
sanspire.com

Cisco CLI
By sanaswati

Switch Configuration
Set a user password
switch# username admin password NEWPASSWORD

Set the clock and timezone


switch# clock timezone GMT 0 0
switch# clock summer-time BST 5 Sunday march 02:00 5 Sunday October 03:00 60

Set NTP server


switch# ntp server 192.168.1.1

Set name server (DNS)


switch# ip name-server DNS_SERVER_IP

Set domain name


switch# ip domain-name DOMAIN.COM

Set banner
switch# banner motd #
**********************************************************************
** YOUR MESSAGE **
**********************************************************************
#

Define VSANs
switch# vsan database
switch# vsan 1 suspend
switch# vsan 111 name FABRIC_A
switch# vsan 111 interface bay 1-16

Configure TACACS and AAA

http://www.sanspire.com/cisco-cli/

switch# tacacs+ enable


switch# tacacs-server key secret_key (Define the secret key to access TACACS+ server. Messages will be sent in clear text)
switch# tacacs-server key 7 secret_key (Define the secret key to access TACACS+ server. Messages will be sent in encrypted format 7)
switch# tacacs-server timeout 30 (timeout of 30 seconds)
switch# tacacs-server host 10.140.75.19 (Define TACACS+ servers IP address)
switch# aaa group server tacacs+ AUTHGROUP (Define a server group AUTHGROUP)
switch# server 10.140.75.19 (Define first server within server group AUTHGROUP)
switch# aaa authentication login default group AUTHGROUP (Define group for default authentication)
switch# aaa authentication login console group AUTHGROUP (Define group for console authentication)
switch# aaa accounting default group AUTHGROUP local (Define mode for accounting)
switch# aaa authentication login error-enable (Show the message if remote AAA server is not available)

Configure SNMP
switch# snmp-server community eccuser group network-admin
switch# snmp-server community onaro group network-operator
switch# logging server 192.168.1.50 facility local0
switch# no logging console
switch# snmp-server enable traps
switch# snmp-server host 192.168.2.1 traps version 2c public udp-port 162

Zone Maintenance
Creating zone
Basic Zoning
switch# zone name servername_arrayname_portname vsan 111
switch# member pwwn 10:00:00:00:00:00:00:00
switch# member pwwn 50:00:00:80:50:A0:0B:40
switch# zoneset name FABRIC_A vsan 111
switch# member servername_arrayname_portname
switch# zoneset distribute vsan 111
switch# zoneset activate name FABRIC_A vsan 111

Enhanced Zoning
switch# zone name servername_arrayname_portname vsan 111
switch# member pwwn 10:00:00:00:00:00:00:00
switch# member pwwn 50:06:04:84:52:A9:0B:43
switch# zoneset name FABRIC_A vsan 111
switch# member servername_arrayname_portname
switch# zoneset activate name FABRIC_A vsan 111
switch# zone commit vsan 111

Differences between Enhanced and Basic Zoning


* Enhanced zoning prevents changes made by one administrator from being overwritten by another. A single configuration session is used for the entire fabric to ensure consistency.
* For a zone being member of multiple zonesets, only a single instance is created, thereby reducing payload size.
* Reports the activation results per switch rather than a combined status. This enhanced error reporting eases the troubleshooting process.

To discard the changes to enhanced zone database and close the session
switch# no zone commit vsan 111

To forcefully apply the changes to enhanced zone database and close the vsan session created by another user
switch# zone commit vsan 3 force

To forcefully discard the changes to enhanced zone database and close the vsan session created by another user
switch# no zone commit vsan 3 force

To clear the lock on remote switches, if session locks remain on remote switches even after using no zone commit vsan
switch# clear zone lock vsan 2

To check who locked the VSAN session
switch# show accounting log

To see on which switches the session is open
switch# show zone status vsan 111

Creating IVR zoneset


switch# ivr zone name servername_array1_portname_array2_portname
switch# member pwwn 50:06:04:84:52:A9:0B:43 vsan 121
switch# member pwwn 50:06:04:84:52:A9:0B:AB vsan 111
switch# ivr zoneset name IVR_FABRIC_A
switch# member servername_array1_portname_array2_portname
switch# ivr zoneset activate name IVR_FABRIC_A
switch# ivr commit

Show the status of active zone


switch# show zone status vsan 111

To see all the zonesets on a fabric


switch# show zoneset | inc zoneset

To see all the zonesets active on a fabric


switch# show zoneset active | inc zoneset

To see zoneset/zones in vsan 111


switch# show zoneset active vsan 111

To see the status of IVR zoneset (it will tell you whether a zone is being activated at the moment)
switch# show ivr zoneset status

To see the existing zones within IVR zoneset


switch# show ivr zoneset | inc servername

To see what WWNs are logged in


switch# show flogi database

To rename a zone
switch# zone rename old_name new_name vsan 111
switch# zone distribute vsan 111
switch# zone activate name FABRIC_A vsan 111

To disable the alerts from switch


switch# no snmp-server host 192.168.2.1 traps version 2c public udp-port 162

To change the WWN of a zone member or add/remove new WWN


switch# zone name servername_arrayname_portname vsan 111
switch# no member pwwn 10:00:00:00:C9:7D:27:DA
switch# member pwwn 10:00:00:00:C9:6E:E7:C8
switch# zoneset name FABRIC_A vsan 111
switch# zoneset distribute vsan 111
switch# zoneset activate name FABRIC_A vsan 111

HP Chassis with Cisco Switches


To check PWWN for blades on HP Chassis
hpchassis# show flex-attach virtual-pwwn | inc bay
all bay6 22:06:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay13 22:0d:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay5 22:05:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay14 22:0e:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay15 22:0f:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay7 22:07:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay4 22:04:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay3 22:03:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay11 22:0b:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay12 22:0c:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay2 22:02:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay1 22:01:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay10 22:0a:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay9 22:09:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay16 22:10:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011
all bay8 22:08:00:0d:ec:9e:8d:42 TRUE Thu Sep 22 11:49:39 2011

To check status of interconnects


hpchassis# show interconnect list

To check IP address config of interconnects


hpchassis# show ebipa interconnect
hpchassis# show oa network all

To connect to an interconnect 3
hpchassis# connect interconnect 3

Enable virtual pwwn on all interfaces


hpchassis# flex-attach virtual-pwwn auto interface bay 1-16
hpchassis# flex-attach commit

Switch Maintenance
To check time out drops recorded in switch
switch# show logging onboard timeoutdrops

To check if a part was removed from within the switch
switch# show logging log | i "FCOT not present"

To check the status of port whether it is online
switch# slot 2 show hard internal fc-mac port 1 all-registers | i DATAPATH
0x00000601 IP_FCMAC_CTL_DATAPATH_ID 0x0021031e => 31e indicates port is online, 0x00210320 = offline

To see the status of FCIP connections


switch# show fcip summary

To set indefinite autologout

switch# line vty


switch# exec-timeout 0

To suspend a VSAN

switch# vsan database
switch# vsan 130 suspend
switch# show vsan 130

To see whether the route to virtual domain is flapping. Output below shows it is flapping every 2 seconds or so
switch# show system internal rib sync-log unicast
Idx Seq (H)  Oper   Action VSAN FC ID/Mask(H) Time
--- -------- ------ ------ ---- ------------- ------------------------
126 0000ff7f update delete 130  cb0000 ff0000 Mon Jan 16 00:54:36 2012
127 0000ff80 update add    130  cb0000 ff0000 Mon Jan 16 00:54:38 2012
0   0000ff81 update delete 130  cb0000 ff0000 Mon Jan 16 00:54:40 2012
1   0000ff82 update add    130  cb0000 ff0000 Mon Jan 16 00:54:42 2012
2   0000ff83 update delete 130  cb0000 ff0000 Mon Jan 16 00:54:44 2012
3   0000ff84 update add    130  cb0000 ff0000 Mon Jan 16 00:54:46 2012
4   0000ff85 update delete 130  cb0000 ff0000 Mon Jan 16 00:54:47 2012
5   0000ff86 update add    130  cb0000 ff0000 Mon Jan 16 00:54:49 2012
6   0000ff87 update delete 130  cb0000 ff0000 Mon Jan 16 00:54:51 2012

To show vsan/domain list
switch# show system internal rib domain
switch# show system internal rib unicast vsan 130
switch# show system internal rib internal memory-pool usage
switch# show system internal rib multicast
switch# show system internal rib summary
switch# show system internal rib sync-log label
switch# show system internal rib sync-log multicast
switch# show system internal rib sync-log unicast
switch# show system internal rib vsan-attributes
switch# show system internal rib vsan-rewrite

To see domain id for a VLAN on a switch
switch# show fspf database
switch# show fspf database vsan 130 domain 203

To see fibre domain
switch# show fcdomain domainlist

To show which domains are allowed
switch# show fcdomain allowed

To show which FCIDs are allocated in which domain/vlan
switch# show fcdomain addressallocation
switch# show fcdomain fcid persistent

To see the details about VLAN
switch# show vsan
switch# show vsan 130

To see which ports are part of which VSAN


switch# show vsan membership

To show IVR topology on VSAN

switch# show ivr


switch# show ivr vsan-topology

To find out chassis connected to main switch


switch# show fcns database detail | i chassisname prev 6 | i 'portwwn|ext'

To check LSR owner for the virtual domain representing VSAN 111 in VSAN 130
switch# show ivr internal vdri-fsm summary
switch# show ivr internal dep vsan 130
switch# show ivr internal pvm | i RSCN_OFFLINE | count
switch# show fcns data vsan 130

Look for stale domains or domain mismatch
switch# show zone internal

To check status of management interface

switch# show interface mgmt0

To check version of NX-OS and hardware info


switch# show version

To see modules installed in the switch
switch# show module

To check the status of power supply on supervisor
switch# show module internal exceptionlog

To check the status of hardware
switch# show environment

To check status of sprom backplanes
switch# show sprom backplane [1|2]

To check clock
switch# show clock

To show callhome config
switch# show callhome

To show status of interfaces in brief
switch# show interface fc1/1 [brief|detail]

To see SNMP details


switch# show snmp

To see accounting log login by different users
switch# show accounting log

To see which processes are running
switch# show process

To see the processes that are currently consuming more than 0% CPU on the switch. As this command provides a snapshot of the moment it is executed, it is often necessary to run this command multiple times for several minutes (depending on the frequency of CPU spikes)
switch# show process cpu | ex 0.0%

To produce graphical output showing CPU usage history over the last 60 secs, 60 mins, and last 72 hrs
switch# show processes cpu history

To see memory utilisation by processes

switch# show process memory


switch# show system internal platform internal memstats

To see memory stats for ports
switch# show port internal mem-stats detail

To see status of IVR merging
switch# show cfs merge status name ivr

To show licensed hostid


switch# show license hostid

To show license installed


switch# show license

To show usage of license
switch# show license usage

To show history/reason for reset of system/supervisor


switch# show system resetreason

To see the status of OS upgrade/last install
switch# show install all status
switch# show system internal log install [detail]

To see how long the system has been up since
switch# show system uptime

To check the status of internal xbar communication links between system and modules
switch# show system internal xbar all

To show details of hardware/ipc channel
switch# show hardware
switch# show hardware internal version
switch# show hardware ipc-channel status
switch# show hardware internal ipc-channel event-log
switch# show hardware internal ipc-channel info
switch# show hardware internal platform event-log
switch# show hardware internal sprom event-log

To show status of features such as ivr
switch# show system internal feature-mgr feature state

To check filesystems mounted and their sizes
switch# show system internal flash

To check status of services such as ftp/core/debug/bootflash etc
switch# show system internal urifs
switch# show system internal sysmgr service all

To check the status of supervisors
switch# show redundancy status
switch# show system internal redundancy status

To show product id/serial number of modules installed


switch# show inventory

To show internal counters
switch# show int counter brief

To show health stats
switch# show system health statistics

To show VSAN topology
switch# show topology

To show fcroute details
switch# show fcroute unicast

To show local FCS database (shows domain id, vsan id)
switch# show fcs database

To show fcs IE
switch# show fcs ie

To show internal information about flogi database
switch# show flogi internal info

To show details about fspf
switch# show fspf
switch# show fspf database
switch# show fspf interface
switch# show fspf internal info

To see zone analysis, a bit more than zone status
switch# show zone analysis active vsan 111
switch# show zone statistics vsan 111

To see event history of changes in vsans
switch# show zone internal change event-history vsan 111

To see ifindex-table in vsans
switch# show zone internal change event-history vsan 111

To set up the description of a port
switch# interface ext 1
switch# switchport description <hostname>

To set the beacon on a port
switch# interface fc1/1
switch# switchport beacon

To turn it off
switch# no switchport beacon

To change buffer to buffer credit
switch# switchport fcrxbbcredit 18

To confirm the valid power status of a power supply
switch# system internal platform internal info
For a MDS9513 Enterprise Switch a value of volt 42 indicates that a power supply is working correctly

To check port-channel (ISL) info
# show port-channel database
# show port-channel summary

How to reload (power cycle) a line card
# poweroff module 1
# no poweroff module 1
OR
# reload module 1

To reset FCIP profile
# show fcip profile all
# interface fcip 1
# shut
# no shut
# show interface gigabitethernet 1/1
# interface gigabitethernet 1/1
# shut
# no shut

Situations
Resolving enhanced zoning lock issues
Step 1
Use the show zone status vsan command to determine the lock holder. If the lock holder is on this switch, the command output shows the user. If the lock holder is on a remote switch, the command output shows the domain ID of the remote switch.
switch# show zone status vsan 6
VSAN: 6 default-zone: deny distribute: active only Interop: default
mode: enhanced merge-control: allow session: cli [admin] <---- user admin has lock
hard-zoning: enabled
If not on this switch:
VSAN: 6 default-zone: deny distribute: active only Interop: default
session: remote [dom: 239][ip: 192.168.1.1] <---- Switch with the lock

Step 2:
Log on to the switch 192.168.1.1. Use the no zone commit vsan command on the switch that holds the lock to release the lock if you are the holder of the lock.
switch# no zone commit vsan 6

Step 3:
Use the no zone commit vsan force command on the switch that holds the lock to release the lock if another user holds the lock.
switch# no zone commit vsan 6 force
Note: Verify that no valid configuration change is in progress before you clear a lock.

Step 4:
If problems persist, use the clear zone lock command to remove the lock from the switch. This should only be done on the switch that holds the lock.
switch# clear zone lock vsan 6
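
The decision made in Steps 1 to 3 above, as an added Python example (not part of the original page): it parses show zone status vsan output, identifies the lock holder, and returns the release action those steps prescribe. The two sample outputs are constructed from the cases shown in Step 1; the helper names and the handling of a missing or "none" session field are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample outputs, modelled on the two cases shown in Step 1.
LOCAL_LOCK = """\
VSAN: 6 default-zone: deny distribute: active only Interop: default
    mode: enhanced merge-control: allow session: cli [admin]
    hard-zoning: enabled
"""
REMOTE_LOCK = """\
VSAN: 6 default-zone: deny distribute: active only Interop: default
    session: remote [dom: 239][ip: 192.168.1.1]
"""

VSAN_RE = re.compile(r"VSAN:\s*(\d+)")
# "session: cli [user]" for a local holder,
# "session: remote [dom: N][ip: A.B.C.D]" for a remote one.
SESSION_RE = re.compile(
    r"session:\s*(?P<kind>\S+)"
    r"(?:\s*\[dom:\s*(?P<dom>\d+)\]\s*\[ip:\s*(?P<ip>[^\]\s]+)\])?"
    r"(?:\s*\[(?P<user>[^\]:]+)\])?"
)


@dataclass
class ZoneLock:
    vsan: int
    kind: str                      # "cli", "remote", or "none"
    user: Optional[str] = None     # local lock holder
    domain: Optional[int] = None   # domain ID of the remote holder
    ip: Optional[str] = None       # address of the remote holder


def parse_zone_status(output: str) -> ZoneLock:
    """Extract the lock holder from 'show zone status vsan N' output."""
    vsan = VSAN_RE.search(output)
    if vsan is None:
        raise ValueError("no 'VSAN:' line found")
    sess = SESSION_RE.search(output)
    if sess is None:
        # Assumption: a missing session field means no lock is held.
        return ZoneLock(int(vsan.group(1)), "none")
    dom = sess.group("dom")
    return ZoneLock(int(vsan.group(1)), sess.group("kind"), sess.group("user"),
                    int(dom) if dom else None, sess.group("ip"))


def next_step(lock: ZoneLock, me: str) -> str:
    """Map the parsed lock to the action Steps 1-3 prescribe."""
    if lock.kind == "none":
        return "no lock held"
    if lock.kind == "remote":
        return f"log on to {lock.ip} (domain {lock.domain}) and repeat Step 1"
    if lock.user == me:
        return f"no zone commit vsan {lock.vsan}"          # Step 2
    return f"no zone commit vsan {lock.vsan} force"        # Step 3


if __name__ == "__main__":
    for sample in (LOCAL_LOCK, REMOTE_LOCK):
        lock = parse_zone_status(sample)
        print(lock, "->", next_step(lock, me="admin"))
```

The forced variant is returned only when the holder is a different user, which is the case where the note in Step 3 applies.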

Resetting admin password on HP Chassis Cisco MDS 9124e switch


You will need a GUI (web browser to switchname-m) to reset the switch as well as a CLI session to hit control+C. Have 2 windows side by side: web browser and PuTTY session to switchname-m. As soon as you log in to PuTTY, it will log you off from the web browser and vice versa.

Step 1
So first log in to web browser of switchname-m.
Click on Interconnect Bay -> 3. Cisco MDS 9124e 24-Port blah -> Virtual Buttons tab on the right -> Reset

Step 2
As soon as you click okay, rush to PuTTY and log in to switchname-m, run connect interconnect 3 and hit enter twice to see the console, then keep hitting control+C like there is no tomorrow. Let someone else do this if you are slow. Once at loader prompt, type the following commands:
loader> dir bootflash:

Step 3
Boot the kickstart image.
loader> boot kickstart_image (eg: boot m9100-s2ek9-kickstartmz.3.1.3a.bin)

Step 4
Verify that you now see the boot prompt, switch(boot)#.

Step 5
Enter configuration mode:
switch(boot)# config t

Step 6
Enter a new admin password.
switch(boot)(config)# admin-password <new password>
switch(boot)(config)# exit

Step 7
View the system image in bootflash
switch(boot)# dir bootflash:
For example: m9100-s2ek9mz.3.1.3a.bin

Step 8
Load the system image.
switch(boot)# load bootflash:system_image
For example: load bootflash:m9100-s2ek9mz.3.1.3a.bin

Step 9

Verify that you now see the Cisco MDS 9124e Switch login prompt, switch login#.
If the switch comes up and admin password still doesn't work, you will need to follow up to step 10 again. Reset the admin-password again but instead of exit, run do write erase; this will erase all the configuration. And then carry on with steps 7, 8, and 9.

While configuring the switch, if you get error message Fabric is already locked what to do?
Check current locks
switch# show cfs lock
Application: flex-attach
Scope      : Physical-fc-ip
--------------------------------------------------------------------------------
Switch WWN               IP Address     User Name  User Type
--------------------------------------------------------------------------------
20:00:54:7f:ee:68:18:40  172.17.233.57  admin      CLI/SNMP v3
Total number of entries = 1
switch# clear flex-attach session
switch# show cfs lock
switch#

switch(config)# vsan database
switch(config-vsan-db)# vsan 214 interface ext 1
switch(config-vsan-db)# vsan 214 interface ext 2
switch(config-vsan-db)# vsan 214 interface ext 3
switch(config-vsan-db)# vsan 214 interface ext 4

How to switch over (failover) from active or standby supervisor and vice versa?
For high availability, you need to connect the ethernet port for both active and standby supervisors to the same network or virtual LAN. The active supervisor owns the one IP address used by these ethernet connections. On a switchover, the newly activated supervisor takes over this IP address.
switch# show module
Mod Ports Module-Type            Model            Status
--- ----- ---------------------- ---------------- -----------
1   48    1/2/4/8 Gbps FC Module DS-X9248-96K9    ok
2   48    1/2/4/8 Gbps FC Module DS-X9248-96K9    ok
7   0     Supervisor/Fabric-2a   DS-X9530-SF2AK9  ha-standby
8   0     Supervisor/Fabric-2a   DS-X9530-SF2AK9  active *

Module 8 is active as per the output

switch# show ip interface mgmt 0
mgmt0 is up
Internet address is 10.139.152.40/24
Broadcast address is 10.139.152.255

Making Module 7 active
switch# attach module 7
Attaching to module 7 ...
switch(standby)# show ip interface mgmt 0
mgmt0
Internet address is 10.139.152.40/24
Broadcast address is 10.139.152.255

After enabling the flex-attach, vpwwn doesn't come up as you would have expected. Instead of coming up with 20:01, 20:02 etc it shows 10:00s. Exact reason for this is not known but below mentioned workaround works.
You will have to disable cfs when it couldn't connect automatically to its cfs peers; you can see this by checking if it picks up other 9124e peer IPs.
switchA(config)# show cfs peers name flex-attach
Scope      : Physical-fc-ip
-------------------------------------------------------------------------
Switch WWN               IP Address
-------------------------------------------------------------------------
20:00:54:7f:ee:0c:f4:d8  192.168.1.1  [Local]
                         switchA
Total number of entries = 1
Workaround is to disable cfs and then down the bay interfaces and commit flex-attach. However you don't have the reassurance that the WWNs selected for the switch are unique on the fabric, which is what the cfs peer distribute is checking. This won't be an issue unless we are merging with another fabric in the future.
So here are the commands to do it:
switch# no cfs distribute (and select Y)
switchA# show cfs status
switchA# interface bay 1-16
switchA# shutdown
switchA# flex-attach virtual-pwwn auto interface bay 1-16
switchA# flex-attach commit
switchA# show flex-attach pending
SANSPIRE 2014. All Rights Reserved.
