CSS alternatives to IOS commands

4 06 2007

Here are some notes I made on the CSS equivalents to commonly-used IOS commands.

Note – this is based on software version 8.1, but is probably fine with versions 7.x of CSS code.

1) TFTP backup of configs (in global privileged mode):
CSS1# copy tftp <destination-file> startup-config

2) Setting TACACS, TFTP, SYSLOG, SNMP and NTP source interface:
There is no way to specify the source interface for TFTP, NTP or SYSLOG. There doesn’t appear to be a way to specify the TACACS source interface. This can be done for RADIUS, however:
CSS1(config)# radius-server source-interface ip_or_host

And for SNMP traps, you have the following options:
CSS1(config)# snmp trap-source egress-port (Use routing table to determine egress)
CSS1(config)# snmp trap-source management (Use management eth port on SCM)
CSS1(config)# snmp trap-source specified <ip addr> (Uses specified VLAN interface)

3) Setting banner:
CSS1(config)# prelogin-banner <filename>

The banner itself doesn’t actually go into the config – it has to be FTPed as an ASCII file to the CSS. Here is the “usage guidelines” section from the command reference:

Create a banner using any text editor (for example, Notepad or Wordpad). Save the file as a text file, and then FTP the file to the CSS script directory. Configure the prelogin-banner command. The next time you connect to the CSS, the pre-login banner appears. For more information, refer to the Cisco Content Services Switch Administration Guide.

4) Setting privileged exec;
There is no concept of privilege levels on a CSS. Users are either created as a standard user or a superuser.

Standard users have access to ping, traceroute and show commands for troubleshooting. They do NOT have access to view the running config (show run) or to log messages to the CLI (term mon).

Superusers enter into privileged mode straight away and have full access to everything.

Users and superusers are created as follows:
CSS1(config)# username <username> password “<password>”
CSS1(config)# username <username> password “<password>” superuser

5) Setting services config:
There is no equivalent of “service timestamps debug datetime localtime show-timezone” or “service timestamps log datetime localtime show-timezone”. Timestamping down to the millisecond is done by default, and log messages are sent to the files “boot.log” and “sys.log”. Traps are sent to the file “traplog”.

Non-US date-stamping format can be enabled by doing the following:
CSS1(config)# date european-date

There is no discernible way to put the timezone into the log messages.

There is no need for “service password-encryption” – passwords are encrypted by default and are never displayed in plain-text format.

There is no equivalent of “service linenumber”. The box doesn’t appear to have the concept of VTYs. If you need to annouce the name of the box on login, this can be done using the “preligin-banner” command mentioned earlier (section 3).

6) Setting SNMP config:
CSS1(config)# no snmp community public
CSS1(config)# no snmp community private
CSS1(config)# snmp contact "contact-me" (Note, this has to be in quotes).
CSS1(config)# snmp trap-type enterprise (enables enterprise and configure trap types)

I don’t believe that it is possible to reload a CSS over SNMP, so there is no need for a “no snmp-server system-shutdown”, but this should be checked in the MIB.

7) Setting logging config:
Logging messages are not produced on either the console or terminal lines.

Logging at level 6 can be configured for all subsystems individually, or the keyword “all” can be used. This will affect the traps and the buffer:

CSS1(config)# logging all info-6

Logging with a certain facility level is only relevant when logging to a remote host:

CSS1(config)# logging facility 7 level info-6

8) CDP:
Note that the CSS can advertise itself via CDP, but does not listen to CDP adverts nor maintain a CDP table
CSS1(config)# cdp timer (defaults to 60)
CSS1(config)# cdp holdtime (defaults to 180)
CSS1(config)# cdp run

There doesn’t appear to be an equivalent for cdp advertise-v2, but I believe the CSS advertises CDPv2 anyway.

9) Turn off HTTP server:
CSS1(config)# restrict web-mgmt

10) Turn off existing AAA configuration:
Not relevant on the CSS

11) Default logins for console, aux and vtys:
On a CSS, a username AND password is used – never just a password (as is possible in IOS). When a username and password is created in the running config, it is relevant for both the console and the telnet sessions. There is also no aux port on a CSS, so there is no need to worry about that:

CSS1(config)# username password [superuser]

Timing out of CLI, telnet sessions is done in minutes (between 0 and 65535) using:
CSS1(config)# idle timeout

There is no concept of “enable mode” in a CSS. If a user has superuser privileges, they are put into what can be considered to be “enable” mode automatically. Users without superuser privileges have no access to this at all.

12) Name server:
CSS1(config)# dns-server

13) SNMP:
Removing the unwanted communities:
CSS1(config)# no snmp community

Add a new community with either RO or RW privileges. Note that there is no way to tie an ACL to a community in a CSS. The best that can be done is to implement a system-wide ACL (see section 14):
CSS1(config)# snmp community [read-only|read-write]

SNMP trap destinations and communities can be specified as follows. Obviously prepending a “no” will remove the commands you don’t want:
CSS1(config)# snmp trap-host [snmpv2]

14) ACL for SNMP access (uDP port 161). Note that this is an untested configuration – we can try this out for you if you need us to. In this ACL we are doing the following:

– Permit the management station’s source ip through to the CSS IP address on UDP/161. If the CSS has multiple IP addresses, multiple clauses like this will be needed.

– Deny anything else to the CSS’s IP address on UDP/161

– Permit all other traffic.

– Applying the ACL to all circuits

– Enable ACLs globally.

Obviously this kind of configuration needs to be tested out carefully before being implemented on a production CSS – there is a danger that the operator might cut himself off the the process of implementation if the statments are incorrect.

CSS1(config)# acl 95
CSS1(config-acl[95])# clause 10 permit udp destination 161
CSS1(config-acl[95])# clause 20 deny udp any destination 161
CSS1(config-acl[95])# clause 20 permit any any destination
CSS1(config-acl[95])# apply all
CSS1(config-acl[95])# exit
CSS1(config)# acl enable

15) NTP Config
The CSS does not support NTP – it does SNTP instead, which will probably be sufficient for most purposes:
CSS1(config)# no sntp server
CSS1(config)# sntp primary-server (Primary server is preferred)
CSS1(config)# sntp secondary-server

There is no equivalent to “ntp broadcastdelay 3000” because as I understand it, SNTP does not use broadcast.

The format of the timezone command is as follows:
clock timezone name hour hours {before-UTC|after-UTC} {minute minutes {before-UTC|after-UTC}

I am interpreting the IOS command given as follows:
CSS1# clock timezone CST hour 6 after-UTC

Setting daylight savings is the same as IOS:
CSS1# clock tummer-time CST recurring last sunday april 02:00 last sunda october 02:00

There is no “ntp update-calendar” equivalent. You can set the date using “clock date”. Time learned from SNTP is kept by the system clock and on-board battery by default between reboots, so the command is not necessary.

16) Logging
As before:
CSS1(config)# logging facility 7 level info-6

Note that there is no “aaa new-model” equivalent. Also note that if TACACS+ is used to authenticate sessions, the server must either permit or deny the “privilege” command. If the server permits the “privilege” command, the user will get superuser-level access. Conversely, if privilege is denied, the user gets non-privileged access only.

CSS1(config)# tacacs-server
CSS1(config)# tacacs-server key ["cleartext key"|des_key]

Tell the CSS to use TACACS to authenticate, and in the event that fails, use the local user database:
CSS1(config)# virtual authentication primary tacacs
CSS1(config)# virtual authentication secondary local

References: CSS Administration Guide (8.1)




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: