Chapter 2: AOS-CX CLI, Configuration Management, and Initial Setup
Learning Objectives
Navigate AOS-CX CLI command modes and use context-sensitive help to discover commands quickly.
Perform initial switch setup, including hostname assignment, management IP configuration, local user creation, and SSH enablement.
Manage running, startup, and checkpoint configurations using AOS-CX-specific workflows like write memory, copy running-config checkpoint, and checkpoint rollback.
Use diagnostic tools such as show tech, event logs, debug commands, and syslog forwarding to troubleshoot effectively.
If Chapter 1 introduced the architecture and platforms of AOS-CX, this chapter is where you put your hands on the keyboard. Think of Chapter 1 as the blueprints of a house and Chapter 2 as the day you walk through the front door, find the light switches, and learn the alarm code. Everything that follows in this book — VLANs, routing, security, virtualization — assumes you can confidently get into a switch, configure it, save your work, and back out gracefully when you make a mistake.
1. AOS-CX CLI Fundamentals
Pre-Quiz: CLI Fundamentals
1. You are six levels deep in a sub-configuration context (e.g., editing an ACL rule inside an ACL inside a configure block) and need to return to the Manager prompt as quickly as possible. Which single command does this?
A. exit
B. end
C. disable
D. quit
2. While typing a long command, you press Tab and the CLI shows multiple completion options instead of finishing the word. What does this tell you about your current input?
A. The command does not exist on this firmware.
B. Your input is ambiguous; multiple valid commands match the prefix.
C. You are in the wrong CLI mode for that command.
D. Tab completion is disabled until you type a space.
3. You want to view only the configuration stanza for a single interface from a 4,000-line running-config without scrolling. Which pipe modifier is best?
A. | include interface 1/1/24
B. | begin interface 1/1/24
C. | section interface 1/1/24
D. | count interface
4. Why do many regulated environments require a banner motd on AOS-CX management interfaces?
A. It speeds up SSH login.
B. It encrypts the management session.
C. Frameworks like PCI-DSS and HIPAA require a legal warning before access is granted.
D. It enables MFA on the device.
The AOS-CX command-line interface (CLI) will feel familiar to anyone who has worked with Cisco IOS, Juniper Junos, or HPE's older ProVision/Comware operating systems — but it has its own personality. Aruba designed it to be modern, predictable, and tightly integrated with the underlying database-driven architecture you learned about in Chapter 1.
Operator, Manager, and Configuration Modes
AOS-CX organizes commands into three primary modes, each with its own level of privilege and its own prompt character. You can think of these modes like the floors of a secure office building: the lobby is open to anyone with a badge, the staff floor requires elevated credentials, and the executive suite is locked behind another layer of access.
| Mode | Prompt | Purpose | Typical User |
|---|---|---|---|
| Operator | switch> | Read-only commands, basic show, ping | Help-desk operator |
| Manager (Privileged Exec) | switch# | Full diagnostics, reload, copy, write memory | Network administrator |
| Configuration | switch(config)# | Make configuration changes | Configuring engineer |
| Sub-config (e.g., interface) | switch(config-if)# | Configure a specific feature scope | Configuring engineer |
A subtle but important detail: AOS-CX uses configure (or configure terminal) to enter global configuration mode. Both forms work, but configure alone is the documented Aruba shorthand.
The end command is your express elevator: from any depth of sub-configuration, end jumps you all the way back to Manager mode. exit only goes up one level. This distinction will save you from the embarrassment of typing exit six times to escape a deeply nested ACL.
Figure 2.1: AOS-CX CLI mode hierarchy and transitions
Context-Sensitive Help and Command Completion
AOS-CX has one of the most forgiving help systems in the industry. There are three tricks to memorize, and they will carry you through the entire exam:
Question mark (?) — Lists every command or argument valid at the current cursor position.
Tab key — Auto-completes a partially typed command, or shows options if multiple commands match.
Partial commands — As long as your input is unambiguous, AOS-CX accepts shortened keywords (int 1/1/1 for interface 1/1/1).
switch(config)# in?
include-credentials interface ip
switch(config)# inter<TAB>
switch(config)# interface
Command Piping and Filtering
AOS-CX supports Unix-style pipes to filter and format output:
| Pipe Modifier | Meaning |
|---|---|
| include <pattern> | Show only lines matching the pattern |
| exclude <pattern> | Hide lines matching the pattern |
| begin <pattern> | Start output at the first matching line |
| count | Display only the line count |
| section <pattern> | Display the entire stanza beginning with the match |
CLI Sessions, Aliases, and Banners
AOS-CX allows multiple concurrent CLI sessions and supports both aliases (custom shorthand commands) and banners (login messages). Banners are not just decorative: audit frameworks such as PCI-DSS and HIPAA commonly expect a warning banner on management interfaces, and in many jurisdictions a notice that access is restricted and monitored is what gives later enforcement action legal footing. Keep the banner free of hostnames, OS versions, or owner details that would help an attacker fingerprint the device.
switch(config)# alias shrun show running-config
switch(config)# alias shint show interface brief
switch(config)# banner motd #
Authorized access only. All activity is logged.
#
Key Takeaway
AOS-CX has three primary CLI modes: Operator, Manager, and Configuration (with sub-configs).
configure enters config mode; end jumps back to Manager from any depth; exit goes up one level.
Mastering ?, Tab, and pipe modifiers (include, exclude, begin, section) is the single fastest way to be productive.
2. Initial Switch Provisioning
Pre-Quiz: Initial Provisioning
5. A new engineer configures the OOBM interface using ip address 192.168.50.201/24 and the switch rejects it. Why?
A. The OOBM interface requires a /32 mask.
B. AOS-CX uses ip static on the management interface, not ip address.
C. The mgmt interface must be configured via the web UI only.
D. The interface needs to be in trunk mode first.
6. You configure ip dns server-address 192.168.50.10 globally without specifying a VRF, and the switch (which only reaches the DNS server through OOBM) silently fails to resolve names. What happened?
A. DNS lookups were configured for the default (data plane) VRF, which has no path to the management subnet.
B. DNS is disabled by default on AOS-CX.
C. The hostname must be set first.
D. DNS only works after a reboot.
7. Your security policy requires a "VLAN-only" administrator who can create VLANs but cannot reload the switch. Which AOS-CX construct enforces this?
A. A user-defined user group with rules like permit cli command "vlan .*", assigned to that user.
B. A static ACL on the mgmt interface.
C. A login banner stating restricted access.
D. An NTP-based time-of-day lockout.
8. By default on a freshly provisioned AOS-CX switch, which protocol is enabled on the management VRF and which is disabled?
A. Telnet enabled, SSH disabled
B. SSH enabled, Telnet disabled
C. Both enabled by default
D. Both disabled until manually enabled
A factory-default Aruba CX switch ships with a single admin account that has no password, a mgmt port that tries DHCP rather than carrying a static address, and an SSH server you cannot usefully log in to until that password is set. The very first thing you do with one is connect to the console, and that workflow is the same whether you bought a 6300 stack for an IDF closet or an 8400 chassis for a data-center spine.
Console and Out-of-Band Management (OOBM)
Every CX switch has at least two ways to reach it before the network is configured:
Console port — A serial connection (RJ-45 or USB-C on newer models) at 115200 baud, 8N1, no flow control by default on AOS-CX (the 9600 default you may remember belongs to the older ProVision platforms). This is your "always works" lifeline, which is also why the console should sit behind a terminal server with its own authentication rather than on an open closet desk.
OOBM port — A dedicated 1 GbE management interface on the front panel, typically labeled mgmt. It lives in its own dedicated VRF, isolated from production traffic.
The OOBM interface is configured under interface mgmt, and uniquely uses the command ip static rather than ip address. This is one of the most common gotchas for engineers crossing over from Cisco or older Aruba ProVision platforms.
switch(config)# interface mgmt
switch(config-if-mgmt)# no shutdown
switch(config-if-mgmt)# ip static 192.168.50.201/24
switch(config-if-mgmt)# default-gateway 192.168.50.1
switch(config-if-mgmt)# exit
Note that the default gateway is configured inside the interface mgmt context, not at the global level — another departure from traditional CLIs.
Hostname, Domain, and DNS
The hostname is set globally, while DNS and NTP settings must name the management VRF if those servers are reachable only through OOBM. NTP also has to be switched on with ntp enable after the server is defined, and pointing a switch at a public pool from its management network is a convenience for the lab; in production use an internal time source, because every event-log timestamp and every certificate validity check depends on it.
switch(config)# hostname ACCESS-IDF1-SW01
ACCESS-IDF1-SW01(config)# ip dns server-address 192.168.50.10 vrf mgmt
ACCESS-IDF1-SW01(config)# ip dns domain-name corp.example.com vrf mgmt
ACCESS-IDF1-SW01(config)# ntp server pool.ntp.org vrf mgmt
If you forget the vrf mgmt keyword, AOS-CX will configure DNS for the default VRF (data plane), which usually has no path to your management subnet, leaving you wondering why name resolution silently fails.
Local User Accounts and RBAC
AOS-CX ships with a single default admin account whose password must be set on first login. Local accounts belong to groups; three groups are predefined, and AOS-CX supports up to 29 user-defined groups in addition to them.
| Built-in Group | Privilege |
|---|---|
| administrators | Full read/write access to all commands |
| operators | Read-only access (show commands, ping) |
| auditors | Read-only with audit-log visibility |
ACCESS-IDF1-SW01(config)# user netadmin group administrators password plaintext H@rdPass!1
ACCESS-IDF1-SW01(config)# user helpdesk group operators password plaintext View0nly!
The plaintext keyword is convenient in a lab and a liability anywhere else: the password lands in the session's command history and in any terminal logging. Ending the command at password instead makes the switch prompt for it interactively, and the running-config stores only the hash either way.
Worked Example — Creating a Custom User Group:
Fine-grained local RBAC on AOS-CX is expressed in user-defined user groups rather than a separate role object. Each group holds an ordered list of permit and deny rules whose regular expression is matched against the command line; the first matching rule wins, so specific permits go before the catch-all deny, and a group that is meant to change configuration also has to be allowed into configuration mode.
switch(config)# user-group vlan-only
switch(config-usr-grp-vlan-only)# 10 permit cli command "configure terminal"
switch(config-usr-grp-vlan-only)# 20 permit cli command "vlan .*"
switch(config-usr-grp-vlan-only)# 30 permit cli command "show .*"
switch(config-usr-grp-vlan-only)# 40 deny cli command ".*"
switch(config-usr-grp-vlan-only)# exit
switch(config)# user vlan-jr group vlan-only password plaintext Vlan0nly!
The patterns are regular expressions, not shell globs: "vlan .*" covers vlan 10 and vlan 10 name USERS, whereas "vlan*" would only ever match the bare word. Before handing over the account, log in as it and try the commands it must not have (reload, interface, user).
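Because a mistake in these rules is a privilege-escalation bug, it is worth being able to dry-run a group's policy before the account exists. The following is an added example written for this chapter, not code from AOS-CX: it evaluates an ordered permit/deny rule list against candidate command lines. Two behaviours are assumptions about the switch that you should confirm on your release before relying on them: first match wins in sequence-number order, and a pattern must match the whole command line, with an implicit deny when nothing matches.

```python
"""Dry-run evaluator for AOS-CX-style user-group CLI command rules.

Added example for this chapter; not code from the switch. Assumed semantics:
rules are tried in sequence order, the first full-regex match decides, and
no match means deny.
"""
import re
from typing import Dict, Iterable, List, Tuple

Rule = Tuple[int, str, str]          # (sequence, "permit" | "deny", regex)

# The vlan-only group from the text, extended with a "no vlan" permit so the
# operator can remove what they create, and an exit/end permit for navigation.
VLAN_ONLY_RULES: List[Rule] = [
    (10, "permit", r"configure( terminal)?"),
    (20, "permit", r"vlan .*"),
    (30, "permit", r"no vlan .*"),
    (40, "permit", r"show .*"),
    (50, "permit", r"exit|end"),
    (60, "deny",   r".*"),
]


def evaluate(rules: Iterable[Rule], command: str) -> Tuple[str, int]:
    """Return (action, sequence) of the first rule that fully matches the
    command line; ("deny", 0) when none does (assumed implicit deny)."""
    cmd = " ".join(command.split())   # normalise whitespace like a CLI parser
    for seq, action, pattern in sorted(rules, key=lambda r: r[0]):
        if re.fullmatch(pattern, cmd):
            return action, seq
    return "deny", 0


def audit(rules: Iterable[Rule], commands: Iterable[str]) -> Dict[str, str]:
    """Map each candidate command to its verdict for a reviewer to read."""
    rules = list(rules)
    return {c: evaluate(rules, c)[0] for c in commands}


if __name__ == "__main__":
    for cmd, verdict in audit(VLAN_ONLY_RULES,
                              ["vlan 10", "no vlan 10", "reload",
                               "interface 1/1/1", "show running-config"]).items():
        print(f"{verdict:6} {cmd}")
```

Running the audit against the page's original glob-style pattern "vlan*" shows why it is wrong under regex semantics: it matches nothing a VLAN administrator would type, so the group silently becomes read-only.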
Enabling SSH and Disabling Telnet
In the factory configuration the SSH server is enabled on the mgmt VRF (and on the default VRF as well) and Telnet is disabled. Hardening is therefore mostly about trimming, not adding: keep SSH only on the VRF you actually manage from, remove it from the data-plane VRF with no ssh server vrf default if all management goes through OOBM, and verify the result rather than assuming it.
ACCESS-IDF1-SW01(config)# ssh server vrf mgmt
ACCESS-IDF1-SW01(config)# ssh server vrf default
ACCESS-IDF1-SW01(config)# no telnet-server vrf mgmt
ACCESS-IDF1-SW01# show ssh server vrf mgmt
For tighter security, apply a control-plane ACL that only permits SSH from your jump-host subnet. Entries are evaluated top to bottom and the first match wins; the closing permit keeps everything that is not SSH (NTP, DNS, syslog replies, ping) flowing to the CPU, which matters because an ACL with no final permit ends in an implicit deny. Apply it from the console, or with a checkpoint auto timer armed, since the ACL takes effect immediately on the session you are using.
switch(config)# access-list ip MGMT-ACL
switch(config-acl-ip)# 10 permit tcp 10.10.10.0/24 any eq 22
switch(config-acl-ip)# 40 deny tcp any any eq 22
switch(config-acl-ip)# 50 permit any any any
switch(config-acl-ip)# exit
switch(config)# apply access-list ip MGMT-ACL control-plane vrf mgmt
This binding protects only the mgmt VRF. If SSH is still enabled on the default VRF, apply the same ACL there too, or the in-band path remains open to the whole network.
Key Takeaway
OOBM interface mgmt uses ip static (not ip address), and default-gateway is configured inside the interface context.
DNS, NTP, SFTP/TFTP, and SSH commands typically need vrf mgmt to reach servers via OOBM.
Users belong to groups (three built-in, plus up to 29 user-defined); a user-defined group carries an ordered list of permit/deny CLI command rules, which is how fine-grained RBAC is enforced.
3. Configuration Management
Pre-Quiz: Config Management
9. You make extensive ACL changes in config mode and then the switch loses power before you save. On boot, what configuration loads?
A. The latest running-config from the previous session.
B. The startup-config; your unsaved running-config changes are lost.
C. The most recent automatic checkpoint.
D. A blank factory-default configuration.
10. You are about to make a risky OSPF area change over SSH from a remote site. Which AOS-CX safety mechanism gives you a deadman-timer rollback if you lock yourself out?
A. write memory followed by copy startup tftp
B. checkpoint auto 5 followed by checkpoint auto confirm after verification
C. reload in 5
D. show tech before changes
11. You run copy running-config tftp://192.168.50.20/sw01.cfg and the transfer fails with no route to host. The TFTP server is reachable only via OOBM. What did you forget?
A. The vrf mgmt keyword at the end of the command.
B. To prefix the IP with ipv4://.
C. A reboot is required between copies.
D. TFTP is disabled by default and cannot be re-enabled.
12. Which statement best describes the relationship between a named checkpoint and the startup-config?
A. Named checkpoints are ephemeral and lost on reboot; startup-config is not.
B. Both live in flash and persist across reboots, but only startup-config is loaded at boot; checkpoints are point-in-time named snapshots that you restore manually with checkpoint rollback.
C. A checkpoint replaces startup-config on every save.
D. Checkpoints can only be created via TFTP transfer.
If initial setup is the blueprint, configuration management is the version-control system. AOS-CX has a richer model than many competing platforms, blending the familiar running-config / startup-config pair with a powerful checkpoint system that acts like a built-in time machine.
Running vs. Startup Configuration
The running-config lives in RAM and reflects every change as it is typed. The startup-config lives in flash and is loaded on boot. Changes made in config mode do not persist across reboots until you save them.
| Configuration | Where It Lives | Persists Across Reboot? | Command to View |
|---|---|---|---|
| Running-config | Volatile DB / RAM | No | show running-config |
| Startup-config | Non-volatile flash | Yes | show startup-config |
| Checkpoint | Non-volatile flash | Yes (named snapshot) | show checkpoint <name> |
To save the running-config to startup-config, use write memory, the documented AOS-CX shorthand for copy running-config startup-config. Saving is what makes a change survive a reboot; it does not by itself create a checkpoint, so a save and a snapshot are two separate decisions.
ACCESS-IDF1-SW01# write memory
ACCESS-IDF1-SW01# copy running-config startup-config
Checkpoints: Snapshots Beyond Startup-Config
A checkpoint is a named, point-in-time snapshot of the running-config, independent of startup. You can create as many as flash allows, name them meaningfully, and roll back to any one of them; checkpoint diff lets you compare two of them (or a checkpoint against the running-config) before you decide which to restore.
switch# copy running-config checkpoint pre-vlan-change
switch# show checkpoint list
switch# show checkpoint pre-vlan-change
switch# checkpoint rollback pre-vlan-change
AOS-CX also generates automatic checkpoints, named with a timestamp prefix like CPC202604291843. The system creates one about five minutes after the last configuration change, so unsaved work usually has a recoverable snapshot even if you forget write memory. Because every checkpoint is a full copy of the configuration, including credential hashes and SNMP strings, treat exported checkpoints with the same care as a running-config backup.
Figure 2.2: Configuration management workflow across running, startup, and checkpoint stores
flowchart LR
A["Running-config (RAM)"] -->|"write memory / save"| B["Startup-config (flash)"]
A -->|"copy running-config checkpoint <name>"| C["Named checkpoint (flash)"]
A -.->|"auto checkpoint after ~5 min"| D["Auto checkpoint (CPCyyyymmdd)"]
C -->|"checkpoint rollback <name>"| A
B -->|"loaded at boot"| A
E["TFTP / SFTP / SCP / USB"] -->|"copy ... running-config vrf mgmt"| A
A -->|"copy running-config ... vrf mgmt"| E
Auto-Checkpoint on Commit (Safe Testing)
The most powerful, and exam-favored, feature is checkpoint auto, which arms a deadman timer between 1 and 60 minutes. The switch snapshots the configuration when you issue it; if you do not confirm with checkpoint auto confirm before the timer expires, it rolls the running-config back to that snapshot. The confirm is deliberate work, not a side effect: a write memory in between does not stop the timer.
switch# checkpoint auto 5
switch# configure
switch(config)# router ospf 1
switch(config-ospf-1)# area 0
switch(config-ospf-1)# exit
switch(config)# end
switch# show ip ospf neighbor
... (verify connectivity)
switch# checkpoint auto confirm
If, after starting checkpoint auto 5, you fat-finger a command that severs your SSH session, the switch waits five minutes, hears no checkpoint auto confirm, and rolls back automatically. Five minutes later you are back in. Size the timer to the longest verification you need to do, not to the time the change takes to type.
Key Takeaway
AOS-CX persistence has three layers: running-config, startup-config, and named checkpoints (plus auto-checkpoints).
write memory is the shorthand for copy running-config startup-config.
checkpoint auto N + checkpoint auto confirm is a deadman-timer safety net for risky remote changes.
Always include vrf mgmt when copying via TFTP/SFTP/SCP through OOBM, and prefer SFTP or SCP over TFTP, which is unauthenticated and unencrypted.
4. Diagnostics and Logging
Pre-Quiz: Diagnostics
13. TAC asks you for a single comprehensive diagnostic dump from the switch. Which command satisfies this request?
A. show running-config
B. show events -s warning
C. show tech
D. show core-dump
14. You only want to see OSPF-related events at warning severity or higher. Which command gets you closest in one shot?
A. show events
B. show events -d ospfd -s warning
C. debug ospfv2 all
D. show running-config | include ospf
15. Your auditors require encrypted syslog forwarding to the SIEM. Which transport and port should you configure?
A. UDP 514
B. TCP 1470
C. TLS 6514
D. HTTP 80
16. Why is daemon-scoped debugging (e.g., debug ospfv2 all) safer than a hypothetical debug all?
A. Daemon-scoped debug only affects one daemon, so it can't melt the CPU under load like a global debug-everything would.
B. Daemon debug is encrypted; global debug is plaintext.
C. Daemon debug auto-disables after one minute.
D. Daemon debug runs on the data plane, not the control plane.
When something breaks at 2 a.m., your job isn't to remember every command — it's to know where the truth lives. AOS-CX consolidates diagnostic information into a small set of go-to commands that any new engineer should rehearse before they ever need them in anger.
show tech and Core Dumps
show tech is the kitchen-sink diagnostic dump, the AOS-CX counterpart of show tech-support on other platforms. It runs a long list of show commands and concatenates the output; a feature keyword (show tech basic, for example) narrows it to one area, and local-file writes the result to onboard storage instead of the terminal so you can copy it out afterwards. The dump includes the full configuration, so treat the file as sensitive and move it with SFTP rather than TFTP where you can.
switch# show tech
switch# show tech local-file
switch# copy show-tech local-file tftp://192.168.50.20/sw01-tech.txt vrf mgmt
For deeper failures, AOS-CX stores core dumps — memory snapshots of crashed processes:
switch# show core-dump
switch# copy core-dump <id> tftp://192.168.50.20/ vrf mgmt
Event Logs and Severity Levels
The event log is structured and severity-tagged, which makes it much friendlier to filter than a free-form syslog stream. The -d and -s options combine (show events -d ospfd -s warning), -s keeps the named severity and everything more severe, and -r lists newest first, which is usually what you want during an incident:
switch# show events
switch# show events -d ospfd
switch# show events -s warning
switch# show events | include link
| Severity | Numeric | Meaning |
|---|---|---|
| emergency | 0 | System unusable |
| alert | 1 | Immediate action required |
| critical | 2 | Critical conditions |
| error | 3 | Error conditions |
| warning | 4 | Warning conditions |
| notice | 5 | Normal but significant |
| informational | 6 | Informational messages |
| debug | 7 | Debug-level messages |
Debug Commands
AOS-CX has per-feature debugging that you can toggle live without affecting other modules. Unlike older OSes where debug all could melt the CPU, CX debugging is daemon-scoped. Two habits matter: debug output goes to the debug buffer rather than your terminal unless you redirect it with debug destination, so read it with show debug buffer; and every debug you enable stays on until you remove it, so finish with show debug to confirm nothing is left running.
switch# debug ospfv2 all
switch# debug bgp updates
switch# show debug
switch# no debug ospfv2 all
switch# no debug all
Syslog Forwarding
For long-term retention and central correlation, forward events to an external syslog server with the logging command, which takes the server address, the transport and port, a minimum severity and, when the collector is reached through OOBM, vrf mgmt. AOS-CX supports UDP (514), TCP (1470), and TLS (6514) targets. UDP gives neither delivery nor integrity guarantees; TLS is the only option that protects the stream in transit, and it requires the collector's CA certificate to be installed on the switch as a trust anchor. Time synchronization is part of the same design, because a SIEM can only correlate events whose timestamps agree:
Figure 2.3: Compliance-grade syslog forwarding flow over TLS
sequenceDiagram
participant D as "Daemon (ospfd, lacpd, ...)"
participant E as "Event log (on-box)"
participant L as "Logging subsystem"
participant N as "NTP server"
participant S as "SIEM / syslog server"
N->>L: "Time sync (vrf mgmt)"
D->>E: "Emit event (severity=warning)"
E->>L: "Forward if >= configured severity"
L->>S: "TLS 6514 (vrf mgmt)"
S-->>L: "TCP/TLS ack"
Note over L,S: "Encrypted in transit; timestamps aligned via NTP"
S->>S: "Correlate, retain, alert auditors"
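The severity table, the show events filters, and the forward-if-at-least-configured-severity step in the figure are the same piece of arithmetic seen from three sides. The following is an added example written for this chapter, not code from AOS-CX: it filters a set of constructed event records the way show events -d and -s do, renders the survivors as RFC 5424 syslog lines with PRI = facility*8 + severity, and parses the PRI back out the way the collector would. The events, the hostname, the facility value (local0 = 16) and the field layout are constructed assumptions; only the severity numbering and the PRI arithmetic are standard.

```python
"""Event-log filtering and syslog forwarding in the shape AOS-CX uses.

Added example for this chapter; not code from the switch. Sample events,
facility and header layout are constructed; severity numbering and the
PRI formula follow RFC 5424.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
LOCAL0 = 16  # assumed facility for forwarded events


@dataclass(frozen=True)
class Event:
    ts: datetime
    daemon: str
    severity: int        # 0 = emergency ... 7 = debug
    event_id: int
    text: str


# Constructed sample events in the order the switch logged them.
SAMPLE_EVENTS: List[Event] = [
    Event(datetime(2026, 4, 29, 18, 40, 1, tzinfo=timezone.utc), "ospfd", 4, 4603,
          "OSPFv2 neighbor 10.0.0.2 on 1/1/1 changed from FULL to DOWN"),
    Event(datetime(2026, 4, 29, 18, 40, 2, tzinfo=timezone.utc), "lacpd", 6, 1301,
          "LACP on 1/1/49 state changed to UP"),
    Event(datetime(2026, 4, 29, 18, 40, 5, tzinfo=timezone.utc), "ospfd", 6, 4601,
          "OSPFv2 neighbor 10.0.0.2 on 1/1/1 changed from INIT to 2-WAY"),
    Event(datetime(2026, 4, 29, 18, 41, 0, tzinfo=timezone.utc), "hpe-sysmond", 3, 2304,
          "Control plane CPU utilization above threshold"),
]


def show_events(events: List[Event], daemon: Optional[str] = None,
                severity: Optional[str] = None, reverse: bool = False) -> List[Event]:
    """Model of `show events [-d daemon] [-s severity] [-r]`: -s keeps events
    at that severity or more severe, i.e. numerically lower or equal."""
    out = list(events)
    if daemon:
        out = [e for e in out if e.daemon == daemon]
    if severity:
        threshold = SEVERITIES.index(severity)
        out = [e for e in out if e.severity <= threshold]
    return out[::-1] if reverse else out


def pri(facility: int, severity: int) -> int:
    """RFC 5424 PRI value carried in the angle brackets."""
    return facility * 8 + severity


def to_syslog(e: Event, hostname: str, facility: int = LOCAL0) -> str:
    """Render one event as an RFC 5424 line; UDP, TCP and TLS differ only
    in how this payload is carried, not in what it contains."""
    stamp = e.ts.isoformat().replace("+00:00", "Z")
    return f"<{pri(facility, e.severity)}>1 {stamp} {hostname} {e.daemon} - {e.event_id} - {e.text}"


def forward(events: List[Event], hostname: str,
            min_severity: str = "informational") -> List[str]:
    """The logging subsystem's forward-if-at-least-configured-severity step."""
    return [to_syslog(e, hostname) for e in show_events(events, severity=min_severity)]


def parse_pri(line: str) -> Tuple[int, int]:
    """Collector side: recover (facility, severity) from a received line."""
    end = line.index(">")
    return divmod(int(line[1:end]), 8)


if __name__ == "__main__":
    for line in forward(SAMPLE_EVENTS, "ACCESS-IDF1-SW01", min_severity="warning"):
        print(line)
```

The threshold direction is the part people get backwards: a collector configured for "warning" receives severities 0 through 4, so a forwarding policy set to "error" would silently drop the OSPF adjacency loss above while keeping the CPU alarm.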
Key Takeaway
show tech is the TAC-grade snapshot; show tech local-file writes it to onboard storage, and it contains the full configuration, so handle it as sensitive.
show events supports -d <daemon> and -s <severity> for surgical filtering.
AOS-CX debug commands are daemon-scoped, so they're safe to enable selectively — but always remember to turn them off.
Syslog supports UDP 514 / TCP 1470 / TLS 6514; use TLS plus NTP-aligned timestamps for compliance pipelines.