Cisco 300 Series Cli Manual

Small business 300 series managed switches command line interface guide release 1.3

Summary of Contents for Cisco 300 Series

  • Page 1 CLI GUIDE Cisco Small Business 300 Series Managed Switches Command Line Interface Guide Release 1.3...
  • Page 21: Introduction

    Introduction This section describes how to use the Command Line Interface (CLI). It contains the following topics: • User (Privilege) Levels • CLI Command Modes • Accessing the CLI • CLI Command Conventions • Editing Features • Interface Naming Conventions •...
  • Page 22 Introduction • Level 15 — Users with this level can run all commands. Only users at this level can access the web GUI. A system administrator (user with level 15) can create passwords that allow a lower level user to temporarily become a higher level user. For example, the user may go from level 1 to level 7, level 1 to 15, or level 7 to level 15.
  • Page 23: Cli Command Modes

    Introduction Example 3— Switch from Level 1 to Level 15. The user must know the password: switchxxxxxx# switchxxxxxx# enable Enter Password: ****** (this is the password for level 15 - level15@abc) switchxxxxxx# NOTE: If authentication of passwords is performed on RADIUS or TACACS+ servers, the passwords assigned to user level 7 and user level 15 must be configured on the external server and associated with the $enable7$ and $enable15$ user names,...
  • Page 24: Privileged Exec Mode

    Introduction The user-level prompt consists of the switch host name followed by a #. The default host name is switchxxxxxx where xxxxxx is the last six digits of the device’s MAC address, as shown below switchxxxxxx# The default host name can be changed via the hostname command in Global Configuration mode.
  • Page 25 Introduction The following example shows how to access Global Configuration mode and return to Privileged EXEC mode: switchxxxxxx# switchxxxxxx# configure switchxxxxxx(config)# exit switchxxxxxx# Interface or Line Configuration Modes Various submodes may be entered from Global Configuration mode. These submodes enable performing commands on a group of interfaces or lines. For instance to perform several operations on a specific port or range of ports, you can enter the Interface Configuration mode for that interface.
  • Page 26: Accessing The Cli

    Introduction Configuration mode. The interface Global Configuration command is used to enter this mode. • Line Interface — Contains commands used to configure the management connections for the console, Telnet and SSH. These include commands such as line timeout settings, etc. The line Global Configuration command is used to enter the Line Configuration command mode.
  • Page 27 Introduction • Running a Telnet session from a command prompt on a computer with a network connection to the switch. • Using SSH. Telnet and SSH are disabled by default on the switch. NOTE If access is via a Telnet connection, ensure that the following conditions are met before using CLI commands: •...
  • Page 28 Set the serial port settings, then click OK. STEP 5 When the User Name appears, enter cisco at the prompt and press Enter. STEP 6 The switchxxxxxx# prompt is displayed. You can now enter CLI commands to manage the switch. For detailed information on CLI commands, refer to the appropriate chapter(s) of this reference guide.
  • Page 29: Cli Command Conventions

    Introduction CLI Command Conventions When entering commands there are certain command entry standards that apply to all commands. The following table describes the command conventions. Description Convention In a command line, square brackets indicate an optional entry. In a command line, curly brackets indicate a selection of compulsory parameters separated by the | character.
  • Page 30: Editing Features

    Introduction Editing Features Entering Commands A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command show interfaces status Gigabitethernet 1, show, interfaces, and status are keywords, Gigabitethernet is an argument that specifies the interface type, and 1 specifies the port.
  • Page 31: Command Completion

    Introduction Keyword Description Up-Arrow key Recalls commands in the history buffer, beginning with the most recent command. Ctrl+P Repeat the key sequence to recall successively older commands. Down-Arrow key Returns to more recent commands in the history buffer after recalling commands with the up-arrow key.
  • Page 32: Keyboard Shortcuts

    Introduction Keyboard Shortcuts The CLI has a range of keyboard shortcuts to assist in editing the CLI commands. The following table describes the CLI shortcuts. Description Keyboard Key Up-arrow Recalls commands from the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
  • Page 33 Introduction Interface Naming Conventions Interface ID Within the CLI, interfaces are denoted by concatenating the following elements: • Type of interface: The following types of interfaces are found on the various types of devices: GigabitEthernet ports (10/100/1000 bits) — This can be written as either GigabitEthernet or gi or GE.
  • Page 34 Introduction A sample of this command is shown in the example below: console#configure console(config-if)#interface range gi1-5, vlan 1-2 IPv6z Address Conventions The following describes how to write an IPv6z address, which is a link-local IPv6 address. The format is: % where: egress-interface (also known as zone) = vlan...
  • Page 35 Introduction If Router system mode is selected, the user can manage the device on any IP interface configured on the device, as long as a default route is configured. In Router system mode, the switch routes traffic between IP VLANs, and bridges traffic with VLANs.
  • Page 36: User Interface Commands

    User Interface Commands enable The enable EXEC mode command enters the Privileged EXEC mode. Syntax enable [privilege-level] Parameters privilege-level—Specifies the privilege level at which to enter the system. (Range: 1, 7, 15) Default Configuration The default privilege level is 15. Command Mode EXEC mode Example...
  • Page 37: Disable

    User Interface Commands disable The disable Privileged EXEC mode command leaves the Privileged EXEC mode and returns to the User EXEC mode. Syntax disable [privilege-level] Parameters privilege-level—Reduces the privilege level to the specified privilege level. If privilege level is left blank, the level is reduced to 1. Default Configuration The default privilege level is 1.
  • Page 38: Configure

    User Interface Commands Default Configuration Command Mode EXEC mode Example The following example enters Privileged EXEC mode and logs in with the required username ‘bob’. switchxxxxxx# login User Name:bob Password:***** switchxxxxxx# configure The configure Privileged EXEC mode command enters the Global Configuration mode.
  • Page 39: Exit (Configuration)

    User Interface Commands exit (Configuration) The exit command exits any mode and brings the user to the next higher mode in the CLI mode hierarchy. Syntax exit Parameters Default Configuration Command Mode All. Examples The following examples change the configuration mode from Interface Configuration mode to Privileged EXEC mode.
  • Page 40: End

    User Interface Commands Default Configuration Command Mode EXEC mode Example The following example closes an active terminal session. switchxxxxxx# exit The end command ends the current configuration session and returns to the Privileged EXEC mode. Syntax Parameters Default Configuration Command Mode Example The following example ends the Global Configuration mode session and returns to the Privileged EXEC mode.
  • Page 41: Help

    User Interface Commands help The help command displays a brief description of the Help system. Syntax help Parameters Default Configuration Command Mode Example The following example describes the Help system. switchxxxxxx# help Help may be requested at any point in a command by entering a question mark '.
  • Page 42: History

    User Interface Commands history The history Line Configuration mode command enables saving commands that have been entered. Use the no form of this command to disable the command. Syntax history no history Parameters Default Configuration Enabled. Command Mode Line Configuration mode User Guidelines This command enables saving user-entered commands for a specified line.
  • Page 43: History Size

    User Interface Commands 2.10 history size The history size Line Configuration mode command changes the maximum number of user commands that are saved in the history buffer for a particular line. Use the no form of this command to reset the command history buffer size to the default value.
  • Page 44: Terminal History

    User Interface Commands 2.11 terminal history The terminal history EXEC mode command enables the command history function for the current terminal session, meaning it is not stored in the Running Configuration file. Use the no form of this command to disable the command. Syntax terminal history terminal no history...
  • Page 45: Terminal Datadump

    User Interface Commands terminal no history size Parameters number-of-commands—Specifies the number of commands the system maintains in its history buffer. (Range: 10–207) Default Configuration The default configuration for all terminal sessions is defined by the history size Line Configuration mode command. Command Mode EXEC mode User Guidelines...
  • Page 46: Terminal Width

    User Interface Commands Default Configuration When printing, dumping is disabled and printing is paused every 24 lines. Command Mode EXEC mode User Guidelines By default, a More prompt is displayed when the output contains more than 24 lines. Pressing the Enter key displays the next line; pressing the Spacebar displays the next screen of output.
  • Page 47: Terminal Prompt

    User Interface Commands Parameters number-of-characters - Specifies the number of characters to be displayed for the echo output of the CLI commands and the configuration file,'0' means endless number of characters on a screen line. (Range: 0, 70-512) Default Configuration The default number of characters is 77.
  • Page 48: Show History

    User Interface Commands Example The following example disables the terminal prompts switchxxxxxx# terminal no prompt 2.16 show history The show history EXEC mode command lists commands entered in the current session. Syntax show history Parameters Default Configuration Command Mode EXEC mode User Guidelines The buffer includes executed and unexecuted commands.
  • Page 49: Show Privilege

    User Interface Commands 15:29:03 Jun 17 2005 switchxxxxxx# show history show version show clock show history 3 commands were logged (buffer size is 10) 2.17 show privilege The show privilege EXEC mode command displays the current privilege level. Syntax show privilege Parameters Default Configuration Command Mode...
  • Page 50: Banner Login

    User Interface Commands Syntax do command Parameters command—Specifies the EXEC-level command to execute. Command Mode All configuration modes Example The following example executes the show vlan Privileged EXEC mode command from Global Configuration mode. Example switchxxxxxx(config)# do show vlan Vlan Name Ports Type Authorization...
  • Page 51 User Interface Commands and also on the WEB GUI. Use the no form of this command to delete the existing login banner. Syntax banner login d message-text d no banner login Parameters • d—Delimiting character of user’s choice—a pound sign (#), for example. You cannot use the delimiting character in the banner message.
  • Page 52: Show Banner

    User Interface Commands Token Information displayed in the banner $(contact) Displays the system contact string. $(location) Displays the system location string. $(mac-address) Displays the base MAC address of the device. Use the no banner login Line Configuration command to disable the Login banner on a particular line or lines.
  • Page 53 User Interface Commands switchxxxxxx# show banner login ------------------------------------------------------------- Banner: Login Line SSH: Enabled Line Telnet: Enabled Line Console: Enabled 78-21075-01 Command Line Interface Reference Guide...
  • Page 54: Macro Commands

    Macro Commands macro name Use the macro name Global Configuration mode command to define a macro. There are two types of macros that can be defined: • Global macros define a group of CLI commands that can be run at any time. •...
  • Page 55 Macro Commands • A macro can contain up to three keywords. • All matching occurrences of the keyword are replaced by the corresponding value specified in macro. • Keyword matching is case-sensitive • Applying a macro with keywords does not change the state of the original macro definition.
  • Page 56 Macro Commands Example 2 and 3 below for a description of how this command is used in the CLI. The syntax for this preprocessor command is as follows: #macro keywords $keyword1 $keyword2 $keyword3 where $keywordn is the name of the keyword. Editing a Macro Macros cannot be edited.
  • Page 57: Macro

    Macro Commands and SPEED must be provided by the user. The #macro keywords command enables the user to receive help for the macro as shown in Example 3. switchxxxxxx(config) # macro name duplex Enter macro commands one per line. End with the character ‘@’. duplex $DUPLEX no negotiation speed $SPEED...
  • Page 58 Macro Commands Syntax macro {apply | trace} macro-name [parameter-name1 {value}] [parameter-name2 {value}] [parameter-name3 {value}] Parameters • apply—Apply a macro to the specific interface. • trace—Apply and trace a macro to the specific interface. • macro-name—Name of the macro. • parameter-name value —(Optional) For each parameter defined in the...
  • Page 59: Macro Description

    Macro Commands appended to the macro history of the interface. The show parser macro command displays the macro history of an interface. A macro applied to an interface range behaves the same way as a macro applied to a single interface. When a macro is applied to an interface range, it is applied sequentially to each interface within the range.
  • Page 60 Macro Commands macro is applied to an interface, the switch automatically generates a macro description command with the macro name. As a result, the name of the macro is appended to the macro history of the interface. Syntax macro description text no macro description Parameters text—Description text.
  • Page 61: Macro Global

    Macro Commands Interface Macro Description(s) ------------ -------------------------------------------------- duplex | dup | duplex -------------------------------------------------------------- switchxxxxxx#configure switchxxxxxx(config)#interface gi2 switchxxxxxx(config-if)#no macro description switchxxxxxx(config-if)#end switchxxxxxx#show parser macro description Global Macro(s): Interface Macro Description(s) --------- ----------------------------------------------------- duplex | dup | duplex -------------------------------------------------------------- switchxxxxxx# macro global Use the macro global Global Configuration command to apply a macro to a switch (with or without the trace option).
  • Page 62 Macro Commands keyword matching is case sensitive. All matching occurrences of the parameters are replaced with the corresponding value. Default Configuration The command has no default setting. Command Mode Global Configuration mode User Guidelines If a command fails because of a syntax error or a configuration error when you apply a macro, the macro continues to apply the remaining commands to the switch.
  • Page 63: Macro Global Description

    Macro Commands Applying command… ‘line console’ Applying command… ‘exec-timeout 100’ switchxxxxxx(config)# macro global description Use the macro global description Global Configuration command to enter a description which is used to indicate which macros have been applied to the switch. Use the no form of this command to remove the description. Syntax macro global description text...
  • Page 64: Show Parser Macro

    Example 1 - This is a partial output example from the show parser macro command. switchxxxxxx# show parser macro Total number of macros = 6 -------------------------------------------------------------- Macro name : cisco-global Macro type : default global
  • Page 65 # Enable dynamic port error recovery for link state # failures -------------------------------------------------------------- Macro name : cisco-desktop Macro type : default interface # macro keywords $AVID # Basic interface - Enable data VLAN only # Recommended value for access vlan (AVID) should not be 1...
  • Page 66: Interface Command

    Macro Commands default interface: cisco-phone default interface: cisco-switch default interface: cisco-router customizable : snmp This is an example of output from the show parser macro description command. switchxxxxxx# show parser macro description Global Macro(s): cisco-global Example 4 - This is an example of output from the show parser macro description interface command.
  • Page 67: Rsa And Certificate Commands

    RSA and Certificate Commands Keys and Certificates The device automatically generates default RSA/DSA keys and certificates at the following times: • When the device is booted following a software upgrade. • When the device is booted with an empty configuration. • When user-defined keys/certificates are deleted.
  • Page 68: Crypto Key Generate Dsa

    RSA and Certificate Commands Table 2 describes how keys/certificates can be copied from one type of configuration file to another (using the copy command). Table 2: Copying Keys/Certificates Destination File Type Copy from Running Copy from Copy from Remote/Local Config. Startup Config.
  • Page 69: Crypto Key Generate Rsa

    RSA and Certificate Commands User Guidelines DSA keys are generated in pairs - one public DSA key and one private DSA key. If the device already has DSA keys default or user defined, a warning is displayed with a prompt to replace the existing keys with new keys. Erasing of the startup configuration or returning to factory defaults automatically deletes the default keys and they are recreated during device initialization.
  • Page 70: Crypto Key Import

    RSA and Certificate Commands User Guidelines RSA keys are generated in pairs - one public RSA key and one private RSA key. If the device already has RSA keys, a warning is displayed with a prompt to replace the existing keys with new keys.
  • Page 71: Command Mode

    RSA and Certificate Commands Command Mode Global Configuration mode User Guidelines DSA/RSA keys are imported in pairs - one public DSA/RSA key and one private DSA/RSA key. If the device already has DSA/RSA keys, a warning is displayed with a prompt to replace the existing keys with new keys.
  • Page 72 RSA and Certificate Commands -----BEGIN RSA PUBLIC KEY----- [key data omitted] -----END RSA PUBLIC KEY----- Example 2 - Import encrypted key encrypted crypto key import rsa ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ---- Comment: RSA Private Key [key data omitted]...
  • Page 73: Show Crypto Key

    RSA and Certificate Commands OcdK/2nw7lCQguy1mLsX8/bKMXYSk/3aBEvaoJQ82+r/nRf0y3HTy4Wp9zV0SiVC8jLD+7 7t0aHejzfUhr0FRhWWcLnvYwr+nmrYDpS6FADMC2hVA85KZRye9ifxT7otE= ---- END SSH2 PUBLIC KEY ---- show crypto key The show crypto key Privileged EXEC mode command displays the device’s SSH private and public keys for both default and user-defined keys. Syntax mypubkey [rsa | dsa] show crypto key [ Parameters •...
  • Page 74: Crypto Certificate Generate

    RSA and Certificate Commands VkbPbMRbz24dpuWmPVVLUlQy5nCKdDCui5KKVD6zj3gpuhLhMJor7AjAAu5e BrIi2IuwMVJuak5M098= ---- END SSH2 PUBLIC KEY ---- Public Key Fingerprint: 6f:93:ca:01:89:6a:de:6e:ee:c5:18:82:b2:10:bc:1e crypto certificate generate The crypto certificate generate Global Configuration mode command generates a self-signed certificate for HTTPS. Syntax number [key-generate [length]] [cn common- name] [ou crypto certificate generate organization-unit] [or organization] [loc location] [st state] [cu country] [duration...
  • Page 75: Crypto Certificate Request

    RSA and Certificate Commands • days duration —Specifies the number of days a certification is valid. (Range: 30–3650) Default Configuration The default SSL’s RSA key length is 1024. common- name If cn is not specified, it defaults to the device’s lowest static IPv6 address (when the certificate is generated), or to the device’s lowest static IPv4 address if there is no static IPv6 address, or to 0.0.0.0 if there is no static IP address.
  • Page 76 RSA and Certificate Commands Syntax number [cn common- name] [ou organization-unit] [or crypto certificate request organization] [loc location] [st state] [cu country] Parameters • number—Specifies the certificate number. (Range: 1–2) • The following elements can be associated with the key. When the key is displayed, they are also displayed.
  • Page 77: Crypto Certificate Import

    RSA and Certificate Commands After receiving the certificate from the Certification Authority, use the crypto certificate import Global Configuration mode command to import the certificate into the device. This certificate replaces the self-signed certificate. See Keys and Certificates for information on how to display and copy these certificates.
  • Page 78 RSA and Certificate Commands Parameters number—Specifies the certificate number. (Range: 1–2) Default Configuration Command Mode Global Configuration mode User Guidelines To end the session (return to the command line to enter the next command), enter a blank line. The imported certificate must be based on a certificate request created by the crypto certificate request privileged EXEC command.
  • Page 79 RSA and Certificate Commands [certificate data omitted] -----END CERTIFICATE----- Certificate imported successfully. Issued by : C= , ST= , L= , CN=0.0.0.0, O= , OU= Valid From: Jan 24 18:41:24 2011 GMT Valid to: Jan 24 18:41:24 2012 GMT Subject: C=US , ST= , L= , CN= router.gm.com , O=...
  • Page 80 RSA and Certificate Commands [key data omitted] -----END RSA PRIVATE KEY----- -----BEGIN RSA PUBLIC KEY----- [key data omitted] -----END RSA PUBLIC KEY----- -----BEGIN CERTIFICATE----- [certificate data omitted] -----END CERTIFICATE----- Certificate imported successfully. Issued by : C= , ST= , L= , CN=0.0.0.0, O= , OU= Valid From: Jan 24 18:41:24 2011 GMT Valid to: Jan 24 18:41:24 2012 GMT...
  • Page 81 RSA and Certificate Commands [key data omitted] -----END RSA PRIVATE KEY----- -----BEGIN RSA PUBLIC KEY----- [key data omitted] -----END RSA PUBLIC KEY----- -----BEGIN CERTIFICATE----- [certificate data omitted]...
  • Page 82: Show Crypto Certificate

    RSA and Certificate Commands dkB/761PpeKkUtgyPHfTzfSMcJdBOPPnpQcqbxCFh9QSNa4ENSXqC5pND02RHXFx wS1XJGrhMUoNGz1BY5DJWw== -----END CERTIFICATE----- Certificate imported successfully. Issued by : C= , ST= , L= , CN=0.0.0.0, O= , OU= Valid From: Jan 24 18:41:24 2011 GMT Valid to: Jan 24 18:41:24 2012 GMT Subject: C=US , ST= , L= , CN= router.gm.com , O= General Motors...
  • Page 83 RSA and Certificate Commands Certificate 1: Certificate Source: Default -----BEGIN CERTIFICATE----- [certificate data omitted] -----END CERTIFICATE----- Issued by: www.verisign.com Valid from: 8/9/2003 to 8/9/2004 Subject: CN= router.gm.com, 0= General Motors, C= US Fingerprint: DC789788 DC88A988 127897BC BB789788 Certificate 2: Certificate Source: User-Defined -----BEGIN CERTIFICATE-----...
  • Page 84 RSA and Certificate Commands The following example displays SSL certificate # 1 present on the device and the key-pair. switchxxxxxx# show crypto certificate 1 Certificate 1: Certificate Source: Default -----BEGIN CERTIFICATE----- [certificate data omitted] -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- [key data omitted]...
  • Page 85 RSA and Certificate Commands -----END RSA PUBLIC KEY----- Issued by: www.verisign.com Valid from: 8/9/2003 to 8/9/2004 Subject: CN= router.gm.com, 0= General Motors, C= US Finger print: DC789788 DC88A988 127897BC BB78978
  • Page 86: System Management Commands

    System Management Commands ping Use the ping EXEC mode command to send ICMP echo request packets to another node on the network. Syntax ping [ip] {ipv4-address | hostname} [size packet_size] [count packet_count] [timeout time_out] ping ipv6 {ipv6-address | hostname} [size packet_size] [count packet_count] [timeout time_out] Parameters...
  • Page 87 System Management Commands Command Mode EXEC mode User Guidelines Press Esc to stop pinging. Following are sample results of the ping command: • Destination does not respond—If the host does not respond, a “no answer from host” appears within 10 seconds. •...
  • Page 88 System Management Commands Example 2 - Ping a site. switchxxxxxx# ping ip yahoo.com Pinging yahoo.com [66.218.71.198] with 64 bytes of data: 64 bytes from 10.1.1.1: icmp_seq=0. time=11 ms 64 bytes from 10.1.1.1: icmp_seq=1. time=8 ms 64 bytes from 10.1.1.1: icmp_seq=2. time=8 ms 64 bytes from 10.1.1.1: icmp_seq=3.
  • Page 89: Traceroute

    System Management Commands 64 bytes from 3003::33: icmp_seq=3. time=70 ms 64 bytes from 3003::11: icmp_seq=4. time=0 ms 64 bytes from 3003::55: icmp_seq=3. time=1050 ms 64 bytes from 3003::33: icmp_seq=4. time=70 ms 64 bytes from 3003::55: icmp_sq=4. time=1050 ms ---- FF02::1 PING Statistics---- 4 packets transmitted, 12 packets received traceroute To display the routes that packets will take when traveling to their destination, use...
  • Page 90 System Management Commands • time_out timeout —The number of seconds to wait for a response to a probe packet. The default is 3 seconds. (Range: 1–60) • ip-address source —One of the interface addresses of the device to use as a source address for the probes.
  • Page 91 System Management Commands 2 STAN.POS.calren2.NET (171.64.1.213) 0 msec 0 msec 0 msec 3 SUNV--STAN.POS.calren2.net (198.32.249.73) 1 msec 1 msec 1 msec 4 Abilene--QSV.POS.calren2.net (198.32.249.162) 1 msec 1 msec 1 msec 5 kscyng-snvang.abilene.ucaid.edu (198.32.8.103) 33 msec 35 msec 35 msec 6 iplsng-kscyng.abilene.ucaid.edu (198.32.8.80) 47 msec 45 msec 45 msec 7 so-0-2-0x1.aa1.mich.net (192.122.183.9) 56 msec...
  • Page 92: Telnet

    System Management Commands Field Description Source route failed. Port unreachable. telnet The telnet EXEC mode command logs on to a host that supports Telnet. Syntax telnet { ip-address hostname port keyword ...] Parameters • ip-address — Specifies the destination host IP address (IPv4 or IPv6). •...
  • Page 93 System Management Commands Special Telnet Sequences Telnet Sequence Purpose Ctrl-shift-6-b Break Ctrl-shift-6-c Interrupt Process (IP) Ctrl-shift-6-h Erase Character (EC) Ctrl-shift-6-o Abort Output (AO) Ctrl-shift-6-t Are You There? (AYT) Ctrl-shift-6-u Erase Line (EL) At any time during an active Telnet session, available Telnet commands can be listed by pressing the keys at the system prompt.
  • Page 94 System Management Commands Keywords Table Options Description /echo Enables local echo. /quiet Prevents onscreen display of all messages from the software. /source-interface Specifies the source interface. /stream Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UNIX-to-UNIX Copy Program (UUCP) and other non-Telnet protocols.
  • Page 95: Resume

    System Management Commands Keyword Description Port Number pop2 Post Office Protocol v2 pop3 Post Office Protocol v3 smtp Simple Mail Transport Protocol sunrpc Sun Remote Procedure Call syslog Syslog tacacs TAC Access Control System talk Talk telnet Telnet time Time uucp Unix-to-Unix Copy Program whois...
  • Page 96: Hostname

    System Management Commands Example The following command switches to open Telnet session number 1. switchxxxxxx# resume hostname The hostname Global Configuration mode command specifies or modifies the device host name. Use the no form of the command to remove the existing host name.
  • Page 97: Reload

    System Management Commands reload The reload Privileged EXEC mode command reloads the operating system at a user-specified time. Syntax day month reload [[in [hhh:mm | mmm] | at ]] | cancel] Parameters • in hhh:mm | mmm—Schedules a reload of the software to take effect in the specified minutes or hours and minutes.
  • Page 98 System Management Commands current day (if the specified time is later than the current time), or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight. The reload must take place within 24 days. To display information about a scheduled reload, use the show reload command.
  • Page 99: Show Reload

    System Management Commands This command will reset the whole system and disconnect your current session. Reload is scheduled to occur in 10 minutes. Do you want to continue ? (Y/N)[N] Y switchxxxxxx#reload at 17:12 Jun 6 Schedule-Reload is already set to occur in 9 minutes. Do you wish to override? (Y/N)[N] Y To use the 'reload at' command please set the system clock time first.
  • Page 100: Service Cpu-Utilization

    System Management Commands Default Usage Command Mode Privileged EXEC mode User Guidelines You can use this command to display a pending software reload. To cancel a pending reload, use the privileged EXEC command with the cancel parameter. Example The following example displays that a reboot is scheduled for 00:00 on Saturday, April-20.
  • Page 101: Show Cpu Utilization

    System Management Commands Command Mode Global Configuration mode User Guidelines Use the service cpu utilization command to measure information on CPU utilization. Example The following example enables measuring CPU utilization. switchxxxxxx(config)# service cpu-utilization show cpu utilization The show cpu utilization Privileged EXEC mode command displays information about CPU utilization.
  • Page 102: Show Users

    System Management Commands switchxxxxxx# show cpu utilization CPU utilization service is on. CPU utilization -------------------------------------------------- five seconds: 5%; one minute: 3%; five minutes: 3% 5.10 show users The show users EXEC mode command displays information about the active users. Syntax show users Parameters Default Usage...
  • Page 103: Show Sessions

    System Management Commands 5.11 show sessions The show sessions EXEC mode command displays open Telnet sessions. Syntax show sessions Parameters Default Usage Command Mode EXEC mode User Guidelines The show sessions command displays Telnet sessions to remote hosts opened by the current Telnet session to the local device.
  • Page 104: Show Version

    System Management Commands Field Description Address The remote host IP address. Port The Telnet TCP port number. Byte The number of unread bytes for the user to see on the connection. show system The show system EXEC mode command displays various items of information about the device.
  • Page 105: Show Environment

    System Management Commands Parameters Default Usage Command Mode EXEC mode Example The following example displays system version information. switchxxxxxx# show version SW Version 1.1.0.5 ( date 15-Sep-2010 time 10:31:33 ) Boot Version 1.1.0.2 ( date 04-Sep-2010 time 21:51:53 ) HW Version 5.13 show environment This command is only relevant for devices that have...
  • Page 106: Show Version Md5

    System Management Commands Command Mode EXEC mode User Guidelines The fan and temperature status parameters are available only on devices on which FAN and/or temperature sensor are installed. Examples Example 1 - The following example displays the general environment status of a device The temperature status is OK if the temperature sensors status in the device is OK, and if the temperature of all the device is below the threshold.
  • Page 107: Set System

    System Management Commands Parameters Default Usage Command Mode EXEC mode Example switchxxxxxx# show version md5 Filename Status Digest -------- ------- ---------------------------------- image1 Active 23FA000012857D8855AABC7577AB5562 image2 Not Active 23FA000012857D8855AABEA7451265456 boot 23FA000012857D8855AABC7577AB8999 image1 Not Active 23FA000012857D8855AABC757FE693844 image2 Active 23FA000012857D8855AABC7577AB5562 boot 23FA000012857D8855AABC7577AC9999 5.15 set system The set system mode Privileged EXEC mode command puts the device into switch mode (Layer 2 mode) or router mode (Layer 3 mode).
  • Page 108: Show System Mode

    System Management Commands Command Mode Privileged EXEC mode User Guidelines The System mode appears in the configuration file header to specify the system mode. It appears even if it specifies the default system mode. If this command is entered manually and the configured system mode does not match the current system mode, the Startup Configuration file is deleted and the device is rebooted.
  • Page 109: Show System Languages

    System Management Commands Parameters Default Usage Command Mode EXEC mode Example The following example displays system mode information. switchxxxxxx# show system mode Feature State ------------------- --------- Mode: Router 5.17 show system languages The show system languages EXEC mode command displays the list of supported languages.
  • Page 110: Show System Tcam Utilization

    System Management Commands Example The following example displays the languages configured on the device. Number of Sections indicates the number of languages permitted on the device. switchxxxxxx# show system languages Language Name Unicode Name Code Num of Sections --------------- -------------- ------ ------------- English English en-US...
  • Page 111: Show Services Tcp-Udp

    System Management Commands 5.19 show services tcp-udp Use the show services tcp-udp Privileged EXEC mode command to display information about the active TCP and UDP services. Syntax show services tcp-udp Parameters This command has no arguments or keywords. Command Mode Privileged EXEC mode User Guidelines The output does not show sessions where the device is a TCP/UDP client.
  • Page 112: Show Tech-Support

    System Management Commands 5.20 show tech-support Use the show tech-support EXEC mode command to display system and configuration information that can be provided to the Technical Assistance Center when reporting a problem. Syntax config memory show tech-support [ Parameters • Memory—Displays memory and processor state data.
  • Page 113 System Management Commands If you specify the config keyword, the show tech-support command displays the output of the following commands (depending on the commands supported on the device). • show clock • show system • show version • show system mode •...
  • Page 114: Show System Id

    System Management Commands • show cdp traffic • show cdp neighbors • show voice vlan • show users • show sessions • show logging file • show logging If the user specifies the memory keyword, the show tech-support command displays the following output: •...
  • Page 115: Show Cpu Input Rate

    System Management Commands Example The following example displays the system identity information. switchxxxxxx# show system id serial number 114 5.22 show cpu input rate The show cpu input rate EXEC mode command displays the rate of input frames to the CPU in packets per second (pps). Syntax show cpu input rate Command Mode...
  • Page 116: Disable Ports Leds

    System Management Commands switchxxxxxx# menu 5.24 disable ports leds Use the disable ports leds Global Configuration mode command to turn off the LEDs of all the ports on a device (depending on the actual port status, e.g. link up, port speed etc). Use no disable ports leds command to set the LEDs of all the ports on the device to their current operational status.
  • Page 117: Show System Fans

    System Management Commands Syntax show ports leds configuration Command Mode EXEC mode Examples Example 1 - The following example displays the status of the ports LEDs when the port LEDs are turned on. show ports leds configuration Port leds are not disabled Example 2: The following example displays the status of the ports LEDs when the port LEDs are turned off.
  • Page 118: Show System Sensors

    System Management Commands Example If the device does not support controlled fan direction, the column Fan Direction is not displayed. switchxxxxxx# show system fans Unit Speed Admin State Oper State Fan Direction (RPM) -------- ----------- ----------- -------------- auto back to front 5.27 show system sensors Use the show system sensors EXEC mode command to view the temperature...
  • Page 119: System Recovery

    System Management Commands 5.28 system recovery This command is only relevant for devices that have temperature sensors. Note Use the system recovery Global Configuration command to set the system to automatically recover from a temperature that reached the critical threshold. Use the no form of the command to disable automatic recovery. Syntax system recovery no system recovery...
  • Page 120: Ssh Client Commands

    SSH Client Commands ip ssh-client authentication Use the ip ssh-client authentication command in Global Configuration mode to define the SSH client authentication method used by the local SSH clients to be authenticated by remote SSH servers. To return to default, use the no format of the command. Syntax ip ssh-client authentication {password | public-key {rsa | dsa}} no ip ssh-client authentication...
  • Page 121: Ip Ssh-Client Change Server Password

    SSH Client Commands Example The following example specifies that, username and public key are used for authentication: switchxxxxxx(config) # ip ssh-client authentication public-key rsa ip ssh-client change server password Use the ip ssh-client change server password command in Global Configuration mode to change a password of an SSH client on a remote SSH server.
  • Page 122: Ip Ssh-Client Key

    SSH Client Commands Example The following example changes a password of the local SSH clients: switchxxxxxx(config) # ip ssh-client change server password server 10.7.50.155 username john old-password &&&@@@aaff new-password &&&@@@aaee ip ssh-client key Use the ip ssh-client key command in Global Configuration mode to create a key pair for SSH client authentication by public key (either by generating a key or by importing a key).
  • Page 123 SSH Client Commands User Guidelines When using the keyword generate, a private key and a public key of the given type (RSA/DSA) are generated for the SSH client. Downloading a configuration file with a Key Generating command is not allowed, and such download will fail. When using the keyword key-pair, the user can import a key-pair created by another device.
  • Page 124 SSH Client Commands This may take a few minutes, depending on the key size. Example 2. In the following example, both public and private keys of the RSA type are imported (private key as plaintext): switchxxxxxx (config)#ip ssh-client key rsa key-pair Please paste the input now, add a period (.) on a separate line after the input -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDH6CU/2KYRl8rYrK5+TIvwS4zvhBmiC4I31m9cR/1iRTFViMRuJ++TEr...
  • Page 125: Ip Ssh-Client Password

    SSH Client Commands (Need to encrypted SSH client RSA key pair, for example:) -----BEGIN RSA ENCRYPTED PRIVATE KEY----- gxeOjs6OzGRtL4qstmQg1B/4gexQblfa56RdjgHAMejvUT02elYmNi+m4aTu6mlyXPHmYP lXlXny7jZkHRvgg8EzcppEB0O3yQzq3kNi756cMg4Oqbkm7TUOtdqYFEz/h8rJJ0QvUFfh BsEQ3e16E/OPitWgK43WTzedsuyFeOoMXR9BCuxPUJc2UeqQVM2IJt5OM0FbVt0S6oqXhG sEEdoTlhlDwHWg97FcV7x+bEnPfzFGrmbrUxcxOxlkFsuCNo3/94PHK8zEXyWtrx2KoCDQ qFRuM8uecpjmDh6MO2GURUVstctohEWEIVCIOr5SBCbciaxv5oS0jIzXMrJA== -----END RSA PRIVATE KEY----- -----BEGIN RSA PUBLIC KEY----- MIGHAoGBALLOeh3css8tBL8ujFt3trcX0XJyJLlxxt4sGp8Q3ExlSRN25+Mcac6togpIEg tIzk6t1IEJscuAih9Brwh1ovgMLRaMe25j5YjO4xG6Fp42nhHiRcie+YTS1o309EdZkiXa QeJtLdnYL/r3uTIRVGbXI5nxwtfWpwEgxxDwfqzHAgEj -----END RSA PUBLIC KEY----- Example 4 - In the following example, a DSA key pair is removed: switchxxxxxx(config) # no ip ssh-client key dsa Example 5 - In the following example, all key pairs (RSA and DSA types) are...
  • Page 126: Ip Ssh-Client Server Authentication

    SSH Client Commands no ip ssh-client password Parameters • string— Password for the SSH clients (1 - 70 characters). The username cannot include the characters "@" and ":". • encrypted-string - Password for the SSH client in encrypted form. Default Configuration The default password is anonymous.
  • Page 127: Ip Ssh-Client Server Fingerprint

    SSH Client Commands no ip ssh-client server authentication Parameters None Default Configuration SSH server authentication is disabled Command Mode Global configuration User Guidelines When remote SSH server authentication is disabled, any remote SSH server is accepted (even if there is no entry for the remote SSH server in the SSH Trusted Remote Server table).
  • Page 128: Ip Ssh-Client Username

    SSH Client Commands • ip-address—Specifies the address of an SSH server. The IP address can be an IPv4, IPv6 or IPv6z address. See IPv6z Address Conventions. • fingerprint—Fingerprint of the SSH server public key (32 Hex characters). Default Configuration The Trusted Remote SSH Server table is empty. Command Mode Global configuration User Guidelines...
  • Page 129: Show Ip Ssh-Client

    SSH Client Commands Syntax string ip ssh-client username no ip ssh-client username Parameters string— Username of the SSH client. The length is 1 - 70 characters. The username cannot include the characters "@" and ":". Default Configuration The default username is anonymous Command Mode Global configuration User Guidelines...
  • Page 130 SSH Client Commands • rsa— Specifies displaying the RSA key type. • mypubkey— Specifies that only the public key is selected to be displayed. Command Mode Privileged EXEC mode User Guidelines Use the command with a specific key-type to display the SSH client key; You can either specify display of public key or private key, or with no parameter to display both private and public keys.
  • Page 131 SSH Client Commands Username: john Key Source: User Defined Public Key Fingerprint: 77:C7:19:85:98:19:27:96:C9:CC:83:C5:78:89:F8:86 ---- BEGIN SSH2 PUBLIC KEY ---- Comment: RSA Public Key AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5c vwHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9vGf J0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV ---- END SSH2 PUBLIC KEY ---- ---- BEGIN SSH2 PRIVATE KEY ---- Comment: DSA Private Key AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH...
  • Page 132: Show Ip Ssh-Client Server

    SSH Client Commands Authentication method: password (default) Username: anonymous (default) password(Encrypted): KzGgzpYa7GzCHhaveSJDehGJ6L3Yf9ZBAU5nsxSxwic= show ip ssh-client server Use the show ip ssh-client server command in Privilege EXEC Configuration mode to display the SSH remote server authentication method and the Trusted Remote SSH Server table.
  • Page 133 SSH Client Commands Server Key Fingerprint: 5a:8d:1d:b5:37:a4:16:46:23:59:eb:44:13:b9:33:e9 server address: 192.165.204.111 Server Key Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9 server address: 4002:0011::12 Server Key Fingerprint: a5:34:44:44:27:8d:1d:b5:37:59:eb:44:13:b9:33:e9
  • Page 134: Clock Commands

    Clock Commands clock set The clock set Privileged EXEC mode command manually sets the system clock. Syntax day month month day year clock set ] | [ Parameters • —Specifies the current time in hours (military format), minutes, hh:mm:ss and seconds. (Range: hh: 0-23, mm: 0-59, ss: 0-59) •...
  • Page 135: Clock Timezone

    Clock Commands Syntax clock source [sntp | browser] no clock source Parameters • sntp—Specifies that an SNTP server is the external clock source. • browser—Specifies that if the system clock is not already set (either manually or by SNTP) and a user logs on to the device using a WEB browser (either via HTTP or HTTPS), the system clock will be set according to the browser’s time information.
  • Page 136: Clock Summer-Time

    Clock Commands Parameters • zone—The acronym of the time zone. (Range: Up to 4 characters) • hours-offset—Hours difference from UTC. (Range: (-12)–(+13)) • minutes-offset—Minutes difference from UTC. (Range: 0–59) Default Configuration Offsets are 0. Acronym is empty. Command Mode Global Configuration mode User Guidelines The system internally keeps time in UTC, so this command is used only for display purposes and when the time is manually set....
  • Page 137 Clock Commands no clock summer-time Parameters • zone—The acronym of the time zone to be displayed when summer time is in effect. (Range: up to 4 characters) • recurring—Indicates that summer time starts and ends on the corresponding specified days every year. •...
  • Page 138: Clock Dhcp Timezone

    Clock Commands USA rules for Daylight Saving Time: • From 2007: Start: Second Sunday in March End: First Sunday in November Time: 2 AM local time • Before 2007: Start: First Sunday in April End: Last Sunday in October Time: 2 AM local time EU rules for Daylight Saving Time: •...
  • Page 139: Sntp Authentication-Key

    Clock Commands Default Configuration Disabled Command Mode Global Configuration mode User Guidelines The TimeZone taken from the DHCP server has precedence over the static TimeZone. If the TimeZone does not exist in the DHCP-TimeZone option, the static configuration will be active. The Summer Time taken from the DHCP server has precedence over static SummerTime.
  • Page 140: Sntp Authenticate

    Clock Commands Syntax key-number key-value sntp authentication-key key-number key-value encrypted sntp authentication-key md5 encrypted- key-number no sntp authentication-key Parameters • key-number—Specifies the key number. (Range: 1–4294967295) • key-value —Specifies the key value. (Length: 1–8 characters) • encrypted-key-value —Specifies the key value in encrypted format. Default Configuration No authentication key is defined.
  • Page 141: Sntp Trusted-Key

    Clock Commands Parameters Default Configuration Authentication is disabled. Command Mode Global Configuration mode User Guidelines The command is relevant for both Unicast and Broadcast. Examples The following example enables authentication for received SNTP traffic and sets the key and encryption key. switchxxxxxx(config)# sntp authenticate switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey...
  • Page 142: Sntp Broadcast Client Enable

    Clock Commands Default Configuration No keys are trusted. Command Mode Global Configuration mode User Guidelines The command is relevant for both received unicast and broadcast. Examples The following example authenticates key 8. switchxxxxxx(config)# sntp trusted-key switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey switchxxxxxx(config)# sntp trusted-key 8 switchxxxxxx(config)# sntp authenticate sntp broadcast client enable...
  • Page 143: Sntp Anycast Client Enable

    Clock Commands User Guidelines Use the sntp broadcast client enable Interface Configuration mode command to enable the SNTP Broadcast client on a specific interface. After entering this command, you must enter clock source sntp for the command to be run. If this command is not run, the switch will not synchronize with Broadcast servers....
  • Page 144: Sntp Client Enable

    Clock Commands Example The following example enables SNTP Anycast clients. switchxxxxxx(config)# sntp anycast client enable 7.11 sntp client enable The sntp client enable Global Configuration mode command enables the SNTP Broadcast and Anycast client on an interface when the device is in Router mode (Layer 3).
  • Page 145: Sntp Client Enable (Interface)

    Clock Commands Example The following example enables the SNTP Broadcast and Anycast client on port gi3. switchxxxxxx(config)# sntp client enable gi3 7.12 sntp client enable (Interface) To enable the SNTP Broadcast and Anycast client on an interface, use the sntp client enable Interface Configuration command.
  • Page 146: Sntp Unicast Client Enable

    Clock Commands 7.13 sntp unicast client enable The sntp unicast client enable Global Configuration mode command enables the device to use Simple Network Time Protocol (SNTP)-predefined Unicast clients. Use the no form of this command to disable the SNTP Unicast clients. Syntax sntp unicast client enable no sntp unicast client enable...
  • Page 147: Sntp Server

    Clock Commands Default Configuration Polling is disabled. Command Mode Global Configuration mode Example The following example enables polling for SNTP predefined unicast clients. switchxxxxxx(config)# sntp unicast client poll 7.15 sntp server The sntp server Global Configuration mode command configures the device to use the SNTP to request and accept Network Time Protocol (NTP) traffic from a specified server (meaning to accept system time from an SNTP server).
  • Page 148: Show Clock

    Clock Commands Command Mode Global Configuration mode User Guidelines Up to 8 SNTP servers can be defined. sntp unicast client enable Global Configuration mode command enables predefined Unicast clients. sntp unicast client poll Global Configuration mode command globally enables polling. Example The following example configures the device to accept SNTP traffic from the server on 192.1.1.1 with polling.
  • Page 149: Show Sntp Configuration

    Clock Commands Time source is SNTP Example 2 - The following example displays the system time and date along with the time zone and summer time configuration. switchxxxxxx# show clock detail 15:29:03 PDT(UTC-7) Jun 17 2002 Time source is SNTP Time zone: Acronym is PST Offset is UTC-8...
  • Page 150: Show Sntp Status

    Clock Commands Command Mode Privileged EXEC mode Example The following example displays the device’s current SNTP configuration. switchxxxxxx# show sntp configuration SNTP port : 123 . Polling interval: 1024 seconds. MD5 authentication keys ----------------------------------- John123 Alice456 ----------------------------------- Authentication is not required for synchronization. No trusted keys.
  • Page 151: Default Configuration

    Clock Commands Syntax show sntp status Parameters Default Configuration Command Mode Privileged EXEC mode Example The following example displays the SNTP servers status. switchxxxxxx# show sntp status Clock is synchronized, stratum 4, reference is 176.1.1.8, unicast Reference time is afe2525e.70597b34 (00:10:22.438 PDT Jul 5 1993) Unicast servers: Server Status...
  • Page 152 Clock Commands Broadcast: Server Interface Last response --------- --------- ----------------- 176.9.1.1 VLAN 119 19:17:59.792 PDT Feb 19 2002
  • Page 153: Dns Client Commands

    DNS Client Commands clear host Use the clear host command in privileged EXEC mode to delete dynamic host-name-to-address mapping entries from the DNS client name-to-address cache. Syntax hostname | clear host { Parameters • hostname—Name of the host for which host-name-to-address mappings are to be deleted from the DNS client name-to-address cache.
  • Page 154: Ip Domain Lookup

    DNS Client Commands Example The following example deletes all dynamic entries from the DNS client name-to-address cache. clear host * ip domain lookup Use the ip domain lookup command in Global Configuration mode to enable the IP Domain Naming System (DNS)-based host-name-to-address translation. Use the no form of this command to disable the DNS.
  • Page 155: Ip Domain Polling-Interval

    DNS Client Commands Use the no form of this command to delete the static defined default domain name. Syntax hostname ip domain name no ip domain name Parameters hostname—Default domain name used to complete unqualified host names. Do not include the initial period that separates an unqualified name from the domain name.
  • Page 156: Ip Domain Retry

    DNS Client Commands Use the no form of this command to return to the default behavior. Syntax seconds ip domain polling-interval no ip domain polling-interval Parameters seconds—Polling interval in seconds. The range is from (2*(R+1)*T) to 3600. Default Configuration The default value is 2 * (R+1) * T, where R is a value configured by the ip domain retry command.
  • Page 157: Ip Domain Timeout

    DNS Client Commands Syntax number ip domain retry no ip domain retry Parameters number—Number of times to retry sending a DNS query to the DNS server. The range is from 0 to 16. Default Configuration The default value is 2. Command Mode Global Configuration mode User Guidelines...
  • Page 158: Ip Host

    DNS Client Commands Parameters seconds—Time, in seconds, to wait for a response to a DNS query. The range is from 1 to 60. Default Configuration The default value is 3 seconds. Command Mode Global Configuration mode User Guidelines Use the command to change the default time out value. Use the no form of this command to return to the default time out value.
  • Page 159: Ip Name-Server

    DNS Client Commands • address2...address8—Up to seven additional associated IP addresses, delimited by a single space (IPv4 or IPv6, if IPv6 stack is supported). Default Configuration No host is defined. Command Mode Global Configuration mode User Guidelines Host names are restricted to ASCII letters A through Z (case-insensitive), the digits 0 through 9, the underscore and the hyphen symbols.
  • Page 160: Show Hosts

    DNS Client Commands Parameters • server-address1—IPv4 or IPv6 addresses of a single name server. • server-address2...server-address8—IPv4 or IPv6 addresses of additional name servers. Default Configuration No name server IP addresses are defined. Command Mode Global Configuration mode User Guidelines The preference of the servers is determined by the order in which they were entered.
  • Page 161 -------------------------------------------- ------- --------- ---------- a222 static gren1 DHCPv6 vlan 1 unit1 DHCPv6 vlan 1 exp1 DHCPv6 vlan 1 cisco.com DHCPv4 gi2/1/24 Name Server Table IP Address Source Interface Preference -------------------------------------------- ------- --------- ---------- 4.4.4.1 static
  • Page 162 IPv4 DYN,OK 0000:01:14 google.com 173.194.34.97 IPv4 DYN,OK 0000:01:14 google.com 173.194.34.99 IPv4 DYN,OK 0000:01:06 pt-lt0109.a222 no resolution IPv4 DYN,NE 0000:14:37 pt-lt0109.gren1 no resolution IPv4 DYN,NE 0000:14:38 pt-lt0109.unit1 no resolution IPv4 DYN,NE 0000:14:37 pt-lt0109.cisco.com 10.5.80.50 IPv4 DYN,OK 0000:19:37
  • Page 163: Configuration And Image File Commands

    Configuration and Image File Commands copy The copy Privileged EXEC mode command copies a source file to a destination file. Syntax source-url destination-url exclude include-encrypted include-plaintext copy Parameters • source-url—Specifies the source file URL or source file reserved keyword to be copied. (Length: 1–160 characters) •...
  • Page 164 Configuration and Image File Commands Source and/or Destination URL Source or Destination boot Boot file. tftp:// Source or destination URL for a TFTP network server. The syntax for this alias is tftp://host/[directory]/filename . The host can be either an IP address or a host name. scp:// Source or destination URL for a Secure Copy Protocol (SCP) network server.
  • Page 165 Configuration and Image File Commands Source and/or Destination URL Source or Destination member unit:// /localization The secondary language file on one of the units. To copy to all units, specify * in the member field. Example: copy tftp://10.5.234.203/french.txt unit:// /localization. logging Specifies the SYSLOG file.
  • Page 166 Configuration and Image File Commands The following are invalid combinations of source and destination files: • The source file and destination file are the same file. • xmodem: is the destination file. The source file can be copied to image, boot and null: only.
  • Page 167 Configuration and Image File Commands destination-url Use the copy startup-config command to copy the startup configuration file to a network server. • Saving the Running Configuration to the Startup Configuration Use the copy running-config startup-config command to copy the running configuration to the startup configuration file.
  • Page 168 Configuration and Image File Commands Example 1 - The following example copies system image file1 from the TFTP server 172.16.101.101 to the non-active image file. switchxxxxxx# //172.16.101.101/file1 copy tftp: image Accessing file 'file1' on 172.16.101.101... Loading file1 from 172.16.101.101: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! [OK]...
  • Page 169 Configuration and Image File Commands The following example copies file1 to the Startup Configuration file. The username and password used for SCP session authentication are: jeff and admin1. The IP address of the server containing file1 is 102.1.2.2. switchxxxxxx# copy scp://jeff:admin1@102.1.2.2/file1 startup-config
  • Page 170: Write

    Configuration and Image File Commands write Use the write Privileged EXEC mode command to save the running configuration to the startup configuration file. Syntax write [memory] Parameters Default Configuration Command Mode Privileged EXEC mode Examples The following example shows how to overwrite the startup-config file with the running-config file with the write command.
  • Page 171: Dir

    Configuration and Image File Commands Parameters url—Specifies the location URL or reserved keyword of the file to be deleted. (Length: 1–160 characters) "Flash://" is the source or destination URL scheme that specifies the access method to the local flash memory. It simply stands for the root directory of the local flash. It is the default scheme for a URL that does not explicitly contain a scheme/access method (e.g.
  • Page 172 Configuration and Image File Commands Parameters Default Configuration Command Mode Privileged EXEC mode Example The following example displays the list of files on a flash file system Total size of flash: 33292288 bytes Free size of flash: 20708893 bytes switchxxxxxx# dir Directory of flash: File Name Permission...
  • Page 173: More

    Configuration and Image File Commands more The more Privileged EXEC mode command displays a file. Syntax more Parameters url—Specifies the location URL or reserved keyword of the source file to be displayed. (Length: 1–160 characters). "Flash://" is the source or destination URL scheme that specifies the access method to the local flash memory.
  • Page 174: Boot System

    Configuration and Image File Commands no spanning-tree interface range gi1-48 speed 1000 exit no lldp run line console exec-timeout 0 boot system The boot system Privileged EXEC mode command specifies the active system image file that will be loaded by the device at startup. Syntax {image-1 | image-2} boot system...
  • Page 175: Rename

    Configuration and Image File Commands Example The following example specifies that image-1 is the active system image file loaded by the device at startup. The results of this command is displayed in rename. switchxxxxxx# boot system image-1 switchxxxxxx#show bootvar Image Filename Version Date...
  • Page 176: Show Bootvar

    Configuration and Image File Commands Default Configuration Command Mode Privileged EXEC mode User Guidelines mirror-config, *.sys and *.prv files cannot be renamed. Example The following example renames the configuration backup file. switchxxxxxx# rename backup-config m-config.bak show bootvar Use the show bootvar EXEC mode command to display the active system image file that was loaded by the device at startup, and to display the system image file that will be loaded after rebooting the switch.
  • Page 177: Show Running-Config

    Configuration and Image File Commands Example The following example displays the active system image file that was loaded by the device at startup and the system image file that will be loaded after rebooting the switch. switchxxxxxx# show bootvar Image filename Version Date...
  • Page 178 Configuration and Image File Commands User Guidelines The Running Configuration file does not contain all the information that can be displayed in the output. Only non-default configurations are displayed. Examples The following example displays the Running Configuration file contents. Example 1 - Show the entire Running Configuration file. switchxxxxxx# show running-config no spanning-tree interface range gi1-48...
  • Page 179 Configuration and Image File Commands description "Hello World String" lacp timeout short lacp port-priority 1234 port security max 111 port security mode max-addresses spanning-tree disable spanning-tree portfast auto spanning-tree link-type point-to-point spanning-tree cost 200000 spanning-tree port-priority 224 spanning-tree guard root spanning-tree mst 2 port-priority 64 spanning-tree mst 2 cost 2222 spanning-tree mst 4 port-priority 80...
  • Page 180: Show Startup-Config

    Configuration and Image File Commands switchport general acceptable-frame-type untagged-only switchport general pvid 111 switchport trunk native vlan 22 9.10 show startup-config The show startup-config Privileged EXEC mode command displays the startup configuration file contents. Syntax [interface interface-id-list] show startup-config Parameters •...
  • Page 181 Configuration and Image File Commands no lldp run interface vlan 1 ip address 1.1.1.1 255.0.0.0 exit line console exec-timeout 0 exit switchxxxxxx# Example 2 - The following example displays the Startup Configuration file contents for ports 1 and 2. switchxxxxxx# show startup-config interface gi1-2 interface gi1 back-pressure duplex half...
  • Page 182: Service Mirror-Configuration

    Configuration and Image File Commands spanning-tree mst 2 cost 2222 spanning-tree mst 4 port-priority 80 qos cos 6 traffic-shape 12345 switchport mode general switchport general allowed vlan add 12,14-20 tagged switchport general allowed vlan add 2-11,13,100,3000,3002,3004,3006,3008 untagged switchport general map macs-group 1 vlan 111 switchport general ingress-filtering disable switchport general acceptable-frame-type untagged-only switchport general pvid 111...
  • Page 183: Show Mirror-Configuration Service

    Configuration and Image File Commands Parameters Default Configuration The default configuration is mirror-configuration service enabled. Command Mode Global Configuration mode User Guidelines The mirror-configuration service automatically keeps a copy of the last known stable configuration (startup configuration that wasn’t modified for 24H). The mirror-configuration file is not deleted when restoring to factory defaults.
  • Page 184 Configuration and Image File Commands Syntax show mirror-configuration service Command Mode EXEC mode Example The following example displays the status of the mirror-configuration service show mirror-configuration service Mirror-configuration service is enabled
  • Page 185: Auto-Configuration

    Auto-Configuration 10.1 boot host auto-config Use the boot host auto-config Global Configuration mode command to enable DHCP auto configuration via either the TFTP or SCP protocols. Use the no form of this command to disable DHCP auto configuration. Syntax extension boot host auto-config [tftp | scp | auto [ no boot host auto-config Parameters...
  • Page 186: Show Boot

    Auto-Configuration Example 2 - The following example specifies the auto mode and does not provide an SCP extension. In this case "scp" is used. boot host auto-config auto Example 3. The following example specifies that only the SCP protocol will be used: boot host auto-config scp 10.2...
  • Page 187: Ip Dhcp Tftp-Server Ip Address

    Auto-Configuration 10.3 ip dhcp tftp-server ip address Use the ip dhcp tftp-server ip address Global Configuration mode command to set the TFTP or SCP server’s IP address. This address serves as the default address used by a switch when it has not been received from the DHCP server. Use the no form of this command to remove the address....
  • Page 188: Show Ip Dhcp Tftp-Server

    Auto-Configuration no ip dhcp tftp-server file Parameters file-path—Full file path and name of the configuration file on TFTP server Default Configuration No file name Command Mode Global Configuration mode User Guidelines The path/file name, used in the download process, can be received from DHCP or this command as well.
  • Page 189 Auto-Configuration Example switchxxxxxx# show ip dhcp tftp server tftp server address server address active 1.1.1.1 from sname manual 2.2.2.2 file path on tftp server file path on server active conf/conf-file from option 67
  • Page 190: Management Acl Commands

    Management ACL Commands 11.1 management access-list The management access-list Global Configuration mode command configures a management access list (ACL) and enters the Management Access-List Configuration command mode. Use the no form of this command to delete an ACL Syntax name management access-list name no management access-list...
  • Page 191: Permit (Management)

    Management ACL Commands Examples Example 1 - The following example creates a management access list called mlist, configures management gi1 and gi9, and makes the new access list the active list. switchxxxxxx(config)# management access-list mlist switchxxxxxx(config-macl)# permit gi1 switchxxxxxx(config-macl)# permit gi9 switchxxxxxx(config-macl)# exit switchxxxxxx(config)#...
  • Page 192: Deny (Management)

    Management ACL Commands Parameters • interface-id:—Specify an interface ID. The interface ID can be one of the following types: Ethernet port, Port-channel or VLAN • service service — Specifies the service type. Possible values are: Telnet, SSH, HTTP, HTTPS and SNMP. •...
  • Page 193 Management ACL Commands Syntax [interface-id] [service service] deny {ipv4-address | ipv6-address/ipv6-prefix-length} [mask {mask | deny ip-source prefix-length}] [interface-id] [service service] Parameters • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port, Port-channel or VLAN •...
  • Page 194: Management Access-Class

    Management ACL Commands 11.4 management access-class The management access-class Global Configuration mode command restricts management connections by defining the active management access list (ACL). To disable management connection restrictions, use the no form of this command. Syntax name management access-class {console-only | no management access-class Parameters •...
  • Page 195: Show Management Access-Class

    Management ACL Commands Parameters name—Specifies the name of a management access list to be displayed. (Length: 1–32 characters) Default Configuration All management ACLs are displayed. Command Mode Privileged EXEC mode Example The following example displays the mlist management ACL. switchxxxxxx# mlist show management access-list -only...
  • Page 196 Management ACL Commands Command Mode Privileged EXEC mode Example The following example displays the active management ACL information. switchxxxxxx# show management access-class Management access-class is enabled, using access list mlist
  • Page 197: Network Management Protocol (Snmp) Commands

    Network Management Protocol (SNMP) Commands 12.1 snmp-server server Use the snmp-server server Global Configuration mode command to enable the device to be configured by the SNMP protocol. Use the no form of this command to disable this function. Syntax snmp-server server no snmp-server server Parameters Default Configuration...
  • Page 198 Network Management Protocol (SNMP) Commands Syntax community string [ro | rw | su] ip-address | ipv6-address snmp-server community mask prefix-length] [ view-name] mask | prefix view community-string [ip-address] no snmp-server community Parameters • community-string—Define the password that permits access to the SNMP protocol.
  • Page 199: Snmp-Server Community-Group

    Network Management Protocol (SNMP) Commands User Guidelines The logical key of the command is the pair (community, ip-address). If ip-address is omitted then the key is (community, All-IPs). This means that there cannot be two commands with the same community, ip address pair. view-name is used to restrict the access rights of a community string.
  • Page 200: Snmp-Server View

    Network Management Protocol (SNMP) Commands • mask—Specifies the mask of the IPv4 address. This is not a network mask, but rather a mask that defines which bits of the packet’s source address are compared to the configured IP address. If unspecified, it defaults to 255.255.255.255.
  • Page 201 Network Management Protocol (SNMP) Commands Syntax view-name oid-tree {included | excluded} snmp-server view view-name oid-tree no snmp-server view Parameters • view-name—Specifies the name for the view that is being created or updated. (Length: 1–30 characters) • oid-tree—Specifies the ASN.1 subtree object identifier to be included or excluded from the view.
  • Page 202: Show Snmp Views

    Network Management Protocol (SNMP) Commands Example The following example creates a view that includes all objects in the MIB-II system group except for sysServices (System 7) and all objects for interface 1 in the MIB-II interface group (this format is specified on the parameters specified in ifEntry).
  • Page 203: Snmp-Server Group

    Network Management Protocol (SNMP) Commands 12.6 snmp-server group Use the snmp-server group Global Configuration mode command to configure an SNMP group. Groups are used to map SNMP users to SNMP views (using snmp-server user). Use the no form of this command to remove an SNMP group. Syntax groupname v1 | v2 | v3 {noauth | auth | priv} [notify notifyview]}...
  • Page 204: Show Snmp Groups

    Network Management Protocol (SNMP) Commands notifyview is not specified, the notify view is not defined. readview is not specified, all objects except for the community-table and SNMPv3 user and access tables are available for retrieval. writeview is not specified, the write view is not defined. Command Mode Global Configuration mode User Guidelines...
  • Page 205: Snmp-Server User

    Network Management Protocol (SNMP) Commands Default Configuration Display all groups. Command Mode Privileged EXEC mode Example The following example displays the configured SNMP groups. switchxxxxxx# show snmp groups Name Security Views Model Level Read Write Notify ------------- ----- ---- ------- ------- ------- user-group...
  • Page 206 Network Management Protocol (SNMP) Commands Syntax username groupname {v1 | v2c | [ host] v3[ { md5 | snmp-server user remote auth sha} auth-password [priv priv-password] ]} username groupname {v1 | v2c | [ host] v3[ encrypted snmp-server user remote auth { md5 | sha} encrypted-auth-password [priv encrypted-priv-password] ]} username [remote host]...
  • Page 207 Network Management Protocol (SNMP) Commands Default Configuration No group entry exists. Command Mode Global configuration User Guidelines For SNMP v1 and v2, this performs the same actions as snmp-server community-group, except that snmp-server community-group configures both v1 and v2 at the same time. With this command, you must perform it once for v1 and once for v2.
  • Page 208: Show Snmp Users

    Network Management Protocol (SNMP) Commands Example abcd This example assigns user to group using SNMP v1 and v2c. The default abcd is assigned as the engineID. User is assigned to group using SNMP v1 and v2c switchxxxxxx(config)# snmp-server user tom acbd v1 switchxxxxxx(config)# snmp-server user tom acbd v2c switchxxxxxx(config)# snmp-server user tom acbd v3 12.9...
  • Page 209 Network Management Protocol (SNMP) Commands Privacy Algorithm : None Remote :11223344556677 Auth Password Priv Password User name : qqq Group name : www Authentication Algorithm : MD5 Privacy Algorithm : None Remote Auth Password : helloworld1234567890987665 Priv Password User name : hello Group name : world...
  • Page 210: Snmp-Server Filter

    Network Management Protocol (SNMP) Commands Priv Password (encrypted) : User name : u1OnlyAuth Group name : group1 Authentication Algorithm : SHA Privacy Algorithm : None Remote Auth Password (encrypted): 8nPzy2hzuba9pG3iiC/q0451RynUn7kq94L9WORFrRM= Priv Password (encrypted) : 12.10 snmp-server filter The snmp-server filter Global Configuration mode command creates or updates an SNMP server notification filter.
  • Page 211: Show Snmp Filters

    Network Management Protocol (SNMP) Commands Default Configuration No view entry exists. Command Mode Global Configuration mode User Guidelines This command can be entered multiple times for the same filter. If an object identifier is included in two or more lines, later lines take precedence. The command's logical key is the pair (filter-name, oid-tree)....
  • Page 212: Snmp-Server Host

    Network Management Protocol (SNMP) Commands Example The following example displays the configured SNMP filters. switchxxxxxx# show snmp filters user-filter Name OID Tree Type ------------ --------------------- --------- user-filter 1.3.6.1.2.1.1 Included user-filter 1.3.6.1.2.1.1.7 Excluded user-filter 1.3.6.1.2.1.2.2.1.*.1 Included 12.12 snmp-server host Use the snmp-server host Global Configuration mode command to configure the host for SNMP notifications: (traps/informs).
  • Page 213 Network Management Protocol (SNMP) Commands • community-string—Password-like community string sent with the notification operation. (Range: 1–20 characters). For v1 and v2, any community string can be entered here. For v3, the community string must match the user name defined in snmp-server user for v3.
  • Page 214: Snmp-Server Engineid Remote

    Network Management Protocol (SNMP) Commands When configuring SNMP v1 or v2 notifications recipient, the software automatically generates a notification view for that recipient for all MIBs. For SNMPv3 the software does not automatically create a user or a notify view. Use the commands snmp-server user snmp-server group...
  • Page 215: Snmp-Server Engineid Local

    Network Management Protocol (SNMP) Commands User Guidelines A remote engine ID is required when an SNMP version 3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. 12.14 snmp-server engineID local The snmp-server engineID local Global Configuration mode command specifies the SNMP engineID on the local device for SNMP v3.
  • Page 216: Show Snmp Engineid

    Network Management Protocol (SNMP) Commands User Guidelines To use SNMPv3, an engine ID must be specified for the device. Any ID can be specified or the default string, which is generated using the device MAC address, can be used. Since the engineID should be unique within an administrative domain, use the default keyword to configure the Engine ID.
  • Page 217: Snmp-Server Enable Traps

    Network Management Protocol (SNMP) Commands Example The following example displays the SNMP engine ID. switchxxxxxx # show snmp engineID Local SNMP engineID: 08009009020C0B099C075878 IP address Remote SNMP engineID ----------- ------------------------------- 172.16.1.1 08009009020C0B099C075879 12.16 snmp-server enable traps Use the snmp-server enable traps Global Configuration mode command to enable the device to send all SNMP traps.
  • Page 218: Snmp-Server Trap Authentication

    Network Management Protocol (SNMP) Commands 12.17 snmp-server trap authentication Use the snmp-server trap authentication Global Configuration mode command to enable the device to send SNMP traps when authentication fails. Use the no form of this command to disable SNMP failed authentication traps. Syntax snmp-server trap authentication no snmp-server trap authentication...
  • Page 219: Snmp-Server Location

    Network Management Protocol (SNMP) Commands Syntax text snmp-server contact no snmp-server contact Parameters text—Specifies system contact information. (Length: 1–168 characters) Default Configuration Command Mode Global Configuration mode Example The following example sets the system contact information to Technical_Support. switchxxxxxx(config)# snmp-server contact Technical_Support 12.19 snmp-server location Use the snmp-server location Global Configuration mode command to set the...
  • Page 220: Snmp-Server Set

    Network Management Protocol (SNMP) Commands Command Mode Global Configuration mode Example The following example sets the device location to New_York. switchxxxxxx(config)# snmp-server location New_York 12.20 snmp-server set Use the snmp-server set Global Configuration mode command to define SNMP MIB commands in the configuration file if a MIB performs an action for which there is no corresponding CLI command.
  • Page 221: Show Snmp

    Network Management Protocol (SNMP) Commands Example The following example configures the scalar MIB sysName with the value TechSupp. switchxxxxxx(config)# sysName sysname TechSupp snmp-server set 12.21 show snmp Use the show snmp Privileged EXEC mode command to display the SNMP status. Syntax show snmp Parameters...
  • Page 222: Target Address

    Network Management Protocol (SNMP) Commands Traps are enabled. Authentication trap is enabled. Version 1,2 notifications Target Address Type Community Version Filter Retries Port Name ----------- ---- -------- ------- ---- ------ ------- 192.122.173.42 Trap public 192.122.173.42 Inform public Version 3 notifications Target Address Type Username...
  • Page 223: Web Server Commands

    Web Server Commands 13.1 ip http server Use the ip http server Global Configuration mode command to enable configuring and monitoring the device from a web browser. Use the no form of this command to disable this function. Syntax ip http server no ip http server Parameters Default Configuration...
  • Page 224: Ip Http Timeout-Policy

    Web Server Commands no ip http port Parameters port-number port —For use by the HTTP server. (Range: 0–65534) Default Configuration The default port number is 80. Command Mode Global Configuration mode Example The following example configures the http port number as 100. switchxxxxxx(config)# ip http port 13.3...
  • Page 225: Ip Http Secure-Server

    Web Server Commands Command Mode Global Configuration mode User Guidelines To specify no timeout, enter the ip http timeout-policy 0 command. Example The following example configures the http timeout to be 1000 seconds. switchxxxxxx(config)# ip http timeout-policy 1000 13.4 ip http secure-server Use the ip http secure-server Global Configuration mode command to enable the device to be configured or monitored securely from a browser.
  • Page 226: Ip Https Certificate

    Web Server Commands switchxxxxxx(config)# ip http secure-server 13.5 ip https certificate Use the ip https certificate Global Configuration mode command to configure the active certificate for HTTPS. Use the no form of this command to restore the default configuration. Syntax number ip https certificate no ip https certificate...
  • Page 227: Show Ip Https

    Web Server Commands Syntax show ip http Command Mode EXEC mode Example The following example displays the HTTP server configuration. switchxxxxxx# show ip http HTTP server enabled Port: 80 Interactive timeout: 10 minutes 13.7 show ip https The show ip https Privileged EXEC mode command displays the HTTPS server configuration.
  • Page 228 Web Server Commands Valid from: 8/9/2003 to 8/9/2004 Subject: CN= router.gm.com, 0= General Motors, C= US Finger print: DC789788 DC88A988 127897BC BB789788 Certificate 2 is inactive Issued by: self-signed Valid from: 8/9/2003 to 8/9/2004 Subject: CN= router.gm.com, 0= General Motors, C= US Finger print: 1873B936 88DC3411 BC8932EF 782134BA
  • Page 229: Telnet, Secure Shell (Ssh) And Secure Login (Slogin) Commands

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands 14.1 ip telnet server Use the ip telnet server Global Configuration mode command to enable the device as a Telnet server that accepts connection requests from remote Telnet clients. Remote Telnet clients can configure the device through the Telnet connections. Use the no form of this command to disable the Telnet server functionality on the device.
  • Page 230: Ip Ssh Server

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands 14.2 ip ssh server The ip ssh server Global Configuration mode command enables the device to be an SSH server and so to accept connection requests from remote SSH clients. Remote SSH clients can manage the device through the SSH connection. Use the no form of this command to disable the SSH server functionality from the device.
  • Page 231: Ip Ssh Pubkey-Auth

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands no ip ssh port Parameters port-number—Specifies the port number to be used by the SSH server. (Range: 1–65535) Default Configuration The default port number is 22. Command Mode Global Configuration mode Example The following example specifies that port number 8080 is used by the SSH server.
  • Page 232: Ip Ssh Password-Auth

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands Command Mode Global Configuration mode User Guidelines This command enables public key authentication by a local SSH server of remote SSH clients. The local SSH server advertises all enabled SSH authentication methods and remote SSH clients are responsible for selecting one of them.
  • Page 233: Crypto Key Pubkey-Chain Ssh

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands Use the no form of this command to disable this function. Syntax ip ssh password-auth no ip ssh password-auth Default Configuration Password authentication of incoming SSH sessions is disabled. Command Mode Global Configuration mode User Guidelines This command enables password authentication by a local SSH server of remote...
  • Page 234 Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands Syntax crypto key pubkey-chain ssh Default Configuration Keys do not exist. Command Mode Global Configuration mode User Guidelines Use this command when you want to manually specify SSH client’s public keys. Example The following example enters the SSH Public Key-chain Configuration mode and manually configures the RSA key pair for SSH public key-chain to the user ‘bob’.
  • Page 235: User-Key

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands 14.7 user-key The user-key SSH Public Key-string Configuration mode command associates a username with a manually-configured SSH public key. Use the no user-key command to remove an SSH user and the associated public key.
  • Page 236: Key-String

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl 14.8 key-string The key-string SSH Public Key-string Configuration mode command manually specifies an SSH public key. Syntax [row key-string key-string Parameters • row—Specifies the SSH public key row by row. The maximum length of a row is 160 characters.
  • Page 237: Show Ip Ssh

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands switchxxxxxx(config-pubkey-chain)# user-key switchxxxxxx(config-pubkey-key)# key-string AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ+ ZNXfZSkvHG+QusIZ/76ILmFT34v7u7ChFAE+ Vu4GRfpSwoQUvV35LqJJk67IOU/zfwOl1g kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq muSn/Wd05iDX2IExQWu08licglk02LYciz +Z4TrEU/9FJxwPiVQOjc+KBXuR0juNg5nFYsY 0ZCk0N/W9a/tnkm1shRE7Di71+w3fNiOA 6w9o44t6+AINEICBCCA4YcF6zMzaT1wefWwX6f+ Rmt5nhhqdAtN/4oJfce166DqVX1gWmN zNR4DYDvSzg0lDnwCAC8Qh Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9 switchxxxxxx(config)# crypto key pubkey-chain ssh switchxxxxxx(config-pubkey-chain)# user-key switchxxxxxx(config-pubkey-key)# key-string row AAAAB3Nza switchxxxxxx(config-pubkey-key)# C1yc2 key-string row 14.9 show ip ssh The show ip ssh Privileged EXEC mode command displays the SSH server...
  • Page 238: Show Crypto Key Pubkey-Chain Ssh

    Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands Example The following example displays the SSH server configuration. switchxxxxxx# show ip ssh SSH server enabled. Port: 22 RSA key was generated. DSA (DSS) key was generated. SSH Public Key Authentication is enabled with auto-login. SSH Password Authentication is enabled.
  • Page 239 Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands Parameters • username username —Specifies the remote SSH client username. (Length: 1–48 characters) • fingerprint {bubble-babble | hex}—Specifies the fingerprint display format. The possible values are: bubble-babble—Specifies that the fingerprint is displayed in Bubble Babble format.
  • Page 240: Line Commands

    Line Commands 15.1 line The line Global Configuration mode command identifies a specific line for configuration and enters the Line Configuration command mode. Syntax {console | telnet | ssh} line Parameters • console—Enters the terminal line mode. • telnet—Configures the device as a virtual terminal for remote access (Telnet).
  • Page 241: Autobaud

    Line Commands Syntax speed no speed Parameters bps—Specifies the baud rate in bits per second (bps). Possible values are 4800, 9600, 19200, 38400, 57600, and 115200. Default Configuration The default speed is 115200 bps. Command Mode Line Configuration mode User Guidelines The configured speed is only applied when autobaud is disabled.
  • Page 242: Exec-Timeout

    Line Commands Command Mode Line Configuration mode User Guidelines When this command is enabled, it is activated as follows: connect the console to the device and press the Enter key twice. The device detects the baud rate automatically. Example The following example enables autobaud. switchxxxxxx(config)# line console switchxxxxxx(config-line)#...
  • Page 243: Show Line

    Line Commands Example The following example sets the telnet session idle time interval before automatic logoff to 20 minutes and 10 seconds. switchxxxxxx(config)# line telnet switchxxxxxx(config-line)# exec-timeout 20 10 15.5 show line The show line EXEC mode command displays line parameters. Syntax | telnet | ssh] show line...
  • Page 244 Line Commands Databits: 8 Parity: none Stopbits: 1 Telnet configuration: Telnet is enabled. Interactive timeout: 10 minutes 10 seconds History: 10 SSH configuration: SSH is enabled. Interactive timeout: 10 minutes 10 seconds History: 10
  • Page 245: Bonjour Commands

    Bonjour Commands 16.1 bonjour enable Use the bonjour enable Global Configuration mode command to enable Bonjour globally. Use the no format of the command to disable globally. Syntax bonjour enable no bonjour enable. Default Configuration Enable Command Mode Global Configuration mode Examples switchxxxxxx (config)# bonjour enable...
  • Page 246: Show Bonjour

    Bonjour Commands • VLAN Default Configuration The list is empty. Command Mode Global Configuration mode User Guidelines This command can only be used if the device is in Layer 3 (router) mode. Examples switchxxxxxx (config)# bonjour interface range gi1-3 16.3 show bonjour Use the show bonjour Privileged EXEC mode command to display Bonjour information...
  • Page 247 Bonjour Commands Examples Layer 2: # show bonjour switchxxxxxx Bonjour status: enabled L2 interface status: Up IP Address: 10.5.226.46 Service Admin Status Oper Status ------- ------------ -------------- csco-sb enabled enabled http enabled enabled https enabled disabled enabled disabled telnet enabled disabled Layer 3: # show bonjour...
  • Page 248: Authentication, Authorization And Accounting (Aaa) Commands

    Authentication, Authorization and Accounting (AAA) Commands 17.1 aaa authentication login Use the aaa authentication login Global Configuration mode command to set one or more authentication methods to be applied during login. A list of authentication methods may be assigned a list name, and this list name can be used in authentication enable.
  • Page 249: Aaa Authentication Enable

    Authentication, Authorization and Accounting (AAA) Commands radius Uses the list of all RADIUS servers for authentication. tacacs Uses the list of all TACACS+ servers for authentication. Default Configuration If no methods are specified, the defaults are the locally-defined users and passwords.
  • Page 250 Authentication, Authorization and Accounting (AAA) Commands logons with a lower privilege level, must pass these authentication methods to access a higher level. To restore the default authentication method, use the no form of this command. Syntax | list-name method method2 aaa authentication enable {default ...]} | list-name...
  • Page 251: Login Authentication

    Authentication, Authorization and Accounting (AAA) Commands Command Mode Global Configuration mode User Guidelines Create a list by entering the aaa authentication enable list-name method1 [method2...] command where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.
  • Page 252: Enable Authentication

    Authentication, Authorization and Accounting (AAA) Commands no login authentication Parameters • default—Uses the default list created with the aaa authentication login command. • list-name—Uses the specified list created with aaa authentication login. Default Configuration The default is the aaa authentication login command default.
  • Page 253: Ip Http Authentication

    Authentication, Authorization and Accounting (AAA) Commands Syntax enable authentication {default | list-name} no enable authentication Parameters • default—Uses the default list created with the aaa authentication enable command. • list-name—Uses the specified list created with the aaa authentication enable command. Default Configuration The default is the aaa authentication enable...
  • Page 254 Authentication, Authorization and Accounting (AAA) Commands Syntax ip http authentication aaa login-authentication method1 [method2...] no ip http authentication aaa login-authentication Parameters method [method2...]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails.
  • Page 255: Show Authentication Methods

    Authentication, Authorization and Accounting (AAA) Commands 17.6 show authentication methods The show authentication methods Privileged EXEC mode command displays information about the authentication methods. Syntax show authentication methods Parameters Default Configuration Command Mode Privileged EXEC mode Example The following example displays the authentication configuration. switchxxxxxx # show authentication methods Login Authentication Method Lists...
  • Page 256: Password

    Authentication, Authorization and Accounting (AAA) Commands 17.7 password Use the password Line Configuration mode command to specify a password on a line (also known as an access method, such as a console or Telnet). Use the no form of this command to return to the default password. Syntax password [encrypted] password...
  • Page 257 Authentication, Authorization and Accounting (AAA) Commands If the administrator wants to manually copy a password that was configured on one switch (for instance, switch B) to another switch (for instance, switch A), the administrator must add encrypted in front of this encrypted password when entering the enable command in switch A.
  • Page 258: Service Password-Recovery

    Authentication, Authorization and Accounting (AAA) Commands The second command sets a password that has already been encrypted. It will be copied to the configuration file just as it is entered. To use it, the user must know its unencrypted form. switchxxxxxx(config)# enable password level 7 let-me-in switchxxxxxx(config)# enable password level 15 encrypted...
  • Page 259: Username

    Authentication, Authorization and Accounting (AAA) Commands • If password recovery is disabled, the user can access the boot menu and trigger the password recovery in the boot menu. The configuration files and user files are removed. • If a device is configured to protect its sensitive data with a user-defined passphrase for (Secure Sensitive Data), then the user cannot trigger the password recovery from the boot menu even if password recovery is enabled.
  • Page 260: Show Users Accounts

    Authentication, Authorization and Accounting (AAA) Commands • privilege-level privilege —Privilege level for which the password applies. If not specified, the level is 15. (Range: 1–15). Default Configuration No user is defined. Command Mode Global Configuration mode Usage Guidelines See User (Privilege) Levels for an explanation of privilege levels.
  • Page 261: Aaa Accounting Login

    Authentication, Authorization and Accounting (AAA) Commands Parameters Default Configuration Command Mode Privileged EXEC mode Example The following example displays information about the users local database. switchxxxxxx # show users accounts Username Privilege -------- --------- Robert Smith The following table describes the significant fields shown in the display: Field Description Username...
  • Page 262 Authentication, Authorization and Accounting (AAA) Commands Parameters • radius—Uses a RADIUS server for accounting. • tacacs+—Uses a TACACS+ server for accounting. Default Configuration Disabled Command Mode Global Configuration mode User Guidelines This command enables the recording of device management sessions (Telnet, serial and WEB but not SNMP).
  • Page 263: Aaa Accounting Dot1X

    Authentication, Authorization and Accounting (AAA) Commands Name Description Sent in Sent in Start Stop Message Message Calling-Station-ID (31) The user IP address. Acct-Session-ID (44) A unique accounting identifier. Acct-Authentic (45) Indicates how the supplicant was authenticated. Acct-Session-Time (46) Indicates how long the user was logged in.
  • Page 264 Authentication, Authorization and Accounting (AAA) Commands Syntax aaa accounting dot1x start-stop group radius no aaa accounting dot1x Parameters Default Configuration Disabled Command Mode Global Configuration mode User Guidelines This command enables the recording of 802.1x sessions. If accounting is activated, the device sends “start”/“stop” messages to a Radius server when a user logs in / logs out to the network, respectively.
  • Page 265: Show Accounting

    Authentication, Authorization and Accounting (AAA) Commands NAS-IP-Address (4) The switch IP address that is used for the session with the Radius server. NAS-Port (5) The switch port from where the supplicant has logged in. Class (25) Arbitrary value is included in all accounting packets for a specific session.
  • Page 266: Passwords Complexity Enable

    Authentication, Authorization and Accounting (AAA) Commands Default Configuration Command Mode EXEC mode Example The following example displays information about the accounting status. switchxxxxxx# show accounting Login: TACACS+ 802.1x: Disabled 17.15 passwords complexity enable Use the passwords complexity enable Global Configuration mode command to enforce minimum password complexity.
  • Page 267 Authentication, Authorization and Accounting (AAA) Commands • Contains characters from at least 3 character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard). • Are different from the current password. • Contains no character that is repeated more than 3 times consecutively. •...
  • Page 268: Passwords Complexity

    Authentication, Authorization and Accounting (AAA) Commands 17.16 passwords complexity Use the passwords complexity Global Configuration mode commands to control the minimum requirements for a password when password complexity is enabled. Use the no form of these commands to return to the default.
  • Page 269: Passwords Aging

    Authentication, Authorization and Accounting (AAA) Commands • not-username—Specifies that the password cannot repeat or reverse the user name or any variant reached by changing the case of the characters. • not-manufacturer-name—Specifies that the password cannot repeat or reverse the manufacturer’s name or any variant reached by changing the case of the characters.
  • Page 270: Show Passwords Configuration

    Authentication, Authorization and Accounting (AAA) Commands Default Configuration Enabled and the number of days is 180. Command Mode Global Configuration mode User Guidelines Aging is relevant only to users of the local database with privilege level 15 and to the “enable” password of privilege level 15. To disable password aging, use passwords aging 0.
  • Page 271 Authentication, Authorization and Accounting (AAA) Commands switchxxxxxx#show passwords configuration Passwords aging is enabled with aging time 180 days. Passwords complexity is enabled with the following attributes: Minimal length: 3 characters Minimal classes: 3 New password must be different than the current: Enabled Maximum consecutive same characters: 3 New password must be different than the user name: Enabled New password must be different than the manufacturer name: Enabled...
  • Page 272: Radius Commands

    RADIUS Commands 18.1 radius-server host Use the radius-server host Global Configuration mode command to configure a RADIUS server host. Use the no form of the command to delete the specified RADIUS server host. Use the encrypted form of the command to enter a key in its encrypted form. Syntax radius-server host {ip-address | hostname} [auth-port auth-port-number]...
  • Page 273 RADIUS Commands • deadtime deadtime —Specifies the length of time in minutes during which a RADIUS server is skipped over by transaction requests. (Range: 0–2000) • key-string —Specifies the authentication and encryption key for all RADIUS communications between the device and the RADIUS server. This key must match the encryption used on the RADIUS daemon.
  • Page 274: Radius-Server Key

    RADIUS Commands If a parameter was not set in one of the above commands, the default for that command is used. For example, if a timeout value was not set in the current command or in radius-server timeout, the default timeout for radius-server timeout is used.
  • Page 275: Radius-Server Retransmit

    RADIUS Commands match the encryption used on the RADIUS daemon. (Range: 0–128 characters) • encrypted-key-string—Same as the key-string parameter, but the key is in encrypted form. Default Configuration The key-string is an empty string. Command Mode Global Configuration mode Example The following example defines the authentication and encryption key for all RADIUS communications between the device and the RADIUS daemon.
  • Page 276: Radius-Server Source-Ip

    RADIUS Commands Example The following example configures the number of times the software searches all RADIUS server hosts as 5. switchxxxxxx(config)# radius-server retransmit 5 18.4 radius-server source-ip Use the radius-server source-ip Global Configuration mode command to specify the source IP address used for communication with RADIUS servers. Use the no form of this command to restore the default configuration.
  • Page 277: Radius-Server Source-Ipv6

    RADIUS Commands 18.5 radius-server source-ipv6 Use the radius-server source-ipv6 Global Configuration mode command to specify the source IPv6 address used for communication with RADIUS servers. Use the no form of this command to restore the default configuration. Syntax radius-server source-ipv6 {source} no radius-server source-ipv6 {source} Parameters...
  • Page 278: Radius-Server Deadtime

    RADIUS Commands Syntax radius-server timeout timeout-seconds no radius-server timeout Parameters timeout timeout-seconds—Specifies the timeout value in seconds. (Range: 1–30) Default Configuration The default timeout value is 3 seconds. Command Mode Global Configuration mode Example The following example sets the timeout interval on all RADIUS servers to 5 seconds.
  • Page 279: Show Radius-Servers

    RADIUS Commands Command Mode Global Configuration mode Example The following example sets all RADIUS server deadtimes to 10 minutes. switchxxxxxx(config)# radius-server deadtime 10 18.8 show radius-servers Use the show radius-servers Privileged EXEC mode command to display the RADIUS server settings. Syntax show radius-servers Command Mode Privileged EXEC mode...
  • Page 280: Show Radius-Servers Key

    RADIUS Commands 18.9 show radius-servers key Use the show radius-servers key Privileged EXEC mode command to display the RADIUS server key settings. Syntax show radius-servers key Command Mode Privileged EXEC mode Example The following example displays RADIUS server key settings. switchxxxxxx# show radius-servers key IP address Key (Encrypted)
  • Page 281: Tacacs+ Commands

    TACACS+ Commands 19.1 tacacs-server host Use the tacacs-server host Global Configuration mode command to specify a TACACS+ host. Use the no form of this command to delete the specified TACACS+ host. Syntax tacacs-server host {ip-address | hostname} [single-connection] [port port-number] [timeout timeout] [key key-string] [source {source-ip}] [priority priority] ip-address hostname...
  • Page 282: Tacacs-Server Key

    TACACS+ Commands • encrypted-key-string —Same as key-string, but the key is in encrypted format. • source-ip source —Specifies the source IPv4 or IPv6 address to use for communication. 0.0.0.0 is interpreted as a request to use the IP address of the outgoing IP interface.
  • Page 283: Tacacs-Server Timeout

    TACACS+ Commands device and the TACACS+ daemon. Use the no form of this command to disable the key. Syntax tacacs-server key key-string encrypted tacacs-server key encrypted-key-string no tacacs-server key Parameters • key-string—Specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the encryption used on the TACACS+ daemon.
  • Page 284: Tacacs-Server Source-Ip

    TACACS+ Commands no tacacs-server timeout Parameters timeout—Specifies the timeout value in seconds. (Range: 1-30) Default Configuration The default timeout value is 5 seconds. Command Mode Global Configuration mode Example The following example sets the timeout value to 30 for all TACACS+ servers. switchxxxxxx(config)# tacacs-server timeout 30 19.4...
  • Page 285: Tacacs-Server Source-Ipv6

    TACACS+ Commands User Guidelines If the configured IP source address has no available IP interface, an error message is issued when attempting to communicate with the IP address. Example The following example specifies the source IP address for all TACACS+ servers. switchxxxxxx(config)# tacacs-server source-ip 172.16.8.1...
  • Page 286: Show Tacacs

    TACACS+ Commands Example The following example specifies the source IP address for all TACACS+ servers. switchxxxxxx(config)# tacacs-server source-ipv6 3ffe:1900:4545:3:200:f8ff:fe21:67cf 19.6 show tacacs Use the show tacacs Privileged EXEC mode command to display configuration and statistical information for a TACACS+ server. Syntax show tacacs [ ip-address...
  • Page 287: Show Tacacs Key

    TACACS+ Commands 19.7 show tacacs key Use the show tacacs key Privileged EXEC mode command to display the configured key of the TACACS+ server. Syntax show tacacs key [ip-address] Parameters ip-address—Specifies the TACACS+ server name or IP address. Default Configuration If ip-address is not specified, information for all TACACS+ servers is displayed.
  • Page 288: Syslog Commands

    Syslog Commands 20.1 logging on Use the logging on Global Configuration mode command to control error message logging. This command sends debug or error messages asynchronously to designated locations. Use the no form of this command to disable the logging. Syntax logging on no logging on...
  • Page 289: Logging Host

    Syslog Commands 20.2 logging host Use the logging host Global Configuration command to log messages to the specified SYSLOG server. Use the no form of this command to delete the SYSLOG server with the specified address from the list of SYSLOG servers. Syntax logging host {ip-address | ipv6-address | hostname} [port port] [severity level]...
  • Page 290: Logging Console

    Syslog Commands User Guidelines You can use multiple SYSLOG servers. Examples switchxxxxxx(config)# logging host 1.1.1.121 switchxxxxxx(config)# logging host 3000::100/SYSLOG1 20.3 logging console Use the logging console Global Configuration mode command to limit messages logged to the console to messages with a specific severity level. Use the no form of this command to restore the default.
  • Page 291: Logging Buffered

    Syslog Commands 20.4 logging buffered Use the logging buffered Global Configuration mode command to limit the SYSLOG message display to messages with a specific severity level, and to define the buffer size (number of messages that can be stored). Use the no form of this command to cancel displaying the SYSLOG messages, and to return the buffer size to default.
  • Page 292: Clear Logging

    Syslog Commands switchxxxxxx(config)# logging buffered debugging switchxxxxxx(config)# logging buffered 100 7 20.5 clear logging Use the clear logging Privileged EXEC mode command to clear messages from the internal logging buffer. Syntax clear logging Parameters Default Configuration Command Mode Privileged EXEC mode Example The following example clears messages from the internal logging buffer.
  • Page 293: Clear Logging File

    Syslog Commands Parameters level—Specifies the severity level of SYSLOG messages sent to the logging file. The possible values are: emergencies, alerts, critical, errors, warnings, notifications, informational and debugging. Default Configuration The default severity level is errors. Command Mode Global Configuration mode Example The following example limits SYSLOG messages sent to the logging file to messages with severity level alerts.
  • Page 294: Aaa Logging

    Syslog Commands Example The following example clears messages from the logging file. switchxxxxxx# clear logging file Clear Logging File [y/n] 20.8 aaa logging Use the aaa logging Global Configuration mode command to enable logging of the logins of authenticated users. Use the no form of this command to disable logging of authenticated users.
  • Page 295: File-System Logging

    Syslog Commands 20.9 file-system logging Use the file-system logging Global Configuration mode command to enable logging file system events. Use the no form of this command to disable logging file system events. Syntax file-system logging {copy | delete-rename} no file-system logging {copy | delete-rename} Parameters •...
  • Page 296: Logging Aggregation Aging-Time

    Syslog Commands no logging aggregation on Parameters Default Configuration Enabled. Command Mode Global Configuration mode Example To turn off aggregation of SYSLOG messages: switchxxxxxx(config)# no logging aggregation on 20.11 logging aggregation aging-time Use the logging aggregation aging-time Global Configuration mode command to configure the aging time of the aggregated SYSLOG messages.
  • Page 297: Logging Origin-Id

    Syslog Commands Example switchxxxxxx(config)# logging aggregation aging-time 300 20.12 logging origin-id Use the logging origin-id Global Configuration mode command to configure the origin field of the SYSLOG message packet headers sent to the SYSLOG server. Use the no form of this command to return to the default. Syntax hostname IPv6...
  • Page 298: Show Logging

    Syslog Commands 20.13 show logging Use the show logging Privileged EXEC mode command to display the logging status and SYSLOG messages stored in the internal buffer. Syntax show logging Parameters Default Configuration Command Mode Privileged EXEC mode Example The following example displays the logging status and the SYSLOG messages stored in the internal buffer.
  • Page 299: Show Logging File

    Syslog Commands Management ACL Deny Enabled Aggregation: Disabled. Aggregation aging time: 300 Sec 01-Jan-2010 05:29:46 :%INIT-I-Startup: Warm Startup 01-Jan-2010 05:29:02 :%LINK-I-Up: Vlan 1 01-Jan-2010 05:29:02 :%LINK-I-Up: SYSLOG6 01-Jan-2010 05:29:02 :%LINK-I-Up: SYSLOG7 01-Jan-2010 05:29:00 :%LINK-W-Down: SYSLOG8 20.14 show logging file Use the show logging file Privileged EXEC mode command to display the logging status and the SYSLOG messages stored in the logging file.
  • Page 300: Show Syslog-Servers

    Syslog Commands File Logging: Level error. File Messages: 898 Logged, 64 Dropped. 4 messages were not logged Application filtering control Application Event Status ----------------- ---------------- --------- Login Enabled File system Copy Enabled File system Delete-Rename Enabled Management ACL Deny Enabled Aggregation: Disabled.
  • Page 301 Syslog Commands Default Configuration Command Mode Privileged EXEC mode Example The following example provides information about the SYSLOG servers. switchxxxxxx# show syslog-servers Device Configuration IP address Port Facility Severity Description ------------- ---- --------- -------- -------------- 1.1.1.121 local7 info 3000::100 local7 info...
  • Page 302: Remote Network Monitoring (Rmon) Commands

    Remote Network Monitoring (RMON) Commands 21.1 show rmon statistics Use the show rmon statistics EXEC mode command to display RMON Ethernet statistics. Syntax show rmon statistics {interface-id} Parameters interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel.
  • Page 303 Remote Network Monitoring (RMON) Commands The following table describes the significant fields displayed. Field Description Dropped Total number of events in which packets were dropped by the probe due to lack of resources. Note that this number is not necessarily the number of packets dropped.
  • Page 304: Rmon Collection Stats

    Remote Network Monitoring (RMON) Commands Field Description Jabbers Total number of packets received, longer than 1518 octets (excluding framing bits, but including FCS octets), and either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
  • Page 305: Show Rmon Collection Stats

    Remote Network Monitoring (RMON) Commands Parameters • index—The requested group of statistics index. (Range: 1–65535) • ownername owner —Records the name of the owner of the RMON group of statistics. If unspecified, the name is an empty string. (Range: Valid string) •...
  • Page 306: Show Rmon History

    Remote Network Monitoring (RMON) Commands Example The following example displays all RMON history group statistics. switchxxxxxx# show rmon collection stats Index Interface Interval Requested Granted Owner Samples Samples ----- -------- --------- ------- ------- --------- 1800 Manager The following table describes the significant fields shown in the display. Field Description Index...
  • Page 307 Remote Network Monitoring (RMON) Commands • seconds period —Specifies the period of time in seconds to display. (Range: 1–2147483647) Command Mode EXEC mode Example The following examples display RMON Ethernet history statistics for index 1 switchxxxxxx# show rmon history 1 throughput Sample Set: 1 Owner: CLI Interface:...
  • Page 308 Remote Network Monitoring (RMON) Commands switchxxxxxx# show rmon history other Sample Set: 1 Owner: Me Interface: gi1 Interval: 1800 Requested samples: 50 Granted samples: 50 Maximum table size: 500 Time Dropped Collisions -------------------- ------ ---------- Jan 18 2005 21:57:00 Jan 18 2005 21:57:30 The following table describes significant fields shown in the display: Field Description...
  • Page 309: Rmon Alarm

    Remote Network Monitoring (RMON) Commands Field Description Oversize Number of packets received during this sampling interval that were longer than 1518 octets (excluding framing bits but including FCS octets) but were otherwise well formed. Fragments Total number of packets received during this sampling interval that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad Frame Check Sequence...
  • Page 310 Remote Network Monitoring (RMON) Commands • mib-object-id—Specifies the object identifier of the variable to be sampled. (Valid OID) • interval—Specifies the interval in seconds during which the data is sampled and compared with rising and falling thresholds. (Range: 1–4294967295) • rising-threshold—Specifies the rising threshold value.
  • Page 311: Show Rmon Alarm-Table

    Remote Network Monitoring (RMON) Commands Default Configuration The default method type is absolute. The default startup direction is rising-falling. If the owner name is not specified, it defaults to an empty string. Command Mode Global Configuration mode Example The following example configures an alarm with index 1000, MIB object ID D-Link, sampling interval 360000 seconds (100 hours), rising threshold value 1000000, falling threshold value 1000000, rising threshold event index 10, falling threshold event index 10, absolute method type and rising-falling alarm.
  • Page 312: Show Rmon Alarm

    Remote Network Monitoring (RMON) Commands Example The following example displays the alarms table. switchxxxxxx# show rmon alarm-table Index Owner ----- ---------------------- ------- 1.3.6.1.2.1.2.2.1.10.1 1.3.6.1.2.1.2.2.1.10.1 Manager 1.3.6.1.2.1.2.2.1.10.9 The following table describes the significant fields shown in the display: Field Description Index An index that uniquely identifies the entry.
  • Page 313 Remote Network Monitoring (RMON) Commands ------- OID: 1.3.6.1.2.1.2.2.1.10.1 Last sample Value: 878128 Interval: 30 Sample Type: delta Startup Alarm: rising Rising Threshold: 8700000 Falling Threshold: 78 Rising Event: 1 Falling Event: 1 Owner: CLI The following table describes the significant fields shown in the display: Field Description Alarm...
  • Page 314: Rmon Event

    Remote Network Monitoring (RMON) Commands Field Description Startup Alarm Alarm that is sent when this entry is first set. If the first sample is greater than or equal to the rising threshold, and startup alarm is equal to rising or rising-falling, then a single rising alarm is generated.
  • Page 315: Show Rmon Events

    Remote Network Monitoring (RMON) Commands • log—Specifies that a notification entry is generated in the log table by the device for this event. • trap—Specifies that an SNMP trap is sent to one or more management stations by the device for this event. •...
  • Page 316: Show Rmon Log

    Remote Network Monitoring (RMON) Commands Command Mode EXEC mode Example The following example displays the RMON event table. switchxxxxxx# show rmon events Index Description Type Community Owner Last time sent ----- ----------- ------ --------- ------ ------------------ Errors router Jan 18 2006 23:58:17 High Manager Jan 18 2006 23:59:48...
  • Page 317: Rmon Table-Size

    Remote Network Monitoring (RMON) Commands Parameters event—Specifies the event index. (Range: 0–65535) Command Mode EXEC mode Example The following example displays event 1 in the RMON log table. switchxxxxxx# show rmon log 1 Maximum table size: 500 (800 after reset) Event Description Time...
  • Page 318 Remote Network Monitoring (RMON) Commands Default Configuration The default history table size is 270 entries. The default log table size is 200 entries. Command Mode Global Configuration mode User Guidelines The configured table size takes effect after the device is rebooted. Example The following example configures the maximum size of RMON history tables to 100 entries.
  • Page 319: Commands

    802.1X Commands 22.1 aaa authentication dot1x Use the aaa authentication dot1x Global Configuration mode command to specify how ports are authenticated when 802.1X is enabled. You can select either authentication by a RADIUS server, no authentication, or both methods. Use the no form of this command to restore the default configuration.
  • Page 320: Dot1X System-Auth-Control

    802.1X Commands Example The following example sets the 802.1X authentication mode to RADIUS server authentication. If no response is received, no authentication is performed. switchxxxxxx(config)# aaa authentication dot1x default radius none 22.2 dot1x system-auth-control Use the dot1x system-auth-control Global Configuration mode command to enable 802.1X globally.
  • Page 321 802.1X Commands Syntax dot1x port-control {auto | force-authorized | force-unauthorized} [time-range time-range-name] no dot1x port-control Parameters • auto—Enables 802.1X authentication on the port and causes it to transition to the authorized or unauthorized state, based on the 802.1X authentication exchange between the device and the client.
  • Page 322: Dot1X Reauthentication

    802.1X Commands switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# dot1x port-control auto 22.4 dot1x reauthentication Use the dot1x reauthentication Interface Configuration mode command to enable periodic re-authentication of the client. Use the no form of this command to return to the default setting. Syntax dot1x reauthentication no dot1x reauthentication...
  • Page 323: Dot1X Re-Authenticate

    802.1X Commands Parameters reauth-period seconds—Number of seconds between re-authentication attempts. (Range: 300-4294967295) Default Configuration 3600 Command Mode Interface Configuration (Ethernet) mode Example switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# dot1x timeout reauth-period 5000 22.6 dot1x re-authenticate The dot1x re-authenticate Privileged EXEC mode command manually initiates re-authentication of all 802.1X-enabled ports or the specified 802.1X-enabled port.
  • Page 324: Dot1X Timeout Quiet-Period

    802.1X Commands Example The following command manually initiates re-authentication of 802.1X-enabled gi15. switchxxxxxx# dot1x re-authenticate gi15 22.7 dot1x timeout quiet-period Use the dot1x timeout quiet-period Interface Configuration (Ethernet) mode command to set the time interval that the device remains in a quiet state following a failed authentication exchange (for example, the client provided an invalid password).
  • Page 325: Dot1X Timeout Tx-Period

    802.1X Commands Example The following example sets the time interval that the device remains in the quiet state following a failed authentication exchange to 10 seconds. switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# dot1x timeout quiet-period 10 22.8 dot1x timeout tx-period Use the dot1x timeout tx-period Interface Configuration (Ethernet) mode command to set the time interval during which the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the client before resending the request.
  • Page 326: Dot1X Max-Req

    802.1X Commands Example The following command sets the time interval during which the device waits for a response to an EAP request/identity frame to 60 seconds. switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# dot1x timeout tx-period 60 22.9 dot1x max-req Use the dot1x max-req Interface Configuration mode command to set the maximum number of times that the device sends an Extensible Authentication Protocol (EAP) request/identity frame (assuming that no response is received) to the client before restarting the authentication process.
  • Page 327: Dot1X Timeout Supp-Timeout

    802.1X Commands Example The following example sets the maximum number of times that the device sends an EAP request/identity frame to 6. switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# dot1x max-req 6 22.10 dot1x timeout supp-timeout Use the dot1x timeout supp-timeout Interface Configuration (Ethernet) mode command to set the time interval during which the device waits for a response to an Extensible Authentication Protocol (EAP) request frame from the client before resending the request.
  • Page 328: Dot1X Timeout Server-Timeout

    802.1X Commands Example The following example sets the time interval during which the device waits for a response to an EAP request frame from the client before resending the request to 3600 seconds. switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# dot1x timeout supp-timeout 3600 22.11 dot1x timeout server-timeout Use the dot1x timeout server-timeout Interface Configuration (Ethernet) mode...
  • Page 329: Show Dot1X

    802.1X Commands Example The following example sets the time interval between retransmission of packets to the authentication server to 3600 seconds. switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# dot1x timeout server-timeout 3600 22.12 show dot1x Use the show dot1x Privileged EXEC mode command to display the 802.1X interfaces or specified interface status.
  • Page 330: Ethernet Ports

    802.1X Commands Examples Example 1 - The following example displays the status of a single 802.1X-enabled Ethernet port. switchxxxxxx# show dot1x interface 802.1X is enabled. Port Admin Oper Reauth Reauth Username Mode Mode Control Period ---- ---------- ------------ ------- ------ --------...
  • Page 331 802.1X Commands Port Admin Oper Reauth Reauth Username Mode Mode Control Period ---- ---------- ------------ ------- ------ -------- Auto Authorized 3600 Auto Authorized 3600 John Auto Unauthorized 3600 Clark Force-auth Authorized 3600 Force-auth Unauthorized 3600 * Port is down or not present. The following table describes the significant fields shown in the display.
  • Page 332: Show Dot1X Users

    802.1X Commands Field Description Server timeout Number of seconds that the device waits for a response from the authentication server before resending the request. Session Time Amount of time (HH:MM:SS) that the user is logged in. MAC address Supplicant MAC address.
  • Page 333: Show Dot1X Statistics

    802.1X Commands Example The following example displays 802.1X user with supplicant username Bob. switchxxxxxx# show dot1x users username Bob Port Username Session Auth VLAN Time Method Address --------- ------------------------------ ----------- ---- 1d 09:07:38 Remote 0008.3b79.8787 22.14 show dot1x statistics Use the show dot1x statistics Privileged EXEC mode command to display 802.1X statistics for the specified port.
  • Page 334 802.1X Commands EapolRespFramesRx: 6 EapolReqIdFramesTx: 3 EapolReqFramesTx: 6 InvalidEapolFramesRx: 0 EapLengthErrorFramesRx: 0 LastEapolFrameVersion: 1 LastEapolFrameSource: 00:08:78:32:98:78 The following table describes the significant fields shown in the display: Field Description EapolFramesRx Number of valid EAPOL frames of any type that have been received by this Authenticator.
  • Page 335: Clear Dot1X Statistics

    802.1X Commands Field Description EapLengthErrorFramesR Number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid. LastEapolFrameVersion Protocol version number carried in the most recently received EAPOL frame. LastEapolFrameSource Source MAC address carried in the most recently received EAPOL frame.
  • Page 336: Dot1X Host-Mode

    802.1X Commands 22.16 dot1x host-mode Use the dot1x host-mode Interface Configuration mode command to allow a single host (client) or multiple hosts on an IEEE 802.1X-authorized port. Use the no form of this command to return to the default setting. Syntax dot1x host-mode {multi-host | single-host | multi-sessions}...
  • Page 337: Dot1X Auth-Not-Req

    802.1X Commands switchxxxxxx(config-if)# dot1x host-mode multi-host switchxxxxxx(config-if)# dot1x host-mode single-host switchxxxxxx(config-if)# dot1x host-mode multi-sessions 22.17 dot1x auth-not-req Use the dot1x auth-not-req Interface Configuration (VLAN) mode command to allow unauthorized devices access to the VLAN. Use the no form of this command to disable access to the VLAN.
  • Page 338: Dot1X Violation-Mode

    802.1X Commands 22.18 dot1x violation-mode Use the dot1x violation-mode Interface Configuration (Ethernet) mode command to configure the action to be taken when a station whose MAC address is not the supplicant MAC address attempts to access the interface. Use the no form of this command to return to default.
  • Page 339: Dot1X Guest-Vlan

    802.1X Commands Example switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# dot1x violation-mode protect 22.19 dot1x guest-vlan Use the dot1x guest-vlan Interface Configuration (VLAN) mode command to define a guest VLAN. Use the no form of this command to restore the default configuration.
  • Page 340: Dot1X Guest-Vlan Timeout

    802.1X Commands switchxxxxxx(config-if)# dot1x guest-vlan 22.20 dot1x guest-vlan timeout Use the dot1x guest-vlan timeout Global Configuration mode command to set the time delay between enabling 802.1X (or port up) and adding a port to the guest VLAN. Use the no form of this command to restore the default configuration. Syntax dot1x guest-vlan timeout timeout...
  • Page 341: Dot1X Guest-Vlan Enable

    802.1X Commands 22.21 dot1x guest-vlan enable Use the dot1x guest-vlan enable Interface Configuration (Ethernet) mode command to allow unauthorized users on the interface to access the guest VLAN. Use the no form of this command to disable access. Syntax dot1x guest-vlan enable no dot1x guest-vlan enable...
  • Page 342: Dot1X Radius-Attributes Vlan

    802.1X Commands Syntax dot1x mac-authentication {mac-only | mac-and-802.1x} no dot1x mac-authentication Parameters • mac-only—Enables authentication based on the station's MAC address only. 802.1X frames are ignored. • mac-and-802.1x—Enables 802.1X authentication and MAC address authentication on the interface. Default Configuration Authentication based on the station's MAC address is disabled.
  • Page 343 802.1X Commands Use the no form of this command to disable user-based VLAN assignment. Syntax dot1x radius-attributes vlan [reject | vlan-id] no dot1x radius-attributes vlan Parameters • reject—If the RADIUS server authenticated the supplicant, but did not provide a supplicant VLAN, the supplicant is rejected. If the parameter is omitted, this option is applied by default.
  • Page 344: Show Dot1X Advanced

    802.1X Commands Example Example 1—The example enables user-based VLAN assignment. If the RADIUS server authenticated the supplicant but did not provide a supplicant VLAN, the supplicant is rejected. switchxxxxxx(config)# interface 151 switchxxxxxx(config-if)# dot1x radius-attributes vlan switchxxxxxx(config-if)# exit Example 2—The example enables user-based VLAN assignment. If the RADIUS server authenticated the supplicant but did not provide a supplicant VLAN, the supplicant is accepted and VLAN 100 is assigned to the supplicant.
  • Page 345 802.1X Commands Command Mode Privileged EXEC mode Examples The following example displays the 802.1x advanced features for the device. Notice that port 3 has a user-defined alternative VLAN (1023). switchxxxxxx# show dot1x advanced Guest VLAN: 3978 Guest VLAN Timeout: Unauthenticated VLANs: 91, 92 Interface Multiple Guest VLAN...
  • Page 346: Ethernet Configuration Commands

    Ethernet Configuration Commands 23.1 interface Use the interface Global Configuration mode command to enter Interface configuration mode in order to configure an interface. Syntax interface interface-id Parameters interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port, Port-channel, VLAN, range, IP interface or tunnel. Default Configuration Command Mode Interface Configuration (Ethernet, Port-channel, VLAN, range, IP interface or tunnel)
  • Page 347: Interface Range

    Ethernet Configuration Commands 23.2 interface range Use the interface range command to execute a command on multiple ports at the same time. Syntax interface range interface-id-list Parameters interface-id-list—Specify list of interface IDs. The interface ID can be one of the following types: Ethernet port, VLAN, or Port-channel Default Configuration Command Mode...
  • Page 348: Operation Time

    Ethernet Configuration Commands Parameters Default Configuration The interface is enabled. Command Mode Interface Configuration (Ethernet, Port-channel) mode Examples Example 1 - The following example disables gi5 operations. switchxxxxxx(config)# interface gi5 switchxxxxxx(config-if)# shutdown switchxxxxxx(config-if)# Example 2 - The following example restarts the disabled Ethernet port. switchxxxxxx(config)# interface gi5...
  • Page 349: Description

    Ethernet Configuration Commands Parameters • time-range-name—Specifies a time range the port operates (in up state). When the Time Range is not in effect, the port is shutdown. (Range: 1–32 characters) Default Configuration There is no time range configured on the port authorized state. Command Mode Interface Configuration (Ethernet) mode User Guidelines...
  • Page 350: Speed

    Ethernet Configuration Commands Parameters string—Specifies a comment or a description of the port to assist the user. (Length: 1–64 characters). Default Configuration The interface does not have a description. Command Mode Interface Configuration (Ethernet, Port-channel) mode Example The following example adds the description ‘SW#3’ to gi5. switchxxxxxx(config)# interface gi5...
  • Page 351: Duplex

    Ethernet Configuration Commands Command Mode Interface Configuration (Ethernet, Port-channel) mode User Guidelines The no speed command in a port-channel context returns each port in the port-channel to its maximum capability. Example The following example configures the speed of gi5 to 100 Mbps operation. switchxxxxxx(config)# interface gi5...
  • Page 352: Negotiation

    Ethernet Configuration Commands Example The following example configures gi5 to operate in full duplex mode. switchxxxxxx(config)# interface gi5 switchxxxxxx(config-if)# duplex full 23.8 negotiation Use the negotiation Interface Configuration (Ethernet, Port-channel) mode command to enable auto-negotiation operation for the speed and duplex parameters and master-slave mode of a given interface.
  • Page 353: Flowcontrol

    Ethernet Configuration Commands Command Mode Interface Configuration (Ethernet, Port-channel) mode Example The following example enables auto-negotiation on gi5. switchxxxxxx(config)# interface gi5 switchxxxxxx(config-if)# negotiation 23.9 flowcontrol Use the flowcontrol Interface Configuration (Ethernet, Port-channel) mode command to configure the Flow Control on a given interface. Use the no form of this command to disable Flow Control.
  • Page 354: Mdix

    Ethernet Configuration Commands Example The following example enables Flow Control on port switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# flowcontrol on 23.10 mdix Use the mdix Interface Configuration (Ethernet) mode command to enable cable crossover on a given interface. Use the no form of this command to disable cable crossover.
  • Page 355: Back-Pressure

    Ethernet Configuration Commands 23.11 back-pressure Use the back-pressure Interface Configuration (Ethernet) mode command to enable back pressure on a specific interface. Use the no form of this command to disable back pressure. Syntax back-pressure no back-pressure Default Configuration Back pressure is disabled. Command Mode Interface Configuration (Ethernet) mode User Guidelines...
  • Page 356: Clear Counters

    Ethernet Configuration Commands Default Configuration Jumbo frames are disabled on the device. Command Mode Global Configuration mode User Guidelines This command takes effect only after resetting the device. Example The following example enables jumbo frames on the device. switchxxxxxx(config)# port jumbo-frame 23.13 clear counters Use the clear counters EXEC mode command to clear counters on all or on a...
  • Page 357: Set Interface Active

    Ethernet Configuration Commands switchxxxxxx clear counters gi5. 23.14 set interface active Use the set interface active EXEC mode command to reactivate an interface that was shut down. Syntax set interface active {interface-id} Parameters interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel.
  • Page 358: Show Interfaces Status

    Ethernet Configuration Commands • detailed—Displays information for non-present ports in addition to present ports. Default Configuration Display all interfaces. If detailed is not used, only present ports are displayed. Command Mode EXEC mode Example The following example displays the configuration of all configured interfaces: switchxxxxxx# show interfaces configuration Flow Admin...
  • Page 359: Show Interfaces Advertise

    Ethernet Configuration Commands • detailed—Displays information for non-present ports in addition to present ports. Command Mode EXEC mode Default Configuration Display for all interfaces. If detailed is not used, only present ports are displayed. Example The following example displays the status of all configured interfaces. switchxxxxxx# show interfaces status Flow Link...
  • Page 360 Ethernet Configuration Commands • detailed—Displays information for non-present ports in addition to present ports. Default Configuration Display for all interfaces. If detailed is not used, only present ports are displayed. Command Mode EXEC mode Examples The following examples display auto-negotiation information switchxxxxxx# show interfaces advertise Port Type...
  • Page 361: Show Interfaces Description

    Ethernet Configuration Commands 23.18 show interfaces description Use the show interfaces description EXEC mode command to display the description for all configured interfaces or for a specific interface. Syntax show interfaces description [interface-id | detailed] Parameters • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel.
  • Page 362: Show Interfaces Counters

    Ethernet Configuration Commands 23.19 show interfaces counters Use the show interfaces counters EXEC mode command to display traffic seen by all the physical interfaces or by a specific interface. Syntax show interfaces counters [interface-id | detailed] Parameters • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel.
  • Page 363 Ethernet Configuration Commands Multiple Collision Frames: 0 SQE Test Errors: 0 Deferred Transmissions: 0 Late Collisions: 0 Excessive Collisions: 0 Carrier Sense Errors: 0 Oversize Packets: 0 Internal MAC Rx Errors: 0 Symbol Errors: 0 Received Pause Frames: 0 Transmitted Pause Frames: 0 78-21075-01 Command Line Interface Reference Guide...
  • Page 364 Ethernet Configuration Commands The following table describes the fields shown in the display. Field Description InOctets Number of received octets. InUcastPkts Number of received unicast packets. InMcastPkts Number of received multicast packets. InBcastPkts Number of received broadcast packets. OutOctets Number of transmitted octets. OutUcastPkts Number of transmitted unicast packets.
  • Page 365: Show Ports Jumbo-Frame

    Ethernet Configuration Commands Field Description Received Pause Number of MAC Control frames received Frames with an opcode indicating the PAUSE operation. Transmitted Pause Number of MAC Control frames Frames transmitted on this interface with an opcode indicating the PAUSE operation. 23.20 show ports jumbo-frame Use the show ports jumbo-frame EXEC mode command to display whether jumbo frames are enabled on the device.
  • Page 366: Show Errdisable Interfaces

    Ethernet Configuration Commands 23.21 show errdisable interfaces Use the show errdisable interfaces EXEC mode command to display the Err-Disable state of all interfaces or of a specific interface. Syntax show errdisable interfaces [interface-id] Parameters • interface—Interface number • port-channel-number—Port channel index. Default Configuration Display for all interfaces.
  • Page 367: Storm-Control Broadcast Level

    Ethernet Configuration Commands Parameters This command has no arguments or keywords. Default Configuration Disabled Command Mode Interface Configuration mode (Ethernet) User Guidelines Use the storm-control include-multicast Interface Configuration command to count Multicast packets and optionally unknown Unicast packets in the storm control calculation.
  • Page 368: Storm-Control Include-Multicast

    Ethernet Configuration Commands Default Configuration • level—10% • kbps—10% of port speed in Kbps Command Mode Interface Configuration mode (Ethernet) User Guidelines Use the storm-control broadcast enable Interface Configuration command to enable storm control. The calculated rate includes the 20 bytes of Ethernet framing overhead (preamble+SFD+IPG).
  • Page 369: Show Storm-Control

    Ethernet Configuration Commands Example switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# storm-control include-multicast 23.25 show storm-control Use the show storm-control EXEC mode command to display the configuration of storm control for a port. Syntax show storm-control [interface-id] Parameters interface-id—Specifies the Ethernet port. Default Configuration Display for all interfaces.
  • Page 370: Phy Diagnostics Commands

    PHY Diagnostics Commands 24.1 test cable-diagnostics tdr Use the test cable-diagnostics tdr Privileged EXEC mode command to use Time Domain Reflectometry (TDR) technology to diagnose the quality and characteristics of a copper cable attached to a port. Syntax test cable-diagnostics tdr interface interface-id Parameters interface-id—Specifies an Ethernet port ID.
  • Page 371: Show Cable-Diagnostics Tdr

    PHY Diagnostics Commands 24.2 show cable-diagnostics tdr Use the show cable-diagnostics tdr EXEC mode command to display information on the last Time Domain Reflectometry (TDR) test performed on all copper ports or on a specific copper port. Syntax show cable-diagnostics tdr [interface interface-id | detailed] Parameters •...
  • Page 372: Show Cable-Diagnostics Cable-Length

    PHY Diagnostics Commands 24.3 show cable-diagnostics cable-length Use the show cable-diagnostics cable-length EXEC mode command to display the estimated copper cable length attached to all ports or to a specific port. Syntax show cable-diagnostics cable-length [interface interface-id | detailed] Parameters •...
  • Page 373: Show Fiber-Ports Optical-Transceiver

    PHY Diagnostics Commands 24.4 show fiber-ports optical-transceiver Use the show fiber-ports optical-transceiver EXEC mode command to display the optical transceiver diagnostics. Syntax show fiber-ports optical-transceiver [interface interface-id | detailed] Parameters • interface-id—Specify an Ethernet port ID. • detailed—Displays information for non-present ports in addition to present ports.
  • Page 374 PHY Diagnostics Commands N/A - Not Available, N/S - Not Supported, W - Warning, E - Error switchxxxxxx# show fiber-ports optical-transceiver Port Temp Voltage Current Output Input [Volt] [mA] Power Power [mWatt] [mWatt] ----------- ------ ------- ------- ------- ------- --- Copper Copper 3.32...
  • Page 375: Power Over Ethernet (Poe) Commands

    Power over Ethernet (PoE) Commands 25.1 power inline Use the power inline Interface Configuration mode command to configure the power on an interface. Syntax power inline {auto | never} [time-range time-range-name] Parameters • auto—Turns on the device discovery protocol and applies power to the device.
  • Page 376: Power Inline Powered-Device

    Power over Ethernet (PoE) Commands Examples Exercise 1—The following example turns on the inline power administrative mode on an interface. switchxxxxxx(config)# interface 154 switchxxxxxx(config-if)# power inline auto Exercise 2—The following example shows defining a time range called morning, and then applying it to the power administrative mode. switchxxxxxx (config)#time-range morning switchxxxxxx...
  • Page 377: Power Inline Priority

    Power over Ethernet (PoE) Commands Example The following example adds the description ‘ip phone’ of the device connected to port 4. switchxxxxxx(config)# interface switchxxxxxx(config-if)# power inline powered-device ip_phone 25.3 power inline priority Use the power inline priority Interface Configuration (Ethernet) mode command to configure the interface inline power management priority.
  • Page 378: Power Inline Usage-Threshold

    Power over Ethernet (PoE) Commands 25.4 power inline usage-threshold Use the power inline usage-threshold Global Configuration mode command to configure the threshold for initiating inline power usage alarms. Use the no form of this command to restore the default configuration. Syntax power inline usage-threshold percent...
  • Page 379: Power Inline Limit

    Power over Ethernet (PoE) Commands Default Configuration Inline power traps are disabled. Command Mode Global Configuration mode Example The following example enables inline power traps. switchxxxxxx(config)# power inline traps enable 25.6 power inline limit Use the power inline limit Interface Configuration mode command to configure the power limit per port on an interface.
  • Page 380: Power Inline Limit-Mode

    Power over Ethernet (PoE) Commands Example The following example sets inline power on a port. switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# power inline limit 2222 25.7 power inline limit-mode Use the power inline limit-mode Global Configuration mode command to set the power limit mode of the system. Use the no form of this command to return to default.
  • Page 381 Power over Ethernet (PoE) Commands Syntax show power inline [interface-id | detailed] Parameters • interface-id—Specifies an interface ID. The interface ID must be an Ethernet port. • detailed—Displays information for non-present ports in addition to present ports. Default Configuration Show information for all ports.
  • Page 382 Power over Ethernet (PoE) Commands Example The following example displays information about the inline power for a specific port. switchxxxxxx(config)# show power inline gi1 Power limit: 15 W Power limit (for port based power-limit mode): 15 W Port Powered Device State Status Priority...
  • Page 383: Show Power Inline Consumption

    Power over Ethernet (PoE) Commands Field Description Short Counter Counts the number of short conditions detected. Denied Counter Counts the number of times power was denied. Absent Counter Counts the number of times power was removed because powered device dropout was detected.
  • Page 384 Power over Ethernet (PoE) Commands Default Configuration Show information for all ports. If detailed is not used, only present ports are displayed. Command Mode EXEC mode Example The following example displays information about the inline power consumption. switchxxxxxx# show power inline consumption Port Power Limit(W) Power (W)
  • Page 385: Eee Commands

    EEE Commands 26.1 eee enable (global) Use the eee enable Global Configuration command to enable the EEE mode globally. Use the no format of the command to disable the mode. Syntax eee enable no eee enable Default Configuration EEE is enabled. Command Mode Global Configuration mode User Guidelines...
  • Page 386: Eee Lldp Enable

    EEE Commands Syntax eee enable no eee enable Parameters Default Configuration EEE is enabled. Command Mode Interface Configuration mode (Ethernet) User Guidelines If Auto-Negotiation is not enabled on the port and its speed is 1 Giga, the EEE Operational status is disabled. Example switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# eee enable...
  • Page 387: Show Eee

    EEE Commands Default Configuration Enabled Command Mode Interface Configuration mode (Ethernet) User Guidelines Enabling EEE LLDP advertisement enables devices to choose and change system wake-up times in order to get the optimal energy saving mode. Example switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# eee lldp enable 26.4 show eee Use the show eee EXEC command to display EEE information.
  • Page 388 EEE Commands EEE Administrate status is enabled on ports: gi1-6, gi7 EEE Operational status is enabled on ports: gi1, gi3-6, gi2, gi5 EEE LLDP Administrate status is enabled on ports: gi1-5 EEE LLDP Operational status is enabled on ports: gi1-5 Example 2 - The following is the information displayed when a port is in state not Present;...
  • Page 389 EEE Commands EEE LLDP Administrate status: enabled Example 5 - The following is the information displayed when the neighbor does not support EEE. switchxxxxxx>show eee gi5 Port Status: UP EEE capabilities: Speed 10M: EEE not supported Speed 100M: EEE supported Speed 1G: EEE supported Current port speed: 1Gbps EEE Remote status: disabled...
  • Page 390 EEE Commands Port Status: UP EEE capabilities: Speed 10M: EEE not supported Speed 100M: EEE supported Speed 1G: EEE supported Current port speed: 1Gbps EEE Remote status: enabled EEE Administrate status: enabled EEE Operational status: enabled EEE LLDP Administrate status: disabled EEE LLDP Operational status: disabled Resolved Tx Timer: 10usec Local Tx Timer: 10 usec...
  • Page 391 EEE Commands Resolved Timer: 25 usec Local Rx Timer: 20 usec Remote Tx Timer: 25 usec Example 9 - The following is the information displayed when EEE is running on the port, EEE LLDP is enabled but not synchronized with remote link partner. switchxxxxxx>show eee gi9 Port Status: up EEE capabilities:...
  • Page 392 EEE Commands EEE Administrate status: enabled EEE Operational status: enabled EEE LLDP Administrate status: enabled EEE LLDP Operational status: enabled Resolved Tx Timer: 10usec Local Tx Timer: 10 usec Remote Rx Timer: 5 usec Resolved Timer: 25 usec Local Rx Timer: 20 usec Remote Tx Timer: 25 usec
  • Page 393: Green Ethernet

    Green Ethernet 27.1 green-ethernet energy-detect (global) Use the green-ethernet energy-detect Global Configuration mode command to enable Green-Ethernet Energy-Detect mode globally. Use the no form of this command to disable it. Syntax green-ethernet energy-detect no green-ethernet energy-detect Parameters Default Configuration Disabled. Command Mode Global Configuration mode Example...
  • Page 394: Green-Ethernet Short-Reach (Global)

    Green Ethernet Parameters Default Configuration Enabled Command Mode Interface configuration mode (Ethernet) User Guidelines Energy-Detect can work only when the port is a copper port. When a port is enabled for auto selection, copper/fiber Energy-Detect cannot work. It takes the PHY ~5 seconds to fall into sleep mode when the link is lost after normal operation.
  • Page 395: Green-Ethernet Short-Reach (Interface)

    Green Ethernet Command Mode Global Configuration mode Example switchxxxxxx(config)# green-ethernet short-reach 27.4 green-ethernet short-reach (interface) Use the green-ethernet short-reach Interface Configuration mode command to enable green-ethernet short-reach mode on a port. Use the no form of this command to disable it on a port. Syntax green-ethernet short-reach no green-ethernet short-reach...
  • Page 396: Green-Ethernet Power-Meter Reset

    Green Ethernet Example switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# green-ethernet short-reach 27.5 green-ethernet power-meter reset Use the green-ethernet power-meter reset Privileged EXEC mode command to reset the power save meter. Syntax green-ethernet power-meter reset Parameters Default Configuration Command Mode Privileged EXEC mode. Example switchxxxxxx(config)# green-ethernet power-meter reset 27.6...
  • Page 397 Green Ethernet • detailed—Displays information for non-present ports in addition to present ports. Default Configuration Display for all ports. If detailed is not used, only present ports are displayed. Command Mode Privileged EXEC mode User Guidelines The power savings displayed include only the power saved by short reach, energy detect and the power saved by disabling the port LEDs;...
  • Page 398 Green Ethernet Example (If a mode is not supported, its columns are removed from the output). switchxxxxxx# show green-ethernet Energy-Detect mode: Enabled Short-Reach mode: Disabled Disable Port LEDs mode: Enabled Power Consumption: 76% (3.31W out of maximum 4.33W) Cumulative Energy Saved: 33 [Watt*Hour] Short-Reach cable length threshold: 50m Port Energy-Detect...
  • Page 399: Port Channel Commands

    Port Channel Commands 28.1 channel-group Use the channel-group Interface Configuration (Ethernet) mode command to associate a port with a port-channel. Use the no form of this command to remove a port from a port-channel. Syntax channel-group port-channel mode {on | auto} no channel-group Parameters...
  • Page 400: Port-Channel Load-Balance

    Port Channel Commands 28.2 port-channel load-balance Use the port-channel load-balance Global Configuration mode command to configure the load balancing policy of the port channeling. Use the no form of this command to reset to default. Syntax port-channel load-balance {src-dst-mac | src-dst-mac-ip} no port-channel load-balance Parameters •...
  • Page 401 Port Channel Commands Parameters interface-id—Specify an interface ID. The interface ID must be a Port Channel. Command Mode EXEC mode Examples Example 1 - The following example displays information on all port-channels. switchxxxxxx# show interfaces port-channel Load balancing: src-dst-mac. Gathering information... Channel Ports -------...
  • Page 402 Port Channel Commands General Egress Tagged VLANs Enabled: none General Forbidden VLANs: none General Ingress Filtering: enabled General Acceptable Frame Type: all General GVRP status: disabled Customer Mode VLAN: none Private-vlan promiscuous-association primary VLAN: none Private-vlan promiscuous-association Secondary VLANs Enabled: none Private-vlan host-association primary VLAN: none Private-vlan host-association Secondary VLAN Enabled: none DVA: disable...
  • Page 403: Address Table Commands

    Address Table Commands 29.1 bridge multicast filtering Use the bridge multicast filtering Global Configuration mode command to enable the filtering of Multicast addresses. Use the no form of this command to disable Multicast address filtering. Syntax bridge multicast filtering no bridge multicast filtering Default Configuration Multicast address filtering is disabled.
  • Page 404: Bridge Multicast Mode

    Address Table Commands 29.2 bridge multicast mode Use the bridge multicast mode Interface Configuration (VLAN) mode command to configure the Multicast bridging mode. Use the no form of this command to return to the default configuration. Syntax bridge multicast mode {mac-group | ip-group | ip-src-group} no bridge multicast mode Parameters...
  • Page 405 Address Table Commands For each Forwarding Data Base (FDB) mode, use different CLI commands to configure static entries in the FDB, as described in the following table: FDB Mode CLI Commands mac-group bridge multicast bridge multicast address forbidden address ipv4-group bridge multicast bridge multicast ip-address...
  • Page 406: Bridge Multicast Address

    Address Table Commands 29.3 bridge multicast address Use the bridge multicast address Interface Configuration (VLAN) mode command to register a MAC-layer Multicast address in the bridge table and statically add or remove ports to or from the group. Use the no form of this command to unregister the MAC address.
  • Page 407: Bridge Multicast Forbidden Address

    Address Table Commands You can execute the command before the VLAN is created. Examples Example 1 - The following example registers the MAC address to the bridge table: switchxxxxxx(config)# interface vlan switchxxxxxx(config-if)# bridge multicast address 01:00:5e:02:02:03 Example 2 - The following example registers the MAC address and adds ports statically.
  • Page 408: Bridge Multicast Ip-Address

    Address Table Commands • port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels. Default Configuration No forbidden addresses are defined. Default option is add. Command Mode Interface Configuration (VLAN) mode User Guidelines...
  • Page 409 Address Table Commands Parameters • ip-multicast-address—Specifies the group IP Multicast address. • add—Adds ports to the group. • remove—Removes ports from the group. • ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
  • Page 410: Bridge Multicast Forbidden Ip-Address

    Address Table Commands switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2 29.6 bridge multicast forbidden ip-address Use the bridge multicast forbidden ip-address Interface Configuration (VLAN) mode command to forbid adding or removing a specific IP Multicast address to or from specific ports. Use the no form of this command to restore the default configuration.
  • Page 411: Bridge Multicast Source Group

    Address Table Commands Example The following example registers IP address 239.2.2.2, and forbids the IP address on port within VLAN 8. switchxxxxxx(config)# interface vlan switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2 switchxxxxxx(config-if)# bridge multicast forbidden ip-address 239.2.2.2 29.7 bridge multicast source group Use the bridge multicast source group Interface Configuration (VLAN) mode command to register a source IP address - Multicast IP address pair to the bridge table, and statically add or remove ports to or from the source-group.
  • Page 412: Bridge Multicast Forbidden Source Group

    Address Table Commands The default option is add. Command Mode Interface Configuration (VLAN) mode User Guidelines You can execute the command before the VLAN is created. Example The following example registers a source IP address - Multicast IP address pair to the bridge table: switchxxxxxx(config)# interface vlan...
  • Page 413: Bridge Multicast Ipv6 Mode

    Address Table Commands • ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports. • port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces;...
  • Page 414 Address Table Commands Parameters • mac-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC destination address. • ip-group—Specifies that Multicast bridging is based on the packet's VLAN and IPv6 destination address for IPv6 packets. • ip-src-group—Specifies that Multicast bridging is based on the packet's VLAN, IPv6 destination address and IPv6 source address for IPv6 packets.
  • Page 415: Bridge Multicast Ipv6 Ip-Address

    Address Table Commands Note that (*,G) cannot be written to the FDB if the mode is ip-src-group. In that case, no new FDB entry is created, but the port is added to the (S,G) entries (if they exist) that belong to the requested group. If an application on the device requests (*,G), the operating FDB mode is changed to ip-group.
  • Page 416: Bridge Multicast Ipv6 Forbidden Ip-Address

    Address Table Commands Default Configuration No Multicast addresses are defined. The default option is add. Command Mode Interface Configuration (VLAN) mode User Guidelines To register the group in the bridge database without adding or removing ports or port channels, specify the ipv6-multicast-address parameter only. Static Multicast addresses can be defined on static VLANs only.
  • Page 417 Address Table Commands Syntax bridge multicast ipv6 forbidden ip-address ipv6-multicast-address {add | remove} {ethernet interface-list | port-channel port-channel-list} no bridge multicast ipv6 forbidden ip-address ipv6-multicast-address Parameters • ipv6-multicast-address—Specifies the group IPv6 Multicast address. • add—Forbids adding ports to the group. •...
  • Page 418: Bridge Multicast Ipv6 Source Group

    Address Table Commands switchxxxxxx(config-if)# bridge multicast ipv6 forbidden ip-address FF00:0:0:0:4:4:4:1 29.12 bridge multicast ipv6 source group Use the bridge multicast ipv6 source group Interface Configuration (VLAN) mode command to register a source IPv6 address - Multicast IPv6 address pair to the bridge table, and statically add or remove ports to or from the source-group.
  • Page 419: Bridge Multicast Ipv6 Forbidden Source Group

    Address Table Commands Example The following example registers a source IPv6 address - Multicast IPv6 address pair to the bridge table: switchxxxxxx(config)# interface vlan switchxxxxxx(config-if)# bridge multicast ipv6 source 2001:0:0:0:4:4:4 group FF00:0:0:0:4:4:4:1 29.13 bridge multicast ipv6 forbidden source group Use the bridge multicast ipv6 forbidden source group Interface Configuration (VLAN) mode command to forbid adding or removing a specific IPv6 source address - Multicast address pair to or from specific ports.
  • Page 420: Bridge Multicast Unregistered

    Address Table Commands Default Configuration No forbidden addresses are defined. Command Mode Interface Configuration (VLAN) mode User Guidelines Before defining forbidden ports, the Multicast group should be registered. You can execute the command before the VLAN is created. Example The following example registers a source IPv6 address - Multicast IPv6 address pair to the bridge table, and forbids adding the pair to gi9 on VLAN 8: switchxxxxxx(config)# interface vlan...
  • Page 421: Bridge Multicast Forward-All

    Address Table Commands Default Configuration Unregistered Multicast addresses are forwarded. Command Mode Interface Configuration (Ethernet, Port-Channel) mode User Guidelines Do not enable unregistered Multicast filtering on ports that are connected to routers, because the 224.0.0.x address range should not be filtered. Note that routers do not necessarily send IGMP reports for the 224.0.0.x range.
  • Page 422: Bridge Multicast Forbidden Forward-All

    Address Table Commands • ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports. • port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces.
  • Page 423: Bridge Unicast Unknown

    Address Table Commands • port-channel port-channel-list —Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port channels. Default Configuration Ports are not forbidden to dynamically join Multicast groups. The default option is add.
  • Page 424: Mac Address-Table Static

    Address Table Commands Parameters • filtering— Filter unregistered Unicast packets. • forwarding— Forward unregistered Unicast packets. Default Configuration Forwarding. Command Mode Interface Configuration mode Example The following example drops Unicast packets on VLAN 2 when the destination is unknown. switchxxxxxx(config)# interface vlan switchxxxxxx(config-if)# bridge unicast unknown filtering...
  • Page 425 Address Table Commands • permanent—The permanent static MAC address. The keyword is applied by default. • delete-on-reset—The delete-on-reset static MAC address. • delete-on-timeout—The delete-on-timeout static MAC address. • secure—The secure MAC address. May be used only in a secure mode. Default Configuration No static addresses are defined.
  • Page 426: Clear Mac Address-Table

    Address Table Commands • secure— A MAC address added manually or learned in a secure mode. Use the mac address-table static command with the secure keyword to add a secure MAC address. The MAC address cannot be relearned. A secure MAC address may be added only in a secure port mode. •...
  • Page 427: Show Bridge Unicast Unknown

    Address Table Commands Syntax clear mac address-table dynamic [interface interface-id] clear mac address-table secure interface interface-id Parameters • dynamic interface interface-id—Delete all dynamic (learned) addresses on the specified interface. The interface ID can be one of the following types: Ethernet port or port-channel. If interface ID is not supplied, all dynamic addresses are deleted.
  • Page 428: Mac Address-Table Aging-Time

    Address Table Commands Syntax show bridge unicast unknown [interface-id] Parameters interface-id—Specify an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel Default Command Mode EXEC Example switchxxxxxx # show bridge unicast unknown Port Unregistered ------ -------------...
  • Page 429: Port Security

    Address Table Commands Default Configuration Command Mode Global Configuration mode Example switchxxxxxx(config)# mac address-table aging-time 600 29.22 port security Use the port security Interface Configuration (Ethernet, Port-channel) mode command to enable port security learning mode on an interface. Use the no form of this command to disable port security learning mode on an interface.
  • Page 430: Port Security Mode

    Address Table Commands Command Mode Interface Configuration (Ethernet, port-channel) mode User Guidelines The command may be used only when the interface is in the regular (non-secure with unlimited MAC learning) mode. See the bridge unicast unknown command for information about MAC address attributes (type and time-to-live) definitions.
  • Page 431 Address Table Commands no port security mode Parameters • max-addresses— Non secure mode with limited learning dynamic MAC addresses. The static MAC addresses may be added on the port manually by the bridge unicast unknown command. • lock— Secure mode without MAC learning. The static and secure MAC addresses may be added on the port manually by the bridge unicast unknown...
  • Page 432: Port Security Max

    Address Table Commands switchxxxxxx(config-if)# port security mode lock switchxxxxxx(config-if)# port security switchxxxxxx(config-if)# exit 29.24 port security max Use the port security max Interface Configuration (Ethernet, Port-channel) mode command to configure the maximum number of addresses that can be learned on the port while the port is in port, max-addresses or secure mode. Use the no form of this command to restore the default configuration.
  • Page 433: Show Mac Address-Table

    Address Table Commands switchxxxxxx(config-if)# port security max 20 switchxxxxxx(config-if)# port security switchxxxxxx(config-if)# exit 29.25 show mac address-table Use the show mac address-table EXEC command to view entries in the MAC address table. Syntax show mac address-table [dynamic | static | secure] [vlan vlan] [interface interface-id] [address mac-address] Parameters...
  • Page 434: Show Mac Address-Table Count

    Address Table Commands Examples Example 1 - Displays entire address table. switchxxxxxx# show mac address-table Aging time is 300 sec VLAN MAC Address Port Type -------- --------------------- ---------- ---------- 00:00:26:08:13:23 self 00:3f:bd:45:5a:b1 static 00:a1:b0:69:63:f3 dynamic 00:a1:b0:69:63:f3 dynamic Example 2 - Displays address table entries containing the specified MAC address. switchxxxxxx# show mac address-table 00:3f:bd:45:5a:b1 Aging time is 300 sec VLAN...
  • Page 435: Show Bridge Multicast Mode

    Address Table Commands Command Mode EXEC mode Example switchxxxxxx# show mac address-table count Capacity: 8192 Free: 8083 Used: 109 Secure Dynamic : 25 Static Internal : 0 29.27 show bridge multicast mode Use the show bridge multicast mode EXEC mode command to display the Multicast bridging mode for all VLANs or for a specific VLAN.
  • Page 436: Show Bridge Multicast Address-Table

    Address Table Commands VLAN IPv4 Multicast Mode IPv6 Multicast Mode Admin Oper Admin Oper ---------- ----------- ----------- ----------- MAC-GROUP MAC-GROUP MAC-GROUP MAC-GROUP IPv4-GROUP IPv6-GROUP IPv4-GROUP IPv6-GROUP IPv4-SRC-GROUP IPv6-SRC-GROUP IPv4-SRC-GROUP IPv6-SRC-GROUP 29.28 show bridge multicast address-table Use the show bridge multicast address-table EXEC mode command to display Multicast MAC addresses or IP Multicast address table information.
  • Page 437 Address Table Commands Default Configuration If the format is not specified, it defaults to mac (only if mac-multicast-address was entered). If VLAN ID is not entered, entries for all VLANs are displayed. If MAC or IP address is not supplied, entries for all addresses are displayed. Command Mode EXEC mode User Guidelines...
  • Page 438 Address Table Commands 224.0.0.251 Dynamic Forbidden ports for Multicast addresses: Vlan MAC Address Ports ---- ----------------- ----- 232.5.6.5 233.22.2.6 Multicast address table for VLANs in IPv4-SRC-GROUP bridging mode: Vlan Group Address Source address Type Ports ---- --------------- --------------- -------- ----- 224.2.2.251 11.2.2.3 Dynamic...
  • Page 439: Show Bridge Multicast Address-Table Static

    Address Table Commands ---- --------------- --------------- ---------- ff02::4:4:4 ff02::4:4:4 fe80::200:7ff:fe00:200 29.29 show bridge multicast address-table static Use the show bridge multicast address-table static EXEC mode command to display the statically configured Multicast addresses. Syntax show bridge multicast address-table static [vlan vlan-id] [address mac-multicast-address | ipv4-multicast-address | ipv6-multicast-address] [source ipv4-source-address | ipv6-source-address] [all | mac | ip] Parameters...
  • Page 440 Address Table Commands Example The following example displays the statically configured Multicast addresses. switchxxxxxx# show bridge multicast address-table static MAC-GROUP table Vlan MAC Address Ports ---- -------------- -------- 0100.9923.8787 Forbidden ports for multicast addresses: Vlan MAC Address Ports ---- -------------- -------- IPv4-GROUP Table Vlan...
  • Page 441: Show Bridge Multicast Filtering

    Address Table Commands Forbidden ports for multicast addresses: Vlan IP Address Ports ---- ----------------- --------- FF12::3 FF12::8 IPv6-SRC-GROUP Table: Vlan Group Address Source address Ports ---- --------------- ------ --------------- FF12::8 FE80::201:C9A9:FE40:8988 gi1-8 Forbidden ports for multicast addresses: Vlan Group Address Source address Ports...
  • Page 442: Show Bridge Multicast Unregistered

    Address Table Commands Example The following example displays the Multicast configuration for VLAN 1. switchxxxxxx# show bridge multicast filtering 1 Filtering: Enabled VLAN: 1 Port Forward-All ----- Static Status --------- ------ Forbidden Filter Forward Forward(s) Forward(d) 29.31 show bridge multicast unregistered Use the show bridge multicast unregistered EXEC mode command to display the unregistered Multicast filtering configuration.
  • Page 443: Show Ports Security

    Address Table Commands Example The following example displays the unregistered Multicast configuration. switchxxxxxx# show bridge multicast unregistered Port Unregistered ------- ------------- Forward Filter Filter 29.32 show ports security Use the show ports security Privileged EXEC mode command to display the port-lock status.
  • Page 444: Show Ports Security Addresses

    Address Table Commands Port Status Learning Action Maximum Trap Frequency ------- -------- --------- ------ ------- -------- Enabled Max- Discard Enabled 100 Addresses Disabled Max- Addresses Enabled Lock Discard, 8 Disabled - Shutdown The following table describes the fields shown above. Field Description Port...
  • Page 445: Bridge Multicast Reserved-Address

    Address Table Commands Default Configuration Display for all interfaces. If detailed is not used, only present ports are displayed. Command Mode Privileged EXEC mode Example The following example displays dynamic addresses in all currently locked port: Port Status Learning Current Maximum ------- -------- --------------- ---------- ----------...
  • Page 446 Address Table Commands Parameters • mac-multicast-address—MAC Multicast address in the reserved MAC addresses range. (Range: 01-80-C2-00-00-00, 01-80-C2-00-00-02–01-80-C2-00-00-2F) • ethernet-v2 ethtype—Specifies that the packet type is Ethernet v2 and the Ethernet type field (16 bits in hexadecimal format). (Range: 0x0600–0xFFFF) • —Specifies that the packet type is LLC and the DSAP-SSAP field (16 bits in hexadecimal format). (Range: 0xFFFF) •...
  • Page 447: Show Bridge Multicast Reserved-Addresses

    Address Table Commands Example switchxxxxxx(config)# bridge multicast reserved-address 00:3f:bd:45:5a:b1 29.35 show bridge multicast reserved-addresses Use the show bridge multicast reserved-addresses EXEC mode command to display the Multicast reserved-address rules. Syntax show bridge multicast reserved-addresses Command Mode EXEC mode Example switchxxxxxx# show bridge multicast reserved-addresses MAC Address Frame Type Protocol...
  • Page 448: Port Monitor Commands

    Port Monitor Commands 30.1 port monitor Use the port monitor Interface Configuration (Ethernet) mode command to start a port monitoring session (mirroring). Use the no form of this command to stop a port monitoring session. Syntax port monitor src-interface-id [rx | tx] no port monitor src-interface-id...
  • Page 449 Port Monitor Commands The analyzer port for port ingress traffic mirroring should be the same port for all mirrored ports. The analyzer port for port egress traffic mirroring should be the same port for all mirrored ports. The analyzer port for VLAN mirroring should be the same for all the mirrored VLANs, and should be the same port as the analyzer port for port ingress mirroring traffic.
  • Page 450: Show Ports Monitor

    Port Monitor Commands 3. Mirrored traffic is exposed to STP state, i.e. if the port is in STP blocking, it will not egress any mirrored traffic. Example The following example copies traffic for both directions (Tx and Rx) from the source port 2 to destination port switchxxxxxx(config)# interface gi1...
  • Page 451: Spanning-Tree Commands

    Spanning-Tree Commands 31.1 spanning-tree Use the spanning-tree Global Configuration mode command to enable spanning-tree functionality. Use the no form of this command to disable the spanning-tree functionality. Syntax spanning-tree no spanning-tree Parameters Default Configuration Spanning-tree is enabled. Command Mode Global Configuration mode Example The following example enables spanning-tree functionality.
  • Page 452: Spanning-Tree Forward-Time

    Spanning-Tree Commands no spanning-tree mode Parameters • stp—Specifies that STP is enabled. • rstp—Specifies that the Rapid STP is enabled. • mst—Specifies that the Multiple STP is enabled. Default Configuration The default is RSTP. Command Mode Global Configuration mode User Guidelines In RSTP mode, the device uses STP when the neighbor device uses STP.
  • Page 453: Spanning-Tree Hello-Time

    Spanning-Tree Commands Parameters seconds—Specifies the spanning-tree forward time in seconds. (Range: 4–30) Default Configuration 15 seconds. Command Mode Global Configuration mode User Guidelines When configuring the forwarding time, the following relationship should be maintained: 2*(Forward-Time - 1) >= Max-Age Example The following example configures the spanning tree bridge forwarding time to 25 seconds.
  • Page 454: Spanning-Tree Max-Age

    Spanning-Tree Commands Command Mode Global Configuration mode User Guidelines When configuring the Hello time, the following relationship should be maintained: Max-Age >= 2*(Hello-Time + 1) Example The following example configures the spanning-tree bridge hello time to 5 seconds. switchxxxxxx(config)# spanning-tree hello-time 31.5 spanning-tree max-age Use the spanning-tree max-age Global Configuration mode command to configure...
  • Page 455: Spanning-Tree Priority

    Spanning-Tree Commands 2*(Forward-Time - 1) >= Max-Age Max-Age >= 2*(Hello-Time + 1) Example The following example configures the spanning-tree bridge maximum age to 10 seconds. switchxxxxxx(config)# spanning-tree max-age 31.6 spanning-tree priority Use the spanning-tree priority Global Configuration mode command to configure the device STP priority, which is used to determine which bridge is selected as the root bridge.
  • Page 456: Spanning-Tree Disable

    Spanning-Tree Commands Example The following example configures the spanning-tree priority to 12288. switchxxxxxx(config)# spanning-tree priority 12288 31.7 spanning-tree disable Use the spanning-tree disable Interface Configuration (Ethernet, port-channel) mode command to disable the spanning tree on a specific port. Use the no form of this command to enable the spanning tree on a port.
  • Page 457: Spanning-Tree Port-Priority

    Spanning-Tree Commands Syntax spanning-tree cost cost no spanning-tree cost Parameters cost—Specifies the port path cost. (Range: 1–200000000) Default Configuration Default path cost is determined by port speed and path cost method (long or short) as shown below: Interface Long Short Port-channel 20,000 Gigabit Ethernet (1000 Mbps)
  • Page 458: Spanning-Tree Portfast

    Spanning-Tree Commands Parameters priority—Specifies the port priority. (Range: 0–240) Default Configuration The default port priority is 128. Command Mode Interface Configuration (Ethernet, port-channel) mode User Guidelines The priority value must be a multiple of 16. Example The following example configures the spanning priority on gi15 to 96 switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# spanning-tree port-priority 96 31.10 spanning-tree portfast...
  • Page 459: Spanning-Tree Link-Type

    Spanning-Tree Commands Default Configuration PortFast mode is disabled. Command Mode Interface Configuration (Ethernet, port-channel) mode Example The following example enables the PortFast mode on gi15. switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# spanning-tree portfast 31.11 spanning-tree link-type Use the spanning-tree link-type Interface Configuration (Ethernet, port-channel) mode command to override the default link-type setting determined by the port duplex mode, and enable RSTP transitions to the Forwarding state.
  • Page 460: Spanning-Tree Pathcost Method

    Spanning-Tree Commands Example The following example enables shared spanning-tree on gi15. switchxxxxxx(config)# interface gi15 switchxxxxxx(config-if)# spanning-tree link-type shared 31.12 spanning-tree pathcost method Use the spanning-tree pathcost method Global Configuration mode command to set the default path cost method. Use the no form of this command to return to the default configuration.
  • Page 461: Spanning-Tree Bpdu (Global)

    Spanning-Tree Commands Example The following example sets the default path cost method to Long. switchxxxxxx(config)# spanning-tree pathcost method long 31.13 spanning-tree bpdu (Global) Use the spanning-tree bpdu Global Configuration mode command to define Bridge Protocol Data Unit (BPDU) handling when the spanning tree is disabled globally or on a single interface.
  • Page 462: Spanning-Tree Bpdu (Interface)

    Spanning-Tree Commands Example The following example defines the BPDU packet handling mode as flooding when the spanning tree is disabled on an interface switchxxxxxx(config)# spanning-tree bpdu flooding 31.14 spanning-tree bpdu (Interface) Use the spanning-tree bpdu Interface Configuration (Ethernet, Port-channel) mode command to define BPDU handling when the spanning tree is disabled on a single interface.
  • Page 463: Spanning-Tree Guard Root

    Spanning-Tree Commands 31.15 spanning-tree guard root Use the spanning-tree guard root Interface Configuration (Ethernet, Port-channel) mode command to enable Root Guard on all spanning-tree instances on the interface. Root guard prevents the interface from becoming the root port of the device.
  • Page 464: Clear Spanning-Tree Detected-Protocols

    Spanning-Tree Commands Syntax spanning-tree bpduguard {enable | disable} no spanning-tree bpduguard Parameters bpduguard enable—Enables BPDU Guard. bpduguard disable—Disables BPDU Guard. Default Configuration BPDU Guard is disabled. Command Mode Interface Configuration (Ethernet, Port-channel) mode User Guidelines The command can be enabled when the spanning tree is enabled (useful when the port is in the PortFast mode) or disabled.
  • Page 465: Spanning-Tree Mst Priority

    Spanning-Tree Commands Parameters interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel. Default Configuration All interfaces. Command Mode Privileged EXEC mode User Guidelines This feature can only be used when working in RSTP or MSTP mode. Example This restarts the STP migration process on all interfaces.
  • Page 466: Spanning-Tree Mst Max-Hops

    Spanning-Tree Commands Default Configuration The default priority is 32768. Command Mode Global Configuration mode User Guidelines The priority value must be a multiple of 4096. The switch with the lowest priority is the root of the spanning tree. Example The following example configures the spanning tree priority of instance 1 to 4096. switchxxxxxx(config)# spanning-tree mst priority...
  • Page 467: Spanning-Tree Mst Port-Priority

    Spanning-Tree Commands Example The following example configures the maximum number of hops that a packet travels in an MST region before it is discarded to 10. switchxxxxxx(config)# spanning-tree mst max-hops 31.20 spanning-tree mst port-priority Use the spanning-tree mst port-priority Interface Configuration (Ethernet, port-channel) mode command to configure the priority of a port.
  • Page 468: Spanning-Tree Mst Cost

    Spanning-Tree Commands 31.21 spanning-tree mst cost Use the spanning-tree mst cost Interface Configuration (Ethernet, Port-channel) mode command to configure the path cost for MST calculations. If a loop occurs, the spanning tree considers path cost when selecting an interface to put in the Forwarding state.
  • Page 469: Spanning-Tree Mst Configuration

    Spanning-Tree Commands switchxxxxxx(config-if)# spanning-tree mst cost 31.22 spanning-tree mst configuration Use the spanning-tree mst configuration Global Configuration mode command to enable configuring an MST region by entering the MST mode. Syntax spanning-tree mst configuration Command Mode Global Configuration mode User Guidelines For two or more switches to be in the same MST region, they must contain the same VLAN mapping, the same configuration revision number, and the same name.
  • Page 470: Name (Mst)

    Spanning-Tree Commands Parameters • instance-id—MST instance (Range: 1–15) • vlan-range—The specified range of VLANs is added to the existing ones. To specify a range, use a hyphen. To specify a series, use a comma. (Range: 1–4094) Default Configuration All VLANs are mapped to the common and internal spanning tree (CIST) instance (instance 0).
  • Page 471: Revision (Mst)

    Spanning-Tree Commands Parameters string—Specifies the MST instance name. (Length: 1–32 characters) Default Configuration The default name is the bridge MAC address. Command Mode MST Configuration mode Example The following example defines the instance name as Region1. switchxxxxxx(config)# spanning-tree mst configuration switchxxxxxx(config-mst)# name region1...
  • Page 472: Show (Mst)

    Spanning-Tree Commands Example The following example sets the configuration revision to 1. switchxxxxxx(config)# spanning-tree mst configuration switchxxxxxx(config-mst)# revision 31.26 show (MST) Use the show MST Configuration mode command to display the current or pending MST region configuration. Syntax show {current | pending} Parameters...
  • Page 473: Exit (Mst)

    Spanning-Tree Commands 1-4094 Disabled switchxxxxxx(config-mst)# 31.27 exit (MST) Use the exit MST Configuration mode command to exit the MST region Configuration mode and apply all configuration changes. Syntax exit Parameters Default Configuration Command Mode MST Configuration mode Example The following example exits the MST Configuration mode and saves changes. switchxxxxxx(config)# spanning-tree mst configuration switchxxxxxx(config-mst)#...
  • Page 474: Show Spanning-Tree

    Spanning-Tree Commands Parameters Default Configuration Command Mode MST Configuration mode Example The following example exits the MST Configuration mode without saving changes. switchxxxxxx(config)# spanning-tree mst configuration switchxxxxxx(config-mst)# abort 31.29 show spanning-tree Use the show spanning-tree Privileged EXEC mode command to display the spanning-tree configuration.
  • Page 475 Spanning-Tree Commands Default Configuration If no interface is specified, the default is all interfaces. Command Mode Privileged EXEC mode User Guidelines This command only works when MST is enabled. Example The following examples display spanning-tree information in various configurations: switchxxxxxx# show spanning-tree Spanning tree enabled mode RSTP Default port cost method: long Loopback guard: Disabled...
  • Page 476 Spanning-Tree Commands Interfaces Name State Prio. No Cost Role PortFast Type ------ ------ ------ ----- ---- ------- ---------- 128.1 Enabled 20000 Root P2p (RSTP) 128.2 Enabled 20000 Desg Shared (STP) 128.3 Disabled 20000 128.4 Enabled 20000 Altn Shared (STP) 128.5 Enabled 20000 switchxxxxxx# show spanning-tree...
  • Page 477 Spanning-Tree Commands Interfaces Name State Prio.Nb Cost Role PortFast Type --------- -------- ------- ----- ---- -------- ---------- Enabled 128.1 20000 Enabled 128.2 20000 Disabled 128.3 20000 Enabled 128.4 20000 Enabled 128.5 20000 switchxxxxxx# show spanning-tree active Spanning tree enabled mode RSTP Default port cost method: long Root ID Priority...
  • Page 478 Spanning-Tree Commands Bridge ID Priority 36864 Address 00:02:4b:29:7a:00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interfaces Name State Prio.Nbr Cost Role PortFast Type --------- ------- ------ ----- ---- -------- ---------- Enabled 128.4 Altn Shared (STP) switchxxxxxx# show spanning-tree detail Spanning tree enabled mode RSTP Default port cost method: long...
  • Page 479 Spanning-Tree Commands Port 2 (gi2) enabled State: Forwarding Role: Designated Port id: 128.2 Port cost: 20000 Type: Shared (configured: auto) STP Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:02:4b:29:7a:00 Designated port id: 128.2 Designated path cost: 20000 Guard root: Disabled BPDU guard: Disabled Number of transitions to forwarding state: 1 BPDU: sent 2, received 170638...
  • Page 480 Spanning-Tree Commands switchxxxxxx# show spanning-tree ethernet gi1 Port 1 (gi1) enabled State: Forwarding Role: Root Port id: 128.1 Port cost: 20000 Type: P2p (configured: auto) RSTP Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:01:42:97:e0:00 Designated port id: 128.25 Designated path cost: 0 Guard root: Disabled BPDU guard: Disabled...
  • Page 481 Spanning-Tree Commands Name State Prio.Nbr Cost Role PortFast Type ---- ------- -------- ----- ---- -------- ------------- Enabled 128.1 20000 Root P2p Bound (RSTP) Enabled 128.2 20000 Desg Shared Bound Enabled 128.3 20000 Desg (STP) Enabled 128.4 20000 Desg ###### MST 1 Vlans Mapped: 10-20 Root ID Priority 24576...
  • Page 482 Spanning-Tree Commands This switch is the IST master. Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Max hops 20 Number of topology changes 2 last change occurred 2d18h Times: hold 1, topology change 35, notification 2 hello 2, max age 20, forward delay 15 Port 1 (gi1) enabled State: Forwarding...
  • Page 483 Spanning-Tree Commands Port 4 (gi4) enabled State: Forwarding Role: Designated Port id: 128.4 Port cost: 20000 Type: Shared (configured: auto) Internal Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:02:4b:29:7a:00 Designated port id: 128.2 Designated path cost: 20000 Number of transitions to forwarding state: 1 BPDU: sent 2, received 170638 ###### MST 1 Vlans Mapped: 10-20 Root ID...
  • Page 484 Spanning-Tree Commands Port 2 (gi2) enabled State: Forwarding Role: Designated Port id: 128.2 Port cost: 20000 Type: Shared (configured: auto) Boundary STP Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:02:4b:29:7a:00 Designated port id: 128.2 Designated path cost: 20000 Number of transitions to forwarding state: 1 BPDU: sent 2, received 170638 Port 3 (gi3) disabled...
  • Page 485: Show Spanning-Tree Bpdu

    Spanning-Tree Commands IST Master ID Priority 32768 Address 00:02:4b:19:7a:00 Path Cost 10000 Rem hops Bridge ID Priority 32768 Address 00:02:4b:29:7a:00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Max hops 20 switchxxxxxx# show spanning-tree Spanning tree enabled mode MSTP Default port cost method: long ###### MST 0 Vlans Mapped: 1-9 CST Root ID...
  • Page 486 Spanning-Tree Commands Default Configuration Show information for all interfaces. If detailed is not used, only present ports are displayed. Command Mode EXEC mode Example The following examples display spanning-tree BPDU information: switchxxxxxx# show spanning-tree bpdu The following is the output if the global BPDU handling command is not supported.
  • Page 487: Virtual Local Area Network (Vlan) Commands

    Virtual Local Area Network (VLAN) Commands 32.1 vlan database Use the vlan database Global Configuration mode command to enter the VLAN Configuration mode. This mode is used to create VLAN(s) and define the default VLAN. Use the exit command to return to Global Configuration mode. Syntax vlan database Parameters...
  • Page 488: Vlan

    Virtual Local Area Network (VLAN) Commands 32.2 vlan Use the vlan VLAN Configuration mode command to create a VLAN. Use the no form of this command to delete the VLAN(s). To assign the VLAN a name, use the Interface Configuration (VLAN) mode name command.
  • Page 489 Virtual Local Area Network (VLAN) Commands • Ports on the VLAN • Whether the VLAN is dynamic or permanent • Whether authorization is required on the VLAN Syntax show vlan [tag vlan-id | name vlan-name] Parameters • vlan-id—Specifies a VLAN ID.
  • Page 490 Virtual Local Area Network (VLAN) Commands Examples Example 1 - The following example displays information for all VLANs: switchxxxxxx# show vlan VLAN Name Ports Type Authorization ---- --------- -------- ------- ------------- default Default Required Marketing 3-14 Required Static 5-16 Static Required 7-18 Required...
  • Page 491: Default-Vlan Vlan

    Virtual Local Area Network (VLAN) Commands Example 3 - The following example displays information for the VLAN named Marketing: switchxxxxxx# show vlan name Marketing VLAN Name Ports Type Authorization ---- --------- -------- ------- ------------- 3-14 Required Marketing static 32.4 default-vlan vlan Use the default-vlan vlan VLAN Configuration mode command to define the default VLAN.
  • Page 492: Show Default-Vlan-Membership

    Virtual Local Area Network (VLAN) Commands New Default VLAN ID will be active after save configuration and reboot device. 32.5 show default-vlan-membership Use the show default-vlan-membership privileged EXEC command to view the default VLAN membership. Syntax show default-vlan-membership [interface-id | detailed] Parameters •...
  • Page 493: Interface Range Vlan

    Virtual Local Area Network (VLAN) Commands Syntax vlan-id interface vlan Parameters vlan-id vlan —Specifies the VLAN to be configured. Default Configuration Command Mode Global Configuration mode Example The following example configures VLAN 1 with IP address 131.108.1.27 and subnet mask 255.255.255.0. switchxxxxxx (config)# interface vlan switchxxxxxx (config-if)#...
  • Page 494: Name

    Virtual Local Area Network (VLAN) Commands User Guidelines Commands under the interface VLAN range context are executed independently on each VLAN in the range. If the command returns an error on one of the VLANs, an error message is displayed, and the system attempts to configure the remaining VLANs.
  • Page 495: Switchport Protected-Port

    Virtual Local Area Network (VLAN) Commands Example The following example assigns VLAN 19 the name Marketing. switchxxxxxx(config)# interface vlan switchxxxxxx(config-if)# Marketing name 32.9 switchport protected-port Use the switchport protected-port Interface Configuration mode command to isolate Unicast, Multicast, and Broadcast traffic at Layer 2 from other protected ports on the same switch.
  • Page 496: Show Interfaces Protected-Ports

    Virtual Local Area Network (VLAN) Commands 32.10 show interfaces protected-ports Use the show interfaces protected-ports EXEC mode command to display protected ports configuration. Syntax show interfaces protected-ports [interface-id | detailed] Parameters • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
  • Page 497 Virtual Local Area Network (VLAN) Commands customer) of a port. Use the no form of this command to restore the default configuration. Syntax switchport mode {access | trunk | general | customer} no switchport mode Parameters • access—Specifies an untagged layer 2 VLAN port. •...
  • Page 498: Switchport Access Vlan

    Virtual Local Area Network (VLAN) Commands switchxxxxxx(config-if)# switchport access vlan 32.12 switchport access vlan An interface in access mode can belong to only one VLAN. Use the switchport access vlan Interface Configuration command to reassign an interface to a different VLAN than it currently belongs to. Use the no form of this command to restore the default configuration.
  • Page 499 Virtual Local Area Network (VLAN) Commands switchxxxxxx(config-if)# switchport mode access switchxxxxxx(config-if)# switchport access vlan switchxxxxxx #show vlan Vlan Name Ports Type Authorization ---- ----------------- --------------------------- ------------ ------------- gi1-28,Po1-8 Default Required Example 2—The following example shows a case where a macro is defined that adds ports to VLANs.
  • Page 500: Switchport Trunk Allowed Vlan

    Virtual Local Area Network (VLAN) Commands Vlan Name Ports Type Authorization ---- ----------------- --------------------------- ------------ ------------- 151-28,Po1-8 Default Required 153-4 static Required 153-4 static Required 151-4 static Required 151-4 32.13 switchport trunk allowed vlan A trunk interface is an untagged member of a single VLAN, and, in addition, it may be a tagged member of one or more VLANs.
  • Page 501: Switchport Trunk Native Vlan

    Virtual Local Area Network (VLAN) Commands once.") and the command continues to execute if there are more VLANs in the VLAN list. See the example in switchport access vlan. Example To add VLANs 2,3 and 100 to trunk ports 1 to 13: switchxxxxxx(config)# interface range 151-13 switchxxxxxx(config-if)# switchport mode trunk switchxxxxxx(config-if)# switchport trunk allowed vlan add 2-3,100...
  • Page 502 Virtual Local Area Network (VLAN) Commands displayed ("An interface cannot become a member of a forbidden VLAN. This message will only be displayed once.") and the command continues to execute if there are more VLANs in the VLAN list. See the example in switchport access vlan.
  • Page 503: Switchport General Allowed Vlan

    Virtual Local Area Network (VLAN) Commands 32.15 switchport general allowed vlan General ports can receive tagged or untagged packets. Use the switchport general allowed vlan Interface Configuration mode command to add/remove VLANs to/from a general port and configure whether packets on the egress are tagged or untagged.
  • Page 504: Switchport General Pvid

    Virtual Local Area Network (VLAN) Commands message will only be displayed once.") and the command continues to execute if there are more VLANs in the VLAN list. See the example in switchport access vlan. Example Sets port 1 to general mode and adds VLAN 2 and 3 to it. Packets are tagged on the egress.
  • Page 505 Virtual Local Area Network (VLAN) Commands Examples Example 1 - The following example configures port 2 as a general port and sets its PVID to 234. switchxxxxxx(config)# interface gi2 switchxxxxxx(config-if)# switchport mode general switchxxxxxx(config-if)# switchport general pvid Example 2 - Performs the following: •...
  • Page 506: Switchport General Ingress-Filtering Disable

    Virtual Local Area Network (VLAN) Commands Example 4 - Configures VLAN on port 21 as untagged on input and tagged on output: switchxxxxxx(config)# interface gi21 switchxxxxxx(config-if)# switchport mode general switchxxxxxx(config-if)# switchport general pvid 2 switchxxxxxx(config-if)# switchport general allowed vlan add 2 tagged switchxxxxxx(config-if)# Example 5 - Configures VLAN on port 14 as tagged on input and tagged on output: switchxxxxxx(config)# interface gi14...
  • Page 507: Switchport General Acceptable-Frame-Type

    Virtual Local Area Network (VLAN) Commands Parameters Default Configuration Ingress filtering is enabled. Command Mode Interface Configuration (Ethernet, port-channel) mode Example The following example disables port ingress filtering on gi1. switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# switchport mode general switchxxxxxx(config-if)# switchport general ingress-filtering disable 32.18 switchport general acceptable-frame-type The switchport general acceptable-frame-type Interface Configuration mode command configures the types of packets (tagged/untagged) that are filtered...
  • Page 508: Switchport Customer Vlan

    Virtual Local Area Network (VLAN) Commands Default Configuration All frame types are accepted at ingress (all). Command Mode Interface Configuration (Ethernet, port-channel) mode Example The following example configures port gi3 to be in general mode and to discard untagged frames at ingress. switchxxxxxx(config)# interface gi3 switchxxxxxx(config-if)#...
  • Page 509: Map Mac Macs-Group

    Virtual Local Area Network (VLAN) Commands Example The following example defines gi5 as a member of customer VLAN 5. switchxxxxxx(config)# interface gi5 switchxxxxxx(config-if)# switchport mode customer switchxxxxxx(config-if)# switchport customer vlan 32.20 map mac macs-group Forwarding of packets based on their MAC address requires setting up groups of MAC addresses and then mapping these groups to VLANs.
  • Page 510: Switchport General Map Macs-Group Vlan

    Virtual Local Area Network (VLAN) Commands Example The following example creates two groups of MAC addresses, sets a port to general mode and maps the groups of MAC addresses to specific VLANs. switchxxxxxx(config)# vlan database switchxxxxxx(config-vlan)# map mac 0000.1111.0000 32 macs-group 1 switchxxxxxx(config-vlan)# map mac 0000.0000.2222 host macs-group 2 switchxxxxxx(config-vlan)# exit switchxxxxxx(config)# interface gi11...
  • Page 511: Show Vlan Macs-Groups

    Virtual Local Area Network (VLAN) Commands User Guidelines MAC-based VLAN rules cannot contain overlapping ranges on the same interface. The VLAN classification rule priorities are: 1. MAC-based VLAN (Best match among the rules). Subnet-based VLAN (Best match among the rules). Protocol-based VLAN.
  • Page 512: Switchport Forbidden Default-Vlan

    Virtual Local Area Network (VLAN) Commands Command Mode EXEC mode Example The following example displays macs-groups information. switchxxxxxx# show vlan macs-groups MAC Address Mask Group ID --------------------- --------------------- --------------------- 00:12:34:56:78:90 00:60:70:4c:73:ff 32.23 switchport forbidden default-vlan Use the switchport forbidden default-vlan Interface Configuration command to forbid a port from being added to the default VLAN.
  • Page 513: Switchport Forbidden Vlan

    Virtual Local Area Network (VLAN) Commands The no command does not add the port to the default VLAN; it only defines an interface as permitted to be a member of the default VLAN, and the port will be added only when conditions are met. Example The following example forbids the port gi 1 from being added to the default VLAN.
  • Page 514: Switchport Default-Vlan Tagged

    Virtual Local Area Network (VLAN) Commands Example The following example forbids adding VLAN IDs 234 to 256 to gi7. switchxxxxxx(config)# interface gi7 switchxxxxxx(config-if)# switchport mode trunk switchxxxxxx(config-if)# switchport forbidden vlan add 234-256 32.25 switchport default-vlan tagged Use the switchport default-vlan tagged Interface Configuration command to configure the port as a tagged port in the default VLAN.
  • Page 515 Virtual Local Area Network (VLAN) Commands Note: If the native VLAN of a port is the default VLAN when the port is added to the default VLAN as tagged, the native VLAN is set by the system to 4095. When a general port is a member in the default VLAN as a tagged port then: •...
  • Page 516: Show Interfaces Switchport

    Virtual Local Area Network (VLAN) Commands 32.26 show interfaces switchport Use the show interfaces switchport Privileged EXEC command to display the administrative and operational status of all interfaces or a specific interface. Syntax show interfaces switchport [interface-id] Parameters interface-id—Specify an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel. Default Configuration Displays information for all interfaces.
  • Page 517 Virtual Local Area Network (VLAN) Commands IPv6VLAN untagged Static untagged Static Forbidden VLANS: VLAN Name ---- --------- Classification rules: Mac based VLANs: Group ID Vlan ID Example 2 - The following example displays the output for a general port: switchxxxxxx# show interfaces switchport Port VLAN Membership mode: General Operating Parameters:...
  • Page 518: Ip Internal-Usage-Vlan

    Virtual Local Area Network (VLAN) Commands ---- --------- Example 3 - The following example displays the command output for an access port: switchxxxxxx# show interfaces switchport Port Port Mode: Access Gvrp Status: disabled Ingress Filtering: true Acceptable Frame Type: admitAll Ingress UnTagged VLAN ( NATIVE ): 1 Port is member in: Vlan...
  • Page 519: Show Vlan Internal Usage

    Virtual Local Area Network (VLAN) Commands Parameters vlan-id—Specifies the internal usage VLAN ID. Default Configuration No VLAN is reserved as an internal usage VLAN by default (using this command). Command Mode Interface Configuration (Ethernet, Port-channel) mode. It cannot be configured for a range of interfaces (range context).
  • Page 520: Switchport Access Multicast-Tv Vlan

    Virtual Local Area Network (VLAN) Commands Syntax show vlan internal usage Parameters Default Configuration Command Mode Privileged EXEC mode Example The following example displays VLANs used internally by the device. switchxxxxxx# show vlan internal usage Usage VLAN Reserved IP address -------- -------- ----------...
  • Page 521: Switchport Customer Multicast-Tv Vlan

    Virtual Local Area Network (VLAN) Commands Default Configuration Receiving Multicast transmissions is disabled. Command Mode Interface Configuration (Ethernet, Port-channel) mode User Guidelines The user cannot transmit Multicast transmissions on the Multicast TV VLAN. A Multicast TV VLAN cannot be enabled if a Guest VLAN is enabled on the interface.
  • Page 522: Show Vlan Multicast-Tv

    Virtual Local Area Network (VLAN) Commands Command Mode Interface Configuration (Ethernet, port-channel) mode User Guidelines The user cannot transmit Multicast transmissions on Multicast TV VLANs. A Multicast TV VLAN cannot be enabled if a Guest VLAN is enabled on the interface.
  • Page 523: Vlan Prohibit-Internal-Usage

    Virtual Local Area Network (VLAN) Commands Example The following example displays information on the source and receiver ports of Multicast-TV VLAN 1000. switchxxxxxx# 1000 show vlan multicast-tv vlan Source Ports Receiver Ports ------------ ---------------------- gi8, gi9 gi1-18 32.32 vlan prohibit-internal-usage Use the vlan prohibit-internal-usage command in Global configuration mode to specify VLANs that cannot be used by the switch as internal VLANs.
  • Page 524: Show Vlan Internal Usage

    Virtual Local Area Network (VLAN) Commands • For each IPv6 tunnel, if IPv6 Routing is supported by the switch. When a switch requires an internal VLAN, it takes a free VLAN with the highest VLAN_ID. Use the vlan prohibit-internal-usage command to define a list of VLANs that cannot be selected as internal VLANs after reload.
  • Page 525 Virtual Local Area Network (VLAN) Commands Example The following example displays the VLANs that are used internally by the switch: show vlan internal usage User Reserved VLAN list after reset: 4080-4094 Current User Reserved VLAN list: 4090-4094 VLAN Usage ---- -------- 4094 gi12...
  • Page 526: Voice Vlan Commands

    Voice VLAN Commands 33.1 voice vlan state The voice vlan state Global Configuration mode command sets the type of voice VLAN that is functional on the device or disables voice VLAN entirely. The no format of the command returns to the default. Syntax oui-enabled auto-enabled...
  • Page 527 A Voice Service Discovery Protocol (VSDP) message was received from a neighbor switch. VSDP is a Cisco Small Business proprietary protocol for SF and SG series managed switches.
  • Page 528: Voice Vlan Refresh

    Voice VLAN Commands Example 2 — The following example disables the Voice VLAN state. All auto Smartport configuration on ports are removed. switchxxxxxx(config)#voice vlan state disabled All interfaces with Auto Smartport dynamic type will be set to default. Are you sure you want to continue? (Y/N)[Y] Y switchxxxxxx(config)#30-Apr-2011 00:04:41 %LINK-W-Down: Vlan 5 30-Apr-2011 00:04:41 %LINK-W-Down:...
  • Page 529 Voice VLAN Commands Default Configuration Command Mode Global Configuration mode Example switchxxxxxx(config)# voice vlan refresh switchxxxxxx( config)# 30-Apr-2011 02:01:02 %VLAN-I-ReceivedFromVSDP: Voice VLAN updated by VSDP. Voice VLAN-ID 100, VPT 5, DSCP 46 (Notification that Agreed Voice VLAN is updated) (Auto Smartport configuration is changed) 30-Apr-2011 02:01:05 %LINK-W-Down: Vlan 50 30-Apr-2011 02:01:05 %LINK-W-Down:...
  • Page 530: Voice Vlan Id

    Voice VLAN Commands 33.3 voice vlan id Use the voice vlan id Global Configuration mode command to statically configure the VLAN identifier of the voice VLAN. The no format of the command returns the voice VLAN to the default VLAN (1). Syntax vlan-id voice vlan id...
  • Page 531: Voice Vlan Vpt

    Voice VLAN Commands 33.4 voice vlan vpt Use the voice vlan vpt Global Configuration mode command to specify a value of VPT (802.1p VLAN priority tag) that will be advertised by LLDP in the Network Policy TLV. The no format of the command returns the value to the default. Syntax vpt-value voice vlan vpt...
  • Page 532: Voice Vlan Dscp

    Voice VLAN Commands 33.5 voice vlan dscp Use the voice vlan dscp Global Configuration mode command to specify a value of DSCP that will be advertised by LLDP in the Network Policy TLV. The no format of the command returns the value to the default. Syntax dscp-value voice vlan dscp...
  • Page 533: Voice Vlan Oui-Table

    MAC address to the voice VLAN OUI table (length: 1–32 characters). Default Configuration The default voice VLAN OUI table is: Description 00:e0:bb 3COM Phone 00:03:6b Cisco Phone 00:e0:75 Veritel Polycom Phone 00:d0:1e Pingtel Phone 00:01:e3 Siemens AG Phone 00:60:b9...
  • Page 534: Voice Vlan Cos Mode

    Voice VLAN Commands User Guidelines The classification of a packet from VoIP equipment/phones is based on the packet’s OUI in the source MAC address. OUIs are globally assigned (administered) by the IEEE. In MAC addresses, the first three bytes contain a manufacturer ID (Organizationally Unique Identifiers (OUI)) and the last three bytes contain a unique station ID.
  • Page 535: Voice Vlan Cos

    Voice VLAN Commands Command Mode Global Configuration mode Example The following example applies QoS attributes to voice packets. switchxxxxxx(config)# voice vlan cos mode 33.8 voice vlan cos Use the voice vlan cos Global Configuration mode command to set the OUI Voice VLAN Class of Service (CoS).
  • Page 536: Voice Vlan Aging-Timeout

    Voice VLAN Commands 33.9 voice vlan aging-timeout Use the voice vlan aging-timeout Global Configuration mode command to set the OUI Voice VLAN aging timeout interval. Use the no form of this command to restore the default configuration. Syntax minutes voice vlan aging-timeout no voice vlan aging-timeout Parameters minutes...
  • Page 537: Show Voice Vlan

    Voice VLAN Commands Default Configuration Disabled Command Mode Interface Configuration (Ethernet, Port-channel) mode User Guidelines This command is applicable only if the voice VLAN state is globally configured as OUI voice VLAN (using voice vlan state). The port is added to the voice VLAN if a packet with a source MAC address OUI address (defined by voice vlan oui-table) is trapped on the port.
  • Page 538 Voice VLAN Commands • interface-id—Specifies an Ethernet port ID. Relevant only for the OUI type. • detailed—Displays information for non-present ports in addition to present ports. Only valid when type is oui. Default Configuration If the type parameter is omitted the current Voice VLAN type is used. If the interface-id parameter is omitted then information about all interfaces is displayed.
  • Page 539 Voice VLAN Commands Agreed VPT is 5 Agreed DSCP is 46 Agreed Voice VLAN Last Change is 11-Jul-11 15:52:51 switchxxxxxx# Example 2—Displays the current voice VLAN parameters when the voice VLAN state is auto-enabled. switch>show voice vlan Administrate Voice VLAN state is auto-enabled Operational Voice VLAN state is auto-enabled Best Local Voice VLAN-ID is 5 Best Local VPT is 5 (default)
  • Page 540 Voice VLAN Commands operational voice vlan state is auto admin state is auto triggered switchxxxxxx#show voice vlan Administrate Voice VLAN state is auto-triggered Operational Voice VLAN state is auto-enabled Best Local Voice VLAN-ID is 5 Best Local VPT is 5 (default) Best Local DSCP is 46 (default) Agreed Voice VLAN is received from switch 00:24:01:30:10:00 Agreed Voice VLAN priority is...
  • Page 541: Show Voice Vlan Local

    Best Local VPT is 4 Best Local DSCP is 1 Aging timeout: 1440 minutes CoS: 6 Remark: Yes OUI table MAC Address - Prefix Description -------------------- ------------------ 00:E0:BB 3COM 00:03:6B Cisco 00:E0:75 Veritel 00:D0:1E Pingtel 00:01:E3 Simens 00:60:B9 NEC/Philips 00:0F:E2 Huawei-3COM 00:09:6E Avaya...
  • Page 542 Voice VLAN Commands Parameters Default Configuration Command Mode EXEC mode Examples Example 1 - A CDP device is connected to an interface and a conflict is detected: 30-Apr-2011 00:39:24 %VLAN-W-ConflictingCDPDetected: conflict detected between operational VLAN and new CDP device 00:1e:13:73:3d:62 on interface gi7. Platform TLV is -4FXO-K9, Voice VLAN-ID is 100...
  • Page 543 Voice VLAN Commands *100 00:23:56:1a:dc:68 gi11 00:44:55:44:55:4d gi11 The character "*" marks the best local voice VLAN. Example 3—Displays the local voice VLAN configuration when the voice VLAN state is OUI. switchxxxxxx#show voice vlan local Administrate Voice VLAN state is auto-OUI Operational Voice VLAN state is OUI The character '*;...
  • Page 544: Ssd Commands

    SSD Commands 34.1 ssd config Use ssd config in Global Configuration to enter the Secure Sensitive Data (SSD) command mode. In this command mode, an administrator can configure how the sensitive data on the device, such as keys and passwords, is to be protected. Syntax ssd config Command Mode...
  • Page 545: Ssd Rule

    SSD Commands Parameters • passphrase-New system passphrase. • encrypted-passphrase-The passphrase in its encrypted form. Default Usage If this command is not entered, the default passphrase is used. Command Mode SSD Command Mode User Guidelines To use this command, enter passphrase and press Enter; a confirmation message is displayed and the user must confirm the intention to change the passphrase.
  • Page 546 SSD Commands Syntax level-15 default-user user user-name [encrypted] SSD rule { secure insecure secure-xml-snmp insecure-xml-snmp} permission encrypted-only exclude | plaintext-only | both | default read encrypted plaintext exclude level-15 default-user user user-name no ssd rule [ { secure insecure secure-xml-snmp insecure-xml-snmp Command Mode SSD command mode.
  • Page 547 The following is the order in which SSD rules are applied: • The SSD rules for specified users. • The SSD rule for the default-user (cisco). • The SSD rules for level-15 users. • The remaining SSD rules for all.
  • Page 548: Show Ssd

    SSD Commands 34.4 show SSD Use show ssd rules in SSD Command mode to present the current SSD rules; the rules will be displayed as plaintext. Syntax show SSD [rules | brief] Parameters • rules - Display only the SSD rules. •...
  • Page 549: Ssd Session Read

    SSD Commands Level-15 secure Both Encrypted Default Level-15 insecure Both Encrypted Default secure Encrypted-Only Encrypted Default insecure Encrypted-Only Encrypted Default insecure-xml-snmp Plaintext-Only Plaintext *Default * Modified default entry Example 2 - The following example displays the SSD rules. switchxxxxxx(ssd-config)#show ssd rules User Type User Name Channel...
  • Page 550: Show Ssd Session

    SSD Commands Syntax ssd session read {encrypted | plaintext | exclude} no ssd session read Parameters • encrypted - Override the SSD default option to encrypted • plaintext - Override the SSD default option to plaintext • exclude - Override the SSD default option to exclude Command Mode Global configuration mode.
  • Page 551: Ssd File Passphrase Control

    SSD Commands Command Mode EXEC mode. Default Examples switchxxxxxx# show ssd session User Name/Level: James / Level 15 User Read Permission: Both Current Session Read mode: Plaintext 34.7 ssd file passphrase control Use ssd file passphrase control in SSD Command mode to provide an additional level of protection when copying configuration files to the startup configuration file.
  • Page 552: Ssd File Integrity Control

    SSD Commands Command Mode SSD Command mode. User Guidelines To revert to the default state, use the no ssd file passphrase control command. Note that after a device is reset to the factory default, its local passphrase is set to the default passphrase.
  • Page 553 SSD Commands Default The default file input control is disabled. Command Mode SSD Command Mode. User Guidelines A user can protect a configuration file from tampering by creating the file with File Integrity Control enabled. It is recommended that File Integrity Control be enabled when a device uses a user-defined passphrase with Unrestricted Configuration File Passphrase Control.
  • Page 554: Smartport Commands

    Smartport Commands 35.1 macro auto (Global) The macro auto Global Configuration mode command sets the Auto Smartports administrative global state. The no format of the command returns to the default. Syntax macro auto {enabled | disabled | controlled} no macro auto Parameters •...
  • Page 555: Macro Auto Smartport (Interface)

    Smartport Commands • Auto Smartport Operational state is enabled when the Auto Voice VLAN is enabled. A user cannot enable Auto Smartport globally if the OUI Voice VLAN is enabled. Example This example shows an attempt to enable the Auto Smartport feature globally in the controlled mode.
  • Page 556: Macro Auto Trunk Refresh

    Smartport Commands Parameters Default Configuration Enabled. Command Mode Interface Configuration mode (Ethernet Interface, Port Channel) User Guidelines This command is effective only when Auto Smartport is globally enabled. Example Enables the Auto Smartport feature on port 1: switchxxxxxx(config)#interface gi1 switchxxxxxx(config-if)# macro auto smartport 35.3 macro auto trunk refresh The macro auto trunk refresh Global Configuration command reapplies the...
  • Page 557: Macro Auto Resume

    Smartport Commands Command Mode Global Configuration mode User Guidelines The macro auto smartport command becomes effective only when the Auto Smartport is globally enabled. If both smartport-type and interface-id are defined, the attached Smartport macro is executed on the interface if it has the given Smartport type. If only smartport-type is defined, the attached Smartport macro is executed on all...
  • Page 558: Macro Auto Persistent

    Smartport Commands Default Configuration Command Mode Interface Configuration mode (Ethernet Interface, Port Channel) User Guidelines When a Smartport macro fails at an interface, the Smartport type of the interface becomes Unknown. You must diagnose the reason for the failure on the interface and/or Smartport macro, and correct the error.
  • Page 559: Macro Auto Smartport Type

    Smartport Commands Command Mode Interface Configuration mode (Ethernet Interface, Port Channel) User Guidelines A Smartport’s persistent interface retains its dynamic configuration in the following cases: link down/up, the attaching device ages out, and reboot. Note that for persistence and the Smartport configuration to be effective across reboot, the Running Configuration file must be saved to the Startup Configuration file.
  • Page 560 Smartport Commands Default Configuration parameter-name value —Parameter default value. For instance, if the parameter is the voice VLAN, the default value is the default voice VLAN. Command Mode Interface Configuration mode (Ethernet Interface, Port Channel) User Guidelines A static type set by the command cannot be changed by a dynamic type. Example This example shows an attempt to set the Smartport type of port 1 to printer (statically).
  • Page 561: Macro Auto Processing Cdp

    Smartport Commands 10. switchport mode access 11. switchport access vlan $native_vlan 12. # 13. #single host 14. port security max 1 15. port security mode max-addresses 16. port security discard trap 60 17. # 18. smartport storm-control broadcast level 10 19.
  • Page 562: Macro Auto Processing Lldp

    Smartport Commands Example To enable CDP globally: switchxxxxxx(config)#macro auto processing cdp 35.8 macro auto processing lldp The macro auto processing lldp Global Configuration mode command enables using the LLDP capability information to identify the type of an attached device. When Auto Smartport is enabled on an interface and this command is run, the switch automatically applies the corresponding Smartport type to the interface based on the LLDP capabilities advertised by the attaching device(s).
  • Page 563: Macro Auto Processing Type

    Smartport Commands 35.9 macro auto processing type The macro auto processing type Global Configuration mode command enables or disables automatic detection of devices of given type. The no format of the command returns to the default. Syntax smartport-type enabled disabled macro auto processing type smartport-type no macro auto processing type...
  • Page 564: Macro Auto User Smartport Macro

    Smartport Commands 35.10 macro auto user smartport macro The macro auto user smartport macro Global Configuration mode command links user-defined Smartport macros to a Smartport type. This is done by replacing the link to the built-in macro with the link to the user-defined macro. The no format of the command returns the link to the default built-in Smartport macro.
  • Page 565: Macro Auto Built-In Parameters

    Smartport Commands remove the configuration. The macros are paired by their name. The name of the anti macro is the concatenation of no_ with the name of the corresponding macro. Please refer to the Macro Command section for details about defining macro. Example To link the user-defined macro: my_ip_phone_desktop to the Smartport type: ip_phone_desktop and provide values for its two parameters:...
  • Page 566: Show Macro Auto Processing

    Smartport Commands Command Mode Global Configuration User Guidelines By default, each Smartport type is associated with a pair of built-in macros: a macro that applies the configuration and the anti macro (no macro) to remove the configuration. The Smartport types are the same as the name of the corresponding built-in Smartport macros, with the anti macro prefixed with no_.
  • Page 567: Show Macro Auto Smart-Macros

    Smartport Commands CDB: enabled LLDP: enabled host :disabled ip_phone :enabled ip_phone_desktop:enabled switch :enabled router :disabled :enabled 35.13 show macro auto smart-macros The show macro auto smart-macros EXEC mode command displays the name of Smartport macros, their type (built-in or user-defined) and their parameters. This information is displayed for all Smartport types or for the specified one.
  • Page 568 Smartport Commands SmartPort type : desktop Parameters : $max_hosts=10 $native_vlan=1 SmartPort Macro: desktop (Built-In) SmartPort type : guest Parameters : $native_vlan=1 SmartPort Macro: guest (Built-In) SmartPort type : server Parameters : $max_hosts=10 $native_vlan=1 SmartPort Macro: server (Built-In) SmartPort type : host Parameters : $max_hosts=10 $native_vlan=1 SmartPort Macro: host (Built-In)
  • Page 569: Show Macro Auto Ports

    Smartport Commands 35.14 show macro auto ports The show macro auto ports EXEC mode command displays information about all Smartport ports or a specific one. If a macro was run on the port and it failed, the type of the port is displayed as Unknown. Syntax interface-id | detailed show macro auto ports [...
  • Page 570 Smartport Commands enabled enabled switch enabled enabled unknown Example 2 - Disabling auto SmartPort on gi2: switchxxxxxx(config-if)#interface gi2 switchxxxxxx(config-if)#no macro auto smartport switchxxxxxx(config-if)#end switchxxxxxx#show macro auto ports gi2 SmartPort is Enabled Administrative Globally Auto SmartPort is controlled Operational Globally Auto SmartPort is enabled Auto SmartPort is disabled on gi2 Persistent state is not-persistent Interface type is default...
  • Page 571: Smartport Switchport Trunk Allowed Vlan

    Smartport Commands 35.15 smartport switchport trunk allowed vlan The smartport switchport trunk allowed vlan Interface Configuration (Ethernet, port-channel) mode command adds/removes VLANs to/from a trunk port. Syntax vlan-list | all vlan-list | all smartport switchport trunk allowed vlan {add [ ] | remove [ Parameters •...
  • Page 572: Smartport Switchport Trunk Native Vlan

    Smartport Commands switchxxxxxx(config-if)#smartport switchport trunk allowed vlan add 1-5 35.16 smartport switchport trunk native vlan Use the smartport switchport trunk native vlan Interface Configuration (Ethernet, port-channel) mode command to define the native VLAN when the interface is in trunk mode. Use the no form of this command to restore the default configuration. Syntax native vlan-id...
  • Page 573: Smartport Storm-Control Broadcast Level

    Smartport Commands Syntax smartport storm-control broadcast enable Parameters Default Configuration Command Mode Interface Configuration (Ethernet, port-channel) mode Example switchxxxxxx(config)#interface gi1 switchxxxxxx(config-if)#smartport storm-control broadcast enable 35.18 smartport storm-control broadcast level Use the smartport storm-control broadcast level Interface Configuration (Ethernet, port-channel) mode command to control the amount of Broadcast traffic allowed on an interface.
  • Page 574: Smartport Storm-Control Include-Multicast

    Smartport Commands Command Mode Interface Configuration (Ethernet, port-channel) mode Examples Example 1 - Set the maximum number of kilobits per second of Broadcast traffic on port 1 to 10000. switchxxxxxx(config)#interface gi1 switchxxxxxx(config-if)#smartport storm-control broadcast level kbps 10000 Example 2 - Set the maximum percentage of kilobits per second of Broadcast traffic on port 1 to 30%.
  • Page 575 Smartport Commands Example switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# smartport storm-control include-multicast 78-21075-01 Command Line Interface Reference Guide...
  • Page 576: Cdp Commands

    CDP Commands 36.1 cdp run The cdp run Global Configuration mode command enables CDP globally. The no format of this command disables CDP globally. Syntax cdp run no cdp run Parameters Default Configuration Enabled. Command Mode Global Configuration mode User Guidelines CDP is a link layer protocol for directly-connected CDP/LLDP-capable devices to advertise themselves and their capabilities.
  • Page 577: Cdp Enable

    CDP Commands switchxxxxxx (config) cdp run 36.2 cdp enable The cdp enable Interface Configuration mode command enables CDP on an interface. The no format of the CLI command disables CDP on an interface. Syntax cdp enable Parameters Default Configuration Enabled Command Mode Ethernet Interface User Guidelines For CDP to be enabled on an interface, it must first be enabled globally using...
  • Page 578: Cdp Advertise-V2

    CDP Commands no cdp pdu Parameters • filtering—Specify that when CDP is globally disabled, CDP packets are filtered (deleted). • bridging—Specify that when CDP is globally disabled, CDP packets are bridged as regular data packets (forwarded based on VLAN). • flooding—Specify that when CDP is globally disabled, CDP packets are flooded to all the ports in the product that are in STP forwarding state, ignoring the VLAN filtering rules.
  • Page 579: Cdp Appliance-Tlv Enable

    CDP Commands Parameters Default Configuration Version 2. Command Mode Global Configuration mode Example switchxxxxxx (config) cdp run switchxxxxxx (config)cdp advertise-v2 36.5 cdp appliance-tlv enable The cdp appliance-tlv enable Global Configuration mode command enables sending of the Appliance TLV. The no format of this command disables the sending of the Appliance TLV.
  • Page 580: Cdp Mandatory-Tlvs Validation

    CDP Commands • 0 - The CDP packets transmitting through this port would contain Appliance VLAN-ID TLV with value of 0. VoIP and related packets are expected to be sent and received with VLAN-id=0 and an 802.1p priority. • 1..4094 - The CDP packets transmitting through this port would contain Appliance VLAN-ID TLV with N.
  • Page 581: Cdp Source-Interface

    CDP Commands Example Turns off mandatory TLV validation: switchxxxxxx (config) no cdp mandatory-tlvs validation 36.7 cdp source-interface The cdp source-interface Global Configuration mode command specifies the CDP source port used for source IP address selection. The no format of this command deletes the source interface.
  • Page 582: Cdp Log Mismatch Duplex

    CDP Commands 36.8 cdp log mismatch duplex Use the cdp log mismatch duplex Global and Interface Configuration mode command to enable validating that the duplex status of a port received in a CDP packet matches the port's actual configuration. If not, a SYSLOG duplex mismatch message is generated.
  • Page 583: Cdp Log Mismatch Native

    CDP Commands no cdp log mismatch voip Parameters Default Configuration The switch reports voip mismatches from all ports. Command Mode Global Configuration mode Ethernet Interface Example switchxxxxxx (config) interface gi1 switchxxxxxx (config-if) cdp log mismatch voip 36.10 cdp log mismatch native Use the cdp log mismatch native Global and Interface Configuration mode command to enable validating that the native VLAN received in a CDP packet matches the actual native VLAN of the port.
  • Page 584: Cdp Device-Id Format

    CDP Commands Command Mode Global Configuration mode Ethernet Interface Example switchxxxxxx (config) interface gi1 switchxxxxxx (config-if) cdp log mismatch native 36.11 cdp device-id format The cdp device-id format Global Configuration mode command specifies the format of the Device-ID TLV. The no format of this command returns to default. Syntax cdp device-id format {mac | serial-number} no cdp device-id format...
  • Page 585: Cdp Timer

    CDP Commands 36.12 cdp timer The cdp timer Global Configuration mode command specifies how often CDP packets are transmitted. The no format of this command returns to default. Syntax cdp timer seconds no cdp timer Parameters seconds—Value of the Transmission Timer in seconds. Range: 5-254 seconds. Default Configuration 60 seconds.
  • Page 586: Clear Cdp Counters

    CDP Commands Parameters range seconds—10 - 255. Default Configuration 180 seconds. Command Mode Global Configuration mode Example switchxxxxxx (config) cdp holdtime 100 36.14 clear cdp counters The clear cdp counters Global Configuration mode command resets the CDP traffic counters to 0. Syntax clear cdp counters Parameters...
  • Page 587: Show Cdp

    CDP Commands Syntax clear cdp table Parameters Command Mode Global Configuration mode Example switchxxxxxx (config) clear cdp table 36.16 show cdp The show cdp Privileged EXEC mode command displays the interval between advertisements, the number of seconds the advertisements are valid and version of the advertisements.
  • Page 588: Show Cdp Entry

    • version—Limits the display to information about the version of software running on the neighbors. Default Configuration Version Command Mode Privileged EXEC mode Example switchxxxxxx#show cdp entry device.cisco.com Device ID: device.cisco.com...
  • Page 589: Show Cdp Interface

    Version: Cisco Internetwork Operating System Software IOS (tm) 4500 Software (C4500-J-M), Version 11.1(10.4), MAINTENANCE INTERIM SOFTWARE Copyright (c) 1986-1997 by cisco Systems, Inc. Compiled Mon 07-Apr-97 19:51 by dschwart switchxxxxxx#show cdp entry device.cisco.com protocol Protocol information for device.cisco.com: IP address: 192.168.68.18 CLNS address: 490001.1111.1111.1111.00...
  • Page 590: Show Cdp Neighbors

    CDP Commands Parameters interface-id—Port ID. Command Mode Privileged EXEC mode Example switchxxxxxx#show cdp interface gi1 CDP is globally enabled CDP log duplex mismatch Globally is enabled Per interface is enabled CDP log voice VLAN mismatch Globally is enabled Per interface is enabled CDP log native VLAN mismatch Globally is disabled Per interface is enabled...
  • Page 591 S I M ESW-520-8P ESW-540-8P gi48 S I M ESW-540-8P 003106131611 gi48 Cisco fa2/2/1 SG500-28P (PID:SG500-2 8P-K9)-VSD 001828100211 gi48 Cisco SF fa20 200-48P (PID:SLM248P T)-VSD c47d4fed9302 gi48 Cisco SF fa12 200-48 switchxxxxxx#show cdp neighbors detail...
  • Page 592 Port ID (outgoing port): fa1/1/0 Time To Live : 123 sec Version : Cisco Internetwork Operating System Software IOS (tm) 5800 Software (C5800-P4-M), Version 12.1(2) Copyright (c) 1986-2002 by Cisco Systems, Inc. Duplex: half ------------------------- Device ID: lab-as5300-1 Entry address(es): IP address: 172.19.169.87...
  • Page 593 CDP Commands switchxxxxxx#show cdp neighbors secondary Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone,M - Remotely-Managed Device, C - CAST Phone Port, W - Two-Port MAC Relay Local Interface Mac Address TimeToLive...
  • Page 594 CDP Commands transmitted by a stub router, it is a list of network prefixes of stub networks to which the sending stub router can forward IP packets. • Management Address—When present, it contains a list of all the addresses at which the device will accept SNMP messages, including those it will only accept when received on interface(s) other than the one over which the CDP packet is being sent.
  • Page 595: Show Cdp Tlv

    CDP Commands • Time To Live—The remaining amount of time, in seconds, the current device will hold the CDP advertisement from a transmitting router before discarding it. • Version—The software version running on the neighbor device. • Voice VLAN-ID—The Voice VLAN-ID. •...
  • Page 596 CDP Commands cdp globally is disabled Example 2 - In this example, CDP is globally enabled but disabled on the port and no information is displayed. switchxxxxxx#show cdp tlv gi2 cdp globally is enabled Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone,M - Remotely-Managed Device, C - CAST Phone Port, W - Two-Port MAC Relay...
  • Page 597 CDP Commands Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone,M - Remotely-Managed Device, C - CAST Phone Port, W - Two-Port MAC Relay Interface TLV: gi1 CDP is enabled Ethernet...
  • Page 598: Show Cdp Traffic

    CDP Commands CDP is enabled Ethernet 1 is up, Device ID TLV: type is MAC address; Value is 00:11:22:22:33:33:44:44 Address TLV: IPv4: 1.2.2.2 IPv6: Port_ID TLV: gis1 Capabilities: S, I Version TLV: 1 and 2 Platform TLV: VSD Ardd Native VLAN TLV: 1 Full/Half Duplex TLV: full-duplex Appliance VLAN_ID TLV: Appliance-ID is 1;...
  • Page 599 CDP Commands • interface-id—Port for which counters should be displayed. Default Configuration If interface-id is not specified, global counters are displayed for all ports on which CDP is enabled and that are up. Command Mode Privileged EXEC mode User Guidelines Use the show cdp traffic global to display only the global counters.
  • Page 600 CDP Commands CDP version 2 advertisements output: 81784, Input Field Definition: • Total packets output—The number of CDP advertisements sent by the local device. Note that this value is the sum of the CDP Version 1 advertisements output and CDP Version 2 advertisements output fields. •...
  • Page 601: Link Layer Discovery Protocol (Lldp) Commands

    Link Layer Discovery Protocol (LLDP) Commands 37.1 lldp run Use the lldp run Global Configuration mode command to enable LLDP. To disable LLDP, use the no form of this command. Syntax lldp run no lldp run Parameters N/A. Default Configuration Enabled Command Mode Global Configuration mode...
  • Page 602: Lldp Receive

    Link Layer Discovery Protocol (LLDP) Commands Parameters Default Configuration Enabled Command Mode Interface Configuration (Ethernet) mode User Guidelines LLDP manages LAG ports individually. LLDP sends separate advertisements on each port in a LAG. LLDP operation on a port is not dependent on the STP state of a port. I.e. LLDP frames are sent on blocked ports.
  • Page 603: Lldp Timer

    Link Layer Discovery Protocol (LLDP) Commands Command Mode Interface Configuration (Ethernet) mode User Guidelines LLDP manages LAG ports individually. LLDP data received through LAG ports is stored individually per port. LLDP operation on a port is not dependent on the STP state of a port. I.e. LLDP frames are received on blocked ports.
  • Page 604: Lldp Hold-Multiplier

    Link Layer Discovery Protocol (LLDP) Commands Example The following example sets the interval for sending LLDP updates to 60 seconds. switchxxxxxx(config)# lldp timer 37.5 lldp hold-multiplier Use the lldp hold-multiplier Global Configuration mode command to specify how long the receiving device holds an LLDP packet before discarding it. Use the no form of this command to restore the default configuration.
  • Page 605: Lldp Reinit

    Link Layer Discovery Protocol (LLDP) Commands Example The following example sets the LLDP packet hold time interval to 90 seconds. switchxxxxxx(config)# lldp timer switchxxxxxx(config)# lldp hold-multiplier 37.6 lldp reinit Use the lldp reinit Global Configuration mode command to specify the minimum time an LLDP port waits before reinitializing LLDP transmission.
  • Page 606: Lldp Optional-Tlv

    Link Layer Discovery Protocol (LLDP) Commands Syntax lldp tx-delay seconds no lldp tx-delay Parameters tx-delay seconds—Specifies the delay in seconds between successive LLDP frame transmissions initiated by value/status changes in the LLDP local systems MIB (range: 1-8192 seconds). Default Configuration The default LLDP frame transmission delay is 2 seconds.
  • Page 607: Lldp Optional-Tlv 802.1

    Link Layer Discovery Protocol (LLDP) Commands Parameters • tlv—Specifies the TLVs to be included. Available optional TLVs are: 802.1, port-desc, sys-name, sys-desc, sys-cap, 802.1, 802.3-mac-phy, 802.3-lag, 802.3-max-frame-size. • none—Clear all optional TLVs from the interface. If the 802.1 protocol is selected, see the command below. Default Configuration No optional TLV is transmitted.
  • Page 608: Lldp Management-Address

    Link Layer Discovery Protocol (LLDP) Commands add {stp | rstp | mstp | pause | 802.1x | lacp | gvrp} lldp optional-tlv 802.1 protocol The protocols selected are advertised. remove {stp | rstp | mstp | pause | 802.1x | lacp | gvrp} lldp optional-tlv 802.1 protocol - The protocols selected are not advertised.
  • Page 609 Link Layer Discovery Protocol (LLDP) Commands Parameters • ip-address—Specifies the static management address to advertise. • none—Specifies that no address is advertised. • automatic—Specifies that the software automatically selects a management address to advertise from all the IP addresses of the product. In case of multiple IP addresses, the software selects the lowest IP address among the dynamic IP addresses.
  • Page 610: Lldp Notifications

    Link Layer Discovery Protocol (LLDP) Commands 37.11 lldp notifications Use the lldp notifications Interface Configuration (Ethernet) mode command to enable/disable sending LLDP notifications on an interface. Use the no form of this command to restore the default configuration. Syntax lldp notifications {enable | disable} no lldp notifications Parameters...
  • Page 611: Lldp Lldpdu

    Link Layer Discovery Protocol (LLDP) Commands Parameters seconds interval —The device does not send more than a single notification in the indicated period (range: 5–3600). Default Configuration 5 seconds Command Mode Global Configuration mode Example switchxxxxxx (config)# lldp notifications interval 10 37.13 lldp lldpdu The lldp lldpdu Global Configuration mode command defines LLDP packet handling when LLDP is globally disabled.
  • Page 612: Lldp Med

    Link Layer Discovery Protocol (LLDP) Commands User Guidelines If the STP mode is MSTP, the LLDP packet handling mode cannot be set to flooding. The STP mode cannot be set to MSTP if the LLDP packet handling mode is flooding. If LLDP is globally disabled, and the LLDP packet handling mode is flooding, LLDP packets are treated as data packets with the following exceptions: •...
  • Page 613: Lldp Med Notifications Topology-Change

    Link Layer Discovery Protocol (LLDP) Commands • tlv—Specifies the TLV that should be included. Available TLVs are: network-policy, location, and poe-pse, inventory. The capabilities TLV is always included if LLDP-MED is enabled. • disable - disable LLDP MED on the port Default Configuration Enabled with network-policy TLV Command Mode...
  • Page 614: Lldp Med Fast-Start Repeat-Count

    Link Layer Discovery Protocol (LLDP) Commands Command Mode Interface Configuration (Ethernet) mode Example The following example enables sending LLDP MED topology change notifications on gi2. switchxxxxxx(config)# interface gi2 switchxxxxxx(config-if)# lldp med notifications topology-change enable 37.16 lldp med fast-start repeat-count When a port comes up, LLDP can send packets more quickly than usual using its fast-start mechanism.
  • Page 615: Lldp Med Network-Policy (Global)

    Link Layer Discovery Protocol (LLDP) Commands 37.17 lldp med network-policy (global) Use the lldp med network-policy Global Configuration mode command to define an LLDP MED network policy. For voice applications, it is simpler to use lldp med network-policy voice auto. The lldp med network-policy command creates the network policy, which is attached to a port by lldp med network-policy...
  • Page 616: Lldp Med Network-Policy (Interface)

    Link Layer Discovery Protocol (LLDP) Commands • value dscp —DSCP value to be used for the specified application. Default Configuration No network policy is defined. Command Mode Global Configuration mode User Guidelines Use the lldp med network-policy Interface Configuration command to attach a network policy to a port.
  • Page 617: Lldp Med Network-Policy Voice Auto

    Link Layer Discovery Protocol (LLDP) Commands Parameters • number—Specifies the network policy sequential number. The range is 1-32 • number add/remove —Attaches/removes the specified network policy to the interface. Default Configuration No network policy is attached to the interface. Command Mode Interface Configuration (Ethernet) mode User Guidelines For each port, only one network policy per application (voice, voice-signaling, etc.)
  • Page 618: Clear Lldp Table

    Link Layer Discovery Protocol (LLDP) Commands to disable this mode. The network policy is attached automatically to the voice VLAN. Syntax lldp med network-policy voice auto no lldp med network-policy voice auto Parameters Default Configuration Command Mode Global Configuration mode User Guidelines In Auto mode, the Voice VLAN feature determines on which interfaces to advertise the network policy TLV with application type voice, and controls the parameters of...
  • Page 619: Lldp Med Location

    Link Layer Discovery Protocol (LLDP) Commands Parameters interface-id—Specifies a port ID. Default Configuration If no interface is specified, the default is to clear the LLDP table for all ports. Command Mode Privileged EXEC mode Example switchxxxxxx # clear lldp table gi1 37.21 lldp med location Use the lldp med location Interface Configuration (Ethernet) mode command to configure the location information for the LLDP Media Endpoint Discovery (MED)
  • Page 620: Show Lldp Configuration

    Link Layer Discovery Protocol (LLDP) Commands Default Configuration The location is not configured. Command Mode Interface Configuration (Ethernet) mode Example The following example configures the LLDP MED location information on gi2 as a civic address. switchxxxxxx (config)# interface gi2 switchxxxxxx (config-if)# lldp med location civic-address 616263646566 37.22 show lldp configuration Use the show lldp configuration Privileged EXEC mode command to display the...
  • Page 621 Link Layer Discovery Protocol (LLDP) Commands Switch# show lldp configuration State: Enabled Timer: 30 Seconds Hold multiplier: 4 Reinit delay: 2 Seconds Tx delay: 2 Seconds Notifications interval: 5 seconds LLDP packets handling: Filtering Port State Optional TLVs Address Notifications -------- ----- --------------...
  • Page 622 Link Layer Discovery Protocol (LLDP) Commands 802.3 optional TLVs: 802.3-mac-phy, 802.3-lag, 802.3-max-frame-size 802.1 optional TLVs PVID: Enabled PPVIDs: 0, 1, 92 VLANs: 1, 92 Protocols: 802.1x The following table describes the significant fields shown in the display: Field Description Timer The time interval between LLDP updates.
  • Page 623: Show Lldp Med Configuration

    Link Layer Discovery Protocol (LLDP) Commands 37.23 show lldp med configuration Use the show lldp med configuration Privileged EXEC mode command to display the LLDP Media Endpoint Discovery (MED) configuration for all ports or for a specific port. Syntax show lldp med configuration [interface-id | detailed] Parameters •...
  • Page 624: Show Lldp Local Tlvs-Overloading

    Link Layer Discovery Protocol (LLDP) Commands Port Capabilities Network Policy Location Notifications Inventory ------ -------------- -------------- ---------- ------------- -------- Enabled Enabled Enabled Example 2 - The following example displays the LLDP MED configuration for gi1. switchxxxxxx # show lldp med configuration gi1 Port Capabilities Network Policy...
  • Page 625: Show Lldp Local

    Link Layer Discovery Protocol (LLDP) Commands Command Mode EXEC mode User Guidelines The command calculates the overloading status of the current LLDP configuration, and not for the last LLDP packet that was sent. Example Switch# show lldp local tlvs-overloading gi1 TLVs Group Bytes Status...
  • Page 626 Link Layer Discovery Protocol (LLDP) Commands Example The following examples display LLDP information that is advertised from gi1 and Switch# show lldp local gi1 Device ID: 0060.704C.73FF Port ID: gi1 Capabilities: Bridge System Name: ts-7800-1 System description: Port description: Management address: 172.16.1.8 802.3 MAC/PHY Configuration/Status Auto-negotiation support: Supported Auto-negotiation status: Enabled...
  • Page 627: Show Lldp Statistics

    Link Layer Discovery Protocol (LLDP) Commands 802.1 Protocol: 88 8E 01 LLDP-MED capabilities: Network Policy, Location Identification LLDP-MED Device type: Network Connectivity LLDP-MED Network policy Application type: Voice Flags: Tagged VLAN VLAN ID: 2 Layer 2 priority: 0 DSCP: 0 LLDP-MED Power over Ethernet Device Type: Power Sourcing Entity Power source: Primary Power Source...
  • Page 628 Link Layer Discovery Protocol (LLDP) Commands Syntax show lldp statistics [interface-id | detailed] Parameters • interface-id—Specifies the port ID. • detailed—Displays information for non-present ports in addition to present ports. Default Configuration If no port ID is entered, the command displays information for all ports. If detailed is not used, only present ports are displayed.
  • Page 629: Show Lldp Neighbors

    Link Layer Discovery Protocol (LLDP) Commands gi10 37.27 show lldp neighbors Use the show lldp neighbors Privileged EXEC mode command to display information about neighboring devices discovered using LLDP. The information can be displayed for all ports or for a specific port. Syntax show lldp neighbors [interface-id]...
  • Page 630 Link Layer Discovery Protocol (LLDP) Commands Port Device ID Port ID System Name Capabilities TTL --- ------------------ -------- ---------- ------------ ---- gi1 00:00:00:11:11:11 ts-7800-2 gi1 00:00:00:11:11:11 D ts-7800-2 gi2 00:00:26:08:13:24 ts-7900-1 B, R gi3 00:00:26:08:13:24 ts-7900-2 Example 2 - The following example displays information about neighboring devices discovered using LLDP port 1.
  • Page 631 Link Layer Discovery Protocol (LLDP) Commands PSE Power class: 1 802.3 Link Aggregation Aggregation capability: Capable of being aggregated Aggregation status: Not currently in aggregation Aggregation port ID: 1 802.3 Maximum Frame Size: 1522 802.3 EEE Remote Tx: 25 usec Remote Rx: 30 usec Local Tx Echo: 30 usec Local Rx Echo: 25 usec...
  • Page 632 Link Layer Discovery Protocol (LLDP) Commands Serial number: LM759846587 Manufacturer name: VP Model name: TR12 Asset ID: 9 LLDP-MED Location Coordinates: 54:53:c1:f7:51:57:50:ba:5b:97:27:80:00:00:67:01 The following table describes significant LLDP fields shown in the display: Field Description Port The port number. Device ID The neighbor device’s configured ID (name) or MAC address.
  • Page 633 Link Layer Discovery Protocol (LLDP) Commands Field Description Auto-negotiation The port speed/duplex/flow-control Advertised capabilities advertised by the Capabilities auto-negotiation. Operational MAU The port MAU type. type LLDP MED Capabilities The sender's LLDP-MED capabilities. Device type The device type. Indicates whether the sender is a Network Connectivity Device or Endpoint Device, and if an Endpoint, to which Endpoint Class it belongs.
  • Page 634 Link Layer Discovery Protocol (LLDP) Commands Field Description Power priority The PD device priority. A PSE device advertises the power priority configured for the port. A PD device advertises the power priority configured for the device. The possible values are: Critical, High and Low. Power value The total power in watts required by a PD device from a PSE device, or the total power...
  • Page 635: Igmp Snooping Commands

    IGMP Snooping Commands 38.1 ip igmp snooping (Global) Use the ip igmp snooping Global Configuration mode command to enable Internet Group Management Protocol (IGMP) snooping. Use the no form of this command to disable IGMP snooping. Syntax ip igmp snooping no ip igmp snooping Default Configuration Disabled.
  • Page 636: Ip Igmp Snooping Vlan Mrouter

    IGMP Snooping Commands Parameters vlan-id vlan —Specifies the VLAN. Default Configuration Disabled Command Mode Global Configuration mode User Guidelines IGMP snooping can be enabled only on static VLANs. IGMPv1, IGMPv2 and IGMPv3 are supported. To activate IGMP snooping, the bridge multicast filtering should be enabled.
  • Page 637: Ip Igmp Snooping Vlan Mrouter Interface

    IGMP Snooping Commands Command Mode Global Configuration mode User Guidelines Multicast router ports are learned according to: • Queries received on the port • PIM/PIMv2 received on the port • DVMRP received on the port • MRDISC received on the port •...
  • Page 638: Ip Igmp Snooping Vlan Forbidden Mrouter

    IGMP Snooping Commands Command Mode Global Configuration mode User Guidelines A port that is defined as a Multicast router port receives all IGMP packets (reports and queries) as well as all Multicast data. You can execute the command before the VLAN is created. Example switchxxxxxx(config)# ip igmp snooping vlan 1 mrouter interface 38.5...
  • Page 639: Ip Igmp Snooping Vlan Static

    IGMP Snooping Commands User Guidelines A port that is a forbidden mrouter port cannot be a Multicast router port (i.e. cannot be learned dynamically or assigned statically). You can execute the command before the VLAN is created. Example switchxxxxxx(config)# ip igmp snooping vlan 1 forbidden mrouter interface 38.6 ip igmp snooping vlan static Use the ip igmp snooping vlan static Global Configuration mode command to...
  • Page 640: Ip Igmp Snooping Vlan Multicast-Tv

    IGMP Snooping Commands You can register an entry without specifying an interface. Using the no command without a port-list removes the entry. Example switchxxxxxx(config)# ip igmp snooping vlan 1 static 239.2.2.2 interface 38.7 ip igmp snooping vlan multicast-tv Use the ip igmp snooping vlan multicast-tv Global Configuration mode command to define the Multicast IP addresses that are associated with a Multicast TV VLAN.
  • Page 641: Ip Igmp Snooping Map Cpe Vlan

    IGMP Snooping Commands Example switchxxxxxx(config)# ip igmp snooping vlan 1 multicast-tv 239.2.2.2 count 38.8 ip igmp snooping map cpe vlan The ip igmp snooping map cpe vlan Global Configuration mode command maps CPE VLANs to Multicast-TV VLANs. Use the no form of this command to remove the mapping.
  • Page 642: Ip Igmp Snooping Vlan Querier

    IGMP Snooping Commands 38.9 ip igmp snooping vlan querier Use the ip igmp snooping vlan querier Global Configuration mode command to enable the Internet Group Management Protocol (IGMP) querier on a specific VLAN. Use the no form of this command to disable the IGMP querier on a VLAN interface.
  • Page 643: Ip Igmp Snooping Vlan Querier Address

    IGMP Snooping Commands 38.10 ip igmp snooping vlan querier address Use the ip igmp snooping vlan querier address Global Configuration mode command to define the source IP address that the IGMP snooping querier uses. Use the no form of this command to return to default. Syntax vlan-id ip-address...
  • Page 644: Ip Igmp Robustness

    IGMP Snooping Commands Syntax vlan-id {2 | 3} ip igmp snooping vlan querier version vlan-id no ip igmp snooping vlan querier version Parameters • vlan-id vlan —Specifies the VLAN. • querier version —Specifies that the IGMP version would be IGMPv2. •...
  • Page 645: Ip Igmp Query-Interval

    IGMP Snooping Commands Command Mode Interface Configuration (VLAN) mode User Guidelines You can execute the command before the VLAN is created, but you must enter the command in Interface VLAN mode. Example switchxxxxxx(config)# interface vlan 1 switchxxxxxx(config-if)# ip igmp robustness 3 38.13 ip igmp query-interval Use the ip igmp query-interval Interface Configuration (VLAN) mode command to configure the Query interval on a VLAN.
  • Page 646: Ip Igmp Query-Max-Response-Time

    IGMP Snooping Commands Example switchxxxxxx(config)# interface vlan 1 switchxxxxxx(config-if)# ip igmp query-interval 200 38.14 ip igmp query-max-response-time Use the ip igmp query-max-response-time Interface Configuration (VLAN) mode command to configure the Query Maximum Response time on a VLAN. Use the no format of the command to return to default.
  • Page 647: Ip Igmp Last-Member-Query-Count

    IGMP Snooping Commands 38.15 ip igmp last-member-query-count Use the ip igmp last-member-query-count Interface Configuration (VLAN) mode command to configure the Last Member Query Counter on a VLAN. Use the no format of the command to return to default. Syntax ip igmp last-member-query-count count no ip igmp last-member-query-count Parameter...
  • Page 648: Ip Igmp Snooping Vlan Immediate-Leave

    IGMP Snooping Commands Parameters milliseconds—Interval, in milliseconds, at which IGMP group-specific host query messages are sent on the interface. (Range: 100–25500) Default Configuration 1000 Command Mode Interface Configuration (VLAN) mode User Guidelines You can execute the command before the VLAN is created. Example switchxxxxxx(config)# interface vlan 1 switchxxxxxx(config-if)# ip igmp last-member-query-interval 2000...
  • Page 649: Show Ip Igmp Snooping Mrouter

    IGMP Snooping Commands Command Mode Global Configuration mode User Guidelines You can execute the command before the VLAN is created. Example The following example enables IGMP snooping immediate-leave feature on VLAN switchxxxxxx(config)# ip igmp snooping vlan 1 immediate-leave 38.18 show ip igmp snooping mrouter The show ip igmp snooping mrouter EXEC mode command displays information on dynamically learned Multicast router interfaces for all VLANs or for a specific VLAN.
  • Page 650: Show Ip Igmp Snooping Interface

    IGMP Snooping Commands 38.19 show ip igmp snooping interface The show ip igmp snooping interface EXEC mode command displays the IGMP snooping configuration for a specific VLAN. Syntax vlan-id show ip igmp snooping interface Parameters interface vlan-id—Specifies the VLAN ID. Command Mode EXEC mode Example...
  • Page 651: Show Ip Igmp Snooping Groups

    IGMP Snooping Commands IGMP snooping last member query counter: admin 2 oper 2 IGMP snooping last member query interval: admin 1000 msec oper 500 msec IGMP snooping last immediate leave: enable Automatic learning of Multicast router ports is enabled 38.20 show ip igmp snooping groups The show ip igmp snooping groups EXEC mode command displays the Multicast groups learned by the IGMP snooping.
  • Page 652: Show Ip Igmp Snooping Multicast-Tv

    IGMP Snooping Commands Example The following example shows sample output for IGMP version 2. switchxxxxxx# show ip igmp snooping groups Vlan Group Source Include Ports Exclude Ports Comp-Mode Address Address -------- ---- --------- --------- --------- -------- 239.255.255.250 38.21 show ip igmp snooping multicast-tv The show ip igmp snooping multicast-tv EXEC mode command displays the IP addresses associated with Multicast TV VLANs.
  • Page 653: Show Ip Igmp Snooping Cpe Vlans

    IGMP Snooping Commands 1000 239.255.0.5 1000 239.255.0.6 1000 239.255.0.7 38.22 show ip igmp snooping cpe vlans The show ip igmp snooping cpe vlans EXEC mode command displays the CPE VLAN to Multicast TV VLAN mappings. Syntax vlan-id show ip igmp snooping cpe vlans vlan Parameters vlan-id...
  • Page 654: Ipv6 Mld Snooping Commands

    IPv6 MLD Snooping Commands 39.1 ipv6 mld snooping (Global) The ipv6 mld snooping Global Configuration mode command enables IPv6 Multicast Listener Discovery (MLD) snooping. To disable IPv6 MLD snooping, use the no form of this command. Syntax ipv6 mld snooping no ipv6 mld snooping Parameters Default Configuration...
  • Page 655: Ipv6 Mld Robustness

    IPv6 MLD Snooping Commands vlan-id no ipv6 mld snooping vlan Parameters vlan-id—Specifies the VLAN. Default Configuration Disabled Command Mode Global Configuration mode User Guidelines MLD snooping can only be enabled on static VLANs. MLDv1 and MLDv2 are supported. To activate MLD snooping, the Bridge Multicast Filtering command must be enabled.
  • Page 656: Ipv6 Mld Snooping Vlan Mrouter

    IPv6 MLD Snooping Commands Default Configuration Command Mode Interface Configuration (VLAN) mode User Guidelines You can execute the command before the VLAN is created. Example switchxxxxxx(config)# interface vlan 1 switchxxxxxx(config-if)# ipv6 mld robustness 3 39.4 ipv6 mld snooping vlan mrouter Use the ipv6 mld snooping vlan mrouter Global Configuration mode command to enable automatic learning of Multicast router ports.
  • Page 657: Ipv6 Mld Snooping Vlan Mrouter

    IPv6 MLD Snooping Commands User Guidelines Multicast router ports can be configured statically with the bridge multicast forward-all command. You can execute the command before the VLAN is created. Example switchxxxxxx(config)# ipv6 mld snooping vlan 1 mrouter learn pim-dvmrp 39.5 ipv6 mld snooping vlan mrouter Use the ipv6 mld snooping vlan mrouter Interface Configuration mode command to define a port that is connected to a Multicast router port.
  • Page 658: Ipv6 Mld Snooping Vlan Forbidden Mrouter

    IPv6 MLD Snooping Commands You can execute the command before the VLAN is created and for a range of ports as shown in the example. Example switchxxxxxx(config)# interface gi1/1/1 switchxxxxxx(config-if)# ipv6 mld snooping vlan 1 mrouter interface gi1/1/1 - 39.6 ipv6 mld snooping vlan forbidden mrouter Use the ipv6 mld snooping vlan forbidden mrouter Global Configuration mode command to forbid a port from being defined as a Multicast router port by static configuration or by automatic learning.
  • Page 659: Ipv6 Mld Snooping Vlan Static

    IPv6 MLD Snooping Commands You can execute the command before the VLAN is created. Example switchxxxxxx(config)# ipv6 mld snooping vlan 1 forbidden mrouter interface 39.7 ipv6 mld snooping vlan static Use the ipv6 mld snooping vlan static Global Configuration mode command to register an IPv6-layer Multicast address to the bridge table, and to statically add ports to the group.
  • Page 660: Ipv6 Mld Query-Interval

    IPv6 MLD Snooping Commands Example switchxxxxxx(config)# ipv6 mld snooping vlan 1 static 239.2.2.2 39.8 ipv6 mld query-interval Use the ipv6 mld query-interval Interface Configuration mode command to configure the Query interval. Use the no format of the command to return to default.
  • Page 661: Ipv6 Mld Query-Max-Response-Time

    IPv6 MLD Snooping Commands 39.9 ipv6 mld query-max-response-time Use the ipv6 mld query-max-response-time Interface Configuration mode command to configure the Query Maximum Response time. Use the no format of the command to return to default. Syntax seconds ipv6 mld query-max-response-time no ipv6 mld query-max-response-time Parameter seconds—Maximum response time, in seconds, advertised in MLD queries.
  • Page 662: Ipv6 Mld Last-Member-Query-Interval

    IPv6 MLD Snooping Commands Address and Source Specific Queries sent before the router assumes there are no listeners for a particular source. Use the no format of the command to return to default. Syntax count ipv6 mld last-member-query-count no ipv6 mld last-member-query-count Parameters count—The number of times that group- or group-source-specific queries are sent upon receipt of a Leave message.
  • Page 663: Ipv6 Mld Snooping Vlan Immediate-Leave

    IPv6 MLD Snooping Commands no ipv6 mld last-member-query-interval Parameter milliseconds—Interval, in milliseconds, at which MLD group-specific host query messages are sent on the interface. (Range: 100–64512). Default Configuration 1000 Command Mode Interface Configuration (VLAN) mode User Guidelines This command provides this value if it is not received in MLD general query messages.
  • Page 664: Show Ipv6 Mld Snooping Mrouter

    IPv6 MLD Snooping Commands Syntax vlan-id ipv6 mld snooping vlan immediate-leave vlan-id no ipv6 mld snooping vlan immediate-leave Parameters vlan-id—Specifies the VLAN ID value. (Range: 1–4094) Default Configuration Disabled Command Mode Global Configuration mode User Guidelines You can execute the command before the VLAN is created. Example switchxxxxxx(config)# ipv6 mld snooping vlan 1 immediate-leave 39.13 show ipv6 mld snooping mrouter...
  • Page 665: Show Ipv6 Mld Snooping Interface

    IPv6 MLD Snooping Commands Command Mode EXEC mode Example The following example displays information on dynamically learned Multicast router interfaces for VLAN 1000 switchxxxxxx# show ipv6 mld snooping mrouter interface 1000 VLAN Static Dynamic Forbidden ---- ------ ------- --------- gi3-23 1000 39.14 show ipv6 mld snooping interface The show ipv6 mld snooping interface EXEC mode command displays the IPv6...
  • Page 666: Show Ipv6 Mld Snooping Groups

    IPv6 MLD Snooping Commands MLD Snooping admin: Enabled MLD snooping oper mode: Enabled Routers MLD version: 2 Groups that are in MLD version 1 compatibility mode: FF12::3, FF12::8 MLD snooping robustness:admin 2 oper 2 MLD snooping query interval: admin 125 sec oper 125 sec MLD snooping query maximum response: admin 10 sec oper 10 sec...
  • Page 667 IPv6 MLD Snooping Commands User Guidelines To see the full multicast address table (including static addresses), use the show bridge multicast address-table command. The Include list contains the ports which are in a forwarding state for this group according to the snooping database. In general, the Exclude list contains the ports which have issued an explicit Exclude for that specific source in a multicast group.
  • Page 668: Link Aggregation Control Protocol (Lacp) Commands

    Link Aggregation Control Protocol (LACP) Commands 40.1 lacp system-priority Use the lacp system-priority Global Configuration mode command to set the system priority. Use the no form of this command to restore the default configuration. Syntax value lacp system-priority no lacp system-priority Parameters value—Specifies the system priority value.
  • Page 669: Lacp Timeout

    Link Aggregation Control Protocol (LACP) Commands no lacp port-priority Parameters value—Specifies the port priority. (Range: 1–65535) Default Configuration The default port priority is 1. Command Mode Interface Configuration (Ethernet) mode Example The following example sets the priority of gi6. switchxxxxxx(config)# interface switchxxxxxx(config-if)# lacp port-priority 247 40.3...
  • Page 670: Show Lacp

    Link Aggregation Control Protocol (LACP) Commands Command Mode Interface Configuration (Ethernet) mode Example The following example assigns a long administrative LACP timeout to gi6. switchxxxxxx(config)# interface gi6 switchxxxxxx(config-if)# lacp timeout long 40.4 show lacp Use the show lacp EXEC mode command to display LACP information for all Ethernet ports or for a specific Ethernet port.
  • Page 671 Link Aggregation Control Protocol (LACP) Commands system priority: system mac addr: 00:00:12:34:56:78 port Admin key: port Oper key: port Oper number: port Admin priority: port Oper priority: port Admin timeout: LONG port Oper timeout: LONG LACP Activity: ACTIVE Aggregation: AGGREGATABLE synchronization: FALSE collecting:...
  • Page 672: Show Lacp Port-Channel

    Link Aggregation Control Protocol (LACP) Commands Control Variables: BEGIN: FALSE LACP_Enabled: TRUE Ready_N: FALSE Selected: UNSELECTED Port_moved: FALSE NNT: FALSE Port_enabled: FALSE Timer counters: periodic tx timer: current while timer: wait while timer: 40.5 show lacp port-channel Use the show lacp port-channel EXEC mode command to display LACP information for a port-channel.
  • Page 673 Link Aggregation Control Protocol (LACP) Commands System Priority: 000285:0E1C00 MAC Address: Admin Key: Oper Key: Partner System Priority: 00:00:00:00:00:00 MAC Address: Oper Key: ...
  • Page 674: Garp Vlan Registration Protocol (Gvrp) Commands

    GARP VLAN Registration Protocol (GVRP) Commands 41.1 gvrp enable (Global) Use the gvrp enable Global Configuration mode command to enable the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) globally. Use the no form of this command to disable GVRP on the device. Syntax gvrp enable no gvrp enable...
  • Page 675: Gvrp Vlan-Creation-Forbid

    GARP VLAN Registration Protocol (GVRP) Commands no gvrp enable Default Configuration GVRP is disabled on all interfaces. Command Mode Interface Configuration (Ethernet, Port-channel) mode User Guidelines An access port does not dynamically join a VLAN because it is always a member of a single VLAN only.
  • Page 676: Gvrp Registration-Forbid

    GARP VLAN Registration Protocol (GVRP) Commands Example The following example disables dynamic VLAN creation on gi3. switchxxxxxx(config)# interface gi3 switchxxxxxx(config-if)# gvrp vlan-creation-forbid 41.4 gvrp registration-forbid Use the gvrp registration-forbid Interface Configuration mode command to deregister all dynamic VLANs on a port and prevent VLAN creation or registration on the port.
  • Page 677: Show Gvrp Configuration

    GARP VLAN Registration Protocol (GVRP) Commands Syntax [interface-id] clear gvrp statistics Parameters Interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel. Default Configuration All GVRP statistics are cleared. Command Mode Privileged EXEC mode Example The following example clears all GVRP statistical information on gi5.
  • Page 678: Show Gvrp Statistics

    GARP VLAN Registration Protocol (GVRP) Commands Command Mode EXEC mode Example The following example displays GVRP configuration. switchxxxxxx# show gvrp configuration GVRP Feature is currently Enabled on the device. Maximum VLANs: 4094 Port(s) GVRP-Status Regist- Dynamic Timers(ms) ration VLAN Creation Join Leave Leave All...
  • Page 679: Show Gvrp Error-Statistics

    GARP VLAN Registration Protocol (GVRP) Commands Example The following example displays GVRP statistical information. switchxxxxxx# show gvrp statistics GVRP statistics: ---------------- Legend: rJE : Join Empty Received rJIn: Join In Received rEmp: Empty Received rLIn: Leave In Received rLE : Leave Empty Received rLA : Leave All Received sJE :...
  • Page 680 GARP VLAN Registration Protocol (GVRP) Commands Default Configuration All GVRP error statistics are displayed. Command Mode EXEC mode Example The following example displays GVRP error statistics. switchxxxxxx# show gvrp error-statistics GVRP Error Statistics: ---------------------- Legend: INVPROT : Invalid Protocol Id INVATYP : Invalid Attribute Type INVALEN : Invalid Attribute Length...
  • Page 681: Dhcp Snooping And Arp Inspection Commands

    DHCP Snooping and ARP Inspection Commands 42.1 ip dhcp snooping Use the ip dhcp snooping Global Configuration mode command to enable Dynamic Host Configuration Protocol (DHCP) Snooping globally. Use the no form of this command to restore the default configuration. Syntax ip dhcp snooping no ip dhcp snooping...
  • Page 682: Ip Dhcp Snooping Vlan

    DHCP Snooping and ARP Inspection Commands 42.2 ip dhcp snooping vlan Use the ip dhcp snooping vlan Global Configuration mode command to enable DHCP Snooping on a VLAN. Use the no form of this command to disable DHCP Snooping on a VLAN. Syntax vlan-id ip dhcp snooping vlan...
  • Page 683: Ip Dhcp Snooping Information Option Allowed-Untrusted

    DHCP Snooping and ARP Inspection Commands no ip dhcp snooping trust Parameters Default Configuration The interface is untrusted. Command Mode Interface Configuration (Ethernet, Port-channel) mode User Guidelines Configure as trusted the ports that are connected to a DHCP server or to other switches or routers.
  • Page 684: Ip Dhcp Snooping Verify

    DHCP Snooping and ARP Inspection Commands Default Configuration DHCP packets with option-82 information from an untrusted port are discarded. Command Mode Global Configuration mode Example The following example allows a device to accept DHCP packets with option-82 information from an untrusted port. switchxxxxxx(config)# ip dhcp snooping information option allowed-untrusted 42.5...
  • Page 685: Ip Dhcp Snooping Database

    DHCP Snooping and ARP Inspection Commands 42.6 ip dhcp snooping database Use the ip dhcp snooping database Global Configuration mode command to enable the DHCP Snooping binding database file. Use the no form of this command to delete the DHCP Snooping binding database file. Syntax ip dhcp snooping database no ip dhcp snooping database...
  • Page 686: Ip Dhcp Snooping Binding

    DHCP Snooping and ARP Inspection Commands Syntax seconds ip dhcp snooping database update-freq no ip dhcp snooping database update-freq Parameters seconds—Specifies the update frequency in seconds. (Range: 600–86400) Default Configuration The default update frequency value is 1200 seconds. Command Mode Global Configuration mode Example The following example sets the DHCP Snooping binding database file update...
  • Page 687: Clear Ip Dhcp Snooping Database

    DHCP Snooping and ARP Inspection Commands • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel. • expiry seconds —Specifies the time interval, in seconds, after which the binding entry is no longer valid. (Range: 10–4294967295) infinite —Specifies infinite lease time.
  • Page 688: Show Ip Dhcp Snooping

    DHCP Snooping and ARP Inspection Commands Syntax clear ip dhcp snooping database Parameters Command Mode Privileged EXEC mode Example The following example clears the DHCP Snooping binding database. switchxxxxxx# clear ip dhcp snooping database 42.10 show ip dhcp snooping Use the show ip dhcp snooping EXEC mode command to display the DHCP snooping configuration for all interfaces or for a specific interface.
  • Page 689: Show Ip Dhcp Snooping Binding

    DHCP Snooping and ARP Inspection Commands DHCP snooping database is Enabled Relay agent Information option 82 is Enabled Option 82 on untrusted port is allowed Verification of hwaddr field is Enabled DHCP snooping file update frequency is configured to: 6666 seconds Interface Trusted ----------- ------------...
  • Page 690: Ip Source-Guard

    DHCP Snooping and ARP Inspection Commands Example The following example displays the DHCP snooping binding database and configuration information for all interfaces on a device. switchxxxxxx # show ip dhcp snooping binding Update frequency: 1200 Total number of binding: 2 Mac Address Lease Type...
  • Page 691: Ip Source-Guard Binding

    DHCP Snooping and ARP Inspection Commands User Guidelines IP Source Guard must be enabled globally before enabling IP Source Guard on an interface. IP Source Guard is active only on DHCP snooping untrusted interfaces, and if at least one of the interface VLANs is DHCP snooping enabled. Example The following example enables IP Source Guard on gi5.
  • Page 692: Ip Source-Guard Tcam Retries-Freq

    DHCP Snooping and ARP Inspection Commands User Guidelines The device currently supports filtering that is based only on the source IP address. In the future, the device might support a filtering mode that is based on the MAC address and IP source address. Currently the MAC address field is an informative field.
  • Page 693: Ip Source-Guard Tcam Locate

    DHCP Snooping and ARP Inspection Commands By default, once every minute the software conducts a search for available space in the TCAM for the inactive IP Source Guard addresses. Use this command to change the search frequency or to disable automatic retries for TCAM space. The ip source-guard tcam locate Privileged EXEC mode command manually retries locating TCAM resources for the inactive IP Source Guard addresses.
  • Page 694: Show Ip Source-Guard Configuration

    DHCP Snooping and ARP Inspection Commands command to manually retry locating TCAM resources for the inactive IP Source Guard addresses. The show ip source-guard inactive EXEC mode command displays the inactive IP source guard addresses. Example The following example manually retries to locate TCAM resources. switchxxxxxx# ip source-guard tcam locate 42.16 show ip source-guard configuration...
  • Page 695: Show Ip Source-Guard Status

    DHCP Snooping and ARP Inspection Commands Example The following example displays the IP Source Guard configuration. switchxxxxxx# show ip source-guard configuration IP source guard is globally enabled. Interface State --------- ------- Enabled Enabled Enabled Enabled Enabled Enabled Enabled 42.17 show ip source-guard status Use the show ip source-guard status EXEC mode command to display the IP Source Guard status.
  • Page 696: Show Ip Source-Guard Inactive

    DHCP Snooping and ARP Inspection Commands Example The following examples display the IP Source Guard status. switchxxxxxx # show ip source-guard status IP source guard is globally disabled. switchxxxxxx # show ip source-guard status Interface Filter Status IP Address MAC Address VLAN Type -------...
  • Page 697: Show Ip Source-Guard Statistics

    DHCP Snooping and ARP Inspection Commands Use the ip source-guard tcam retries-freq Global Configuration mode command to change the retry frequency or to disable automatic retries for TCAM space. Use the ip source-guard tcam locate Privileged EXEC mode command to manually retry locating TCAM resources for the inactive IP Source Guard addresses.
  • Page 698: Ip Arp Inspection

    DHCP Snooping and ARP Inspection Commands VLAN Statically Permitted Stations DHCP Snooping Permitted Stations ---- ------------------------------- -------------------------------- 42.20 ip arp inspection Use the ip arp inspection Global Configuration mode command to globally enable Address Resolution Protocol (ARP) inspection. Use the no form of this command to disable ARP inspection.
  • Page 699: Ip Arp Inspection Vlan

    DHCP Snooping and ARP Inspection Commands 42.21 ip arp inspection vlan Use the ip arp inspection vlan Global Configuration mode command to enable ARP inspection on a VLAN, based on the DHCP Snooping database. Use the no form of this command to disable ARP inspection on a VLAN. Syntax vlan-id ip arp inspection vlan...
  • Page 700: Ip Arp Inspection Validate

    DHCP Snooping and ARP Inspection Commands Syntax ip arp inspection trust no ip arp inspection trust Parameters Default Configuration The interface is untrusted. Command Mode Interface Configuration (Ethernet, Port-channel) mode User Guidelines The device does not check ARP packets that are received on the trusted interface; it only forwards the packets.
  • Page 701: Ip Arp Inspection List Create

    DHCP Snooping and ARP Inspection Commands Syntax ip arp inspection validate no ip arp inspection validate Parameters Default Configuration ARP inspection validation is disabled. Command Mode Global Configuration mode User Guidelines The following checks are performed: • Source MAC address: Compares the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
  • Page 702: Ip Mac

    DHCP Snooping and ARP Inspection Commands Syntax name ip arp inspection list create name no ip arp inspection list create Parameters name—Specifies the static ARP binding list name. (Length: 1–32 characters) Default Configuration No static ARP binding list exists. Command Mode Global Configuration mode User Guidelines Use the ip arp inspection list assign command to assign the list to a VLAN.
  • Page 703: Ip Arp Inspection List Assign

    DHCP Snooping and ARP Inspection Commands Default Configuration No static ARP binding is defined. Command Mode ARP-list Configuration mode Example The following example creates a static ARP binding. switchxxxxxx(config)# ip arp inspection list create servers switchxxxxxx(config-ARP-list)# 172.16.1.1 0060.704C.7321 switchxxxxxx(config-ARP-list)# 172.16.1.2 0060.704C.7322 42.26 ip arp inspection list assign Use the ip arp inspection list assign Global Configuration mode command to...
  • Page 704: Ip Arp Inspection Logging Interval

    DHCP Snooping and ARP Inspection Commands Example The following example assigns the static ARP binding list Servers to VLAN 37. switchxxxxxx(config)# ip arp inspection list assign 37 servers 42.27 ip arp inspection logging interval Use the ip arp inspection logging interval Global Configuration mode command to set the minimum time interval between successive ARP SYSLOG messages.
  • Page 705: Show Ip Arp Inspection

    DHCP Snooping and ARP Inspection Commands 42.28 show ip arp inspection Use the show ip arp inspection EXEC mode command to display the ARP inspection configuration for all interfaces or for a specific interface. Syntax [interface-id] show ip arp inspection Parameters interface-id—Specifies an interface ID.
  • Page 706: Show Ip Arp Inspection Statistics

    DHCP Snooping and ARP Inspection Commands Parameters Command Mode Privileged EXEC mode Example The following example displays the static ARP binding list. switchxxxxxx# show ip arp inspection list List name: servers Assigned to VLANs: 1,2 ----------- -------------- 172.16.1.1 0060.704C.7322 172.16.1.2 0060.704C.7322 42.30 show ip arp inspection statistics Use the show ip arp inspection statistics EXEC command to display Statistics For...
  • Page 707: Clear Ip Arp Inspection Statistics

    DHCP Snooping and ARP Inspection Commands Example switchxxxxxx # show ip arp inspection statistics Vlan Forwarded Packets Dropped Packets IP/MAC Failures ---- ----------------------------------------------- 1500100 42.31 clear ip arp inspection statistics Use the clear ip arp inspection statistics Privileged EXEC mode command to clear ARP Inspection statistics globally.
  • Page 708: Ip Addressing Commands

    IP Addressing Commands 43.1 ip address Use the ip address Interface Configuration (Ethernet, VLAN, Port-channel) mode command to define an IP address for an interface. Use the no form of this command to remove an IP address definition. Syntax If the product is in Layer 3 (Router mode). ip-address mask prefix-length...
  • Page 709: Ip Address Dhcp

    IP Addressing Commands If the device is in Layer 3 router mode, it supports multiple IP addresses. The IP addresses must be from different IP subnets. If the IP address is configured in Interface context, the IP address is bound to the interface in that context.
  • Page 710: Renew Dhcp

    IP Addressing Commands DHCP client configuration on an interface implicitly removes the static IP address configuration on the interface. If the device is configured to obtain its IP address from a DHCP server, it sends a DHCPDISCOVER message to provide information about itself to the DHCP server on the network.
  • Page 711: Ip Default-Gateway

    IP Addressing Commands • When the device is in Layer 2 (switch mode), interface-id is not required. • This command does not enable DHCP on an interface. If DHCP is not enabled on the requested interface, the command returns an error message.
  • Page 712: Show Ip Interface

    IP Addressing Commands Example The following example defines default gateway 192.168.1.1. switchxxxxxx(config)# ip default-gateway 192.168.1.1 43.5 show ip interface Use the show ip interface EXEC mode command to display the usability status of configured IP interfaces. Syntax [interface-id] show ip interface Parameters interface-id—Specifies an interface ID.
  • Page 713: Arp

    IP Addressing Commands Example 2 - The following example displays the configured IP interfaces and their types when the device is in Switch mode. switchxxxxxx# show ip interface Gateway IP Address Activity status Type ----------------------- ----------------------- -------- 10.5.234.254 Active static IP Address Type Status...
  • Page 714: Arp Timeout (Global)

    IP Addressing Commands User Guidelines The software uses ARP cache entries to translate 32-bit IP addresses into 48-bit hardware (MAC) addresses. Because most hosts support dynamic address resolution, static ARP cache entries generally do not need to be specified. Example The following example adds IP address 198.133.219.232 and MAC address 00:00:0c:40:0f:bc to the ARP table.
  • Page 715: Ip Arp Proxy Disable

    IP Addressing Commands 43.8 ip arp proxy disable Use the ip arp proxy disable Global Configuration mode command to globally disable proxy Address Resolution Protocol (ARP). Use the no form of this command to reenable proxy ARP. This command can only be used when the device is in Router mode. Syntax ip arp proxy disable no ip arp proxy disable...
  • Page 716: Clear Arp-Cache

    IP Addressing Commands Syntax ip proxy-arp no ip proxy-arp Default Configuration ARP Proxy is enabled. Command Mode Interface Configuration (Ethernet, VLAN, Port-channel) mode. It cannot be configured for a range of interfaces (range context). User Guidelines This configuration can be applied only if at least one IP address is defined on a specific interface. To use this command, you must put the switch into routing mode using system.
  • Page 717: Show Arp

    IP Addressing Commands 43.11 show arp Use the show arp Privileged EXEC mode command to display entries in the ARP table. Syntax [ip-address ip-address] [mac-address mac-address] [interface-id] show arp Parameters • ip-address ip-address —Specifies the IP address. • mac-address mac-address —Specifies the MAC address.
  • Page 718: Show Arp Configuration

    IP Addressing Commands 43.12 show arp configuration Use the show arp configuration privileged EXEC command to display the global and interface configuration of the ARP protocol. Syntax show arp configuration Parameters This command has no arguments or keywords. Command Mode Privileged EXEC mode Example...
  • Page 719: Interface Ip

    IP Addressing Commands 43.13 interface ip Use the interface ip Global Configuration mode command to enter the IP Interface Configuration mode. This command can only be used when the device is in Router mode. Syntax interface ip -address Parameters ip-address—Specifies one of the IP addresses of the device.
  • Page 720 IP Addressing Commands Parameters • ip-interface—Specifies the IP interface. • all—Specifies all IP interfaces. • address—Specifies the destination broadcast or host address to which to forward UDP broadcast packets. A value of 0.0.0.0 specifies that UDP broadcast packets are not forwarded to any host. •...
  • Page 721: Show Ip Helper-Address

    IP Addressing Commands The setting of a helper address for a specific interface has precedence over the setting of a helper address for all the interfaces. Forwarding of BOOTP/DHCP (ports 67, 68) cannot be enabled with this command. Use the DHCP relay commands to relay BOOTP/DHCP packets. Example The following example enables the forwarding of UDP Broadcast packets received on all interfaces to the UDP ports of a destination IP address and UDP...
  • Page 722: Show Ip Dhcp Client Interface

    IP Addressing Commands Example The following example displays the IP helper addresses configuration on the system. switchxxxxxx# show ip helper-address Interface Helper Address UDP Ports ------------ -------------- ------------------------ 192.168.1.1 172.16.8.8 37, 42, 49, 53, 137, 138 192.168.2.1 172.16.9.9 37, 49 43.16 show ip dhcp client interface Use the show ip dhcp client interface command in User EXEC or Privileged EXEC mode to display DHCP client interface information.
  • Page 723 IP Addressing Commands Default Gateway: 170.10.100.1 DNS Servers: 115.1.1.1, 87.12.34.20 DNS Domain Search List: company.com Host Name: switch_floor7 Configuration Server Addresses: 192.1.1.1 202.1.1.1 Configuration Path Name: qqq/config/aaa_config.dat POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00 VLAN 1200 is in client mode Address: 180.10.100.100 Mask: 255.255.255.0 T1 120, T2 192 Default Gateway: 180.10.100.1 DNS Servers: 115.1.1.1, 87.12.34.20 DNS Domain Search List: company.com...
  • Page 724 IP Addressing Commands POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00 VLAN 1200 is in client mode Address: 180.10.100.100 Mask: 255.255.255.0 T1 120, T2 192 Default Gateway: 180.10.100.1 DNS Servers: 115.1.1.1, 87.12.34.20 DNS Domain Search List: company.com Host Name: switch_floor7 Configuration Server Addresses: configuration. company.com Configuration Path Name: qqq/config/aaa_config.dat POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00...
  • Page 725: Ipv6 Router Commands

    IPv6 Router Commands 44.1 clear ipv6 neighbors Use the clear ipv6 neighbors command in Privileged EXEC mode to delete all entries in the IPv6 neighbor discovery cache, except static entries. Syntax clear ipv6 neighbors Parameters Command Mode Privileged EXEC User Guidelines Example The following example deletes all entries, except static entries, in the neighbor discovery cache:...
  • Page 726: Ipv6 Address Autoconfig

    IPv6 Router Commands Parameters • ipv6-address—Specifies the IPv6 address assigned to the interface. This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16-bit values between colons. • prefix-length—The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address).
  • Page 727 IPv6 Router Commands Use the no form of this command to remove the address from the interface. Syntax ipv6 address autoconfig no ipv6 address autoconfig Parameters N/A. Default Configuration Stateless Auto configuration is disabled. Command Mode Interface Configuration mode. User Guidelines This command enables IPv6 on an interface (if it was disabled) and causes the switch to perform IPv6 stateless address auto-configuration to discover prefixes on the link and then to add the eui-64 based addresses to the interface.
  • Page 728: Ipv6 Address Link-Local

    IPv6 Router Commands 44.4 ipv6 address link-local Use the ipv6 address link-local command in Interface Configuration mode to configure an IPv6 link local address for an interface and enable IPv6 processing on the interface. Use the no form of this command to remove the manually configured link local address from the interface.
  • Page 729: Ipv6 Default-Gateway

    IPv6 Router Commands Example The following example enables IPv6 processing on VLAN 1 and configures FE80::260:3EFF:FE11:6770 as the link local address for VLAN 1: interface vlan 1 ipv6 address FE80::260:3EFF:FE11:6770 link-local exit 44.5 ipv6 default-gateway Use the ipv6 default-gateway Global Configuration mode command to define an IPv6 default gateway.
  • Page 730: Ipv6 Enable

    IPv6 Router Commands See the definition of the ipv6 route command for details. Example The following example configures a default gateway: console(config)# ipv6 default-gateway fe80::abcd%vlan1 44.6 ipv6 enable Use the ipv6 enable command in Interface Configuration mode to enable IPv6 processing on an interface.
  • Page 731: Ipv6 Icmp Error-Interval

    IPv6 Router Commands exit 44.7 ipv6 icmp error-interval Use the ipv6 icmp error-interval command in Global Configuration mode to configure the interval and bucket size for IPv6 ICMP error messages. Use the no form of this command to return the interval to its default setting. Syntax milliseconds bucketsize...
  • Page 732: Ipv6 Nd Dad Attempts

    IPv6 Router Commands Average Packets Per Second = (1000 / milliseconds) * bucketsize. To disable ICMP rate limiting, set the milliseconds argument to zero. Example The following example shows an interval of 50 milliseconds and a bucket size of 20 tokens being configured for IPv6 ICMP error messages: ipv6 icmp error-interval 50 20 44.8 ipv6 nd dad attempts...
  • Page 733 IPv6 Router Commands remain in a tentative state while duplicate address detection is performed). Duplicate address detection uses neighbor solicitation messages to verify the uniqueness of Unicast IPv6 addresses. The DupAddrDetectTransmits node configuration variable (as specified in RFC 4862, IPv6 Stateless Address Autoconfiguration) is used to automatically determine the number of consecutive neighbor solicitation messages that are sent on an interface, while duplicate address detection is performed on a tentative Unicast IPv6 address.
  • Page 734: Ipv6 Neighbor

    IPv6 Router Commands Example The following example configures five consecutive neighbor solicitation messages to be sent on VLAN 1 while duplicate address detection is being performed on the tentative Unicast IPv6 address of the interface. The example also disables duplicate address detection processing on VLAN 2. interface vlan 1 ipv6 nd dad attempts 5 exit...
  • Page 735 IPv6 Router Commands Command Mode Global Configuration User Guidelines This command is similar to the arp (global) command. Use the ipv6 neighbor command to add a static entry in the IPv6 neighbor discovery cache. If the specified IPv6 address is a global IPv6 address, it must belong to one of the static on-link prefixes defined in the interface.
  • Page 736: Ipv6 Unreachables

    IPv6 Router Commands Examples Example 1—The following example configures a static entry in the IPv6 neighbor discovery cache for a neighbor with the IPv6 address 2001:0DB8::45A and link-layer address 0002.7D1A.9472 on VLAN 1: ipv6 neighbor 2001:0DB8::45A vlan1 0002.7D1A.9472 Example 2—The following example deletes the static entry in the IPv6 neighbor discovery cache for a neighbor with the IPv6 address 2001:0DB8::45A and link-layer address 0002.7D1A.9472 on VLAN 1: no ipv6 neighbor 2001:0DB8::45A vlan1...
  • Page 737: Show Ipv6 Interface

    IPv6 Router Commands Parameters N/A. Default Configuration The sending of ICMP IPv6 unreachable messages is enabled. Command Mode Interface Configuration. User Guidelines If the switch receives a Unicast packet destined for itself that uses a protocol it does not recognize, it sends an ICMPv6 unreachable message to the source. If the switch receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP host unreachable message.
  • Page 738 IPv6 Router Commands • prefix—Prefix generated from a local IPv6 prefix pool. Default Configuration Option brief - all IPv6 interfaces are displayed. Command Mode User EXEC Privileged EXEC User Guidelines Use this command to validate the IPv6 status of an interface and its configured addresses.
  • Page 739 IPv6 Router Commands FF02::1:FF11:6770 MTU is 1500 bytes ICMP error messages limited interval is 100ms; Bucket size is 10 tokens ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds Stateless autoconfiguration is enabled. MLD Version is 2 Field Descriptions: •...
  • Page 740 IPv6 Router Commands • MLD Version—Version of MLD Example 2—The show ipv6 interface command displays information about the specified manual IPv6 tunnel: show ipv6 interface tunnel 2 Tunnel 2 is up/up IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01 Global unicast address(es): Ipv6 Global Address Type 2000:0DB8::2/64 (ANY)
  • Page 741 IPv6 Router Commands interface as being a duplicate address, the processing of IPv6 packets is disabled on the interface and the interface is marked “stalled.” If IPv6 is not enabled, the interface is marked “disabled.” • link-local address—Displays the link-local address assigned to the interface.
  • Page 742 IPv6 Router Commands show ipv6 interface tunnel 1 Tunnel 1 is up/up IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01 Global unicast address(es): Ipv6 Global Address Type 2000:0DB8::2/64 (ANY) Manual 2000:0DB8::2/64 Manual 2000:1DB8::2011/64 Manual Joined group address(es): FF02::1 FF02::2 FF02::1:FF11:6770 MTU is 1500 bytes ICMP error messages limited interval is 100ms;...
  • Page 743 IPv6 Router Commands • Global Unicast address(es):—Displays the global Unicast addresses assigned to the interface. The type is manual or autoconfig. • Joined group address(es):—Indicates the Multicast groups to which this interface belongs. • MTU—Maximum transmission unit of the interface. •...
  • Page 744 IPv6 Router Commands ----------------- --------- ------- ----------------- ------ ---------------- gi10 up/up enabled FE80::0DB8:12AB:FA01 gi11 up/up stalled FE80::0DB8:12AB:FA01 gi12 up/down enabled FE80::0DB8:12AB:FA01 down/down enabled FE80::0DB8:12AB:FA01 tunnel 1 up/up enabled FE80::0DB8:12AB:FA01 vlan 1 up/up enabled FE80::0DB8:12AB:FA01 vlan 1000 up/up stalled FE80::0DB8:12AB:FA01 Example 5. This sample output shows the characteristics of VLAN 1 that has generated a prefix from a local IPv6 prefix pool: interface vlan 1 ipv6 address 2001:0DB8:1::1/64...
  • Page 745: Show Ipv6 Neighbors

    IPv6 Router Commands 2001:0DB8:2::/64 infinite infinite 2001:0DB8:3::/64 infinite infinite 2001:0DB8:4::/64 2592000 604800 2001:0DB8:5::/64 2912000 564900 44.12 show ipv6 neighbors Use the show ipv6 neighbors command in User EXEC or Privileged EXEC mode to display IPv6 neighbor discovery (ND) cache information. Syntax interface-id ipv6-address...
  • Page 746: Show Ipv6 Route

    IPv6 Router Commands Examples Example 1—The following is sample output from the show ipv6 neighbors command when entered with an interface-id: show ipv6 neighbors vlan 1 IPv6 Address Age Link-layer Addr State Interface Router 2000:0:0:4::2 0003.a0d6.141e REACH VLAN1 3001:1::45a 0002.7d1a.9472 REACH VLAN1 FE80::203:A0FF:FED6:141E...
  • Page 747 IPv6 Router Commands Syntax ipv6-address ipv6-prefix/prefix-length protocol show ipv6 route [ | interface interface-id Parameters • ipv6-address—Displays routing information for a specific IPv6 address. This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16-bit values between colons. •...
  • Page 748 IPv6 Router Commands User Guidelines This command provides output similar to the show ip route command, except that the information is IPv6-specific. When the ipv6-address or ipv6-prefix/prefix-length argument is specified, a longest match lookup is performed from the routing table and only route information for that address or network is displayed.
  • Page 749 IPv6 Router Commands Example 2—The following is sample output from the show ipv6 route command when IPv6 Routing is supported and the command is entered without an IPv6 address or prefix specified and IPv6 Routing is enabled: show ipv6 route Codes: >...
  • Page 750 IPv6 Router Commands O - OSPF intra-area, OIA - OSPF inter-area, OE1 - OSPF external 1, OE2 - OSPF external 2, [d/m]: d - route’s distance, m - route’s metric IPv6 Routing Table - 261 entries OE1> 2001:200::/35 [20/3] via FE80::60:5C59:9E00:16 Tunnel1 78-21075-01 Command Line Interface Reference Guide...
  • Page 751: Tunnel Commands

    Tunnel Commands 45.1 interface tunnel Use the interface tunnel Global Configuration mode command to enter the Interface Configuration (Tunnel) mode. Syntax interface tunnel number Parameters number—Specifies the tunnel number. Default Configuration Command Mode Global Configuration mode Example The following example enters the Interface Configuration (Tunnel) mode.
  • Page 752: Tunnel Isatap Robustness

    Parameters seconds—Specifies the time interval in seconds between ISATAP router solicitation messages. (Range: 10–3600) Default Configuration The default time interval between ISATAP router solicitation messages is 10 seconds. Command Mode Global Configuration mode User Guidelines This command determines the interval between unsolicited router solicitation messages sent to discover an ISATAP router.
  • Page 753: Tunnel Isatap Router

    Tunnel Commands Default Configuration The default number of router solicitation refresh messages that the device sends is 3. Command Mode Global Configuration mode User Guidelines The router solicitation interval (when there is an active ISATAP router) is the minimum-router-lifetime that is received from the ISATAP router, divided by (Robustness + 1).
  • Page 754: Tunnel Mode Ipv6Ip

    Tunnel Commands User Guidelines This command determines the string that the host uses for automatic tunnel router lookup in the IPv4 DNS procedure. By default, the string ISATAP is used for the corresponding automatic tunnel types. Only one string can represent the automatic tunnel router name per tunnel. Using this command, therefore, overwrites the existing entry.
  • Page 755: Tunnel Source

    Tunnel Commands User Guidelines IPv6 tunneling consists of encapsulating IPv6 packets within IPv4 packets for transmission across an IPv4 routing infrastructure. ISATAP Tunnels Using this command with the isatap keyword specifies an automatic ISATAP tunnel. ISATAP tunnels enable transport of IPv6 packets within network boundaries. ISATAP tunnels allow individual IPv4/IPv6 dual-stack hosts within a site to connect to an IPv6 network using the IPv4 infrastructure.
  • Page 756: Show Ipv6 Tunnel

    Tunnel Commands interface is not changed when the IPv4 address is moved to another interface • interface-id—Interface whose minimum IPv4 address is used as the source address for packets sent on the tunnel interface. If the minimum IPv4 address is removed from the interface (removed altogether or moved to another interface), then the next minimum IPv4 address is chosen as the local IPv4 address.
  • Page 757 Tunnel Commands Command Mode EXEC mode Example Example 1. The following example displays information on the ISATAP tunnel, when the all keyword is not configured: switchxxxxxx# show ipv6 tunnel Tunnel 1 Tunnel type : ISATAP Tunnel status : UP Tunnel Local address type : VLAN 100 Tunnel Local Ipv4 address : 192.1.3.4...
  • Page 758 Tunnel Commands Tunnel type : ISATAP Tunnel status : UP Tunnel Local address type : VLAN 100 Tunnel Local Ipv4 address : 192.1.3.4 ISATAP Parameters Router DNS name : ISATAP Router Solicitation interval : 10 seconds Robustness Tunnel 2 Tunnel type : ISATAP Tunnel status : UP...
  • Page 759: Dhcp Relay Commands

    DHCP Relay Commands 46.1 ip dhcp relay enable (Global) Use the ip dhcp relay enable Global Configuration mode command to enable the DHCP relay feature on the device. Use the no form of this command to disable the DHCP relay feature. Syntax ip dhcp relay enable no ip dhcp relay enable...
  • Page 760: Ip Dhcp Relay Address (Global)

    DHCP Relay Commands Syntax ip dhcp relay enable no ip dhcp relay enable Parameters Default Configuration Disabled Command Mode Interface Configuration (VLAN, Ethernet, Port-channel) mode User Guidelines The operational status of DHCP Relay on an interface is active if one of the following conditions exists: •...
  • Page 761: Ip Dhcp Relay Address (Interface)

    DHCP Relay Commands Syntax ip dhcp relay address ip-address no ip dhcp relay address [ip-address] Parameters ip-address—Specifies the DHCP server IP address. Up to 8 servers can be defined. Default Configuration No server is defined. Command Mode Global Configuration mode User Guidelines Use the ip dhcp relay address command to define a global DHCP Server IP address.
  • Page 762: Show Ip Dhcp Relay

    DHCP Relay Commands no ip dhcp relay address [ip-address] Parameters ip-address—Specifies the DHCP server IP address. Up to 8 servers can be defined. Default Configuration No server is defined. Command Mode Interface Configuration (VLAN, Ethernet, Port-channel) mode User Guidelines Use the ip dhcp relay address command to define a DHCP Server IP address per interface.
  • Page 763 DHCP Relay Commands Command Mode EXEC mode Examples Example 1 - Option 82 is not supported: switchxxxxxx# show ip dhcp relay DHCP relay is globally enabled Option 82 is Disabled Maximum number of supported VLANs without IP Address is 256 Number of DHCP Relays enabled on VLANs without IP Address is 0 DHCP relay is not configured on any port.
  • Page 764 DHCP Relay Commands Example 3. Option 82 is supported (enabled): switchxxxxxx# show ip dhcp relay DHCP relay is globally enabled Option 82 is enabled Maximum number of supported VLANs without IP Address is 4 Number of DHCP Relays enabled on VLANs without IP Address: 2 DHCP relay is enabled on Ports: gi5,po3-4 Active: gi5 Inactive: po3-4...
  • Page 765: Ip Dhcp Information Option

    DHCP Relay Commands VLAN 2: 3.3.3.3, 4.4.4.4, 5.5.5.5 VLAN 10: 6.6.6.6 46.6 ip dhcp information option Use the ip dhcp information option Global Configuration command to enable DHCP option-82 data insertion. Use the no form of this command to disable DHCP option-82 data insertion.
  • Page 766 DHCP Relay Commands Parameters Default Configuration Command Mode EXEC mode Example The following example displays the DHCP Option 82 configuration. switchxxxxxx# show ip dhcp information option Relay agent Information option is Enabled
  • Page 767: Ip Routing Protocol-Independent Commands

    IP Routing Protocol-Independent Commands 47.1 ip route Use the ip route command in Global Configuration mode to establish static routes. Use the no form of this command to remove static routes. Syntax prefix mask prefix-length ip-address cost ip route } {{...
  • Page 768: Show Ip Route

    IP Routing Protocol-Independent Commands Example Example 1 - The following example shows how to route packets for network 172.31.0.0 to a router at 172.31.6.6 using a mask: ip route 172.31.0.0 255.255.0.0 172.31.6.6 metric 2 Example 2 - The following example shows how to route packets for network 172.31.0.0 to a router at 172.31.6.6 using a prefix length: ip route 172.31.0.0 /16 172.31.6.6 metric 2 Example 3 - The following example shows how to reject packets for network...
  • Page 769 IP Routing Protocol-Independent Commands Parameters • IP_address address —IP address about which routing information should be displayed. • mask—The subnet mask. • longer-prefixes—Specifies that only routes matching the IP address and mask pair should be displayed. • static—Displays static routes only. •...
  • Page 770: Acl Commands

    ACL Commands 48.1 ip access-list (IP extended) Use the ip access-list extended Global Configuration mode command to name an IPv4 access list (ACL) and to place the device in IPv4 Access List Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit ( IP ) deny ( IP )
  • Page 771: Permit ( Ip )

    ACL Commands 48.2 permit ( IP ) Use the permit IP Access-list Configuration mode command to set permit conditions for an IPv4 access list (ACL). Permit conditions are also known as access control entries (ACEs). Syntax protocol {any | source source-wildcard} {any | destination permit destination-wildcard} [dscp number | precedence number] [ time-range...
  • Page 772 • igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255) • destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, e.g. 20 - 21. For TCP, enter a number or one...
  • Page 773: Deny ( Ip )

    [dscp number | precedence number] time-range-name] time-range {any | source source-wildcard} {any| source-port/port-range}{any | deny tcp destination destination-wildcard} {any| destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [ time-range time-range-name]
  • Page 774 • igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255) • destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, e.g. 20 - 21. For TCP, enter a number or one...
  • Page 775 ACL Commands (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177).
  • Page 776: Ipv6 Access-List (Ipv6 Extended)

    ACL Commands switchxxxxxx(config)# ip access-list extended server switchxxxxxx(config-ip-al)# deny ip 176.212.0.0 00.255.255 48.4 ipv6 access-list (IPv6 extended) Use the ipv6 access-list Global Configuration mode command to define an IPv6 access list (ACL) and to place the device in IPv6 Access List Configuration mode. All commands after this command refer to this ACL.
  • Page 777: Permit ( Ipv6 )

    {any | {source-prefix/length} {any | source-port/port-range}}{any | permit tcp destination- prefix/length} {any| destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [ time-range time-range-name] udp {any | {source-prefix/length}} {any | source-port/port-range}}{any | permit destination- prefix/length} {any| destination-port/port-range} [dscp number | precedence number][...
  • Page 778 ACL Commands • precedence number—Specifies the IP precedence value. • icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136).
  • Page 779: Deny ( Ipv6 )

    ACL Commands User Guidelines If a range of ports is used for source port in an ACE, it is not counted again, if it is also used for a source port in another ACE. If a range of ports is used for the destination port in an ACE, it is not counted again if it is also used for destination port in another ACE.
  • Page 780 ACL Commands Parameters • protocol—The name or the number of an IP protocol. Available protocol names are: icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0–255) • source-prefix/length—The source IPv6 network or class of networks about which to set permit conditions.
  • Page 781: Mac Access-List

    ACL Commands • match-all list-of-flags—List of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin.
  • Page 782: Permit ( Mac )

    ACL Commands deny (MAC) commands. The service-acl input command is used to attach this ACL to an interface. Use the no form of this command to remove the access list. Syntax mac access-list extended acl-name no mac access-list extended acl-name Parameters acl-name—Specifies the name of the MAC ACL (Range: 1–32 characters).
  • Page 783 ACL Commands [time-range time-range-name] Parameters • source—Source MAC address of the packet. • source-wildcard—Wildcard bits to be applied to the source MAC address. Use 1s in the bit position that you want to be ignored. • destination—Destination MAC address of the packet. •...
  • Page 784: Deny (Mac)

    ACL Commands 48.9 deny (MAC) Use the deny command in MAC Access List Configuration mode to set deny conditions (ACEs) for a MAC ACL. Syntax deny {any | source source-wildcard} {any | destination destination-wildcard} [{eth-type 0}| aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] [disable-port | log-input] Parameters...
  • Page 785: Service-Acl Input

    ACL Commands Command Mode MAC Access-list Configuration mode User Guidelines After an access control entry (ACE) is added to an access control list, an implicit deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied.
  • Page 786: Time-Range

    ACL Commands Command Mode Interface Configuration (Ethernet, Port-Channel) mode. User Guidelines The following rules govern when ACLs can be bound or unbound from an interface: • IPv4 ACLs and IPv6 ACLs can be bound together to an interface. • A MAC ACL cannot be bound on an interface which already has an IPv4 ACL or IPv6 ACL bound to it.
  • Page 787 ACL Commands Parameters time-range-name—Specifies the name for the time range. (Range: 1–32 characters) Default Configuration No time range is defined. Command Mode Global Configuration mode User Guidelines After adding the name of a time range with this command, use the absolute and periodic commands to actually configure the time-range.
  • Page 788: Absolute

    ACL Commands Example switchxxxxxx(config)# time-range http-allowed switchxxxxxx(config-time-range)# absolute start 12:00 1 jan 2005 switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005 48.12 absolute Use the absolute Time-range Configuration mode command to specify an absolute time when a time range is in effect. Use the no form of this command to remove the time limitation.
  • Page 789: Periodic

    ACL Commands Command Mode Time-range Configuration mode Example switchxxxxxx(config)# time-range http-allowed switchxxxxxx(config-time-range)# absolute start 12:00 1 jan 2005 switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005 48.13 periodic Use the periodic Time-range Configuration mode command to specify a recurring (weekly) time range for functions that support the time-range feature. Use the no form of this command to remove the time limitation.
  • Page 790: Show Time-Range

    ACL Commands • list day-of-the-week1—Specifies a list of days that the time range is in effect. Default Configuration There is no periodic time when the time range is in effect. Command Mode Time-range Configuration mode User Guidelines The second occurrence of the day can be in the following week, e.g. Thursday–Monday means that the time range is effective on Thursday, Friday, Saturday, Sunday, and Monday.
  • Page 791: Show Access-Lists

    ACL Commands -------------- absolute start 12:00 1 jan 2005 absolute end 12:00 31 dec 2005 periodic monday 8:00 to friday 20:00 48.15 show access-lists Use the show access-lists Privileged EXEC mode command to display access control lists (ACLs) configured on the switch. Syntax name show access-lists [...
  • Page 792: Show Interfaces Access-Lists

    ACL Commands Standard IP access list ACL1 permit 192.168.0.0/16 10.1.1.1 Extended IP access list ACL2 permit 234 172.30.19.1 0.0.0.255 any time-range weekdays permit 234 172.30.23.8 0.0.0.255 any time-range weekdays switchxxxxxx#show access-lists time-range-active Extended IP access list ACL1 permit 234 172.30.40.1 0.0.0.0 any permit 234 172.30.8.8 0.0.0.0 any Extended IP access list ACL2...
  • Page 793 ACL Commands Command Mode Privileged EXEC mode Example switchxxxxxx# show interfaces access-lists Interface Ingress ACL Egress ACL --------- ----------- ------------ ACL1 ACL2 ACL3 blockcdp, blockvtp
  • Page 794: Quality Of Service (Qos) Commands

    Quality of Service (QoS) Commands 49.1 qos Use the qos Global Configuration mode command to enable QoS on the device and set its mode. Use the no form of this command to disable QoS on the device. Syntax basic advanced ports-not-trusted | ports-trusted qos [ no qos Parameters...
  • Page 795: Qos Advanced-Mode Trust

    Quality of Service (QoS) Commands Examples Example 1 - The following example enables QoS basic mode on the device. switchxxxxxx(config)# Example 2 - The following example enables QoS advanced mode on the device with the ports-not-trusted option. switchxxxxxx(config)# qos advanced 49.2 qos advanced-mode trust Use the qos advanced-mode trust Global Configuration command to configure the...
  • Page 796: Show Qos

    Quality of Service (QoS) Commands • ports-not-trusted mode: For packets that are classified to the QoS action trust. • ports-trusted mode: For packets that are not classified to any QoS action or classified to the QoS action trust. Example The following example sets cos as the trust mode for QoS on the device.
  • Page 797: Class-Map

    Quality of Service (QoS) Commands Qos: basic Basic trust: dscp Example 2 - The following example displays QoS attributes when QoS is enabled in basic mode on the device and the advanced mode is not supported. switchxxxxxx# show qos Qos: disable Trust: dscp 49.4 class-map...
  • Page 798 Quality of Service (QoS) Commands • match-any—Performs a logical OR of the criteria of the ACLs belonging to this class map. Only a single match criterion in this class map must be matched. Default Configuration If neither match-all nor match-any is specified, the match-all parameter is selected by default.
  • Page 799: Show Class-Map

    Quality of Service (QoS) Commands 49.5 show class-map The show class-map EXEC mode command displays all class maps when QoS is in advanced mode. Syntax show class-map [class-map-name] Parameters class-map-name—Specifies the name of the class map to be displayed. Command Mode EXEC mode Example...
  • Page 800: Policy-Map

    Quality of Service (QoS) Commands Default Configuration No match criterion is supported. Command Mode Class-map Configuration mode. Example The following example defines a class map called Class1. Class1 contains an ACL called enterprise. Only traffic matching all criteria in enterprise belongs to the class map.
  • Page 801: Class

    Quality of Service (QoS) Commands User Guidelines Use the policy-map Global Configuration mode command to specify the name of the policy map to be created, added to, or modified before configuring policies for classes whose match criteria are defined in a class map. Entering the policy-map Global Configuration mode command also enables...
  • Page 802: Show Policy-Map

    Quality of Service (QoS) Commands • access-group acl-name—Specifies the name of an IP or MAC Access Control List (ACL). Default Configuration No class map is defined for the policy map. Command Mode Policy-map Configuration mode User Guidelines This is the same as creating a class map and then binding it to the policy map. You can specify an existing class map in this command, or you can use the access-group parameter to create a new class map.
  • Page 803: Trust

    Quality of Service (QoS) Commands Default Configuration All policy-maps are displayed. Command Mode EXEC mode Example The following example displays all policy maps. switchxxxxxx# show policy-map Policy Map policy1 class class1 set IP dscp 7 Policy Map policy2 class class 2 police 96000 4800 exceed-action drop class class3 police 124000 96000 exceed-action policed-dscp-transmit...
  • Page 804 Quality of Service (QoS) Commands Default Configuration The default state is according to the mode selected in the command (advanced mode). The type of trust is determined in qos advanced-mode trust. Command Mode Policy-map Class Configuration mode User Guidelines Use this command to distinguish the QoS trust behavior for certain traffic from others.
  • Page 805: Set

    Quality of Service (QoS) Commands switchxxxxxx(config-pmap-c)# trust 49.11 set Use the set Policy-map Class Configuration mode command to select the value that QoS uses as the DSCP value, the egress queue or to set user priority values. This command is only available when QoS is in advanced mode. Syntax {dscp new-dscp | queue queue-id | cos new-cos no set...
  • Page 806: Police

    Quality of Service (QoS) Commands switchxxxxxx(config)# class-map c1 switchxxxxxx(config-cmap)# match access-group ip1 switchxxxxxx(config-cmap)# exit switchxxxxxx(config)# policy-map p1 switchxxxxxx(config-pmap)# class c1 switchxxxxxx(config-pmap-c)# set dscp 49.12 police Use the police Policy-map Class Configuration mode command to define the policer for classified traffic. This defines another group of actions for the policy map (per class map).
  • Page 807: Service-Policy

    Quality of Service (QoS) Commands Default Usage Command Mode Policy-map Class Configuration mode User Guidelines This command only exists when the device is in Layer 2 mode. Policing uses a token bucket algorithm. CIR represents the speed with which the token is added to the bucket.
  • Page 808: Qos Aggregate-Policer

    Quality of Service (QoS) Commands • deny-any—Deny all the packets (which were ingress of the port) that do not meet the rules in a policy. • permit-any—Forward all the packets (which were ingress of the port) that do not meet the rules in a policy. Command Mode Interface Configuration (Ethernet, Port-channel) mode User Guidelines...
  • Page 809 Quality of Service (QoS) Commands • exceed-action {drop | policed-dscp-transmit}—Specifies the action taken when the rate is exceeded. The possible values are: drop—Drops the packet. policed-dscp-transmit—Remarks the packet DSCP. Default Configuration No aggregate policer is defined. Command Mode Global Configuration mode User Guidelines This command only exists when the device is in Layer 2.
  • Page 810: Show Qos Aggregate-Policer

    Quality of Service (QoS) Commands 49.15 show qos aggregate-policer Use the show qos aggregate-policer EXEC mode command to display aggregate policers. This command is only available in QoS advanced mode. Syntax show qos aggregate-policer [ aggregate-policer-name Parameters aggregate-policer-name—Specifies the aggregate policer name. Default Configuration All policers are displayed.
  • Page 811: Wrr-Queue Cos-Map

    Quality of Service (QoS) Commands aggregate-policer-name no police aggregate Parameters aggregate-policer-name—Specifies the aggregate policer name. Command Mode Policy-map Class Configuration mode User Guidelines An aggregate policer can be applied to multiple classes in the same policy map. An aggregate policer cannot be applied across multiple policy maps or interfaces. Use the exit command to return to the Configuration mode.
  • Page 812 Quality of Service (QoS) Commands Syntax queue-id cos0 cos7 wrr-queue cos-map queue-id no wrr-queue cos-map [ Parameters • queue-id—Specifies the queue number to which the CoS values are mapped. • cos0... cos7—Specifies up to 8 CoS values to map to the specified queue number.
  • Page 813: Wrr-Queue Bandwidth

    Quality of Service (QoS) Commands 49.18 wrr-queue bandwidth Use the wrr-queue bandwidth global Configuration command to assign Weighted Round Robin (WRR) weights to egress queues. The weight ratio determines the frequency at which the packet scheduler removes packets from each queue. Use the no form of this command to restore the default configuration.
  • Page 814: Priority-Queue Out Num-Of-Queues

    Quality of Service (QoS) Commands Example The following assigns WRR values to the queues. switchxxxxxx(config)# wrr-queue bandwidth 6 6 6 6 49.19 priority-queue out num-of-queues An expedite queue is a strict priority queue, which is serviced until empty before the other lower priority queues are serviced. Use the priority-queue out num-of-queues Global Configuration mode command to configure the number of expedite queues.
  • Page 815: Traffic-Shape

    Quality of Service (QoS) Commands indicates that the corresponding weight in the wrr-queue bandwidth Interface Configuration mode command is ignored (not used in the ratio calculation). Example The following example configures the number of expedite queues as 2. switchxxxxxx(config)# priority-queue out num-of-queues 49.20 traffic-shape The egress port shaper controls the traffic transmit rate (Tx rate) on a port.
  • Page 816: Traffic-Shape Queue

    Quality of Service (QoS) Commands switchxxxxxx(config)# interface switchxxxxxx(config-if)# 1 124000 9600 traffic-shape 49.21 traffic-shape queue The egress port shaper controls the traffic transmit rate (Tx rate) on a queue on a port. Use the traffic-shape queue Interface Configuration mode command to configure the egress queue shaper.
  • Page 817: Rate-Limit (Ethernet)

    Quality of Service (QoS) Commands 49.22 rate-limit (Ethernet) Use the rate-limit Interface Configuration mode command to limit the incoming traffic rate on a port. Use the no form of this command to disable the rate limit. Syntax committed-rate-kbps [burst committed-burst-bytes] rate-limit no rate-limit Parameters...
  • Page 818: Rate-Limit (Vlan)

    Quality of Service (QoS) Commands 49.23 rate-limit (VLAN) Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the incoming traffic rate for a VLAN. Use the no form of this command to disable the rate limit. Syntax vlan-id committed-rate committed-burst rate-limit no rate-limit vlan...
  • Page 819: Qos Wrr-Queue Wrtd

    Quality of Service (QoS) Commands switchxxxxxx(config)# rate-limit 11 150000 9600 49.24 qos wrr-queue wrtd Use the qos wrr-queue wrtd Global Configuration mode command to enable Weighted Random Tail Drop (WRTD). Use the no form of this command to disable WRTD. Syntax qos wrr-queue wrtd no qos wrr-queue wrtd...
  • Page 820: Show Qos Interface

    Quality of Service (QoS) Commands Syntax show qos wrr-queue wrtd Parameters Default Configuration Command Mode Exec mode Example switchxxxxxx# show qos wrr-queue wrtd Weighted Random Tail Drop is disabled Weighted Random Tail Drop will be enabled after reset 49.26 show qos interface Use the show qos interface EXEC mode command to display Quality of Service (QoS) information on the interface.
  • Page 821 Quality of Service (QoS) Commands • interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port, or Port-channel. Default Configuration Command Mode EXEC mode User Guidelines If no parameter is specified with the show qos interface command, the port QoS mode (DSCP trusted, CoS trusted, untrusted, and so on), default CoS value, DSCP-to-DSCP- map (if any) attached to the port, and policy map (if any) attached to the interface are displayed.
  • Page 822 Quality of Service (QoS) Commands 5 - 4 6 - 4 7 - 4 Example 2 - This is an example of the output from the show qos interface shapers command Ethernet gi1 Port shaper: disable Committed rate: N/A Committed burst: N/A Target Target Status...
  • Page 823: Wrr-Queue

    Quality of Service (QoS) Commands Example - 3 This is an example of the output from the show qos interface policer command. switchxxxxxx# show qos interface policer Ethernet gi1 Class map: A Policer type: aggregate Commited rate: 192000 bps Commited burst: 9600 bytes Exceed-action: policed-dscp-transmit Class map: B Policer type: single...
  • Page 824: Qos Wrr-Queue Threshold

    Quality of Service (QoS) Commands Parameters tail-drop— Specifies the tail-drop mechanism. Default Configuration The tail-drop mechanism on an egress queue is disabled. Command Mode Global Configuration mode User Guidelines This command can only be used if Advanced mode is enabled. Example The following example enables the tail-drop mechanism on an egress queue.
  • Page 825: Qos Map Policed-Dscp

    Quality of Service (QoS) Commands • threshold-percentage—Specifies the queue threshold percentage value. Default Configuration The default threshold is 80 percent. Command Mode Global Configuration mode User Guidelines If the threshold is exceeded, packets with the corresponding Drop Precedence (DP) are dropped until the threshold is no longer exceeded. Example The following example assigns a threshold of 80 percent to WRR queue 1.
  • Page 826: Qos Map Dscp-Queue

    Quality of Service (QoS) Commands Command Mode Global Configuration mode. User Guidelines The original DSCP value and policed-DSCP value must be mapped to the same queue in order to prevent reordering. Example The following example marks incoming DSCP value 3 as DSCP value 5 on the policed-DSCP map.
  • Page 827: Qos Map Dscp-Dp

    Quality of Service (QoS) Commands Command Mode Global Configuration mode Example The following example maps DSCP values 33, 40 and 41 to queue 1. switchxxxxxx(config)# qos map dscp-queue 33 40 41 49.31 qos map dscp-dp Use the qos map dscp-dp Global Configuration mode command to map the DSCP values to Drop Precedence.
  • Page 828: Qos Trust (Global)

    Quality of Service (QoS) Commands 49.32 qos trust (Global) Use the qos trust Global Configuration mode command to configure the system to the basic mode and trust state. Use the no form of this command to return to the default configuration. Syntax {cos | dscp} qos trust...
  • Page 829: Qos Trust (Interface)

    Quality of Service (QoS) Commands For an inter-QoS domain boundary, configure the port to the DSCP-trusted state and apply the DSCP-to-DSCP-mutation map if the DSCP values are different in the QoS domains. Example The following example configures the system to the DSCP trust state. switchxxxxxx(config)# qos trust dscp 49.33 qos trust (Interface)
  • Page 830: Qos Cos

    Quality of Service (QoS) Commands 49.34 qos cos Use the qos cos Interface Configuration (Ethernet, Port-channel) mode command to define the default CoS value of a port. Use the no form of this command to restore the default configuration. Syntax default-cos qos cos no qos cos...
  • Page 831: Qos Map Dscp-Mutation

    Quality of Service (QoS) Commands Syntax qos dscp-mutation no qos dscp-mutation Parameters Default Configuration Command Mode Global Configuration mode. User Guidelines Apply the DSCP-to-DSCP-mutation map to a port at the boundary of a Quality of Service (QoS) administrative domain. If two QoS domains have different DSCP definitions, use the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition of another domain.
  • Page 832: Show Qos Map

    Quality of Service (QoS) Commands Syntax in-dscp out-dscp qos map dscp-mutation in-dscp no qos map dscp-mutation [ Parameters • in-dscp—Specifies up to 8 DSCP values to map, separated by spaces. (Range: 0–63) • out-dscp—Specifies up to 8 DSCP mapped values, separated by spaces. (Range: 0–63) Default Configuration The default map is the Null map, which means that each incoming DSCP value is...
  • Page 833: Clear Qos Statistics

    Quality of Service (QoS) Commands Parameters • dscp-queue—Displays the DSCP to queue map. • dscp-dp—Displays the DSCP to Drop Precedence map. • policed-dscp—Displays the DSCP to DSCP remark table. • dscp-mutation—Displays the DSCP-DSCP mutation table. Default Configuration Display all maps. Command Mode EXEC mode Example...
  • Page 834: Qos Statistics Policer

    Quality of Service (QoS) Commands Parameters Default Configuration Command Mode EXEC mode Example The following example clears the QoS statistics counters. switchxxxxxx# clear qos statistics 49.39 qos statistics policer Use the qos statistics policer Interface Configuration (Ethernet, Port-channel) mode command to enable counting in-profile and out-of-profile. Use the no form of this command to disable counting.
  • Page 835: Qos Statistics Aggregate-Policer

    Quality of Service (QoS) Commands Example The following example enables counting in-profile and out-of-profile on the interface. switchxxxxxx(config-if)# policy1 class1 qos statistics policer 49.40 qos statistics aggregate-policer Use the qos statistics aggregate-policer Global Configuration mode command to enable counting in-profile and out-of-profile. Use the no form of this command to disable counting.
  • Page 836: Show Qos Statistics

    Quality of Service (QoS) Commands Syntax set {queue | all} {dp | all} {interface | all} qos statistics queues no qos statistics queues Parameters • set—Specifies the counter set number. • interface—Specifies the Ethernet port. • queue—Specifies the output queue number. •...
  • Page 837 Quality of Service (QoS) Commands Parameters Default Configuration Command Mode EXEC mode User Guidelines Up to 16 sets of counters can be enabled for policers. The counters can be enabled in the creation of the policers. Use the qos statistics queues Global Configuration mode command to enable QoS statistics for output queues.
  • Page 838 Quality of Service (QoS) Commands Output Queues ------------- Interface Queue Total packets TD packets --------- ----- ------------- ----------- High 799921 1.2% High 5387326 0.2% 78-21075-01 Command Line Interface Reference Guide...
  • Page 839: Denial Of Service (Dos) Commands

    Denial of Service (DoS) Commands 50.1 security-suite enable Use the security-suite enable Global Configuration mode command to enable the security suite feature. This feature supports protection against various types of attacks. When this command is used, hardware resources are reserved. These hardware resources are released when the no security-suite enable command is entered.
  • Page 840 Denial of Service (DoS) Commands Parameters global-rules-only—Specifies that all the security suite commands are global commands only (they cannot be applied per-interface). This setting saves space in the Ternary Content Addressable Memory (TCAM). If this keyword is not used, security-suite commands can be used both globally and per-interface. Default Configuration The security suite feature is disabled.
  • Page 841: Security-Suite Dos Protect

    Denial of Service (DoS) Commands switchxxxxxx(config-if)# 50.2 security-suite dos protect Use the security-suite dos protect Global Configuration mode command to protect the system from specific well-known Denial of Service (DoS) attacks. There are three types of attacks against which protection can be supplied (see parameters below).
  • Page 842: Security-Suite Dos Syn-Attack

    Denial of Service (DoS) Commands Example The following example protects the system from the Invasor Trojan DOS attack. switchxxxxxx(config)# security-suite dos protect add invasor-trojan 50.3 security-suite dos syn-attack Use the security-suite dos syn-attack Interface Configuration mode command to rate limit Denial of Service (DoS) SYN attacks. This provides partial blocking of SYN packets (up to the rate that the user specifies).
  • Page 843: Security-Suite Deny Martian-Addresses

    Denial of Service (DoS) Commands User Guidelines For this command to work, security-suite enable must be enabled both globally and for interfaces. This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0" for the specified destination IP addresses. SYN attack rate limiting is implemented after the security suite rules are applied to the packets.
  • Page 844 Denial of Service (DoS) Commands There is no no form of the security-suite deny martian-addresses reserved {add | remove} command. Use instead the security-suite deny martian-addresses remove reserved command to remove protection (and free up hardware resources). Parameters • reserved add/remove—Add or remove the table of reserved addresses below.
  • Page 845: Security-Suite Deny Syn

    Denial of Service (DoS) Commands Address block Present Use 224.0.0.0/4 as source This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments. 240.0.0.0/4 (except when This block, formerly known as the Class E address space, 255.255.255.255/32 is is reserved.
  • Page 846: Security-Suite Deny Icmp

    Denial of Service (DoS) Commands • tcp-port | any—Specifies the destination TCP port. The possible values are: http, ftp-control, ftp-data, ssh, telnet, smtp, dns, tftp, ntp, snmp or port number. Use any to specify all ports. Default Configuration Creation of TCP connections is allowed from all interfaces. If the mask is not specified, it defaults to 255.255.255.255.
  • Page 847 Denial of Service (DoS) Commands Syntax {[add {ip-address | any} {mask | /prefix-length}] | [remove security-suite deny icmp {ip-address | any} {mask | /prefix-length}]} no security-suite deny icmp Parameters • ip-address | any—Specifies the destination IP address. Use any to specify all IP addresses.
  • Page 848: Security-Suite Deny Fragmented

    Denial of Service (DoS) Commands 50.7 security-suite deny fragmented Use the security-suite deny fragmented Interface Configuration (Ethernet, Port-channel) mode command to discard IP fragmented packets from a specific interface. Use the no form of this command to permit IP fragmented packets. Syntax {[add {ip-address | any} {mask | /prefix-length}] | security-suite deny fragmented...
  • Page 849: Show Security-Suite Configuration

    Denial of Service (DoS) Commands switchxxxxxx(config)# security-suite enable global-rules-only switchxxxxxx(config)# interface switchxxxxxx(config-if)# security-suite deny fragmented add any / To perform this command, DoS Prevention must be enabled in the per-interface mode. 50.8 show security-suite configuration Use the show security-suite configuration EXEC mode command to display the security-suite configuration.
  • Page 850: Security-Suite Deny Syn-Fin

    Denial of Service (DoS) Commands Interface IP Address --------------- -------------- 176.16.23.0\24 Fragmented packets filtering Interface IP Address -------------- -------------- gi2s 176.16.23.0\24 50.9 security-suite deny syn-fin Use the security-suite deny syn-fin Global Configuration mode command to drop all ingressing TCP packets in which both SYN and FIN flags are set. Use the no form of this command to permit TCP packets in which both SYN and FIN are set.
  • Page 851: Security-Suite Syn Protection Mode

    Denial of Service (DoS) Commands 50.10 security-suite syn protection mode Use the security-suite syn protection mode Global Configuration mode command to set the TCP SYN protection mode. Use the no form of this command to set the TCP SYN protection mode to default. Syntax security-suite syn protection mode { disabled...
  • Page 852: Security-Suite Syn Protection Threshold

    Denial of Service (DoS) Commands 01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port gi1 Example 2—The following example sets the TCP SYN protection feature to block TCP SYN attack on ports if an attack is identified from these ports. security-suite syn protection mode block switchxxxxxx(config)# …...
  • Page 853: Security-Suite Syn Protection Recovery

    Denial of Service (DoS) Commands 50.12 security-suite syn protection recovery Use the security-suite syn protection recovery Global Configuration mode command to set the time period for the SYN Protection feature to block an attacked interface. Use the no form of this command to reset the time period to its default value. Syntax timeout security-suite syn protection recovery...
  • Page 854 Denial of Service (DoS) Commands Syntax show security-suite syn protection interface-id Parameters interface-id—Specifies an interface-ID. The interface-ID can be one of the following types: Ethernet port or Port-Channel. If this parameter is not provided, information is displayed for all interfaces. Command Mode EXEC mode Example...
  • Page 855: Router Resources Commands

    Router Resources Commands 51.1 system router resources Use the system router resources command in Global Configuration mode to configure the system router resources. Use the no form of this command to return to the default. Syntax max-number system router resources [ip-entries no system router resources Parameters •...
  • Page 856 Router Resources Commands The following table displays the conversion between logical entities to HW entries: Examples Example 1 The following example defines the supported number of IPv4 and IPv6 routing entries. In the example, the configured router entries are less than the router entries which are currently in use.
  • Page 857: Show System Router Resources

    Router Resources Commands IPv4 Entries 1024 Number of Routes Number of Neighbors Number of Interfaces IPv6 Entries 1024 Number of Routes Number of Neighbors Number of Interfaces Number of On-Link Prefixes Non-IP Entries: Setting the new configuration of route entries requires saving the running-configuration file to startup-configuration file and rebooting the system, do you want to continue? (Y/N) [N] Y 51.2...
  • Page 858 Router Resources Commands In-Use Reserved ------ -------- IPv4 Entries 1024 Number of Routes Number of Neighbors Number of Interfaces IPv6 Entries 1024 Number of Routes Number of Neighbors Number of Interfaces Non-IP Entries:
  • Page 859: Dhcpv6 Commands

    DHCPv6 Commands 52.1 ipv6 dhcp client stateless Use the ipv6 dhcp client stateless command in Interface Configuration mode to enable DHCP for an IPv6 client process and to enable a request for stateless configuration through the interface on which the command is run. Use the no form of this command to disable requests for stateless configuration.
  • Page 860: Clear Ipv6 Dhcp Client

    • Option 32: OPTION_INFORMATION_REFRESH_TIME - Information Refresh Time Option • Option 41: OPTION_NEW_POSIX_TIMEZONE - New Timezone Posix String • Option 59: OPT_BOOTFILE_URL - Configuration Server URL • Option 60: OPT_BOOTFILE_PARAM, the first parameter - Configuration File Path Name The DHCPv6 client, server, and relay functions are mutually exclusive on an interface.
  • Page 861: Ipv6 Dhcp Client Information Refresh

    DHCPv6 Commands User Guidelines This command restarts DHCP for an IPv6 client on a specified interface after first releasing and un-configuring previously-acquired prefixes and other configuration options (for example, DNS servers). Example The following example restarts the DHCP for IPv6 client on VLAN 100: clear ipv6 dhcp client vlan 100 52.3 ipv6 dhcp client information refresh...
  • Page 862: Ipv6 Dhcp Client Information Refresh Minimum

    User Guidelines This command specifies the information refresh time. If the server does not send an information refresh time option, the value configured by the command is used. Use the infinite keyword to delete refresh, if the DHCP server does not send an information refresh time option.
  • Page 863: Ipv6 Dhcp Duid-En

    DHCPv6 Commands Command Mode Interface configuration (config-if). User Guidelines This command specifies the minimum acceptable information refresh time. If the server sends an information refresh time option of less than the configured minimum refresh time, the configured minimum refresh time will be used instead. This command may be configured in several situations: •...
  • Page 864: Ipv6 Dhcp Relay Destination (Global)

    Parameters • enterprise-number—The vendor’s registered Private Enterprise number as maintained by IANA. • identifier—The vendor-defined hex string (up to 64 hex characters). If the number of characters is not even, a ’0’ is added at the right. Each 2 hex characters can be separated by a period or colon.
  • Page 865 DHCPv6 Commands Syntax ipv6-address interface-id interface-id ipv6 dhcp relay destination { ]} | ipv6-address interface-id interface-id no ipv6 dhcp relay destination [ ]] | Parameters • ipv6-address—Relay destination address. There are the following types of relay destination address: Link-local unicast. A user must specify an output interface for this kind of address.
  • Page 866: Ipv6 Dhcp Relay Destination (Interface)

    messages to a multicast address, it sets the hop limit field in the IPv6 packet header to 32. Unspecified, loopback, and node-local multicast addresses are not acceptable as the relay destination. ipv6-address interface-id Use the no form of the command with the arguments to remove only the given globally defined address with the given output interface.
  • Page 867 DHCPv6 Commands Syntax ipv6-address interface-id interface-id ipv6 dhcp relay destination [ ]] | ipv6-address interface-id interface-id no ipv6 dhcp relay destination [ ]] | Parameters • ipv6-address—Relay destination address. The following types of relay destination addresses exist: Link-local unicast. A user must specify an output interface for this kind of address.
  • Page 868 The incoming DHCP for IPv6 message may have come from a client on that interface, or it may have been relayed by another relay agent. The relay destination can be a Unicast address of a server or another relay agent, or it may be a Multicast address.
  • Page 869: Show Ipv6 Dhcp

    DHCPv6 Commands Example 2—The following example sets the relay well known Multicast link-local destination address per VLAN 200 and enables the DHCPv6 Relay on VLAN 100 if it was not enabled: interface vlan 100 ipv6 dhcp relay destination vlan 200 exit Example 3—The following example sets the Unicast global relay destination address and enables the DHCPv6 Relay on VLAN 100 if it was not enabled:...
  • Page 870 Syntax show ipv6 dhcp Parameters Command Mode User EXEC Privileged EXEC User Guidelines This command uses the DUID, based on the link-layer address for both client and server identifiers. The device uses the MAC address from the lowest-numbered interface to form the DUID. The network interface is assumed to be permanently attached to the device.
  • Page 871: Show Ipv6 Dhcp Interface

    DHCPv6 Commands 52.9 show ipv6 dhcp interface Use the show ipv6 dhcp interface command in User EXEC or Privileged EXEC mode to display DHCP for IPv6 interface information. Syntax interface-id show ipv6 dhcp interface [ Parameters interface-id —Interface identifier. Command Mode User EXEC Privileged EXEC User Guidelines...
  • Page 872 Preference: 20 DNS Servers: 1001::1, 2001::10 DNS Domain Search List: company.com beta.org SNTP Servers: 2004::1 POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00 Configuration Server: config.company.com Configuration Path Name: qqq/config/aaa_config.dat gi2 is in client mode DHCP Operational mode is disabled (IPv6 is not enabled) Stateless Service is enabled Reconfigure service is enabled Information Refresh Minimum...
  • Page 873 DHCPv6 Commands Information Refresh Minimum Time: 600 seconds Information Refresh Time: 86400 seconds Remain Information Refresh Time: 0 seconds DHCP server: Address FE80::202:FCFF:FEA1:7439, DUID 000300010002FCA17400 Preference: 20 Received Information Refresh Time: 3600 seconds DNS Servers: 1001::1, 2001::10 DNS Domain Search List: company.com beta.org SNTP Servers: 2004::1 POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00 Configuration Server: config.company.com...
  • Page 874: Dhcp Server Commands

    DHCP Server Commands 53.1 ip dhcp server Use the ip dhcp server Global Configuration mode command to enable the DHCP server features on the device. Use the no form of this command to disable the DHCP server. Syntax ip dhcp server no ip dhcp server Default Configuration The DHCP server is disabled.
  • Page 875: Ip Dhcp Pool Network

    DHCP Server Commands Default Configuration DHCP hosts are not configured. Command Mode Global Configuration mode User Guidelines During execution of this command, the configuration mode changes to the DHCP Pool Configuration mode, which is identified by the (config-dhcp)# prompt. In this mode, the administrator can configure host parameters, such as the IP subnet number and default router list.
  • Page 876: Address (Dhcp Host)

    DHCP Server Commands this mode, the administrator can configure pool parameters, such as the IP subnet number and default router list. Example The following example configures Pool 1 as the DHCP address pool. Console(config)# Pool1 ip dhcp pool network Console(config-dhcp)# 53.4 address (DHCP Host) Use the address DHCP Pool Host Configuration mode command to manually bind...
  • Page 877: Address (Dhcp Network)

    DHCP Server Commands Command Mode DHCP Pool Host Configuration mode Example The following example manually binds an IP address to a DHCP client. Console(config-dhcp)# address 10.12.1.99 255.255.255.0 01b7.0813.8811.66 53.5 address (DHCP Network) Use the address DHCP Pool Network Configuration mode command to configure the subnet number and mask for a DHCP address pool on a DHCP server.
  • Page 878: Lease

    DHCP Server Commands Command Mode DHCP Pool Network Configuration mode Example The following example configures the subnet number and mask for a DHCP address pool on DHCP server. address Console(config-dhcp)# 10.12.1.0 255.255.255.0 53.6 lease Use the lease DHCP Pool Network Configuration mode command to configure the time duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client.
  • Page 879: Client-Name

    DHCP Server Commands lease Console(config-dhcp)# The following example shows a one-hour lease. lease Console(config-dhcp)# The following example shows a one-minute lease. lease Console(config-dhcp)# 0 0 1 The following example shows an infinite (unlimited) lease. lease infinite Console(config-dhcp)# 53.7 client-name Use the client-name DHCP Pool Host Configuration mode command to define the name of a DHCP client.
  • Page 880: Default-Router

    DHCP Server Commands 53.8 default-router Use the default-router DHCP Pool Configuration mode command to configure the default router list for a DHCP client. Use the no form of this command to remove the default router. Syntax ip-address ip-address2 ip-address8 default-router no default-router Parameters ip-address—Specifies the IP address of a router. One IP address is required, although up to eight addresses can be specified in one command line.
  • Page 881: Domain-Name

    DHCP Server Commands Parameters ip-address—Specifies a DNS server IP address. One IP address is required, although up to eight addresses can be specified in one command line. Command Mode DHCP Pool Host Configuration mode DHCP Pool Network Configuration mode Default Configuration No DNS server is defined.
  • Page 882: Netbios-Name-Server

    DHCP Server Commands Example The following example specifies yahoo.com as the DHCP client domain name string. domain-name Console(config-dhcp)# yahoo.com 53.11 netbios-name-server Use the netbios-name-server DHCP Pool Configuration mode command to configure the NetBIOS Windows Internet Naming Service (WINS) servers that are available to Microsoft DHCP clients.
  • Page 883: Next-Server

    DHCP Server Commands Syntax netbios-node-type {b-node p-node m-node h-node} no netbios-node-type Parameters • b-node—Specifies the Broadcast NetBIOS node type. • p-node—Specifies the Peer-to-peer NetBIOS node type. • m-node—Specifies the Mixed NetBIOS node type. • h-node—Specifies the Hybrid NetBIOS node type. Command Mode DHCP Pool Host Configuration mode DHCP Pool Network Configuration mode...
  • Page 884: Next-Server-Name

    DHCP Server Commands Default Configuration If the next-server command is not used to configure a boot server list, the DHCP server uses inbound interface helper addresses as boot servers. Command Mode DHCP Pool Host Configuration mode DHCP Pool Network Configuration mode Example The following example specifies 10.12.1.99 as the IP address of the next server in the boot process.
  • Page 885: Bootfile

    DHCP Server Commands next-server Console(config-dhcp)# www.bootserver.com 53.15 bootfile Use the bootfile DHCP Pool Configuration mode command to specify the default boot image file name for a DHCP client. Use the no form of this command to delete the boot image file name. Syntax filename bootfile...
  • Page 886: Option

    DHCP Server Commands Command Mode DHCP Pool Host Configuration mode DHCP Pool Network Configuration mode Default Configuration No time server name is defined. User Guidelines The time server’s IP address should be on the same subnet as the client subnet. Example The following example specifies 10.12.1.99 as the time server IP address.
  • Page 887 DHCP Server Commands • ip-address1 ip-address2 …]—Specifies a list of one or more IP addresses. Command Mode DHCP Pool Host Configuration mode DHCP Pool Network Configuration mode User Guidelines DHCP provides a framework for passing configuration information to hosts on a TCP/IP network.
  • Page 888: Ip Dhcp Excluded-Address

    DHCP Server Commands 53.18 ip dhcp excluded-address Use the ip dhcp excluded-address Global Configuration mode command to specify the IP addresses that a DHCP server should not assign to DHCP clients. Use the no form of this command to remove the excluded IP addresses. Syntax low-address high-address...
  • Page 889: Show Ip Dhcp

    DHCP Server Commands Parameters • address —Specifies the binding address to delete from the DHCP database. • * —Clears all automatic bindings. Command Mode Privileged EXEC mode User Guidelines Typically, the address supplied denotes the client IP address. If the asterisk (*) character is specified as the address parameter, DHCP clears all dynamic bindings.
  • Page 890: Show Ip Dhcp Excluded-Addresses

    DHCP Server Commands 53.21 show ip dhcp excluded-addresses The show ip dhcp excluded-addresses EXEC mode command displays the excluded addresses. Syntax show ip dhcp excluded-addresses Command Mode EXEC mode Example The following example displays the excluded addresses. show ip dhcp excluded-addresses console# The number of excluded addresses ranges is 2 Excluded addresses:...
  • Page 891 DHCP Server Commands The number of host pools is 1 Name IP Address Hardware Address Client Identifier ---------- ---------- ---------------- ----------------- station 172.16.1.11 01b7.0813.8811.66 Example 2 - The following example displays the DHCP pool host configuration with name station: console# show ip dhcp pool host station Name IP Address Hardware Address...
  • Page 892: Show Ip Dhcp Pool Network

    DHCP Server Commands 02af00aa00 53.23 show ip dhcp pool network The show ip dhcp pool network EXEC mode command displays the DHCP network configuration. Syntax show ip dhcp pool network [name] Parameters name —Specifies the DHCP pool name. (Length: 1-32 characters) Command Mode EXEC mode Example...
  • Page 893: Show Ip Dhcp Binding

    DHCP Server Commands DNS server: 10.12.1.99 Domain name: yahoo.com NetBIOS name server: 10.12.1.90 NetBIOS node type: h-node Next server: 10.12.1.99 Next-server-name: 10.12.1.100 Bootfile: Bootfile Time server 10.12.1.99 Options: Code Value ------------------ 3600 qq/aaaa/bbb.txt false 134.14.14.1 1.1.1.1, 12.23.45.2 02af00aa00 53.24 show ip dhcp binding Use the show ip dhcp binding EXEC mode command to display the specific address binding or all the address bindings on the DHCP server.
  • Page 894 DHCP Server Commands Router> show ip dhcp binding DHCP server enabled The number of used (all types) entries is 6 The number of pre-allocated entries is 1 The number of allocated entries is 1 The number of expired entries is 1 The number of declined entries is 2 The number of static entries is 1 The number of dynamic entries is 2...
  • Page 895: Show Ip Dhcp Server Statistics

    DHCP Server Commands The following table describes the significant fields shown in the display. Field Description IP address The host IP address as recorded on the DHCP server. Hardware address The MAC address or client identifier of the host as recorded on the DHCP server.
  • Page 896: Show Ip Dhcp Allocated

    DHCP Server Commands 53.26 show ip dhcp allocated Use the show ip dhcp allocated EXEC mode command to display the specific allocated address or all the allocated addresses on the DHCP server. Syntax show ip dhcp allocated [ip-address] Parameters ip-address —Specifies the IP address Command Mode EXEC mode...
  • Page 897: Show Ip Dhcp Declined

    DHCP Server Commands ---------- ---------------- -------------------- ------- 172.16.3.254 02c7.f800.0422 Infinite Static The following table describes the significant fields shown in the display. Field Description IP address The host IP address as recorded on the DHCP server. Hardware address The MAC address or client identifier of the host as recorded on the DHCP server.
  • Page 898: Show Ip Dhcp Expired

    DHCP Server Commands Router> show ip dhcp declined 172.16.1.11 DHCP server enabled The number of declined entries is 2 IP address Hardware address 172.16.1.11 00a0.9802.32de 53.28 show ip dhcp expired Use the show ip dhcp expired EXEC command to display the specific expired address or all of the expired addresses on the DHCP server.
  • Page 899: Show Ip Dhcp Pre-Allocated

    DHCP Server Commands 53.29 show ip dhcp pre-allocated Use the show ip dhcp pre-allocated EXEC command to display the specific pre-allocated address or all the pre-allocated addresses on the DHCP server. Syntax show ip dhcp pre-allocated [ip-address] Parameters ip-address—Specifies the IP. Command Mode EXEC mode Examples...
