Using Cisco archive download-sw






















Now the router will execute the configuration backup every 25th at AM. As shown in this article, configuration files are very important in day-to-day operations.

For that reason we need to save them on external servers to mitigate failure times and other problems. Other interesting features are also available in the Archive feature, but that is a topic for another blog.

PS: A special thanks to Paul for the guidance on my first blog. Martin L. Wonderful and very interesting blog; thanks for writing! Is there something similar on Cisco Wireless controllers? I meant, to back up the configuration automatically on ftp server when saving the current configuration. I can see the on Wireless controllers: commands, upload file, put the server ip address, file path, file name, username and password information and then press upload button.

But this must be done manually. My switches are archiving to my TFTP server a file with a date and time zone stamp using this command. R1 config-archive path t null.

I would prefer a date and time. My switches are set up to use a time zone and synch to a time server. Is there a way to get actual time out of a similar command? I probably don't need it. The date parameter is enough. By default Cisco devices show the time in the debugs or logging in terms of "Uptime" of the device (the time passed since the device was turned on) instead of "Datetime".

Good trick as long as you don't have a configuration management software. Is there a similar command in NX-OS? Archive only works in IOS. If you execute the command, it will always run, but you could check it with the show proc cpu command as follows:.

R1 config archive. R1 config-archive path flash:. Table info File Description. Specifies the Cisco IOS image version string suffix. Specifies the name of the Cisco IOS image in the file. Specifies the size of all the images the Cisco IOS image and the web management files in the file, which is an approximate measure of the flash memory needed.

Specifies the minimum amount of DRAM needed to run this image. Describes the family of products on which the software can be installed. You download a switch image file from a server to upgrade the switch software.

You can overwrite the current image with the new one or keep the current image after a download. You upload a switch image file to a server for backup purposes; this uploaded image can be used for future downloads to the same or another switch of the same type.

For switch stacks, the archive download-sw and archive upload-sw privileged EXEC commands can only be used through the stack master. Software images downloaded to the stack master are automatically downloaded to the rest of the stack members. Before you begin downloading or uploading an image file by using TFTP, do these tasks:. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command on the SunOS 4. For more information on the TFTP daemon, see the documentation for your workstation.

You can download a new image file and replace the current image or keep the current image. To keep the current image, follow Step 2. Optional Downloads the image files from the TFTP server to the switch, and overwrites the current image. The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present, or it aborts the process and reports an error.

If there is not enough space to install the new image and keep the current running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image on the system board flash device flash:. The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image. For filesystem , use flash: for the system board flash device.

For file-url , enter the directory name of the old image. All the files in the directory and the directory are removed. You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type. Use the upload feature only if the web management pages associated with Device Manager have been installed with the existing image.

Uploads the currently running switch image to the TFTP server. The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files.

After these files are uploaded, the upload algorithm creates the file format. You upload a switch image file to a server for backup purposes. You can use this uploaded image for future downloads to the switch or another switch of the same type. You can copy image files to or from an FTP server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list:.

The switch sends the first valid password in this list:. The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept the FTP write request from you.

Optional Assign a member number to the cluster command switch of the cluster. The member number is 0 when the switch is the cluster command switch. Enter this command on any command-capable switch that is not part of any cluster. This command fails if a device is already configured as a member of the cluster. You must name the cluster when you enable the cluster command switch.

If the switch is already configured as the cluster command switch, this command changes the cluster name if it is different from the previous cluster name. This example shows how to enable the cluster command switch, name the cluster, and set the cluster command switch member number to 4.

You can verify your setting by entering the show cluster privileged EXEC command on the cluster command switch. Use the cluster holdtime global configuration command on the cluster command switch to set the duration in seconds before a switch (either the command or cluster member switch) declares the other switch down after not receiving heartbeat messages.

Use the no form of this command to set the duration to the default value. Duration in seconds before a switch either a command or cluster member switch declares the other switch down. The range is 1 to seconds. Enter this command with the cluster timer global configuration command only on the cluster command switch. The cluster command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.

The holdtime is typically set as a multiple of the interval timer cluster timer. For example, it takes holdtime-in-secs divided by the interval-in-secs number of heartbeat messages to be missed in a row to declare a switch down. This example shows how to change the interval timer and the duration on the cluster command switch. Use the cluster member global configuration command on the cluster command switch to add candidates to a cluster. Use the no form of the command to remove members from the cluster.

H [ password enable-password ] [ vlan vlan-id ]. The number that identifies a cluster member. MAC address of the cluster member switch in hexadecimal format.

Enable password of the candidate switch. The password is not required if there is no password on the candidate switch. A newly enabled cluster command switch has no associated cluster members. Enter this command only on the cluster command switch to add a candidate to or remove a member from the cluster. If you enter this command on a switch other than the cluster command switch, the switch rejects the command and displays an error message.

You must enter a member number to remove a switch from the cluster. However, you do not need to enter a member number to add a switch to the cluster. The cluster command switch selects the next available member number and assigns it to the switch that is joining the cluster.

You must enter the enable password of the candidate switch for authentication when it joins the cluster. The password is not saved in the running or startup configuration.

After a candidate switch becomes a member of the cluster, its password becomes the same as the cluster command-switch password. If a switch does not have a configured hostname, the cluster command switch appends a member number to the cluster command-switch hostname and assigns it to the cluster member switch. This example shows how to add a switch as member 2 with MAC address 00E0.

The cluster command switch adds the candidate to the cluster through VLAN 3. This example shows how to add a switch with MAC address 00E0. This switch does not have a password. You can verify your settings by entering the show cluster members privileged EXEC command on the cluster command switch. Use the cluster outside-interface global configuration command on the cluster command switch to configure the outside interface for cluster Network Address Translation (NAT) so that a member without an IP address can communicate with devices outside the cluster.

Interface to serve as the outside interface. Valid interfaces include physical interfaces, port-channels, or VLANs. The default outside interface is automatically selected by the cluster command switch. Enter this command only on the cluster command switch. If you enter this command on a cluster member switch, an error message appears. This example shows how to set the outside interface to VLAN You can verify your setting by entering the show running-config privileged EXEC command.

Use the cluster run global configuration command to enable clustering on a switch. Use the no form of this command to disable clustering on a switch. When you enter the no cluster run command on a cluster command switch, the cluster command switch is disabled. Clustering is disabled, and the switch cannot become a candidate switch.

When you enter the no cluster run command on a cluster member switch, it is removed from the cluster. When you enter the no cluster run command on a switch that is not part of a cluster, clustering is disabled on this switch. This switch cannot then become a candidate switch. This example shows how to disable clustering on the cluster command switch:.

Use the cluster standby-group global configuration command to enable cluster command-switch redundancy by binding the cluster to an existing Hot Standby Router Protocol HSRP. Entering the routing-redundancy keyword enables the same HSRP group to be used for cluster command-switch redundancy and routing redundancy. Name of the HSRP group that is bound to the cluster.

The group name is limited to 32 characters. Optional Enable the same HSRP standby group to be used for cluster command-switch redundancy and routing redundancy. If you enter it on a cluster member switch, an error message appears. The HSRP group name must be a valid standby group; otherwise, the command exits with an error. The same group name should be used on all members of the HSRP standby group that is to be bound to the cluster.

When not binding a cluster to an HSRP group, you can use different names on the cluster commander and the members. This example shows the error message when this command is executed on a cluster command switch and the specified HSRP standby group does not exist:. This example shows the error message when this command is executed on a cluster member switch:. The output shows whether redundancy is enabled in the cluster. Use the cluster timer global configuration command on the cluster command switch to set the interval in seconds between heartbeat messages.

Use the no form of this command to set the interval to the default value. Interval in seconds between heartbeat messages. Enter this command with the cluster holdtime global configuration command only on the cluster command switch.

The holdtime is typically set as a multiple of the heartbeat interval timer cluster timer. This example shows how to change the heartbeat interval timer and the duration on the cluster command switch:. Use the copy logging onboard privileged EXEC command on the switch stack or on a standalone switch to copy on-board failure logging (OBFL) data to the local network or a specific file system.

Specify the stack member number. If the switch is a standalone switch, the switch number is 1. If the switch is in a stack, the range is 1 to 4, depending on the switch member numbers in the stack. Specify the location on the local network or file system to which the system messages are copied.

For destination, specify the destination on the local or network file system and the filename. Use the number parameter to specify the stack member number of the stack master. The range for number is 1 to 4. For information about OBFL, see the hw-module command. Use the define interface-range global configuration command to create an interface-range macro.

Use the no form of this command to delete the defined macro. Name of the interface-range macro; up to 32 characters. The macro name is a character maximum character string. All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.

When entering the interface-range , use this format:. Valid values for type and interface :. VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges. When you define a range, you must enter a space before the hyphen - , for example:. You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma ,. The space after the comma is optional, for example:.

This example shows how to create a multiple-interface macro:. Executes a command on multiple ports at the same time. Displays the current operating configuration, including defined macros. Use the delete privileged EXEC command to delete a file or directory on the flash memory device. Optional Suppress the prompt that confirms the deletion.

Optional Delete the named directory and all subdirectories and the files contained in it. The syntax for the local flash file system on the stack member or the stack master: flash:. From the stack master, the syntax for the local flash file system on a stack member: flash member number :. The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. This example shows how to remove the directory that contains the old software image after a successful download of a new image:.

You can verify that the directory was removed by entering the dir filesystem : privileged EXEC command. Downloads a new image to the switch and overwrites or keeps the existing image. Use the no form of this command to remove the specified access control entry ACE from the access list. Optional Define a match for the ARP request. When request is not specified, matching is performed against all ARP packets.

Deny the specified range of sender MAC addresses. Deny the specified range of target MAC addresses. There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command. You can add deny clauses to drop ARP packets based on matching criteria. Use the deny MAC access-list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched.

Use the no form of this command to remove a deny condition from the named MAC access list. Keyword to specify to deny any source or destination MAC address. Define a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied. Define a destination MAC address and optional subnet mask.

If the destination address for a packet matches the defined address, non-IP traffic to that address is denied. The type is 0 to , specified in hexadecimal. Optional Select a class of service CoS number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware.

A warning message reminds the user if the cos option is configured. Note Though visible in the command-line help strings, appletalk is not supported as a matching condition. To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used.

This command has no defaults. You enter MAC-access list configuration mode by using the mac access-list extended global configuration command. If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask. When an access control entry ACE is added to an access control list, an implied deny - any - any condition exists at the end of the list.

That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets. For more information about named MAC extended access lists, see the software configuration guide for this release.

Traffic matching this list is denied. This example shows how to remove the deny condition from the named MAC extended access list:. This example denies all packets with Ethertype 0x You can verify your settings by entering the show access-lists privileged EXEC command. Permits non-IP traffic to be forwarded if conditions are matched.

Displays access control lists configured on a switch. Use the diagnostic monitor global configuration command to configure the health-monitoring diagnostic testing. Use the no form of this command to disable testing and return to the default settings. Specify the module number.

Specify the time in milliseconds; valid values are 0 to Enable the generation of a syslog message when a health-monitoring test fails. Note If you are running a diagnostic test that has the reload attribute on a switch in a stack, you could potentially partition the stack depending on your cabling configuration. To avoid partitioning your stack, you should enter the show switch detail privileged EXEC command to verify the stack configuration.

This example shows how to configure the specified test to run every 2 minutes:. This example shows how to run the test on the specified switch if health monitoring has not previously been enabled:. This example shows how to set the failure threshold for test monitoring on a switch:. This example shows how to enable generating a syslog message when any health monitoring test fails:. Use the diagnostic schedule privileged EXEC command to configure the scheduling of diagnostic testing. Use the no form of this command to remove the scheduling and return to the default setting.

Specify the switch number. This command has no default settings. This example shows how to schedule diagnostic testing on a specific date and time for a specific switch:. This example shows how to schedule diagnostic testing to occur weekly at a certain time for a specific switch:. Use the diagnostic start user command to run the specified diagnostic test.

Enter the show diagnostic content command to display the test ID list. Enter the test-id-range as integers separated by a comma and a hyphen for example, 1, specifies test IDs 1, 3, 4, 5, and 6. This example shows how to start a diagnostic test on a specific switch:. This example shows how to start diagnostics test 2 on a switch that will disrupt normal system operation:. This message appears if the test can cause the switch to lose stack connectivity:.

This message appears if the test will cause a stack partition:. Use the dot1x global configuration command to globally enable IEEE Note Though visible in the command-line help strings, the credentials name keywords are not supported.

Configure the inaccessible authentication bypass parameters. For more information, see the dot1x critical global configuration command.

Enable optional guest VLAN behavior globally on the switch. IEEE You must enable authentication, authorization, and accounting AAA and specify the authentication method list before globally enabling IEEE A method list describes the sequence and authentication methods to be used to authenticate a user. Before globally enabling IEEE You can use the guest-vlan supplicant keywords to enable the optional IEEE For more information, see the dot1x guest-vlan command.

This example shows how to globally enable IEEE This example shows how to globally enable the optional guest VLAN behavior on a switch:. You can verify your settings by entering the show dot1x [ interface interface-id ] privileged EXEC command. Configures the parameters for the inaccessible authentication bypass feature on the switch.

Enables manual control of the authorization state of the port. Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum allowable authentication attempts before a port is moved to the restricted VLAN.

Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3, the default value is 3. If you reconfigure the maximum number of authentication attempts allowed by the VLAN, the change takes effect after the re-authentication timer expires. This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on port Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state.

Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. You can configure a restricted VLAN on ports configured as follows:. You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if it is disabled. If a host is connected through a hub, the port might never receive a link-down event when that host is disconnected, and, as a result, might not detect any new hosts until the next re-authentication attempt occurs.

Because the supplicant is not notified of the actual authentication failure, there might be confusion about this restricted network access. An EAP success message is sent for these reasons:. A supplicant might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication.

Until the supplicant sends the correct username and password combination, the port remains in the restricted VLAN. If you do this, a syslog message is generated. When a restricted VLAN port is moved to an unauthorized state, the authentication process restarts. If the supplicant fails the authentication process again, the authenticator waits in the held state.

After the supplicant has correctly re-authenticated, all IEEE The authenticator does not wait in a held state because the restricted VLAN configuration still exists. This example shows how to configure a restricted VLAN on port You can verify your configuration by entering the show dot1x [ interface interface-id ] privileged EXEC command. Configures the number of authentication attempts allowed before assigning a supplicant to the restricted VLAN.

Use the dot1x control-direction interface configuration command to enable the IEEE Use the both keyword or the no form of this command to return to the default setting, bidirectional mode. This example shows how to enable unidirectional control:.

This example shows how to enable bidirectional control:. You can verify your settings by entering the show dot1x all privileged EXEC command. The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears:. If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output:.

If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output:.

Displays control-direction port setting status for the specified interface. Use the dot1x credentials global configuration command to configure a profile on a supplicant switch. You must have another switch set up as the authenticator for this switch to be the supplicant.

This example shows how to configure a switch as a supplicant:. Use the dot1x critical global configuration command to configure the parameters for the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting AAA fail policy. To return to default settings, use the no form of this command.

Specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state. Set the recovery delay period in milliseconds. The range is from 1 to milliseconds.

The switch does not send an EAPOL-Success message to the host when the switch successfully authenticates the critical port by putting the critical port in the critical-authentication state. The recovery delay period is milliseconds 1 second. Use the eapol keyword to specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state.

Use the recovery delay milliseconds keyword to set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The default recovery delay period is milliseconds. A port can be re-initialized every second.

To enable inaccessible authentication bypass on a port, use the dot1x critical interface configuration command. To configure the access VLAN to which the switch assigns a critical port, use the dot1x critical vlan vlan-id interface configuration command.

This example shows how to set as the recovery delay period on the switch:. You can verify your configuration by entering the show dot1x privileged EXEC command. Enables the inaccessible authentication bypass feature, and configures the access VLAN for the feature. Use the dot1x critical interface configuration command to enable the inaccessible-authentication-bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting AAA fail policy.

You can also configure the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. To disable the feature or return to default, use the no form of this command. Enable the inaccessible-authentication-bypass recovery feature, and specify that the recovery action is to authenticate the port when an authentication server is available.

Specify the access VLAN to which the switch can assign a critical port. The range is from 1 to The inaccessible-authentication-bypass feature is disabled. To specify the access VLAN to which the switch assigns a critical port when the port is in the critical-authentication state, use the vlan vlan-id keywords.

The specified type of VLAN must match the type of port, as follows:. If the client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated. You can configure the inaccessible bypass feature and port security on the same switch port.

This example shows how to enable the inaccessible authentication bypass feature on a port:. Use the dot1x default interface configuration command to reset the IEEE This example shows how to reset the IEEE Use the dot1x fallback interface configuration command to configure a port to use web authentication as a fallback method for clients that do not support IEEE Specify a fallback profile for clients that do not support IEEE You must enter the dot1x port-control auto interface configuration command on a switch port before entering this command.

To download the AP image, use the archive command. To copy a file, use the copy command. To delete a file, use the delete command. To turn off privileged commands, use the disable command. To turn on privileged commands, use the enable command. To set the exec-timeout, use the exec-timeout command. To log commands, use the logging command. To display a file, use the more command. To halt the access point or perform a reboot, use the reload command. This keyword takes the hour, minute, day of the month, month, and year as parameters; valid values for the keywords are as follows:.

Reload after a time interval, which you should specify in terms of minutes; valid values are between 1 to minutes. To configure terminal parameters, use the terminal command. Specifies the number of lines on the screen. Valid values are between 0 to Enter 0 if you do not want the outputs to pause. Specifies the debug output to the current terminal line.


