1.3 Commands for the CLI

The LCOS command-line interface is operated with the following commands. Some of the available menu commands can be displayed using the HELP command.

Note: Which commands are available depends upon the equipment of the device.

Important: Some commands require special privileges in order to run, and these are listed along with the respective command. Commands that do not specify any rights have no restrictions.

Table 1. Overview of all commands available at the command line
Command	Description
`add\|set [<Path>] <Value(s)>`	Sets a configuration parameter to a particular value. If the configuration parameter is a table value, a value must be specified for each column. Entering the `` character leaves any existing table entry unchanged. Access rights*: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`add\|set [<Path>] ?`	Lists all possible input values for a configuration parameter. If no specific path is entered, the possible input values for all configuration parameters in the current directory are listed. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`beginscript [-u] [-C d]`	Resets the CLI session to script mode. In this state, commands entered are not transferred directly to the device's configuration RAM but initially to its script memory. Possible arguments are: `-u`: Forces the unconditional execution of a script or a configuration. `-C d`: Skips the default "Check for difference. Also applies when the `-u` option is used. Access rights: Supervisor-Write
`bootconfig [-s (1\|2\|all)] [-r (1\|2\|all)]`	Enables you to save and delete boot configurations. Options: `-s`: Stores the current configuration of a device either as a custom default setting (1), rollout configuration (2), or both (all). `-r`: Optionally deletes the current custom default setting (1), the rollout configuration (2), or both (all). Access rights: Supervisor-Write
`ccset`	Sets the device configuration to standards-compliant default values with respect to CC-EAL4+ (such as ISDN=off). Prerequisite for this is that the feature bit (CC-EAL) is set on the device.
`cctest [-s]`	Checks the conformity of the device to CC-EAL4+. Prerequisite for this is that the feature bit (CC-EAL) is set on the device. By adding the parameter s, the results or outputs are displayed in the syslog table.
`cd <Path>`	Switch to the current directory. Various abbreviations can be used, such as replacing `cd ../..` with `cd ...`, etc.
`default [-r] <Path>`	Resets individual parameters, tables or entire menu trees back to their default configuration. If `<PATH>` indicates a branch of the menu tree, then the option `-r` (recursive) must be entered.Access rights: Supervisor-Write
`del\|delete\|rm [<Path>] <Row>\|*`	Deletes the table row `<Row>` in the current table or the table referenced in the branch of the menu tree with `<Path>`. Enter the line number for the `<Row>`. The wildcard symbol `` deletes a table, for example, `del Config/Cron-Table `. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`deletebootlog`	Clears the contents of the persistent boot log memory.
`dir\|list\|ls\|llong\|l [-a] [-r] [-s] [<Path>] [<Filter>]`	Displays the current directory content. Possible arguments are: `-a`: In addition to the content of the query, this also lists the SNMP IDs. The output begins with the SNMP ID of the device followed by the SNMP ID of the current menu. The SNMP IDs of the subordinate items can be read from the individual entries. `-r`: Also lists all subdirectories as well as the tables they contain. `-s`: Sorts the display of the current directory; grouped by sub directories, tables, values, and actions; in ascending alphabetical order.
`do <Path> [<Parameter>]`	Executes the action in the current or the referenced directory, for example, do `Other/Coldstart`. If the action has additional parameters, they can be added at the end.
`echo <Argument>`	Displays the commands on the CLI.
`enable <Parameter>`	Extends the rights of authenticated TACACS+ users. Possible parameters are: `0`: No rights `1`: Read-only `3`: Read-write `5`: Read-only-limited Admin `7`: Read-write-limited Admin `9`: Read-only Admin `11`: Read-write Admin `15`: Supervisor (root)
`exit\|quit\|x`	Ends the terminal session.
`feature <Code>`	Activates the software option with the specified activation code. Access rights: Supervisor-Write
`find <term>`	Looks for the search <term> and outputs all menu items containing it.
`flash yes\|no`	Regulates the storing of configuration changes using the command line. By default, changes to the configuration using commands in the command line are written directly to the boot-resistant Flash memory of the devices (`yes`). If updating the configuration is suppressed in the Flash memory (`no`), changes are only stored in RAM (deleted on booting). Access rights: Supervisor-Write
`getenv <Name>`	Lists the respective environmental variables (without line feed). Please also note the command "printenv".
`history`	Displays a list of recently executed commands. Command `!#` can be used to directly call the list commands using their number (#): For example, `!3` executes the third command in the list.
`iperf [-s\|-c <Host>] [-u] [-p <Port>] [-B <Interface>] [-c] [-b [<Bandw>/]<Bandw>[kKmM]] [-l <Length>] [-t <Time>] [-d] [-r] [-L <Port>] [-h]`	Starts iPerf on the device in order to perform a bandwidth measurement with an iPerf2 remote station. Possible arguments are: Client/server `-u, --udp`: Uses UDP instead of TCP. `-p, --port <Port>`: Connects with or expects data packets on this port (default: 5001). `-B, --bind <Interface>`: Permits the connection only via the specified interface (IP address or interface name). Server specific `-s, --server`: Starts iPerf in server mode and waits for an iPerf client to contact it. Client specific `-c, --client <Host>`: Starts iPerf in client mode and connects with the iPerf server <Host> (IP address or DNS name). `-b, --bandwidth [<Bandw>/]<Bandw>{kKmM}`: Limit the [down]/up-stream bandwidth when analyzing a UDP connection. This Is specified as kilobytes (kK) or megabytes (mM) per second (default: 1 Mbps). `-l, --len <Length>`: Sets the length of the UDP data packets. `-t, --time <Time>`: Sets the duration of the connection in seconds (default: 10 seconds). `-d, --dualtest`: The test is bidirectional: the iPerf server and client send and receive at the same time. `-r, --tradeoff`: The test is sequential: the iPerf server and client send and receive one after the other. `-L, --listenport <Port>`: Specifies the port where the device in bidirectional mode expects to receive data packets from the remote iPerf server (default: 5001). Miscellaneous `-h, --help`: Outputs the help text.
`killscript <Name>`	Deletes the remaining unprocessed content of a script session Select the script session using its name. Access rights: Supervisor-Write
`language`	Selects a language for the CLI display. The command `language ?` lists the available languages.
`lig [[-i <instance>] \| [-m <server>]] [-id <num>] destination-eid [-retries <num>] [-rtg-tag <num>] [-source-eid <num>]`	LIG (Locator/ID Separation Protocol Internet Groper) is a command-line tool specified in RFC 6835 to query LISP mappings on a map resolver. Possible arguments are: `-i <instance>`: Name of the LISP instance used for the destination query `-m <server>`: LISP map server used for the destination query `-id <num>`: LISP Instance ID [0-16777215] used for the destination query `destination-eid`: Requested destination EID `-retries <num>`: LISP retries to the map server [0-10] `-rtg-tag <num>`: Routing tag used `-source-eid <num>`: Source EID used Example: `lig -i LISP-INST 172.16.200.1`
`linktest`	Only available on WLAN devices. It displays the results of the WLAN link test.Access rights: Supervisor-Write Execution right: WLAN link test
`ll2mdetect`	Searches for devices via LL2M in the LAN. Access rights: Supervisor-Write
`ll2mexec`	Sends one command per LL2M to a device in the LAN. Access rights: Supervisor-Write
`loadconfig (-s <server IP address> -f <filename>)\|<URL>`	Uploads a configuration file to the device via TFTP. You can optionally enter the server address and the file name, or the entire URL. Note: The cron table works with the user configured for it, meaning that if "loadconfig" is executed via the cron table, it will only be able to read the configuration completely if it is run with the root administrator. Access rights: Supervisor-Write
`loadfile [-a <Address>] [-s <Server-IP-address>] [-n] [-f <File-name>] [-o <File-name>] [-c <File-name>] [-p <File-name>] [-d <Passphrase>] [-C n\|d] [-m <Version>] [-u] [-x <File-name>] [-i]`	Uploads a certificate file to the device. Possible arguments are: `-a`: Specifies the source address of the file: `a.b.c.d`: Source IP address `INT`: Use the address of the first intranet interface as the source address `DMZ`: Use the address of the first DMZ interface as the source address `LBx`: Use the loopback address x (0..f) as the source address `<Interface>`: Use the address of the LAN interface <interface> as the source address `-s`: Address of the TFTP server `-n`: Ignore server name on SSL/TLS connections `-f`: <File name> of the configuration file on the TFTP server `-o`: Destination file <file name>for file download `-c`: File <file name> with the root certificate for HTTPS `-p`: File <file name> with unencrypted PKCS#12 container for HTTPS CA certificates and/or client-side authentication `-d`: <Passphrase> to decrypt downloaded encrypted PKCS#12 containers `-C`: Checks whether firmware is newer than (n) or different from (d) the current firmware `-m`: Set a minimum <version> of the firmware `-u`: Download firmware file unconditionally; skip the version check. `-x`: File <file name> with additional CA certificates for HTTPS checks; the value ' none' prevents the default certificates from being downloaded `-i`: Send Sysinfo as a POST request (for HTTP(S) only) Note: The options [-f] and [-s] and the URL cannot be used simultaneously. For HTTP(S) downloads, you must specify the source by means of a URL. The maximum length of the URL is 252 characters. Access rights: Supervisor-Write
`loadfirmware (-s <server IP address> -f <filename>)\|<URL>`	Uploads firmware to the device via TFTP. You can optionally enter the server address and the file name, or the entire URL. Access rights: Supervisor-Write
`loadscript (-s <server IP address> -f <filename>)\|<URL>`	Uploads a configuration script to the device via TFTP. You can optionally enter the server address and the file name, or the entire URL. Note: The cron table works with the user configured for it, meaning that if "loadscript" is executed via the cron table, it will only be able to read the configuration completely if it is run with the root administrator. Access rights: Supervisor-Write
`lspci`	Output of information via PCI devices Access rights: Supervisor-Read
`ping <IPv4 address\|hostname>`	Sends an ICMP echo request to the IP address specified. For more information about the command and the specifics of pinging IPv6 addresses, see the section Parameter overview for the ping command.
`ping -6 <IPv6 address>%<scope>`
`printenv`	Shows an overview of all environmental variables and their values.
`readconfig [-h] [-s <password>]`	Shows the complete configuration in the format of the device syntax. `-h`: Adds a checksum to the configuration file. `-s <password>`: Encrypts the configuration file with the use of the specified password. Access rights: Supervisor-Read
`readmib`	Display of the SNMP Management Information Base. Available only on devices without a unified MIB. Access rights: Supervisor-Read,Local-Admin-Read
`readscript [-n] [-d] [-i] [-c] [-m] [-h] [-s <password>] [-o]`	The readscript command generates a text dump of all commands and parameters required to configure the device in its current state. You can use the following option switches for this: `-n`: The text output is only numerical without identifiers. The output only contains the current status values of the configuration as well as the associated SNMP IDs. `-d`: The default values are included in the text output. `-i`: The table designations are included in the text output. `-c`: Includes any comments contained in the script file. `-m`: The text is output to the screen in a compact but difficult to read format (no indentations). `-h`: Adds a checksum to the script file. `-s <password>`: Encrypts the script file with the use of the specified password. `-o`: Replaces the passwords with a "" to obfuscate them in the text output. Access rights*: Supervisor-Read
`readstatus`	Outputs the status of all SNMP IDs for the device.
`release [-x] *\|<Interface_1…Interface_n>`	The DHCPv6 client returns its IPv6 address and/or its prefix to the DHCPv6 server. It then submits a new request for an address or prefix to the DHCPv6 server. Depending on the provider, the server assigns a new address to the client, or reassigns the previous one. Whether the client receives a different address or prefix is determined solely by the server. The option switch `-x` suppresses the confirmation message. The `*` wildcard applies the command on all of the interfaces and prefix delegations. Alternatively, you can specify one or more specific interfaces.
`repeat <Interval> <Command>`	Release IPv6 address: Repeats the specified command every `<Interval>` seconds until the process is ended with new input.
`rollout (-r\|-remove) <RelatedFile>`	Deletes the files of the user-specific rollout wizard from the file system of the device. Possible files are: `wizard`: Deletes the wizard `template`: Deletes the template `logo`: Deletes the logo `all`: Deletes the wizard, the template and the logo Access rights: Supervisor-Write
`setenv <Name> <Value>`	Sets an environmental variable to the specified value.Access rights: Supervisor-Write, Local-Admin-Write, Limited-Admin-Write
`setpass\|passwd [-u <User>][-n <new> <old>]`	Changes the password of the current user account. In order to change the password without a subsequent input prompt, use the option switch `-n` while entering the new and old password. In order to change the password of the local user account when authentication by TACACS+ is enabled, use the option switch `-u` with the name of the corresponding user. If the local user does not exist or the user name is missing, the command aborts. The user must also have supervisor rights, or authorization by TACACS must be enabled.
`show <Options> <Filter>`	Shows selected internal data, such as `admin-distance` – shows the administrative (routing) distance of all internal applications or routing protocols `bootlog` – the last boot processes `filter` – firewall filtering rules `ip-addresses` – displays all IPv4 and IPv6 addresses for the device for the LAN and WAN interfaces, along with advanced status information `ipv4-addresses` – displays all IPv4 addresses for the device for the LAN and WAN interfaces, along with advanced status information `lisp instance` – displays status information about all configured LISP instances `lisp instance [instance]` – displays status information about the LISP instance named [instance] `lisp map-cache` – displays status information about the map cache entries available for all instances `lisp map-cache [instance]` – displays status information about the map cache entries for the instance named [instance] `lisp registrations` – displays status information about the EIDs/RLOCs of all instances registered with the map server `lisp registrations [instance]` – displays status information about the EIDs/RLOCs of the instance named [instance] registered with the map server `mem`, `heap` – memory usage `VLAN` – dynamically added VLANs and VLAN memberships, e.g. added to the static configuration at runtime by CAPWAP or WLAN/802.1X `VPN` – VPN rules With additional filter arguments you can further limit the output. For an overview of all possible options, enter `show ?`. The filters available with an option are displayed by `show <option>?`, For example, `show VPN?` shows the filters available for the VPN rules. For information on displaying IPv6-specific data, read the section Overview of IPv6-specific show commands. Access rights: Supervisor-Read, Local-Admin-Read
`sleep [-u] <Value><Suffix>`	Delays the processing of configuration commands by a particular time or terminates them at a particular time. Applicable values for `<SUFFIX>` are `s`, `m` and `h` for seconds, minutes and hours. If no suffix is defined, the command uses milliseconds. With option switch `-u`, the `sleep` command accepts times in format `MM/DD/YYYY hh:mm:ss` (English) or in format `TT.MM.JJJJ hh:mm:ss` (German). Times will only be accepted if the system time has been set.
`smssend [-s <SMSC-Number>] (-d <Destination>) (-t <Text>)`	Available only on devices with 3G/4G WWAN module: Sends a text message to the destination number entered. `-s <SMSC-Number>`: Alternative SMSC phone number (optional). If you omit this part of the command, the device uses the phone number stored on the USIM card or that configured under SNMP ID 2.83. `-d <Destination>`: Destination phone number `-t <Text>`: Contents of the message with <=160 characters. For an overview of available characters, see the section Character set for sending SMS. Special characters must be in UTF8 encoded form.
`ssh [-?\|h] [-<a\|b> Loopback-Address] [-p Port] [-C] [-j Keepalive-Interval] <Host>`	Establishes an SSH connection to the <Host>. Possible arguments are: `-?\|h`: Outputs the help text. `-a\|b`: Allows a route or loopback address to be specified for the device to use if the destination can be reached via multiple routes. The function of `-a` and `-b` is identical. `-b` is the usual option used by an OpenSSH client on UNIX systems, whereas some other commands integrated into LCOS use `-a` to specify a loopback address. `-p`: Sets the <Port> of the host `-C`: Enforces compressed data transfer `-j`: Specifies how frequently the client sends a keepalive.
`sshcopyid`	To store your SSH public key using SSHAccess rights: Supervisor-Write
`sshkeygen [-h] [-q] [-t dsa\|rsa\|ecdsa] [-b <bits>] [-f <file-name>] [-R <host-name>]`	Creates or deletes the SSH key in the device. Possible arguments are: `-h`: Displays a brief help text about the available parameters `-q`: The device overrides existing keys without a prompt (quiet mode) `-t`: This parameter specifies what type of key is generated. SSH supports the following types of keys: RSA DSA ECDSA `-b`: This parameter sets the length of the RSA key in bits. If you do not specify a length, the command produces a key with a length of 1024 bits by default. `-f`: These parameters specify the mounting point of the generated key file in the device file system. The choice of mounting point depends on the type key you are generating. The choices available to you are: ssh_rsakey for RSA keys ssh_dsakey for DSA keys ssh_ecdsakey for ECDSA keys
`stop`	Ends the PING command
`sysinfo`	Shows the system information (e.g., hardware release, software version, MAC address, serial number, etc.).
`tab`	For use in script files: For the command that follows, this sets the order of the columns for the arguments in the case that the columns in the table differ from the default (e.g. a column was added).Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`telnet <Address>`	Establishes a Telnet connection to the given <address>.
`testmail <From> <To_1…To_n> [<Realname> <Subject> <Body>]`	Sends a test e-mail. A sender address and receiver address are necessary; real name, subject line and message content are optional. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`time <DateTime>`	Sets a time in format `MM/DD/YYYY hh:mm:ss`. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write Execution right: Time Wizard
`trace <Parameter> <Filter>`	Starts a trace command for output of diagnosis data. With additional filter arguments you can further limit the output. For further information on this command refer to the section Parameter overview for the trace command. Access rights: Supervisor-Read,Limited-Admin-Read,Limited-Admin-Write
`unmount [-?][-f] <Volume>`	Outputs the current volume table. `-f`: Releases the specified volume. <Volume> may be the volume ID or any mount point. `-?`: Outputs the help text.
`unsetenv <Name>`	Deletes the specified environmental variable. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`wakeup [MAC]`	Performs a Wake On LAN for the device with the MAC address [MAC].Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`who`	Lists active configuration sessions.
`writeconfig [-u] [-C d]`	Writes a new configuration on the device in the syntax format for the device. The system interprets all of the following lines as configuration values until two empty lines are read. Possible arguments are: `-u`: Forces the unconditional execution of a script or a configuration. `-C d`: Skips the default "Check for difference. Also applies when the `-u` option is used. Access rights: Supervisor-Write
`writeflash`	Load a new firmware file (only via TFTP).Access rights: Supervisor-Write
`!!`	Repeat last command
`!<num>`	Repeat command <num> times
`!<prefix>`	Repeat last command beginning with <prefix>
`#<blank>`	Comment

Legend

Characters and brackets:
- Objects, in this case dynamic or situation-dependent, are in angle brackets.
- Round brackets group command components, for a better overview.
- Vertical lines (pipes) separate alternative inputs.
- Square brackets describe optional switches.
It follows that all command components that are not in square brackets are necessary information.
<Path>:
- Describes the path name for a menu or parameter, separated by "/" or "\".
- .. means: one level higher
- . means: the current level
<Value>:
- Describes a possible input value.
- "" is a blank input value
<Name>:
- Describes a character sequence of [0…9] [A…Z] [a…z] [ _ ].
- The first character cannot be a digit.
- There is no difference between small letters and capital letters.
<Filter>:
- The output of some commands can be restricted by entering a filter expression. Filtering does not occur line by line, but in blocks, depending on the command.
- A filter expression starts with the "@" symbol by itself and ends either at the end of the line or at a ";" (semicolon) to end the current command.
- A filter expression also consists of one or more search patterns, which are separated by blank spaces and preceded either by no operator (OR pattern), a "+" operator (AND pattern) or a "-" operator (NOT pattern).
- For the execution of the command, an information block is output exactly when at least one of the "OR" patterns, all "AND" patterns or none of the "NOT" patterns matches. Capitalization is ignored.
- For a search pattern to contain characters for structuring in the filter syntax (e.g., blank characters), then the entire search pattern can be enclosed in "". Alternatively, the symbol "\" can be placed before the special characters. If you want to search for a quotation mark (") or "\", another "\" symbol has to be placed in front of it.
  Note: Entering the start of the word, if it is unique, is sufficient.

Explanations for addressing, syntax and command input

All commands and directory/parameter names can be entered using their short-forms as long as they are unambiguous. For example, the command sysinfo can be shortened to sys and cd Management to c ma. The input cd /s is not valid, however, since it corresponds to both cd /Setup and cd /Status.
Directories can be addressed with the corresponding SNMP ID. For example, the command cd /2/8/10/2 has the same effect as cd /Setup/IP-router/Firewall/Rules.
Multiple values in a table row can be changed with one command, for example in the rules table of the IPv4 firewall:
- set WINS UDP sets the protocol of the WINS rule to UDP
- set WINS UDP ANYHOST sets the protocol of the WINS rule to UDP and the destination to ANY-HOST
- set WINS * ANYHOST also sets the destination of the WINS rule to ANYHOST; the asterisk means that the protocol remains unchanged
The values in a table row can alternatively be addressed via the column name or the position number in curly brackets. The command set ? in the table shows the name, the possible input values and the position number for each column. For example, in the rules table of the firewall, the destination has the number 4:
- set WINS {4} ANYHOST sets the destination of the WINS rule to ANYHOST
- set WINS {destination} ANYHOST also sets the destination of the WINS rule to ANYHOST
- set WINS {dest} ANYHOST sets the destination of the WINS rule to ANYHOST, because specifying dest here is sufficient to uniquely identify the column name.
Names that contain spaces must be enclosed within quotation marks (““).

Command-specific help

A command-specific help function is available for actions and commands (call the function with a question mark as the argument). For example, ping ? shows the options of the integrated ping command.
Enter help or ? on the command line for a complete listing of the available shell commands.