Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4128F-ON » Manual Viewer

Dell PowerSwitch S4128F-ON OS10 Enterprise Edition User Guide Release 10.4.3.0 - Page 797

Privilege levels overview, Con privilege levels for users

View all Dell PowerSwitch S4128F-ON manuals

Add to My Manuals
Save this manual to your list of manuals

Page 797 highlights

To disable login statistics, use the no login-statistics enable command. Privilege levels overview Providing terminal access control to a switch is one method of securing the device and network. To increase security, you can allow users to access a subset of commands using privilege levels. With OS10, you can configure privilege levels, add commands to them, and restrict access to the terminal line with passwords. The system supports 16 privilege levels. The following lists the privilege levels: • Level 0-Provides users the least privilege, restricting access to basic commands. • Level 1-Provides access to a set of show commands and certain operations such as ping, traceroute, and so on. • Level 15-Provides access to all available commands for a particular user role. • Levels 0, 1, and 15-System configured privilege levels with a predefined command set. • Levels 2 to 14-Not configured. You can customize these levels for different users and access rights. Privilege levels inherit all permitted commands from all lower levels. For example, a user logged in with a particular privilege level has access to commands assigned for that privilege level and lower privilege levels as permitted by the user role. You cannot configure a privilege level lower than 2 for users assigned to the sysadmin, netadmin, and secadmin roles. You can configure users assigned to the netoperator role with privilege levels 0 or 1. After you assign commands to privilege levels, you can assign the privilege to users with the username command. Users can access those commands by switching to that privilege level using the enable command. Users can use the enable privilege-level command to switch between privilege levels. The disable command takes the user to a lower level. When a remote user logs in, OS10 checks for a match in the local system. If there is a local user as the remote user, the privilege level of the local user is applied to the remote user for the login session. If there is no match in the local system, depending on the role of the remote user, OS10 assigns default privilege levels. For sysadmin, secadmin, and netadmin roles, OS10 assigns level 15 and for the netoperator role, OS10 assigns level 1. NOTE: The role of a local user and the corresponding remote user should be the same at both remote and local ends. Configure privilege levels for users To restrict CLI access for users, create the required privilege levels, assign commands, and then assign privilege levels to users. 1 Configure privilege levels. CONFIGURATION privilege mode priv-lvl privilege-level command-string • mode-Enter the privilege mode where you are configuring the specific command. The following table lists the available privilege modes and their corresponding command modes: Privilege mode CLI mode Exec exec configure class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, or alias interface Ethernet, FC, Loopback, mgmt, null, port-group, lag, breakout, range, port-channel, VLAN route-map route-map Security 797

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.3.0	3
Getting Started	29
Supported Hardware	29
Download OS10 image and license	30
Installation using ONIE	31
Automatic installation	32
Manual installation	33
Log into OS10	34
Install OS10 license	35
Zero-touch deployment	37
ZTD DHCP server configuration	39
ZTD provisioning script	39
ZTD CLI batch file	40
Post-ZTD script	41
ZTD commands	41
Remote access	42
Configure Management IP address	43
Management Route Configuration	43
Configure user name and password	44
CLI Basics	44
User accounts	44
Key CLI features	45
CLI command modes	45
CLI command hierarchy	46
CLI command categories	46
CONFIGURATION Mode	46
Command help	46
Check device status	48
Candidate configuration	50
Change to transaction-based configuration mode	54
Copy running configuration	55
Restore startup configuration	55
Reload system image	56
Filter show commands	56
Alias command	56
Batch mode	60
Linux shell commands	61
SSH commands	61
OS9 environment commands	62
Common commands	62
alias	62
alias (multi-line)	64
batch	64
boot	65
commit	65
configure	65
copy	66
default (alias)	67
delete	67
description (alias)	68
dir	69
discard	69
do	70
feature config-os9-style	70
exit	70
hostname	71
license	71
line (alias)	72
lock	72
management route	72
move	73
no	74
reload	74
show alias	74
show boot	75
show candidate-configuration	76
show environment	78
show inventory	79
show ip management-route	79
show ipv6 management-route	80
show license status	80
show running-configuration	81
show startup-configuration	83
show system	84
show version	86
start	87
system	87
system-cli disable	87
system identifier	88
terminal	88
traceroute	88
unlock	90
write	90
System management	91
OS10 upgrade	91
Boot system partition	92
Upgrade commands	93
System banners	97
Login banner	97
MOTD banner	97
System banner commands	98
User session management	99
User session management commands	99
Telnet server	101
Telnet commands	101
Simple Network Management Protocol	102
MIBs	102
SNMP security models and levels	103
SNMPv3	104
SNMP engine ID	104
SNMP groups and users	104
SNMP views	104
Configure SNMP	104
SNMP commands	107
System clock	117
System Clock commands	117
Network Time Protocol	119
Enable NTP	120
Broadcasts	120
Source IP address	121
Authentication	121
Sample NTP configuration	122
NTP commands	125
Dynamic Host Configuration Protocol	130
Packet format and options	130
DHCP server	131
Automatic address allocation	132
Hostname resolution	133
Manual binding entries	134
Configuring a DHCP client on a non-default VRF instance	135
DHCP relay agent	136
View DHCP Information	137
System domain name and list	137
DHCP commands	138
DNS commands	144
IPv4 DHCP limitations	146
Interfaces	148
Ethernet interfaces	148
Unified port groups	148
Z9264F-ON port-group profiles	149
L2 mode configuration	151
L3 mode configuration	151
Fibre Channel interfaces	152
Management interface	153
VLAN interfaces	154
User-configured default VLAN	154
VLAN scale profile	155
Loopback interfaces	155
Port-channel interfaces	156
Create port-channel	156
Add port member	156
Minimum links	157
Assign Port Channel IP Address	157
Remove or disable port-channel	158
Load balance traffic	158
Change hash algorithm	159
Configure interface ranges	159
Switch-port profiles	160
S4148-ON Series port profiles	161
S4148U-ON port profiles	161
Configure breakout mode	163
Breakout auto-configuration	163
Forward error correction	164
Energy-efficient Ethernet	165
Enable energy-efficient Ethernet	165
Clear EEE counters	166
View EEE status/statistics	166
EEE commands	167
View interface configuration	170
Digital optical monitoring	173
Enable DOM and DOM traps	174
Interface commands	175
channel-group	175
default vlan-id	175
description (Interface)	176
duplex	176
enable dom	177
enable dom traps	177
feature auto-breakout	178
fec	178
interface breakout	179
interface ethernet	179
interface loopback	179
interface mgmt	180
interface null	180
interface port-channel	181
interface range	181
interface vlan	182
link-bundle-utilization	182
mode	182
mode l3	183
mtu	184
port mode Eth	184
port-group	185
profile	185
scale-profile vlan	186
show interface	186
show inventory media	188
show link-bundle-utilization	188
show port-channel summary	189
show port-group	190
show switch-port-profile	191
show system	191
show vlan	192
shutdown	192
speed (Fibre Channel)	193
speed (Management)	193
switch-port-profile	194
switchport access vlan	196
switchport mode	196
switchport trunk allowed vlan	197
Fibre Channel	198
Terminology	199
Virtual fabric	199
Fibre Channel zoning	202
F_Port on Ethernet	203
Pinning FCoE traffic to a specific port of a port-channel	204
Sample FSB configuration on VLT network	206
Sample FC Switch configuration on VLT network	208
Sample FSB configuration on non-VLT network	209
Sample FC Switch configuration on non-VLT network	211
Multi-hop FIP-snooping bridge	212
Configuration notes	213
Configure multi-hop FSB	213
Verify multi-hop FSB configuration	218
Sample Multi-hop FSB configuration	219
Configuration guidelines	232
F_Port commands	232
fc alias	232
fc zone	232
fc zoneset	233
feature fc	233
member (alias)	233
member (zone)	234
member (zoneset)	234
show fc alias	235
show fc interface-area-id mapping	235
show fc ns switch	235
show fc zone	236
show fc zoneset	237
zone default-zone permit	238
zoneset activate	238
NPG commands	239
fc port-mode F	239
feature fc npg	239
show npg devices	239
F_Port and NPG commands	240
clear fc statistics	240
fcoe	241
name	241
show fc statistics	242
show fc switch	242
show running-config vfabric	243
show vfabric	243
vfabric	244
vfabric (interface)	244
vlan	244
FIP-snooping commands	245
feature fip-snooping	245
fip-snooping enable	245
fip-snooping fc-map	246
fip-snooping port-mode	246
FCoE commands	247
clear fcoe database	247
clear fcoe statistics	247
fcoe-pinned-port	248
fcoe max-sessions-per-enodemac	248
fcoe priority-bits	248
lldp tlv-select dcbxp-appln fcoe	249
show fcoe enode	249
show fcoe fcf	250
show fcoe pinned-port	250
show fcoe sessions	251
show fcoe statistics	251
show fcoe system	252
show fcoe vlan	252
Layer 2	253
802.1X	253
Port authentication	254
EAP over RADIUS	255
Configure 802.1X	255
Enable 802.1X	256
Identity retransmissions	257
Failure quiet period	258
Port control mode	258
Reauthenticate port	259
Configure timeouts	260
802.1X commands	261
Far-end failure detection	265
Enable FEFD globally	267
Enable FEFD on interface	268
Reset FEFD err-disabled interface	268
Display FEFD information	268
FEFD Commands	269
Link Aggregation Control Protocol	272
Modes	272
Configuration	273
Interfaces	273
Rates	274
Sample configuration	274
LACP fallback	278
LACP commands	280
Link Layer Discovery Protocol	287
Protocol data units	288
Optional TLVs	289
Organizationally-specific TLVs	289
Media endpoint discovery	292
Network connectivity device	292
LLDP-MED capabilities TLV	293
Network policies TLVs	294
Define network policies	294
Packet timer values	295
Disable and re-enable LLDP	295
Disable and re-enable LLDP on management ports	296
Advertise TLVs	297
Network policy advertisement	297
Fast start repeat count	298
View LLDP configuration	298
Adjacent agent advertisements	299
Time to live	300
LLDP commands	301
Media Access Control	312
Static MAC Address	313
MAC Address Table	313
Clear MAC Address Table	313
MAC Commands	314
Multiple Spanning-Tree	316
Configure MSTP	317
Create instances	318
Root selection	319
Non-Dell EMC hardware	320
Region name or revision	320
Modify parameters	320
Interface parameters	321
EdgePort Forward traffic	322
Spanning-tree extensions	322
Recover BPDU guard error disabled ports	324
Setting spanning-tree link type for rapid state transitions	325
MAC flush optimization	325
MST commands	327
Rapid per-VLAN spanning-tree plus	339
Load balance and root selection	340
Enable RPVST+	340
Select root bridge	341
Root assignment	342
Loop guard	343
Global parameters	343
Setting spanning-tree link type for rapid state transitions	344
MAC flush optimization	344
RPVST+ commands	344
Rapid Spanning-Tree Protocol	353
Enable globally	353
Global parameters	355
Interface parameters	356
Root bridge selection	357
EdgePort forward traffic	357
Spanning-tree extensions	358
Setting spanning-tree link type for rapid state transitions	359
MAC flush optimization	360
RSTP commands	360
Virtual LANs	367
Default VLAN	367
Create or remove VLANs	368
Access mode	369
Trunk mode	370
Assign IP address	370
View VLAN configuration	371
VLAN commands	373
Port monitoring	374
Local port monitoring	374
Remote port monitoring	375
Encapsulated remote port monitoring	377
Flow-based monitoring	378
Remote port monitoring on VLT	379
Port monitoring commands	381
Layer 3	386
Virtual routing and forwarding	386
Configure management VRF	386
Configure non-default VRF instances	388
VRF configuration	391
View VRF instance information	395
Static route leaking	396
VRF commands	399
Bidirectional Forwarding Detection	407
BFD session states	408
BFD three-way handshake	409
BFD configuration	410
Configure BFD globally	410
BFD for BGP	411
BFD for OSPF	415
BFD for Static route	420
BFD commands	422
Border Gateway Protocol	429
Sessions and peers	430
Route reflectors	430
Multiprotocol BGP	431
Attributes	431
Selection criteria	432
Weight and local preference	433
Multiexit discriminators	433
Origin	434
AS path and next-hop	434
Best path selection	434
More path support	435
Advertise cost	436
4-Byte AS numbers	436
AS number migration	436
Configure Border Gateway Protocol	437
Enable BGP	438
Configure Dual Stack	440
Configure administrative distance	440
Peer templates	441
Neighbor fall-over	445
Configure password	446
Fast external fallover	448
Passive peering	449
Local AS	450
AS number limit	451
Redistribute routes	452
Additional paths	452
MED attributes	452
Local preference attribute	453
Weight attribute	454
Enable multipath	454
Route-map filters	454
Route reflector clusters	455
Aggregate routes	456
Confederations	456
Route dampening	457
Timers	458
Neighbor soft-reconfiguration	459
BGP commands	459
Equal cost multi-path	493
Load balancing	493
Maximum ECMP groups and paths	497
ECMP commands	497
IPv4 routing	502
Assign interface IP address	502
Configure static routing	503
Address Resolution Protocol	504
IPv4 routing commands	504
IPv6 routing	509
Enable or disable IPv6	509
IPv6 addresses	510
Stateless autoconfiguration	512
Neighbor Discovery	512
Duplicate address discovery	514
Static IPv6 routing	514
IPv6 destination unreachable	515
IPv6 hop-by-hop options	515
View IPv6 information	515
IPv6 commands	516
Open shortest path first	528
Autonomous system areas	528
Areas, networks, and neighbors	529
Router types	529
Designated and backup designated routers	530
Link-state advertisements	531
Router priority	532
Shortest path first throttling	532
OSPFv2	534
OSPFv3	567
Object tracking manager	587
Interface tracking	588
Host tracking	589
Set tracking delays	590
Object tracking	590
View tracked objects	590
OTM commands	591
Policy-based routing	594
Policy-based route-maps	594
Access-list to match route-map	594
Set address to match route-map	594
Assign route-map to interface	595
View PBR information	595
Policy-based routing per VRF	596
Configuring PBR per VRF	596
Sample configuration	597
Track route reachability	597
Use PBR to permit and block specific traffic	598
View PBR configuration	599
PBR commands	599
Virtual Router Redundancy Protocol	603
Configuration	603
Create virtual router	604
Group version	604
Virtual IP addresses	605
Configure virtual IP address	605
Configure virtual IP address in a VRF	606
Set group priority	607
Authentication	608
Disable preempt	608
Advertisement interval	609
Interface/object tracking	610
Configure tracking	610
VRRP commands	611
Multicast	617
Important notes	617
Configure multicast routing	617
Unknown multicast flood control	618
Enable multicast flood control	619
Multicast Commands	619
multicast snooping flood-restrict	619
Internet Group Management Protocol	620
Standards compliance	620
Important notes	621
Supported IGMP versions	621
Query interval	621
Last member query interval	621
Maximum response time	621

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011
1,012
1,013
1,014
1,015
1,016
1,017
1,018
1,019
1,020
1,021
1,022
1,023
1,024
1,025
1,026
1,027
1,028
1,029
1,030
1,031
1,032
1,033
1,034
1,035
1,036
1,037
1,038
1,039
1,040
1,041
1,042
1,043
1,044
1,045
1,046
1,047
1,048
1,049
1,050
1,051
1,052
1,053
1,054
1,055
1,056
1,057
1,058
1,059
1,060
1,061
1,062
1,063
1,064
1,065
1,066
1,067
1,068
1,069
1,070
1,071
1,072
1,073
1,074
1,075
1,076
1,077
1,078
1,079
1,080
1,081
1,082
1,083
1,084
1,085
1,086
1,087
1,088
1,089
1,090
1,091
1,092
1,093
1,094
1,095
1,096
1,097
1,098
1,099
1,100
1,101
1,102
1,103
1,104
1,105
1,106
1,107
1,108
1,109
1,110
1,111
1,112
1,113
1,114
1,115
1,116
1,117
1,118
1,119
1,120
1,121
1,122
1,123
1,124
1,125
1,126
1,127
1,128
1,129
1,130
1,131
1,132
1,133
1,134
1,135
1,136
1,137
1,138
1,139
1,140
1,141
1,142
1,143
1,144
1,145
1,146
1,147
1,148
1,149
1,150
1,151
1,152
1,153
1,154
1,155
1,156
1,157
1,158
1,159
1,160
1,161
1,162
1,163
1,164
1,165
1,166
1,167
1,168
1,169
1,170
1,171
1,172
1,173
1,174
1,175
1,176
1,177
1,178
1,179
1,180
1,181
1,182
1,183
1,184
1,185
1,186
1,187
1,188
1,189
1,190
1,191
1,192
1,193
1,194
1,195
1,196
1,197
1,198
1,199
1,200
1,201
1,202
1,203

Match case Limit results 1 per page

To disable login statistics, use the

no login-statistics enable

command.

Privilege levels overview

Providing terminal access control to a switch is one method of securing the device and network. To increase security, you can allow users

to access a subset of commands using privilege levels.

With OS10, you can

conﬁgure

privilege levels, add commands to them, and restrict access to the terminal line with passwords. The system

supports 16 privilege levels. The following lists the privilege levels:

•

Level 0—Provides users the least privilege, restricting access to basic commands.

•

Level 1—Provides access to a set of show commands and certain operations such as ping, traceroute, and so on.

•

Level 15—Provides access to all available commands for a particular user role.

•

Levels 0, 1, and 15—System

conﬁgured

privilege levels with a

predeﬁned

command set.

•

Levels 2 to 14—Not

conﬁgured.

You can customize these levels for

diﬀerent

users and access rights.

Privilege levels inherit all permitted commands from all lower levels. For example, a user logged in with a particular privilege level has access

to commands assigned for that privilege level and lower privilege levels as permitted by the user role.

You cannot

conﬁgure

a privilege level lower than 2 for users assigned to the

sysadmin

netadmin

, and

secadmin

roles. You can

conﬁgure

users assigned to the

netoperator

role with privilege levels 0 or 1.

After you assign commands to privilege levels, you can assign the privilege to users with the

username

command. Users can access those

commands by switching to that privilege level using the

enable

command.

Users can use the

enable privilege-level

command to switch between privilege levels. The

disable

command takes the user to

a lower level.

When a remote user logs in, OS10 checks for a match in the local system. If there is a local user as the remote user, the privilege level of

the local user is applied to the remote user for the login session. If there is no match in the local system, depending on the role of the

remote user, OS10 assigns default privilege levels. For

sysadmin

secadmin

, and

netadmin

roles, OS10 assigns level 15 and for the

netoperator

role, OS10 assigns level 1.

NOTE:

The role of a local user and the corresponding remote user should be the same at both remote and local ends.

Conﬁgure

privilege levels for users

To restrict CLI access for users, create the required privilege levels, assign commands, and then assign privilege levels to users.

Conﬁgure

privilege levels.

CONFIGURATION

privilege

mode

priv-lvl

privilege-level

command-string

•

mode

—Enter the privilege mode where you are

conﬁguring

the

speciﬁc

command. The following table lists the available privilege

modes and their corresponding command modes:

Privilege mode

CLI mode

Exec

exec

conﬁgure

class-map, DHCP, logging, monitor,

openﬂow,

policy-map, QOS, support-assist, telemetry, CoS, Tmap,

UFD, VLT, VN, VRF, WRED, or alias

interface

Ethernet, FC, Loopback, mgmt, null, port-group, lag, breakout, range, port-channel, VLAN

route-map

Security

797