IOS Commands

Overview

The netapi ios command group provides CLI access to Cisco IOS and IOS-XE switches via SSH (Netmiko).

Prerequisites

Load secrets before using IOS commands:

dsource d000 dev/network

Required environment variables depend on the target switch:

Variable Description

Variable	Description
`SWITCH_3560CX_IP`	Catalyst 3560-CX IP
`SWITCH_3560CX_USER`	SSH username
`SWITCH_3560CX_PASS`	SSH password
`SWITCH_9300_IP`	Catalyst 9300 IP
`SWITCH_9300_USER`	SSH username
`SWITCH_9300_PASS`	SSH password

SWITCH_3560CX_IP

Catalyst 3560-CX IP

SWITCH_3560CX_USER

SSH username

SWITCH_3560CX_PASS

SSH password

SWITCH_9300_IP

Catalyst 9300 IP

SWITCH_9300_USER

SSH username

SWITCH_9300_PASS

SSH password

Show Commands

show

Show switch resources (version, interfaces, etc.):

# Show version
netapi ios show version

# Show interfaces
netapi ios show interfaces

# Show running config
netapi ios show running-config

exec

Execute a show command on the switch:

netapi ios exec "show ip interface brief"
netapi ios exec "show vlan brief"
netapi ios exec "show authentication sessions"

run

Execute a raw exec-level command:

netapi ios run "show access-session"
netapi ios run "show authentication sessions interface Gi1/0/1"

Configuration Commands

config

Send configuration commands to the switch:

# Single command
netapi ios config "interface Gi1/0/1" "description Client Port"

# Multiple commands
netapi ios config "interface Gi1/0/1" "switchport mode access" "switchport access vlan 10"

save

Save running configuration to startup:

netapi ios save

bounce

Bounce an interface (shutdown then no shutdown):

netapi ios bounce Gi1/0/1
netapi ios bounce Gi1/0/1 --delay 5  # 5 second delay between shutdown/no shutdown

RADIUS / AAA Commands

test-aaa

Test AAA authentication against RADIUS server group:

netapi ios test-aaa --group ISE-GROUP --user testuser --pass testpass

add-radius-server

Add a RADIUS server to the switch:

netapi ios add-radius-server --name ISE-01 --ip 10.50.1.21 \
    --key "RadiusSecret" --aaa-group ISE-GROUP --save

remove-radius-server

Remove a RADIUS server from the switch:

netapi ios remove-radius-server --name ISE-01 --save

802.1X / MAB Configuration

Example: Configure Access Port for 802.1X

# Configure interface for 802.1X
netapi ios config \
    "interface Gi1/0/1" \
    "description Dot1X Access Port" \
    "switchport mode access" \
    "switchport access vlan 10" \
    "authentication host-mode multi-auth" \
    "authentication order dot1x mab" \
    "authentication priority dot1x mab" \
    "authentication port-control auto" \
    "dot1x pae authenticator" \
    "mab"

# Save configuration
netapi ios save

Example: Bounce Port After Config Change

# After changing 802.1X config, bounce the port
netapi ios bounce Gi1/0/1

# Verify authentication status
netapi ios run "show authentication sessions interface Gi1/0/1"

Targeting Specific Switches

Use the --host option to target a specific switch:

# Target 3560-CX
netapi ios --host 10.50.1.10 show version

# Target 9300
netapi ios --host 10.50.1.11 exec "show vlan brief"

Or set environment variables to switch between devices:

# Use 3560-CX
export IOS_IP=$SWITCH_3560CX_IP
export IOS_USER=$SWITCH_3560CX_USER
export IOS_PASS=$SWITCH_3560CX_PASS
netapi ios show version

# Use 9300
export IOS_IP=$SWITCH_9300_IP
export IOS_USER=$SWITCH_9300_USER
export IOS_PASS=$SWITCH_9300_PASS
netapi ios show version

Integration with ISE

Check Authentication Sessions

# Show all sessions
netapi ios run "show access-session"

# Show session details for specific port
netapi ios run "show authentication sessions interface Gi1/0/1 details"

# Show session by MAC
netapi ios run "show authentication sessions mac 14f6.d87b.3180"

Clear Authentication Session

# Clear session on interface
netapi ios run "clear authentication sessions interface Gi1/0/1"

# Clear session by MAC
netapi ios run "clear authentication sessions mac 14f6.d87b.3180"

Verify RADIUS Connectivity

# Show RADIUS server status
netapi ios run "show aaa servers"

# Test RADIUS authentication
netapi ios test-aaa --group ISE-GROUP --user testuser --pass testpass

Configuration Backup

backup

Backup running configuration to local storage or NAS.

# Backup single switch (uses SWITCH_3560CX_* vars)
netapi ios backup --prefix SWITCH_3560CX

# Backup and upload to NAS
netapi ios backup --prefix SWITCH_3560CX --upload-nas

# Backup all switches
netapi ios backup --all

# Backup all switches and upload to NAS
netapi ios backup --all --upload-nas

Sample Output

╭──────────────────────────────────────────────────╮
│            Switch Configuration Backup           │
╰──────────────────────────────────────────────────╯
  Host: 10.50.1.10
  Prefix: SWITCH_3560CX
  Output: /home/user/backups/switch/switch_3560cx-10-50-1-10-20260124-185506.cfg

✓ Backup completed successfully
  Saved to: /home/user/backups/switch/switch_3560cx-10-50-1-10-20260124-185506.cfg
  Timestamp: 2026-01-24T18:55:06.643026

Uploading to Synology NAS...
✓ Uploaded to NAS: /switch_backups/switch_3560cx-10-50-1-10-20260124-185506.cfg

Options:

Option Short Description

Option	Short	Description
`--prefix`	`-p`	Switch prefix (default: SWITCH_3560CX)
`--all`	`-a`	Backup all discovered switches
`--upload-nas`	`-u`	Upload to Synology NAS
`--nas-folder`		NAS destination folder

--prefix

-p

Switch prefix (default: SWITCH_3560CX)

--all

-a

Backup all discovered switches

--upload-nas

-u

Upload to Synology NAS

--nas-folder

NAS destination folder

Multi-Switch Backup with --all

The --all flag discovers switches from environment variables matching SWITCH_*_IP:

netapi ios backup --all --upload-nas

Sample Output

╭──────────────────────────────────────────────────╮
│         Switch Configuration Backup (All)        │
╰──────────────────────────────────────────────────╯
  Found 2 switches: SWITCH_3560CX, SWITCH_9300

  ✓ SWITCH_3560CX (10.50.1.10)
  ✗ SWITCH_9300: Connection timeout

✓ Backed up 1/2 switches

dsec Configuration for Multi-Switch

In your dev/network dsec config:

# Site-specific switch definitions
SWITCH_3560CX_HQ_01_IP=10.50.1.10
SWITCH_3560CX_HQ_01_USER=admin
SWITCH_3560CX_HQ_01_PASS=secretpass

SWITCH_9300_HQ_01_IP=10.50.1.11
SWITCH_9300_HQ_01_USER=apiuser
SWITCH_9300_HQ_01_PASS=secretpass

# Active targets (used by netapi ios backup)
SWITCH_3560CX_IP={{SWITCH_3560CX_HQ_01_IP}}
SWITCH_3560CX_USER={{SWITCH_3560CX_HQ_01_USER}}
SWITCH_3560CX_PASS={{SWITCH_3560CX_HQ_01_PASS}}

SWITCH_9300_IP={{SWITCH_9300_HQ_01_IP}}
SWITCH_9300_USER={{SWITCH_9300_HQ_01_USER}}
SWITCH_9300_PASS={{SWITCH_9300_HQ_01_PASS}}

NAS Upload Requirements

For --upload-nas to work, load storage secrets:

dsource d000 dev/storage

Required variables in dev/storage:

Variable Description

Variable	Description
`SYNOLOGY_IP`	NAS IP address
`SYNOLOGY_USER`	API username
`SYNOLOGY_PASS`	API password
`SWITCH_BACKUP_PATH`	Destination folder (default: /switch_backups)

SYNOLOGY_IP

NAS IP address

SYNOLOGY_USER

API username

SYNOLOGY_PASS

API password

SWITCH_BACKUP_PATH

Destination folder (default: /switch_backups)