U Commands

undebug all

To disable all debugging, use the undebug all command.

undebug all

Syntax Description

This command has no arguments or keywords.

Command Default

None.

Command Modes


EXEC mode.

Command History

Release

Modification

1.0(2)

This command was introduced.

Usage Guidelines

Use this command to turn off all debugging.

Examples

The following example shows how to disable all debugging on the switch:


switch# undebug all

update license

To update an existing license, use the update license command in EXEC mode.

update license {url | bootflash: | slot0: | volatile:} new_license_file old_license_file

Syntax Description

update license

Updates an installed, expiring license.

url

Specifies the URL for the license file to be uninstalled.

bootflash:

Specifies the license file location in internal bootflash memory.

slot0:

Specifies the license file in the CompactFlash memory or PCMCIA card.

volatile:

Specifies the license file in the volatile file system.

new_license_file

Location or URL of the new license file.

old_license_file

Location or URL of the old license file that needs to be updated.

Command Modes


EXEC mode.

Command History

Release

Modification

1.3(2)

This command was introduced.

Examples

The following example updates a specific license:


switch# update license bootflash:sanextn2.lic sanextn1.lic
Updating sanextn1.lic:
SERVER this_host ANY
VENDOR cisco
# An example fcports license
INCREMENT SAN_EXTN_OVER_IP cisco 1.000 permanent 1 HOSTID=VDH=ABCD \
        NOTICE=<LicFileID>san_extn1.lic</LicFileID><LicLineID>0</LicLineID> \
        SIGN=33088E76F668
 
with bootflash:/sanextn2.lic:
SERVER this_host ANY
VENDOR cisco
# An example fcports license
INCREMENT SAN_EXTN_OVER_IP cisco 1.000 permanent 1 HOSTID=VDH=ABCD \
        NOTICE=<LicFileID>san_extn2.lic</LicFileID><LicLineID>1</LicLineID> \
        SIGN=67CB2A8CCAC2
 
Do you want to continue? (y/n) y
Updating license ..done

use-profile

To bind a profile to the FCIP interface, use the use-profile option. To disable a configured profile, use the no form of the option.

use-profile profile-id

no use-profile profile-id

Syntax Description

profile-id

Specifies the profile ID to be used. The range is 1 to 255.

Command Default

None.

Command Modes


Interface configuration submode.

Command History

Release

Modification

1.1(1)

This command was introduced.

Usage Guidelines

Access this command from the switch(config-if)# submode.

This command binds the profile with the FCIP interface.

Examples

The following example shows how to bind a profile to the FCIP interface:


switch# config terminal
switch(config)# interface fcip 50 
switch(config-if)# use-profile 100 
switch(config-if)# no use-profile 100

Note


Explicitly shut down the FCIP interface using the no use-profile profile-id command before unbinding the interface.


use-retry

To specify send retry details for the gRPC transport protocol, use the use-retry command. To remove the send retry details, use the no form of this command.

use-retry size buffer_size

no use-retry size

Syntax Description

size buffer_size

Send retry buffer size. Buffer size is in Mb and ranges from 10 to 1500.

Command Default

No send retry is specified.

Command Modes


Telemetry destination configuration mode (conf-tm-dest-profile)

Command History

Release

Modification

8.3(1)

This command was introduced.

Examples

This example shows how to specify send retry details for the gRPC transport protocol:


switch# configure
switch(config)# telemetry 
switch(config-telemetry)# destination-profile
switch(conf-tm-dest-profile)# use-retry size 50

This example shows how to remove the send retry details:


switch# configure
switch(config)# telemetry 
switch(config-telemetry)# destination-profile
switch(conf-tm-dest-profile)# no use-retry

user-certdn-match

To set the certificate matching, use the user-certdn-match command. To disable this feature, use the no form of the command.

user-certdn-match attribute-name attribute-name search-filter string base-DN string

no user-certdn-match attribute-name attribute-name search-filter string base-DN string

Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter

Specifies LDAP search filter. The maximum length is 128 characters.

string

Specifies search map search filter. The maximum length is 128 characters.

base-DN

Configures the base DN to be used for the search operation. The maximum length is 63 characters.

string

Specifies search map base DN name. The maximum length is 63 characters.

Command Default

None.

Command Modes


Configuration mode.

Command History

Release

Modification

NX-OS 5.0(1a)

This command was introduced.

Usage Guidelines

None.

Examples


The following example shows how to set the certificate matching:

switch(config)# ldap search-map s1
switch(config-ldap-search-map)# user-certdn-match attribute-name map1 search-filter map1 base-DN a
switch(config-ldap-search-map)#

username

To define a user, use the username command in configuration mode. To undo the configuration or revert to factory defaults, use the no form of the command.

username name [expire date | Keypair {export uri {dsa | rsa} [force] | generate {dsa | rsa} [force]} | import bootflash: uri | volatile: uri {dsa | rsa} [force] {iscsi | password [0 | 5 | 7] user-password [expire date] [role rolename] | priv-lvl privilege-level | role rolename | ssh-cert-dn distinguished-name {dsa | rsa} | sshkey {key-content | file filename}}]

no username name [expire date | Keypair export bootflash: uri | volatile: uri {dsa | rsa} [force] | generate {dsa | rsa} [force] | import bootflash: uri | volatile: uri {dsa | rsa} [force] iscsi | password [0 | 5 | 7] user-password [expire date] [role rolename] | priv-lvl privilege-level | role rolename | ssh-cert-dn distinguished-name {dsa | rsa} | sshkey {key-content | file filename}]

Syntax Description

name

Specifies the name of the user. Maximum length is 32 characters.

expire date

(Optional) Specifies the date when this user account expires (in YYYY-MM-DD format).

Keypair

(Optional) Specifies SSH (Secure shell) user keys.

export uri

Exports keypairs to bootflash or remote directory.

dsa

Specifies DSA keys.

rsa

Specifies RSA keys.

force

(Optional) Specifies the generation of keys even if previous ones are present.

generate

Generates SSH key pairs.

import

Import keypair from bootflash or remote directory.

bootflash: uri

Specifies URI or alias of the bootflash or file system to export.

volatile: uri

Specifies URI or alias of the volatile or file system to import.

iscsi

(Optional) Identifies an iSCSI user.

password

(Optional) Configures a password for the user. The password is limited to 80 characters. The minimum length is 8 characters.

0

(Optional) Specifies a clear text password for the user.

Note

From Cisco MDS NX-OS Release 8.4(1) and later, the password length is limited to 127 characters.

Note

From Cisco MDS NX-OS Release 8.4(2), the "?" character is supported in the clear text password, so the help option is not available while entering the password. After typing the password, if you type ?, you can see the help option.

5

(Optional) Specifies a strongly encrypted password for the user.

7

(Optional) Specifies an encrypted password for an ISCSI user. The encrypted password length is limited to 64 characters.

Note

From Cisco MDS NX-OS Release 8.3(1) and later, the description for the keyword 7 is modified from Encrypted password to Encrypted password for ISCSI user.

user-password

Enters the password. Maximum length is 32 characters.

role rolename

(Optional) Specifies the role name of the user. Maximum length is 32 characters.

priv-lvl privilege-level

(Optional) Specifies the privilege level. The range is from 1 to 15.

ssh-cert-dn distinguished-name

(Optional) Specifies the SSH X.509 certificate distinguished name. The maximum size is 512.

dsa

(Optional) Specifies the DSA algorithm.

rsa

(Optional) Specifies the RSA algorithm.

sshkey key_content

(Optional) Specifies the actual contents of the SSH public key in OPENSSH format.

file filename

(Optional) Specifies a file containing the SSH public key in OPENSSH format, IETF SECSH format, or Public Key Certificate in PEM format.

Command Default

None.

Command Modes


Configuration mode.

Command History

Release

Modification

1.0(2)

This command was introduced.

2.0(x)

  • Removed the update_snmpv3 option.

  • Added level 7 for passwords.

3.0(1)

Added the ssh-cert-dn, dsa, and rsa options.

5.0(1a)

Added the keypair and priv-lvl keywords to the syntax description.

8.3(1)

Description for the keyword 7 was modified from Encrypted password to Encrypted password for ISCSI user.

8.4(1)

The password character limit was modified from 80 to 127 characters.

8.4(2)

Added support to add "?" character in the clear text password.

Usage Guidelines

To change the SNMP password, a clear text CLI password is required. You must know the SNMPv3 password to change the password using the CLI.

The password specified in the username command is synchronized as the auth and priv passphrases for the SNMP user.

Deleting a user using either command results in the user being deleted for both SNMP and CLI.

User-role mapping changes are synchronized in SNMP and CLI.

The SSH X.509 certificate distinguished name (DN) is the distinguished name in the certificate. You need to extract the distinguished name from the certificate and specify the subject name as the argument to the username command.

The SSHkey is the public key that we use to authorize any remote machine to log in to the switch without the need to enter the password. Basically it is the passwordless authentication for the user who has that key. These keys are used by the SSH Server of the switch to authenticate a user.

The SSH keys will be used by the SSH client on the switch while doing an SSH/SCP to connect to the remote host from the switch. This keypair can be used to do a passwordless SSH/SCP from the switch to a remote server.

Examples

The following example shows how to configure the privilege level for a user:


switch(config)# username admin priv-lvl 13
switch(config)#

The following example shows how to generate SSH keys:


switch(config)# username admin keypair generate rsa force
generating rsa key(1024 bits).....
.generated rsa key
switch(config)#

The following example shows how to delete SSH keys:


switch(config)# no username admin keypair generate rsa force
generating rsa key(1024 bits).....
.generated rsa key
switch(config)#

The following example shows how to export a keypair to bootflash or to the volatile directory:


switch(config)# username admin keypair export bootflash:xyz rsa force
Enter Passphrase:
switch(config)#

The user can configure the same set of SSH keypairs on different switches by copying the public and private keypair to that switch and importing them using the following commands.

The following example shows how to import a keypair from the bootflash or volatile directory:


switch(config)# username admin keypair import bootflash:xyz rsa force
Enter Passphrase:
switch(config)#

The following example shows how to define a user:


switch(config)# username knuckles password testpw role bodega
switch(config)# do show user-account 
user:admin
        this user account has no expiry date
        roles:network-admin 
user:knuckles
        this user account has no expiry date
        roles:bodega

The following example configures the name for a user to log in using iSCSI authentication:


switch(config)# username iscsi

The following example places you in the mode for the specified role (techdocs). The prompt indicates that you are now in the role configuration submode. This submode is now specific to the techdocs group.


switch(config)# username role name techdocs 
switch(config-role)# 

The following example deletes the role called techdocs:


switch(config)# no username role name techdocs

The following example assigns a description to the new role. The description is limited to one line and can contain spaces:


switch(config-role)# description Entire Tech. Docs. group

The following example resets the description for the Tech. Docs. group:


switch(config-role)# no description

The following example creates or updates the user account (usam) along with a password (abcd) that is set to expire on 2009-05-31:


switch(config)# username usam password abcd expire 2009-05-31

The following example creates or updates the user account (msam) along with a password (abcd) specified in clear text (indicated by 0):


switch(config)# username msam password 0 abcd role network-operator 

The following example specifies an encrypted (specified by 5) password (!@*asdsfsdfjh!@df) for the user account (user1):


switch(config)# username user1 password 5 !@*asdsfsdfjh!@df

The following example adds the specified user (usam) to the network-admin role:


switch(config)# username usam role network-admin

The following example deletes the specified user (usam) from the vsan-admin role:


switch(config)# no username usam role vsan-admin

The following example shows how to define a distinguished name on a switch for SSH certificate authentication:


switch# config t
switch(config)# username knuckles ssh-cert-dn /CN=excal-1.cisco.com rsa
 
switch(config)# do show user-account
 
user:admin
        this user account has no expiry date
        roles:network-admin
user:knuckles
        this user account has no expiry date
        roles:network-operator
        ssh cert DN : /CN=excal-1.cisco.com; Algo: x509v3-sign-rsa

The following example specifies the SSH X.509 certificate distinguished name and DSA algorithm for an existing user account (usam):


switch(config)# username usam ssh-cert-dn usam-dn dsa

The following example specifies the SSH X.509 certificate distinguished name and RSA algorithm for an existing user account:


switch(config)# username user1 ssh-cert-dn user1-dn rsa

The following example deletes the SSH X.509 certificate distinguished name for the user account:


switch(config)# no username admin ssh-cert-dn admin-dn dsa

The following example identifies the contents of the SSH key for the specified user (usam):


switch(config)# username usam sshkey fsafsd2344234234ffgsdfg	 

The following example deletes the SSH key content identification for the user (usam):


switch(config)# no username usam sshkey fsafsd2344234234ffgsdfgffsdfsfsfssf	

The following example updates the SNMPv3 password for the specified user (joe). The local CLI password and the SNMP password are updated. If user Joe does not exist, the command fails:


switch(config)# username joe password wxyz6789 update-snmpv3 abcd1234 
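
Added example (not part of the Cisco command reference): a Python check that reviews username lines in a configuration template against the limits in the syntax description above before they are pushed to a switch. The function names and the sample lines are constructed for illustration, and treating a password without a type keyword as clear text is an assumption based on the examples above.

```python
import re
from datetime import datetime

# Limits are the ones stated in the syntax description on this page.
MIN_PASSWORD_LEN = 8
VALID_PRIV_LEVELS = {str(n) for n in range(1, 16)}

# An optional CLI prompt ("switch(config)# ") may precede the command.
LINE_RE = re.compile(r"^\s*(?:\S+#\s*)?username\s+(\S+)(.*)$")
PASSWORD_RE = re.compile(r"\spassword\s+(?:([057])\s+)?(\S+)")
EXPIRE_RE = re.compile(r"\sexpire\s+(\S+)")
PRIV_RE = re.compile(r"\spriv-lvl\s+(\S+)")


def audit_username_line(line):
    """Return the findings for one 'username' line of a config template."""
    match = LINE_RE.match(line)
    if not match:
        return []  # not a username command, or its 'no' form
    rest = match.group(2)
    findings = []
    pw = PASSWORD_RE.search(rest)
    if pw:
        enc_type, secret = pw.groups()
        # Assumption: a password with no type keyword is clear text, as in
        # the page's 'username usam password abcd' example.
        if enc_type in (None, "0"):
            findings.append("clear-text password")
            if len(secret) < MIN_PASSWORD_LEN:
                findings.append("password shorter than 8 characters")
    exp = EXPIRE_RE.search(rest)
    if exp:
        try:
            datetime.strptime(exp.group(1), "%Y-%m-%d")
        except ValueError:
            findings.append("invalid expire date")
    lvl = PRIV_RE.search(rest)
    if lvl and lvl.group(1) not in VALID_PRIV_LEVELS:
        findings.append("priv-lvl outside 1-15")
    return findings


def audit_config(text):
    """Map 1-based line number to findings for every flagged line."""
    checked = enumerate(map(audit_username_line, text.splitlines()), start=1)
    return {number: findings for number, findings in checked if findings}


# Constructed sample template, not taken from a real switch.
SAMPLE = """\
switch(config)# username usam password abcd expire 2009-05-31
switch(config)# username msam password 0 Str0ngEnough! role network-operator
username user1 password 5 CONSTRUCTED-HASH-VALUE role network-admin
username admin priv-lvl 16
username ops password 0 LongEnoughPw expire 2009-13-01
switch(config)# no username usam role vsan-admin
"""

print(audit_config(SAMPLE))
```

Lines 3 and 6 of the sample produce no findings: the first carries a type 5 password and the second is a no form.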

username (iSCSI initiator configuration and iSLB initiator configuration)

To assign a username for iSCSI login authentication, use the username command in iSCSI initiator configuration submode. To assign a username for iSLB login authentication, use the username command in iSLB initiator configuration submode. To disable this feature, use the no form of the command.

username username

no username username

Syntax Description

username

Specifies the username for iSCSI or iSLB login authentication.

Command Default

None.

Command Modes


iSCSI initiator configuration submode.

iSLB initiator configuration submode.

Command History

Release

Modification

1.3(2)

This command was introduced.

3.0(1)

Added iSLB initiator configuration submode.

Usage Guidelines

None.

Examples

The following example assigns the username for iSCSI login authentication of an iSCSI initiator:


switch# config terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# iscsi initiator name iqn.1987-02.com.cisco.initiator
switch(config-iscsi-init)# username iSCSIloginUsername
switch(config-iscsi-init)#

The following example assigns the username tester for iSLB login authentication of an iSLB initiator:


switch# config t
switch(config)# islb initiator ip-address 100.10.10.10

switch(config-iscsi-islb-init)# username ?

<WORD> Enter username <Max Size - 128>

switch(config-iscsi-islb-init)# username tester


The following example removes the username tester for an iSLB initiator:


switch(config-iscsi-islb-init)# no username tester

userprofile

To set the userprofile, use the userprofile command. To disable this feature, use the no form of the command.

userprofile attribute-name attribute-name search-filter string base-DN string

no userprofile attribute-name attribute-name search-filter string base-DN string

Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter string

Specifies search map search filter. The maximum length is 128 characters.

base-DN string

Specifies search map base-DN name. The maximum length is 128 characters.

Command Default

None.

Command Modes


Configuration mode.

Command History

Release

Modification

NX-OS 5.0(1a)

This command was introduced.

Usage Guidelines

None.

Examples


The following example shows how to set the pubkey matching:

switch(config)# ldap search-map s1
switch(config-ldap-search-map)# userprofile attribute-name map1 search-filter map1 base-DN a

Usage Guidelines

None.

Examples


The following example shows how to set the CRLLookup:

switch(config)# ldap search-map map1
switch(config-ldap-search-map)# crllook attribute-name map1 search-filter map1 base-DN DN1
GROUP_NAME: map1
CRL
ATTR_NAME: map1
SEARCH_FLTR: map1
BASE_DN: DN1
Sending the SET_REQ
switch(config-ldap-search-map)#
switch(config-ldap-search-map)# end

Command

Description

show crypto ssh-auth-map

Displays mapping filters applied for SSH authentication.

user-pubkey-match

To set the user-pubkey matching, use the user-pubkey-match command. To disable this feature, use the no form of the command.

user-pubkey-match attribute-name attribute-name search-filter string base-DN string

no user-pubkey-match attribute-name attribute-name search-filter string base-DN string

Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter

Specifies LDAP search filter. The maximum length is 128 characters.

string

Specifies search map search filter. The maximum length is 128 characters.

base-DN

Configures the base DN to be used for the search operation. The maximum length is 63 characters.

string

Specifies search map base DN name. The maximum length is 63 characters.

Command Default

None.

Command Modes


Configuration mode.

Command History

Release

Modification

NX-OS 5.0(1a)

This command was introduced.

Usage Guidelines

None.

Examples


The following example shows how to set the pubkey matching:

switch(config)# ldap search-map s1
switch(config-ldap-search-map)# user-pubkey-match attribute-name map1 search-filter map1 base-DN a
switch(config-ldap-search-map)#

user-switch-bind

To set the user-switch-bind, use the user-switch-bind command. To disable this feature, use the no form of the command.

user-switch-bind attribute-name attribute-name search-filter string base-DN string

no user-switch-bind attribute-name attribute-name search-filter string base-DN string

Syntax Description

attribute-name attribute-name

Specifies LDAP attribute name. The maximum size is 128 characters.

search-filter

Specifies LDAP search filter. The maximum length is 128 characters.

string

Specifies search map search filter. The maximum length is 128 characters.

base-DN

Configures the base DN to be used for the search operation. The maximum length is 63 characters.

string

Specifies search map base DN name. The maximum length is 63 characters.

Command Default

None.

Command Modes


Configuration mode.

Command History

Release

Modification

NX-OS 5.0(1a)

This command was introduced.

Usage Guidelines

None.

Examples


The following example shows how to set the pubkey matching:

switch(config)# ldap search-map s1
switch(config-ldap-search-map)# user-switch-bind attribute-name a search-filter a base-DN a
switch(config-ldap-search-map)#