Configure Boot Flags

Before you begin

  • If you enable the hsecure flag, you cannot enable the flags for the web server or SSH password-authentication.

    Important

    After you change certain configuration parameters using the boot config flags command, you must save the changes to the configuration file.

About this task

Configure the boot flags to enable specific services and functions for the chassis.

Note

Flag support can vary across hardware models.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Enable boot config flag(s) on the switch using the boot config flags command.

    Enable the following flags, as needed:

    • advanced-feature-bandwidth-reservation [low | vim]

    • block-snmp

    • debug-config [console] | [file]

    • debugmode

    • dvr-leaf-mode

    • enhancedsecure-mode <jitc|non-jitc>

    • factorydefaults

    • flow-control-mode

    • ftpd

    • hsecure

    • ipv6-egress-filter

    • ipv6-mode

    • logging

    • macsec

    • nni-mstp

    • reboot

    • spanning-tree-mode <mstp|rstp>

    • spbm-config-mode

    • spbm-node-scaling

    • sshd

    • syslog-rfc5424-format

    • telnetd

    • tftpd

    • trace-logging

    • urpf-mode

    • verify-config

    • vrf-scaling

  3. Save the changed configuration.
  4. Restart the switch.

Example

Activate High Secure mode:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#boot config flags hsecure
Switch:1(config)#save config
Switch:1(config)#reset

Variable Definitions

The following entries define the parameters for the boot config flags command. Each entry gives the variable, followed by a description of its value.

advanced-feature-bandwidth-reservation [low | vim]

Note:

Exception: vim is only supported on 5520 Series.

Enables the switch to support advanced features by reserving ports as loopback ports. When disabled, you can use all ports on the switch, but advanced features do not work.

The default varies depending on the platform:

  • The default for 5320 Series and 5420 Series is enabled with low level.

  • The default for 5520 Series is enabled with vim level if Versatile Interface Module (VIM) is not installed, else low level is enabled.

  • The low level means that the switch reserves less bandwidth to support minimum functionality for advanced features.

  • The vim level means that the switch reserves the VIM ports as loopback ports and uses the Universal Ethernet ports for uplinks.

If you change this parameter, you must restart the switch.

block-snmp

Activates or disables Simple Network Management Protocol management. The default value is false (disabled), which permits SNMP access.

debug-config [console] | [file]

Enables you to debug the configuration file during loading configuration at system boot up. The default is disabled. You do not have to restart the switch after you enable debug-config, unless you want to immediately debug the configuration. After you enable debug-config and save the configuration, the debug output either displays on the console or logs to an output file the next time the switch reboots.

The options are:

  • debug-config [console]—Displays the line-by-line configuration file processing and result of the execution on the console while the device loads the configuration file.

  • debug-config [file]—Logs the line-by-line configuration file processing and result of the execution to the debug file while the device loads the configuration file. The system logs the debug config output to /intflash/debugconfig_primary.txt for the primary configuration file. The system logs the debug config output to /intflash/debugconfig_backup.txt for the backup configuration, if the backup configuration file loads.

debugmode

Enables a TRACE on any port by prompting for the port selection on the console during boot up. This allows the user to start a trace on the specified port earlier for debugging. It works on a console connection only. The default is disabled.

Important:

Do not change this parameter unless directed by technical support.

dvr-leaf-mode

Enables an SPB node to be configured as a DvR Leaf.

A node that has this flag set cannot be configured as a DvR Controller.

The boot flag is disabled by default.

enhancedsecure-mode {jitc | non-jitc}

Enables enhanced secure mode in either the Joint Interoperability Test Command (JITC) or non-JITC sub-modes.

Note:

As a best practice, enable the enhanced secure mode in the non-JITC sub-mode, because the JITC sub-mode is more restrictive and prevents the use of some CLI commands that are commonly used for troubleshooting.

When you enable enhanced secure mode in either the JITC or non-JITC sub-modes, the switch provides role-based access levels, stronger password requirements, and stronger rules on password length, password complexity, password change intervals, password reuse, and password maximum age use.

factorydefaults

Specifies whether the switch uses the factory default settings at startup. The default value is disabled. This flag is automatically reset to the default setting after the CPU restarts. If you change this parameter, you must restart the switch.

Note:

The factorydefaults flag deletes the runtime, primary and backup configuration files, local password files, authentication keys, and certificates. After a factory default, you must change the password on first login.

flow-control-mode

Enables or disables flow control globally. When disabled, the system does not generate nor configure the transmission of flow control messages. The system always honors received flow control messages regardless of the flow control mode status. You must enable this mode before you configure an interface to send pause frames.

The default is disabled.

ftpd

Activates or disables the FTP server on the switch. The default value is disabled. To enable FTP, ensure that the tftpd flag is disabled.

hsecure

Activates or disables High Secure mode. The hsecure command provides the following password behavior:

  • 10 character enforcement

  • The password must contain a minimum of 2 uppercase characters, 2 lowercase characters, 2 numbers, and 2 special characters.

  • Aging time

  • Failed login attempt limitation

The default value is disabled. If you enable High Secure mode, you must restart the switch to enforce secure passwords. If you operate the switch in High Secure mode, the switch prompts a password change if you enter invalid-length passwords.
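The following script is an added example, not part of this document or the switch software: it checks a candidate password against the hsecure rules listed above (10 characters, and at least 2 uppercase, 2 lowercase, 2 numeric and 2 special characters) so that an administrator can confirm a new password will be accepted before the switch is restarted in High Secure mode. The set of characters counted as "special" is an assumption (ASCII punctuation); the page does not list it. The sample passwords are constructed.

```python
import string

# Password rules stated for the hsecure flag on this page: at least 10 characters and
# at least 2 uppercase, 2 lowercase, 2 numeric and 2 special characters.
HSECURE_MIN_LENGTH = 10
HSECURE_MIN_PER_CLASS = 2

# Assumption: "special character" means ASCII punctuation; the page does not define the set.
SPECIAL_CHARACTERS = set(string.punctuation)


def hsecure_password_violations(password: str) -> list:
    """Return the hsecure rules a candidate password breaks (empty list = compliant)."""
    counts = {
        "uppercase characters": sum(1 for c in password if c.isupper()),
        "lowercase characters": sum(1 for c in password if c.islower()),
        "numbers": sum(1 for c in password if c.isdigit()),
        "special characters": sum(1 for c in password if c in SPECIAL_CHARACTERS),
    }
    violations = []
    if len(password) < HSECURE_MIN_LENGTH:
        violations.append(
            f"length {len(password)} is below the {HSECURE_MIN_LENGTH}-character minimum"
        )
    for name, count in counts.items():
        if count < HSECURE_MIN_PER_CLASS:
            violations.append(f"only {count} {name}; {HSECURE_MIN_PER_CLASS} required")
    return violations


def is_hsecure_compliant(password: str) -> bool:
    """True when the candidate satisfies every hsecure password rule."""
    return not hsecure_password_violations(password)


if __name__ == "__main__":
    # Constructed candidates for demonstration only, not real credentials.
    for candidate in ("Ab1!Cd2@xy", "password123", "Pa$$w0rd"):
        print(candidate, "->", hsecure_password_violations(candidate) or "compliant")
```

Run the check against every local account password before enabling hsecure and restarting; a password that fails here is one the switch will prompt you to change after the restart.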

ipv6-egress-filter

Enables IPv6 egress filters. The default is disabled.

If you change this parameter, you must restart the switch.

For 5320 Series and 5420 Series platforms, the boot config flags ipv6-egress-filter and boot config flags macsec commands are mutually exclusive.

ipv6-mode

Enables IPv6 mode on the switch.

logging

Activates or disables system logging. The default value is enabled. The system names log files according to the following:

  • The system displays the file names in 8.3 (log.xxxxxxxx.sss) format.

  • The first 6 characters of the file name contain the last three bytes of the chassis base MAC address.

  • The next two characters in the file name specify the slot number of the CPU that generated the logs.

  • The last three characters in the file name are the sequence number of the log file.

The system generates multiple sequence numbers for the same chassis and same slot if the system reaches the maximum log file size.
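The following parser is an added example, not part of this document or the switch software: it splits the 8.3 log file names described above (log.xxxxxxxx.sss) into the chassis MAC fragment, CPU slot and sequence number, checks that a collected log file actually came from the expected chassis, and groups a directory listing by chassis and slot so that gaps in the sequence numbers (missing or rotated files) are easy to spot. The directory listing and MAC address used are constructed; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# File name format described for the logging flag: log.xxxxxxxx.sss, where the first six
# characters of the base name are the last three bytes of the chassis base MAC address,
# the next two are the slot number of the CPU, and the extension is the sequence number.
LOG_FILE_NAME = re.compile(r"^log\.([0-9a-fA-F]{6})(\d{2})\.(\d{3})$")


@dataclass(frozen=True)
class LogFileName:
    mac_tail: str   # last three bytes of the chassis base MAC, six lowercase hex digits
    slot: int       # slot number of the CPU that generated the log
    sequence: int   # sequence number of the log file


def parse_log_file_name(name: str) -> LogFileName:
    """Split an 8.3 switch log file name into its chassis, slot and sequence fields."""
    match = LOG_FILE_NAME.match(name)
    if match is None:
        raise ValueError(f"not a switch log file name: {name!r}")
    mac_tail, slot, sequence = match.groups()
    return LogFileName(mac_tail.lower(), int(slot), int(sequence))


def log_is_from_chassis(name: str, base_mac: str) -> bool:
    """True when the file name's MAC fragment matches the last three bytes of base_mac."""
    expected = re.sub(r"[^0-9a-f]", "", base_mac.lower())[-6:]
    return parse_log_file_name(name).mac_tail == expected


def group_log_files(names) -> dict:
    """Map (mac_tail, slot) to the sorted sequence numbers seen; non-log names are skipped."""
    groups = {}
    for name in names:
        try:
            parsed = parse_log_file_name(name)
        except ValueError:
            continue
        groups.setdefault((parsed.mac_tail, parsed.slot), []).append(parsed.sequence)
    return {key: sorted(seqs) for key, seqs in groups.items()}


if __name__ == "__main__":
    # Constructed directory listing, not real switch output.
    listing = ["log.0a1b2c01.001", "log.0a1b2c01.002", "log.0a1b2c02.001",
               "log.ffeedd01.007", "README.txt"]
    for key, seqs in group_log_files(listing).items():
        print(key, seqs)
```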

macsec

Note:

Exception: only required for 5320 Series and 5420 Series.

Enables Media Access Control Security (MACsec) globally.

The boot config flags ipv6-egress-filter and boot config flags macsec commands are mutually exclusive.

nni-mstp

Enables MSTP and VLAN configuration on NNI ports. The default is disabled.

Note:

Spanning Tree is disabled on all NNIs.

You cannot add an SPBM NNI port or MLT port to any non-SPBM B-VLAN. You cannot add additional C-VLANs to a brouter port.

reboot

Activates or disables automatic reboot on a fatal error. The default value is activated.

Important:

Do not change this parameter unless directed by technical support.

spanning-tree-mode <mstp|rstp>

Specifies the Multiple Spanning Tree Protocol or Rapid Spanning Tree Protocol mode. If you do not specify a protocol, the switch uses the default mode. The default mode is mstp. If you change the spanning tree mode, you must save the current configuration and restart the switch.

spbm-config-mode

Enables you to configure SPB and IS-IS, but you cannot configure PIM and IGMP either globally or on an interface.

Use the no operator so that you can configure PIM and IGMP.

The boot flag is enabled by default. To set this flag to the default value, use the default operator with the command.

spbm-node-scaling

Note:

Exception: Only supported on 5320 Series and 5420 Series.

Increases the number of supported SPB nodes per area that the switch supports. This flag is disabled by default.

Important:

If you enable this boot config flag, it impacts the following features:

  • the switch does not support more than 250 SPB nodes per area and sending multicast streams while the local Backbone Edge Bridge (BEB) receives.

  • the number of SPB nodes is also reduced for other features such as Switched UNI (S-UNI) endpoints, Layer 2 and Layer 3 I-SIDs, IP Multicast over Fabric Connect local streams, and Private VLANs.

For more information about scaling numbers, see Fabric Engine Release Notes.
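The following script is an added example, not part of this document or the switch software. It collects the constraints stated in the entries above (ftpd requires tftpd disabled, ipv6-egress-filter and macsec are mutually exclusive, the vim level exists only on 5520 Series, spbm-node-scaling only on 5320 Series and 5420 Series) and the flags whose entries say a restart is required, validates a desired flag set for a platform before anything is typed on the switch, and turns the difference between the current and desired sets into the boot config flags, no boot config flags, save config and reset commands shown in this page's example. Reading the "Exception" notes as hard platform limits is an assumption, as are the function names and the flag sets used in the demonstration.

```python
from typing import Dict, List, Tuple

# Constraints taken from the flag descriptions on this page.
MUTUALLY_EXCLUSIVE = [("ftpd", "tftpd"), ("ipv6-egress-filter", "macsec")]
RESTART_REQUIRED = {
    "advanced-feature-bandwidth-reservation", "factorydefaults", "hsecure",
    "ipv6-egress-filter", "spanning-tree-mode",
}
# Assumption: the page's "Exception" notes are read as hard platform limits.
VIM_PLATFORMS = {"5520"}
NODE_SCALING_PLATFORMS = {"5320", "5420"}

# flag name -> True for a plain flag, or its argument string (e.g. "vim", "rstp")
FlagSet = Dict[str, object]


def validate_boot_flags(platform: str, desired: FlagSet) -> List[str]:
    """Return the constraints a desired flag set would violate on the given platform."""
    problems = []
    if (desired.get("advanced-feature-bandwidth-reservation") == "vim"
            and platform not in VIM_PLATFORMS):
        problems.append("vim level is only supported on 5520 Series")
    if "spbm-node-scaling" in desired and platform not in NODE_SCALING_PLATFORMS:
        problems.append("spbm-node-scaling is only supported on 5320 Series and 5420 Series")
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in desired and b in desired:
            problems.append(f"{a} and {b} are mutually exclusive")
    return problems


def plan_flag_changes(current: FlagSet, desired: FlagSet) -> Tuple[List[str], List[str]]:
    """Return (CLI commands to apply, flags whose change requires a restart)."""
    commands = []
    for flag in sorted(set(current) | set(desired)):
        before, after = current.get(flag), desired.get(flag)
        if before == after:
            continue
        if after is None:
            commands.append(f"no boot config flags {flag}")
        elif after is True:
            commands.append(f"boot config flags {flag}")
        else:
            commands.append(f"boot config flags {flag} {after}")
    restart = sorted(f for f in RESTART_REQUIRED if current.get(f) != desired.get(f))
    if commands:
        commands.append("save config")   # changes must be saved to the configuration file
    if restart:
        commands.append("reset")         # restart is required for these flags to take effect
    return commands, restart


if __name__ == "__main__":
    # Constructed flag sets for demonstration only.
    current = {"logging": True, "tftpd": True}
    desired = {"logging": True, "hsecure": True, "spanning-tree-mode": "rstp"}
    print("problems:", validate_boot_flags("5420", desired))
    commands, restart = plan_flag_changes(current, desired)
    print("restart needed for:", restart)
    print("\n".join(commands))
```

Run the validation first and only generate commands for a flag set that reports no problems; the reset at the end of the command list is what makes hsecure and the spanning tree mode change actually take effect.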

sshd

Activates or disables the SSHv2 server service. The default value is disabled.

syslog-rfc5424-format

Controls the format of the syslog output and logging. By default, the switch uses the RFC5424 format. If the RFC based format is disabled, the older format is used.

telnetd

Activates or disables the Telnet server service. The default is disabled.

tftpd

Activates or disables Trivial File Transfer Protocol server service. The default value is disabled.

trace-logging

Activates or disables the creation of trace logs. The default value is disabled.

Important:

Do not change this parameter unless directed by technical support.

urpf-mode

Enables Unicast Reverse Path Forwarding (uRPF) globally. You must enable uRPF globally before you configure it on a port or VLAN. The default is disabled.

verify-config

Activates syntax checking of the configuration file. The default is enabled.

  • Primary config behavior: When the verify-config flag is enabled, the primary config file is pre-checked for syntax errors. If the system finds an error, the primary config file is not loaded; instead, the system loads the backup config file.

    If the verify-config flag is disabled, the system does not pre-check syntax errors. When the verify-config flag is disabled, the system ignores any lines with errors during loading of the primary config file. If the primary config file is not present or cannot be found, the system tries to load the backup file.

  • Backup config behavior: If the system loads the backup config file, the system does not check the backup file for syntax errors. It does not matter if the verify-config flag is disabled or enabled. With the backup config file, the system ignores any lines with errors during the loading of the backup config file.

    If no backup config file exists, the system defaults to factory defaults.

As a best practice, disable the verify-config flag.
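The following function is an added example, not part of this document or the switch software: it models the startup decision described above (primary pre-check when verify-config is enabled, fall-back to the never-checked backup file, and factory defaults when no backup exists) so that the effect of the flag on what actually gets applied can be seen on sample input. Treating a line that starts with "!!" as one the syntax checker rejects is an assumption standing in for the real checker, whose rules are not on the page; the configuration lines are constructed.

```python
from typing import List, Optional, Tuple

# Assumption: a line starting with "!!" stands in for a line the syntax checker rejects.
def has_syntax_error(line: str) -> bool:
    return line.startswith("!!")


def select_startup_config(verify_config: bool,
                          primary: Optional[List[str]],
                          backup: Optional[List[str]]) -> Tuple[str, List[str]]:
    """Return (source, lines applied) following the verify-config behavior on this page."""
    if primary is not None:
        if not verify_config:
            # no pre-check: lines with errors are ignored and the rest of primary is applied
            return "primary", [line for line in primary if not has_syntax_error(line)]
        if not any(has_syntax_error(line) for line in primary):
            return "primary", list(primary)
        # pre-check failed: the primary file is rejected as a whole, fall through to backup
    if backup is not None:
        # the backup file is never pre-checked; error lines are ignored regardless of the flag
        return "backup", [line for line in backup if not has_syntax_error(line)]
    return "factory-defaults", []


if __name__ == "__main__":
    # Constructed configuration files for demonstration only.
    primary = ["boot config flags sshd", "!! interface gigaEthernet", "boot config flags hsecure"]
    backup = ["boot config flags sshd", "!! bad line"]
    for verify in (True, False):
        print("verify-config", verify, "->", select_startup_config(verify, primary, backup))
    print("no backup ->", select_startup_config(True, primary, None))
```

The sample shows the security-relevant consequence of either setting: with the flag enabled, one bad line in the primary file causes the whole file, including the hsecure line, to be replaced by the backup; with it disabled, the bad line is dropped silently and the rest of the primary file is applied. Either way, a syntax error can change the hardening that is in force after a restart, so check the debug-config output after any configuration change.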

vrf-scaling

Increases the maximum number of VRFs and Layer 3 VSNs that the switch supports. This flag is disabled by default.

Important:

If you enable both this flag and the spbm-config-mode flag, the switch reduces the number of configurable VLANs. For more information about maximum scaling numbers, see Fabric Engine Release Notes.