Enable Portfast with SOHO switches
I have a 2960G 48-port switch with PortFast enabled.
I have a D-Link SOHO 5-port switch connected to BOTH 0/43 and 0/44 on the 2960G.
STP is blocking 0/44 and forwarding 0/43 (this is good).
If you unplug 0/43 (the forwarding port), you will see 0/44 go through the Listening > Learning > Forwarding STP states. Once it has gone through all the states (30 seconds with the default forward delay of 15), the port becomes active in the forwarding state.
–
TEST-2960G-SW#sh spanning-tree detail
VLAN0104 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, sysid 104, address 001b.5446.5500
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 1 last change occurred 00:04:43 ago
from GigabitEthernet0/44
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 1, topology change 0, notification 0, aging 300
Port 43 (GigabitEthernet0/43) of VLAN0104 is forwarding
Port path cost 4, Port priority 128, Port Identifier 128.43.
Designated root has priority 32872, address 001b.5446.5500
Designated bridge has priority 32872, address 001b.5446.5500
Designated port id is 128.43, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 152, received 1
Port 44 (GigabitEthernet0/44) of VLAN0104 is blocking
Port path cost 4, Port priority 128, Port Identifier 128.44.
Designated root has priority 32872, address 001b.5446.5500
Designated bridge has priority 32872, address 001b.5446.5500
Designated port id is 128.43, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 1, received 143
–
This is what happens when I connect both 0/43 and 0/44 (0/43 is in the forwarding state).
If only one port (0/43) is connected, I do not get BPDU packets(?)
*Mar 1 01:49:59.418 UTC: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 01:50:06.666 UTC: STP: VLAN0104 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/44 , linktype IEEE_SPANNING , enctype 2, encsize 17
*Mar 1 01:50:06.666 UTC: STP: enc 01 80 C2 00 00 00 00 1B 54 46 55 2B 00 26 42 42 03
*Mar 1 01:50:06.666 UTC: STP: Data 00000000008068001B54465500000000008068001B54465500802B0000140002000F00
*Mar 1 01:50:06.666 UTC: STP: VLAN0104 Gi0/44:0000 00 00 00 8068001B54465500 00000000 8068001B54465500 802B 0000 1400 0200 0F00
*Mar 1 01:50:06.666 UTC: STP(104) port Gi0/44 supersedes -1
*Mar 1 01:50:06.666 UTC: STP: VLAN0104 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/43 , linktype IEEE_SPANNING , enctype 2, encsize 17
*Mar 1 01:50:06.666 UTC: STP: enc 01 80 C2 00 00 00 00 1B 54 46 55 2C 00 26 42 42 03
*Mar 1 01:50:06.666 UTC: STP: Data 00000000008068001B54465500000000008068001B54465500802C0000140002000F00
*Mar 1 01:50:06.666 UTC: STP: VLAN0104 Gi0/43:0000 00 00 00 8068001B54465500 00000000 8068001B54465500 802C 0000 1400 0200 0F00
*Mar 1 01:50:06.674 UTC: STP(104) port Gi0/43 supersedes 1
*Mar 1 01:50:06.909 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/44, changed state to up
*Mar 1 01:50:07.672 UTC: STP: VLAN0104 Gi0/43 tx BPDU: config protocol=ieee
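To make the debug output above concrete, here is an added example (editor's code, not from the original post) that decodes the BPDU the switch logged on Gi0/44 from the "STP: enc" and "STP: Data" lines and flags it as the switch's own BPDU coming back. It assumes Python 3; the frame bytes and the bridge address 001b.5446.5500 are taken from the output above, and the rule that port MACs share the bridge address's first five bytes is inferred from the two source MACs (...55:2b and ...55:2c) in the debug, not from documentation.

```python
import struct

# From the "show spanning-tree detail" output above: the 2960G's bridge address.
LOCAL_BRIDGE_MAC = "00:1b:54:46:55:00"

# Copied from the "STP: enc ..." and "STP: Data ..." debug lines above:
# the BPDU the switch received on Gi0/44 (frame header, then the 35-byte BPDU).
ENC_HEX = "01 80 C2 00 00 00 00 1B 54 46 55 2B 00 26 42 42 03"
DATA_HEX = "00000000008068001B54465500000000008068001B54465500802B0000140002000F00"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_bridge_id(raw: bytes) -> dict:
    """802.1D bridge ID: 16-bit priority field followed by a 48-bit MAC. With the
    802.1t extension Catalyst PVST+ uses, the low 12 bits carry the VLAN ID."""
    prio_field = struct.unpack("!H", raw[:2])[0]
    return {"priority": prio_field & 0xF000,   # 32768 (the default) here
            "sysid_ext": prio_field & 0x0FFF,  # 104 = VLAN0104
            "mac": mac_str(raw[2:8])}


def parse_config_bpdu(data: bytes) -> dict:
    """Decode an IEEE 802.1D configuration BPDU (35 bytes after the LLC header)."""
    if len(data) < 35:
        raise ValueError("configuration BPDU is 35 bytes")
    proto, version, bpdu_type, flags = struct.unpack("!HBBB", data[:5])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError(f"not a configuration BPDU (proto={proto}, type={bpdu_type:#x})")
    root_path_cost = struct.unpack("!I", data[13:17])[0]
    port_id, msg_age, max_age, hello, fwd_delay = struct.unpack("!HHHHH", data[25:35])
    return {
        "version": version,
        "topology_change": bool(flags & 0x01),
        "tc_ack": bool(flags & 0x80),
        "root": parse_bridge_id(data[5:13]),
        "root_path_cost": root_path_cost,
        "bridge": parse_bridge_id(data[17:25]),
        "port_priority": port_id >> 8,
        "port_number": port_id & 0xFF,
        # timer fields are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def parse_frame(enc_hex: str, data_hex: str) -> dict:
    """Split the 17-byte 802.3/LLC encapsulation (dst, src, length, DSAP/SSAP/ctrl)
    from the BPDU body and decode both."""
    enc = bytes.fromhex(enc_hex)
    return {"dst": mac_str(enc[0:6]),
            "src": mac_str(enc[6:12]),
            "length": struct.unpack("!H", enc[12:14])[0],
            "llc": enc[14:17].hex(),
            "bpdu": parse_config_bpdu(bytes.fromhex(data_hex))}


def is_reflected_bpdu(frame: dict, local_mac: str) -> bool:
    """Heuristic: the BPDU names our own bridge as both root and sender, and the
    source MAC is one of our own port MACs (same first five bytes as the bridge
    address, as the two debug frames above show). That only happens when our own
    BPDU is flooded back to us, i.e. a loop through a device that forwards BPDUs
    without running STP."""
    bpdu = frame["bpdu"]
    base = local_mac.rsplit(":", 1)[0]
    return (bpdu["root"]["mac"] == local_mac
            and bpdu["bridge"]["mac"] == local_mac
            and frame["src"].rsplit(":", 1)[0] == base)


if __name__ == "__main__":
    frame = parse_frame(ENC_HEX, DATA_HEX)
    b = frame["bpdu"]
    print(f"BPDU from {frame['src']} (port {b['port_number']}): root "
          f"{b['root']['priority'] + b['root']['sysid_ext']}/{b['root']['mac']}, "
          f"timers hello={b['hello_time']} maxage={b['max_age']} fwd={b['forward_delay']}")
    print("reflected BPDU (loop through a non-STP device):",
          is_reflected_bpdu(frame, LOCAL_BRIDGE_MAC))
```

Run it and it reports root 32872/00:1b:54:46:55:00, port 43, timers 2/20/15 and "reflected: True": the BPDU that arrived on 0/44 was transmitted by 0/43 and flooded straight through the D-Link, which does not run STP. That is the only reason STP can block 0/44 here. It is also why PortFast on ports facing unmanaged switches is risky: PortFast skips listening and learning, so a second cable into the same SOHO switch forwards immediately and loops until a BPDU arrives; pairing PortFast with spanning-tree bpduguard enable err-disables the port the moment a BPDU shows up instead.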
Cisco Nexus Basic Config
Here are some basic configs for the Cisco Nexus platform. I just started managing Nexus switches and immediately realized how quickly these switches can scale: you can have a huge data center with lots of 10 Gb connectivity using basically the same core configs.
vpc domain 1
 role priority 8192
 peer-keepalive destination 172.31.1.254 source 172.31.1.253 vrf vpc-keepalive
 peer-gateway

interface port-channel1001
 switchport
 switchport mode trunk
 vpc peer-link
 spanning-tree port type network

interface Ethernet1/1
 switchport
 switchport mode trunk
 channel-group 1001 mode active
 no shutdown

interface Ethernet1/2
 switchport
 switchport mode trunk
 channel-group 1001 mode active
 no shutdown

interface port-channel20
 vpc 20

fex 30
 pinning max-links 1
 description "N2K"

interface port-channel30
 switchport mode fex-fabric
 vpc 30
 fex associate 30

interface Ethernet1/4
 fex associate 30
 switchport mode fex-fabric
 channel-group 30
In port-channel30, note the FEX-related commands: switchport mode fex-fabric and fex associate 30 on both the port-channel and its member Ethernet1/4. Once the FEX is up, its host ports appear on the parent as:
interface Ethernet30/1/1
interface Ethernet30/1/2
interface Ethernet30/1/3
Cisco TACACS example config
aaa new-model
!
!
aaa authentication login vty group tacacs+ local-case
Login method list named "vty": for VTY sessions use TACACS+, then fall back to the local user database with case-sensitive usernames. The fallback is used only when no TACACS+ server answers, not when TACACS+ rejects the credentials.
aaa authorization exec vty group tacacs+ local
Exec authorization list named "vty" (permission to start a shell): TACACS+, then the local user database.
aaa accounting exec vty start-stop group tacacs+
aaa accounting commands 0 vty start-stop group tacacs+
aaa accounting commands 1 vty start-stop group tacacs+
aaa accounting commands 15 vty start-stop group tacacs+
Accounting lists named "vty" for the exec shell and for commands at privilege levels 0, 1 and 15, sent to TACACS+. start-stop sends a start record when the shell or command begins and a stop record when it ends; the session is not held waiting for the server to acknowledge the start record (compare wait-start, which does wait).
aaa session-id common
Use the same session ID in every accounting record (start, stop, interim) of a given session, so the records can be correlated on the TACACS+ server.
tacacs-server host 10.3.3.51 timeout 5
tacacs-server host 10.3.3.52
tacacs-server directed-request
tacacs-server key 7 removed
line con 0
stopbits 1
line vty 0 4
password 7
authorization exec vty
accounting commands 0 vty
accounting commands 1 vty
accounting commands 15 vty
accounting exec vty
login authentication vty
transport input ssh
line vty 5 15
password 7
authorization exec vty
accounting commands 0 vty
accounting commands 1 vty
accounting commands 15 vty
accounting exec vty
login authentication vty
transport input ssh
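The key 7 and password 7 values are redacted above for good reason: Cisco type 7 is reversible obfuscation, not encryption. The added example below (editor's code, not from the original post; the table and algorithm are the long-published ones) decodes and encodes type 7 strings and scans a config backup for them. The sample config and the secrets in it ("cisco", "vtyPass123") are constructed for the demonstration.

```python
import re

# The well-known Cisco type 7 translation table (53 bytes). A two-digit decimal
# seed picks the starting offset; each secret byte is XORed with the next table byte.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext of a 'password 7' / 'key 7' string."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    clear = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(body))
    return clear.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce what IOS would store for 'password 7' (IOS picks seeds 0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


TYPE7_LINE = re.compile(r"^(?P<line>.*\b(?:password|key)\s+7\s+(?P<enc>[0-9A-Fa-f]{4,}))\s*$")


def find_type7_secrets(config: str) -> list:
    """Audit a config backup: return (config line, recovered cleartext) for
    every type 7 secret in it. Type 5 (MD5) enable secrets are not matched."""
    found = []
    for line in config.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            found.append((m["line"].strip(), type7_decode(m["enc"])))
    return found


# Constructed sample (not the author's config): the redacted values above are
# replaced with type 7 strings for the key "cisco" and a vty password.
SAMPLE_CONFIG = f"""\
tacacs-server host 10.3.3.51 timeout 5
tacacs-server host 10.3.3.52
tacacs-server key 7 0822455D0A16
enable secret 5 $1$notType7$notRecoverableThisWay
line vty 0 4
 password 7 {type7_encode("vtyPass123", seed=11)}
 login authentication vty
"""

if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{line!r} -> {secret!r}")
```

Anything stored with service password-encryption or key 7 is therefore cleartext to whoever can read the backup. For TACACS+ keys use the newer tacacs server form with a type 6 key (key config-key password-encrypt plus password encryption aes), and keep backups where only administrators can read them. Note also that with login authentication vty in place the line password 7 entries are never consulted for login, yet they still sit in the backup as recoverable secrets.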
Copying IOS images via ROMMON mode
Hopefully you have Internet access if you ever need to copy an IOS image via ROMMON mode, but in case I am ever really in a jam and the only Internet access I have is my iPhone…
Here are the ROMMON mode commands for some Cisco devices:
On 2800 router:
Sample Output for Recovering the System Image (tftpdnld)
rommon 16 > IP_ADDRESS=171.68.171.0
rommon 17 > IP_SUBNET_MASK=255.255.254.0
rommon 18 > DEFAULT_GATEWAY=171.68.170.3
rommon 19 > TFTP_SERVER=171.69.1.129
rommon 20 > TFTP_FILE=c2801-is-mz.113-2.0.3.Q
rommon 21 > tftpdnld
IP_ADDRESS: 171.68.171.0
IP_SUBNET_MASK: 255.255.254.0
DEFAULT_GATEWAY: 171.68.170.3
TFTP_SERVER: 171.69.1.129
TFTP_FILE: c2801-is-mz.113-2.0.3.Q
Invoke this command for disaster recovery only.
WARNING: all existing data in all partitions on flash will be lost!
Do you wish to continue? y/n: [n]: y
Receiving c2801-is-mz.113-2.0.3.Q from 171.69.1.129 !!!!!.!!!!!!!!!!!!!!!!!!!.!!
File reception completed.
Copying file c2801-is-mz.113-2.0.3.Q to flash.
Erasing flash at 0x607c0000
program flash location 0x60440000
rommon 22 >
On a 2600 router:
confreg
console baud: 115200
Reboot and open a new console session with the speed set to 115200, then:
xmodem -c c2600-is-mz.122-10a.bin
On 3600 router:
rommon 2 > confreg
do you wish to change the configuration? y/n [n]: y
enable “diagnostic mode”? y/n [n]: n
enable “use net in IP bcast address”? y/n [n]: n
disable “load rom after netboot fails”? y/n [n]: n
enable “use all zero broadcast”? y/n [n]: n
enable “break/abort has effect”? y/n [n]: n
enable “ignore system config info”? y/n [n]: n
change console baud rate? y/n [n]: y
enter rate: 0 = 9600, 1 = 4800, 2 = 1200, 3 = 2400
4 = 19200, 5 = 38400, 6 = 57600, 7 = 115200 [7]: 7
change the boot characteristics? y/n [n]: y
enter to boot:
0 = ROM Monitor
1 = the boot helper image
2-15 = boot system
[0]: 0
Configuration Summary
enabled are:
load rom after netboot fails
console baud: 115200
boot: the ROM Monitor
do you wish to change the configuration? y/n [n]: n
You must reset or power cycle for new config to take effect
rommon 2 > reset
On a 2900XL switch:
copy xmodem: flash:c3500XL-c3h2s-mz.120-5.1.XP.bin
boot flash:c2900XL-hs-mz.112-8.6-SA6.bin
http://www.cisco.com/en/US/products/hw/routers/ps259/products_tech_note09186a008015bfac.shtml
http://www.cisco.com/en/US/products/hw/switches/ps607/products_tech_note09186a0080094955.shtml
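tftpdnld and xmodem copy whatever bytes they are handed, and tftpdnld erases flash before doing so; neither checks that the image is the right one or intact, and a TFTP server reached through a tethered phone is not a trusted path. The added example below (editor's code, not from the Cisco notes above) is the pre-flight check to run on the TFTP/xmodem host first: it parses the image name into platform, feature set and version and compares the file's MD5 with the hash published on Cisco's download page. The image bytes and hash used in the demonstration are constructed placeholders. After the router boots, verify /md5 flash:<image> <hash> repeats the check on the device itself.

```python
import hashlib
import re

# IOS image names are platform-featureset-format.version[.bin], e.g. the
# c2801-is-mz.113-2.0.3.Q and c2600-is-mz.122-10a.bin used above.
IMAGE_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)-(?P<feature_set>[A-Za-z0-9]+)-(?P<format>[a-z]+)"
    r"\.(?P<version>.+?)(?:\.bin)?$"
)


def ios_version(raw: str) -> str:
    """Turn the file-name form '122-10a' into the 'show version' form '12.2(10a)'."""
    head, _, rest = raw.partition("-")
    major, minor = int(head[:-1]), int(head[-1])
    tokens = [t for t in re.split(r"[.\-]", rest) if t]
    maint = ".".join(t for t in tokens if t[0].isdigit())   # 10a, 5.1, 2.0.3, 8.6
    train = "".join(t for t in tokens if t[0].isalpha())    # XP, Q, SA6
    return f"{major}.{minor}({maint}){train}"


def parse_image_name(filename: str) -> dict:
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised IOS image name: {filename!r}")
    return {"platform": m["platform"], "feature_set": m["feature_set"],
            "format": m["format"], "version": ios_version(m["version"])}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def preflight(filename: str, image: bytes, expected_md5: str, rommon_platform: str) -> list:
    """Checks to run on the TFTP/xmodem host *before* tftpdnld erases flash: the
    image is for this platform and its MD5 matches the hash published on the
    Cisco download page (expected_md5 is supplied by the operator). Returns a
    list of problems; empty means go ahead."""
    problems = []
    try:
        info = parse_image_name(filename)
    except ValueError as exc:
        return [str(exc)]
    if info["platform"].lower() != rommon_platform.lower():
        problems.append(f"image is for {info['platform']}, device is {rommon_platform}")
    digest = md5_hex(image)
    if digest != expected_md5.lower():
        problems.append(f"MD5 mismatch: file {digest}, expected {expected_md5.lower()}")
    return problems


if __name__ == "__main__":
    # Constructed placeholder, not a real IOS image.
    image = b"constructed placeholder, not a real IOS image"
    print(parse_image_name("c2600-is-mz.122-10a.bin"))
    print(preflight("c2600-is-mz.122-10a.bin", image, md5_hex(image), "c2600"))
    print(preflight("c2600-is-mz.122-10a.bin", image, "0" * 32, "c2801"))
```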
Configuring Cisco 3750 sw in stack mode
Some commands:
show switch
remote command <stack-member-number> show version
These are the steps I did:
1) Ensure both switches have the same IOS version.
2) On the master switch:
switch 1 provision ws-c3750-xx
switch 1 priority 15
3) Console into the second switch:
write erase
delete flash:vlan.dat
4) Connect the stack cables.
5) Verify the stack has been formed via the sh switch command.
6) On the second switch:
switch 1 provision ws-c3750-xx
switch 1 priority 10
http://www.ehow.com/how_5464290_configure-cisco-stackwise.html
http://www.thegeekstuff.com/2011/06/upgrade-cisco-ios-image/
http://www.xpresslearn.com/cisco/cisco-3750-access-switch-stacking-quick-reference
Cisco CCNA Security notes
ACLs using the keyword established are not a substitute for a stateful firewall. The established keyword only checks whether the ACK or RST bit is set in the TCP header, without reference to any earlier packet. In other words, as long as one of those bits is set and the other criteria in the ACL entry match, the router allows the packet; it does not check whether a proper TCP three-way handshake took place. It is therefore easy to get past such an ACL with a packet-crafting tool (this is exactly what an ACK scan does).
MD5 is considered less secure than SHA-1 (both are now considered weak; use SHA-2 where the platform supports it).
IPsec sits at Layer 3, so it can protect all application traffic. It is more secure than SSL VPN; SSL VPN provides easier deployment and ease of use.
Authentication Header (AH): IP protocol 51, provides data authentication and integrity but not confidentiality. It ensures data sent from Router A to Router B has not been modified; the check also covers the immutable fields of the IP header, which is why AH does not survive NAT.
Encapsulating Security Payload (ESP): IP protocol 50, provides confidentiality by encrypting the IP payload (the whole original packet in tunnel mode). ESP can also provide integrity and authentication of the encrypted payload, which is why ESP alone is the usual choice.
IPsec framework choices:
IPsec protocol: ESP, ESP+AH, AH
Encryption: DES, 3DES, AES
Integrity/authenticity: MD5, SHA
Diffie-Hellman: DH1, DH2, DH5, DH7
Authentication: PSK, certificate
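The point about established is easiest to see with packets in hand. The added example below (editor's code, not from the CCNA notes) builds raw TCP headers, applies the established test exactly as an ACL does, and compares it with a minimal stateful check that remembers outbound SYNs. The addresses and flows are constructed, and the inspector is a toy, not IOS CBAC or the zone-based firewall.

```python
import struct
from collections import namedtuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
Packet = namedtuple("Packet", "src dst sport dport flags")


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Build a bare 20-byte TCP header (no IP header; checksum left at zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def parse_tcp(src: str, dst: str, raw: bytes) -> Packet:
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return Packet(src, dst, sport, dport, off_flags & 0x1FF)


def acl_established(pkt: Packet) -> bool:
    """What 'permit tcp any any established' tests: ACK or RST set in *this*
    packet. Nothing about earlier packets is consulted."""
    return bool(pkt.flags & (TCP_ACK | TCP_RST))


class StatefulInspector:
    """Minimal stateful check: an inbound packet is allowed only if an outbound
    SYN for the mirrored 4-tuple was seen first."""

    def __init__(self):
        self.pending = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.flags & TCP_SYN and not pkt.flags & TCP_ACK:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.pending


# Constructed addresses (documentation ranges), not from the page.
INSIDE, OUTSIDE, ATTACKER = "10.0.0.5", "203.0.113.7", "198.51.100.9"


def run_demo() -> dict:
    """Constructed traffic: one legitimate outbound HTTPS connection, then
    unsolicited inbound packets from an outside host, judged both ways."""
    fw = StatefulInspector()
    fw.outbound(parse_tcp(INSIDE, OUTSIDE, tcp_header(40000, 443, TCP_SYN)))
    inbound = {
        "server SYN/ACK reply": parse_tcp(OUTSIDE, INSIDE, tcp_header(443, 40000, TCP_SYN | TCP_ACK)),
        "crafted ACK probe to ssh": parse_tcp(ATTACKER, INSIDE, tcp_header(1234, 22, TCP_ACK)),
        "crafted RST probe to ssh": parse_tcp(ATTACKER, INSIDE, tcp_header(1234, 22, TCP_RST)),
        "plain SYN scan of ssh": parse_tcp(ATTACKER, INSIDE, tcp_header(1234, 22, TCP_SYN)),
    }
    return {name: {"established_acl": acl_established(p), "stateful": fw.inbound_allowed(p)}
            for name, p in inbound.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28} ACL established: {verdict['established_acl']!s:5} "
              f"stateful: {verdict['stateful']}")
```

The crafted ACK and RST probes pass the ACL and fail the stateful check; nmap's ACK scan (-sA) is precisely this probe, used to map which ports a stateless ACL lets through.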
Cisco logging commands template
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 notifications
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
ntp server 1.1.1.1
ntp update-calendar
For the core switch/router:
ntp server 1.1.1.1
ntp server 2.2.2.2 prefer
ntp master 8
ntp update-calendar
To see when an interface goes up/down on a Cisco 4500 switch:
https://supportforums.cisco.com/thread/2027887
logging event link-status default
or
logging event link-status global
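Why the ntp lines belong in the template: every timestamp in the console output on this page starts with "*", which IOS uses to say the clock is not authoritative, so those times cannot be correlated with anything else. The added example below (editor's code, not from the original page) parses IOS syslog lines in the format the service timestamps commands above produce, reads the clock flag and the severity, and keeps only messages at the buffer's notifications (5) level or above. The first three sample lines are copied from this page; the last two are constructed.

```python
import re
from datetime import datetime

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# "service timestamps log datetime msec localtime show-timezone" produces e.g.
# "*Mar 1 01:49:59.418 UTC: %SYS-5-CONFIG_I: ...". A leading "*" means the clock
# is not authoritative (never set or synced); "." means NTP sync was lost.
LINE_RE = re.compile(
    r"^(?P<clock>[*.]?)(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?:\s+(?P<tz>[A-Z]{2,5}))?:\s+%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
CLOCK_STATE = {"": "authoritative", "*": "not authoritative", ".": "sync lost"}


def parse_syslog_line(line: str, year: int = None):
    """Return the fields of one IOS syslog line, or None for non-syslog output
    (debug lines such as 'STP: ...' carry no %FACILITY-SEV-MNEMONIC tag).
    IOS omits the year unless 'service timestamps ... year' is set, so the
    caller supplies it; the current year is assumed otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = " ".join(m["ts"].split())
    fmt = "%b %d %H:%M:%S.%f" if "." in ts else "%b %d %H:%M:%S"
    when = datetime.strptime(ts, fmt).replace(year=year or datetime.now().year)
    return {"time": when, "tz": m["tz"], "clock": CLOCK_STATE[m["clock"]],
            "facility": m["facility"], "severity": int(m["severity"]),
            "severity_name": SEVERITY[int(m["severity"])],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def triage(lines, max_severity: int = 5) -> dict:
    """Keep messages at or above the 'notifications' (5) threshold used by the
    logging buffered line above, and count lines whose timestamps cannot be
    trusted for correlation with other systems."""
    kept, untrusted = [], 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        if rec["clock"] != "authoritative":
            untrusted += 1
        if rec["severity"] <= max_severity:
            kept.append(rec)
    return {"kept": kept, "untrusted_timestamps": untrusted}


# Sample: the first three lines are copied from the console output on this page;
# the last two are constructed (a synced clock, and a non-syslog debug line).
SAMPLE_LOG = [
    "*Mar 1 01:49:59.418 UTC: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 1 01:50:06.909 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/44, changed state to up",
    "*Jan 5 19:32:18.179: %HA_EM-6-LOG: LOW_IO_MEM: LOW MEMORY DETECTED. Please wait - logging information to flash:low_mem.txt",
    "Mar 1 02:10:00.123 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/43, changed state to down",
    "*Mar 1 01:50:06.666 UTC: STP: VLAN0104 rx BPDU: config protocol = ieee, packet from GigabitEthernet0/44",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["kept"]:
        print(f"{rec['time']:%b %d %H:%M:%S} [{rec['clock']}] "
              f"{rec['facility']}-{rec['severity']}-{rec['mnemonic']}: {rec['text']}")
    print("timestamps not usable for correlation:", result["untrusted_timestamps"])
```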
How to read sh process cpu history output
I should have probably known this…
show processes cpu history
1111111112222211112222211111111111111111111111112222211111
6666555550000055553333377777555556666666666555552222277777
100
90
80
70
60
50
40
30
20 **********************************************************
10 **********************************************************
0....5....1....1....2....2....3....3....4....4....5....5....
          0    5    0    5    0    5    0    5    0    5
CPU% per second (last 60 seconds)
Each column is one sample, and the two digit rows above the graph are read top to bottom as the tens and units digits of that sample's CPU% (first column: 1 over 6 = 16%). Newest sample on the left, oldest on the right: 0 to 60 seconds.
2232232322223222232222322223222232222322223222232223322233
3233395434442322240012231114431132111201112001231113321133
100
90
80
70
60
50
40 *
30 * *** * * * * * * * * ** **
20 ##########################################################
10 ##########################################################
0....5....1....1....2....2....3....3....4....4....5....5....
          0    5    0    5    0    5    0    5    0    5
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
6333333344476668997433373444444445463333433333333333333433344333433333
6656864720511174254538515509083501465655064655569566565042316775654427
100 *
90 **
80 ***
70 * * ***** * *
60 * ******#* * *
50 * ******##** * * * * * * * * *
40 ****** *********##** ********************* ************* ******* *
30 ***********#****##****************************************************
20 ######################################################################
10 ######################################################################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
          0    5    0    5    0    5    0    5    0    5    0    5    0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%
Here you can see the CPU spike (into the 90s) approximately 15 to 17 hours ago; the axis spans 0 to 72 hours. For the minute and hour graphs the digit rows give the maximum for each interval (the * bars); the average (# bars) appears only in the graph.
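The added example below (editor's code, not from the original page) decodes the three pairs of digit rows above and redraws the graphs, which is the quickest way to confirm how to read them. The digit rows are copied from the output on this page; the rounding rule (a mark on every 10% row up to the value rounded to the nearest ten) is inferred from those graphs, for instance the single * on the 100 row for the 95% hour and the * on the 20 row for 15% seconds.

```python
# The two digit rows above each graph, copied from the output on this page.
SECONDS_ROWS = ("1111111112222211112222211111111111111111111111112222211111",
                "6666555550000055553333377777555556666666666555552222277777")
MINUTES_ROWS = ("2232232322223222232222322223222232222322223222232223322233",
                "3233395434442322240012231114431132111201112001231113321133")
HOURS_ROWS = ("6333333344476668997433373444444445463333433333333333333433344333433333",
              "6656864720511174254538515509083501465655064655569566565042316775654427")


def decode_history_rows(tens: str, ones: str) -> list:
    """Column i of the two rows is the tens and units digit of sample i
    (newest sample first). Rows of unequal length are truncated to the shorter."""
    return [int(t) * 10 + int(o) for t, o in zip(tens.strip(), ones.strip())]


def peak(values: list) -> tuple:
    """(highest value, how many samples ago it occurred)."""
    hi = max(values)
    return hi, values.index(hi)


def axis(n: int) -> tuple:
    """The two x-axis rows IOS prints: a tick every 5 samples, tens digit on the
    first row and units digit on the second once the count reaches 10."""
    top = "".join((str(i // 10) if i >= 10 else str(i)) if i % 5 == 0 else "."
                  for i in range(n))
    bottom = "".join(str(i % 10) if i % 5 == 0 and i >= 10 else " " for i in range(n))
    return top, bottom


def render_history(values: list, marker: str = "*") -> list:
    """Redraw the graph from the decoded values the way IOS does: a mark on every
    10% row up to the value rounded to the nearest ten (half up), so 15 marks the
    20 row and 23 does not mark the 30 row."""
    lines = []
    for level in range(100, 0, -10):
        cols = "".join(marker if (v + 5) // 10 * 10 >= level else " " for v in values)
        lines.append(f"{level:>3} {cols}")
    top, bottom = axis(len(values))
    lines.append(f"    {top}")
    lines.append(f"    {bottom}")
    return lines


if __name__ == "__main__":
    for label, rows in (("second", SECONDS_ROWS), ("minute", MINUTES_ROWS), ("hour", HOURS_ROWS)):
        vals = decode_history_rows(*rows)
        hi, ago = peak(vals)
        print(f"CPU% per {label}: newest={vals[0]} max={hi} ({ago} {label}s ago)")
        print("\n".join(render_history(vals)))
```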
DNS dig commands
$ dig +trace @4.2.2.2 www.movement3.com
; <<>> DiG 9.8.1 <<>> +trace @4.2.2.2 www.movement3.com
; (1 server found)
;; global options: +cmd
. 18694 IN NS k.root-servers.net.
. 18694 IN NS h.root-servers.net.
. 18694 IN NS d.root-servers.net.
. 18694 IN NS g.root-servers.net.
. 18694 IN NS e.root-servers.net.
. 18694 IN NS m.root-servers.net.
. 18694 IN NS l.root-servers.net.
. 18694 IN NS a.root-servers.net.
. 18694 IN NS c.root-servers.net.
. 18694 IN NS f.root-servers.net.
. 18694 IN NS b.root-servers.net.
. 18694 IN NS j.root-servers.net.
. 18694 IN NS i.root-servers.net.
;; Received 228 bytes from 4.2.2.2#53(4.2.2.2) in 16 ms
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
;; Received 495 bytes from 202.12.27.33#53(202.12.27.33) in 125 ms
movement3.com. 172800 IN NS ns1.zoneedit.com.
movement3.com. 172800 IN NS ns3.zoneedit.com.
;; Received 112 bytes from 192.26.92.30#53(192.26.92.30) in 62 ms
www.movement3.com. 1200 IN A 98.196.98.206
movement3.com. 1200 IN NS ns1.zoneedit.com.
movement3.com. 1200 IN NS ns3.zoneedit.com.
;; Received 96 bytes from 76.74.236.21#53(76.74.236.21) in 47 ms
.org is handled by:
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.
.net is handled by the same global top-level domain servers as .com domains.
You can see the root servers refer the query to the gTLD servers, and the gTLD servers refer it to the ZoneEdit DNS servers as per the NS records; only the last hop answers with the A record.
Other dig commands:
dig +short @4.2.2.2 www.movement3.com
dig mx @4.2.2.2 movement3.com
http://dnsknowledge.com/whatis/how-domain-name-servers-work/
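Two things worth checking in a +trace are that each referral was answered by a server the previous hop delegated to, and that the NS set the parent (the com. servers) hands out matches the NS set the zone's own servers return; a mismatch is a stale or lame delegation. The added example below (editor's code, not from the original post) parses the trace into hops and performs the second check. The trace text is abridged from the output above (the root and com. NS lists are shortened to three each); the stale variant is constructed. Note that +trace sends only the root NS lookup to the named resolver (4.2.2.2 above) and, without +dnssec, validates nothing, so every hop can be spoofed on the path.

```python
import re
from dataclasses import dataclass, field

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S.*?)\s*$")
FROM_RE = re.compile(r"^;; Received \d+ bytes from (?P<server>[\d.]+)#53")


@dataclass
class Step:
    """One hop of the trace: the records returned and the server that sent them."""
    records: list = field(default_factory=list)
    server: str = ""


def parse_trace(text: str) -> list:
    steps, cur = [], Step()
    for line in text.splitlines():
        m = RR_RE.match(line)
        if m:
            cur.records.append((m["name"].lower(), int(m["ttl"]), m["type"], m["rdata"].lower()))
            continue
        m = FROM_RE.match(line)
        if m:
            cur.server = m["server"]
            steps.append(cur)
            cur = Step()
    return steps


def ns_set(step: Step, zone: str) -> set:
    return {rd for name, _, typ, rd in step.records if typ == "NS" and name == zone}


def answers(steps: list, name: str, rtype: str) -> list:
    return [rd for s in steps for n, _, t, rd in s.records if n == name and t == rtype]


def check_delegation(steps: list, zone: str) -> dict:
    """The NS set the parent hands out in its referral must match the NS set the
    zone's own servers answer with; a difference means a stale or lame delegation
    (queries may land on a server that is not authoritative for the zone)."""
    seen = [(s.server, ns_set(s, zone)) for s in steps if ns_set(s, zone)]
    parent = seen[0][1] if seen else set()
    child = seen[-1][1] if len(seen) > 1 else set()
    return {"parent_ns": parent, "child_ns": child, "mismatch": parent ^ child,
            "referred_by": seen[0][0] if seen else None,
            "answered_by": seen[-1][0] if len(seen) > 1 else None}


# Abridged from the dig +trace output above (root and com. NS lists shortened).
TRACE = """\
. 18694 IN NS k.root-servers.net.
. 18694 IN NS h.root-servers.net.
. 18694 IN NS a.root-servers.net.
;; Received 228 bytes from 4.2.2.2#53(4.2.2.2) in 16 ms
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
;; Received 495 bytes from 202.12.27.33#53(202.12.27.33) in 125 ms
movement3.com. 172800 IN NS ns1.zoneedit.com.
movement3.com. 172800 IN NS ns3.zoneedit.com.
;; Received 112 bytes from 192.26.92.30#53(192.26.92.30) in 62 ms
www.movement3.com. 1200 IN A 98.196.98.206
movement3.com. 1200 IN NS ns1.zoneedit.com.
movement3.com. 1200 IN NS ns3.zoneedit.com.
;; Received 96 bytes from 76.74.236.21#53(76.74.236.21) in 47 ms
"""
# Constructed variant: the zone's own servers list a different second NS.
TRACE_STALE = TRACE.replace("movement3.com. 1200 IN NS ns3.zoneedit.com.",
                            "movement3.com. 1200 IN NS ns2.zoneedit.com.")

if __name__ == "__main__":
    for label, text in (("page trace", TRACE), ("constructed stale delegation", TRACE_STALE)):
        steps = parse_trace(text)
        print(label, "->", answers(steps, "www.movement3.com.", "A"),
              check_delegation(steps, "movement3.com."))
```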
Cisco EEM high CPU/Memory script
I am just discovering EEM scripts. They are pretty cool! Here are a couple of simple scripts for high CPU/memory. The show commands for the high-CPU one probably need tweaking; I used only the high-memory script. Please note that my 2801 router has EEM 3.0. I tried the EEM high-CPU script on a 4506 switch with EEM 2.4, but it did not work correctly. Not sure what is happening; I haven't had time to really troubleshoot it.
When the router sees less than 16 MB (16000000 bytes) free in the processor memory pool (OID 1.3.6.1.4.1.9.9.48.1.1.1.6.1 is ciscoMemoryPoolFree for pool 1), it runs the show commands, appends their output to flash:low_mem.txt and then removes the applet from the configuration so it fires only once. Another useful threshold is 8 MB (8000000). show tech is large and slow, so expect the applet to take a while (about 40 seconds between the two console messages below).
event manager applet LOW_IO_MEM
event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op lt entry-val "16000000" poll-interval 60
action 0.0 syslog msg "LOW MEMORY DETECTED. Please wait - logging information to flash:low_mem.txt"
action 0.1 cli command "enable"
action 0.2 cli command "term exec prompt timestamp"
action 1.2 cli command "show memory statistics | append flash:low_mem.txt"
action 1.3 cli command "show process mem sorted | append flash:low_mem.txt"
action 2.3 cli command "show mem all total | append flash:low_mem.txt"
action 3.2 cli command "show log | append flash:low_mem.txt"
action 3.3 cli command "show tech | append flash:low_mem.txt"
action 3.4 cli command "show mem debug leaks summ | append flash:low_mem.txt"
action 5.1 syslog msg "Self-removing applet from configuration..."
action 9.1 cli command "configure terminal"
action 9.2 cli command "no event manager applet LOW_IO_MEM"
action 9.3 cli command "end"
Here are the console messages:
*Jan 5 19:32:18.179: %HA_EM-6-LOG: LOW_IO_MEM: LOW MEMORY DETECTED. Please wait – logging information to flash:low_mem.txt
*Jan 5 19:32:58.267: %HA_EM-6-LOG: LOW_IO_MEM: Self-removing applet from configuration.
CPU OIDs from CISCO-PROCESS-MIB (cpmCPUTotal5minRev, cpmCPUTotal1minRev, cpmCPUTotal5secRev, CPU index 1):
5 min avg: .1.3.6.1.4.1.9.9.109.1.1.1.1.8.1
1 min avg: .1.3.6.1.4.1.9.9.109.1.1.1.1.7.1
5 sec avg: .1.3.6.1.4.1.9.9.109.1.1.1.1.6.1
Here are the equivalent OIDs from the older OLD-CISCO-CPU-MIB (busyPer, avgBusy1, avgBusy5), deprecated but still present on many platforms:
5sec: 1.3.6.1.4.1.9.2.1.56.0
1min: 1.3.6.1.4.1.9.2.1.57.0
5min: 1.3.6.1.4.1.9.2.1.58.0
For high CPU the comparison must be gt (5-minute average above 50%), not lt, or the applet fires while the CPU is idle, and the show commands should be the CPU ones. show tech is large and slow, so on a box that is already busy it is better left out:
event manager applet HIGH_CPU
event snmp oid 1.3.6.1.4.1.9.2.1.58.0 get-type exact entry-op gt entry-val "50" poll-interval 60
action 0.0 syslog msg "HIGH CPU DETECTED. Please wait - logging information to flash:high_cpu.txt"
action 0.1 cli command "enable"
action 0.2 cli command "term exec prompt timestamp"
action 1.2 cli command "show processes cpu sorted | append flash:high_cpu.txt"
action 1.3 cli command "show processes cpu history | append flash:high_cpu.txt"
action 2.3 cli command "show interfaces summary | append flash:high_cpu.txt"
action 3.2 cli command "show log | append flash:high_cpu.txt"
action 5.1 syslog msg "Self-removing applet from configuration..."
action 9.1 cli command "configure terminal"
action 9.2 cli command "no event manager applet HIGH_CPU"
action 9.3 cli command "end"