U Commands

The commands in this chapter apply to the Cisco MDS 9000 Family of multilayer directors and fabric switches. All commands are shown here in alphabetical order regardless of command mode. See “About the CLI Command Modes” section to determine the appropriate mode for each command.

undebug all

To disable all debugging, use the undebug all command.

undebug all

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

None.

 
Command Modes

EXEC mode.

 
Command History

Release
Modification

1.0(2)

This command was introduced.

 
Usage Guidelines

Use this command to turn off all debugging.

Examples

The following example shows how to disable all debugging on the switch:

switch# undebug all
 

 
Related Commands

Command
Description

no debug all

Also disables all debug commands configured on the switch.

show debug

Displays all debug commands configured on the switch.

update license

To update an existing license, use the update license command in EXEC mode.

update license { url | bootflash: | slot0: | volatile: } new_license_file old_license_ file

 
Syntax Description

update license

Updates an installed, expiring license.

url

Specifies the URL for the license file to be uninstalled.

bootflash:

Specifies the license file location in internal bootflash memory.

slot0:

Specifies the license file in the CompactFlash memory or PCMCIA card.

volatile:

Specifies the license file in the volatile file system.

new_license_file

Location or URL of the new license file.

old_license file

Location or URL of the old license file that needs to be updated.

 
Command Modes

EXEC mode.

 
Command History

Release
Modification

1.3(2)

This command was introduced.

Examples

The following example updates a specific license:

switch# update license bootflash:sanextn2.lic sanextn1.lic
Updating sanextn1.lic:
SERVER this_host ANY
VENDOR cisco
# An example fcports license
INCREMENT SAN_EXTN_OVER_IP cisco 1.000 permanent 1 HOSTID=VDH=ABCD \
NOTICE=<LicFileID>san_extn1.lic</LicFileID><LicLineID>0</LicLineID> \
SIGN=33088E76F668
 
with bootflash:/sanextn2.lic:
SERVER this_host ANY
VENDOR cisco
# An example fcports license
INCREMENT SAN_EXTN_OVER_IP cisco 1.000 permanent 1 HOSTID=VDH=ABCD \
NOTICE=<LicFileID>san_extn2.lic</LicFileID><LicLineID>1</LicLineID> \
SIGN=67CB2A8CCAC2
 
Do you want to continue? (y/n) y
Updating license..done
 

use-profile

To bind a profile to the FCIP interface, use the use-profile option. To disable a configured profile, use the no form of the option.

use-profile profile-id

no use-profile profile-id

 
Syntax Description

profile-id

Specifies the profile ID to be used. The range is 1 to 255.

 
Defaults

None.

 
Command Modes

Interface configuration submode.

 
Command History

Release
Modification

1.1(1)

This command was introduced.

 
Usage Guidelines

Access this command from the switch(config-if)# submode.

This command binds the profile with the FCIP interface.

Examples

The following example shows how to bind a profile to the FCIP interface:

 
switch# config terminal
switch(config)# interface fcip 50
switch(config-if)# use-profile 100
switch(config-if)# no use-profile 100

 
Related Commands

Command
Description

show fcip

Displays information about the FCIP profile.

show interface fcip

Displays an interface configuration for a specified FCIP interface.

user-certdn-match

To set the certificate matching, use the user-certdn-match command. To disable this feature, use the no form of the command.

user-certdn-match attribute-name attribute-name search-filter string base-DN string

no user-certdn-match attribute-name attribute-name search-filter string base-DN string

 
Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter

Specifies LDAP search filter. The maximum length is 128 characters.

string

Specifies search map search filter. The maximum length is 128 characters.

base-DN

Configure base DN to be used for search operation. The Maximum length is 63 characters.

string

Specifies search map base DN name. The Maximum length is 63 characters.

 
Defaults

None.

 
Command Modes

Configuration mode.

 
Command History

Release
Modification

NX-OS 5.0(1a)

This command was introduced.

 
Usage Guidelines

None.

Examples

The following example shows how to set the certificate matching:
switch(config)#ldap search-map s1
switch(config-ldap-search-map)# user-certdn-match attribute-name map1 search-filter map1 base-DN a
switch(config-ldap-search-map)#

 
Related Commands

Command
Description

show ldap-server groups

Displays the configured LDAP server groups.

userprofile

To set the userprifile, use the userprofile command. To disable this feature, use the no form of the command.

userprofile attribute-name attribute-name search-filter string base-DN string

no userprofile attribute-name attribute-name search-filter string base-DN string

 
Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter string

Specifies search map search filter. The maximum length is 128 characters.

base-DN string

Specifies search map base-DN name. The maximum length is 128 characters.

 
Defaults

None.

 
Command Modes

Configuration mode.

 
Command History

Release
Modification

6.2(1)

Added a note.

NX-OS 5.0(1a)

This command was introduced.

 
Usage Guidelines

None.

Examples

The following example shows how to set the pubkey matching :
switch(config)#ldap search-map s1
switch(config-ldap-search-map)# userprofile attribute-name map1 search-filter map1 base-DN a

 
Usage Guidelines

None.

note.gif

Noteblank.gif Mapping of the local role to LDAP user attribute can be configured on MDS/NEXUS switches running 6.2 or greater.


Examples

The following example shows how to set the CRLLookup:---add the output
switch(config)# ldap search-map map1
switch(config-ldap-search-map)# crllook attribute-name map1 search-filter map1 b
ase-DN DN1
GROUP_NAME: map1
CRL
ATTR_NAME: map1
SEARCH_FLTR: map1
BASE_DN: DN1
Sending the SET_REQ
switch(config-ldap-search-map)#
switch(config-ldap-search-map)#end

 
Related Commands

Command
Description

show crypto ssh-auth-map

displays mapping filters applied for SSH authentication.

 

user-pubkey-match

To set the user-pubkey matching, use the user-pubkey-match command. To disable this feature, use the no form of the command.

user-pubkey-match attribute-name attribute-name search-filter string base-DN string

no user-pubkey-match attribute-name attribute-name search-filter string base-DN string

 
Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter

Specifies LDAP search filter. The maximum length is 128 characters.

string

Specifies search map search filter. The maximum length is 128 characters.

base-DN

Configure base DN to be used for search operation. The Maximum length is 63 characters.

string

Specifies search map base DN name. The Maximum length is 63 characters.

 
Defaults

None.

 
Command Modes

Configuration mode.

 
Command History

Release
Modification

NX-OS 5.0(1a)

This command was introduced.

 
Usage Guidelines

None.

Examples

The following example shows how to set the pubkey matching :
switch(config)#ldap search-map s1
switch(config-ldap-search-map)# user-pubkey-match attribute-name map1 search-filter map1 base-DN a
switch(config-ldap-search-map)#

 
Related Commands

Command
Description

show ldap-server groups

Displays the configured LDAP server groups.

user-switch-bind

To set the user-switch-bind, use the user-switch-bind command. To disable this feature, use the no form of the command.

user-switch-bind attribute-name attribute-name search-filter string base-DN string

no user-switch-bind attribute-name attribute-name search-filter string base-DN string

 
Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter

Specifies LDAP search filter. The maximum length is 128 characters.

string

Specifies search map search filter. The maximum length is 128 characters.

base-DN

Configure base DN to be used for search operation. The Maximum length is 63 characters.

string

Specifies search map base DN name. The Maximum length is 63 characters.

 
Defaults

None.

 
Command Modes

Configuration mode.

 
Command History

Release
Modification

NX-OS 5.0(1a)

This command was introduced.

 
Usage Guidelines

None.

Examples

The following example shows how to set the pubkey matching :
switch(config)#ldap search-map s1
switch(config-ldap-search-map)# user-switch-bind attribute-name a search-filter a base-DN a
switch(config-ldap-search-map)#

 
Related Commands

Command
Description

show ldap-server groups

Displays the configured LDAP server groups.

username

To define a user, use the username command in configuration mode. To undo the configuration or revert to factory defaults. Use the no form of a command

username name [ expire date | Keypair {export uri {dsa | rsa} [force] | generate {dsa | rsa} [force] | import bootflash: uri | volatile: uri {dsa | rsa } [force] { iscsi | password [0 | 5 | 7 ] user-password [ expire date ] [role rolename] | priv-lvl privilege-level | role rolename | ssh-cert-dn distinguished-name {dsa | rsa} | sshkey { key-content | file filename }]

no username name [ expire date | Keypair export bootflash: uri | volatile: uri {dsa | rsa } [force] | generate {dsa | rsa } [force] | import bootflash: uri | volatile: uri {dsa | rsa }[force] iscsi | password [0 | 5 | 7 ] user-password [ expire date ] [role rolename] | | priv-lvl privilege-level | role rolename | ssh-cert-dn distinguished-name {dsa | rsa} | sshkey { key-content | file filename }]

 
Syntax Description

name

Specifies the name of the user. Maximum length is 32 characters.

expire date

(Optional) Specifies the date when this user account expires (in YYYY-MM-DD format).

Keypair

(Optional) Specifies SSH (Secure shell) user keys.

export uri

Exports keypairs to bootflash or remote directory.

dsa

Specifies DSA keys.

rsa

Specifies RSA keys.

force

(Optional) Specifies the generation of keys even if previous ones are present.

generate

Generates SSH key pairs.

import

Import keypair from bootflash or remote directory.

bootflash: uri

Specifies URI or alias of the bootflash or file system to export.

volatile: uri

Specifies URI or alias of the volatile or file system to import.

iscsi

(Optional) Identifies an iSCSI user.

password

(Optional) Configures a password for the user. The password is limited to 64 characters. The minimum length is 8 characters.

0

(Optional) Specifies a clear text password for the user.

5

(Optional) Specifies a strongly encrypted password for the user.

7

(Optional) Specifies an encrypted password for the user.

user-password

Enters the password. Maximum length is 32 characters.

role rolename

(Optional) Specifies the role name of the user. Maximum length is 32 characters.

priv-lvl privilege-level

(Optional) Specifies privilege level. The range is from 1 to 15 characters.

ssh-cert-dn distinguished-name

(Optional) Specifies the SSH X.509 certificate distinguished name. The maximum size is 512.

dsa

(Optional) Specifies the DSA algorithm.

rsa

(Optional) Specifies the RSA algorithm.

sshkey key_content

(Optional) Specifies the actual contents of the SSH public key in OPENSSH format.

file filename

(Optional) Specifies a file containing the SSH public key either in OPENSSH or IETF SECH or Public Key Certificate in PEM format.

 
Defaults

None.

 
Command Modes

Configuration mode.

 
Command History

Release
Modification

NX-OS 5.0(1a)

Added the keypair and Priv-lvl keyword to the syntax description.

1.0(2)

This command was introduced.

2.0(x)

  • Removed the update_snmpv3 option.
  • Added level 7 for passwords.

3.0(1)

Added the ssh-cert-dn, dsa, and rsa options.

 
Usage Guidelines

To change the SNMP password, a clear text CLI password is required. You must know the SNMPv3 password to change the password using the CLI.

The password specified in the username command is synchronized as the auth and priv passphrases for the SNMP user.

Deleting a user using either command results in the user being deleted for both SNMP and CLI.

User-role mapping changes are synchronized in SNMP and CLI.

The SSH X.509 certificate distinguished name (DN) is the distinguished name in the certificate. You need to extract the distinguished name from the certificate and specify the subject name as the argument to the username command.

The SSHkey is the public key that we use to authorize any remote machine to login to the switch without the need to enter the password. Basically its the passwordless authentication for the user who has that key. These keys are used by the SSH Server of the switch to authenticate a user.

The SSH keys will be used by the SSH client on the switch while doing an SSH/SCP to connect to the remote host from the switch. This keypair can be used to do a passwordless SSH/SCP from the switch to a remote server.

Examples

The following example shows how to configure the privilege level that the user need to assign:

switch(config)# username admin priv-lvl 13
switch(config)#

 

The following example shows how to generate SSH keys:

switch(config)# username admin keypair generate rsa force
generating rsa key(1024 bits).....
.generated rsa key
switch(config)#

 

The following example shows how to delete SSH keys:

switch(config)# no username admin keypair generate rsa force
generating rsa key(1024 bits).....
.generated rsa key
switch(config)#

 

The following example shows how to export a keypair to bootflash or to the volatile directory:

switch(config)# username admin keypair export bootflash:xyz rsa force
Enter Passphrase:
switchg(config)#

 

The user can configure the same set of SSH keypairs on different switches by copying the public and private keypair to that switch and importing them using the following commands.

The following example shows how to import keypair from bootflash or volatile directory:

switch(config)# username admin keypair import bootflash:xyz rsa force
Enter Passphrase:
switchg(config)#
 

The following example shows how to define a user:

switch(config)# username knuckles password testpw role bodega
switch(config)# do show user-account
user:admin
this user account has no expiry date
roles:network-admin
user:knuckles
this user account has no expiry date
roles:bodega
 

The following example configures the name for a user to log in using iSCSI authentication:

switch(config)# username iscsi
 

The following example places you in the mode for the specified role (techdocs). The prompt indicates that you are now in the role configuration submode. This submode is now specific to the techdocs group.

switch(config)# username role name techdocs
switch(config-role)#
 

The following example deletes the role called techdocs:

switch(config)# no username role name techdocs
 

The following example assigns a description to the new role. The description is limited to one line and can contain spaces:

switch(config-role)# description Entire Tech. Docs. group
 

The following example resets the description for the Tech. Docs. group:

switch(config-role)# no description
 

The following example creates or updates the user account (usam) along with a password (abcd) that is set to expire on 2009-05-31:

switch(config)# username usam password abcd expire 2009-05-31
 

The following example creates or updates the user account (msam) along with a password (abcd) specified in clear text (indicated by 0):

switch(config)# username msam password 0 abcd role network-operator
 

The following example specifies an encrypted (specified by 5) password (!@*asdsfsdfjh!@df) for the user account (user1):

switch(config)# username user1 password 5!@*asdsfsdfjh!@df
 

The following example adds the specified user (usam) to the network-admin role:

switch(config)# username usam role network-admin
 

The following example deletes the specified user (usam) from the vsan-admin role:

switch(config)# no username usam role vsan-admin
 

The following example shows how to define a distinguished name on a switch for SSH certificate authentication:

switch# config t
switch(config)# username knuckles ssh-cert-dn /CN=excal-1.cisco.com rsa
switch(config)# do show user-account
user:admin
this user account has no expiry date
roles:network-admin
user:knuckles
this user account has no expiry date
roles:network-operator
ssh cert DN : /CN=excal-1.cisco.com; Algo: x509v3-sign-rsa

 

The following example specifies the SSH X.509 certificate distinguished name and DSA algorithm for an existing user account (usam):

switch(config)# username usam ssh-cert-dn usam-dn dsa
 

The following example specifies the SSH X.509 certificate distinguished name and RSA algorithm for an existing user account:

switch(config)# username user1 ssh-cert-dn user1-dn rsa
 

The following example deletes the SSH X.509 certificate distinguished name for the user account:

switch(config)# no username admin ssh-cert-dnadmin-dn dsa
 

The following example identifies the contents of the SSH key for the specified user (usam):

switch(config)# username usam sshkey fsafsd2344234234ffgsdfg
 

The following example deletes the SSH key content identification for the user (usam):

switch(config)# no username usam sshkey fsafsd2344234234ffgsdfgffsdfsfsfssf
 

The following example updates the SNMPv3 password for the specified user (joe). The local CLI password and the SNMP password are updated. If user Joe does not exist, the command fails:

switch(config)# username joe password wxyz6789 update-snmpv3 abcd1234
 

 
Related Commands

Command
Description

role

Configures user roles.

show username

Displays username information.

 
 

username (iSCSI initiator configuration and iSLB initiator configuration)

To assign a username for iSCSI login authentication, use the username command in iSCSI initiator configuration submode. To assign a username for iSLB login authentication, use the username command in iSLB initiator configuration submode. To disable this feature, use the no form of the command.

username username

no username username

 
Syntax Description

username

Specifies the username for iSCSI or iSLB login authentication.

 
Defaults

None.

 
Command Modes

iSCSI initiator configuration submode.
iSLB initiator configuration submode.

 
Command History

Release
Modification

1.3(2)

This command was introduced.

3.0(1)

Added iSLB initiator configuration submode.

 
Usage Guidelines

None.

Examples

The following example assigns the username for iSCSI login authentication of an iSCSI initiator:

switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# iscsi initiator name iqn.1987-02.com.cisco.initiator
switch(config-iscsi-init)# username iSCSIloginUsername
switch(config-iscsi-init)#
 

The following example assigns the username tester for iSLB login authentication of an iSLB initiator:

switch# config t
switch(config)# islb initiator ip-address 100.10.10.10

switch (config-iscsi-islb-init)# username ?

<WORD> Enter username <Max Size - 32>

switch (config-iscsi-islb-init)# username tester

 

The following example removes the username tester for an iSLB initiator:

switch (config-iscsi-islb-init)# no username tester
 

 
Related Commands

Command
Description

iscsi initiator name

Assigns an iSCSI name and changes to iSCSI initiator configuration submode.

islb initiator

Assigns an iSLB name and IP address to the iSLB initiator and enters iSLB initiator configuration submode.

show iscsi initiator

Displays information about a configured iSCSI initiator.

show iscsi initiator configured

Displays iSCSI initiator information for the configured iSCSI initiator.

show iscsi initiator detail

Displays detailed iSCSI initiator information.

show iscsi initiator summary

Displays iSCSI initiator summary information.

show islb initiator

Displays iSLB initiator information.

show islb initiator configured

Displays iSLB initiator information for the configured iSLB initiator.

show islb initiator detail

Displays detailed iSLB initiator information.

show islb initiator summary

Displays iSLB initiator summary information.

userprofile

To set the userprifile, use the userprofile command. To disable this feature, use the no form of the command.

userprofile attribute-name attribute-name search-filter string base-DN string

no userprofile attribute-name attribute-name search-filter string base-DN string

 
Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter string

Specifies search map search filter. The maximum length is 128 characters.

base-DN string

Specifies search map base-DN name. The maximum length is 128 characters.

 
Defaults

None.

 
Command Modes

Configuration mode.

 
Command History

Release
Modification

NX-OS 5.0(1a)

This command was introduced.

 
Usage Guidelines

None.

Examples

The following example shows how to set the pubkey matching :
switch(config)#ldap search-map s1
switch(config-ldap-search-map)# userprofile attribute-name map1 search-filter map1 base-DN a

 
Usage Guidelines

None.

Examples

The following example shows how to set the CRLLookup:---add the output
switch(config)# ldap search-map map1
switch(config-ldap-search-map)# crllook attribute-name map1 search-filter map1 b
ase-DN DN1
GROUP_NAME: map1
CRL
ATTR_NAME: map1
SEARCH_FLTR: map1
BASE_DN: DN1
Sending the SET_REQ
switch(config-ldap-search-map)#
switch(config-ldap-search-map)#end

 

Command
Description

show crypto ssh-auth-map

displays mapping filters applied for SSH authentication.