C Commands
The commands in this chapter apply to the Cisco MDS 9000 Family of multilayer directors and fabric switches. All commands are shown here in alphabetical order regardless of command mode. See the “About the CLI Command Modes” section to determine the appropriate mode for each command.
callhome
To configure the Call Home function, use the callhome command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The Call Home configuration commands are available in the (config-callhome) submode.
A Call Home message is used to contact a support person or organization in case an urgent alarm is raised.
Once you have configured the contact information, you must enable the Call Home function. The enable command is required for the Call Home function to start operating. When you disable the Call Home function, all input events are ignored.
Note Even if Call Home is disabled, basic information for each Call Home event is sent to syslog.
The user-def-cmd command allows you to define a command whose outputs should be attached to the Call Home message being sent. Only show commands can be specified and they must be associated with an alert group. Five commands can be specified per alert group. Invalid commands are rejected.
Note Customized show commands are only supported for full text and XML alert groups. Short text alert groups (short-txt-destination) do not support customized show commands because they only allow 128 bytes of text.
To assign show commands to be executed when an alert is sent, you must associate the commands with the alert group. When an alert is sent, Call Home associates the alert group with an alert type and attaches the output of the show commands to the alert message.
Note Make sure the destination profiles for the non-Cisco-TAC alert group, with a predefined show command, and the Cisco-TAC alert group are not the same.
The following example assigns contact information:
The following example configures a user-defined show command for an alert-group license:
Note The show command must be enclosed in double quotes.
The following example removes a user-defined show command for an alert-group license:
Related Commands
Customizes a Call Home alert group with user-defined show commands.
Sends a dummy test message to the configured destination(s).
callhome test
To simulate a Call Home message generation, use the callhome test command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You can simulate a message generation by entering a callhome test command.
Examples
The following example sends a test message to the configured destinations:
The following example sends a test inventory message to the configured destinations:
Related Commands
cd
To change the default directory or file system, use the cd command.
cd { directory | bootflash: [ directory ] | slot0: [directory ] | volatile: [ directory ]}
Syntax Description
Defaults
The initial default file system is flash:. For platforms that do not have a physical device named flash:, the keyword flash: is aliased to the default flash device.
If you do not specify a directory on a file system, the default is the root directory on that file system.
Command Modes
Command History
Usage Guidelines
For all EXEC commands that have an optional file system argument, the system uses the file system specified by the cd command when you omit the optional file system argument. For example, the dir command, which displays a list of files on a file system, contains an optional file system argument. When you omit this argument, the system lists the files on the file system specified by the cd command.
Examples
The following example sets the default file system to the flash memory card inserted in slot 0:
Related Commands
Recovers a file marked deleted on a Class A or Class B flash file system.
cdp
To globally configure the Cisco Discovery Protocol parameters, use the cdp command. Use the no form of this command to revert to factory defaults.
cdp { enable | advertise { v1 | v2 } | holdtime holdtime-seconds | timer timer-seconds }
no cdp { enable | advertise | holdtime holdtime-seconds | timer timer-seconds }
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Use the cdp enable command to enable the Cisco Discovery Protocol (CDP) feature at the switch level or at the interface level. Use the no form of this command to disable this feature. When the interface link is established, CDP is enabled by default.
CDP version 1 (v1) and version 2 (v2) are supported in Cisco MDS 9000 Family switches. CDP packets with any other version number are silently discarded when received.
Examples
The following example disables the CDP protocol on the switch. When CDP is disabled on an interface, one packet is sent to clear out the switch state with each of the receiving devices:
switch(config)# no cdp enable
Operation in progress. Please check global parameters
switch(config-console)#
The following example enables (default) the CDP protocol on the switch. When CDP is enabled on an interface, one packet is sent immediately. Subsequent packets are sent at the configured refresh time.
switch(config)# cdp enable
Operation in progress. Please check global parameters
switch(config)#
The following example configures the Gigabit Ethernet interface 8/8 and disables the CDP protocol on this interface. When CDP is disabled on an interface, one packet is sent to clear out the switch state with each of the receiving devices.
switch(config)# interface gigabitethernet 8/8
switch(config-if)# no cdp enable
Operation in progress. Please check interface parameters
switch(config-console)#
The following example enables (default) the CDP protocol on the selected interface. When CDP is enabled on this interface, one packet is sent immediately. Subsequent packets are sent at the configured refresh time.
switch(config-if)# cdp enable
Operation in progress. Please check interface parameters
switch(config)#
The following example globally configures the refresh time interval for the CDP protocol in seconds. The default is 60 seconds and the valid range is from 5 to 255 seconds.
switch# config terminal
switch(config)# cdp timer 100
switch(config)#
The following example globally configures the hold time advertised in CDP packets, in seconds. The default is 180 seconds and the valid range is from 10 to 255 seconds.
switch# config terminal
switch(config)# cdp holdtime 200
switch(config)#
The following example globally configures the CDP version. The default is version 2 (v2). The valid options are v1 and v2.
Related Commands
cfs distribute
To enable or disable Cisco Fabric Services (CFS) distribution on the switch, use the cfs distribute command in configuration mode. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
By default CFS is in the distribute mode. In the distribute mode, fabric wide distribution is enabled. Applications can distribute data/configuration to all CFS-capable switches in the fabric where the application exists. This is the normal mode of operation.
Disabling CFS distribution with the no cfs distribute command causes the following to occur:
- CFS and the applications using CFS on the switch are isolated from the rest of the fabric even though there is physical connectivity.
- All CFS operations are restricted to the isolated switch.
- All the CFS commands continue to work as they would on a physically isolated switch.
- Other CFS operations (for example, lock, commit, and abort) initiated at other switches do not have any effect at the isolated switch.
- CFS distribution is disabled over both Fibre Channel and IP.
Examples
The following example shows how to disable CFS distribution:
The following example shows how to reenable CFS distribution:
Related Commands
cfs ipv4 distribute
To enable Cisco Fabric Services (CFS) distribution over IPv4 for applications that want to use this feature, use the cfs ipv4 distribute command in configuration mode. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
All CFS over IP enabled switches with similar multicast addresses form one CFS over IP fabric. CFS protocol specific distributions, such as the keep-alive mechanism for detecting network topology changes, use the IP multicast address to send and receive information.
Observe the following guidelines when using this command:
- If a switch is reachable over both IP and Fibre Channel, application data will be distributed over Fibre Channel.
- You can select either an IPv4 or IPv6 distribution when CFS is enabled over IP.
- Both IPv4 and IPv6 distribution cannot be enabled on the same switch.
- A switch that has IPv4 distribution enabled cannot detect a switch that has IPv6 distribution enabled. The switches behave as if they are in two different fabrics even though they are connected to each other.
Examples
The following example shows how to disable CFS IPv4 distribution:
The following example shows how to reenable CFS IPv4 distribution:
Related Commands
Configures an IPv4 multicast address for Cisco Fabric Services (CFS) distribution over IPv4.
cfs ipv4 mcast-address
To configure an IPv4 multicast address for Cisco Fabric Services (CFS) distribution over IPv4, use the cfs ipv4 mcast-address command in configuration mode. To disable this feature, use the no form of the command.
cfs ipv4 mcast-address ipv4-address
no cfs ipv4 mcast-address ipv4-address
Syntax Description
Specifies an IPv4 multicast address for CFS distribution over IPv4. The range of valid IPv4 addresses is 239.255.0.0 through 239.255.255.255, and 239.192.0.0 through 239.251.251.251.
Defaults
Command Modes
Command History
Usage Guidelines
Before using this command, enable CFS distribution over IPv4 using the cfs ipv4 distribute command.
All CFS over IP enabled switches with similar multicast addresses form one CFS over IP fabric. CFS protocol specific distributions, such as the keepalive mechanism for detecting network topology changes, use the IP multicast address to send and receive information.
Note CFS distributions for application data use directed unicast.
You can configure a value for a CFS over IP multicast address. The default IPv4 multicast address is 239.255.70.83.
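The grouping rule described above (switches sharing a multicast address form one CFS over IP fabric, and IPv4 and IPv6 switches cannot detect each other) can be checked against a planned inventory before any address is changed. The following Python sketch is an added example, not Cisco code: the inventory format and switch names are constructed, "similar" is read as "identical", and only the IPv4 ranges and IPv4 default stated on this page are used.

```python
import ipaddress
from collections import defaultdict

# IPv4 ranges and default exactly as this page states them
# for `cfs ipv4 mcast-address`.
IPV4_RANGES = [
    ("239.255.0.0", "239.255.255.255"),
    ("239.192.0.0", "239.251.251.251"),
]
DEFAULT_IPV4_MCAST = "239.255.70.83"

# Constructed sample inventory (hypothetical switch names, not from the page).
# "mcast": None means the switch was left on the default address.
SAMPLE_INVENTORY = [
    {"name": "mds-a", "family": "ipv4", "mcast": None},
    {"name": "mds-b", "family": "ipv4", "mcast": "239.255.70.83"},
    {"name": "mds-c", "family": "ipv4", "mcast": "239.255.1.1"},
    {"name": "mds-d", "family": "ipv4", "mcast": "239.252.0.1"},
    {"name": "mds-e", "family": "ipv6", "mcast": "ff15::efff:4653"},
]


def ipv4_in_documented_range(addr):
    """True if addr lies inside one of the IPv4 ranges listed on this page."""
    ip = ipaddress.IPv4Address(addr)
    return any(
        ipaddress.IPv4Address(lo) <= ip <= ipaddress.IPv4Address(hi)
        for lo, hi in IPV4_RANGES
    )


def fabric_key(switch):
    """Return the (family, normalized address) pair that decides membership."""
    family = switch["family"]
    mcast = switch.get("mcast")
    if family == "ipv4":
        return ("ipv4", str(ipaddress.IPv4Address(mcast or DEFAULT_IPV4_MCAST)))
    if family == "ipv6":
        # No IPv6 default is assumed in this sketch; the entry must carry one.
        if mcast is None:
            raise ValueError(f"{switch['name']}: IPv6 entry needs an address")
        return ("ipv6", str(ipaddress.IPv6Address(mcast)))
    raise ValueError(f"{switch['name']}: unknown family {family!r}")


def audit(inventory):
    """Group switches into CFS over IP fabrics and list the findings."""
    fabrics = defaultdict(list)
    findings = []
    for sw in inventory:
        key = fabric_key(sw)
        family, addr = key
        fabrics[key].append(sw["name"])
        if family == "ipv4" and not ipv4_in_documented_range(addr):
            findings.append(
                f"{sw['name']}: {addr} is outside the documented IPv4 ranges"
            )
    families = {family for family, _ in fabrics}
    if families == {"ipv4", "ipv6"}:
        findings.append(
            "IPv4 and IPv6 distribution are both in use; "
            "those switches cannot detect each other"
        )
    if len(fabrics) > 1:
        findings.append(
            f"inventory forms {len(fabrics)} separate CFS over IP fabrics"
        )
    return dict(fabrics), findings


if __name__ == "__main__":
    groups, notes = audit(SAMPLE_INVENTORY)
    for (family, addr), members in sorted(groups.items()):
        print(f"{family} {addr}: {', '.join(members)}")
    for note in notes:
        print("FINDING:", note)
```

A switch left on the default address and one explicitly set to 239.255.70.83 land in the same group, while any other address isolates its switch from CFS protocol distributions such as keepalives.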
Examples
The following example shows how to configure an IP multicast address for CFS over IPv4:
switch(config)# cfs ipv4 mcast-address 239.255.1.1
Distribution over this IP type will be affected
Change multicast address for CFS-IP ?
Are you sure? (y/n) [n] y
The following example shows how to revert to the default IPv4 multicast address for CFS distribution over IPv4. The default IPv4 multicast address for CFS is 239.255.70.83:
Related Commands
Enables or disables Cisco Fabric Services (CFS) distribution over IPv4.
cfs ipv6 distribute
To enable Cisco Fabric Services (CFS) distribution over IPv6 for applications that want to use this feature, use the cfs ipv6 distribute command in configuration mode. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
All CFS over IP enabled switches with similar multicast addresses form one CFS over IP fabric. CFS protocol specific distributions, such as the keepalive mechanism for detecting network topology changes, use the IP multicast address to send and receive information.
Observe the following guidelines when using this command:
- If a switch is reachable over both IP and Fibre Channel, application data will be distributed over Fibre Channel.
- You can select either an IPv4 or IPv6 distribution when CFS is enabled over IP.
- Both IPv4 and IPv6 distribution cannot be enabled on the same switch.
- A switch that has IPv4 distribution enabled cannot detect a switch that has IPv6 distribution enabled. The switches behave as if they are in two different fabrics even though they are connected to each other.
Examples
The following example shows how to disable CFS IPv6 distribution:
The following example shows how to reenable CFS IPv6 distribution:
Related Commands
Configures an IPv6 multicast address for Cisco Fabric Services (CFS) distribution over IPv6.
cfs ipv6 mcast-address
To configure an IPv6 multicast address for Cisco Fabric Services (CFS) distribution over IPv6, use the cfs ipv6 mcast-address command in configuration mode. To disable this feature, use the no form of the command.
cfs ipv6 mcast-address ipv6-address
no cfs ipv6 mcast-address ipv6-address
Syntax Description
An IPv6 multicast address for CFS distribution over IPv6. The IPv6 Admin scope range is [ff15::/16, ff18::/16].
Defaults
Command Modes
Command History
Usage Guidelines
Before using this command, enable CFS distribution over IPv6 using the cfs ipv6 distribute command.
All CFS over IP enabled switches with similar multicast addresses form one CFS over IP fabric. CFS protocol specific distributions, such as the keepalive mechanism for detecting network topology changes, use the IP multicast address to send and receive information.
Note CFS distributions for application data use directed unicast.
You can configure a CFS over IP multicast address value for IPv6. The default IPv6 multicast address is ff15::efff:4653. Examples of the IPv6 Admin scope range are ff15::0000:0000 to ff15::ffff:ffff and ff18::0000:0000 to ff18::ffff:ffff.
Examples
The following example shows how to configure an IP multicast address for CFS over IPv6:
switch(config)# cfs ipv6 mcast-address ff13::e244:4754
Distribution over this IP type will be affected
Change multicast address for CFS-IP ?
Are you sure? (y/n) [n] y
The following example shows how to revert to the default IPv6 multicast address for CFS distribution over IPv6. The default IPv6 multicast address for CFS is ff13:7743:4653.
Related Commands
Enables or disables Cisco Fabric Services (CFS) distribution over IPv6.
cfs region
To create a region that restricts the scope of application distribution to the selected switches, use the cfs region command in the configuration mode. To disable this feature, use the no form of this command.
Syntax Description
Assigns an application to a region. A total of 200 regions are supported.
Defaults
Command History
Usage Guidelines
An application can only be a part of one region on a given switch. By creating the region ID and assigning it to an application, the application distribution is restricted to switches with a similar region ID.
Cisco Fabric Services (CFS) regions provide the ability to create distribution islands within the application scope. Currently, the regions are supported only for physical scope applications. In the absence of any region configuration, the application will be a part of the default region. The default region is region ID 0. This command provides backward compatibility with the earlier release where regions were not supported. If applications are assigned to a region, the configuration check will prevent the downgrade. Fabric Manager supports CFS regions.
Examples
The following example shows how to create a region ID:
The following example shows how to assign an application to a region:
Note The applications assigned to a region have to be registered with CFS.
The following example shows how to remove an application assigned to a region:
The following example shows how to remove all the applications from a region:
Related Commands
cfs static-peers
To enable the static peers interface, use the cfs static-peers command. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command enables the static peers with status and all the peers in the physical fabric.
Note The no cfs static-peers command displays a warning string, and changes the entire fabric from static to dynamic.
Examples
The following example shows how to enable the static peers interface:
Related Commands
channel mode active
To enable channel mode on a PortChannel interface, use the channel mode active command. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
Interface configuration submode.
Command History
Usage Guidelines
This command determines how the protocol operates for all the member ports in the channel group associated with the port channel interface.
Examples
The following example shows how to disable channel mode on a PortChannel interface:
Related Commands
channel-group
To add a port to a PortChannel group, use the channel-group command. To remove a port, use the no form of the command.
channel-group { port-channel number force}
no channel-group { port-channel number force}
Syntax Description
Specifies the PortChannel to add a port, without compatibility check of port parameters, port mode and port speed.
Defaults
Command Modes
Command History
Usage Guidelines
When ports are added to a PortChannel, the manager checks for incompatibility in the port mode and port speed. If the ports being added to the PortChannel do not have compatible parameters, they are not added to the PortChannel. The force option bypasses the port parameter compatibility check and adds the port to the PortChannel. It also forces the individual member interfaces to inherit the port parameters configured on the PortChannel itself. If you configure switchport speed 4000 on the PortChannel, the member interface is forced to that setting.
The force option is used to override the port's parameters. Auto mode support is not available after Release 4.x. To convert an auto PortChannel to an active mode PortChannel, use the port-channel persistent command. This command must be run on both sides of the auto PortChannel.
Examples
The following example shows how to add a port to the PortChannel:
Related Commands
cimserver
To configure the Common Information Models (CIM) parameters, use the cimserver command. Use the no form of this command to revert to factory defaults.
cimserver { certificate { bootflash: filename | slot0: filename | volatile: filename } | clearcertificate filename | enable | enablehttp | enablehttps }
no cimserver { certificate { bootflash: filename | slot0: filename | volatile: filename } | clearcertificate filename | enable | enablehttp | enablehttps }
Syntax Description
Specifies the location for the CompactFlash memory or PCMCIA card.
Enables the HTTP (non-secure) protocol for the CIM server (default).
Defaults
Command Modes
Command History
Usage Guidelines
A CIM client is required to access the CIM server. The client can be any client that supports CIM.
Examples
The following example installs a Secure Socket Layer (SSL) certificate specified in the file named with a .pem extension:
switch# config terminal
The following example clears the specified SSL certificate:
cimserver clearCertificateName bootflash:simserver.pem
Related Commands
cimserver clearcertificate
To clear the cimserver certificate, use the cimserver clearcertificate command in configuration mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the cimserver certificate:
Related Commands
cimserver loglevel
To configure the cimserver log level filter, use the cimserver loglevel command in configuration mode.
cimserver loglevel filter value
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example displays the cimserver log level:
Related Commands
class
To select a QoS policy map class for configuration, use the class command in QoS policy map configuration submode. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
QoS policy map configuration submode
Command History
Usage Guidelines
Before you can configure a QoS policy map class you must complete the following:
- Enable the QoS data traffic feature using the qos enable command.
- Configure a QoS class map using the qos class-map command.
- Configure a QoS policy map using the qos policy-map command.
After you configure the QoS policy map class, you can configure the Differentiated Services Code Point (DSCP) and priority for frames matching this class map.
Examples
The following example shows how to select a QoS policy map class to configure:
Related Commands
clear accounting log
To clear the accounting log, use the clear accounting log command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example clears the accounting log:
Related Commands
clear arp-cache
To clear the ARP cache table entries, use the clear arp-cache command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Examples
The following example shows how to clear the arp-cache table entries:
Related Commands
clear asic-cnt
To clear ASIC counters, use the clear asic-cnt command in EXEC mode.
clear asic-cnt {all | device-id | list-all-devices}
Syntax Description
Defaults
Command Modes
Command History
Examples
The following example shows how to clear all counters on the module:
The following example shows how to clear the specific counter:
The following example shows how to list all device IDs:
Related Commands
clear callhome session
To clear Call Home Cisco Fabric Services (CFS) session configuration and locks, use the clear callhome session command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the Call Home session configuration and locks:
Related Commands
clear cdp
To delete global or interface-specific CDP configurations, use the clear cdp command.
clear cdp { counters | table } [interface { gigabitethernet slot / port | mgmt 0 } ]
Syntax Description
Specifies the slot number and port number separated by a slash (/).
Defaults
Command Modes
Command History
Usage Guidelines
You can use this command for a specified interface or for all interfaces (management and Gigabit Ethernet interfaces).
Examples
The following example clears CDP traffic counters for all interfaces:
The following example clears CDP entries for the specified Gigabit Ethernet interface:
Related Commands
Configures global or interface-specific CDP settings and parameters.
clear cores
To clear all core dumps for the switch, use the clear cores command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The system software keeps the last few cores per service and per slot and clears all other cores present on the active supervisor module.
Examples
The following example shows how to clear all core dumps for the switch:
Related Commands
clear counters (EXEC mode)
To clear the interface counters, use the clear counters command in EXEC mode.
clear counters {all | interface {fc | mgmt | port-channel | sup-fc | vsan} number}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The following table lists the number ranges for interface types:
This command clears counters displayed in the show interface command output.
Examples
The following example shows how to clear counters for a VSAN interface:
Related Commands
clear counters interface all
To clear all interface counters, use the clear counters interface all command.
clear counters interface all snmp
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command clears counters displayed in the show interface command output.
Examples
The following example shows how to clear all SNMP interface counters:
Related Commands
clear counters interface
To clear the aggregate counters for the interface, use the clear counters interface command.
clear counters interface interface snmp
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command clears counters displayed in the show interface command output.
Examples
The following example shows how to clear the aggregate counters for the interface:
Related Commands
clear counters (SAN extension N port configuration mode)
To clear SAN extension tuner N port counters, use the clear counters command.
Syntax Description
Defaults
Command Modes
SAN extension N port configuration submode
Command History
Usage Guidelines
Examples
The following example shows how to clear SAN extension tuner N port counters:
Related Commands
clear crypto ike domain ipsec sa
To clear the IKE tunnels for IPsec, use the clear crypto ike domain ipsec sa command.
clear crypto ike domain ipsec sa [ tunnel-id ]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, the IKE protocol must be enabled using the crypto ike enable command.
If the tunnel ID is not specified, all IKE tunnels are cleared.
Note The crypto ikes feature is not supported on the Cisco MDS 9148 and Cisco MDS 9148S Switches.
Examples
The following example shows how to clear all IKE tunnels:
Related Commands
clear crypto sa domain ipsec
To clear the security associations for IPsec, use the clear crypto sa domain ipsec command.
clear crypto sa domain ipsec interface gigabitethernet slot / port { inbound | outbound } sa sa-index
Syntax Description
Specifies the security association index. The range is 1 to 2147483647.
Defaults
Command Modes
Command History
Usage Guidelines
To clear security associations, IPsec must be enabled using the crypto ipsec enable command.
Examples
The following example shows how to clear a security association for an interface:
Related Commands
clear debug-logfile
To delete the debug log file, use the clear debug-logfile command in EXEC mode.
Syntax Description
The name (restricted to 80 characters) of the log file to be cleared. The maximum size of the log file is 1024 bytes.
Defaults
Command Modes
Command History
Examples
The following example shows how to clear the debug logfile:
Related Commands
clear device-alias
To clear device alias information, use the clear device-alias command.
clear device-alias {database | session | statistics }
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the device alias session:
Related Commands
clear dpvm
To clear Dynamic Port VSAN Membership (DPVM) information, use the clear dpvm command.
clear dpvm { auto-learn [ pwwn pwwn-id ] | session }
Syntax Description
(Optional) Specifies the pWWN ID. The format is hh:hh:hh:hh:hh:hh:hh:hh, where h is a hexadecimal number.
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, DPVM must be enabled using the dpvm enable command.
Examples
The following example shows how to clear a single autolearned entry:
The following example shows how to clear all autolearn entries:
The following example shows how to clear a session:
Related Commands
clear dpvm merge statistics
To clear the DPVM merge statistics, use the clear dpvm merge statistics command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the DPVM merge statistics:
Related Commands
clear fabric-binding statistics
To clear fabric binding statistics in a FICON enabled VSAN, use the clear fabric-binding statistics command in EXEC mode.
clear fabric-binding statistics vsan vsan-id
Syntax Description
Specifies the FICON-enabled VSAN. The ID of the VSAN is from 1 to 4093.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example clears existing fabric binding statistics in VSAN 1:
Related Commands
clear fcanalyzer
To clear the entire list of configured hosts for remote capture, use the clear fcanalyzer command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command clears only the list of configured hosts. Existing connections are not terminated.
Examples
The following example shows how to clear the entire list of configured hosts for remote capture:
Related Commands
clear fcflow stats
To clear Fibre Channel flow statistics, use the clear fcflow stats command in EXEC mode.
clear fcflow stats [ aggregated ] module module-number index flow-number
Syntax Description
(Optional) Clears the Fibre Channel flow aggregated statistics.
Clears the Fibre Channel flow counters for a specified flow index.
Defaults
Command Modes
Command History
Examples
The following example shows how to clear aggregated Fibre Channel flow statistics for flow index 1 of module 2:
Related Commands
clear fcns statistics
To clear the name server statistics, use the clear fcns statistics command in EXEC mode.
clear fcns statistics vsan vsan-id
Syntax Description
Clears FCS statistics for a specified VSAN ranging from 1 to 4093.
Defaults
Command Modes
Command History
Examples
The following example shows how to clear the name server statistics:
Related Commands
clear fcs statistics
To clear the fabric configuration server statistics, use the clear fcs statistics command in EXEC mode.
clear fcs statistics vsan vsan-id
Syntax Description
FCS statistics are to be cleared for a specified VSAN ranging from 1 to 4093.
Defaults
Command Modes
Command History
Examples
The following example shows how to clear the fabric configuration server statistics for VSAN 10:
Related Commands
Displays the fabric configuration server statistics information.
clear fctimer session
To clear fctimer Cisco Fabric Services (CFS) session configuration and locks, use the clear fctimer session command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear fctimer session:
Related Commands
clear fc-redirect config
To delete an FC-Redirect configuration on a switch, use the clear fc-redirect config command.
clear fc-redirect config vt vt-pwwn [local-switch-only]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command is used as a last option if deleting the configuration through the application is not possible.
This command deletes any configuration (including active configurations) on FC-Redirect created by applications such as SME/DMM, which may lead to data loss. When you enter this command, the host server communicates with the storage array directly, bypassing the individual Intelligent Service Applications and causing data corruption. Use this command as a last option to clear any leftover configuration that cannot be deleted from the application (DMM/SME). Use this command while decommissioning the switch.
Examples
The following example clears the FC-Redirect configuration on the switch:
Related Commands
clear fc-redirect decommission-switch
To remove all existing FC-Redirect configurations and disable any further FC-Redirect configurations on a switch, use the clear fc-redirect decommission-switch command.
clear fc-redirect decommission-switch
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command is used after write erase. The command is also used to move a switch from a fabric with FC-Redirect configurations to another fabric. After using this command, disconnect the switch from the fabric and reboot the switch before using it in another fabric.
Examples
The following example shows how to decommission FC-Redirect on a switch:
Related Commands
clear ficon
Use the clear ficon command in EXEC mode to clear the FICON information for the specified VSAN.
clear ficon vsan vsan-id [ allegiance | timestamp ]
Syntax Description
Specifies the FICON-enabled VSAN. The ID of the VSAN is from 1 to 4093.
Defaults
Command Modes
Command History
Usage Guidelines
The clear ficon vsan vsan-id allegiance command aborts the currently executing session.
Examples
The following example clears the current device allegiance for VSAN 1:
The following example clears the VSAN clock for VSAN 20:
Related Commands
clear fspf counters
To clear the Fabric Shortest Path First statistics, use the clear fspf counters command in EXEC mode.
clear fspf counters vsan vsan-id [ interface type ]
Syntax Description
(Optional) Clears the counters for an interface. The interface types are fc for Fibre Channel and port-channel for PortChannel.
Defaults
Command Modes
Command History
Usage Guidelines
If the interface is not specified, then all of the counters of a VSAN are cleared. If the interface is specified, then the counters of the specific interface are cleared.
Examples
The following example clears the FSPF statistics on VSAN 1:
The following example clears FSPF statistics specific to the Fibre Channel interface in VSAN 1, Slot 9 Port 32:
Related Commands
clear install failure-reason
To remove the upgrade failure reason log created during in-service software upgrades (ISSUs) on the Cisco MDS 9124 Fabric Switch, use the clear install failure-reason command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command is supported only on the Cisco MDS 9124 Fabric Switch.
Examples
The following example removes all upgrade failure reason logs on a Cisco MDS 9124 Fabric Switch:
Related Commands
Displays the reasons why an upgrade cannot proceed in the event of an ISSU failure.
Displays the status of an ISSU on a Cisco MDS 9124 Fabric Switch.
clear ip access-list counters
To clear IP access list counters, use the clear ip access-list counters command in EXEC mode.
clear ip access-list counters list-name
Syntax Description
Defaults
Command Modes
Command History
Examples
The following example clears the counters for an IP access list:
Related Commands
clear ips arp
To clear ARP caches, use the clear ips arp command in EXEC mode.
clear ips arp {address ip-address | interface gigabitethernet module-number}
Syntax Description
Specifies the slot and port of the Gigabit Ethernet interface.
Defaults
Command Modes
Command History
Examples
The ARP cache can be cleared in two ways: clearing just one entry or clearing all entries in the ARP cache.
The following example clears one ARP cache entry:
The following example clears all ARP cache entries:
clear ips stats
To clear IP storage statistics, use the clear ips stats command in EXEC mode.
clear ips stats {all [interface gigabitethernet slot/port ] | buffer interface gigabitethernet slot/port | dma-bridge interface gigabitethernet slot/port | icmp interface gigabitethernet slot/port | ip interface gigabitethernet slot/port | ipv6 traffic interface gigabitethernet slot/port | mac interface gigabitethernet slot/port | tcp interface gigabitethernet slot/port }
Syntax Description
Defaults
Command Modes
Command History
Examples
The following example clears all IPS statistics on the specified interface:
clear ips stats fabric interface
To clear the statistics for a given iSCSI or FCIP interface on a Cisco MDS 9000 18/4-Port Multi Service Module IPS linecard, use the clear ips stats fabric interface command.
clear ips stats fabric interface [iscsi slot/port | fcip N]
Syntax Description
(Optional) Clears Data Path Processor (DPP) fabric statistics for the iSCSI interface.
(Optional) Clears DPP fabric statistics for the FCIP interface.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example clears the statistics for a given iSCSI or FCIP interface:
Related Commands
Displays the fabric-related statistics for the given iSCSI or FCIP interface on a Cisco MDS 9000 18/4-Port Multi Service Module IPS linecard.
clear ipv6 access-list
To clear IPv6 access control list statistics, use the clear ipv6 access-list command.
clear ipv6 access-list [ list-name ]
Syntax Description
(Optional) Specifies the name of the ACL. The maximum size is 64.
Defaults
Command Modes
Command History
Usage Guidelines
You can use the clear ipv6 access-list command to clear IPv6-ACL statistics.
Examples
The following example displays information about an IPv6-ACL:
Related Commands
clear ipv6 neighbors
To clear the IPv6 neighbor cache table, use the clear ipv6 neighbors command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example flushes the IPv6 neighbor cache table:
Related Commands
clear islb session
To clear a pending iSLB configuration, use the clear islb session command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You can use the clear islb session command to clear a pending iSLB configuration. This command can be executed from any switch by a user with admin privileges.
Examples
The following example clears a pending iSLB configuration:
Related Commands
clear ivr fcdomain database
To clear the IVR fcdomain database, use the clear ivr fcdomain database command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example clears all IVR fcdomain database information:
Related Commands
clear ivr service-group database
To clear an inter-VSAN routing (IVR) service group database, use the clear ivr service-group database command.
clear ivr service-group database
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example clears the ivr service-group database:
Related Commands
clear ivr zone database
To clear the Inter-VSAN Routing (IVR) zone database, use the clear ivr zone database command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Examples
The following example clears all configured IVR information:
clear license
To uninstall a license, use the clear license command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Examples
The following example clears a specific license:
Related Commands
clear line
To clear VTY sessions, use the clear line command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Examples
The following example clears one ARP cache entry:
Related Commands
clear logging
To delete the syslog information, use the clear logging command in EXEC mode.
clear logging { logfile | nvram | onboard information [module slot ] | session}
Syntax Description
Defaults
Command Modes
Command History
Examples
The following example shows how to clear the debug log file:
The following example shows how to clear the onboard system health log file:
Related Commands
clear ntp
To clear Network Time Protocol (NTP) information, use the clear ntp command in EXEC mode.
clear ntp { session | statistics { all-peers | io | local | memory }}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear NTP statistics for all peers:
The following example shows how to clear NTP statistics for I/O devices:
The following example shows how to clear NTP statistics for local devices:
The following example shows how to clear NTP statistics for memory:
Related Commands
clear port-security
To clear the port security information on the switch, use the clear port-security command in EXEC mode.
clear port-security { database auto-learn { interface fc slot/port | port-channel port } | session | statistics } vsan vsan-id
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The active database is read-only, and the clear port-security database command can be used when resolving conflicts.
Examples
The following example clears all existing statistics from the port security database for a specified VSAN:
The following example clears learnt entries in the active database for a specified interface within a VSAN:
The following example clears learnt entries in the active database for the entire VSAN:
Related Commands
clear processes log
To clear the log files on the switch, use the clear processes log command in EXEC mode.
clear processes log {all | pid pid-number}
Syntax Description
Specifies the process ID, which must be from 0 to 2147483647.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear all of the log files on the switch:
Related Commands
Displays the detailed running or log information of processes or high availability applications.
clear qos statistics
To clear the quality of service statistics counters, use the clear qos statistics command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the quality of service counters:
Related Commands
Displays the current QoS settings, along with a number of frames marked high priority.
clear radius-server statistics
To clear RADIUS server statistics, use the clear radius-server statistics command.
clear radius-server statistics {name}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the statistics sent or received from the specified server:
Related Commands
clear radius session
To clear RADIUS Cisco Fabric Services (CFS) session configuration and locks, use the clear radius session command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear RADIUS session:
Related Commands
clear rlir
To clear the Registered Link Incident Report (RLIR), use the clear rlir command in EXEC mode.
clear rlir { history | recent { interface fc slot/port | portnumber port-number } | statistics vsan vsan-id }
Note On a Cisco Fabric Switch for HP c-Class BladeSystem and on a Cisco Fabric Switch for IBM BladeCenter, the syntax differs as follows:
interface bay port | ext port
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example clears all existing statistics for a specified VSAN:
The following example clears the link incident history:
The following example clears recent RLIR information for a specified interface:
The following example clears recent RLIR information for a specified port number:
Related Commands
clear rmon alarms
To clear all the 32-bit remote monitoring (RMON) alarms from the running configuration, use the clear rmon alarms command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must save the changes to startup configuration to make them permanent.
Examples
The following example clears all 32-bit RMON alarms from the running configuration:
Related Commands
clear rmon all-alarms
To clear all the 32-bit and 64-bit RMON alarms from the running configuration, use the clear rmon all-alarms command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must save the changes to startup configuration to make them permanent.
Examples
The following example clears all the 32-bit and 64-bit RMON alarms from the running configuration:
Related Commands
clear rmon hcalarms
To clear all the 64-bit RMON alarms from the running configuration, use the clear rmon hcalarms command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must save the changes to startup configuration to make them permanent.
Examples
The following example clears all the 64-bit RMON alarms from the running configuration:
Related Commands
clear rmon log
To clear all entries from RMON log on the switch, use the clear rmon log command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example clears all entries from RMON log on the switch:
Related Commands
clear role session
To clear authentication role Cisco Fabric Services (CFS) session configuration and locks, use the clear role session command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear authentication role CFS session:
Related Commands
clear rscn session vsan
To clear a Registered State Change Notification (RSCN) session for a specified VSAN, use the clear rscn session vsan command.
clear rscn session vsan vsan-id
Syntax Description
Specifies a VSAN where the RSCN session should be cleared. The ID of the VSAN is from 1 to 4093.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example clears an RSCN session on VSAN 1:
Related Commands
clear rscn statistics
To clear the Registered State Change Notification (RSCN) statistics for a specified VSAN, use the clear rscn statistics command in EXEC mode.
clear rscn statistics vsan vsan-id
Syntax Description
The ID for the VSAN for which you want to clear RSCN statistics.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear RSCN statistics for VSAN 1:
Related Commands
clear santap module
To clear SANTap information, use the clear santap module command.
clear santap module slot-number {avt avt-pwwn [lun avt-lun ] | itl target-pwwn host-pwwn | session session-id }
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to remove a SANTap session:
Related Commands
Configures the mapping between the Storage Services Module (SSM) and the VSAN where the appliance is configured.
Displays the configuration and statistics of the SANTap feature.
clear ssm-nvram santap module
To clear the SANTap configuration for a specific slot stored on the supervisor flash, use the clear ssm-nvram santap module command in the configuration mode.
clear ssm-nvram santap module slot
Syntax Description
Displays SANTap configuration for a module in the specified slot.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the SANTap configuration for slot 2:
Related Commands
clear scheduler logfile
To clear the command scheduler logfile, use the clear scheduler logfile command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the command scheduler logfile:
Related Commands
clear screen
To clear the terminal screen, use the clear screen command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the terminal screen:
clear scsi-flow statistics
To clear the SCSI flow statistics counters, use the clear scsi-flow statistics command.
clear scsi-flow statistics flow-id flow-id
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the SCSI flow statistics counters for SCSI flow ID 3:
Related Commands
clear sdv
To clear specified SAN device virtualization parameters, use the clear sdv command in EXEC mode.
clear sdv {database vsan vsan-id | session vsan vsan-id | statistics vsan vsan-id }
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear SDV statistics:
Related Commands
clear snmp hostconfig
To clear all SNMP hosts from the running configuration, use the clear snmp hostconfig command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must save the changes to startup configuration to make them permanent.
Examples
The following example clears the SNMP host list.
Related Commands
clear ssh hosts
To clear trusted SSH hosts, use the clear ssh hosts command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear reset-reason information from NVRAM and volatile storage:
Related Commands
clear system reset-reason
To clear the reset-reason information stored in NVRAM and volatile persistent storage, use the clear system reset-reason command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Use this command as follows for these switches:
- In a Cisco MDS 9500 Series switch, this command clears the reset-reason information stored in NVRAM and volatile persistent storage in the active and standby supervisor modules.
- In a Cisco MDS 9200 Series switch, this command clears the reset-reason information stored in NVRAM and volatile persistent storage in the active supervisor module.
Examples
The following example shows how to clear trusted SSH hosts:
Related Commands
clear tacacs-server statistics
To clear TACACS server statistics, use the clear tacacs-server statistics command.
clear tacacs-server statistics {name}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the TACACS server statistics:
Related Commands
clear tacacs+ session
To clear TACACS+ Cisco Fabric Services (CFS) session configuration and locks, use the clear tacacs+ session command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, TACACS+ must be enabled using the tacacs+ enable command.
Examples
The following example shows how to clear the TACACS+ session:
Related Commands
clear tlport alpa-cache
To clear the entire contents of the alpa-cache, use the clear tlport alpa-cache command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear a TL port ALPA cache:
Related Commands
clear user
To clear trusted SSH hosts, use the clear user command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to log out a specified user:
Related Commands
clear vrrp
To clear all the software counters for the specified virtual router, use the clear vrrp command in EXEC mode.
clear vrrp { statistics [ ipv4 | ipv6 ] vr number interface { gigabitethernet slot/port | mgmt 0 | port-channel portchannel-id | vsan vsan-id }}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear all the software counters for virtual router 7 on VSAN 2:
Related Commands
clear zone
To clear all configured information in the zone server for a specified VSAN, use the clear zone command in EXEC mode.
clear zone {database | lock | statistics {lun-zoning | read-only-zoning}} vsan vsan-id
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
After issuing a clear zone database command, you need to explicitly issue the copy running-config startup-config command to ensure that the running configuration is used when you next start the switch.
When you issue the clear zone lock command from a remote switch, only the lock on that remote switch is cleared. When you issue the clear zone lock command from the switch where the lock originated, all locks in the VSAN are cleared.
Note The recommended method to clear a session lock on a switch where the lock originated is by issuing the no zone commit vsan command.
Examples
The following example shows how to clear all configured information in the zone server for VSAN 1:
Related Commands
clear zone smart-zoning
To clear the smart zoning configuration, use the clear zone smart-zoning command.
clear zone smart-zoning {fcalias name fcalias-name vsan vsan-id | vsan vsan-id | zone name zone-name vsan vsan-id | zoneset name zoneset-name vsan vsan-id }
Syntax Description
Specifies the fcalias name. The maximum size is 64 characters.
Specifies the zoneset name. The maximum size is 64 characters.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to clear the smart zoning configuration for a VSAN:
Related Commands
cli
To execute Cisco NX-OS commands verbosely in Tcl, use the cli command.
Syntax Description
Defaults
Command Modes
Interactive Tcl shell and Tcl script.
Command History
Usage Guidelines
The cli command prints the output of the specified command to the terminal and returns the output as a single string to Tcl. This would be the preferred behavior when using the interactive Tcl shell as it allows the user to verify the output of the executed NX-OS commands.
In a Tcl script, the cli or clis command is required to execute NX-OS commands.
In the Tcl shell interactive mode, the cli and clis commands are optional to execute NX-OS commands; commands that are not recognized by the Tcl shell are passed to the NX-OS shell for execution.
Examples
The following example enables the locator LED for module 1 in an interactive Tcl shell:
The following example shows how to quote a variable and use the pipe in an interactive Tcl shell. It creates a list of Supervisor-3 modules in the system and assigns it to the variable sups. string trimright removes the trailing blank line from the variable added by Tcl, but not from the terminal output:
Related Commands
Open a file or command pipeline and return a channel identifier.
cli alias name
To define a command alias name, use the cli alias name command in configuration submode. To remove the user-defined command alias, use the no form of the command.
cli alias name command definition
no cli alias name command definition
Syntax Description
Specifies an alias command name. The maximum size is 30 characters.
Specifies the alias command definition. The maximum size is 80 characters.
Defaults
Command Modes
Command History
Usage Guidelines
When defining a command alias, follow these guidelines:
- Command aliases are global for all user sessions.
- Command aliases persist across reboots.
- Commands being aliased must be typed in full without abbreviation.
- Command alias translation always takes precedence over any keyword in any configuration mode or submode.
- Command alias support is only available on the supervisor module, not the switching modules.
- Command alias configuration takes effect for other user sessions immediately.
- You cannot override the default command alias alias, which is an alias for show cli alias.
- Nesting of command aliases is permitted to a maximum depth of 1. One command alias can refer to another command alias that refers to a valid command, not to another command alias.
- A command alias always replaces the first command keyword on the command line.
- You can define command aliases in either EXEC mode or configuration submode.
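The guidelines above amount to a small expansion algorithm, and because aliases are global, persistent and take precedence over keywords, the alias table is worth auditing. The following Python model is an added illustration, not NX-OS code or Cisco's implementation; the class and function names, the sample aliases and the keyword list are assumptions, and rejecting over-deep nesting at expansion time is a modeling choice.

```python
"""Model of the command-alias guidelines (illustrative only, not NX-OS code)."""

MAX_NAME_LEN = 30          # alias name limit from the Syntax Description
MAX_DEFINITION_LEN = 80    # alias definition limit from the Syntax Description
DEFAULT_ALIASES = {"alias": "show cli alias"}  # default alias, cannot be overridden


class AliasError(ValueError):
    """Raised when a definition or an expansion breaks one of the guidelines."""


class AliasTable:
    def __init__(self):
        # One table shared by all sessions: aliases are global.
        self.aliases = dict(DEFAULT_ALIASES)

    def define(self, name, definition):
        definition = definition.strip()
        if name in DEFAULT_ALIASES:
            raise AliasError(f"cannot override default alias {name!r}")
        if len(name.split()) != 1 or len(name) > MAX_NAME_LEN:
            raise AliasError("alias name must be one word of at most 30 characters")
        if not definition or len(definition) > MAX_DEFINITION_LEN:
            raise AliasError("definition must be 1 to 80 characters")
        self.aliases[name] = definition

    def _substitute(self, line):
        """Replace only the first keyword, and only if it is an alias."""
        words = line.split(None, 1)
        if not words or words[0] not in self.aliases:
            return line, False
        rest = words[1] if len(words) > 1 else ""
        return f"{self.aliases[words[0]]} {rest}".strip(), True

    def expand(self, line):
        # Pass 1 expands the alias that was typed; pass 2 covers the single
        # level of nesting that the guidelines permit.
        for _ in range(2):
            line, changed = self._substitute(line)
            if not changed:
                return line
        if line.split(None, 1)[0] in self.aliases:
            raise AliasError("alias nesting deeper than 1")
        return line


def shadowed_keywords(table, keywords):
    """Audit helper: user-defined aliases whose name equals a command keyword.

    Alias translation takes precedence over keywords, so each hit changes
    what that keyword does for every user session.
    """
    return sorted(n for n in table.aliases
                  if n in keywords and n not in DEFAULT_ALIASES)


if __name__ == "__main__":
    table = AliasTable()
    table.define("shmod", "show module")   # constructed sample alias
    table.define("sm", "shmod")            # nested one level: allowed
    print(table.expand("sm 1"))            # show module 1
    table.define("copy", "show version")   # constructed misconfiguration
    print(shadowed_keywords(table, {"show", "clear", "copy"}))
```

The model does not check the rule that aliased commands must be typed in full without abbreviation, since that requires the switch's own command grammar.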
Examples
The following example shows how to define command aliases in configuration submode:
You can display the command aliases defined on the switch using the alias default command alias.
The following example shows how to display the command aliases defined on the switch:
Related Commands
cli var name (EXEC)
To define a CLI session variable that persists only for the duration of a CLI session, use the cli var name command in either EXEC mode or configuration submode. To remove a user-defined session CLI variable, use the no form of the command.
Syntax Description
Specifies a variable name. The maximum size is 31 characters.
Defaults
Command Modes
Command History
Usage Guidelines
CLI session variables can be used as follows:
- Entered directly on the command line.
- Passed to the child script and initiated using the run-script command. The variables defined in the parent shell are available for use in the child run-script command process.
- Passed as command-line arguments to the run-script command.
- Referenced using the syntax $(variable).
Examples
The following example creates a user-defined CLI variable for a session:
The following example removes a user-defined CLI variable for a session:
Related Commands
Displays all CLI variables (persistent, session and system).
cli var name (configuration)
To define a CLI variable that persists across CLI sessions and switch reloads, use the cli var name command in configuration submode. To remove the user-defined persistent CLI variable, use the no form of the command.
Syntax Description
Specifies a variable name. The maximum size is 31 characters.
Defaults
Command Modes
Command History
Usage Guidelines
CLI variables can be used as follows:
- Entered directly on the command line.
- Passed to the child script and initiated using the run-script command. The variables defined in the parent shell are available for use in the child run-script command process.
- Passed as command-line arguments to the run-script command.
- Referenced using the syntax $(variable).
Examples
The following example creates a persistent user-defined CLI variable:
Related Commands
Displays all CLI variables (persistent, session and system).
clis
To execute Cisco NX-OS commands silently in Tcl, use the clis command.
Syntax Description
Defaults
Command Modes
Interactive Tcl shell and Tcl script.
Command History
Usage Guidelines
The clis command returns the output as a single string. It does not print any output to the terminal. This is usually the desired behavior when running Tcl scripts, because it prevents the terminal from being flooded with the output of the executed NX-OS commands.
In a Tcl script, the cli or clis command is required to execute NX-OS commands.
In the Tcl shell interactive mode, the cli and clis commands are optional to execute NX-OS commands; commands that are not recognized by the Tcl shell are passed to the NX-OS shell for execution.
Examples
The following example enables the locator LED for module 1 in a Tcl script:
The following Tcl example shows how to quote a variable and use the pipe in an interactive Tcl shell. It creates a list of Supervisor-3 modules in the system and assigns it to the variable sups. string trimright removes the trailing blank line from the variable added by Tcl:
Related Commands
Open a file or command pipeline and return a channel identifier.
clock
To configure the time zone or daylight savings time, use the clock command in configuration mode. To disable the daylight saving time adjustment, use the no form of the command.
clock { summer-time summer-time-name start-week start-day start-month start-time end-week end-day end-month end-time offset-minutes | timezone timezone-name hours-offset minute-offset }
no clock { summer-time summer-time-name start-week start-day start-month start-time end-week end-day end-month end-time offset-minutes | timezone timezone-name hours-offset minute-offset }
Syntax Description
Defaults
Coordinated Universal Time (UTC) is the same as Greenwich Mean Time (GMT).
Command Modes
Command History
Usage Guidelines
The appropriate daylight savings time zone name should be specified. If it is not, the default name is used.
Specify the hours-offset argument with a dash before the number; for example, -23. Specify the minutes-offset argument with a dash before the number; for example, -59.
Examples
The following example shows how to set Pacific Daylight Time starting on Sunday in the second week of March at 2:00 A.M. and ending on Sunday in the first week of November at 2:00 A.M:
The following example shows how to set the time zone to Pacific Standard Time:
Related Commands
|
|
---|---|
Displays changes made to the time zone configuration along with other configuration information. |
clock set
To change the system time on a Cisco MDS 9000 Family switch, use the clock set command in EXEC mode.
clock set HH:MM:SS DD Month YYYY
Syntax Description
The two-digit time in hours in military format (15 for 3 p.m.). |
|
Defaults
Command Modes
Command History
Usage Guidelines
Generally, if the system is synchronized by a valid outside timing mechanism, such as an NTP clock source, or if you have a switch with calendar capability, you do not need to set the system clock. Use this command if no other time sources are available. The time specified in this command is relative to the configured time zone.
The clock set command changes are saved across system resets.
Examples
The following example shows how to set the system time:
cloud discover
To initiate manual, on-demand cloud discovery, use the cloud discover command.
cloud discover [interface {gigabitethernet slot/port | port-channel port-channel-number }]
Syntax Description
(Optional) Specifies a PortChannel interface. The range for the PortChannel number is 1 to 256. |
Defaults
Command Modes
Command History
Usage Guidelines
This command is not supported on the Cisco MDS 9124 switch, the Cisco Fabric Switch for HP c-Class BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter.
Examples
The following example initiates manual, on-demand cloud discovery:
The following example initiates manual, on-demand cloud discovery on Gigabit Ethernet interface 2/2:
Related Commands
cloud discovery
To configure cloud discovery, use the cloud discovery command in configuration mode. To remove the configuration, use the no form of the command.
cloud discovery {auto | fabric distribute | message icmp}
no cloud discovery {auto | fabric distribute | message icmp}
Syntax Description
Configures Internet Control Message Protocol (ICMP) as the method for sending a discovery message. |
Defaults
Command Modes
Command History
Usage Guidelines
The iSNS server distributes cloud and membership information across all of the switches using CFS. The cloud view is the same on all of the switches in the fabric.
Note If auto discovery is disabled, interface changes result in new members becoming part of an undiscovered cloud. No new clouds are formed.
Note This command is not supported on the Cisco MDS 9124 switch.
Examples
The following example enables auto cloud discovery:
The following example enables auto cloud discovery fabric distribution:
The following example disables auto cloud discovery fabric distribution:
Related Commands
cloud-discovery enable
To enable discovery of cloud memberships, use the cloud-discovery command in configuration mode. To disable discovery of cloud memberships, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example enables discovery of cloud memberships:
The following example disables discovery of cloud memberships:
Related Commands
cluster
To configure a cluster feature, use the cluster command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Starting with Cisco NX-OS Release 4.x, the cluster command is replaced by the feature command.
Examples
The following example enables the Cisco SME clustering:
code-page
Use the code-page command to configure the EBCDIC format. To disable the configuration or to revert to factory defaults, use the no form of the command.
code-page brazil | france | international-5 | italy | japan | spain-latinamerica | uk | us-canada
no code-page brazil | france | international-5 | italy | japan | spain-latinamerica | uk | us-canada
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This is an optional configuration. If you are not sure of the EBCDIC format to be used, we recommend retaining the us-canada (default) option.
Examples
The following example configures the italy EBCDIC format:
The following example reverts to the factory default of using the us-canada EBCDIC format:
Related Commands
commit
To apply the pending configuration pertaining to the Call Home configuration session in progress, use the commit command in Call Home configuration submode.
Syntax Description
Defaults
Command Modes
Call Home configuration submode
Command History
Usage Guidelines
CFS distribution must be enabled before you can commit the Call Home configuration.
Examples
The following example shows how to commit the Call Home configuration commands:
Related Commands
|
|
---|---|
Sends a dummy test message to the configured destination(s). |
|
commit (DMM job configuration submode)
To commit a DMM job, use the commit command in DMM job configuration submode. To remove the DMM job, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You need to configure server HBA ports, storage ports, and job attributes before you commit the job.
Examples
The following example shows how to commit a data migration job:
Related Commands
contract-id
To configure the service contract ID of the customer with the Call Home function, use the contract-id command in Call Home configuration submode. To disable this feature, use the no form of the command.
Syntax Description
Configures the service contract ID of the customer. Allows up to 64 characters for the contract number. |
Defaults
Command Modes
Call Home configuration submode
Command History
Usage Guidelines
Examples
The following example shows how to configure the contract ID in the Call Home configuration:
Related Commands
|
|
---|---|
Sends a dummy test message to the configured destination(s). |
|
configure terminal
To enter the configuration mode, use the configure terminal command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example enters the configuration mode:
The following example enters the configuration mode using an abbreviated format of the command:
copy
To save a backup of the system software, use the copy command in EXEC mode.
copy source-URL destination-URL
Syntax Description
The location URL or alias of the source file or directory to be copied. |
|
The destination URL or alias of the copied file or directory. |
The following table lists the aliases for source and destination URLs.
Defaults
Command Modes
Command History
Usage Guidelines
This command makes the running and the backup copy of the software identical.
A file can only be copied from an active supervisor to a standby supervisor, not from standby to active.
This command does not allow 127.x.x.x IP addresses.
The copy function will not be completed if the required space is not available in the directory. First change to the required directory (for example, cd bootflash:) and verify the available space (for example, dir bootflash:).
The entire copying process may take several minutes.
Do not copy a file from an external source directly to the standby supervisor. You must copy from the external source to the active supervisor, and then copy the saved file to the standby supervisor.
You can save cores (from the active supervisor module, the standby supervisor module, or any switching module) to an external flash (slot 0) or to a TFTP server in one of two ways:
- On demand—to copy a single file based on the provided process ID.
- Periodically—to copy core files periodically as configured by the user.
You can copy the log file to a different location using the copy log:messages command.
The debug partition contains debugging files created by the software for troubleshooting purposes.
The running-config startup-config fabric parameters allow you to use CFS to force every switch in the Fibre Channel fabric to copy their running configuration (source) to their startup configuration (destination).
Note If any remote switch fails to complete the copy running-config startup-config fabric process, the initiator switch also does not complete saving its startup-configuration. This means that both the remote switch and the initiator switch have failed to save their startup-configuration (the old startup-configuration reverts back). All the other switches in the network would have succeeded.
Examples
The following example saves your configuration to the startup configuration:
The following example copies the file called samplefile from the slot0 directory to the mystorage directory:
The following example copies a file from the current directory level:
If the current directory is slot0:mydir, this command copies slot0:mydir/samplefile to slot0:mydir/mystorage/samplefile.
The following example downloads a configuration file from an external CompactFlash to the running configuration:
The following example saves a running configuration file to an external CompactFlash:
The following example saves a startup configuration file to an external CompactFlash:
The following example uses CFS to cause all switches in the fabric to copy their running configuration (source) file to their startup configuration (destination) file:
Note If any remote switch fails to complete the copy running-config startup-config fabric process, the initiator switch also does not complete saving its startup-configuration. This means both the remote switch and the initiator switch have failed to save their startup-configuration (the old startup-configuration reverts back). All the other switches in the network would have succeeded.
Note When you copy a file to an FTP server from a Cisco Fabric Switch for IBM BladeCenter, you must enter the full path. For example: switch# copy running-config ftp://172.25.161.201/mnt/hd2/bch6-inagua-bay3_cfg1.txt. If you do not enter the full path, the command will not succeed.
The following example creates a backup copy of the binary configuration:
The following example copies an image in bootflash on the active supervisor to the bootflash on the standby supervisor:
The following example creates a running configuration copy in bootflash:
The following example creates a startup configuration copy in bootflash:
Related Commands
copy licenses
To save a backup of the installed license files, use the copy licenses command in EXEC mode.
copy licenses source-URL destination-URL
Syntax Description
The location URL or alias of the source file or directory to be copied. |
|
The destination URL or alias of the copied file or directory. |
The following table lists the aliases for source and destination URLs.
Specifies the location for the CompactFlash memory or PCMCIA card. |
|
Specifies the name of the license file with a .tar extension. |
Defaults
Command Modes
Command History
Usage Guidelines
The copy function will not be completed if the required space is not available in the directory. First change to the required directory (for example, cd bootflash:) and verify the available space (for example, dir bootflash:).
We recommend backing up your license files immediately after installing them and just before issuing a write erase command.
Examples
The following example saves a file called Enterprise.tar to the bootflash: directory:
Related Commands
copy ssm-nvram standby-sup
To copy the contents of the Storage Services Module (SSM) NVRAM to the standby Supervisor 2 module when migrating from a Supervisor 1 to Supervisor 2 module, use the copy ssm-nvram standby-sup command in EXEC mode.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command should only be used for migrating from a Supervisor 1 to a Supervisor 2 module. When both modules in the switch are the same, you should not use this command; use the copy command instead.
Examples
The following example copies the contents of the SSM NVRAM to the standby Supervisor 2 module:
Related Commands
counter (port-monitor configuration mode)
To configure an individual counter in a port-monitor policy to use non-default values, use the counter command. To reset the counter to its default values in a Port Monitor policy, use the no form of the command.
counter { credit-loss-reco | err-pkt-from-port | err-pkt-from-xbar | err-pkt-to-xbar | invalid-crc | invalid-words | link-loss | lr-rx | lr-tx | rx-datarate | signal-loss | state-change | sync-loss | timeout-discards | tx-credit-not-available | tx-datarate | tx-discards | tx-slowport-count | tx-slowport-oper-delay | txwait } poll-interval poll-interval seconds { absolute | delta} rising-threshold rising threshold event event-id warning-threshold warning threshold falling-threshold falling threshold event event-id [ portguard { errordisable | flap} ]
no counter { credit-loss-reco | err-pkt-from-port | err-pkt-from-xbar | err-pkt-to-xbar | invalid-crc | invalid-words | link-loss | lr-rx | lr-tx | rx-datarate | signal-loss | state-change | sync-loss | timeout-discards | tx-credit-not-available | tx-datarate | tx-discards | tx-slowport-count | tx-slowport-oper-delay | txwait } poll-interval poll-interval seconds { absolute | delta} rising-threshold rising threshold event event-id warning-threshold warning threshold falling-threshold falling threshold event event-id [ portguard { errordisable | flap} ]
Defaults
Each counter has its own unique defaults. Issue the show port-monitor default command to see all the defaults.
Command Modes
Configuration Port Monitor mode.
Command History
|
|
---|---|
Added tx-slowport-count, tx-slowport-oper-delay, and txwait keywords. |
|
Added err-pkt-from-port, err-pkt-from-xbar, err-pkt-to-xbar keywords. |
|
Usage Guidelines
- The counter command configures the thresholds and other parameters for the counter. To turn monitoring off or on for a counter within a given port-monitor policy, use the no monitor counter countername command.
- Once a port-monitor policy has been configured, the policy must be activated for it to take effect. See the port-monitor activate policyname command for further details.
- This command is available in port-monitor configuration mode.
- It is recommended not to have a port guard action set to the state-change counter when an interface state is changed from down state to up state.
Examples
The following example shows how to configure the credit loss recovery counter within a Port Monitor policy:
The following example shows how to configure the err-pkt-from-port counter:
The following example shows how to configure the state-change counter:
Related Commands
|
|
---|---|
Configures monitoring of a specific counter within a Port Group Monitor policy. |
|
Configures the default slow port monitor timeout value for the specified port type. |
counter (port-group-monitor configuration mode)
To configure an individual counter in a port group monitor policy to use non-default values, use the counter command. To reset the counter to its default values in a Port Group Monitor policy, use the no form of the command.
counter {rx-performance | tx-performance} poll-interval interval {delta} rising-threshold rising threshold falling-threshold low threshold
no counter {rx-performance | tx-performance} poll-interval interval {delta} rising-threshold rising threshold falling-threshold falling-threshold
Syntax Description
Defaults
Command Modes
Configuration Port Group Monitor mode
Command History
Usage Guidelines
This command is available in port-group-monitor configuration mode.
Examples
The following example shows how to configure monitoring of a specific counter within a Port Group Monitor policy:
The following example shows how to turn off the monitoring of a specific counter in the given policy:
Admin status : Not Active
Counter Threshold Interval %ge Rising Threshold %ge Falling Threshold In Use
------- --------- -------- -------------------- ---------------------- ------
RX Performance Delta 60 80 20 Yes
TX Performance Delta 60 80 20 No
------------------------------------------------------------------------
Related Commands
counter tx-slowport-count
To configure the tx-slowport-count counter, use the counter tx-slowport-count command. To reset the counter, use the no form of the command.
counter tx-slowport-count poll-interval seconds {absolute | delta} {rising-threshold count1 event event-id [falling-threshold count2 event event-id]}
no counter tx-slowport-count poll-interval seconds {absolute | delta} {rising-threshold count1 event event-id [falling-threshold count2 event event-id]}
Syntax Description
Defaults
Command Modes
Configuration Port Monitor mode.
Command History
Examples
The following example shows how to configure the tx-slowport-count counter within a Port Monitor policy:
The following example shows how to reset to the default values for the tx-slowport-count counter within a Port Monitor policy:
Configuration for this counter are reset to use default values.
Related Commands
counter tx-slowport-oper-delay
To configure the tx-slowport-oper-delay counter, use the counter tx-slowport-oper-delay command. To reset the counter, use the no form of the command.
counter tx-slowport-oper-delay poll-interval seconds absolute rising-threshold value event event-id [falling-threshold value event event-id]
no counter tx-slowport-oper-delay poll-interval seconds absolute rising-threshold value event event-id [falling-threshold value event event-id]
Syntax Description
Sets a numerical value (in milliseconds) for the rising-threshold. |
|
Sets a numerical value (in milliseconds) for the falling-threshold. |
|
Defaults
Command Modes
Configuration Port Monitor mode
Command History
Examples
The following example shows how to configure the tx-slowport-oper-delay counter within a Port Monitor policy:
The following example shows how to reset to the default values for the tx-slowport-oper-delay counter within a Port Monitor policy:
Related Commands
counter txwait
To configure the txwait counter, use the counter txwait command. To reset the counter, use the no form of the command.
counter txwait poll-interval seconds {absolute | delta} {rising-threshold percentage1 event event-id [falling-threshold percentage2 event event-id]}
no counter txwait poll-interval seconds {absolute | delta} {rising-threshold percentage1 event event-id [falling-threshold percentage2 event event-id]}
Syntax Description
Sets a numerical limit (in percentage) for the rising-threshold. |
|
Sets a numerical limit (in percentage) for the rising-threshold. |
|
Defaults
Default values of the different parameters for the counter.
Command Modes
Configuration Port Monitor mode.
Command History
Examples
The following example shows how to configure the txwait counter within a Port Monitor policy:
The following example shows how to reset to the default values for the txwait counter within a Port Monitor policy:
Related Commands
CRLLookup
To set the CRLLookup, use the CRLLookup command. To disable this feature, use the no form of the command.
crllookup attribute-name attribute-name search-filter string base-DN string
no crllookup attribute-name attribute-name search-filter string base-DN string
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
Related Commands
crypto ca authenticate
To associate and authenticate a certificate of the certificate authority (CA) and configure its CA certificate (or certificate chain), use the crypto ca authenticate command in configuration mode. The CA certificate or certificate chain is assumed to already be available in Privacy Enhanced Mail (PEM) (base-64) encoded format.
crypto ca authenticate trustpoint-label
Syntax Description
Specifies the name of the trust point. The maximum size is 64 characters. |
Defaults
Command Modes
Command History
Usage Guidelines
This command authenticates the CA to the switch by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you execute this command.
This command is required when you initially configure certificate authority support for the switch. Before you attempt CA authentication, first create the trust point using the crypto ca trustpoint command. The CA certificate fingerprint (the MD5 or SHA hash of the certificate) is generally published by the CA. When authenticating the CA, the certificate fingerprint is displayed. The administrator needs to compare it with the one published by the CA and accept the CA certificate only if it matches.
If the CA being authenticated is a subordinate CA (meaning that it is not self-signed), then it is certified by another CA, which in turn may be certified by yet another CA, and so on until there is a self-signed CA. In this case, the subordinate CA in question is said to have a CA certificate chain certifying it. The entire chain must be input during CA authentication. The maximum length that the CA certificate chain supports is ten.
The trust point CA is the certificate authority configured on the switch as the trusted CA. Any peer certificate obtained will be accepted if it is signed by a locally trusted CA or its subordinates.
Note The trust point configuration (created by the crypto ca trustpoint command) is persistent only if saved explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trust point are automatically made persistent if the trust point in question was already saved in the startup configuration. Conversely, if the trust point was not saved in the startup configuration, the certificates and CRL associated to it are not made persistent automatically because they do not exist without the corresponding trust point after the switch reboots.
To ensure that the configured certificates, CRLs and key pairs are made persistent, always save the running configuration to the startup configuration.
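The fingerprint comparison described above can be prepared offline before the chain is pasted into the switch. The following Python sketch is an added example, not part of the original command reference or of NX-OS: it splits a PEM bundle, enforces the ten-certificate chain limit, and reports which block matches the fingerprint the CA published. The function names and the sample bundle are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import re

MAX_CHAIN_LEN = 10                      # chain limit stated on this page
ALLOWED_ALGOS = ("md5", "sha1", "sha256")
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample bundle. The two bodies are short placeholder byte strings,
# not real X.509 certificates; a fingerprint is a hash of the decoded bytes.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# SHA-256 of the second placeholder, as a CA might publish it (constructed).
SAMPLE_PUBLISHED = ("ba:78:16:bf:8f:01:cf:ea:41:41:40:de:5d:ae:22:23:"
                    "b0:03:61:a3:96:17:7a:9c:b4:10:ff:61:f2:00:15:ad")


def pem_chain_to_der(pem_text):
    """Split a PEM bundle into decoded byte strings, in the order given."""
    bodies = _PEM_BLOCK.findall(pem_text)
    if not bodies:
        raise ValueError("no PEM certificate block found")
    if len(bodies) > MAX_CHAIN_LEN:
        raise ValueError(f"chain has {len(bodies)} certificates, "
                         f"limit is {MAX_CHAIN_LEN}")
    chain = []
    for index, body in enumerate(bodies):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {index} is not valid base64") from exc
        if not der:
            raise ValueError(f"block {index} is empty")
        chain.append(der)
    return chain


def fingerprint(der, algo="sha256"):
    """Return the colon-separated, upper-case hex digest of the bytes."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported algorithm: {algo}")
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _clean_hex(text):
    """Drop separators and reject anything that is not a hex digit."""
    cleaned = re.sub(r"[\s:-]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError("fingerprint must be hex digits and separators only")
    return cleaned.upper()


def matches_published(der, published, algo="sha256"):
    """Compare the computed fingerprint with the one published by the CA."""
    computed = _clean_hex(fingerprint(der, algo))
    claimed = _clean_hex(published)
    if len(claimed) != len(computed):
        return False                    # truncated value or wrong algorithm
    return hmac.compare_digest(computed, claimed)


def find_published_cert(pem_text, published, algo="sha256"):
    """Return the index of the block matching the published fingerprint."""
    for index, der in enumerate(pem_chain_to_der(pem_text)):
        if matches_published(der, published, algo):
            return index
    return None                         # nothing matches: do not accept


if __name__ == "__main__":
    for i, der in enumerate(pem_chain_to_der(SAMPLE_BUNDLE)):
        print(i, fingerprint(der, "sha256"))
    print("matching block:", find_published_cert(SAMPLE_BUNDLE, SAMPLE_PUBLISHED))
```

Obtain the published fingerprint over a channel independent of the one that delivered the certificate file.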
Examples
The following example authenticates a CA certificate called admin-ca:
Related Commands
crypto ca crl request
To configure a new certificate revocation list (CRL) downloaded from the certificate authority (CA), use the crypto ca crl request command in configuration mode.
crypto ca crl request trustpoint-label source-file
Syntax Description
Specifies the name of the trust point. The maximum size is 64 characters. |
|
Specifies the location of the CRL in the form bootflash:filename. The maximum size is 512. |
Defaults
Command Modes
Command History
Usage Guidelines
Cisco MDS NX-OS allows you to pre-download CRLs for the trust points and cache the CRLs in the cert store using the crypto ca crl request command. During the verification of a peer certificate by IPsec/IKE or SSH, the issuer CA’s CRL will be consulted only if it had already been configured locally, and revocation checking is configured to use CRL. Otherwise, CRL checking is not done and a certificate is considered to be not revoked if no other revocation checking methods are configured. This mode of CRL checking is called CRL optional.
The other modes of revocation checking are called CRL best-effort and CRL mandatory. In these modes, if the CRL is not found locally, there is an attempt to fetch it automatically from the CA. These modes are not supported in MDS SAN-OS release 3.0(1).
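The practical consequence of the three modes is easiest to see by running a revoked certificate through each of them. The following Python model is an added example, not NX-OS code: the CRL optional branch follows the description above, while the outcome after a failed fetch in the best-effort and mandatory modes is an assumption inferred from the mode names, since this page does not state it. All names and sample serial numbers are constructed.

```python
from enum import Enum


class CrlMode(Enum):
    OPTIONAL = "optional"
    BEST_EFFORT = "best-effort"
    MANDATORY = "mandatory"


REVOKED_SERIAL = "1A2B3C"                       # constructed sample serial
SAMPLE_CRL = frozenset({REVOKED_SERIAL, "00FF10"})  # constructed sample CRL


def check_revocation(serial, mode, local_crl=None, fetch_crl=None):
    """Return (accepted, reason) for a peer certificate serial number.

    local_crl is the set of revoked serials cached for the issuer's trust
    point, or None when no CRL was pre-downloaded. fetch_crl is a callable
    that returns such a set or raises OSError when the CA is unreachable.
    """
    crl, source = local_crl, "local"
    if crl is None:
        if mode is CrlMode.OPTIONAL:
            # Described on this page: no local CRL means no CRL check at all.
            return True, "no local CRL: revocation check skipped"
        try:
            crl = fetch_crl() if fetch_crl is not None else None
        except OSError:
            crl = None
        source = "fetched"
        if crl is None:
            if mode is CrlMode.BEST_EFFORT:
                # Assumption: best-effort accepts when the fetch fails.
                return True, "CRL fetch failed: accepted without check"
            # Assumption: mandatory rejects when no CRL can be obtained.
            return False, "CRL fetch failed: rejected"
    if serial in crl:
        return False, f"serial listed in {source} CRL"
    return True, f"serial not in {source} CRL"


def _fetch_ok():
    return SAMPLE_CRL


def _fetch_down():
    raise OSError("CA distribution point unreachable")


def fail_open_scenarios():
    """List (mode, scenario) pairs in which the revoked serial is accepted."""
    scenarios = {
        "crl-cached": (SAMPLE_CRL, _fetch_ok),
        "no-cache, fetch-ok": (None, _fetch_ok),
        "no-cache, fetch-down": (None, _fetch_down),
    }
    findings = []
    for mode in CrlMode:
        for name, (local, fetch) in scenarios.items():
            accepted, _reason = check_revocation(REVOKED_SERIAL, mode, local, fetch)
            if accepted:
                findings.append((mode.value, name))
    return findings


if __name__ == "__main__":
    for mode_name, scenario in fail_open_scenarios():
        print(f"revoked certificate accepted: mode={mode_name}, {scenario}")
```

In the CRL optional mode the only protection is a CRL that was pre-downloaded and kept current, so trust points without a cached CRL are the ones to review.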
The CRL file specified should contain the latest CRL in either Privacy Enhanced Mail (PEM) format or Distinguished Encoding Rules (DER) format.
Note The trust point configuration (created by the crypto ca trustpoint command) is persistent only if saved explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trust point are automatically made persistent if the trust point in question was already saved in the startup configuration. Conversely, if the trust point was not saved in the startup configuration, the certificates and CRL associated to it are not made persistent automatically because they do not exist without the corresponding trust point after the switch reboots.
To ensure that the configured certificates, CRLs and key pairs are made persistent, always save the running configuration to the startup configuration.
Examples
The following example configures a CRL for the trust point or replaces the current CRL:
Related Commands
crypto ca enroll
To request a certificate for the switch’s RSA key pair created for this trust point CA, use the crypto ca enroll command in configuration mode.
crypto ca enroll trustpoint-label
Syntax Description
Specifies the name of the trust point. The maximum size is 64 characters. |
Defaults
Command Modes
Command History
Usage Guidelines
An MDS switch can enroll with the trust point CA to get an identity in the form of a certificate. You can enroll your switch with multiple trust points, thereby getting a separate identity certificate from each.
When enrolling with a trust point, you must specify an RSA key pair to be certified. This key pair must be generated and associated to the trust point before generating the enrollment request. The association between the trust point, key pair, and identity certificate is valid until it is explicitly removed by deleting the identity certificate first, followed by disassociating the key pair, and deleting the CA certificates (in any order), and finally deleting the trust point itself, in that order only.
Use the crypto ca enroll command to generate a request to obtain an identity certificate from each of your trust points corresponding to authenticated CAs. The certificate signing request (CSR) generated is per Public-Key Cryptography Standards (PKCS) #10 standard, and is displayed in PEM format. Cut and paste it and submit it to the corresponding CA through e-mail or the CA website. The CA administrator issues the certificate and makes it available to you either through the website or by sending it in e-mail. You need to import the obtained identity certificate to the corresponding trust point using the crypto ca import trustpoint-label certificate command.
The challenge password is not saved with the configuration. This password is required in the event that your certificate needs to be revoked, so you must remember this password.
Examples
The following example generates a certificate request for an authenticated CA:
% The 'show crypto ca certificate' command will also show the fingerprint.
Related Commands
|
|
---|---|
Imports the identity certificate obtained from the CA to the trust point. |
|
Configures and associates the RSA key pair details to a trust point. |
|
crypto ca export
To export the RSA key pair and the associated certificates (identity and CA) of a trust point within a Public-Key Cryptography Standards (PKCS) #12 format file to a specified location, use the crypto ca export command in configuration mode.
crypto ca export trustpoint-label pkcs12 destination-file-url pkcs12-password
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You can export the identity certificate along with the associated RSA key pair and CA certificate (or certificate chain) to a PKCS #12 format file for backup purposes. You can later import the certificate and RSA key pair to recover from a system crash on your switch.
Examples
The following example shows how to export a certificate and key pair in PKCS #12 format:
Related Commands
crypto ca import
To import the identity certificate alone in PEM format or the identity certificate and associated RSA key pair and CA certificate (or certificate chain) in Public-Key Cryptography Standards (PKCS) #12 form, use the crypto ca import command in configuration mode.
crypto ca import trustpoint-label { certificate | pkcs12 source-file-url pkcs12-password}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The first form of the command, crypto ca import trustpoint-label certificate, is used to import (by cut and paste means) the identity certificate obtained from the CA, corresponding to the enrollment request generated earlier in the trust point and submitted to the CA. The administrator is prompted to cut and paste the certificate.
The second form of the command, crypto ca import trustpoint-label pkcs12 source-file-url pkcs12-password, is used to import the complete identity information (that is, the identity certificate and associated RSA key pair and CA certificate or certificate chain) into an empty trust point. This command is useful for restoring the configuration after a system goes down.
Note The trust point configuration (created by the crypto ca trustpoint command) is persistent only if saved explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trust point are automatically made persistent if the trust point in question was already saved in the startup configuration. Conversely, if the trust point was not saved in the startup configuration, the certificates and CRL associated to it are not made persistent automatically because they do not exist without the corresponding trust point after the switch reboots.
To ensure that the configured certificates, CRLs and key pairs are made persistent, always save the running configuration to the startup configuration.
Examples
The following example installs an identity certificate obtained from a CA corresponding to an enrollment request made and submitted earlier:
The following example shows how to import a certificate and key pair in a Public-Key Cryptography Standards (PKCS) #12 format file:
Related Commands
|
|
---|---|
Exports the RSA key pair and associated certificates of a trust point. |
|
crypto ca test verify
To verify a certificate file, use the crypto ca test verify command in configuration mode.
crypto ca test verify certificate-file
Syntax Description
Specifies the certificate filename in the form bootflash:filename. The maximum size is 512 characters. |
Defaults
Command Modes
Command History
Usage Guidelines
The crypto ca test verify command is only a test command. It verifies the specified certificate in PEM format by using the trusted CAs configured and by consulting the CRL or OCSP if needed, as per the revocation checking configuration.
Examples
The following example shows how to verify a certificate file. Verify status code 0 means the verification is successful.
Related Commands
crypto ca lookup
To configure the type of certstore that PKI will use for authentication, use the crypto ca lookup command in configuration mode. To disable this feature, use the no form of the command.
crypto ca lookup {both | local | remote}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to configure both local and remote certstore:
The following example shows how to configure local certstore:
The following example shows how to configure remote certstore:
Related Commands
crypto ca remote ldap
To configure the LDAP certstore, use the crypto ca remote ldap command in configuration mode. To disable this feature, use the no form of the command.
crypto ca remote ldap {crl-refresh-time hours | server-group group-name}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to configure the timer to fetch the CRL from the remote certstore:
The following example shows how to configure LDAP server group:
Related Commands
crypto ca trustpoint
To create a trust point certificate authority (CA) that the switch should trust, and enter trust point configuration submode (config-trustpoint), use the crypto ca trustpoint command in configuration mode. To remove the trust point, use the no form of the command.
crypto ca trustpoint trustpoint-label
no crypto ca trustpoint trustpoint-label
Syntax Description
Specifies the name of the trust point. The maximum size is 64 characters. |
Defaults
Command Modes
Command History
Usage Guidelines
Trust points have the following characteristics:
- A trust point corresponds to a single CA, which an MDS switch trusts for peer certificate verification for any application.
- A CA must be explicitly associated with a trust point through the CA authentication process, using the crypto ca authenticate command.
- An MDS switch can have many trust points and all applications on the switch can trust a peer certificate issued by any of the trust point CAs.
- A trust point is not restricted to a specific application.
- The MDS switch can optionally enroll with a trust point CA to get an identity certificate for itself.
You do not need to designate one or more trust points to an application. Any application should be able to use any certificate issued by any trust point as long as the certificate purpose satisfies the application requirement.
You do not need more than one identity certificate from a trust point or more than one key pair to be associated to a trust point. A CA certifies a given identity (name) only once and does not issue multiple certificates with the same subject name. If you need more than one identity certificate for a CA, define another trust point for the same CA, associate another key pair to it, and have it certified, provided the CA allows multiple certificates with the same subject name.
Note Before using the no crypto ca trustpoint command to remove the trust point, first delete the identity certificate and CA certificate (or certificate chain) and then disassociate the RSA key pair from the trust point. The switch enforces this behavior to prevent the accidental removal of the trust point along with the certificates.
Examples
The following example declares a trust point CA that the switch should trust and enters trust point configuration submode:
switch# config terminal
The following example removes the trust point CA:
switch# config terminal
Related Commands
crypto certificatemap mapname
To configure the certificate map that will be used for filtering the certificate request, use the crypto certificatemap mapname command in configuration mode. To disable this feature, use the no form of the command.
crypto certificatemap mapname mapname
Syntax Description
Specifies the name of the filter map. The maximum size is 64 characters. |
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to display mapping filters applied for SSH authentication:
Related Commands
crypto cert ssh-authorize
To configure a mapping filter for SSH, use the crypto cert ssh-authorize command in configuration mode. To disable this feature, use the no form of the command.
crypto cert ssh-authorize name map map name1 mapname2
Syntax Description
Specifies issuer name of the certificate. The maximum size is 64 characters. |
|
Specifies the name of the mapping filter that is already configured. The maximum size is 64 characters. |
Defaults
Command Modes
Command History
Usage Guidelines
Examples
The following example shows how to configure mapping filter for SSH:
The following example shows how to configure default mapping filter for SSH:
Related Commands
crypto global domain ipsec security-association lifetime
To configure global parameters for IPsec, use the crypto global domain ipsec security-association lifetime command. To revert to the default, use the no form of the command.
crypto global domain ipsec security-association lifetime { gigabytes number | kilobytes number | megabytes number | seconds number }
no crypto global domain ipsec security-association lifetime { gigabytes | kilobytes | megabytes | seconds }
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, IPsec must be enabled using the crypto ipsec enable command.
The global security association lifetime value can be overridden for individual IPsec crypto maps using the set command in IPsec crypto map configuration submode.
Examples
The following example shows how to configure the system default before the IPsec:
Related Commands
crypto ike domain ipsec
To enter IKE configuration submode, use the crypto ike domain ipsec command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To configure IKE protocol attributes, IKE must be enabled using the crypto ike enable command.
Note This command is not supported on the Cisco MDS 9124 switch, the Cisco Fabric Switch for HP c-Class BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter.
Examples
The following example shows how to enter IKE configuration mode:
Related Commands
crypto ike domain ipsec rekey sa
To rekey an IKE crypto security association (SA) in the IPsec domain, use the crypto ike domain ipsec rekey sa command.
crypto ike domain ipsec rekey sa sa-index
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, IKE must be enabled using the crypto ike enable command.
Note This command is not supported on the Cisco MDS 9124 switch.
Examples
The following example rekeys an IKE crypto SA:
Related Commands
crypto ike enable
To enable IKE, use the crypto ike enable command. To disable IKE, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The IKE protocol cannot be disabled unless IPsec is disabled.
The configuration and verification commands for the IKE protocol are only available when the IKE protocol is enabled on the switch. When you disable this feature, all related configurations are automatically discarded.
Note This command is not supported on the Cisco MDS 9124 switch.
Examples
The following example shows how to enable the IKE protocol:
Related Commands
crypto ipsec enable
To enable IPsec, use the crypto ipsec enable command. To disable IPsec, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To enable IPsec, the IKE protocol must be enabled using the crypto ike enable command.
The configuration and verification commands for IPsec are only available when IPsec is enabled on the switch. When you disable this feature, all related configurations are automatically discarded.
Note This command is not supported on the Cisco MDS 9124 switch, the Cisco Fabric Switch for HP c-Class BladeSystem, and the Cisco Fabric Switch for IBM BladeCenter.
Examples
The following example shows how to enable IPsec:
Related Commands
crypto key generate rsa
To generate an RSA key pair, use the crypto key generate rsa command in configuration mode.
crypto key generate rsa [label key-pair-label ] [exportable] [modulus key-pair-size ]
Syntax Description
(Optional) Specifies the name of the key pair. The maximum size is 64 characters. |
|
(Optional) Specifies the size of the key pair. The size ranges from 512 to 2048. |
Defaults
By default, the key is not exportable.
The default label is the switch FQDN.
The default modulus is 512.
Command Modes
Command History
Usage Guidelines
You can generate one or more RSA key pairs and associate each RSA key pair with a distinct trust point CA, where the MDS switch enrolls to obtain identity certificates. The MDS switch needs only one identity per CA, which consists of one key pair and one identity certificate.
Cisco MDS NX-OS allows you to generate RSA key pairs with a configurable key size (or modulus). The default key size is 512. Valid modulus values are 512, 768, 1024, 1536, and 2048.
You can also configure an RSA key pair label. The default key pair label is FQDN.
Examples
The following example shows how to configure an RSA key pair called newkeypair:
The following example shows how to configure an RSA key pair called testkey, of size 768, that is exportable:
The following example shows how to generate an exportable RSA key with the switch name as the default label and 512 as the default modulus:
Related Commands
crypto key zeroize rsa
To delete an RSA key pair from the switch, use the crypto key zeroize rsa command in configuration mode.
crypto key zeroize rsa key-pair-label
Syntax Description
Specifies the RSA key pair to delete. The maximum size is 64 characters. |
Defaults
Command Modes
Command History
Usage Guidelines
If you believe the RSA key pair on your switch was compromised in some way and should no longer be used, you should delete it.
After you delete the RSA key pair on the switch, ask the CA administrator to revoke your switch’s certificates at the CA. You must supply the challenge password you created when you originally requested the switch’s certificates.
Before deleting a key pair, you should delete the identity certificates corresponding to it in various trust points if the identity certificates exist, and then disassociate the key pair from those trust points. The purpose of this is to prevent accidental deletion of a key pair for which there exists an identity certificate in a trust point.
Note The trust point configuration, certificates, and key pair configurations are made persistent only after saving to the startup configuration. To be consistent with this configuration behavior, the delete behavior is also the same. That is, the deletions are made persistent only after saving to the startup configuration.
Use the copy running-config startup-config command to make the certificate and key pair deletions persistent.
Examples
The following example shows how to delete an RSA key pair called testkey:
Related Commands
crypto map domain ipsec (configuration mode)
To specify an IPsec crypto map and enter IPsec crypto map configuration mode, use the crypto map domain ipsec command. To delete an IPsec crypto map or a specific entry in an IPsec crypto map, use the no form of the command.
crypto map domain ipsec map-name [seq-number]
no crypto map domain ipsec map-name [ seq-number ]
Syntax Description
(Optional) Specifies the sequence number for the map entry. The range is 1 to 65535. |
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, IPsec must be enabled using the crypto ipsec enable command.
The sequence number determines the order in which IPsec crypto map entries are applied.
Examples
The following example specifies entry 1 for IPsec crypto map IPsecMap and enters IPsec crypto map configuration mode:
The following example deletes an IPsec crypto map entry:
The following example deletes the entire IPsec crypto map:
Related Commands
crypto map domain ipsec (interface configuration submode)
To configure an IPsec crypto map on a Gigabit Ethernet interface, use the crypto map domain ipsec command in interface configuration submode. To remove the IPsec crypto map, use the no form of the command.
crypto map domain ipsec map-name
Syntax Description
Defaults
Command Modes
Interface configuration submode
Command History
Usage Guidelines
To use this command, IPsec must be enabled using the crypto ipsec enable command.
The sequence number determines the order in which crypto maps are applied.
Examples
The following example shows how to specify an IPsec crypto map for a Gigabit Ethernet interface:
Related Commands
crypto transform-set domain ipsec
To create and configure IPsec transform sets, use the crypto transform-set domain ipsec command. To delete an IPsec transform set, use the no form of the command.
crypto transform-set domain ipsec set-name { esp-3des | esp-des } [ esp-aes-xcbc-mac | esp-md5-hmac | esp-sha1-hmac ]
crypto transform-set domain ipsec set-name esp-aes { 128 | 256 } [ ctr { esp-aes-xcbc-mac | esp-md5-hmac | esp-sha1-hmac } | esp-aes-xcbc-mac | esp-md5-hmac | esp-sha1-hmac ]
no crypto transform-set domain ipsec set-name { esp-3des | esp-des } [ esp-aes-xcbc-mac | esp-md5-hmac | esp-sha1-hmac ]
no crypto transform-set domain ipsec set-name esp-aes { 128 | 256 } [ ctr { esp-aes-xcbc-mac | esp-md5-hmac | esp-sha1-hmac } | esp-aes-xcbc-mac | esp-md5-hmac | esp-sha1-hmac ]
Syntax Description
Specifies the transform set name. Maximum length is 63 characters. |
|
Specifies ESP transform using the AES cipher (128 or 256 bits). |
|
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, IPsec must be enabled using the crypto ipsec enable command.
You can use this command to modify existing IPsec transform sets. If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change is not applied to existing security associations, but used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database using the clear crypto sa domain ipsec command.
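The crypto key generate rsa defaults (modulus 512, optional exportable keyword) and the transform-set keywords listed above (esp-des, esp-3des, esp-md5-hmac, optional authentication) can be checked before a change script is applied. The following is an added example, not part of the Cisco command reference; the policy thresholds, the function names, and the sample script are assumptions of this example.

```python
# Added example: audit NX-OS crypto commands against a local policy.
# Policy values are this example's assumptions, not Cisco guidance.
MIN_RSA_MODULUS = 2048        # largest modulus the command accepts
DEFAULT_RSA_MODULUS = 512     # default stated in the command reference
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}
AUTH = {"esp-aes-xcbc-mac", "esp-md5-hmac", "esp-sha1-hmac"}

def audit_line(line):
    """Return the findings for one CLI line (empty list if none apply)."""
    tokens, findings = line.split(), []
    if tokens[:4] == ["crypto", "key", "generate", "rsa"]:
        opts, modulus, i = tokens[4:], DEFAULT_RSA_MODULUS, 0
        while i < len(opts):
            if opts[i] == "label":            # skip the label value itself
                i += 2
            elif (opts[i] == "modulus" and opts[i + 1:i + 2]
                  and opts[i + 1].isdigit()):
                modulus, i = int(opts[i + 1]), i + 2
            else:
                if opts[i] == "exportable":
                    findings.append("private key is exportable")
                i += 1
        if modulus < MIN_RSA_MODULUS:         # also catches the 512 default
            findings.append(f"rsa modulus {modulus} < {MIN_RSA_MODULUS}")
    elif tokens[:4] == ["crypto", "transform-set", "domain", "ipsec"]:
        opts = set(tokens[5:])                # tokens[4] is the set name
        findings += [f"weak transform {kw}" for kw in sorted(opts & WEAK)]
        if not opts & AUTH:                   # authentication is optional
            findings.append("no ESP authentication transform")
    return findings                           # "no ..." lines are ignored

def audit(script):
    """Return (line_number, finding) pairs for a multi-line command script."""
    return [(n, f) for n, line in enumerate(script.splitlines(), 1)
            for f in audit_line(line)]

# Constructed sample; the set names and the fabric-a label are made up.
SAMPLE = """\
crypto key generate rsa label newkeypair
crypto key generate rsa label testkey exportable modulus 768
crypto key generate rsa label fabric-a modulus 2048
crypto transform-set domain ipsec legacy esp-des esp-md5-hmac
crypto transform-set domain ipsec noauth esp-aes 256
crypto transform-set domain ipsec strong esp-aes 256 esp-sha1-hmac
no crypto transform-set domain ipsec legacy esp-des esp-md5-hmac
"""

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: {finding}")
```

Because a changed transform set applies only to new security associations, existing SAs negotiated with a flagged transform remain in use until they are cleared or expire.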
Examples
The following example shows how to configure an IPsec transform set:
Related Commands
customer-id
To configure the customer ID with the Call Home function, use the customer-id command in Call Home configuration submode. To disable this feature, use the no form of the command.
Syntax Description
Specifies the customer ID. The maximum length is 64 alphanumeric characters in free format. |
Defaults
Command Modes
Call Home configuration submode
Command History
Usage Guidelines
Examples
The following example shows how to configure the customer ID in the Call Home configuration submode:
Related Commands
|
|
---|---|
Sends a dummy test message to the configured destination(s). |
|