Friday, September 1, 2017

Cisco Nexus Switch Basic CLI Commands

I recently visited Perth, Western Australia for a core switch upgrade project, and it was cold and rainy during my stay there. After my project was done, I went to the Bell Tower (or Swan Bells), which is near the Swan River. Twelve of the bells (there's a total of eighteen) were donated by St Martin-in-the-Fields church in Trafalgar Square, London, and they have been traced back to before the 14th century. I also took a tour of the Perth Mint, which has the world's biggest gold coin, the Australian Kangaroo One Tonne Gold Coin, and I was able to watch a live gold pour held inside the museum.




I've downloaded the free Cisco Nexus Simulator and posted the basic functions. The simulator has limited support for most Nexus features such as TACACS+, SNMPv3, etc., so I've used Nexus Titanium in VirtualBox/GNS3 instead. The Nexus 7K series switch CLI command reference can be found on this link. The Nexus OS (NX-OS) CLI syntax has similarities with the Catalyst IOS switch (i.e. hostname, ACL, etc.), but here are some differences. Below are some "hardening" commands I've used on our Nexus switches.


NX-OS# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_serie
s_home.html
Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
  loader:    version N/A
  kickstart: version 5.1(2) [gdb]
  system:    version 5.1(2) [gdb]
  kickstart image file is: bootflash:/titanium-d1-kickstart.5.1.2.gbin
  kickstart compile time:  12/25/2020 12:00:00 [12/18/2010 09:53:29]
  system image file is:    bootflash:/titanium-d1.5.1.2.gbin
  system compile time:     11/29/2010 12:00:00 [12/18/2010 11:47:03]

Hardware
  cisco Unknown MDS Chassis ("Unknown Module")
  Intel(R) Xeon(R) CPU         with 2066696 kB of memory.
  Processor Board ID T0027265940

  Device name: NX-OS
  bootflash:          0 kB
Kernel uptime is 0 day(s), 0 hour(s), 37 minute(s), 21 second(s)

plugin
  Core Plugin, Ethernet Plugin




You assign a user role (RBAC) when configuring a local admin account on a Nexus OS (NX-OS) switch. You can't delete the admin user account; you can only change its password.

NX-OS# show run | inc username
username adminbackup password 5 !  role network-operator
username admin password 5 $1$ek7G4QLQ$YqLUwOCmeIaQFjFRPaznZ0  role network-admin
username all password 5 !!  role network-operator
NX-OS#
NX-OS# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NX-OS(config)# username new-admin ?
  <CR>        
  expire       Expiry date for this user account(in YYYY-MM-DD format)
  keypair      Generate SSH User Keys
  password     Password for the user
  role         Role which the user is to be assigned to
  ssh-cert-dn  Update cert dn
  sshkey       Update ssh key for the user for ssh authentication

NX-OS(config)# username new-admin password ?
  0     Indicates that the password that follows should be in clear text
  5     Indicates that the password that follows should be encrypted
  WORD  Password for the user (clear text) (Max Size 64)

NX-OS(config)# username new-admin password cisco ?
  <CR>   
  expire  Expiry date for this user account(in YYYY-MM-DD format)
  role    Role which the user is to be assigned to

NX-OS(config)# username new-admin password cisco role ?
  network-admin     System configured role
  network-operator  System configured role
  priv-0            Privilege role
  priv-1            Privilege role
  priv-10           Privilege role
  priv-11           Privilege role
  priv-12           Privilege role
  priv-13           Privilege role
  priv-14           Privilege role
  priv-15           Privilege role
  priv-2            Privilege role
  priv-3            Privilege role
  priv-4            Privilege role
  priv-5            Privilege role
  priv-6            Privilege role
  priv-7            Privilege role
  priv-8            Privilege role
  priv-9            Privilege role
  vdc-admin         System configured role
  vdc-operator      System configured role

NX-OS(config)# username new-admin password cisco role network-admin
NX-OS(config)# username admin password cisco role network-admin    
NX-OS(config)# no username admin     // CAN'T DELETE admin; CAN ONLY CHANGE ITS PW
cannot delete user admin


You can enable or disable a feature on a Nexus switch. Issue show feature to list all supported features. To configure an enable secret on a Nexus switch, you first "enable" the privilege feature (feature privilege); the enable command only appears in global config once that feature is on.

NX-OS# show feature
Feature Name          Instance  State  
--------------------  --------  --------
amt                   1         disabled
bfd                   1         disabled
bfd_app               1         disabled
bgp                   1         disabled
cts                   1         disabled
dhcp                  1         disabled
dot1x                 1         disabled
eigrp                 1         disabled
eigrp                 2         disabled
eigrp                 3         disabled
eigrp                 4         disabled
eou                   1         disabled
eth_port_sec          1         disabled
fex                   1         disabled
fipsm                 1         disabled
glbp                  1         disabled
hsrp_engine           1         enabled
interface-vlan        1         disabled
isis                  1         disabled
isis                  2         disabled
isis                  3         disabled
isis                  4         disabled
ldap                  1         disabled
lisp                  1         disabled
msdp                  1         disabled
netflow               1         disabled
ospf                  1         enabled (not-running)
ospf                  2         enabled (not-running)
ospf                  3         enabled (not-running)
ospf                  4         enabled (not-running)
ospfv3                1         disabled
ospfv3                2         disabled
ospfv3                3         disabled
ospfv3                4         disabled
otv                   1         disabled
pbr                   1         disabled
pim                   1         disabled
pim6                  1         disabled
private-vlan          1         disabled
privilege             1         disabled
rip                   1         disabled
rip                   2         disabled
rip                   3         disabled
rip                   4         disabled
scheduler             1         disabled
scpServer             1         disabled
sftpServer            1         disabled
sshServer             1         enabled
tacacs                1         disabled
telnetServer          1         enabled
tunnel                1         disabled
udld                  1         disabled
vpc                   1         disabled
vrrp                  1         disabled
vtp                   1         enabled
wccp                  1         disabled
NX-OS#
NX-OS# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NX-OS(config)# enable ?
                            ^
% Invalid parameter detected at '^' marker.
NX-OS(config)# feature ?
  bfd             Bfd
  bgp             Enable/Disable Border Gateway Protocol (BGP)
  cts             Enable/Disable CTS
  dhcp            Enable/Disable DHCP Snooping
  dot1x           Enable/Disable dot1x
  eigrp           Enable/Disable Enhanced Interior Gateway Routing Protocol
                  (EIGRP)
  eou             Enable/Disables feature l2nac(eou)
  fip-snooping    Enable/Disable fip-snooping(FCoE Initializtion Protocol)
  glbp            Enable/Disable Gateway Load Balancing Protocol (GLBP)
  hsrp            Enable/Disable Hot Standby Router Protocol (HSRP)
  interface-vlan  Enable/Disable interface vlan
  isis            Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
  lacp            Enable/Disable LACP
  ldap            Enable/Disable ldap
  lldp            Enable/Disable LLDP
  msdp            Enable/Disable Multicast Source Discovery Protocol (MSDP)
  netflow         Enable/Disable NetFlow
  ospf            Enable/Disable Open Shortest Path First Protocol (OSPF)
  ospfv3          Enable/Disable Open Shortest Path First Version 3 Protocol
                  (OSPFv3)
  otv             Enable/Disable Overlay Transport Virtualization (OTV)
  pbr             Enable/Disable Policy Based Routing(PBR)
  pim             Enable/Disable Protocol Independent Multicast (PIM)
  pim6            Enable/Disable Protocol Independent Multicast (PIM) for IPv6
  port-security   Enable/Disable port-security
  private-vlan    Enable/Disable private-vlan
  privilege       Enable/Disable IOS type privilege level support
  rip             Enable/Disable Routing Information Protocol (RIP)
  scheduler       Enable/Disable scheduler
  scp-server      Enable/Disable SCP server
  sftp-server     Enable/Disable SFTP server
  ssh             Enable/Disable ssh
  tacacs+         Enable/Disable tacacs+
  telnet          Enable/Disable telnet
  tunnel          Enable/Disable Tunnel Manager
  udld            Enable/Disable UDLD
  vpc             Enable/Disable VPC (Virtual Port Channel)
  vrrp            Enable/Disable Virtual Router Redundancy Protocol (VRRP)
  vtp             Enable/Disable VTP
  wccp            Enable/Disable Web Cache Communication Protocol (WCCP)

NX-OS(config)# feature privilege
NX-OS(config)# ?
  aaa                  Configure aaa functions
  access-list          Configure access control list parameters
  acllog               Configure ACL logging
  arp                  ARP access-list configuration commands
  banner               Configure banner message
  boot                 Configure boot variables
  callhome             Enter the callhome configuration mode
  cdp                  Configure CDP parameters
  cfs                  CFS configuration commands
  class-map            Configure a class map
  cli                  Configure CLI commands
  clock                Manage the system clock
  control-plane        Enter to control-plane sub-mode
  copp                 Control-plane config
  crypto               Set crypto settings
  cts                  Config commands for CTS
  default              Rollback to default configuration
  enable               Create secret for privilege escalation
  errdisable           Error disable
  event                Event Manager commands
  fabricpath           Fabricpath configuration
  feature              Command to enable/disable features
  feature-set          Enable feature-set
  fips                 Enable/Disable FIPS mode
  hardware             Hardware Internal Information
  hostname             Configure system's host name
  hsrp                 HSRP interface configuration commands
  install              Install a feature-set
  interface            Configure interfaces
  ip                   Configure IP features
  ipv4                 Configure IP features
  ipv6                 Configure IPv6 features
  key                  Key Management
  l2                   Layer2
  l2protocol           Layer 2 Protocol
  l3vm                 Debug L3VM information
  license              Modify license features
  line                 Configure a terminal line
  logging              Modify message logging facilities
  m2rib                Configure m2rib
  mac                  MAC configuration commands
  mac-list             Build a mac list
  no                   Negate a command or set its defaults
  ntp                  NTP Configuration
  object-group         Configure ACL object groups
  password             Password for the user
  policy-map           Configure a policy map
  port-channel         Configure port channel parameters
  port-profile         Configure a port-profile
  power                Configure power supply
  poweroff             Power off a module in the switch
  promiscuous-mode     Turn ON promiscuous mode for all the interfaces
  qos                  QoS Global Commands
  radius               Configure RADIUS configuration
  radius-server        Configure RADIUS related parameters
  rate-limit           Set packet per second rate limit
  resequence           Resequence a list with sequence numbers
  rmon                 Remote Monitoring
  role                 Configure roles
  route-map            Create route-map or enter route-map command mode
  router               Enable a routing process
  snmp-server          Configure snmp server
  software-forwarding  Software forwarding
  spanning-tree        Spanning Tree Subsystem
  ssh                  SSH to another system
  switchname           Configure system's host name
  system               System configuration commands
  table-map            Configure a table map
  terminal             Configure terminal settings
  this                 Shows info about current object (mode's instance)
  time-range           Define time range entries
  track                Object tracking configuration commands
  username             Configure user information.
  vdc                  Manage Virtual Device Context
  vlan                 Vlan commands
  vrf                  Configure VRF parameters
  vtp                  Configure global VTP state
  xml                  Xml agent
  end                  Go to exec mode
  exit                 Exit from command interpreter
  pop                  Pop mode from stack or restore from name
  push                 Push current mode to stack or save it under name
  where                Shows the cli context you are in

NX-OS(config)# enable ?
  secret  Create secret for privilege escalation (defaults to highest priv-lvl 14/15)

NX-OS(config)# enable secret ?
  0     Indicates that the secret that follows should be in clear text
  5     Indicates that the secret that follows should be encrypted
  WORD  Secret for user privilege escalation (clear text) (Max Size 64)

NX-OS(config)# enable secret cisco



Type q to "quit" displaying the output. You can issue show commands from global config mode without do at the beginning. SSH (sshServer) is enabled by default on a Nexus switch, while Telnet is disabled by default. If SSH was disabled, you can re-enable it by issuing feature ssh in global config.

NX-OS(config)#  show feature | inc ssh
sshServer             1         enabled

NX-OS# show ssh ?
  key     Show ssh keys
  names   Name of pre-established master ssh connections
  server  Show whether ssh server is enabled or not

NX-OS# show ssh server    
ssh version 2 is enabled
NX-OS(config)# feature ?
  bfd             Bfd
  bgp             Enable/Disable Border Gateway Protocol (BGP)
  cts             Enable/Disable CTS
  dhcp            Enable/Disable DHCP Snooping
  dot1x           Enable/Disable dot1x
  eigrp           Enable/Disable Enhanced Interior Gateway Routing Protocol
                  (EIGRP)
  eou             Enable/Disables feature l2nac(eou)
  fip-snooping    Enable/Disable fip-snooping(FCoE Initializtion Protocol)
  glbp            Enable/Disable Gateway Load Balancing Protocol (GLBP)
  hsrp            Enable/Disable Hot Standby Router Protocol (HSRP)
  interface-vlan  Enable/Disable interface vlan
  isis            Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
  lacp            Enable/Disable LACP
  ldap            Enable/Disable ldap
  lldp            Enable/Disable LLDP
  msdp            Enable/Disable Multicast Source Discovery Protocol (MSDP)
  netflow         Enable/Disable NetFlow
  ospf            Enable/Disable Open Shortest Path First Protocol (OSPF)
  ospfv3          Enable/Disable Open Shortest Path First Version 3 Protocol
                  (OSPFv3)
  otv             Enable/Disable Overlay Transport Virtualization (OTV)
  pbr             Enable/Disable Policy Based Routing(PBR)
  pim             Enable/Disable Protocol Independent Multicast (PIM)
  pim6            Enable/Disable Protocol Independent Multicast (PIM) for IPv6
  port-security   Enable/Disable port-security
  private-vlan    Enable/Disable private-vlan
  privilege       Enable/Disable IOS type privilege level support
  rip             Enable/Disable Routing Information Protocol (RIP)
  scheduler       Enable/Disable scheduler
  scp-server      Enable/Disable SCP server
  sftp-server     Enable/Disable SFTP server
  ssh             Enable/Disable ssh
  tacacs+         Enable/Disable tacacs+
  telnet          Enable/Disable telnet
  tunnel          Enable/Disable Tunnel Manager
  udld            Enable/Disable UDLD
  vpc             Enable/Disable VPC (Virtual Port Channel)
  vrrp            Enable/Disable Virtual Router Redundancy Protocol (VRRP)
  vtp             Enable/Disable VTP
  wccp            Enable/Disable Web Cache Communication Protocol (WCCP)

NX-OS(config)# feature ssh

NX-OS(config)# show feature | inc telnet
telnetServer          1         enabled
NX-OS(config)# no feature telnet         // DISABLE TELNET (DISABLED BY DEFAULT)
NX-OS(config)# show feature | inc telnet
telnetServer          1         disabled




The Nexus switch uses a 1024-bit RSA key by default. To generate a stronger RSA modulus, issue ssh key rsa 2048 in global config; if a key already exists, the force keyword is required to overwrite it.

NX-OS# show ssh key ?
  <CR>  
  >      Redirect it to a file
  >>     Redirect it to a file in append mode
  dsa    Show dsa ssh keys
  rsa    Show rsa ssh keys
  |      Pipe command output to filter

NX-OS# show ssh key rsa
**************************************
rsa Keys generated:Fri Jan  7 00:55:31 2011

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDlALbWtWUIpeG9bQ9+I2sj6j/zvaRcM8BTzBt8z35d
OAe5RvzuuvuUcDec0hi1ILjIPCNKLvCS/n145oSGMW+y7bA6k7DhyFJgriwMF9RpdCSTWrBwG+VvY3HL
Mas630XP9eeY8pkqSPWw3dXpnn5Wje5LkwH/0XCBAt34uqZMKQ==

bitcount:1024  
fingerprint:
1d:b1:33:e7:e3:6d:54:2c:10:31:df:46:98:a6:78:1c
**************************************

NX-OS(config)# ssh ?
  key             Generate SSH Key
  login-attempts  Set maximum login attempts from ssh

NX-OS(config)# ssh key ?
  dsa  Generate DSA keys
  rsa  Generate RSA keys

NX-OS(config)# ssh key rsa ?
  <CR>        
  <1024-2048>  Enter number of bits (in multiples of 8)

NX-OS(config)# ssh key rsa 2048
rsa keys already present, use force option to overwrite them
NX-OS(config)# ssh key rsa 2048 ?
  <CR>  
  force  Force the generation of keys even if previous ones are present

NX-OS(config)# ssh key rsa 2048 force     // GENERATE A 2048 RSA KEY
deleting old rsa key.....



TACACS+ is disabled by default. Issue feature tacacs+ in global configuration mode in order to enable it.


NX-OS(config)# show feature | inc tacacs
tacacs                1         disabled
NX-OS(config)# feature ?
  bfd             Bfd
  bgp             Enable/Disable Border Gateway Protocol (BGP)
  cts             Enable/Disable CTS
  dhcp            Enable/Disable DHCP Snooping
  dot1x           Enable/Disable dot1x
  eigrp           Enable/Disable Enhanced Interior Gateway Routing Protocol
                  (EIGRP)
  eou             Enable/Disables feature l2nac(eou)
  fip-snooping    Enable/Disable fip-snooping(FCoE Initializtion Protocol)
  glbp            Enable/Disable Gateway Load Balancing Protocol (GLBP)
  hsrp            Enable/Disable Hot Standby Router Protocol (HSRP)
  interface-vlan  Enable/Disable interface vlan
  isis            Enable/Disable IS-IS Unicast Routing Protocol (IS-IS)
  lacp            Enable/Disable LACP
  ldap            Enable/Disable ldap
  lldp            Enable/Disable LLDP
  msdp            Enable/Disable Multicast Source Discovery Protocol (MSDP)
  netflow         Enable/Disable NetFlow
  ospf            Enable/Disable Open Shortest Path First Protocol (OSPF)
  ospfv3          Enable/Disable Open Shortest Path First Version 3 Protocol
                  (OSPFv3)
  otv             Enable/Disable Overlay Transport Virtualization (OTV)
  pbr             Enable/Disable Policy Based Routing(PBR)
  pim             Enable/Disable Protocol Independent Multicast (PIM)
  pim6            Enable/Disable Protocol Independent Multicast (PIM) for IPv6
  port-security   Enable/Disable port-security
  private-vlan    Enable/Disable private-vlan
  privilege       Enable/Disable IOS type privilege level support
  rip             Enable/Disable Routing Information Protocol (RIP)
  scheduler       Enable/Disable scheduler
  scp-server      Enable/Disable SCP server
  sftp-server     Enable/Disable SFTP server
  ssh             Enable/Disable ssh
  tacacs+         Enable/Disable tacacs+
  telnet          Enable/Disable telnet
  tunnel          Enable/Disable Tunnel Manager
  udld            Enable/Disable UDLD
  vpc             Enable/Disable VPC (Virtual Port Channel)
  vrrp            Enable/Disable Virtual Router Redundancy Protocol (VRRP)
  vtp             Enable/Disable VTP
  wccp            Enable/Disable Web Cache Communication Protocol (WCCP)

NX-OS(config)# feature tacacs+


To configure the TACACS+ server and its shared key, issue tacacs-server host <HOST> key <KEY> in global config.

NX-OS(config)# tacacs-server ?
  deadtime          Duration for which non-reachable server is skipped
  directed-request  Enable direct authentication requests to server
  host              TACACS+ server's DNS name or its IP address
  key               Global TACACS+ server shared secret
  test              Parameters to send test packets
  timeout           Global TACACS+ server timeout period in seconds

NX-OS(config)# tacacs-server host ?
  A.B.C.D|A:B::C:D|WORD  IPV4/IPV6 address or DNS name

NX-OS(config)# tacacs-server host 192.168.1.100 ?
  <CR>   
  key      TACACS+ shared secret
  port     TACACS+ server port
  test     Parameters to send test packets
  timeout  TACACS+ server timeout period in seconds

NX-OS(config)# tacacs-server host 192.168.1.100 key ?
  0     TACACS+ shared secret(clear text)
  7     TACACS+ shared secret(encrypted)
  WORD  TACACS+ shared secret(clear text) (Max Size 63)

NX-OS(config)# tacacs-server host 192.168.1.100 key cisco


The ACL syntax on the Nexus switch is identical to that of a traditional IOS switch. Nexus only supports named IP ACLs and accepts the /nn prefix notation for the subnet mask.

NX-OS(config)# access-list ?
  cleanup-unused-policies  Enable implicit cleanup of ACL policies on shutdown
                           ports

NX-OS(config)# ip access-list ?
  WORD                             List name (Max Size 64)
  match-local-traffic (no abbrev)  Enable access-list matching for locally
                                   generated traffic

NX-OS(config)# ip access-list VTY-ACL
NX-OS(config-acl)# ?
  <1-4294967295>  Sequence number
  deny            Specify packets to reject
  fragments       Optimize fragments rule installation
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
  statistics      Enable per-entry statistics for the ACL
  this            Shows info about current object (mode's instance)
  end             Go to exec mode
  exit            Exit from command interpreter
  pop             Pop mode from stack or restore from name
  push            Push current mode to stack or save it under name
  where           Shows the cli context you are in

NX-OS(config-acl)# permit ?
  <0-255>  A protocol number
  ahp      Authentication header protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation security payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Group Management Protocol
  ip       Any IP protocol
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload compression protocol
  pim      Protocol independent multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

NX-OS(config-acl)# permit ip ?
  A.B.C.D      Source network address
  A.B.C.D/LEN  Source network prefix
  addrgroup    Source address group
  any          Any source address
  host         A single source host

NX-OS(config-acl)# permit ip host ?
  A.B.C.D  Source address

NX-OS(config-acl)# permit ip host 192.168.1.50 ?
  A.B.C.D      Destination network address
  A.B.C.D/LEN  Destination network prefix
  addrgroup    Destination address group
  any          Any destination address
  host         A single destination host

NX-OS(config-acl)# permit ip host 192.168.1.50 any
NX-OS(config-acl)# permit ip 10.1.100.0/24 any


There are no VTY line numbers on a Nexus switch. It still uses the access-class command to allow specific IPs on the VTY lines.



NX-OS(config)# line vty ?
  <CR> 

NX-OS(config)# line vty
NX-OS(config-line)# ?
  absolute-timeout  Configure absolute timeout
  access-class      Specify IPv4 access control for packets
  exec-timeout      Configure exec timeout
  ip                Configure IP features
  ipv6              Configure IPv6 features
  logout-warning    Configure logout warning
  no                Negate a command or set its defaults
  session-limit     Set the max no of concurrent vsh sessions
  this              Shows info about current object (mode's instance)
  end               Go to exec mode
  exit              Exit from command interpreter
  pop               Pop mode from stack or restore from name
  push              Push current mode to stack or save it under name
  where             Shows the cli context you are in

NX-OS(config-line)# access-class ?
  WORD  List name (Max Size 64)

NX-OS(config-line)# access-class VTY-ACL ?
  in   Inbound packets
  out  Outbound packets

NX-OS(config-line)# access-class VTY-ACL in



There's only the banner motd option on a Nexus switch.

NX-OS(config)# banner ?
  motd  Configure banner motd message

NX-OS(config)# banner motd ?
  LINE  Delimiter char (Very first char is delimiter char) followed by message
        ending with delimiter

NX-OS(config)# banner motd $
Enter TEXT message. End with the character '$'.
> *** CISCO NEXUS LAB ***
> $
Can't send notification for banner change to other services.
Banner change may not be effective at other places.
NX-OS(config)#
NX-OS(config)# show run | beg banner
banner motd $
*** CISCO NEXUS LAB ***
$

<OUTPUT TRUNCATED>



Below is the minimum SNMP version 3 configuration that I've used and that worked with SolarWinds NPM. You can't use or bind an ACL to an SNMPv3 user, but it's still supported for SNMP version 2 (v2c) community strings.

NX-OS(config)# snmp-server ?
  aaa-user           Set duration for which aaa-cached snmp user exists
  community          Set community string and access privs
  contact            Modify sysContact
  context            SNMP context to be mapped
  counter            Configure port counter configuration
  enable             Enable SNMP Traps
  globalEnforcePriv  Globally enforce privacy for all the users
  host               Specify hosts to receive SNMP notifications
  location           Modify sysLocation
  mib                Mib access parameters
  protocol           Snmp protocol operations
  source-interface   Source interface to be used for sending out SNMP
                     notifications
  system-shutdown    Configure snmp-server for reload(2)
  tcp-session        Enable one time authentication for snmp over tcp session.
  user               Define a user who can access the SNMP engine

NX-OS(config)# snmp-server user ?
  WORD  Name of the user (Max Size 28)

NX-OS(config)# snmp-server user admin ?
  <CR>  
  WORD   Group name (ignored for notif target user) (Max Size 28)
  auth   Authentication parameters for the user

NX-OS(config)# snmp-server user admin auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication

NX-OS(config)# snmp-server user admin auth md5 ?
  WORD  Authentication password for user (Max Size 130)

NX-OS(config)# snmp-server user admin auth md5 cisco
user password must be atleast 8 characters
NX-OS(config)# snmp-server user admin auth md5 cisco123    // MINIMUM SNMP CONFIG FOR SNMPv3, NO ACL OPTION AVAILABLE

NX-OS(config)# snmp-server user admin auth md5 cisco123 ?
  <CR>         
  engineID      EngineID for configuring notif target user (for V3 informs)
  localizedkey  Specifies whether the passwords are in localized key format
  priv          Encryption parameters for the user


NX-OS(config)# snmp-server community ?
  WORD  SNMP community string (Max Size 32)

NX-OS(config)# snmp-server community cisco ?
  <CR>    
  group    Group to which the community belongs
  ro       Read-only access with this community string
  rw       Read-write access with this community string
  use-acl  Acl name to filter snmp requests

NX-OS(config)# snmp-server community cisco use-acl ?    // SNMPv2c CAN USE ACL
  WORD  Acl name to filter snmp requests (Max Size 32)
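
The hardening steps above (Telnet off, SSH on, a 2048-bit RSA host key, TACACS+, an enable secret, an access-class on line vty, and use-acl on SNMPv2c communities) can be checked offline against saved show output. The script below is an added example, not code from the original post or from Cisco; the sample output strings are constructed to mimic the snippets above, and the check names are my own.

```python
import re

# Constructed sample output modelled on the snippets in this post (not a real capture).
SAMPLE_SHOW_FEATURE = """\
Feature Name          Instance  State
--------------------  --------  --------
privilege             1         enabled
sshServer             1         enabled
tacacs                1         disabled
telnetServer          1         enabled
"""

SAMPLE_SHOW_SSH_KEY_RSA = """\
rsa Keys generated:Fri Jan  7 00:55:31 2011
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...CONSTRUCTED...
bitcount:1024
fingerprint:
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
"""

SAMPLE_SHOW_RUN = """\
username admin password 5 $1$CONSTRUCTED$hash  role network-admin
snmp-server user admin auth md5 0xCONSTRUCTED localizedkey
snmp-server community public group network-operator
snmp-server community cisco group network-operator
snmp-server community cisco use-acl SNMP-ACL
ip access-list VTY-ACL
  10 permit ip host 192.168.1.50 any
line vty
  exec-timeout 10
"""


def parse_show_feature(text):
    """Map feature name -> 'enabled'/'disabled' from 'show feature' output."""
    rows = (re.match(r"^(\S+)\s+\d+\s+(enabled|disabled)", line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}


def rsa_bitcount(text):
    """Return the 'bitcount:' value from 'show ssh key rsa', or None if no key is shown."""
    m = re.search(r"bitcount:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_sections(show_run):
    """Split a running-config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for raw in show_run.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_nxos(show_run, show_feature, show_ssh_key_rsa, min_rsa_bits=2048):
    """Return [(check_id, message)] for settings that fail the hardening steps in the post."""
    findings = []
    feat = parse_show_feature(show_feature)
    if feat.get("telnetServer") == "enabled":
        findings.append(("telnet-enabled", "telnetServer enabled; fix: 'no feature telnet'"))
    if feat.get("sshServer") != "enabled":
        findings.append(("ssh-disabled", "sshServer not enabled; fix: 'feature ssh'"))
    if feat.get("tacacs") != "enabled":
        findings.append(("tacacs-disabled", "tacacs not enabled; fix: 'feature tacacs+' + 'tacacs-server host'"))
    bits = rsa_bitcount(show_ssh_key_rsa)
    if bits is None or bits < min_rsa_bits:
        findings.append(("rsa-weak", f"SSH RSA host key is {bits} bits; fix: 'ssh key rsa {min_rsa_bits} force'"))
    sections = parse_sections(show_run)
    top = list(sections)
    # 'feature privilege' is on but no enable secret was ever set
    if feat.get("privilege") == "enabled" and not any(e.startswith("enable secret") for e in top):
        findings.append(("enable-secret-missing", "feature privilege is on but 'enable secret' is not set"))
    # SNMPv2c communities should carry 'use-acl'; SNMPv3 users without 'priv' are auth-only (no encryption)
    communities, acl_bound = set(), set()
    for entry in top:
        m = re.match(r"snmp-server community (\S+)(.*)", entry)
        if m:
            communities.add(m.group(1))
            if "use-acl" in m.group(2):
                acl_bound.add(m.group(1))
        m = re.match(r"snmp-server user (\S+) (.*)", entry)
        if m and "auth" in m.group(2) and " priv " not in m.group(2):
            findings.append(("snmpv3-no-priv", f"SNMPv3 user '{m.group(1)}' has no priv; add 'priv' parameters"))
    for c in sorted(communities - acl_bound):
        findings.append(("snmp-community-no-acl", f"SNMPv2c community '{c}' has no use-acl"))
    # VTY access: 'line vty' needs 'access-class <ACL> in' and that ACL must be defined
    acls = {e.split()[2] for e in top if e.startswith("ip access-list ")}
    vty = sections.get("line vty", [])
    m = next((re.match(r"access-class (\S+) in", e) for e in vty if e.startswith("access-class ")), None)
    if m is None:
        findings.append(("vty-no-acl", "line vty has no 'access-class <ACL> in'"))
    elif m.group(1) not in acls:
        findings.append(("vty-acl-undefined", f"access-class {m.group(1)} names an ACL that is not defined"))
    return findings
```

Call audit_nxos() with saved copies of the three show outputs; it returns an empty list once every check passes, and on the constructed sample it flags all seven of the post's hardening steps.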


Below is the difference between the show interface brief and show interface status command output. There's no interface range command on a Nexus switch; the range is given directly to the interface command (e.g. interface eth2/1-9).

NX-OS# show interface ?
  <CR>                  
  >                      Redirect it to a file
  >>                     Redirect it to a file in append mode
  brief                  Show brief info of interface
  capabilities           Show interface capabilities information
  counters               Show interface counters
  debounce               Show interface debounce time information
  description            Show interface description
  ethernet               Ethernet IEEE 802.3z
  flowcontrol            Show interface flowcontrol information
  loopback               Loopback interface
  mac-address            Show interface MAC address
  mgmt                   Management interface
  port-channel           Port Channel interface
  priority-flow-control  Show interface PFC information
  pruning                Show interface trunk VTP pruning information
  snmp-ifindex           Show snmp ifindex list
  status                 Show interface line status
  switchport             Show interface switchport information
  transceiver            Show interface transceiver information
  trunk                  Show interface trunk information
  |                      Pipe command output to filter

NX-OS# show interface brief  
--------------------------------------------------------------------------------
Port   VRF          Status IP Address                              Speed    MTU
--------------------------------------------------------------------------------
mgmt0  --           up     192.168.1.101                           100      1500

--------------------------------------------------------------------------------
Ethernet      VLAN    Type Mode   Status  Reason                   Speed     Por
t
Interface                                                                    Ch
#
--------------------------------------------------------------------------------
Eth2/1        --      eth  routed down    Administratively down      auto(D) --
Eth2/2        --      eth  routed down    Administratively down      auto(D) --
Eth2/3        --      eth  routed down    Administratively down      auto(D) --
Eth2/4        --      eth  routed down    Administratively down      auto(D) --
Eth2/5        --      eth  routed down    Administratively down      auto(D) --
Eth2/6        --      eth  routed down    Administratively down      auto(D) --
Eth2/7        --      eth  routed down    Administratively down      auto(D) --
Eth2/8        --      eth  routed down    Administratively down      auto(D) --
Eth2/9        --      eth  routed down    Administratively down      auto(D) --


NX-OS# show interface status

--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
mgmt0         --                 connected routed    full    100     --        
Eth2/1        --                 disabled  routed    auto    auto              
Eth2/2        --                 disabled  routed    auto    auto              
Eth2/3        --                 disabled  routed    auto    auto              
Eth2/4        --                 disabled  routed    auto    auto              
Eth2/5        --                 disabled  routed    auto    auto              
Eth2/6        --                 disabled  routed    auto    auto              
Eth2/7        --                 disabled  routed    auto    auto              
Eth2/8        --                 disabled  routed    auto    auto              
Eth2/9        --                 disabled  routed    auto    auto

NX-OS# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
NX-OS(config)# interface eth2/1-9     // NO "range" KEYWORD NEEDED, UNLIKE IOS
NX-OS(config-if-range)# ?
  bandwidth              Set bandwidth informational parameter
  beacon                 Disable/enable the beacon for an interface
  cdp                    Configure CDP interface parameters
  channel-group          Configure port channel parameters
  delay                  Specify interface throughput delay
  description            Enter description of maximum 80 characters
  duplex                 Enter the port duplex mode
  fabricpath             Fabricpath configuration
  fabricpath             Data Center Intermediate System to Intermediate System
                         (L2MP-IS-IS)
  flowcontrol            Configure interface flowcontrol
  hsrp                   HSRP interface configuration commands
  inherit                Inherit a port-profile
  ip                     Configure IP features
  ipv6                   Configure IPv6 features
  l2protocol             Layer 2 Protocol
  link                   Configure link
  load-interval          Specify interval for load calculation for an interface
  logging                Configure logging for interface
  mac                    MAC configuration commands
  mac-address            Configure interface mac address
  mdix                   Enable auto mdix mode
  medium                 Configure Interface medium mode
  mtu                    Configure mtu for the port
  no                     Negate a command or set its defaults
  priority-flow-control  Enable/Disable PFC
  rate-limit             Set packet per second rate limit
  rate-mode              Enter the rate mode
  service-policy         Configure service policy for an interface
  shutdown               Enable/disable an interface
  snmp                   Modify SNMP interface parameters
  spanning-tree          Spanning Tree Subsystem
  speed                  Enter the port speed
  storm-control          Configure Interface storm control
  switchport             Configure switchport parameters
  this                   Shows info about current object (mode's instance)
  vrf                    Configure VRF parameters
  vtp                    Enable VTP on this interface
  end                    Go to exec mode
  exit                   Exit from command interpreter
  pop                    Pop mode from stack or restore from name
  push                   Push current mode to stack or save it under name
  where                  Shows the cli context you are in

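The two outputs above (`show interface status`, then the per-interface config mode) are the raw material for a port-hardening pass: unused ports should be shut down and live ports should carry a description. The following script is an added example, not code from the original post or from Cisco; it parses the fixed-width `show interface status` table using the header line for column boundaries, flags ports that are up-but-unlinked (`notconnec`) and live ports with no description, and emits the NX-OS commands to disable the unused ones. The sample table is constructed to match the simulator's column layout, with hypothetical rows added (`uplink-core`, `notconnec`, VLAN 10) so that each check has something to find.

```python
"""Audit a Nexus `show interface status` table for ports that are not hardened.

Added example (not from the original post or from Cisco). It flags
(a) ports that are neither shut down nor linked ('notconnec'), which a
hardening baseline would disable, and (b) live ports with no description.
"""
import re
from typing import Dict, List

HEADER_FIELDS = ("Port", "Name", "Status", "Vlan", "Duplex", "Speed", "Type")

# Constructed sample in the `show interface status` layout (not captured output).
SAMPLE_STATUS = """\
--------------------------------------------------------------------------------
Port          Name               Status    Vlan      Duplex  Speed   Type
--------------------------------------------------------------------------------
mgmt0         --                 connected routed    full    100     --
Eth2/1        --                 disabled  routed    auto    auto
Eth2/2        uplink-core        connected trunk     full    10G     10Gbase-SR
Eth2/3        --                 notconnec routed    auto    auto
Eth2/4        --                 notconnec 10        auto    auto
"""


def parse_interface_status(text: str) -> List[Dict[str, str]]:
    """Split the fixed-width table into dicts keyed by header name.

    Column boundaries are taken from the header line itself, so the parser
    does not depend on single-space separators (the Name column may contain
    spaces and the Type column may be empty).
    """
    lines = text.splitlines()
    header = next(ln for ln in lines if ln.startswith("Port"))
    starts = [header.index(field) for field in HEADER_FIELDS]
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for ln in lines:
        # Only interface rows: a known prefix followed by a digit (skips header/dashes).
        if not re.match(r"^(Eth|mgmt|Po|Lo|Vlan)\d", ln):
            continue
        rows.append({f: ln[a:b].strip() for f, (a, b) in zip(HEADER_FIELDS, bounds)})
    return rows


def find_unused_enabled_ports(rows: List[Dict[str, str]]) -> List[str]:
    """Ports that are administratively up but have no link: shut these down."""
    return [r["Port"] for r in rows if r["Status"].startswith("notconnec")]


def find_live_ports_without_description(rows: List[Dict[str, str]]) -> List[str]:
    """Connected ports whose Name column is empty or the '--' placeholder."""
    return [r["Port"] for r in rows
            if r["Status"] == "connected" and r["Name"] in ("", "--")]


def shutdown_commands(ports: List[str]) -> List[str]:
    """NX-OS config snippet that disables the listed ports and saves with
    `copy running-config startup-config` (NX-OS has no `write memory`)."""
    cmds = ["configure terminal"]
    for port in ports:
        cmds += [f"interface {port}",
                 " description UNUSED - disabled by baseline",
                 " shutdown"]
    cmds += ["end", "copy running-config startup-config"]
    return cmds


if __name__ == "__main__":
    rows = parse_interface_status(SAMPLE_STATUS)
    unused = find_unused_enabled_ports(rows)
    print("unused but enabled:", unused)
    print("live, no description:", find_live_ports_without_description(rows))
    print("\n".join(shutdown_commands(unused)))
```

Feed it the real output (e.g. `show interface status` saved to a file) instead of `SAMPLE_STATUS`; because the column offsets are read from the header, it copes with the wider Name/Type columns seen on other line cards as long as the header words are the same.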


There's no write memory command on a Nexus switch (write ? offers only erase). You use the copy running-config startup-config command (copy run start for short) to save the configuration to NVRAM.

NX-OS# write ?
  erase  Destroys the configuration on persistent media

NX-OS# copy ?
  bootflash:      Select source filesystem
  core:           Select source filesystem
  debug:          Select source filesystem
  ftp:            Select source filesystem
  licenses        Backup license files
  log:            Select source filesystem
  modflash:       Select source filesystem
  nvram:          Select source filesystem
  running-config  Copy running configuration to destination
  scp:            Select source filesystem
  sftp:           Select source filesystem
  startup-config  Copy startup configuration to destination
  system:         Select source filesystem
  tftp:           Select source filesystem
  volatile:       Select source filesystem

NX-OS# copy running-config ?
  bootflash:      Select destination filesystem
  ftp:            Select destination filesystem
  nvram:          Select destination filesystem
  scp:            Select destination filesystem
  sftp:           Select destination filesystem
  startup-config  Copy from source to startup configuration
  tftp:           Select destination filesystem
  volatile:       Select destination filesystem

NX-OS# copy running-config startup-config
[########################################] 100%
Copy complete, now saving to disk (please wait)..
