Commands for the CLI

The LCOS command-line interface is operated with the following commands. Some of the available menu commands can be displayed using the HELP command.

Note: Which commands are available depends upon the equipment of the device.

Important: Some commands require special privileges in order to run, and these are listed along with the respective command. Commands that do not specify any rights have no restrictions.

Table 1. Overview of all commands available at the command line
Command	Description
`add\|set [<Path>] <Value(s)>`	Sets a configuration parameter to a particular value. If the configuration parameter is a table value, a value must be specified for each column. Entering the `` character leaves any existing table entry unchanged. Access rights*: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`add\|set [<Path>] ?`	Lists all possible input values for a configuration parameter. If no specific path is entered, the possible input values for all configuration parameters in the current directory are listed. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`beginscript [-u] [-C d] [-s <password>]`	Resets the CLI session to script mode. In this state, commands entered are not transferred directly to the device's configuration RAM but initially to its script memory. Possible arguments are: `-u`: Forces the unconditional execution of a script or a configuration. `-C d`: Skips the default "Check for difference. Also applies when the `-u` option is used. `-s`: Decrypts the script with the password used for `readscript -s`. Access rights: Supervisor-Write
`bootconfig [-s (1\|2\|all)] [-r (1\|2\|all)]`	Enables you to save and delete boot configurations. Options: `-s`: Stores the current configuration of a device either as a custom default setting (1), rollout configuration (2), or both (all). `-r`: Optionally deletes the current custom default setting (1), the rollout configuration (2), or both (all). Access rights: Supervisor-Write Note: For further information on boot configurations refer to the chapter Alternative boot config
`ccset`	Sets the device configuration to standards-compliant default values with respect to CC-EAL4+ (such as ISDN=off). Prerequisite for this is that the feature bit (CC-EAL) is set on the device.
`cctest [-s]`	Checks the conformity of the device to CC-EAL4+. Prerequisite for this is that the feature bit (CC-EAL) is set on the device. By adding the parameter s, the results or outputs are displayed in the syslog table.
`cd <Path>`	Switch to the current directory. Various abbreviations can be used, such as replacing `cd ../..` with `cd ...`, etc.
`clear`	Clears the current CLI output. All previously entered commands can be viewed by means of the log.
`default [-r] [<Path>]`	Resets individual parameters, tables or entire menu trees back to their default configuration. If `<PATH>` indicates a branch of the menu tree, then the option `-r` (recursive) must be entered. Access rights: Supervisor-Write
`del\|delete\|rm [<Path>] <Row>\|*`	Deletes the table row `<Row>` in the current table or the table referenced in the branch of the menu tree with `<Path>`. Enter the line number for the `<Row>`. The wildcard symbol `` deletes a table, for example, `del Config/Cron-Table `. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`deletebootlog`	Clears the contents of the persistent boot log memory.
`dir\|list\|ls\|llong\|l [-a] [-r] [-s] [<Path>] [<Filter>]`	Displays the current directory content. Possible arguments are: `-a`: In addition to the content of the query, this also lists the SNMP IDs. The output begins with the SNMP ID of the device followed by the SNMP ID of the current menu. The SNMP IDs of the subordinate items can be read from the individual entries. `-r`: Also lists all subdirectories as well as the tables they contain. `-s`: Sorts the display of the current directory; grouped by sub directories, tables, values, and actions; in ascending alphabetical order.
`dnsquery [-t <type>] [-d <destination>] name[@rtg-tag]`	Resolves DNS requests. Possible parameters: `name`: The DNS name to resolve. `@rtg-tag`: Optional routing tag for reaching the DNS server. `-t <type>`: Type: A, AAAA, PTR, SRV, NAPTR `-d <destination>`: Destination used for reaching the DNS servers. As in the forwarding table, a routing tag can also be specified if the forwarding destination is an IP address (e.g. 8.8.8.8@4095). You can also specify two comma-separated IP addresses (with an optional routing tag) (e.g. 8.8.4.4@4095,8.8.8.8@4095). The DNS client switches between servers if one does not respond If the command is entered without options, i.e. with the mandatory domain name only, then a request of type AAAA as well as a request of type A will be issued. Example: > dnsquery www.lancom.de DNS result: =========== www.lancom.de: type A, class IN, ttl 1 hour, addr 176.9.82.168 www.lancom.de: type AAAA, class IN, ttl 1 hour, addr 2a01:4f8:151:20a3::2 Note: The AAAA-type response is only issued if the IPv6 address can also be reached. The type can also be specified explicitly using the option `-t`. The available types are AAAA, A, PTR, SRV and NAPTR. In the case of a PTR request, the requested IP address must be specified directly and may not be converted in the "ARPA" string: > dnsquery -tptr 176.9.82.168 DNS result: =========== 168.82.9.176.in-addr.arpa: type PTR, class IN, ttl 5 hours, 32 minutes, 30 seconds, www.lancom-systems.de Because the dnsquery command uses the DNS client of the LANCOM device, its behavior is determined by the DNS configuration of the device (i.e. forwarding, loopback addresses, etc.). Since the DNS configuration may differ depending on the routing tag, the dnsquery command can be used to append the requested name (or to the requested address in the case of PTR requests) by means of an @ extension: > dnsquery www.lancom.de@4095 DNS result: =========== www.lancom.de: type A, class IN, ttl 1 hour, addr 176.9.82.168 www.lancom.de: type AAAA, class IN, ttl 1 hour, addr 2a01:4f8:151:20a3::2 It is also possible to send the requests while bypassing the forwarding configuration by specifying the -d parameter. Anything that can be specified as a destination in the forwarding table can also be specified as a destination here. With the destination set manually, the loopback address is set according to the loopback configuration. Example: AAAA+A request via WAN connection INTERNET > dnsquery -dinternet www.lancom.de DNS result: =========== www.lancom.de: type A, class IN, ttl 1 hour, addr 176.9.82.168 www.lancom.de: type AAAA, class IN, ttl 1 hour, addr 2a01:4f8:151:20a3::2 Note: To do this, a DNS server must of course have been assigned to the INTERNET WAN connection, e.g. via PPP, DHCP, or manually in the IP parameter list. Example: PTR request via Google server > dnsquery -d8.8.8.8 -tptr 176.9.82.168 DNS result: =========== 168.82.9.176.in-addr.arpa: type PTR, class IN, ttl 5 hours, 32 minutes, 30 seconds, www.lancom-systems.de If no server responds, the client retries three times at increasing intervals, i.e. after each request, it waits 1, 2, 4, and finally 8 seconds. If there is no answer by then, the request is canceled. Pressing <CR> while a request is ongoing causes it to be canceled.
`do <Path> [<Parameter>]`	Executes the action in the current or the referenced directory, for example, do `Other/Coldstart`. If the action has additional parameters, they can be added at the end.
`echo <Argument>`	Displays the commands on the CLI.
`enable <Parameter>`	Extends the rights of authenticated TACACS+ users. Possible parameters are: `0`: No rights `1`: Read-only `3`: Read-write `5`: Read-only-limited Admin `7`: Read-write-limited Admin `9`: Read-only Admin `11`: Read-write Admin `15`: Supervisor (root)
`exit\|quit\|x`	Ends the terminal session.
`feature <Code>`	Activates the software option with the specified activation code. Access rights: Supervisor-Write Command line options: Feature <activation-code> Activation using activation code Feature -Q Query status of current and past remote activation requests Feature -q <query-id> Query status of a single request Feature -l <license-key> -t <license-type> [-i <license-index>] [-a <source-address>] [-u <server-url>] [-c <contact-data>] start a new remote activation request. Progress can be tracked using -q/-Q -a <source-address> source IP address or interface, e.g. INT, DMZ, LBx -l <license-key> 16/19 character license key -t <license-type> type of license, e.g. VPN25 -i <license-index> index of existing license for extension, 0 for additional license -u <server-url> URL of the license server -c <contact-data> comma separated list of contact details
`find <term>`	Looks for the search <term> and outputs all menu items containing it.
`flash yes\|no`	Regulates the storing of configuration changes using the command line. By default, changes to the configuration using commands in the command line are written directly to the boot-resistant Flash memory of the devices (`yes`). If updating the configuration is suppressed in the Flash memory (`no`), changes are only stored in RAM (deleted on booting). Access rights: Supervisor-Write
`getenv <Name>`	Lists the respective environmental variables (without line feed). Please also note the command "printenv".
`history`	Displays a list of recently executed commands. Command `!#` can be used to directly call the list commands using their number (#): For example, `!3` executes the third command in the list.
`ikectl [-[r\|d\|D] <peer-name-list>] [-[e\|r\|d] <ipsec-name-list>] [-[r\|d] [<ike-cookies-list>\|<esp-spi-list>]] [-R <peer-name-list> <redirect-target>]`	This command widens the range of analysis options, for example by executing targeted actions to isolate the problem in the event of an error. This function allows you to quickly and automatically modify and test a VPN, among other things. `-e <ipsec-name-list>`: Creates a Phase 2-SA/CHILD_SA when entered with the VPN rule name `-r <peer-name-list>`: Performs a rekeying of the Phase 1-SA/IKE_SA when entered with the name of the VPN remote peer `-r <ike-cookies-list>`: Performs rekeying when entered with the IKE cookie `-r <ipsec-name-list>`: Performs a rekeying of the Phase 2-SA/Child_SA when entered with the name of the VPN rule `-r <esp-spi-list>`: Performs a rekeying of the Phase 2-SA/Child_SA when entered with the incoming or outgoing ESP-SPI `-d <peer-name-list>`: Deletes a Phase 1-SA/IKE_SA when entered with the name of the VPN remote peer `-d <ike-cookies-list>`: Deletes a Phase 1-SA / IKE_SA when entered with IKEv1 cookies / IKEv2 SPIs `-d <ipsec-name-list>`: Deletes a Phase 2-SA/CHILD_SA when entered with the VPN rule name `-d <esp-spi-list>`: Deletes a Phase 2-SA/Child_SA when entered with the incoming or outgoing ESP-SPI `-D <peer-name-list>`: Starts the liveness check (Dead Peer Detection – DPD) when entered with the name of the VPN remote peer `-R <peer-name-list> <redirect-target`: Redirects IKEv2 remote sites to a new destination using the IKEv2 redirect. If the list of remote sites is empty, all remote sites are redirected. This command can be used for maintenance purposes to move VPN remote sites from the current VPN gateway to another gateway securely. `<peer-name-list>`: List of remote peer names separated by spaces and consisting of max. 16 characters `<ipsec-name-list>`: Space-separated list of VPN rule names, as displayed in "show vpn" as ipsec-0-PEER-pr0-l0-r0. Important: To find a certain CHILD_SA/Phase 2-SA for a road warrior, it is important to also specify the remote station name as follows: `"peer-name ipsec-name"`. `<ike-cookies-list>`: Consists of a list of 16 hexadecimal values separated by spaces, e.g 0x000102030405060708090A0B0C0D0E0F `<esp-spi-list>`: Consists of a list of 4 hexadecimal values separated by spaces, e.g. 0x00010203 `<redirect-target>`: Target to which the remote site(s) are to be redirected. The target can be an IPv4 address, IPv6 address or a DNS name Example: `ikectl ‑r peer ipsec-name-peer-2 ‑D peer3 ‑d peer4 0x12345678 ‑e "RoadWarrior IPSEC-0-DEFAULT-PR0-L0-R0"`
`importfile -a <application> [-p <passphrase>] [-n] [-h <Hash> -f <Fingerprint>] [-c] [-r]`	Your device supports the loading of files into file slots from the console and also by means of a script. This offers the convenience of using a script to roll-out files together with the configuration or, for example, to import SSH keys and VPN certificates. Required parameters: -a <application> <application> specifies the storage location and thus the usage for the entered data. For a complete list of the storage locations on your device, enter importfile -?. Optional parameters: -n -n starts the non-interactive mode. There are no prompts or other outputs on the CLI. The non-interactive mode is intended for use with scripts. -p <passphrase> <passphrase> is the password required to decrypt an entered private key. -h <hash> The hash algorithm used to determine the fingerprint of the root CA certificate. -f <fingerprint> The fingerprint of the root CA certificate, created with –h. The fingerprint can be entered either with or without colons. -c Only CA certificates are uploaded. -r Uploaded CA certificates replace any existing ones.
`iperf [-s\|-c <Host>] [-u] [-p <Port>] [-B <Interface>] [-c] [-b [<Bandw>/]<Bandw>[kKmM]] [-l <Length>] [-t <Time>] [-d] [-r] [-L <Port>] [-h]`	Starts iPerf on the device in order to perform a bandwidth measurement with an iPerf2 remote station. Possible arguments are: Client/server `-u, --udp`: Uses UDP instead of TCP. `-p, --port <Port>`: Connects with or expects data packets on this port (default: 5001). `-B, --bind <Interface>`: Permits the connection only via the specified interface (IP address or interface name). Server specific `-s, --server`: Starts iPerf in server mode and waits for an iPerf client to contact it. Client specific `-c, --client <Host>`: Starts iPerf in client mode and connects with the iPerf server <Host> (IP address or DNS name). `-b, --bandwidth [<Bandw>/]<Bandw>{kKmM}`: Limit the [down]/up-stream bandwidth when analyzing a UDP connection. This Is specified as kilobytes (kK) or megabytes (mM) per second (default: 1 Mbps). `-l, --len <Length>`: Sets the length of the UDP data packets. `-t, --time <Time>`: Sets the duration of the connection in seconds (default: 10 seconds). `-d, --dualtest`: The test is bidirectional: the iPerf server and client send and receive at the same time. `-r, --tradeoff`: The test is sequential: the iPerf server and client send and receive one after the other. `-L, --listenport <Port>`: Specifies the port where the device in bidirectional mode expects to receive data packets from the remote iPerf server (default: 5001). Miscellaneous `-h, --help`: Outputs the help text.
`killscript <Name>`	Deletes the remaining unprocessed content of a script session Select the script session using its name.Access rights: Supervisor-Write
`language`	Selects a language for the CLI display. The command `language ?` lists the available languages.
`lig [[-i <instance>] \| [-m <server>]] [-id <num>] destination-eid [-retries <num>] [-rtg-tag <num>] [-source-eid <num>]`	LIG (Locator/ID Separation Protocol Internet Groper) is a command-line tool specified in RFC 6835 to query LISP mappings on a map resolver. Possible arguments are: `-i <instance>`: Name of the LISP instance used for the destination query `-m <server>`: LISP map server used for the destination query `-id <num>`: LISP Instance ID [0-16777215] used for the destination query `destination-eid`: Requested destination EID `-retries <num>`: LISP retries to the map server [0-10] `-rtg-tag <num>`: Routing tag used `-source-eid <num>`: Source EID used Example: `lig -i LISP-INST 172.16.200.1`
`linktest`	Only available on WLAN devices. It displays the results of the WLAN link test.Access rights: Supervisor-Write Execution right: WLAN link test
`ll2mdetect`	Searches for devices via LL2M in the LAN. For further information on this command refer to the section Commands for the LL2M client.Access rights: Supervisor-Write
`ll2mexec`	Sends one command per LL2M to a device in the LAN. For further information on this command refer to the section Commands for the LL2M client.Access rights: Supervisor-Write
`loadconfig (-s <server IP address> -f <filename>)\|<URL>`	Uploads a configuration file to the device via TFTP. You can optionally enter the server address and the file name, or the entire URL. For further information on this command refer to the section File download from a TFTP or HTTP(S) server. Important: The cron table works with the user configured for it, meaning that if "loadconfig" is executed via the cron table, it will only be able to read the configuration completely if it is run with the root administrator. Access rights: Supervisor-Write
`loadfile [-a <Address>] [-s <Server-IP-address>] [-n] [-f <File-name>] [-o <File-name>] [-c <File-name>] [-p <File-name>] [-d <Passphrase>] [-C n\|d] [-m <Version>] [-u] [-x <File-name>] [-i]`	Uploads a certificate file to the device. Possible arguments are: `-a`: Specifies the source address of the file: `a.b.c.d`: Source IP address `INT`: Use the address of the first intranet interface as the source address `DMZ`: Use the address of the first DMZ interface as the source address `LBx`: Use the loopback address x (0..f) as the source address `<Interface>`: Use the address of the LAN interface <interface> as the source address `-s`: Address of the TFTP server `-n`: Ignore server name on SSL/TLS connections `-f`: <File name> of the configuration file on the TFTP server `-o`: Destination file <file name>for file download `-c`: File <file name> with the root certificate for HTTPS `-p`: File <file name> with unencrypted PKCS#12 container for HTTPS CA certificates and / or client-side authentication `-d`: <Passphrase> to decrypt downloaded encrypted PKCS#12 containers `-C`: Checks whether firmware is newer than (n) or different from (d) the current firmware `-m`: Set a minimum <version> of the firmware `-u`: Download firmware file unconditionally; skip the version check. `-x`: File <file name> with additional CA certificates for HTTPS checks; the value ' none' prevents the default certificates from being downloaded `-i`: Send Sysinfo as a POST request (for HTTP(S) only) Note: The options [-f] and [-s] and the URL cannot be used simultaneously. For HTTP(S) downloads, you must specify the source by means of a URL. The maximum length of the URL is 252 characters. Access rights: Supervisor-Write
`loadfirmware [-e] (-s <server IP address> -f <filename>)\|<URL>`	Uploads firmware to the device via TFTP. You can optionally enter the server address and the file name, or the entire URL. The `-e` option switch causes the firmware file to be saved completely in the local file system first before the firmware update starts. For further information on this command refer to the section File download from a TFTP or HTTP(S) server. Access rights: Supervisor-Write
`loadscript (-s <server IP address> -f <filename>)\|<URL>`	Uploads a configuration script to the device via TFTP. You can optionally enter the server address and the file name, or the entire URL. For further information on this command refer to the section File download from a TFTP or HTTP(S) server. Important: The cron table works with the user configured for it, meaning that if "loadscript" is executed via the cron table, it will only be able to read the configuration completely if it is run with the root administrator. Access rights: Supervisor-Write
`lspci`	Output of information via PCI devices Access rights: Supervisor-Read
`ping <IPv4-Address\|Hostname>` `ping -6 <IPv6-Address>%<Scope>`	Sends an ICMP echo request to the IP address specified. For more information about the command and the specifics of pinging IPv6 addresses, see the section Parameter overview for the ping command.
`printenv`	Shows an overview of all environmental variables and their values.
`readconfig [-h] [-s <password>]`	Shows the complete configuration in the format of the device syntax. `-h`: Adds a checksum to the configuration file. `-s <password>`: Encrypts the configuration file with the use of the specified password. Access rights: Supervisor-Read
`readmib`	Display of the SNMP Management Information Base. Available only on devices without a unified MIB. Access rights: Supervisor-Read,Local-Admin-Read
`readscript [-n] [-d] [-i] [-c] [-m] [-h] [-s <password>] [-o]`	The readscript command generates a text dump of all commands and parameters required to configure the device in its current state. You can use the following option switches for this: `-n`: The text output is only numerical without identifiers. The output only contains the current status values of the configuration as well as the associated SNMP IDs. `-d`: The default values are included in the text output. `-i`: The table designations are included in the text output. `-c`: Includes any comments contained in the script file. `-m`: The text is output to the screen in a compact but difficult to read format (no indentations). `-h`: Adds a checksum to the script file. `-s <password>`: Encrypts the script file with the use of the specified password. `-o`: Replaces the passwords with a "" to obfuscate them in the text output. Access rights*: Supervisor-Read
`readstatus`	Outputs the status of all SNMP IDs for the device.
`release [-x] *\|<Interface_1…Interface_n>`	The DHCPv6 client returns its IPv6 address and / or its prefix to the DHCPv6 server. It then submits a new request for an address or prefix to the DHCPv6 server. Depending on the provider, the server assigns a new address to the client, or reassigns the previous one. Whether the client receives a different address or prefix is determined solely by the server. The option switch `-x` suppresses the confirmation message. The `*` wildcard applies the command on all of the interfaces and prefix delegations. Alternatively, you can specify one or more specific interfaces.
`repeat <Interval> <Command>`	IPv6 address release: Repeats the specified command every `<Interval>` seconds until the process is ended with new input.
`rollout (-r\|-remove) <RelatedFile>`	Deletes the files of the user-specific rollout wizard from the file system of the device. Possible files are: `wizard`: Deletes the wizard `template`: Deletes the template `logo`: Deletes the logo `all`: Deletes the wizard, the template and the logo Access rights: Supervisor-Write
`setenv <Name> <Value>`	Sets an environmental variable to the specified value. Access rights: Supervisor-Write, Local-Admin-Write, Limited-Admin-Write
`setpass\|passwd [-u <User>][-n <new> <old>]`	Changes the password of the current user account. In order to change the password without a subsequent input prompt, use the option switch `-n` while entering the new and old password. Note: The password can have a maximum of 128 characters and use the following characeter set: #ABCDEFGHIJKLMNOPQRSTUVWXYZ@{\|}~!$%&'()*+-,/:;<=>?[\]^_.0123456789abcdefghijklmnopqrstuvwxyz ` If the command `passwd` is deployed in a script and a `$` is used in the password, an additional `$` has to be prepended, as it would otherwise be interpreted as a variable and setting the password would fail. In order to change the password of the local user account when authentication by TACACS+ is enabled, use the option switch `-u` with the name of the corresponding user. If the local user does not exist or the user name is missing, the command aborts. The user must also have supervisor rights, or authorization by TACACS must be enabled.
`show <Options> <Filter>`	Shows selected internal data, such as `admin-distance` – shows the administrative (routing) distance of all internal applications or routing protocols `bootlog` – the last boot processes `filter` – firewall filtering rules `Fw-dns-destinations` – Optionally accepts a space-separated list of names of the firewall's DNS destinations. All DNS destinations or the ones specified in the parameter are listed sequentially. For each destination, the counter from Status > Firewall > DNS-Database > Destination-Usage is displayed, followed by the list of wildcard expressions. For each wildcard expression, the currently resolved addresses and the data records that are a direct or indirect match are displayed. `ip-addresses` – displays all IPv4 and IPv6 addresses for the device for the LAN and WAN interfaces, along with advanced status information `ipv4-addresses` – displays all IPv4 addresses for the device for the LAN and WAN interfaces, along with advanced status information `lisp instance` – displays status information about all configured LISP instances `lisp instance [instance]` – displays status information about the LISP instance named [instance] `lisp map-cache` – displays status information about the map cache entries available for all instances `lisp map-cache [instance]` – displays status information about the map cache entries for the instance named [instance] `lisp registrations` – displays status information about the EIDs/RLOCs of all instances registered with the map server `lisp registrations [instance]` – displays status information about the EIDs/RLOCs of the instance named [instance] registered with the map server `lta` – shows information about groups or users of the LANCOM Trusted Access. This is set up and managed via the LANCOM Management Cloud. `mem`, `heap` – memory usage `netflow collectors` – displays information about the configured NetfFlow collectors `netflow interfaces` – displays information about interfaces and the corresponding NetFlow parameters `netflow metering-profiles` – displays information about the metering profiles of NetFlow/IPFIX Note: For more information about NetFlow/IPFIX, please see Netflow / IPFIX. `VLAN` – dynamically added VLANs and VLAN memberships, e.g. added to the static configuration at runtime by CAPWAP or WLAN/802.1X `VPN` – VPN rules With additional filter arguments you can further limit the output. For an overview of all possible options, enter `show ?`. The filters available with an option are displayed by `show <option> ?`. For example, `show VPN ?` shows the filters available for the VPN rules. For information on displaying IPv6-specific data, read the section Overview of IPv6-specific show commands. Access rights: Supervisor-Read, Local-Admin-Read
`sleep [-u] <Value><Suffix>`	Delays the processing of configuration commands by a particular time or terminates them at a particular time. Applicable values for `<SUFFIX>` are `s`, `m` and `h` for seconds, minutes and hours. If no suffix is defined, the command uses milliseconds. With option switch `-u`, the `sleep` command accepts times in format `MM/DD/YYYY hh:mm:ss` (English) or in format `TT.MM.JJJJ hh:mm:ss` (German). Times will only be accepted if the system time has been set.
`smssend [-s <SMSC-Number>] (-d <Destination>) (-t <Text>)`	Available only on devices with 3G/4G WWAN module: Sends a text message to the destination number entered. `-s <SMSC-Number>`: Alternative SMSC phone number (optional). If you omit this part of the command, the device uses the phone number stored on the USIM card or that configured under SNMP ID 2.83. `-d <Destination>`: Destination phone number `-t <Text>`: Contents of the message with <=160 characters. For an overview of available characters, see the section Character set for sending SMS. Special characters must be in UTF8 encoded form.
`ssh [-?\|h] [-o "option=value"] [-<a\|b> Loopback-Address] [-p Port] [-C] [-j Keepalive-Interval] <Host>`	Establishes an SSH connection to the <Host>. Possible arguments are: `-?\|h`: Outputs the help text. `-o "option=value"`: additional options with corresponding values can be specified. `-a\|b`: Allows a route or loopback address to be specified for the device to use if the destination can be reached via multiple routes. The function of `-a` and `-b` is identical. `-b` is the usual option used by an OpenSSH client on UNIX systems, whereas some other commands integrated into LCOS use `-a` to specify a loopback address. `-p`: Sets the <Port> of the host `-C`: Enforces compressed data transfer `-j`: Specifies how frequently the client sends a keepalive.
`sshcopyid`	To store your SSH public key using SSH Access rights: Supervisor-Write
`sshkeygen [-h] [-q] [-t dsa\|rsa\|ecdsa] [-b <bits>] [-f <file-name>] [-R <host-name>]`	Creates or deletes the SSH key in the device. Possible arguments are: `-h`: Displays a brief help text about the available parameters `-q`: The device overrides existing keys without a prompt (quiet mode) `-t`: This parameter specifies what type of key is generated. SSH supports the following types of keys: RSA DSA ECDSA `-b`: This parameter sets the length of the RSA key in bits. If you do not specify a length, the command produces a key with a length of 1024 bits by default. `-f`: These parameters specify the mounting point of the generated key file in the device file system. The choice of mounting point depends on the type key you are generating. The choices available to you are: ssh_rsakey for RSA keys ssh_dsakey for DSA keys ssh_ecdsakey for ECDSA keys Note: For further information on SSH / SSL keys used in the device refer to the chapter Device-internal SSH/SSL keys
`ssldefaults [-y]`	This command resets the SSL / TLS settings in all submenus of the current configuration to the default values after a security prompt. In LCOS, each module comes with its own submenu for SSL / TLS settings. This provides a way to reset all settings in these various submenus to the current secure default settings. The parameter `-y` ensures that the security prompt is automatically answered so that the command can be used non-interactively in scripts.
`stop`	Ends the ping command
`sysinfo`	Shows the system information (e.g., hardware release, software version, MAC address, serial number, etc.).
`tab`	For use in script files: For the command that follows, this sets the order of the columns for the arguments in the case that the columns in the table differ from the default (e.g. a column was added).Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`telnet <Address>`	Establishes a Telnet connection to the given <address>.
`testmail <From> <To_1…To_n> [<Realname> <Subject> <Body>]`	Sends a test e‑mail. A sender address and receiver address are necessary; real name, subject line and message content are optional. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`time <DateTime>`	Sets a time in format `MM/DD/YYYY hh:mm:ss`. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write Execution right: Time Wizard
`trace <Parameter> <Filter>`	Starts a trace command for output of diagnosis data. With additional filter arguments you can further limit the output. For further information on this command refer to the section Parameter overview for the trace command.Access rights: Supervisor-Read,Limited-Admin-Read,Limited-Admin-Write
`unmount [-?][-f] <Volume>`	Outputs the current volume table. `-f`: Releases the specified volume. <Volume> may be the volume ID or any mount point. `-?`: Outputs the help text.
`unsetenv <Name>`	Deletes the specified environmental variable. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`wakeup [MAC]`	Performs a Wake On LAN for the device with the MAC address [MAC]. Access rights: Supervisor-Write,Local-Admin-Write,Limited-Admin-Write
`who`	Lists active configuration sessions.
`writeconfig [-u] [-C d] [-s password] [-b index]`	Writes a new configuration on the device in the syntax format for the device. The system interprets all of the following lines as configuration values until two empty lines are read. Possible arguments are: `-u`: Forces the unconditional execution of a script or a configuration. `-C d`: Skips the default "Check for difference. Also applies when the `-u` option is used. `-s password`: Decrypts the configuration file with the use of the specified password. `-b index`: Writes the configuration as an alternative boot configuration. Index must be `1`, `2` or `all`. Access rights: Supervisor-Write
`writeflash`	Load a new firmware file (only via TFTP). Access rights: Supervisor-Write
`!!`	Repeat last command
`!<num>`	Repeat command <num> times
`!<prefix>`	Repeat last command beginning with <prefix>
`#<blank>`	Comment

Legend

Characters and brackets:
- Objects, in this case dynamic or situation-dependent, are in angle brackets.
- Round brackets group command components, for a better overview.
- Vertical lines (pipes) separate alternative inputs.
- Square brackets describe optional switches.
It follows that all command components that are not in square brackets are necessary information.
<Path>:
- Describes the path name for a menu or parameter, separated by "/" or "\".
- .. means: one level higher
- . means: the current level
<Value>:
- Describes a possible input value.
- "" is a blank input value
<Name>:
- Describes a character sequence of [0…9] [A…Z] [a…z] [ _ ].
- The first character cannot be a digit.
- There is no difference between small letters and capital letters.
<Filter>:
- The output of some commands can be restricted by entering a filter expression. Filtering does not occur line by line, but in blocks, depending on the command.
- A filter expression starts with the "@" symbol by itself and ends either at the end of the line or at a ";" (semicolon) to end the current command.
- A filter expression also consists of one or more search patterns, which are separated by blank spaces and preceded either by no operator (OR pattern), a "+" operator (AND pattern) or a "-" operator (NOT pattern).
- For the execution of the command, an information block is output exactly when at least one of the "OR" patterns, all "AND" patterns or none of the "NOT" patterns matches. Capitalization is ignored.
- For a search pattern to contain characters for structuring in the filter syntax (e.g., blank characters), then the entire search pattern can be enclosed in "". Alternatively, the symbol "\" can be placed before the special characters. If you want to search for a quotation mark (") or "\", another "\" symbol has to be placed in front of it.
  Note: Entering the start of the word, if it is unique, is sufficient.
- For examples of the usage of the output filter, see the section Filtering trace output.

Explanations for addressing, syntax and command input

All commands and directory/parameter names can be entered using their short-forms as long as they are unambiguous. For example, the command sysinfo can be shortened to sys and cd Management to c ma. The input cd /s is not valid, however, since it corresponds to both cd /Setup and cd /Status.
Directories can be addressed with the corresponding SNMP ID. For example, the command cd /2/8/10/2 has the same effect as cd /Setup/IP-router/Firewall/Rules.
Multiple values in a table row can be changed with one command, for example in the rules table of the IPv4 firewall:
- set WINS UDP sets the protocol of the WINS rule to UDP
- set WINS UDP ANYHOST sets the protocol of the WINS rule to UDP and the destination to ANY-HOST
- set WINS * ANYHOST also sets the destination of the WINS rule to ANYHOST; the asterisk means that the protocol remains unchanged
The values in a table row can alternatively be addressed via the column name or the position number in curly brackets. The command set ? in the table shows the name, the possible input values and the position number for each column. For example, in the rules table of the firewall, the destination has the number 4:
- set WINS {4} ANYHOST sets the destination of the WINS rule to ANYHOST
- set WINS {destination} ANYHOST also sets the destination of the WINS rule to ANYHOST
- set WINS {dest} ANYHOST sets the destination of the WINS rule to ANYHOST, because specifying dest here is sufficient to uniquely identify the column name.
Names that contain spaces must be enclosed within quotation marks (““).

Command-specific help

A command-specific help function is available for actions and commands (call the function with a question mark as the argument). For example, ping ? shows the options of the integrated ping command.
Enter help or ? on the command line for a complete listing of the available shell commands.