CLI Reference Guide

Using the CLI
User Access Control
In addition to authenticating a user, the CLI also assigns the user access to one of two security
levels. Level 1 has read-only access. This level allows the user to read information but not configure
the switch. The access to this level cannot be modified. Level 15 is the special access level assigned
to the superuser of the switch. This level has full access to all functions within the switch and
cannot be modified.
If the user account is created and maintained locally, each user is given an access level at the time
of account creation. If the user is authenticated through remote authentication servers, the
authentication server is configured to pass the user access level to the CLI when the user is
authenticated. When Radius is used, the Vendor-Specific Option field returns the access level for
the user. Two vendor-specific options are supported: CISCO-AV-Pairs (Shell:priv-lvl=x)
and Dell Radius VSA (user-group=x). TACACS+ provides the appropriate level of access.
The following rules and specifications apply:
• The user determines whether remote authentication servers or locally defined user
authentication accounts are used.
• If authentication servers are used, the user can identify at least two remote servers (the
user may choose to configure only one server) and what protocol to use with the server,
TACACS+ or Radius. One of the servers is primary and the other is the secondary server
(the user is not required to specify a secondary server). If the primary server fails to
respond in a configurable time period, the CLI automatically attempts to authenticate
the user with the secondary server.
• The user is able to specify what happens when both primary and secondary servers fail to
respond. In this case, the user is able to indicate that the CLI should either use the local
user accounts or reject all requests.
• Even if the user configures the CLI to fail login when the remote authentication servers
are down, the CLI allows the user to log in to the serial interface authenticated by locally
managed account data.
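The rules above, modelled as an added example (not code from the switch or its vendor) so the serial-console exception can be checked against each fallback setting. The function names, the REJECT marker, the sample accounts, case-insensitive matching of the option string, treating an explicit denial as final, and refusing levels other than 1 and 15 are all assumptions of this model.

```python
import hmac
import re

REJECT = "REJECT"  # model value for an explicit denial from a server
VSA_FORMS = (
    re.compile(r"shell:priv-lvl=(\d+)", re.IGNORECASE),  # CISCO-AV-Pairs
    re.compile(r"user-group=(\d+)", re.IGNORECASE),      # Dell Radius VSA
)

def level_from_vsa(value):
    """Return the access level carried in a vendor-specific option, or None."""
    for form in VSA_FORMS:
        match = form.fullmatch(value.strip())
        if match:
            level = int(match.group(1))
            # Only levels 1 (read-only) and 15 (superuser) are defined on the page;
            # refusing anything else is this model's assumption.
            return level if level in (1, 15) else None
    return None

def local_login(user, password, accounts):
    """Check a locally managed account; accounts maps user -> (password, level)."""
    stored = accounts.get(user)
    if stored and hmac.compare_digest(stored[0].encode(), password.encode()):
        return stored[1]
    return None

def login(user, password, interface, servers, accounts, on_no_response):
    """Return the granted access level, or None if the login is refused.

    servers: [primary, secondary] callables returning a VSA string on accept,
    REJECT on denial, or None on timeout. on_no_response: "local" or "reject".
    """
    for ask in servers:
        reply = ask(user, password)
        if reply is None:
            continue                      # no answer in time: try the next server
        if reply == REJECT:
            return None                   # assumption: an explicit denial is final
        return level_from_vsa(reply)
    # No remote server configured, or none answered.
    if not servers or on_no_response == "local" or interface == "serial":
        return local_login(user, password, accounts)
    return None

# Constructed sample data for the model.
ACCOUNTS = {"admin": ("s3cret-local", 15), "viewer": ("view-only", 1)}
timeout = lambda user, password: None
accept15 = lambda user, password: "shell:priv-lvl=15"
```

With both servers unresponsive and the policy set to reject, the same local credentials are refused over the network but accepted on the serial interface, so local account data remains part of the attack surface for anyone with console access.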
Syslogs
The CLI uses syslog support to send logging messages to a remote syslog server. The user configures
the switch to send all logging messages to a remote log server. If no remote log server exists,
then the CLI maintains a rolling log of at most the last 1000 critical system events.
The following rules and specifications apply:
• The CLI permits the user to configure a remote syslog server to which all system logging
messages are sent.
• Log messages are implementation-dependent but may contain debug messages, security
or fault events.
• If a log server is not specified by the user, the CLI maintains at most the last 1000 critical
system events. In this case, less important events are not recorded.










