic policies to apply to the data source.
- disabled - Disable traffic policies on the switch.
- field-set - Configure field sets to use with the traffic policies.
- ipv4 prefix source_name - Specify the IPv4 prefix and source name.
- ipv6 prefix source_name - Specify the IPv6 prefix and source name.
- service source_name - Specify the service and source name.
Example
Use the following commands to configure a sensor, sensor_db, with the IPv4 address, 192.168.92.157, and port 443:
switch(config)# management data source
switch(config-mgmt-ds)# sensor sensor_db
switch(config-mgmt-ds-sensor-sensor_db)# ip 192.168.92.157 port 443
switch(config-mgmt-ds-sensor-sensor_db)#
management defaults
The management defaults command enters the Defaults Management Configuration Mode and configures storing secrets on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Defaults Management Configuration
Command Syntax
management defaults secret hash [md5 | scrypt | sha-512 | yescrypt]
[no | default] management defaults
Parameters
- management defaults - Enters the Defaults Management Configuration Mode.
- secret - Configure storing secrets.
- hash - Specify a hash algorithm to use for secrets.
- md5 - Specify Message-Digest Algorithm 5.
- scrypt - Specify scrypt, a password-based key derivation function (KDF) designed specifically to make brute-force attacks against hashed passwords significantly harder, even when attackers use specialized hardware like GPUs or FPGAs.
- sha-512 - Specify SHA-512, a cryptographic hash function that is part of the SHA-2 family, standardized by NIST (National Institute of Standards and Technology). It is a highly secure and widely used algorithm for ensuring data integrity and securing digital operations.
- yescrypt - Specify yescrypt, a modern, highly secure password-based key derivation function (KDF) designed as a successor and alternative to functions like PBKDF2, scrypt, and bcrypt. It was developed by Alexander Peslyak (Solar Designer) and is specifically engineered to achieve the best possible resistance against hardware-accelerated cracking attacks using GPUs, FPGAs, and ASICs.
Example
Use the following commands to add MD5 as the secret hash:
switch(config)# management defaults
switch(config-mgmt-defaults)# secret hash md5
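An added example, not part of the original documentation: a Python check that reads running-config text and flags the session settings described on this page that weaken access control (idle-timeout 0 or no idle-timeout statement under management console, ssh or telnet, and secret hash md5 under management defaults). The indented running-config layout, the 60-minute policy ceiling, the function names and both sample configurations are assumptions constructed for illustration.

```python
import re

# Modes whose idle-timeout command this page documents.
TIMEOUT_MODES = ("management console", "management ssh", "management telnet")
# Assumption: local policy rejects md5 for stored secrets.
WEAK_HASHES = {"md5"}
# Assumption: local policy ceiling in minutes; this is not an EOS default.
MAX_IDLE_MINUTES = 60


def parse_blocks(config_text):
    """Map each unindented header line to the indented lines beneath it.

    Assumes sub-mode statements are indented under their mode header and
    that lines starting with '!' are separators or comments.
    """
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def idle_timeout_minutes(lines):
    """Return the configured idle-timeout in minutes, or None if absent."""
    for line in lines:
        match = re.fullmatch(r"idle-timeout (\d+)", line)
        if match:
            return int(match.group(1))
    return None


def audit(config_text, max_idle=MAX_IDLE_MINUTES):
    """Return a list of (mode, message) findings for the given config text."""
    blocks = parse_blocks(config_text)
    findings = []
    for mode in TIMEOUT_MODES:
        if mode not in blocks:
            continue  # mode does not appear in this file; nothing to judge
        minutes = idle_timeout_minutes(blocks[mode])
        if minutes is None:
            findings.append((mode, "no idle-timeout statement: automatic timeout disabled"))
        elif minutes == 0:
            findings.append((mode, "idle-timeout 0: automatic timeout disabled"))
        elif minutes > 86400:
            findings.append((mode, f"idle-timeout {minutes}: outside documented range 1-86400"))
        elif minutes > max_idle:
            findings.append((mode, f"idle-timeout {minutes} exceeds policy ceiling of {max_idle} minutes"))
    for line in blocks.get("management defaults", []):
        match = re.fullmatch(r"secret hash (\S+)", line)
        if match and match.group(1) in WEAK_HASHES:
            findings.append(("management defaults",
                             f"secret hash {match.group(1)}: prefer scrypt, sha-512 or yescrypt"))
    return findings


# Constructed sample: the weak settings shown in this page's examples.
SAMPLE = """\
management console
   idle-timeout 0
!
management ssh
   idle-timeout 180
!
management telnet
   idle-timeout 15
!
management defaults
   secret hash md5
!
"""

# Constructed sample: the same modes with settings that pass the policy.
HARDENED = """\
management console
   idle-timeout 15
!
management ssh
   idle-timeout 15
!
management defaults
   secret hash sha-512
!
"""

if __name__ == "__main__":
    for mode, message in audit(SAMPLE):
        print(f"{mode}: {message}")
```
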
management dmf
The management dmf command in the DANZ Monitoring Fabric (DMF) Configuration Mode allows the configuration of up to two DMF controllers on the network.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
DANZ Monitoring Fabric (DMF) Configuration
Command Syntax
management dmf [disabled] [controller address ip_address1 controller address ip_address2]
[no | default] management dmf
Parameters
- disabled - Disables DMF on the switch.
- controller address ip_address1 - Configure the first DMF controller with an IPv4 or IPv6 address.
- controller address ip_address2 - Configure the second DMF controller with an IPv4 or IPv6 address.
Example
Use the following commands to add a DMF controller, 172.16.23.47, to the switch:
switch(config)# management dmf
switch(config-mgmt-dmf)# controller 172.16.23.47
switch(config-mgmt-dmf)#
management file-systems
The management file-systems command in the File Systems Management Configuration Mode allows the configuration and management of the file system on the switch.
Command Mode
Global Configuration
File Systems Management Configuration
Command Syntax
management file-systems nfs [crash: directory_name] [file: directory_name] [flash: directory_name]
Parameters
- nfs - Specifies the network file system.
- crash: directory_name - Specify the location of the crash files.
- file: directory_name - Specify the location of the files.
- flash: directory_name - Specify the location of the flash files.
Example
Use the following commands to manage the crash files:
switch(config)# management file-systems
switch(config-mgmt-file-systems)# nfs crash:
management http-server
The management http-server command enters the HTTP Management Configuration Mode of the switch to allow Application Programming Interface (API) access to the switch for programmatic commands.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
HTTP Management Configuration
Command Syntax
management http-server [cors allowed-origin origin server_address | all | *]
management http-server default-services
management http-server header csp frame-ancestors uri
management http-server log-level [alert | crit | debug | emerg | error | info | notice | warn]
management http-server protocol [http [localhost | port port_number]] [https [port port_number | ssl profile_name]] [unix-socket]
management http-server qos dscp dscp_value
management http-server vrf [default | vrf_name]
Parameters
- management http-server cors - Specify Cross-Origin Resource Sharing for the HTTP Server.
- allowed-origin server_address - Specify an allowed origin server IP address.
- [all | *] - Specify all to allow all CORS.
- management http-server default-services - Specify to use default services, capi-doc and tapagg, for the HTTP Server.
- management http-server header - Configure additional headers for the HTTP Server.
- csp - Specify content security policy headers.
- frame-ancestors - Specify CSP directive frame-ancestors.
- uri - Configure the URI for the host.
- management http-server log-level - Specify any of the level parameters to log as a syslog message.
- management http-server protocol - Configure server options.
- http [localhost | port port_number] - Configure a local host and port for the HTTPS Server.
- https [port port_number | ssl profile_name] - Configure a port and SSL profile name.
- unix-socket - Specify a Unix Domain Socket.
- management http-server qos - Configure Quality of Service (QoS) parameters.
- dscp - exit
- management http-server vrf [default | vrf_name] - Specify using the default VRF on the switch or another configured VRF.
Example
Use the following commands to specify using the default services for the HTTP Server:
switch(config)# management http-server
switch(config-mgmt-http-server)# default-services
switch(config-mgmt-http-server)#
management ldap group
The management ldap command in the Global Configuration mode enters the switch into LDAP Management Configuration Mode and allows the configuration of an LDAP group and server. This allows the switch to authenticate and authorize users against an external Lightweight Directory Access Protocol (LDAP) server and centralizes user management.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
LDAP Management Configuration
Command Syntax
management ldap [group policy policy_name group group_name role role_name [after | before] group_name [privilege level]]
Parameters
- management ldap - Configure LDAP options.
- group policy policy_name - Configure a group policy name.
- group group_name - Configure the group name to add to the configuration.
- role role_name - Specify the role name for the group.
- [after | before] group_name - Specify adding the role before or after a rule.
- privilege level - Configure a privilege level between 0 and 15.
Example
Use the following commands to add the policy, policy1, to group, ldap_group, with the role of manager, and privilege level 10:
switch(config)# management ldap
switch(config-mgmt-ldap)# group policy policy1
switch(config-mgmt-ldap-gp-policy1)# group ldap_group role manager privilege 10
switch(config-mgmt-ldap-gp-policy1)#
management ldap server
The management ldap server command enters the LDAP Management Configuration Mode and allows the configuration of an LDAP server for authentication on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
LDAP Management Configuration
Command Syntax
management ldap server [defaults [authorization group policy policy_name] [base-dn domain_name] [rdn attribute user attr_name] [search username username password password] [ssl-profile profile_name] [timeout seconds]] [host host_name port port_number vrf vrf_name]
[no | default] management ldap server
Parameters
- management ldap server - Enters the LDAP Management Configuration Mode and allows the configuration of an LDAP server.
- defaults - Configure default LDAP options for all servers.
- authorization group policy policy_name - Configure LDAP options for user authorization using a group policy name.
- base-dn domain_name - Specify a distinguished domain name.
- rdn attribute user attr_name - Add an attribute for a Relative Distinguished Name.
- search username username password password - Configure search options for the LDAP server.
- ssl-profile profile_name - Add an SSL profile to the configuration.
- timeout seconds - Configure the length of time to wait before timing out the session.
- host host_name - Specify a hostname or IP address of the LDAP server.
- port port_number - Specify a port number. The configuration uses port 389 by default.
- vrf vrf_name - Specify the VRF name for the configuration.
Example
Use the following commands to use arista.com as the base Domain Name:
switch(config)# management ldap
switch(config-mgmt-ldap)# server defaults
switch(config-ldap-defaults)# base-dn arista.com
switch(config-ldap-defaults)#
management nic profiles
The management nic profiles command enters the Network Interface Card (NIC) Profile Configuration Mode and allows configuration of an interface for an internal service client, such as ZTP or an internal monitoring process, that needs to reach a provisioning server.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Network Interface Card (NIC) Profile Configuration
Command Syntax
management nic profiles profile profile_name [connection [ssl profile profile_name] [timeout seconds]] [job job_name metric path path_name] [port port_number] [system auto-discovered] [polling interval interval]
[no | default] management nic profiles profile profile_name
Parameters
- management nic profiles profile profile_name - Configure a name for the NIC profile.
- connection - Configure connection parameters:
- ssl - Add an SSL profile to the connection
- timeout - Configure the length of time, in seconds, before the connection disconnects.
- job job_name - Specifies the type of job to run on the client.
- metric path path_name - Specify the metric path, in the format of a URL, used for the job.
- port port_number - Specify a port between 1 and 65535.
- system auto-discovery - Specify if you want to auto-discover jobs on the switch.
- polling interval interval seconds - Specify a polling interval between 1 and 600 seconds.
Example
Use the following commands to add an SSL profile, secure_1, to the NIC profile, nic_mgmt:
switch(config)# management nic profiles profile nic_mgmt
switch(config-mgmt-nic-profile-nic_mgmt)# connection ssl profile secure_1
switch(config-mgmt-nic-profile-nic_mgmt)#
management package
The management package command in the Package Management Configuration Mode configures a remote source for downloading optional software extension packages.
Command Mode
Global Configuration
Package Management Configuration
Command Syntax
management package repository repo_name [description description] [type description] [url url]
Parameters
- management package - Enters the Package Management Configuration Mode on the switch.
- repository repo_name - Specify the repository name.
- description description - Create a description of the repository that is used in show commands.
- type yum - Retrieve the files using yum.
- url url - Specify the network path to the repository server. The URL defines the transport protocol for the files.
Example
Use the following commands to create a repository, prod_ext, with the URL, https://10.11.10.27/arista/extensions/:
switch(config)# management package
switch(config-mgmt-package)# management package repository pProd-Ext type url https://10.11.10.27/arista/extensions/
management security auto-certificate
The management security auto-certificate command enters the Auto-Certificate Security Management Configuration Mode and automates the management and renewal of the digital certificates used by the switch for various secure management services, such as HTTPS for APIs.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Auto-Certificate Security Management Configuration
Command Syntax
management security auto-certificate [profile profile_name [digest [sha256 | sha384 | sha512]] [key key_name] [parameters [distinguished-name [common-name name] [country name] [email email] [locality locality] [organization organization] [organization-unit unit] [serial-number number] [state state]] [subject-alternative-name [dns dns_name] [email email] [ip ip_address] [uri uri]] [protocol instance instance_name] [renewal seconds seconds]]]
management security auto-certificate [protocol est profile_name [connection retry [count num_retries] [interval seconds seconds]] [credentials enroll [secret [0 | 7 | 8a] secret] [token [0 | 7 | 8a] token] [username username]] [disabled] [server [ssl profile profile_name] [url url] [vrf vrf_name]]]
Parameters
- management security profile_name - Enters the Security Management Configuration Mode.
- auto-certificate profile profile_name - Configure profile options for Automatic Certificate Management.
- digest [sha256 | sha384 | sha512] - Specify the digest algorithm used to sign a Certificate Signing Request (CSR).
- key key_name - Configure a key name used for the certificate.
- parameters - Configure the certificate parameters.
- distinguished-name - Configure a distinguished name for the certificate.
- common-name name - Specify the common name.
- country name - Specify the country.
- email email - Specify the email address used for the certificate.
- locality locality - Specify the locality.
- organization organization - Add the organization.
- organization-unit unit - Specify the organization unit.
- serial-number number - Specify the serial number.
- state state - Specify the state.
- subject-alternative-name - Configure the alternative subject name extension.
- dns dns_name - Add the name of the DNS server.
- email email - Add the email address.
- ip ip_address - Specify the IP address of the DNS server.
- uri uri - Specify the Uniform Resource Identifier (URI).
- auto-certificate protocol est profile_name - Specify the profile name for Enrollment over Secure Transport (EST).
- connection retry - Configure the number of times to retry the connection.
- count num_retries - Specify the number of retries.
- interval seconds - Specify the interval between connection retries.
- seconds - Specify the unit of time.
- credentials - Configure the credentials used with EST.
- enroll - Enroll with the following credentials:
- secret [0 | 7 | 8a] secret - Configure a secret.
- token [0 | 7 | 8a] token - Configure a JSON token.
- username username - Configure a username and secret.
- secret [0 | 7 | 8a] secret
- re-enroll - Re-enroll with the following credentials:
- secret [0 | 7 | 8a] secret - Configure a secret.
- token [0 | 7 | 8a] token - Configure a JSON token.
- username username - Configure a username and secret.
- secret [0 | 7 | 8a] secret
- disabled - Temporarily disable sending requests to the EST server.
- server - Configure the EST server options:
- ssl profile profile_name - Specify an SSL profile.
- url url - Specify the URL of the EST server.
- vrf vrf_name - Specify the VRF used for the EST server.
management security entropy
The management security entropy command manages the source of cryptographic entropy (randomness) and provides high quality randomness for SSH keys, SSL/TLS certificates, and random session identifiers.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Security Management Configuration
Command Syntax
management security entropy source [cpu jitter] [hardware exclusive] [haveged]
[no | default] management security entropy
Parameters
- entropy source - Configure the source used for entropy on the switch.
- cpu jitter - Configure using a CPU-based source with the Jitter RNG algorithm.
- hardware exclusive - Configure using hardware exclusively for entropy.
- haveged - Use the Hardware Volatile Entropy Gathering and Expansion (HAVEGED) algorithm to quickly and efficiently generate high quality cryptographic entropy.
Example
Use the following command to use cpu jitter for security entropy:
switch(config)# management security
switch(config-mgmt-security)# entropy source cpu jitter
switch(config-mgmt-security)#
management security network
The management security network command enters the Security Management Configuration mode and then configures security policies that govern the access and behavior of various management applications on the switch. It defines rules to protect the control plane from unauthorized or malicious network activity.
The [no | default] versions of the command return the feature to its default settings.
Command Mode
Global Configuration
Security Management Configuration
Command Syntax
management security network client protocol [ftp | http | tftp] disabled
[no | default] management security network client protocol
Parameters
- network - Configure network protocols.
- client - Specify client traffic.
- protocol - Select a protocol for client traffic.
- [ftp | http | tftp] disabled - Disables the protocol and no longer allows clients to connect over these protocols.
Example
Use the following commands to disable FTP client traffic:
switch(config)# management security
switch(config-mgmt-security)# network client protocol ftp disabled
switch(config-mgmt-security)#
management security ocsp
The management security ocsp command enters the Security Online Certificate Status Protocol (OCSP) Configuration Mode and quickly checks the revocation status of digital certificates used by management services such as HTTP or LDAP over TLS.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Security Management Configuration
Command Syntax
management security ocsp profile profile_name [chain certificate requirement responder [all | leaf | none]] [extension nonce request [disabled | response]] [response validity-time extended-by seconds] [timeout seconds] [url url] [vrf vrf]
[no | default] management security ocsp profile profile_name
Parameters
- ocsp profile profile_name - Configure a name for the OCSP profile.
- chain - Configure a chained certificate for OCSP.
- certificate requirement - Add a check to the certificate for validity.
- responder - Configure the requirements for querying the OCSP responder.
- all - Perform OCSP verification on the whole chain.
- leaf - Specify to only perform OCSP verification on the leaf.
- none - Specify to only perform OCSP verification on certificates with a specified responder.
- extension nonce request - Configure sending a nonce in the OCSP requests.
- disabled - Specify to not send a nonce in the OCSP request.
- response - Specify to require the OCSP nonce in the OCSP response.
- response validity-time extended-by seconds - Configure a leeway time when checking the validity of OCSP responses from 1 to 10800 seconds.
- timeout seconds - Configure the length of time to timeout OCSP queries from 1 to 600 seconds.
- url url - Configure the URL of the overriding OCSP responder.
- vrf vrf - Configure the VRF as the location to perform OCSP queries.
Example
Use the following commands to add the profile, OCSP_1, with an extension nonce request of disabled:
switch(config)# management security
switch(config-mgmt-security)# ocsp profile OCSP_1
switch(config-mgmt-sec-ocsp-profile-OCSP_1)# extension nonce request disabled
switch(config-mgmt-sec-ocsp-profile-OCSP_1)#
management security password
The management security password command enters the Security Management Configuration Mode and configures robust password policies for all local user accounts.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Security Management Configuration
Command Syntax
management security password [encryption reversible aes-256-gcm] [encryption-key common custom key] [minimum length num_char] [policy policy_name [deny last pw_count] [maximum repetitive num_char sequential num_char] [minimum [changed num_char] [digits num_char] [length num_char] [lower num_char] [special num_char] [upper num_char]]]
[no | default] management security password
Parameters
- password - Configure password policies for the management interface.
- encryption reversible aes-256-gcm - Configure a common encryption algorithm.
- encryption-key common custom key - Configure a 32-byte customized encryption key.
- minimum length num_char - Configure a minimum length between 1 and 32 characters.
- policy policy_name - Configure password complexity settings for a policy profile.
- deny last pw_count -
- maximum [repetitive | sequential] num_char
- minimum - Configure the following minimum settings:
- changed num_char - Configure the number of positional characters that must change, from 0 to 65535.
- digits num_char - Configure the number of digits required for the password, from 0 to 65535.
- length num_char - Configure the number of characters for the password, from 0 to 65535.
- lower num_char - Configure the number of lower case characters required for the password, from 0 to 65535.
- special num_char - Configure the number of special characters, !"#$%&\'()*+,-./:;<=>?@[^]_`{|}~, required for the password, from 0 to 65535.
- upper num_char - Configure the number of upper case characters required for the password, from 0 to 65535.
Example
Use the following commands to create a password policy, ldap_access, with the minimum length of 15 characters:
switch(config)# management security
switch(config-mgmt-security)# password policy ldap_access
switch(config-pwd-policy-ldap_access)# minimum length 15
switch(config-pwd-policy-ldap_access)#
management security session
The management security session command enters the Security Management Configuration Mode and configures the session parameters that govern the behavior, timeouts, and security of interactive management sessions.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Security Management Configuration
Command Syntax
management security session shared-secret profile profile_name secret secret_name [0 | 7 | 8a] password [infinite] [mm/dd/yyyy hh:mm:ss [infinite | date local-time]] [receive-lifetime mm/dd/yyyy hh:mm:ss [infinite | date local-time]] [transmit-lifetime [infinite mm/dd/yyyy hh:mm:ss date local-time]]
Parameters
- session shared-secret profile profile_name - Configure a profile for shared secret settings.
- secret secret_name - Configure a name for the secret.
- 0 - Indicates that the key is not encrypted.
- 7 - Specifies that a hidden string follows.
- 8a - Specifies that an AES-256-GCM encrypted key follows.
- password - Specify a password
- infinite - Specify an infinite lifetime for the password.
- infinite
- mm/dd/yyyy - Specify a date in the month/day/year format.
- yyyy-mm-dd - Specify a date in the year-month-day format.
- receive-lifetime - Configure the lifetime for receiving the key.
- infinite
- mm/dd/yyyy - Specify a date in the month/day/year format.
- yyyy-mm-dd - Specify a date in the year-month-day format.
- transmit-lifetime - Configure the lifetime for transmitting the key.
- infinite
- mm/dd/yyyy - Specify a date in the month/day/year format.
- yyyy-mm-dd - Specify a date in the year-month-day format.
- local-time - Configure secrets using the local timezone from the system clock. By default, the parameter sets to UTC.
Example
Use the following commands to configure a session to use the profile, mySession, with the secret name, mySecret, and the secret, qwerty, with an infinite receive-lifetime and transmit-lifetime, with the default local-time:
switch(config)# management security
switch(config-mgmt-security)# session shared-secret profile mySession
switch(config-mgmt-sec-sh-sec-profile-mySession)# secret mySecret 0 qwerty receive-lifetime infinite transmit-lifetime infinite local-time
switch(config-mgmt-sec-sh-sec-profile-mySession)#
management security signature-verification
The management security signature-verification command enters the Security Management Configuration Mode and applies a named SSL profile that dictates the policies for verifying the integrity of the system files related to secure TLS/SSL communications.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
Security Management Configuration
Command Syntax
management security signature-verification extension ssl profile profile_name
[no | default] management security signature-verification
Parameters
- signature-verification - Configure verifying signatures of files.
- extension - Specifies that the policy applies specifically to SWIX signatures.
- ssl - Specifies using SSL to verify the signatures.
- profile profile_name - Specify an SSL profile name to use for verification. It must contain a trusted root or intermediate CA certificate corresponding to the private key used by the software vendor.
Example
Use the following commands to verify SWIX signatures using the SSL profile, swix_ca:
switch(config)# management security
switch(config-mgmt-security)# signature-verification extension ssl profile swix_ca
switch(config-mgmt-security)#
management security ssl
The management security ssl command enters the SSL Security Management Configuration mode to configure and manage the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) parameters for all secure management services on the switch.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Global Configuration
SSL Security Management Configuration
Command Syntax
management security ssl [monitor expiry time [days | hours] [log interval time [days | hours]]]
management security ssl [profile profile_name [certificate cert_name [auto-certificate cert_name] [common-name [key key_name] [username regexp regex]] [local cert_name key cert_name] [policy [expiry-date ignore] [key key_name]] [requirement extended-key-usage [hostname match] [key key_name]]] [chain [certificate cert_name] [local cert_name] [policy [expiry-date ignore]] [requirement [basic-constraint ca true] [include root-ca]]] [cipher [v1.0 cipher_list] [v1.3 cipher_list]] [diffie-hellman parameters [ffdhe2048 | ffdhe3072 | ffdhe4096 | generated]] [dtls version [1.0 | 1.2 | add | remove]] [fips restrictions] [key-establishment-group group_names] [peer certificate [format ip-address exact] [requirement [hostname match subject-alternative-name [common-name]]]] [revocation [crl [name crl_name] [policy expiry-date ignore]] [ocsp profile profile_name]] [signature algorithm alg_list] [tls versions [1.0 | 1.1 | 1.2 | 1.3 | add | remove]] [trust [certificate cert_name] [policy expiry-date ignore] [requirement [basic-constraint ca true] [hostname fqdn]] [system]]]
[no | default] management security ssl monitor
[no | default] management security ssl profile
Parameters
- ssl monitor - Configure monitoring options for all certificates.
- expiry - Log SSL monitoring warnings for certificates approaching an expiration date.
- time [days | hours] - Configure the amount of time prior to certificate expiration from 1 to 999 in days or hours.
- log interval - Configure logging intervals for sending logs to the syslog server.
- time [days | hours] - Configure the length of time between sending log messages, from 1 to 999 in days or hours.
- ssl profile profile_name - Configure an SSL profile for SSL Security Management.
- certificate - Configure a certificate for self-authentication.
- cert_name - Specify the name of the certificate.
- auto-certificate profile_name - Specify the name of an auto-certificate profile.
- common-name
- key key_name - Configure the key matching the certificate.
- username regex regex - Configure the REGEX to extract the username.
- local cert_name - Configure a local certificate name.
- key key_name - Configure a key matching the local certificate.
- policy - Configure the policy for the certificate.
- expiry-date ignore - Ignore the expiration date of the certificate.
- key key_name - Configure a key matching the certificate.
- requirement - Add a check to validate the certificate.
- extended-key-usage - Configure extended key usage for the certificate.
- hostname match - Specify to verify and match the hostname for the certificate.
- key key_name - Configure a key matching the certificate.
- chain - Configure chained certificates.
- certificate cert_name - Specify a certificate name.
- local cert_name - Configure a local certificate name.
- policy - Configure the policy for the certificate.
- expiry-date ignore - Ignore the expiration date of the certificate.
- requirement - Add a check to validate the certificate.
- extended-key-usage - Configure extended key usage for the certificate.
- hostname match - Specify to verify and match the hostname for the certificate.
- cipher - Configure TLS ciphers.
- v1.0 cipher_list - Specify the cipher lists, separated by a colon, for TLS versions 1.0, 1.1, and 1.2.
- v1.3 cipher_list - Specify the cipher lists, separated by a colon, for TLS version 1.3.
- diffie-hellman parameters - Configure Diffie-Hellman parameters:
- ffdhe2048 - Specify from RFC7919.
- ffdhe3072 - Specify from RFC7919.
- ffdhe4096 - Specify from RFC7919.
- generated - Specify 2048-bit parameters generated by the switch.
- dtls version - Configure Datagram Transport Layer Security (DTLS) settings:
- 1.0 - Specify DTLS version 1.0.
- 1.2 - Specify DTLS version 1.2.
- add - Add versions to the list.
- remove - Remove versions from the list.
- fips restrictions - Configure FIPS restrictions.
- key-establishment-group group_names - Configure TLS 1.3 key establishment groups using canonical names recognized by the TLS standards.
- peer certificate - Configure peer-related certificate options:
- format ip-address exact - Specify the format rules for IP addresses to reject wildcards in the IP address.
- requirement hostname match subject-alternative-name [common-name] - Specify a check for certificate validity to include hostname matching for the common name.
- revocation - Configure checking of the revocation status for certificates.
- crl name crl_name - Specify the name of the Certificate Revocation List (CRL).
- policy expiry-date ignore - Configure the policy to ignore certificate expiration dates.
- ocsp profile profile_name - Specify the name of the Online Certificate Status Protocol (OCSP) profile.
- signature algorithm alg_list - Specify the TLS signature algorithm list.
- tls - Configure TLS settings.
- versions - Specify the TLS version:
- 1.0
- 1.1
- 1.2
- 1.3
- add - Add versions to the list.
- remove - Remove versions from the list.
- trust - Configure a trusted certificate.
- certificate cert_name - Specify the name of a certificate.
- policy expiry-date ignore - Configure the policy to ignore expiration dates.
- requirement - Add a check to validate the certificate.
- basic-constraint ca true - Configure the Certificate Authority attribute to true and allow the CA to sign and issue other certificates in the trust chain. This certificate is the trust anchor or an intermediate authority.
- hostname fqdn - Specify that the hostname must be a fully qualified domain name without wildcards.
- system - Specify using a system-supplied trust certificate.
Example
Use the following commands to log a warning when a certificate is within 10 days of expiration and to repeat the warning to syslog every 8 hours:
switch(config)# management security
switch(config-mgmt-security)# ssl monitor expiry 10 days log interval 8 hours
switch(config-mgmt-security)#
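The management security settings documented above lend themselves to an automated configuration review. The following audit is an added example, not Arista code: it walks a constructed running-config excerpt and flags plaintext (type 0) shared secrets, disabled OCSP nonces, TLS 1.0/1.1, ignored certificate expiry, short password policies, and client protocols left enabled. The indented rendering of sub-modes, the 12-character threshold, and the rule names are assumptions of this example.

```python
import re

# Constructed running-config excerpt (not from a real switch). It assumes
# sub-modes are rendered as indented blocks and uses only keywords that
# appear in the command syntax on this page.
SAMPLE_CONFIG = """\
management security
   network client protocol ftp disabled
   password policy ldap_access
      minimum length 15
   password policy short_pw
      minimum length 6
   session shared-secret profile mySession
      secret mySecret 0 qwerty receive-lifetime infinite transmit-lifetime infinite
   ocsp profile OCSP_1
      extension nonce request disabled
   ssl profile legacy
      tls versions 1.0 1.1 1.2
      trust policy expiry-date ignore
   ssl profile modern
      tls versions 1.2 1.3
"""

MIN_PASSWORD_LENGTH = 12                     # local policy value, an assumption
CLEARTEXT_CLIENTS = ("ftp", "http", "tftp")  # protocols the page lets you disable
DEPRECATED_TLS = {"1.0", "1.1"}


def parse_modes(text):
    """Return [(parents, statement)]; parents are the enclosing mode lines."""
    stack, parsed = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left a sub-mode
        stmt = " ".join(raw.split())
        parsed.append((tuple(s for _, s in stack), stmt))
        stack.append((indent, stmt))
    return parsed


def audit(text):
    """Return (rule, location, detail) findings for the 'management security' block."""
    findings, disabled = [], set()
    for parents, stmt in parse_modes(text):
        if not parents or parents[0] != "management security":
            continue
        mode = parents[-1]  # innermost enclosing mode
        if m := re.fullmatch(r"network client protocol (\w+) disabled", stmt):
            disabled.add(m.group(1))
        if mode.startswith("password policy "):
            m = re.fullmatch(r"minimum length (\d+)", stmt)
            if m and int(m.group(1)) < MIN_PASSWORD_LENGTH:
                findings.append(("SHORT-PASSWORD", mode,
                                 f"minimum length {m.group(1)} < {MIN_PASSWORD_LENGTH}"))
        if mode.startswith("session shared-secret profile "):
            # Type 0 means the key is not encrypted; never echo the value itself.
            if m := re.match(r"secret (\S+) 0 ", stmt):
                findings.append(("PLAINTEXT-SECRET", mode,
                                 f"secret {m.group(1)} uses type 0"))
        if mode.startswith("ocsp profile ") and stmt == "extension nonce request disabled":
            findings.append(("OCSP-NONCE-OFF", mode,
                             "responses are not bound to a request nonce"))
        if mode.startswith("ssl profile "):
            words = stmt.split()
            if stmt.startswith("tls versions ") and "remove" not in words:
                weak = sorted(DEPRECATED_TLS & set(words[2:]))
                if weak:
                    findings.append(("WEAK-TLS", mode, "allows TLS " + ", ".join(weak)))
            if stmt.endswith("policy expiry-date ignore"):
                findings.append(("EXPIRY-IGNORED", mode, stmt))
    for proto in CLEARTEXT_CLIENTS:
        if proto not in disabled:
            findings.append(("CLEARTEXT-CLIENT", "management security",
                             f"{proto} client not disabled"))
    return findings


if __name__ == "__main__":
    for rule, where, detail in audit(SAMPLE_CONFIG):
        print(f"{rule:17} {where:42} {detail}")
```

Each finding maps back to one documented command, so the remediation is the corresponding statement in Security Management Configuration Mode.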
management ssh
The management ssh command places the switch in SSH Management Configuration Mode to adjust SSH session connection parameters.
The no management ssh and default management ssh commands delete the SSH Management Configuration Mode statements from running-config.
The mgmt-ssh configuration mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting the SSH Management Configuration Mode does not affect running-config. The exit command returns the switch to Global Configuration Mode.
Command Mode
Global Configuration
Command Syntax
management ssh
no management ssh
default management ssh
- authentication - Change authentication settings.
- authorized-principals - Configure the authorized principals settings.
- cipher - Configure an exclusive list of cryptographic ciphers for SSH.
- client-alive - Set SSH ClientAlive options.
- compression - Configure SSH compression algorithms.
- connection - Configure settings for SSH connections.
- fips restrictions - Configure FIPS settings.
- hostkey - Set SSH hostkey related options.
- idle-timeout - Set idle session timeout (minutes).
- ip access group - Set the SSH IPv4 configuration.
- ipv6 access group - Set the SSH IPv6 configuration.
- key-exchange - Configure an exclusive list of key-exchange methods for SSH.
- log-level - Configure SSH daemon logging level.
- logging - Configure SSH system logging.
- login timeout - Configure options related to logging into SSH.
- mac hmac - Exclusive list of MAC algorithms for SSH.
- qos - Configure QoS parameters.
- rekey - Configure the length of time before rekeying SSH connections.
- server-port - Change the server port.
- shutdown - Disable SSH on the switch.
- trusted-ca - Configure a trusted certificate.
- user-keys - Configure SSH user key settings.
- username - Configure SSH user-specific settings.
- verify - Configure option for SSH verification.
- vrf - Configure the VRF to use for SSH.
- This command places the switch in SSH Management Configuration Mode:
switch(config)# management ssh
switch(config-mgmt-ssh)#
- This command returns the switch to Global Configuration Mode:
switch(config-mgmt-ssh)# exit
switch(config)#
management telnet
The management telnet command places the switch in Telnet Management Configuration Mode to adjust Telnet session connection parameters.
The no management telnet and default management telnet commands delete the Telnet Management Configuration Mode statements from running-config.
The Telnet Management Configuration Mode is not a group change mode. The running-config changes immediately upon entering commands. Exiting the Telnet Management Configuration Mode does not affect the running-config. The exit command returns the switch to Global Configuration Mode.
Command Mode
Global Configuration
Command Syntax
management telnet
no management telnet
default management telnet
- idle-timeout - Set the idle session timeout from 0 to 84600 minutes.
- ip access-group in vrf vrf_name - Add an IPv4 access group name.
- ipv6 access-group in vrf vrf_name - Add an IPv6 access group name.
- login user match-list vrf_name invert-result - Add a list of users allowed to access Telnet.
- session-limit sessions [per-host sessions] - Configure the maximum number of sessions.
- shutdown - Disable Telnet.
- vrf vrf_name default - Specify the default Virtual Routing and Forwarding (VRF) instance.
- This command places the switch in Telnet Management Configuration Mode:
switch(config)# management telnet
switch(config-mgmt-telnet)#
- This command returns the switch to Global Configuration Mode:
switch(config-mgmt-telnet)# exit
switch(config)#
protocol http (API Management)
The protocol http command enables the hypertext transfer protocol (HTTP) server.
The no protocol http and default protocol http commands disable the HTTP server by removing the protocol http statement from running-config.
Command Mode
Mgmt-API Configuration
Command Syntax
protocol http [TCP_PORT]
no protocol http
default protocol http
- TCP_PORT - Port number used for the HTTP server.
Options include:
- no parameter - Specifies default port number 80.
- port 1 to 65535 - Specifies HTTP server port number. The value ranges from 1 to 65535.
- localhost The name of the server bound on the localhost.
- port The number of the TCP port to serve on.
Related Commands
management api http-commands places the switch in mgmt-api configuration mode.
Example
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)#
protocol https (API Management)
The protocol https command enables the HTTP secure server. The HTTP secure server is active by default.
The default protocol https command restores the default setting by removing the no protocol https statement from running-config. The no protocol https command disables the HTTP secure server.
Command Mode
API Management Configuration
Command Syntax
protocol https [TCP_PORT]
no protocol https
default protocol https
- TCP_PORT - Port number used for the HTTPS server.
Options include:
- no parameter - Specifies default port number 443.
- port 1 to 65535 - Specifies HTTP server port number. The value ranges from 1 to 65535.
- certificate - The HTTPS key and certificate to use for the switch.
- cipher - Exclusive list of cryptographic ciphers.
- key-exchange - Exclusive list of key-exchange algorithms.
- mac - Exclusive list of MAC algorithms.
- port - The TCP port number to serve on.
- ssl - Configure SSL options.
Related Commands
management api http-commands places the switch in API Management Configuration Mode.
- These commands enable service to the HTTP server. The no shutdown command allows access to the service.
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# protocol https
switch(config-mgmt-api-http-cmds)# no shutdown
- These commands specify the port number used for the HTTPS server. The no shutdown command allows access to the service.
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# protocol https port 52
switch(config-mgmt-api-http-cmds)# no shutdown
protocol https certificate (API Management)
The protocol https certificate command configures the HTTP secure server to request an X.509 certificate from the client. The client then authenticates the certificate with a public key.
The no protocol https certificate and default protocol https certificate commands restore default behavior by removing the protocol https certificate statement from running-config.
Command Mode
API Management Configuration
Command Syntax
protocol https certificate
no protocol https certificate
default protocol https certificate
Related Command
management api http-commands places the switch in API Management Configuration Mode.
Example
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# protocol https certificate
switch(config-mgmt-api-http-cmds)#
reset system storage secure
Use the reset system storage secure command to trigger the secure erase mechanism. Secure erase is a command that deliberately, permanently, and irreversibly removes and destroys the data stored on a storage device, rendering that data unrecoverable.
Command Mode
EXEC
Command Syntax
reset system storage secure
Examples
- To trigger the secure erase mechanism, use the reset system storage secure command.
switch# reset system storage secure
WARNING! This will destroy all data and will NOT be recoverable.
Device will reboot into Aboot, and execution may take up to one hour.
Would you like to proceed? [y/N]
- If a particular platform does not support the reset system storage secure command, the following message appears:
switch#reset system storage secure
% Unavailable command (not supported on this hardware platform)
show inventory
The show inventory command displays the hardware components installed in the switch. Each component has a serial number and a description.
Command Mode
EXEC
Command Syntax
show inventory
Example
switch> show inventory
System information
Model                    Description
------------------------ ----------------------------------
DCS-7150S-52-CL          52-port SFP+ 10GigE 1RU + Clock
HW Version  Serial Number  Mfg Date
----------- -------------- ----------
02.00       JPE13120702    2013-03-27
System has 2 power supply slots
Slot Model            Serial Number
---- ---------------- ----------------
1    PWR-460AC-F      K192KU00241CZ
2    PWR-460AC-F      K192L200751CZ
System has 4 fan modules
Module  Number of Fans  Model            Serial Number
------- --------------- ---------------- ----------------
1       1               FAN-7000-F       N/A
2       1               FAN-7000-F       N/A
3       1               FAN-7000-F       N/A
4       1               FAN-7000-F       N/A
System has 53 ports
Type             Count
---------------- ----
Management       1
Switched         52
System has 52 transceiver slots
Port Manufacturer     Model            Serial Number    Rev
---- ---------------- ---------------- ---------------- ----
1    Arista Networks  SFP-10G-SR       XCW1225FD753     0002
2    Arista Networks  SFP-10G-SR       XCW1225FD753     0002
51   Arista Networks  SFP-10G-SR       XCW1225FD753     0002
52   Arista Networks  SFP-10G-SR       XCW1225FD753     0002
switch>
shutdown (API Management)
The shutdown command disables management over API on the switch in API Management Configuration Mode. EOS disables API Management by default.
The no shutdown command enables the management API access in mgmt-api configuration mode.
The default shutdown command disables the management API access in mgmt-api configuration mode.
Command Mode
Mgmt-API Configuration
Command Syntax
shutdown
no shutdown
default shutdown
Related Command
management api http-commands places the switch in mgmt-api configuration mode.
Examples
- These commands disable API access to the HTTP server.
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# shutdown
switch(config-mgmt-api-http-cmds)#
- These commands enable API access to the HTTP server.
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# no shutdown
switch(config-mgmt-api-http-cmds)#
shutdown (Telnet Management)
- To enable Telnet, enter no shutdown at the Telnet Management prompt.
- To disable Telnet, enter shutdown at the Telnet Management prompt.
Command Mode
Telnet Management Configuration
Command Syntax
shutdown
no shutdown
Examples
- These commands enable Telnet and return the switch to the Global Configuration Mode.
switch(config)# management telnet
switch(config-mgmt-telnet)# no shutdown
switch(config-mgmt-telnet)# exit
switch(config)#
- This command disables Telnet.
switch(config-mgmt-telnet)# shutdown
timeout
The timeout command in the SSH, Telnet, or Console Management Configuration Mode specifies the maximum length of a management session regardless of activity during the session. It prevents sessions from remaining open indefinitely on the switch and provides a separate behavior from the parameter idle-timeout. Both timers operate independently and the timer with the shortest session time ends the session.
The [no | default] versions of the command disable the feature and remove the configuration from the running-config.
Command Mode
Console Management Configuration
SSH Management Configuration
Telnet Management Configuration
Command Syntax
management [console | ssh | telnet] timeout timeout_period
[no | default] management [console | ssh | telnet] timeout
Parameters
- timeout timeout_period - Configure a timeout session from 1 to 86400 minutes. Setting the timeout to 0 disables the timeout session.
Examples
Use the following commands to set the console timeout to 60 minutes.
switch(config)# management console
switch(config-mgmt-console)# timeout 60
Use the following commands to set the SSH timeout to 60 minutes.
switch(config)# management ssh
switch(config-mgmt-ssh)# timeout 60
Use the following commands to set the Telnet timeout to 60 minutes.
switch(config)# management telnet
switch(config-mgmt-telnet)# timeout 60
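An added example, not part of the Arista documentation: a Python check over a running-config excerpt that flags the management settings described in the sections above (Telnet enabled with no shutdown, the API enabled together with no protocol https, and console, SSH or enabled Telnet sessions without a non-zero timeout). The sample config is constructed, the indentation-based layout and the choice to always check console and SSH are assumptions, and parse_sections, has_session_limit and audit are hypothetical names.

```python
import re

# Constructed excerpt, not from a real device; indented sub-command layout is assumed.
SAMPLE_CONFIG = """\
management api http-commands
   no protocol https
   no shutdown
!
management console
   timeout 60
!
management ssh
   idle-timeout 15
!
management telnet
   no shutdown
   timeout 0
"""

def parse_sections(config):
    """Map each 'management <name>' section to its list of sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line[:1].isspace():  # column 0: a new top-level command
            m = re.match(r"management (\S.*)", line)
            current = sections.setdefault(m[1].strip(), []) if m else None
        elif current is not None:
            current.append(line.strip())
    return sections

def has_session_limit(cmds):
    """True if a 'timeout N' with N > 0 is set ('timeout 0' disables it)."""
    limits = [int(c.split()[1]) for c in cmds if re.fullmatch(r"timeout \d+", c)]
    return any(n > 0 for n in limits)

def audit(config):
    """Return findings, in a fixed order, for the commands in this section."""
    sec = parse_sections(config)
    api, telnet = sec.get("api http-commands", []), sec.get("telnet", [])
    findings, limited = [], ["console", "ssh"]  # assumed to be in use
    if "no shutdown" in telnet:  # Telnet stays off unless 'no shutdown' is set
        findings.append("telnet: enabled")
        limited.append("telnet")  # only an enabled service has sessions to limit
    if "no shutdown" in api and "no protocol https" in api:
        findings.append("api http-commands: enabled with HTTPS disabled")
    for name in limited:
        if not has_session_limit(sec.get(name, [])):
            findings.append(name + ": no absolute session timeout")
    return findings
```

The idle-timeout line under management ssh is deliberately not counted as a session limit, because timeout and idle-timeout are independent timers.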
vrf (API Management)
The vrf command places the switch in the server's VRF configuration mode. If the named VRF does not already exist, this command creates it.
Command Mode
API Management Configuration
Command Syntax
vrf VRF_INSTANCE
Parameters
- default - Instance created in the default VRF.
- vrf_name - Instance created in the specified user-defined VRF.
Related Command
management api http-commands places the switch in API Management Configuration.
Example
switch(config)# management api http-commands
switch(config-mgmt-api-http-cmds)# vrf management-vrf
switch(config-mgmt-api-http-cmds-vrf-management-vrf)#