Cisco:NX-OS
From Cheatsheet
Some commands don't exist on older versions of Cisco software, and other commands may be deprecated in newer versions.
- https://www.firewall.cx/cisco-technical-knowledgebase/cisco-data-center/1206-nexus-nx-os-commands-scripting-hints-and-tips.html
- https://www.packetswitch.co.uk/cisco-nexus-useful-commands/
Basics
Connecting via Console [Windows]
- Plug a Console cable into the Cisco switch and connect the cable to your laptop/whatever. Best type of cable to use is USB to Console;
- Check Windows "Device Manager" - "Ports (COM & LPT)" to view what COM port is in use;
- Use a Serial client (such as Putty) to connect to the switch by filling in the correct COM port;
- In the opened CLI, you may have to press Enter to see the first CLI output.
You may have to modify the Serial interface settings in your Serial client depending on the switch you're connecting with.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp52980
A Cisco Catalyst 3750, for example, needs:
- 9600 baud
- 8 data bits
- no parity
- 1 stop bit
- no flow control
Commandline
Basics
# User EXEC mode is the default mode you Console/SSH into.
Switch>
# Enter Privileged EXEC mode from User EXEC mode
enable
# Privileged EXEC mode is used for checking configuration
Switch#
# Enter Global configuration mode from Privileged EXEC mode
configure terminal
# Global configuration mode is used to configure the switch and to enter other configuration modes
Switch(config)#
# While in Global configuration mode, type in a 'vlan vlan-id' command to enter VLAN configuration mode
Switch(config-vlan)#
# While in Global configuration mode, type in an 'interface [interface-name]' command to enter Interface configuration mode
Switch(config-if)#
# While in Global configuration mode, type in a 'line console' or 'line vty' command to enter Line configuration mode
Switch(config-line)#
# Exit to the 'previous' mode from any mode, or exit the session when in User EXEC mode
exit
# Exit to Privileged EXEC mode from any configuration mode
end
Use the TAB key for command auto-completion when you have typed in sufficient keys. Use the UP and DOWN keys to 'scroll' through any previous commands you've executed.
# Use "?" to list all available commands in any EXEC mode
sw1-cisco#?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-template Create a temporary Access-List entry
archive manage archive files
# Also use the "?" key to show available parameters to any command
sw1-cisco#show running-config ?
all Configuration with defaults
brief configuration without certificate data
full full configuration
Pipe
# Use the | modifier to pipe/filter input
sw1-thuis#show interfaces | ?
append Append redirected output to URL (URLs supporting append operation only)
begin Begin with the line that matches
etc
# Filter the input so only anything containing "SSH" is shown
sw1-thuis#show logging | include SSH
000012: *Mar 1 00:01:14.851: %SSH-5-ENABLED: SSH 1.99 has been enabled
000040: *Mar 1 00:13:22.698: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.0.20 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000041: *Mar 1 00:13:26.096: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.168.178.115 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
# List output starting from any line containing "GigabitEthernet"
sw1-thuis#show running-config | begin GigabitEthernet
interface GigabitEthernet1/0/1
description Core: Internet-router Ethernet0/1 [100000Mbit] {0001} (Uplink)
switchport access vlan 666
switchport mode access
# Filter out any line containing "Hello" from the given input
sw1-thuis#show spanning-tree | exclude Hello
VLAN0100
Spanning tree enabled protocol ieee
Root ID Priority 32868
Address 0017.e04b.2780
This bridge is the root
Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 0017.e04b.2780
Aging Time 300
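The `| include SSH` filter above is the quickest way to pull SSH events out of `show logging`, but the interesting part is what those lines say: source address, user, outcome, and the cipher/HMAC the session negotiated (the sample above shows `aes256-cbc` with `hmac-sha1`, both legacy algorithms). The following is an added example, not part of the original cheatsheet: it emulates the `include`/`exclude`/`begin` modifiers over captured output, parses the `%SSH-5-SSH2_SESSION` and `%SSH-5-SSH2_USERAUTH` messages, and flags sessions from outside a trusted range, failed logins and legacy algorithms. The log text is constructed in the format of the lines above; the trusted network and the set of algorithms treated as legacy are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the `show logging | include SSH` output
# on this page; not captured from a real device.
SAMPLE_LOG = """\
000012: *Mar  1 00:01:14.851: %SSH-5-ENABLED: SSH 1.99 has been enabled
000040: *Mar  1 00:13:22.698: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.0.20 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000041: *Mar  1 00:13:26.096: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.168.178.115 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000042: *Mar  1 00:14:01.200: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 203.0.113.9 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Failed
000043: *Mar  1 00:14:03.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.178.115)
"""

# Message bodies of %SSH-5-SSH2_SESSION (no user yet) and %SSH-5-SSH2_USERAUTH
_SSH_RE = re.compile(
    r"%SSH-5-(?P<kind>SSH2_SESSION|SSH2_USERAUTH): "
    r"(?:User '(?P<user>[^']+)' authentication for )?"
    r"SSH2 Session (?:request )?from (?P<ip>[0-9a-fA-F.:]+) \(tty = (?P<tty>\d+)\) "
    r"using crypto cipher '(?P<cipher>[^']+)', hmac '(?P<hmac>[^']+)' (?P<result>Succeeded|Failed)"
)

# Assumed set of legacy algorithms worth flagging (CBC ciphers, 3DES, SHA-1/MD5 HMACs)
LEGACY_HMACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"}


@dataclass
class SshEvent:
    seq: str            # the leading sequence number of the log line
    kind: str           # SSH2_SESSION or SSH2_USERAUTH
    ip: str
    cipher: str
    hmac: str
    succeeded: bool
    user: Optional[str] = None


def pipe_filter(text: str, mode: str, pattern: str) -> List[str]:
    """Emulate `| include`, `| exclude` and `| begin` on captured CLI output."""
    lines = text.splitlines()
    rx = re.compile(pattern)
    if mode == "include":
        return [l for l in lines if rx.search(l)]
    if mode == "exclude":
        return [l for l in lines if not rx.search(l)]
    if mode == "begin":
        for i, l in enumerate(lines):
            if rx.search(l):
                return lines[i:]
        return []
    raise ValueError(f"unknown pipe modifier {mode!r}")


def parse_ssh_events(text: str) -> List[SshEvent]:
    """Parse SSH session/auth messages into structured events."""
    events = []
    for line in pipe_filter(text, "include", r"%SSH-5-SSH2_"):
        m = _SSH_RE.search(line)
        if not m:
            continue
        events.append(SshEvent(
            seq=line.split(":", 1)[0],
            kind=m["kind"], ip=m["ip"], cipher=m["cipher"], hmac=m["hmac"],
            succeeded=(m["result"] == "Succeeded"), user=m["user"],
        ))
    return events


def weak_algorithms(ev: SshEvent) -> List[str]:
    """Reasons a negotiated cipher/HMAC pair counts as legacy."""
    reasons = []
    if ev.cipher.endswith("-cbc") or ev.cipher.startswith("3des"):
        reasons.append(f"cipher {ev.cipher}")
    if ev.hmac in LEGACY_HMACS:
        reasons.append(f"hmac {ev.hmac}")
    return reasons


def audit_ssh_log(text: str, trusted_nets: List[str]) -> List[str]:
    """Findings: untrusted sources, failed logins, legacy crypto (one string per finding)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for ev in parse_ssh_events(text):
        src = ipaddress.ip_address(ev.ip)
        if not any(src in n for n in nets):
            findings.append(f"{ev.seq}: {ev.kind} from untrusted {ev.ip}")
        if ev.kind == "SSH2_USERAUTH" and not ev.succeeded:
            findings.append(f"{ev.seq}: failed login for {ev.user!r} from {ev.ip}")
        for reason in weak_algorithms(ev):
            findings.append(f"{ev.seq}: legacy {reason} from {ev.ip}")
    return findings


if __name__ == "__main__":
    for f in audit_ssh_log(SAMPLE_LOG, ["192.168.0.0/16"]):
        print(f)
```

Feed it the saved output of `show logging` (or a syslog collector's copy of it) instead of the constructed sample; the trusted-network list should be the management ranges that are actually allowed to reach the switch.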
Resetting a switch
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp46478
Press and hold the Mode button. The switch LEDs begin blinking after about 3 seconds. Continue holding down the Mode button. The LEDs stop blinking after 7 more seconds, and then the switch reboots.
# Wipe a switch's configuration completely (IOS; vlan.dat holds the VLAN database, which survives an erase of the startup-config)
erase nvram:
erase startup-config
delete vlan.dat
Update via USB
https://networkproguide.com/how-update-cisco-router-using-usb-drive/
# Plug your USB containing Cisco firmware into the Cisco device.
# Note the name of your internal flash storage:
show file systems
# Copy the firmware from your USB to local flash storage:
copy usbflash0:c2900-universalk9-mz.SPA.157-3.M3.bin flash:c2900-universalk9-mz.SPA.157-3.M3.bin
# Verify existence of copied file (and compare its hash with the one listed on the Cisco download page before booting it):
dir flash:
# Inform device to boot from new firmware file:
boot system flash:c2900-universalk9-mz.SPA.157-3.M3.bin
# Save configuration:
copy running-config startup-config
# Reload device:
reload
# Check version after boot
show version
Checks
Common
# Show all logs
show logging
# Show current time
show clock
# Show configured user accounts
show user-account
# Show active user sessions
show users
# Show commands that were executed in any configuration mode
show accounting log
Configuration
# Show current configuration
show running-config
# Show current configuration including default values (most verbose)
show running-config all
# Show configuration for an interface
show running-config interface GigabitEthernet1/0/25
# Show configuration for a VLAN interface
show running-config interface vlan 10
# Show configuration for a port-channel interface
show running-config interface port-channel 48
# Show the current saved configuration
show startup-config
Network
# Show all known MAC addresses and associated IP addresses + interfaces
show ip arp
# Show the MAC address of a known IP
show ip arp 192.168.7.7
# Show current routes
show ip route
# Show uptime
show system uptime
# Enable error-disable detection for all causes (Global configuration mode). The reason a port was error-disabled is then listed by 'show interface status err-disabled'
errdisable detect cause all
Interfaces
# Show interfaces, VLANs, speed and status
show interface status
# Show summary of all interfaces
show interface brief
# Show detailed information for all interfaces
show interfaces
# Show detailed interface information for Ethernet1/4
show interface Ethernet1/4
# Show detailed information for port-channel interface 1
show interface port-channel 1
# Show detailed information for VLAN interface 21
show interface vlan 21
# Show all trunk interfaces and their configured VLANs
show interface trunk
# List all interfaces' descriptions
show interfaces description
Spanning Tree
# Show all interfaces with active Spanning Tree instances
show spanning-tree active
# Show verbose Spanning Tree information for all interfaces
show spanning-tree detail
# Show Spanning Tree instances on interface gigabitEthernet1/0/25
show spanning-tree interface gigabitEthernet1/0/25
# Show Spanning Tree instances for VLAN 10
show spanning-tree vlan 10
# Show ports held in an inconsistent (blocking) state, e.g. by root guard or loop guard
show spanning-tree inconsistentports
# Show ports blocked by Spanning Tree
show spanning-tree blockedports
Access lists
# Show all access lists
show access-lists
# Show access list 110
show access-lists 110
Hardware
# Show hardware information such as inserted optics and modules.
show inventory
Common configuration
Common
# Configure the hostname of your machine
hostname sw1-myswitch
# Configure this switch's domain
ip domain-name mydomain.nl
# Set DNS servers
ip name-server 1.1.1.1 8.8.8.8
Uncommon
# Configure a static MAC address entry and the VLAN/interface it is reachable through
mac address-table static 0005.aabb.ccdd vlan 125 interface Ethernet1/24
Authentication
Users & passwords
# 'password 0' means the password is typed in cleartext. IOS then keeps it in cleartext in the configuration (type 0; 'service password-encryption' only turns it into the trivially reversible type 7), so on IOS use 'username admin secret ...' instead. NX-OS stores user passwords hashed regardless of the keyword.
username admin password 0 myp4ssw0rd
SSH
https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
Prerequisites:
hostname sw1-myswitch
ip domain-name mydomain.nl
username admin password 0 myp4ssw0rd
# Generate the RSA host key used by the SSH server (NX-OS syntax; the command accepts a key length, e.g. 'ssh key rsa 2048'. On IOS the equivalent is 'crypto key generate rsa').
ssh key rsa
# Session timeout and retry limit (IOS syntax)
ip ssh time-out 60
ip ssh authentication-retries 2
# Only accept SSH, not telnet, on the virtual terminal lines (IOS)
line vty 0 4
transport input ssh
Radius
radius-server host 192.168.25.3 key 0 "MyPassword"
radius-server directed-request
ip radius source-interface vlan 30
aaa group server radius MyRadiusGroup
server 192.168.25.3
deadtime 30
source-interface vlan 30
use-vrf management
# Authenticate against RADIUS first; 'local' keeps the local accounts usable as a fallback
aaa authentication login default group MyRadiusGroup local
aaa authentication login error-enable
aaa authentication login default fallback error local
aaa accounting default group MyRadiusGroup
NTP
clock timezone MET 1 0
clock summer-time METDST 5 Sun Mar 02:00 5 Sun Oct 03:00 60
ntp server 128.118.25.3
ntp server 129.132.2.21
ntp server 192.36.143.150
ntp server 193.67.79.202
SNMP v2c Authentication
snmp-server location NL;Zuid-Holland;Rotterdam, 78 MyStreet;2nd Floor;Server Room;Rack
# SNMPv3 user with authentication (SHA) and privacy (AES-128)
snmp-server user MyUser MyGroupName auth sha MyAuthP4ssword priv aes-128 MyCryptoP4ssword
# SNMP v2c community mapped to the same group. A v2c community string travels in cleartext on the wire, so prefer the v3 user above wherever the poller supports it.
snmp-server community MyCommun1ty group MyGroupName
Banner
banner motd %
*************************************************************
*========================= COMPANY =========================*
*                                                           *
*              UNAUTHORISED ACCESS PROHIBITED !             *
*                                                           *
*                                                           *
**************************************************************
%
Syslog
- https://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_1/Cisco_Nexus_5000_Series_Switch_CLI_Software_Configuration_Guide_chapter26.html#task_5793349949823830091
- Authpriv level 5 quirk: https://community.cisco.com/t5/switching/nexus-5000-version-5-1-3-n2-1-message/td-p/1911201
- https://kyletk.com/post/2/cisco-ios-and-nexus-log-all-configuration-commands
# Timestamp log messages (IOS)
service timestamps log datetime
# Log facility local7 up to severity 6 (informational)
logging level local7 6
# Log both failed and successful logins
login on-failure log
login on-success log
# Use the hostname as the origin-id in syslog messages
logging origin-id hostname
logging level authpriv 5
# Send messages up to severity 6 to a remote syslog server via the management VRF, tagged with facility local7
logging server 10.22.0.2 6 use-vrf management facility local7
logging level aaa 6
Network
Create VLAN
# VLAN interfaces, and interfaces carrying VLANs, will not come up unless the VLANs have been defined beforehand.
vlan 283
name MyVlan
Interfaces
Management
interface mgmt0
ip address 10.0.27.5/24
vrf member management
vrf context management
ip route 0.0.0.0/0 10.0.27.1
ip domain-name MyDomain.nl
VLAN
vrf context mgmt69
ip route 0.0.0.0/0 10.0.69.1
ip domain-name MyDomain.nl
interface Vlan69
no shutdown
management
vrf member mgmt69
no ip redirects
ip address 192.168.69.11/24
no ipv6 redirects
Common
Access
interface Ethernet1/28
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Any note such as PROVIDER PROVIDER-CID or whatever)
switchport access vlan 73
Trunk
interface Ethernet1/22
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Any note such as PROVIDER PROVIDER-CID or whatever)
switchport mode trunk
switchport trunk allowed vlan 113,114,200
Port-channel
Configure all interfaces first and keep them shut down. Once configuration is finished, bring the port-channel online first and the physical interface(s) afterwards. Port-channel numbers 1-48 are available on IOS.
interface Ethernet1/15
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Any note such as PROVIDER PROVIDER-CID or whatever)
switchport mode trunk
channel-group 48 mode active
no cdp enable
shutdown
interface Ethernet1/16
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (Any note such as PROVIDER PROVIDER-CID or whatever)
switchport mode trunk
channel-group 48 mode active
no cdp enable
shutdown
interface port-channel48
description Core: [xxxMbit] (Any note such as PROVIDER PROVIDER-CID or whatever)
switchport mode trunk
switchport trunk allowed vlan 200,300
logging event port link-status
logging event port trunk-status
shutdown
Interface to provider
# Interface facing providers' router
interface Ethernet1/17
description Core: TheConnectedRouter01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (PROVIDER PROVIDER-CID)
switchport mode access
switchport access vlan 283
no lldp transmit
# bpduguard error-disables the port if any BPDU arrives; root guard blocks it if a superior (root-claiming) BPDU arrives
spanning-tree bpduguard enable
spanning-tree guard root
# bpdufilter stops the port from sending or processing BPDUs at all, so with it enabled neither guard above will ever trigger; choose either the guards or the filter, not all three
spanning-tree bpdufilter enable
storm-control broadcast level 0.50
storm-control multicast level 0.50
no cdp enable
shutdown
Virtual Port Channels (vPC)
- https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/217274-understand-virtual-port-channel-vpc-en.html
- https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/503_n2_1/503_n2_1nw/Cisco_n5k_layer2_config_gd_rel_503_N2_1_chapter8.html
- https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/218333-understand-and-configure-nexus-9000-vpc.html
Before enabling the vPC Peer Switch enhancement, Spanning Tree priority configuration for all vPC VLANs must be modified so that it is identical between both vPC peers.
Switch #1
# peer-switch - both vPC peers present one STP bridge ID towards the vPC (needs identical STP priorities on both, see above)
# role priority 1 - make this switch the vPC primary (lower value wins)
# peer-keepalive destination - address of the other switch, used for the keepalive heartbeat
# peer-gateway - enables Layer 3 forwarding for packets destined to the gateway MAC address of the virtual Port Channel
# auto-recovery - enables the auto-recovery feature and sets the reload delay period.
vpc domain 2
peer-switch
role priority 1
peer-keepalive destination 192.168.0.2
peer-gateway
auto-recovery
ip arp synchronize
interface port-channel25
description Core: (VPC domain 2)
switchport mode trunk
switchport trunk allowed vlan 7,300-302,1000
spanning-tree port type network
vpc peer-link
interface Ethernet1/1
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (VPC Domain: 2)
switchport mode trunk
switchport trunk allowed vlan 7,300-302,1000
channel-group 25 mode active
interface Ethernet1/2
description Core: TheConnectedDevice01 FastEthernet0/1 [xxxMbit] {CIRCUIT-ID} (VPC Domain: 2)
switchport mode trunk
switchport trunk allowed vlan 7,300-302,1000
channel-group 25 mode active
Switch #2
# peer-switch - both vPC peers present one STP bridge ID towards the vPC (needs identical STP priorities on both, see above)
# role priority 2 - make this switch the vPC secondary (lower value wins)
# peer-keepalive destination - address of the other switch, used for the keepalive heartbeat
# peer-gateway - enables Layer 3 forwarding for packets destined to the gateway MAC address of the virtual Port Channel
# auto-recovery - enables the auto-recovery feature and sets the reload delay period.
vpc domain 2
peer-switch
role priority 2
peer-keepalive destination 192.168.0.1
peer-gateway
auto-recovery
ip arp synchronize
interface port-channel25
description Core: (VPC domain 2)
switchport mode trunk
switchport trunk allowed vlan 7,300-302,1000
spanning-tree port type network
vpc peer-link
interface Ethernet1/1
description Core: TheConnectedDevice01 FastEthernet0/0 [xxxMbit] {CIRCUIT-ID} (VPC Domain: 2)
switchport mode trunk
switchport trunk allowed vlan 7,300-302,1000
channel-group 25 mode active
interface Ethernet1/2
description Core: TheConnectedDevice01 FastEthernet0/1 [xxxMbit] {CIRCUIT-ID} (VPC Domain: 2)
switchport mode trunk
switchport trunk allowed vlan 7,300-302,1000
channel-group 25 mode active
Spanning Tree
Configuration
# Make this switch the root bridge for a VLAN
spanning-tree vlan 335 root primary
# Make this switch the backup root for a VLAN
spanning-tree vlan 335 root secondary
# Set this switch's priority to 4096 for a VLAN
spanning-tree vlan 335 priority 4096
# Activate spanning-tree for a VLAN
spanning-tree vlan 335
# Set priority for a range of VLANs
spanning-tree vlan 10-100,125,150 priority 4096
Interface configuration
# Drop all BPDUs on this port, sent and received. This is the same as disabling spanning tree on the port and can create a loop if a switch is plugged in
spanning-tree bpdufilter enable
# Error-disable the port when a BPDU is received. Set per interface this works on any port; only the global 'spanning-tree portfast bpduguard default' is limited to portfast/edge ports
spanning-tree bpduguard enable
# If the device on the other side advertises itself as a better root, hold the port in root-inconsistent (blocking) state until the superior BPDUs stop
spanning-tree guard root
Bridge Priorities
# Bridge Priority must be in increments of 4096.
# Allowed values are:
# 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440
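The priority list above only makes sense together with two details visible earlier on this page: the `show spanning-tree` output reports `Priority 32868 (priority 32768 sys-id-ext 100)`, i.e. the VLAN ID is added to the configured priority, and `root primary` does not simply set a fixed value. The following is an added example, not part of the original cheatsheet: it validates a priority, computes the effective priority with the extended system ID, compares two bridge IDs the way the root election does (lower priority, then lower MAC), and works out what `root primary` would configure against a given current root. The `root primary` rule (24576, or 4096 below the current root when that root is already below 24576) is Cisco's documented behaviour and is assumed here; function names are my own.

```python
from typing import Tuple

ROOT_SECONDARY_PRIORITY = 28672  # what 'spanning-tree vlan N root secondary' configures


def valid_bridge_priority(priority: int) -> bool:
    """The configurable priority is the top 4 bits of the bridge ID: a multiple of 4096 in 0..61440."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def effective_priority(priority: int, vlan: int) -> int:
    """Priority as carried in BPDUs with the extended system ID: configured priority + VLAN ID.
    Reproduces the 'Priority 32868 (priority 32768 sys-id-ext 100)' line shown earlier."""
    if not valid_bridge_priority(priority):
        raise ValueError(f"{priority} is not a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    return priority + vlan


def _mac_int(mac: str) -> int:
    # Cisco dotted form '0017.e04b.2780' (or colon form) to an integer for tie-breaking
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id(priority: int, mac: str, vlan: int) -> Tuple[int, int]:
    """Comparable bridge ID: (effective priority, MAC as integer); smaller wins the election."""
    return (effective_priority(priority, vlan), _mac_int(mac))


def is_better_root(priority: int, mac: str, other_priority: int, other_mac: str, vlan: int) -> bool:
    """True if (priority, mac) beats (other_priority, other_mac) for root in this VLAN."""
    return bridge_id(priority, mac, vlan) < bridge_id(other_priority, other_mac, vlan)


def root_primary_priority(current_root_priority: int) -> int:
    """Priority 'spanning-tree vlan N root primary' configures (assumed, per Cisco's documentation):
    24576 when the current root is at 24576 or above (at exactly 24576 the lower MAC decides),
    otherwise 4096 less than the current root. A root already at 0 cannot be undercut."""
    if not valid_bridge_priority(current_root_priority):
        raise ValueError(f"{current_root_priority} is not a valid bridge priority")
    if current_root_priority >= 24576:
        return 24576
    if current_root_priority == 0:
        raise ValueError("current root is already at priority 0; it cannot be undercut")
    return current_root_priority - 4096


if __name__ == "__main__":
    # The bridge from the show spanning-tree output above, in VLAN 100, against an unknown rival
    print(effective_priority(32768, 100))
    print(is_better_root(32768, "0017.e04b.2780", 32768, "0000.0000.0001", 100))
    print(root_primary_priority(32768), root_primary_priority(8192))
```

Pairing the last function with `spanning-tree guard root` on edge and provider-facing ports is the practical takeaway: whoever can plug in a bridge with a lower (priority, MAC) wins the election, which is why the page enables root guard where the neighbour is not trusted.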