Command line reference

After logging into the system, the user has access to all available commands, grouped into four menus, as follows:

Configuration
Statistics
Status
System

Each menu can be selected by typing its name in the console, e.g.:

.> configuration

Useful commands to navigate the console:

ls or help to list available branches (or by hitting TAB from keyboards)
. returns to the initial branch
.. returns to the previous branch
CTRL+D cancels a running command

Commands residing in cascading menus can also be executed from any location, outside their normal context menu, using the [.] prefix, provided the path and the command name is known, e.g.:

.status.device.> .configuration.interface.01
.configuration.interface.01.>

The Configuration menu is used for the administration of all the interfaces (ports) in the system. An interface must first be selected (from 01 to 32, 54 or 64 depending on the model) before configuring it:

.configuration.> interface.01
.configuration.interface.01.>

The following commands are available:

.configuration.interface.01.enable [on/off]

on enables the selected interface.
off disables the selected interface.

.configuration.interface.01.label [show/set/reset]

show displays the port label.
set sets the port label.
reset resets the port label.

.configuration.interface.01.reset

Deletes all configurations made for the selected interface and restores it to a default state. After issuing the command, the user must confirm it [yes / no].

.configuration.interface.01.show

Displays the configuration associated with the selected interface and its current status regarding the link, whether it is enabled or not, speed and duplex mode.

.configuration.interface.01.speed [value]

Sets the port speed. Available values (depending on the port): 1G, 10G, 25G, 40G, 100G, AUTO.

.configuration.interface.01.split [on/off]

This option is only available for QSFP+/QSFP28 interfaces. If set to on, the interface will be split into 4 interfaces totaling the original speed of the port before the split. If for example, the interface [50] needs to be split and its speed is set to 100G, the following 25G interfaces will be created after the split: 50.1, 50.2, 50.3, 50.4.

.configuration.interface.01.transceiver

Displays information about the SFP/QSFP transceiver present in the interface. Key metrics here are the Tx and Rx dB levels which can offer insight on whether the fiber lines are experiencing faults or even intrusion attempts.

.configuration.interface.01.tx_disable [on/off/show]

Controls the state of the TX_DISABLE SFP feature, useful in scenarios where BiDi SFP and QSFP modules are used to only receive traffic from an optic tap.

on stops the TX signal on the SFP module.
off restarts the TX signal on the SFP module.
show displays the current state of the TX_DISABLE functionality.

.configuration.interface.01.vlan [set/show/disable]

set allows the user to set an additional header tag to the frames received on the selected interface, particularly useful for aggregation purposes where it is important to know the identity of frames coming from different interfaces which are then aggregated to a single interface. If “Activate VLAN ID match check on INGRESS” is enabled by answering with “Y”, all frames received through the selected interface will be dropped at the INGRESS level (before the routing stage), except those having this tag in their header.
show displays the tag status for the selected interface.
disable removes the tag on the selected interface. After issuing the command, the user must confirm it [yes / no].

Note: Enabling tags will momentarily restart the filtering engine and will have as effect a brief brake in the output flow.

The Statistics menu is used for displaying or resetting network traffic related statistics.

.> statistics

The following commands are available:

.statistics.counter [show/reset] [port_number/all]

show displays the counters enabled in Traffic Management → Match counter id feature for the specified port number, or for all ports if all is specified.
reset resets the counter for the specified port number, or for all ports if all is specified.

.statistics.global [show/reset]

show displays the following global statistics: bytes received, bytes sent, packets received, packets sent.
reset resets the global statistics.

.statistics.interface [show/reset] [port_number/all]

show displays the full statistics for a specified interface, or, if all is specified, displays the full statistics for all interfaces.
reset resets the full statistics for a specified interface, or, if all is specified, resets the full statistics for all interfaces.

The Status menu is used for displaying the status of the main functionalities and the system itself.

.> status

The following commands are available:

.status.device.show

Displays information about the system, system temperature, PSU, and fan functionality.

.status.interface [show/tx_disable.show/vlan.show] [port_number/all]

show displays the configuration associated with the specified interface (or all interfaces if all is specified) and its current status regarding link, whether it is enabled or not, speed and duplex mode.
tx_disable.show displays the status of the TX_DISABLE functionality for the specified interface, or for all interfaces if all is specified.
vlan.show displays the current VLAN tagging configuration for the specified interface, or for all interfaces if all is specified.

.status.active_ruleset.show

Displays information about the current active rule set, giving a view of the traffic rules, filters, and load-balancing groups currently active on the device.

.status.asset_information.show

Displays the user-defined asset information for the device.

The System menu is used for administrative changes.

.> system

The following commands are available:

.system.aaa.tacacs+ [add/edit/remove/show]

XX-Series devices support remote authentication, authorization and accounting services for networked access control through a centralized server, a protocol called TACACS+. The aaa menu allows users to configure this type of access.

add allows the user to add a new TACACS+ server. Follow the prompt, using the following details:
- server: the TACACS+ server hostname or IP address. The default expected port is 49. In case this port is different, specify it using the following format: hostname:port
- login type: the type of login used in the server. Possible options are PAP, CHAP and LOGIN.
- priority: the server priority (1-5) in the user selection within the device. A server with a lower value have higher priority, so their users will be selected first in case of duplicates. Selecting 1 will configure the current server to be the first one used for authentication. Selecting 5 will configure the current server to be the last one used for authentication.
  Note: There cannot be 2 specified servers sharing the same priority.
- secret: key string used to encrypt the communication between the server and the client.
- admin minimum level: value between 15 and 0 that defines what priv_lvl is requested for an user in order to be granted admin privileges.
- user minimum level: value between 15 and 0 that defines what priv_lvl is requested for an user in order to be granted normal privileges.
  Note: this value needs to be smaller than the value used for admin minimum level.
edit allows modifying one of the previously configured TACACS+ server entries.
remove allows removing one of the previously configured TACACS+ server entries.
show allows displaying the previously configured TACACS+ server entries.
Note: Enabling TACACS+ server authentication applies for all login methods: serial, SSH and XX-Manager.

.system.asset_information [edit/reset]

edit edits the device's custom asset information.
reset removes the currently stored asset information. This operation cannot be undone.

.system.configuration [export/import]

export allows the exporting of the unit's configuration to a file, encrypted with a passphrase.
import allows the importing of a previously exported configuration file.

.system.date [ntp_server/set/show/time_mode/time_zone]

ntp_server controls the list of NTP servers that the device can use to synchronize its clock.
- add: Add a new NTP server.
- edit: Edit an existing NTP server.
- delete: Delete an existing NTP server.
- disable: Disable an existing NTP server.
- enable: Enable an existing NTP server.
- show: Display the current available NTP servers.
set allows the user to set the date and time.
show displays the date.
time_mode
- set selects how the system clock should be set. The “ntp” option will enable the NTP service to synchronize the clock from a network time server.
- show displays the current mode.
time_zone
- set controls the time zone used by the device to display its time.
- show displays the current time zone.

.system.factory_reset

Should the system become corrupted or the main parameters need to be restored to their default values, this option resets the device to the factory state and reboots the system. After issuing the command, the user must confirm it [yes / no].

Warning: In case of a factory reset, all stored Rule Set data and the Users database will be deleted.

.system.legal

Displays the product's legal information.

.system.licence [install/show]

install is used for installing a new license. The new license can be installed from USB, HTTP(S), or FTP server. In the two latter cases, the server credentials need to be passed as part of the url in the form:
```
`ftp://user:password@server/file`
```
If the username or password include special characters that cannot be expressed in the URL format, they will need to be replaced with their entity codes (e.g `@` will be `%40`). A list is available at https://dev.w3.org/html5/html-author/charref
show displays the currently installed license.

.system.network [acl/disable/set/status]

acl.policy
- set controls the device's ACL firewall's default policy. This can be set as “Whitelist” (deny any request not matching) or “Blacklist” (allow any request not matching).
- show displays the current policy.
acl.rules is used to configure the ACL entries defining the source IPv4 addresses that can or cannot access the device’s services.
- add: Create a new ACL entry on the device;
- delete: Delete an existing ACL entry on the device;
- disable: Disable an existing ACL entry on the device;
- edit: Modify an existing ACL entry on the device or its priority;
- enable: Enable an existing ACL entry on the device;
- show: Display the current ACL entries.
disable disables the Ethernet management port. The serial management port will still be operating. After issuing the command, the user must confirm it [yes].
Note: if connected through the Ethernet management port, after issuing the disable command, the session will be lost.
set allows the user to set the IP acquisition mode of the unit to either DHCP or STATIC. In case STATIC is selected, the user has to input the IPv4, network mask, gateway and DNS address.
status displays the network parameters of the unit: IP mode, link status, IP, mask, gateway and DNS.

.system.reboot

Reboots the system, keeping all configurations intact. After issuing the command, the user must confirm it [yes].

Note: Rebooting the unit will temporarily disrupt the data flow.

.system.snmp [community/enable/disable/show/trapsink/users]

Allows the user to configure the Simple Network Management Protocol.

community allows users to add or delete SNMP communities, used for establishing trust without standard credentials (only for SNMP v2c).
enable enables the feature.
disable disables the feature.
show displays whether the feature is enabled or disabled.
trapsink allows the user to add or delete hosts which SNMP notifications (traps) will be sent to (v2c and v3 support).
users is used to configure SNMPv3 users for accessing the device or creating traps.

.system.ssl_cert [renew/import]

renew creates a new SSL certificate for the XX-Manager web interface. After issuing the command, the user must confirm it [yes / no].
import allows the user to import a pre-generated SSL certificate and key to the device, required for the HTTPS web interface. After the command is issued, the user can upload from a chosen URL or from a USB device, first the new key and then the related certificate.
Note: Both key and certificate files are expected to be in PEM format. After both files have been uploaded, the system checks their validity, replaces the current versions, and restarts the web interface.

.system.syslog [clean/remote/show]

clean removes all syslogs from the system.
remote allows the configuration of remote log collection servers.
show displays all syslogs and their timestamps.

.system.update.install

This command is used for installing a new firmware image. The new image can be installed from USB, HTTP(S), or FTP server. In the two latter cases, the server credentials need to be passed as part of the url in the form:

`ftp://user:password@server/file`

If the username or password include special characters that cannot be expressed in the URL format, they will need to be replaced with their entity codes (e.g `@` will be `%40`). A list is available at https://dev.w3.org/html5/html-author/charref

.system.users [activate/block/edit/new/passwd/reset/rm/show]

activate activates an existing login user.
block prevents an existing user from login in.
edit edits the details of an existing user (username, full name, email address and role).
new creates a new user.
The following properties will be required: username, full name, email, role (viewer [default], admin, user). Depending on the selected role, the user has the following privileges:
- admin - full control, limitless administration and system update
- user - creates and sets rules, aggregate and filter traffic
- viewer - (default) view only: settings, statistics, active rules.
passwd followed by the desired username changes the login password for a certain user.
reset resets the users database.
rm followed by the desired username deletes a certain user from the user database.
show followed by either the desired username, or 'all', displays all the information for that user, or for all users: full name, email, role, and whether the user is active or not.