Reference Guide
Table Of Contents
- OS10 Enterprise Edition User Guide Release 10.3.1E
- Getting Started
- Download OS10 image and license
- Installation
- Log into OS10
- Install OS10 license
- Remote access
- Upgrade OS10
- CLI Basics
- User accounts
- Key CLI features
- CLI command modes
- CLI command hierarchy
- CLI command categories
- CONFIGURATION Mode
- Command help
- Check device status
- Candidate configuration
- Change to transaction-based configuration
- Back up or restore configuration
- Reload system image
- Filter show commands
- Alias command
- Batch mode commands
- Linux shell commands
- SSH commands
- OS9 environment commands
- Common commands
- alias
- batch
- boot
- commit
- configure
- copy
- delete
- dir
- discard
- do
- feature config-os9-style
- exit
- license
- lock
- management route
- move
- no
- reload
- show alias
- show boot
- show candidate-configuration
- show environment
- show inventory
- show ip management-route
- show ipv6 management-route
- show license status
- show running-configuration
- show startup-configuration
- show system
- show version
- start
- system
- system identifier
- terminal
- traceroute
- unlock
- write
- Interfaces
- Ethernet interfaces
- Unified port groups
- L2 mode configuration
- L3 mode configuration
- Fibre Channel interfaces
- Management interface
- VLAN interfaces
- Loopback interfaces
- Port-channel interfaces
- Create port-channel
- Add port member
- Minimum links
- Assign Port Channel IP Address
- Remove or disable port-channel
- Load balance traffic
- Change hash algorithm
- Configure interface ranges
- Energy-efficient Ethernet
- Forward error correction
- Switch-port profiles
- View interface configuration
- Interface commands
- channel-group
- description (Interface)
- duplex
- fec
- interface breakout
- interface ethernet
- interface loopback
- interface mgmt
- interface null
- interface port-channel
- interface range
- interface vlan
- link-bundle-utilization
- mgmt
- mode
- mtu
- port-group
- show interface
- show link-bundle-utilization
- show port-channel summary
- show port-group
- show switch-port-profile
- show vlan
- shutdown
- speed (Fibre Channel)
- speed (Management)
- switch-port-profile
- switchport access vlan
- switchport mode
- switchport trunk allowed vlan
- Fibre channel
- Layer 2
- 802.1X
- Link aggregation control protocol
- Link layer discovery protocol
- Protocol data units
- Optional TLVs
- Organizationally-specific TLVs
- Media endpoint discovery
- Network connectivity device
- LLDP-MED capabilities TLV
- Network policies TLVs
- Define network policies
- Packet timer values
- Disable and re-enable LLDP
- Advertise TLVs
- Network policy advertisement
- Fast start repeat count
- View LLDP configuration
- Adjacent agent advertisements
- Time to live
- LLDP commands
- Media Access Control
- Multiple spanning-tree protocol
- Rapid per-VLAN spanning-tree plus
- Rapid spanning-tree protocol
- Virtual LANs
- Port monitoring
- Layer 3
- Border gateway protocol
- Sessions and peers
- Route reflectors
- Multiprotocol BGP
- Attributes
- Selection criteria
- Weight and local preference
- Multiexit discriminators
- Origin
- AS path and next-hop
- Best path selection
- More path support
- Advertise cost
- 4-Byte AS numbers
- AS number migration
- Configure border gateway protocol
- Enable BGP
- Configure Dual Stack
- Peer templates
- Neighbor fall-over
- Fast external fallover
- Passive peering
- Local AS
- AS number limit
- Redistribute routes
- Additional paths
- MED attributes
- Local preference attribute
- Weight attribute
- Enable multipath
- Route-map filters
- Route reflector clusters
- Aggregate routes
- Confederations
- Route dampening
- Timers
- Neighbor soft-reconfiguration
- BGP commands
- Equal cost multi-path
- IPv4 routing
- IPv6 routing
- Open shortest path first
- Object tracking manager
- Policy-based routing
- Virtual router redundancy protocol
- Border gateway protocol
- System management
- Access Control Lists
- IP ACLs
- MAC ACLs
- IP fragment handling
- L3 ACL rules
- Assign sequence number to filter
- L2 and L3 ACLs
- Assign and apply ACL filters
- Ingress ACL filters
- Egress ACL filters
- Clear access-list counters
- IP prefix-lists
- Route-maps
- Match routes
- Set conditions
- continue Clause
- ACL flow-based monitoring
- Enable flow-based monitoring
- ACL commands
- clear ip access-list counters
- clear ipv6 access-list counters
- clear mac access-list counters
- deny
- deny (IPv6)
- deny (MAC)
- deny icmp
- deny icmp (IPv6)
- deny ip
- deny ipv6
- deny tcp
- deny tcp (IPv6)
- deny udp
- deny udp (IPv6)
- description
- ip access-group
- ip access-list
- ip as-path deny
- ip as-path permit
- ip community-list standard deny
- ip community–list standard permit
- ip extcommunity-list standard deny
- ip extcommunity-list standard permit
- ip prefix-list description
- ip prefix-list deny
- ip prefix-list permit
- ip prefix-list seq deny
- ip prefix-list seq permit
- ipv6 access-group
- ipv6 access-list
- ipv6 prefix-list deny
- ipv6 prefix-list description
- ipv6 prefix-list permit
- ipv6 prefix-list seq deny
- ipv6 prefix-list seq permit
- mac access-group
- mac access-list
- permit
- permit (IPv6)
- permit (MAC)
- permit icmp
- permit icmp (IPv6)
- permit ip
- permit ipv6
- permit tcp
- permit tcp (IPv6)
- permit udp
- permit udp (IPv6)
- remark
- seq deny
- seq deny (IPv6)
- seq deny (MAC)
- seq deny icmp
- seq deny icmp (IPv6)
- seq deny ip
- seq deny ipv6
- seq deny tcp
- seq deny tcp (IPv6)
- seq deny udp
- seq deny udp (IPv6)
- seq permit
- seq permit (IPv6)
- seq permit (MAC)
- seq permit icmp
- seq permit icmp (IPv6)
- seq permit ip
- seq permit ipv6
- seq permit tcp
- seq permit tcp (IPv6)
- seq permit udp
- seq permit udp (IPv6)
- show access-group
- show access-lists
- show ip as-path-access-list
- show ip community-list
- show ip extcommunity-list
- show ip prefix-list
- Route-map commands
- continue
- match as-path
- match community
- match extcommunity
- match interface
- match ip address
- match ip next-hop
- match ipv6 address
- match ipv6 next-hop
- match metric
- match origin
- match route-type
- match tag
- route-map
- set comm-list delete
- set community
- set extcomm-list delete
- set extcommunity
- set local-preference
- set metric
- set metric-type
- set next-hop
- set origin
- set tag
- set weight
- show route-map
- Quality of service
- Configure quality of service
- Class-map configuration
- Policy-map configuration
- Ingress traffic priorities
- Queue selection
- Strict priority queuing
- Class of service or dot1p classification
- Mark traffic
- Traffic metering
- Bandwidth allocation
- Service-policy rate-shaping
- Policy-based rate-policing
- Control-plane policing
- Congestion avoidance
- Verify configuration
- Egress queue statistics
- QoS commands
- bandwidth
- class
- class-map
- clear interface priority-flow-control
- clear qos statistics
- clear qos statistics type
- control-plane
- flowcontrol
- match
- match cos
- match dscp
- match precedence
- match qos-group
- match vlan
- mtu
- pause
- pfc-cos
- pfc-shared-buffer-size
- police
- policy-map
- priority
- priority-flow-control mode
- qos-group dot1p
- qos-group dscp
- queue-limit
- queue qos-group
- random-detect
- service-policy
- set cos
- set dscp
- set qos-group
- shape
- show class-map
- show control-plane info
- show control-plane statistics
- show interface priority-flow-control
- show qos interface
- show policy-map
- show qos control-plane
- show qos egress bufffers interface
- show egress buffer-stats interface
- show qos ingress buffers interface
- show ingress buffer-stats interface
- show queuing statistics
- show qos system
- show qos system buffers
- show qos maps
- system qos
- trust
- trust dot1p-map
- trust dscp-map
- qos-map traffic-class
- trust-map
- Virtual link trunking
- Converged data center services
- sFlow
- Troubleshoot OS10
- Support resources
The authentication methods in the method list are executed in the order in which they are congured. You can re-enter the methods to
change the order. If a console user logs in with RADIUS authentication, the privilege-level applies from the RADIUS server if you congured
the privilege-level for that user in RADIUS.
NOTE: You must congure the group name (level) on the RADIUS server using the vendor-specic attribute or the
authentication fails.
• Congure the AAA authentication method in CONFIGURATION mode.
aaa authentication [local | radius]
• local — Use the username and password database dened in the local conguration.
• radius — (Optional) Use the RADIUS servers congured with the radius-server host command as the primary
authentication method.
Congure AAA authentication
OS10(config)# aaa authentication radius local
Role-based access control
RBAC provides control for access and authorization. Users are granted permissions based on dened roles — not on their individual system
user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single
role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter
an enable password because you are automatically placed in EXEC mode.
OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add
commands a user can enter, and set the actions the user can perform. This allows greater exibility when assigning permissions for each
command to each role. Using RBAC is easier and more ecient to administer user rights. If a user’s role matches one of the allowed user
roles for that command, command authorization is granted.
A constrained RBAC model provides separation of duty as well as greater security. A constrained model place some limitations on each
role’s permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events,
audits, and security system logs.
RADIUS server host
When conguring a RADIUS server host, you can set dierent communication parameters, such as a user datagram protocol (UDP) port,
key password, number of retries, and timeout.
• Enter the host name or IP address of the RADIUS server host in CONFIGURATION mode.
radius-server host [hostname | ip-address] [auth-port port-number | key authentication-key
The default RADIUS authentication port is 1812.
To congure multiple RADIUS server hosts, congure the radius-server host command multiple times. If you congure multiple
RADIUS server hosts, OS10 attempts to connect with them in the order you congured them. When the system attempts to authenticate a
user, the software connects with the RADIUS server hosts one at a time, until a RADIUS server host responds with an accept or reject
response.
If you want to change an optional parameter setting for a specic host, use the radius-server host command.
Congure RADIUS server host
OS10(config)# radius-server host 1.2.4.5
System management
387