Reference Guide
Table Of Contents
- Table of Contents
- Preface
- 1: Using the Command-Line Interface
- 2: Stacking Commands
- 3: Management Commands
- Network Interface Commands
- Console Port Access Commands
- Telnet Commands
- Secure Shell Commands
- Management Security Commands
- Hypertext Transfer Protocol Commands
- ip http accounting exec, ip https accounting exec
- ip http authentication
- ip https authentication
- ip http server
- ip http secure-server
- ip http java
- ip http port
- ip http rest-api port
- ip http rest-api secure-port
- ip http session hard-timeout
- ip http session maxsessions
- ip http session soft-timeout
- ip http secure-session hard-timeout
- ip http secure-session maxsessions
- ip http secure-session soft-timeout
- ip http secure-port
- ip http secure-protocol
- show ip http
- Access Commands
- User Account Commands
- aaa authentication login
- aaa authentication enable
- aaa authorization
- authorization commands
- authorization exec
- authorization exec default
- show authorization methods
- enable authentication
- username (Global Config)
- username nopassword
- username unlock
- username snmpv3 accessmode
- username snmpv3 authentication
- username snmpv3 encryption
- username snmpv3 encryption encrypted
- show users
- show users long
- show users accounts
- show users login-history [long]
- show users login-history [username]
- login authentication
- password
- password (Line Configuration)
- password (User EXEC)
- password (aaa IAS User Config)
- enable password (Privileged EXEC)
- passwords min-length
- passwords history
- passwords aging
- passwords lock-out
- passwords strength-check
- passwords strength maximum consecutive-characters
- passwords strength maximum repeated-characters
- passwords strength minimum uppercase-letters
- passwords strength minimum lowercase-letters
- passwords strength minimum numeric-characters
- passwords strength minimum special-characters
- passwords strength minimum character-classes
- passwords strength exclude-keyword
- show passwords configuration
- show passwords result
- aaa ias-user username
- aaa session-id
- aaa accounting
- password (AAA IAS User Configuration)
- clear aaa ias-users
- show aaa ias-users
- accounting
- show accounting
- show accounting methods
- clear accounting statistics
- show domain-name
- SNMP Commands
- snmp-server
- snmp-server community
- snmp-server community-group
- snmp-server enable traps violation
- snmp-server enable traps
- snmp-server enable traps bgp
- snmp-server enable traps fip-snooping
- snmp-server port
- snmp trap link-status
- snmp trap link-status all
- snmp-server enable traps linkmode
- snmp-server enable traps multiusers
- snmp-server enable traps stpmode
- snmp-server engineID local
- snmp-server filter
- snmp-server group
- snmp-server host
- snmp-server user
- snmp-server view
- snmp-server v3-host
- snmptrap source-interface
- snmptrap ipaddr snmpversion
- snmptrap ip6addr snmpversion
- show snmp
- show snmp engineID
- show snmp filters
- show snmp group
- show snmp-server
- show snmp source-interface
- show snmp user
- show snmp views
- show trapflags
- RADIUS Commands
- aaa server radius dynamic-author
- auth-type
- authorization network radius
- clear radius dynamic-author statistics
- client
- debug aaa coa
- debug aaa pod
- ignore server-key
- ignore session-key
- port
- radius accounting mode
- radius server attribute 4
- radius server host
- radius server key
- radius server msgauth
- radius server primary
- radius server retransmit
- radius source-interface
- radius server timeout
- server-key
- show radius servers
- show radius
- show radius servers
- show radius accounting
- show radius accounting statistics
- show radius source-interface
- show radius statistics
- TACACS+ Commands
- Configuration Scripting Commands
- Prelogin Banner, System Prompt, and Host Name Commands
- 4: Utility Commands
- AutoInstall Commands
- CLI Output Filtering Commands
- Dual Image Commands
- System Information and Statistics Commands
- load-interval
- show arp switch
- show eventlog
- show hardware
- show version
- show platform vpd
- show interface
- show interfaces status
- show interfaces traffic
- show interface counters
- show interface ethernet
- show interface ethernet switchport
- show interface lag
- show fiber-ports optical-transceiver
- show fiber-ports optical-transceiver-info
- show mac-addr-table
- process cpu threshold
- show process app-list
- show process app-resource-list
- show process cpu
- show process proc-list
- show running-config
- show running-config interface
- show
- dir
- show sysinfo
- show tech-support
- length value
- terminal length
- show terminal length
- memory free low-watermark processor
- clear mac-addr-table
- Box Services Commands
- Logging Commands
- logging buffered
- logging buffered wrap
- logging cli-command
- logging console
- logging host
- logging host reconfigure
- logging host remove
- logging protocol
- logging syslog
- logging syslog port
- logging syslog source-interface
- show logging
- show logging buffered
- show logging hosts
- show logging persistent
- show logging traplogs
- clear logging buffered
- Email Alerting and Mail Server Commands
- logging email
- logging email urgent
- logging email message-type to-addr
- logging email from-addr
- logging email message-type subject
- logging email logtime
- logging traps
- logging email test message-type
- show logging email config
- show logging email statistics
- clear logging email statistics
- mail-server
- security
- port
- username (Mail Server Config)
- password
- show mail-server config
- System Utility and Clear Commands
- Power Over Ethernet Commands
- Simple Network Time Protocol Commands
- Time Zone Commands
- DHCP Server Commands
- ip dhcp pool
- client-identifier
- client-name
- default-router
- dns-server
- hardware-address
- host
- lease
- network (DHCP Pool Config)
- bootfile
- domain-name
- domain-name enable
- netbios-name-server
- netbios-node-type
- next-server
- option
- ip dhcp excluded-address
- ip dhcp ping packets
- service dhcp
- ip dhcp bootp automatic
- ip dhcp conflict logging
- clear ip dhcp binding
- clear ip dhcp server statistics
- clear ip dhcp conflict
- show ip dhcp binding
- show ip dhcp global configuration
- show ip dhcp pool configuration
- show ip dhcp server statistics
- show ip dhcp conflict
- DNS Client Commands
- IP Address Conflict Commands
- Serviceability Packet Tracing Commands
- capture file | remote | line
- capture remote port
- capture file size
- capture line wrap
- show capture packets
- cpu-traffic direction interface
- cpu-traffic direction match cust-filter
- cpu-traffic direction match srcip
- cpu-traffic direction match dstip
- cpu-traffic direction match tcp
- cpu-traffic direction match udp
- cpu-traffic mode
- cpu-traffic trace
- show cpu-traffic
- show cpu-traffic interface
- show cpu-traffic summary
- show cpu-traffic trace
- clear cpu-traffic
- exception protocol
- exception dump tftp-server
- exception dump nfs
- exception dump filepath
- exception core-file
- exception switch-chip-register
- exception dump ftp-server
- exception dump compression
- exception dump stack-ip-address protocol
- exception dump stack-ip-address add
- exception dump stack-ip-address remove
- show exception
- show exception core-dump-file
- show exception log
- logging persistent
- mbuf
- show mbuf
- show mbuf total
- show msg-queue
- Support Mode Commands
- Cable Test Command
- sFlow Commands
- Green Ethernet Commands
- Remote Monitoring Commands
- Statistics Application Commands
- 5: Switching Commands
- Port Configuration Commands
- Spanning Tree Protocol Commands
- spanning-tree
- spanning-tree auto-edge
- spanning-tree backbonefast
- spanning-tree bpdufilter
- spanning-tree bpdufilter default
- spanning-tree bpduflood
- spanning-tree bpduguard
- spanning-tree bpdumigrationcheck
- spanning-tree configuration name
- spanning-tree configuration revision
- spanning-tree cost
- spanning-tree edgeport
- spanning-tree forward-time
- spanning-tree guard
- spanning-tree max-age
- spanning-tree max-hops
- spanning-tree mode
- spanning-tree mst
- spanning-tree mst instance
- spanning-tree mst priority
- spanning-tree mst vlan
- spanning-tree port mode
- spanning-tree port mode all
- spanning-tree port-priority
- spanning-tree tcnguard
- spanning-tree transmit
- spanning-tree uplinkfast
- spanning-tree vlan
- spanning-tree vlan cost
- spanning-tree vlan forward-time
- spanning-tree vlan hello-time
- spanning-tree vlan max-age
- spanning-tree vlan root
- spanning-tree vlan port-priority
- spanning-tree vlan priority
- show spanning-tree
- show spanning-tree active
- show spanning-tree backbonefast
- show spanning-tree brief
- show spanning-tree interface
- show spanning-tree mst detailed
- show spanning-tree mst port detailed
- show spanning-tree mst port summary
- show spanning-tree mst port summary active
- show spanning-tree mst summary
- show spanning-tree summary
- show spanning-tree uplinkfast
- show spanning-tree vlan
- Loop Protection Commands
- VLAN Commands
- vlan database
- network mgmt_vlan
- vlan
- vlan acceptframe
- vlan ingressfilter
- vlan internal allocation
- vlan makestatic
- vlan name
- vlan participation
- vlan participation all
- vlan port acceptframe all
- vlan port ingressfilter all
- vlan port pvid all
- vlan port tagging all
- vlan protocol group
- vlan protocol group name
- vlan protocol group add protocol
- protocol group
- protocol vlan group
- protocol vlan group all
- show port protocol
- vlan pvid
- vlan tagging
- vlan association subnet
- vlan association mac
- remote-span
- show vlan
- show vlan internal usage
- show vlan brief
- show vlan port
- show vlan association subnet
- show vlan association mac
- Private VLAN Commands
- Switch Ports
- Voice VLAN Commands
- Provisioning (IEEE 802.1p) Commands
- Asymmetric Flow Control
- Protected Ports Commands
- GARP Commands
- GVRP Commands
- GMRP Commands
- Port-Based Network Access Control Commands
- aaa authentication dot1x default
- clear dot1x statistics
- clear dot1x authentication-history
- clear radius statistics
- dot1x eapolflood
- dot1x dynamic-vlan enable
- dot1x port-control
- dot1x port-control all
- dot1x system-auth-control
- dot1x system-auth-control monitor
- dot1x user
- authentication enable
- authentication order
- authentication priority
- authentication timer restart
- show authentication authentication-history
- show authentication interface
- show authentication methods
- show authentication statistics
- clear authentication statistics
- clear authentication authentication-history
- show dot1x
- show dot1x authentication-history
- show dot1x clients
- show dot1x users
- 802.1X Supplicant Commands
- Task-based Authorization
- Storm-Control Commands
- storm-control broadcast
- storm-control broadcast action
- storm-control broadcast level
- storm-control broadcast rate
- storm-control multicast
- storm-control multicast action
- storm-control multicast level
- storm-control multicast rate
- storm-control unicast
- storm-control unicast action
- storm-control unicast level
- storm-control unicast rate
- show storm-control
- Link Dependency Commands
- Port-Channel/LAG (802.3ad) Commands
- port-channel
- addport
- deleteport (Interface Config)
- deleteport (Global Config)
- lacp admin key
- lacp collector max-delay
- lacp actor admin key
- lacp actor admin state individual
- lacp actor admin state longtimeout
- lacp actor admin state passive
- lacp actor admin state
- lacp actor port priority
- lacp partner admin key
- lacp partner admin state individual
- lacp partner admin state longtimeout
- lacp partner admin state passive
- lacp partner port id
- lacp partner port priority
- lacp partner system id
- lacp partner system priority
- interface lag
- port-channel static
- port lacpmode
- port lacpmode enable all
- port lacptimeout (Interface Config)
- port lacptimeout (Global Config)
- port-channel adminmode
- port-channel linktrap
- port-channel load-balance
- port-channel min-links
- port-channel name
- port-channel system priority
- show hashdest
- show lacp actor
- show lacp partner
- show port-channel brief
- show port-channel
- show port-channel system priority
- show port-channel counters
- clear port-channel counters
- clear port-channel all counters
- Port Mirroring Commands
- Static MAC Filtering Commands
- DHCP L2 Relay Agent Commands
- dhcp l2relay
- dhcp l2relay circuit-id subscription
- dhcp l2relay circuit-id vlan
- dhcp l2relay remote-id subscription
- dhcp l2relay remote-id vlan
- dhcp l2relay vlan
- show dhcp l2relay all
- show dhcp l2relay circuit-id vlan
- show dhcp l2relay interface
- show dhcp l2relay remote-id vlan
- show dhcp l2relay stats interface
- show dhcp l2relay agent-option vlan
- show dhcp l2relay vlan
- clear dhcp l2relay statistics interface
- DHCP Client Commands
- DHCP Snooping Configuration Commands
- ip dhcp snooping
- ip dhcp snooping vlan
- ip dhcp snooping verify mac-address
- ip dhcp snooping database
- ip dhcp snooping database write-delay
- ip dhcp snooping binding
- ip dhcp filtering trust
- ip verify binding
- ip dhcp snooping limit
- ip dhcp snooping log-invalid
- ip dhcp snooping trust
- ip verify source
- show ip dhcp snooping
- show ip dhcp snooping binding
- show ip dhcp snooping database
- show ip dhcp snooping interfaces
- show ip dhcp snooping statistics
- clear ip dhcp snooping binding
- clear ip dhcp snooping statistics
- show ip verify source
- show ip verify interface
- show ip source binding
- IGMP Snooping Configuration Commands
- set igmp
- set igmp header-validation
- set igmp interfacemode
- set igmp fast-leave
- set igmp groupmembership-interval
- set igmp maxresponse
- set igmp mcrtrexpiretime
- set igmp mrouter
- set igmp mrouter interface
- set igmp report-suppression
- show igmpsnooping
- show igmpsnooping mrouter interface
- show igmpsnooping mrouter vlan
- show mac-address-table igmpsnooping
- IGMP Snooping Querier Commands
- MLD Snooping Commands
- set mld
- set mld interfacemode
- set mld fast-leave
- set mld groupmembership-interval
- set mld maxresponse
- set mld mcrtexpiretime
- set mld mrouter
- set mld mrouter interface
- show mldsnooping
- show mldsnooping mrouter interface
- show mldsnooping mrouter vlan
- show mldsnooping ssm entries
- show mac-address-table mldsnooping
- clear mldsnooping
- MLD Snooping Querier Commands
- Port Security Commands
- LLDP (802.1AB) Commands
- lldp transmit
- lldp receive
- lldp timers
- lldp transmit-tlv
- lldp transmit-mgmt
- lldp notification
- lldp notification-interval
- clear lldp statistics
- clear lldp remote-data
- show lldp
- show lldp interface
- show lldp statistics
- show lldp remote-device
- show lldp remote-device detail
- show lldp local-device
- show lldp local-device detail
- LLDP-MED Commands
- Denial of Service Commands
- dos-control all
- dos-control sipdip
- dos-control firstfrag
- dos-control tcpfrag
- dos-control tcpflag
- dos-control l4port
- dos-control smacdmac
- dos-control tcpport
- dos-control udpport
- dos-control tcpflagseq
- dos-control tcpoffset
- dos-control tcpsyn
- dos-control tcpsynfin
- dos-control tcpfinurgpsh
- dos-control icmpv4
- dos-control icmpv6
- dos-control icmpfrag
- show dos-control
- MAC Database Commands
- ISDP Commands
- Interface Error Disable and Auto Recovery
- UniDirectional Link Detection Commands
- 6: Routing Commands
- Address Resolution Protocol Commands
- IP Routing Commands
- routing
- ip routing
- ip address
- ip address dhcp
- ip default-gateway
- ip load-sharing
- ip route
- ip route default
- ip route distance
- ip route net-prototype
- ip netdirbcast
- ip mtu
- release dhcp
- renew dhcp
- renew dhcp network-port
- renew dhcp service-port
- encapsulation
- show dhcp lease
- show ip brief
- show ip interface
- show ip interface brief
- show ip load-sharing
- show ip protocols
- show ip route
- show ip route ecmp-groups
- show ip route hw-failure
- show ip route net-prototype
- show ip route summary
- clear ip route counters
- show ip route preferences
- show ip stats
- show routing heap summary
- Routing Policy Commands
- ip policy route-map
- ip prefix-list
- ip prefix-list description
- ipv6 prefix-list
- route-map
- match as-path
- match community
- match ip address
- match ip address access-list-number | access-list-name
- match ipv6 address
- match length
- match mac-list
- set as-path
- set comm-list delete
- set community
- set interface
- set ip next-hop
- set ip default next-hop
- set ip precedence
- set ipv6 next-hop (BGP)
- set local-preference
- set metric (BGP)
- show ip policy
- show ip prefix-list
- show ipv6 prefix-list
- show route-map
- clear ip prefix-list
- clear ipv6 prefix-list
- Virtual LAN Routing Commands
- DHCP and BOOTP Relay Commands
- IP Helper Commands
- Routing Information Protocol Commands
- router rip
- enable (RIP)
- ip rip
- auto-summary
- default-information originate (RIP)
- default-metric (RIP)
- distance rip
- distribute-list out (RIP)
- ip rip authentication
- ip rip receive version
- ip rip send version
- hostroutesaccept
- split-horizon
- redistribute (RIP)
- show ip rip
- show ip rip interface brief
- show ip rip interface
- 7: IPv6 Management Commands
- IPv6 Management Commands
- Loopback Interface Commands
- IPv6 Routing Commands
- DHCPv6 Snooping Configuration Commands
- 8: Quality of Service Commands
- Class of Service Commands
- classofservice dot1p-mapping
- classofservice ip-dscp-mapping
- classofservice ip-precedence-mapping
- classofservice trust
- cos-queue max-bandwidth
- cos-queue min-bandwidth
- cos-queue random-detect
- cos-queue strict
- random-detect
- random-detect exponential weighting-constant
- random-detect queue-parms
- traffic-shape
- show classofservice dot1p-mapping
- show classofservice ip-dscp-mapping
- show classofservice ip-precedence-mapping
- show classofservice packet-drop-count
- show classofservice trust
- show interfaces cos-queue
- show interfaces random-detect
- show interfaces tail-drop-threshold
- Differentiated Services Commands
- DiffServ Class Commands
- class-map
- class-map rename
- match ethertype
- match any
- match class-map
- match cos
- match secondary-cos
- match destination-address mac
- match dstip
- match dstip6
- match dstl4port
- match ip dscp
- match ip precedence
- match ip tos
- match ip6flowlbl
- match protocol
- match signature
- match srcip
- match srcip6
- match srcl4port
- match src port
- match vlan
- match secondary-vlan
- DiffServ Policy Commands
- DiffServ Service Commands
- DiffServ Show Commands
- MAC Access Control List Commands
- IP Access Control List Commands
- IPv6 Access Control List Commands
- Management Access Control and Administration List
- Time Range Commands for Time-Based ACLs
- Auto-Voice over IP Commands
- Class of Service Commands
- 9: Application Commands
- 10: 200 Series Log Messages
- Glossary
aaa authorization
Use this command to configure command and exec authorization method lists. This list is identified by
default or a user-specified list-name. If tacacs is specified as the authorization method, authorization
commands are notified to a TACACS + server. If none is specified as the authorization method,
command authorization is not applicable. A maximum of five authorization method lists can be created
for the commands type.
Note
Local method is not supported for command authorization. Command authorization with
RADIUS will work if, and only if, the applied authentication method is also radius.
Per-Command Authorization
When authorization is configured for a line mode, the user manager sends information about an
entered command to the AAA server. The AAA server validates the received command, and responds
with either a PASS or FAIL response. If approved, the command is executed. Otherwise, the command is
denied and an error message is shown to the user. The various utility commands like tftp, and ping, and
outbound Telnet should also pass command authorization. Applying the script is treated as a single
command apply script, which also goes through authorization. Startup-config commands applied on
device boot-up are not an object of the authorization process.
The per-command authorization usage scenario is this:
1 Configure Authorization Method List:
aaa authorization commands listname tacacs radius none
2 Apply AML to an Access Line Mode (console, Telnet, SSH):
authorization commands listname
3 Commands entered by the user will go through command authorization via TACACS+ or RADIUS
server and will be accepted or denied.
Exec Authorization
When exec authorization is configured for a line mode, the user may not be required to use the enable
command to enter Privileged EXEC mode. If the authorization response indicates that the user has
sucient privilege levels for Privileged EXEC mode, then the user bypasses User EXEC mode entirely.
The exec authorization usage scenario is this:
1 Configure Authorization Method List:
aaa authorization exec listname method1 [method2....]
2 Apply AML to an Access Line Mode (console, Telnet, SSH):
authorization exec listname
3 When the user logs in, in addition to authentication, authorization will be performed to determine if
the user is allowed direct access to Privileged EXEC mode.
Management Commands
ExtremeSwitching 200 Series: Command Reference Guide for version 01 .02.04.0007 67