Cisco 300 Series CLI Manual

Stackable managed switches

CLI GUIDE
Cisco 300 Series Stackable Managed Switches Command Line
Interface Reference Guide, Release 1.4

Summary of Contents for Cisco 300 Series

  • Page 1: CLI GUIDE Cisco 300 Series Stackable Managed Switches Command Line Interface Reference Guide, Release 1.4...
  • Page 3: Table Of Contents

    Contents: Introduction ... 24; 802.1X Commands ... 45; aaa authentication dot1x ... 45; authentication open ...
  • Page 4 Contents: show authentication methods ... 94; password ...
  • Page 5 Contents: bridge multicast ipv6 forbidden source group ... 158; bridge multicast unregistered ...
  • Page 6 Contents: cdp log mismatch voip ... 208; cdp log mismatch native ...
  • Page 7 Contents: boot system ... 263; show running-config ...
  • Page 8 Contents: ip dhcp snooping ... 310; ip dhcp snooping vlan ...
  • Page 9 Contents: ip domain polling-interval ... 356; ip domain retry ...
  • Page 10 Contents: show interfaces advertise ... 406; show interfaces description ...
  • Page 11 Contents: show ip igmp snooping multicast-tv ... 449; IP Addressing Commands ...
  • Page 12 Contents: ipv6 dhcp guard preference ... 505; ipv6 first hop security ...
  • Page 13 Contents: show ipv6 dhcp guard ... 570; show ipv6 dhcp guard policy ...
  • Page 14 Contents: lacp timeout ... 634; show lacp ...
  • Page 15 Contents: macro name ... 685; macro ...
  • Page 16 Contents: show power inline consumption ... 734; Port Channel Commands ...
  • Page 17 Contents: qos statistics aggregate-policer ... 784; qos statistics queues ...
  • Page 18 Contents: macro auto smartport type ... 840; macro auto processing cdp ...
  • Page 19 Contents: spanning-tree priority ... 892; spanning-tree disable ...
  • Page 20 Contents: show ip ssh-client ... 948; show ip ssh-client server ...
  • Page 21 Contents: show version ... 994; show version md5 ...
  • Page 22 Contents: exit (Configuration) ... 1039; exit (EXEC) ...
  • Page 23 Contents: show vlan private-vlan ... 1084; switchport access multicast-tv vlan ...
  • Page 24: Introduction

    Introduction This section describes how to use the Command Line Interface (CLI). It contains the following topics: • User (Privilege) Levels • CLI Command Modes • Accessing the CLI • CLI Command Conventions • Editing Features • Interface Naming Conventions •...
  • Page 25 • Level 1—Users with this level can only run User EXEC mode commands. Users at this level cannot access the web GUI or commands in the Privileged EXEC mode. • Level 7—Users with this level can run commands in the User EXEC mode and a subset of commands in the Privileged EXEC mode.
  • Page 26: Cli Command Modes

    Example 2—Switch from Level 1 to Level 15. The user must know the password: switchxxxxxx# switchxxxxxx# enable Enter Password: ****** (this is the password for level 15 - level15@abc) switchxxxxxx# NOTE: If authentication of passwords is performed on RADIUS or TACACS+ servers, the passwords assigned to user level 7 and user level 15 must be configured on the external server and associated with the $enable7$ and $enable15$ user names,...
  • Page 27: Privileged Exec Mode

    The user-level prompt consists of the switch host name followed by a #. The default host name is switchxxxxxx, where xxxxxx is the last six digits of the device's MAC address, as shown below: switchxxxxxx# The default host name can be changed via the hostname command in Global Configuration mode.
  • Page 28 The following example shows how to access Global Configuration mode and return to Privileged EXEC mode: switchxxxxxx# switchxxxxxx# configure switchxxxxxx(config)# exit switchxxxxxx# Interface or Line Configuration Modes Various submodes may be entered from Global Configuration mode. These submodes enable performing commands on a group of interfaces or lines. For instance, to perform several operations on a specific port or range of ports, you can enter the Interface Configuration mode for that interface.
  • Page 29: Accessing The Cli

    Configuration mode. The interface Global Configuration command is used to enter this mode. • Line Interface—Contains commands used to configure the management connections for the console, Telnet and SSH. These include commands such as line timeout settings, etc. The line Global Configuration command is used to enter the Line Configuration command mode.
  • Page 30 When the User Name prompt appears, enter cisco at the prompt and press Enter. The switchxxxxxx# prompt is displayed. You can now enter CLI commands to manage the switch. For detailed information on CLI commands, refer to the appropriate chapter(s) of this reference guide.
  • Page 31: Cli Command Conventions

    STEP 1 Click Start, then select All Programs > Accessories > Command Prompt to open a command prompt. Figure 1 Start > All Programs > Accessories > Command Prompt STEP 2 At the prompt, enter telnet <IP address of switch>, then press Enter. Figure 2 Command Prompt will be displayed.
  • Page 32: Editing Features

    Convention / Description: press key: Names of keys to be pressed are shown in bold. Ctrl+F4: Keys separated by the + character are to be pressed simultaneously on the keyboard. Screen Display: Fixed-width font indicates CLI prompts, CLI commands entered by the user, and system messages displayed on the console.
  • Page 33: Terminal Command Buffer

    • Partial keyword lookup—If a command is incomplete and/or the character ? is entered in place of a parameter, the matched keyword or parameters for this command are displayed. To assist in using the CLI, there is an assortment of editing features. The following features are described: •...
  • Page 34: Command Completion

    Negating the Effect of Commands For many configuration commands, the prefix keyword no can be entered to cancel the effect of a command or reset the configuration to the default value. This Reference Guide provides a description of the negation effect for each CLI command.
  • Page 35: Copying And Pasting Text

    Copying and Pasting Text Up to 1000 lines of text (or commands) can be copied and pasted into the device. NOTE: It is the user's responsibility to ensure that the text copied into the device consists of legal commands only. When copying and pasting commands from a configuration file, make sure that the following conditions exist: •...
  • Page 36 Samples of these various options are shown in the example below: switchxxxxxx(config)#interface GigabitEthernet 1 switchxxxxxx(config)#interface GE1 switchxxxxxx(config)#interface gi1 switchxxxxxx(config)#interface po1 switchxxxxxx(config)# interface vlan 1 NOTE: See Loopback Interface for a description of the loopback interface. Interface Range Interfaces may be described on an individual basis or within a range. The interface range command has the following syntax: <interface-range>...
  • Page 37 Range lists can contain either ports and port-channels or VLANs. NOTE: Combinations of port/port-channels and VLANs are not allowed. The space after the comma is optional. When a range list is defined, a space after the first entry and before the comma (,) must be entered.
  • Page 38: Loopback Interface

    System Modes Sx300/ESW2-350 and Sx500 devices function in either Router (Layer 3) or Switch (Layer 2) system mode, while SG500X devices always function in Switch plus Router system mode. Therefore, the parts of this section that refer to switching between the two system modes are not relevant for SG500X devices.
  • Page 39 A loopback interface does not support bridging; it cannot be a member of any VLAN, and no layer 2 protocol can be enabled on it. Layer 3 Specification IP Interface IPv4 and IPv6 addresses can be assigned to a loopback interface. The IPv6 link-local interface identifier is 1.
  • Page 40: Configuration Examples

    Configuration Examples Layer 2 Switch The following example shows how to configure IP on a Layer 2 switch: Switch# configure terminal Switch(config)# interface vlan 1 Switch(config-if)# ip address 10.10.10.2 /24 default-gateway 10.10.10.1 Switch(config-if)# exit Switch(config)# interface loopback 1 Switch(config-if)# ip address 172.25.13.2 /32 Switch(config-if)# ipv6 address 2001:DB8:2222:7272::72/128 Switch(config-if)# exit...
  • Page 41 Layer 3 Switch with Static Routing The following example shows you how to configure IP on a Layer 3 switch with static routing: Switch# configure terminal Switch(config)# interface vlan 1 Switch(config-if)# ip address 10.10.10.2 /24 Switch(config-if)# ipv6 address 2001:DB8:2222:7270::2312/64 Switch(config-if)# exit Switch(config)# interface vlan 2 Switch(config-if)# ip address 10.11.11.2 /24...
  • Page 42 The neighbor router 2001:DB8:3333:7271::1 connected to VLAN 1 should be configured with the static route defined immediately below. IPv6 Route 2001:DB8:2222:7272::72/128 2001:DB8:3333:7271::2312 Without RIP The following example describes how to configure IP on a Layer 3 switch with RIP not running on the loopback interface: Switch# configure terminal Switch(config)# interface vlan 1...
  • Page 43 With RIP The following example describes how to configure IP on a Layer 3 switch with RIP running on the loopback interface: Switch# configure terminal Switch(config)# interface vlan 1 Switch(config-if)# ip address 10.10.10.2 /24 Switch(config-if)# exit Switch(config)# interface vlan 2 Switch(config-if)# ip address 10.11.11.2 /24 Switch(config-if)# exit Switch(config)# interface loopback 1...
  • Page 44 On all other devices, the four highest ports (e.g. ports 49-52 on SG300-52) cannot be configured with auto-negotiation. PHY Diagnostics The following exceptions exist: • Copper Ports—PHY diagnostics are only supported on copper ports. • FE ports—Only basic tests are supported (no cable length). •...
  • Page 45: Commands

    802.1X Commands Dependencies Between Multi-Session Mode and System Mode Multi-session mode works differently in switch mode and router mode, as described below: • Multi-Session mode (called Full Multi-Session mode), which supports Guest VLAN, RADIUS VLAN attributes, and WEB-Based authentication, is supported in Sx300 in switch mode.
  • Page 46: Authentication Open

    Command Mode Global Configuration mode User Guidelines You can select either authentication by a RADIUS server, no authentication (none), or both methods. If you require that authentication succeeds even if no RADIUS server response was received, specify none as the final method in the command line. Example The following example sets the 802.1X authentication mode to RADIUS server authentication.
  • Page 47: Clear Dot1X Statistics

    User Guidelines Open Access or Monitoring mode allows clients or devices to gain network access before authentication is performed. In this mode the switch treats failure replies received from a RADIUS server as success. Example The following example enables open mode on interface gi 1 1: switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)#...
  • Page 48: Data

    data To specify web-based page customization, the data command in Web-Based Page Customization Configuration mode is used. Syntax data value Parameters • value—String of hexadecimal digit characters up to 320 characters. Default Configuration No user customization. Command Mode Web-Based Page Customization Configuration mode User Guidelines...
  • Page 49: Dot1X Auth-Not-Req

    switchxxxxxx# show running-config dot1x page customization data ******** exit dot1x auth-not-req Use the dot1x auth-not-req Interface Configuration (VLAN) mode command to enable unauthorized devices access to a VLAN. Use the no form of this command to disable access to a VLAN. Syntax dot1x auth-not-req no dot1x auth-not-req...
  • Page 50: Dot1X Authentication

    If a VLAN is configured as an unauthenticated VLAN, traffic tagged with that VLAN and received from a member port of that VLAN will be bridged regardless of whether the port/host is authorized or not. The guest VLAN cannot be configured as an unauthorized VLAN. Example The following example enables unauthorized devices access to VLAN 5.
  • Page 51: Dot1X Guest-Vlan

    User Guidelines Static MAC addresses cannot be authorized by the MAC-based method. It is not recommended to change a dynamic MAC address to a static one or delete it if the MAC address was authorized by the MAC-based authentication: a.
  • Page 52: Dot1X Guest-Vlan Enable

    User Guidelines Use the dot1x guest-vlan enable command to enable unauthorized users on an interface to access the guest VLAN. A device can have only one global guest VLAN. The guest VLAN must be a static VLAN and it cannot be removed. The Default VLAN cannot be configured as guest VLAN.
  • Page 53: Dot1X Guest-Vlan Timeout

    User Guidelines The port cannot belong to the guest VLAN. The guest VLAN and the WEB-Based authentication cannot be configured on a port at the same time. This command cannot be configured if the monitoring VLAN is enabled on the interface.
  • Page 54: Dot1X Host-Mode

    Parameters • timeout—Specifies the time delay in seconds between enabling 802.1X (or port up) and adding the port to the guest VLAN. (Range: 30–180). Default Configuration The guest VLAN is applied immediately. Command Mode Global Configuration mode User Guidelines This command is relevant if the guest VLAN is enabled on the port.
  • Page 55 Default Configuration Default mode is multi-host. Command Mode Interface (Ethernet) Configuration mode User Guidelines Single-Host Mode The single-host mode manages the authentication status of the port: the port is authorized if there is an authorized host. In this mode, only a single host can be authorized on the port.
  • Page 56 is the RADIUS assigned VLAN or the unauthenticated VLANs. See the dot1x radius-attributes vlan command to enable RADIUS VLAN assignment at a port. The switch removes from FDB all MAC addresses learned on a port when its authentication status is changed from authorized to unauthorized.
  • Page 57: Dot1X Max-Hosts

    Example switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# dot1x host-mode multi-host 2.11 dot1x max-hosts Use the dot1x max-hosts interface configuration command to configure the maximum number of authorized hosts allowed on the interface. Use the no form of the command to return to the default. Syntax dot1x max-hosts count...
  • Page 58: Dot1X Max-Login-Attempts

    switchxxxxxx(config-if)# dot1x max-hosts 2.12 dot1x max-login-attempts To set the maximum number of allowed login attempts, use this command in Interface Configuration mode. To return to the default setting, use the no form of this command. Syntax dot1x max-login-attempts count no dot1x max-login-attempts...
  • Page 59: Dot1X Max-Req

    2.13 dot1x max-req Use the dot1x max-req Interface Configuration mode command to set the maximum number of times that the device sends an Extensible Authentication Protocol (EAP) request/identity frame (assuming that no response is received) to the client before restarting the authentication process.
  • Page 60: Dot1X

    2.14 dot1x page customization Use the dot1x page customization Global Configuration mode command to enter the Web-Based Page Customization Configuration mode. Syntax dot1x page customization Parameters Default Configuration No user customization. Command Mode Web-Based Page Customization Configuration mode User Guidelines The command should not be entered or edited manually (unless when using copy-paste).
  • Page 61: Dot1X Port-Control

    2.15 dot1x port-control Use the dot1x port-control Interface Configuration mode command to enable manual control of the port authorization state. Use the no form of this command to restore the default configuration. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} [time-range time-range-name] Parameters •...
  • Page 62: Dot1X Radius-Attributes Vlan

    stations, in order to proceed to the forwarding state immediately after successful authentication. Example The following example sets 802.1X authentication on gi 1 1 to auto mode. switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# dot1x port-control auto 2.16 dot1x radius-attributes vlan Use the dot1x radius-attributes vlan Interface Configuration mode command to enable RADIUS-based VLAN assignment.
  • Page 63 If a RADIUS server assigns a client with a non-existing VLAN, the switch creates the VLAN. The VLAN is removed when it is no longer being used. If RADIUS provides valid VLAN information and the port does not belong to the VLAN received from RADIUS, it is added to the VLAN as an egress untagged port.
  • Page 64: Dot1X Re-Authenticate

    Examples Example 1. This example enables user-based VLAN assignment. If the RADIUS server authorized the supplicant, but did not provide a supplicant VLAN, the supplicant is rejected. switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# dot1x radius-attributes vlan switchxxxxxx(config-if)# exit Example 2.
  • Page 65: Dot1X Reauthentication

    Example The following command manually initiates re-authentication of 802.1X-enabled gi 1 1: switchxxxxxx# dot1x re-authenticate gi11 2.18 dot1x reauthentication Use the dot1x reauthentication Interface Configuration mode command to enable periodic re-authentication of the client. Use the no form of this command to return to the default setting.
  • Page 66: Dot1X Timeout Quiet-Period

    Syntax dot1x system-auth-control no dot1x system-auth-control Parameters Default Configuration Disabled. Command Mode Global Configuration mode Example The following example enables 802.1X globally. switchxxxxxx(config)# dot1x system-auth-control 2.20 dot1x timeout quiet-period Use the dot1x timeout quiet-period Interface Configuration mode command to set the time interval that the device remains in a quiet state following a failed authentication exchange (for example, if the client provided an invalid password).
  • Page 67: Dot1X Timeout Reauth-Period

    Default Configuration The default quiet period is 60 seconds. Command Mode Interface (Ethernet) Configuration mode User Guidelines During the quiet period, the device does not accept or initiate authentication requests. The default value of this command should only be changed to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.
  • Page 68: Dot1X Timeout Server-Timeout

    no dot1x timeout reauth-period Parameters • seconds—Number of seconds between re-authentication attempts. (Range: 300-4294967295). Default Configuration 3600 Command Mode Interface (Ethernet) Configuration mode User Guidelines The command is only applied to the 802.1x authentication method. Example switchxxxxxx(config)# interface gi11...
  • Page 69: Dot1X Timeout Silence-Period

    Default Configuration The default timeout period is 30 seconds. Command Mode Interface (Ethernet) Configuration mode User Guidelines The actual timeout period can be determined by comparing the value specified by this command to the result of multiplying the number of retries specified by the radius-server retransmit command by the timeout period specified by the radius-server retransmit...
  • Page 70: Dot1X Timeout Supp-Timeout

    Default Configuration The silence period is not limited. Command Mode Interface (Ethernet) Configuration mode User Guidelines The command is only applied to WEB-based authentication. If an authorized client does not send traffic during the silence period specified by the command, the state of the client is changed to unauthorized.
  • Page 71: Dot1X Timeout Tx-Period

    Command Mode Interface (Ethernet) Configuration mode User Guidelines The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers. The command is only applied to the 802.1x authentication method.
  • Page 72: Dot1X Traps Authentication Failure

    Command Mode Interface (Ethernet) Configuration mode User Guidelines The default value of this command should be changed only to adjust to unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers. The command is only applied to the 802.1x authentication method.
  • Page 73: Dot1X Traps Authentication Quiet

    Command Mode Global Configuration mode User Guidelines Any combination of the keywords is allowed. At least one keyword must be configured. A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.
  • Page 74: Dot1X Traps Authentication Success

    User Guidelines The traps are sent after the client is set to the quiet state after the maximum sequential attempts of login. The command is only applied to the web-based authentication. A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.
  • Page 75: Dot1X Unlock Client

    User Guidelines Any combination of the keywords is allowed. At least one keyword must be configured. A rate limit is applied to the traps: not more than one trap of this type can be sent in 10 seconds.
  • Page 76: Dot1X Violation-Mode

    Example switchxxxxxx# dot1x unlock client gi11 00:01:12:af:00:56 2.30 dot1x violation-mode Use the dot1x violation-mode Interface Configuration mode command to configure the action to be taken when an unauthorized host on an authorized port in single-host mode attempts to access the interface. Use the no form of this command to return to default.
  • Page 77: Show Dot1X

    User Guidelines The command is relevant only for single-host mode. BPDU messages whose MAC addresses are not the supplicant MAC address are not discarded in Protect mode. BPDU messages whose MAC addresses are not the supplicant MAC address cause a shutdown in Shutdown mode.
  • Page 78 Authentication is enabled Authenticating Servers: Radius, None Unathenticated VLANs: 100, 1000, 1021 Guest VLAN: VLAN 11, timeout 30 sec Authentication failure traps are enables for 802.1x+mac Authentication success traps are enables for 802.1x Authentication quiet traps are enables for 802.1x gi11 Host mode: multi-sessions Authentication methods: 802.1x+mac...
  • Page 79 Authentication methods: 802.1x+mac Port Adminstrated status: auto Port Operational status: authorized Guest VLAN: disabled VLAN Radius Attribute: enabled Open access: enabled Time range name: work_hours (Active now) Server-timeout: 30 sec Aplied Authenticating Server: Radius Applied Authentication method: 802.1x Session Time (HH:MM:SS): 00:25:22 MAC Address: 00:08:78:32:98:66 Username: Bob...
  • Page 80 Port Adminstrated status: auto Port Operational status: authorized Guest VLAN: disabled VLAN Radius Attribute: disabled Time range name: work_hours (Active now) Open access: disabled Server-timeout: 30 sec Aplied Authenticating Server: Radius Applied Authentication method: 802.1x Session Time (HH:MM:SS): 00:25:22 MAC Address: 00:08:78:32:98:66 Username: Bob Violation:...
  • Page 81 • Host mode—The port authentication configured mode. Possible values: single-host, multi-host, multi-sessions. • single-host • multi-host • multi-sessions • Authentication methods—Authentication methods configured on port. Possible values are combinations of the following methods: • 802.1x • •...
  • Page 82: Show Dot1X Locked Clients

    • Server timeout—Number of seconds that the device waits for a response from the authentication server before resending the request. • Session Time—Amount of time (HH:MM:SS) that the user is logged in. • MAC address—Supplicant MAC address. •...
  • Page 83: Show Dot1X Statistics

    Port MAC Address Remaining Time -------------- -------------- ------- gi11 0008.3b79.8787 gi11 0008.3b89.3128 gi12 0008.3b89.3129 2.33 show dot1x statistics Use the show dot1x statistics Privileged EXEC mode command to display 802.1X statistics for the specified port. Syntax show dot1x statistics interface interface-id Parameters...
  • Page 84 EapolRespIdFramesRx: 3 EapolRespFramesRx: 6 EapolReqIdFramesTx: 3 EapolReqFramesTx: 6 InvalidEapolFramesRx: 0 EapLengthErrorFramesRx: 0 LastEapolFrameVersion: 1 LastEapolFrameSource: 00:08:78:32:98:78 The following table describes the significant fields shown in the display: Field Description EapolFramesRx Number of valid EAPOL frames of any type that have been received by this Authenticator.
  • Page 85: Show Dot1X Users

    Field Description EapLengthErrorFramesRx Number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid. LastEapolFrameVersion Protocol version number carried in the most recently received EAPOL frame. LastEapolFrameSource Source MAC address carried in the most recently received EAPOL frame.
  • Page 86 Port Username MAC Address Auth Auth Session VLAN Method Server Time ---- -------- ----------- ----- ----- ------ ---- gi11 0008.3b71.1 802.1x Remote 09:01:00 1020 gi12 Allan Remote 00:11:12 0008.3b79.8 gi12 John Remote 00:27:16 0008.3baa.0 OL-32830-01 Command Line Interface Reference Guide...
  • Page 87: Authentication, Authorization And Accounting (Aaa) Commands

    Authentication, Authorization and Accounting (AAA) Commands aaa authentication login Use the aaa authentication login Global Configuration mode command to set one or more authentication methods to be applied during login. Use the no form of this command to restore the default authentication method. Syntax list-name method1...
  • Page 88: Aaa Authentication Enable

    Authentication, Authorization and Accounting (AAA) Commands Keyword Description radius Uses the list of all RADIUS servers for authentication. Uses the list of all TACACS+ servers for tacacs authentication. Default Configuration If no methods are specified, the default are the locally-defined users and passwords.
  • Page 89 Authentication, Authorization and Accounting (AAA) Commands Syntax list-name method method2 aaa authentication enable {default | ...]} list-name no aaa authentication enable {default | Parameters • default—Uses the listed authentication methods that follow this argument as the default method list, when accessing higher privilege levels. •...
  • Page 90: Login Authentication

    Authentication, Authorization and Accounting (AAA) Commands User Guidelines list-name method1 Create a list by entering the aaa authentication enable [method2...] list-name command where is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.
  • Page 91: Enable Authentication

    Authentication, Authorization and Accounting (AAA) Commands Parameters • default—Uses the default list created with the aaa authentication login command. • list-name —Uses the specified list created with the aaa authentication login command. Default Configuration default Command Mode Line Configuration Mode Examples Example 1 - The following example specifies the login authentication method as the default method for a console session.
  • Page 92: Ip Http Authentication

    Authentication, Authorization and Accounting (AAA) Commands no enable authentication Parameters • default—Uses the default list created with the aaa authentication enable command. • list-name —Uses the specified list created with the aaa authentication enable command. Default Configuration default. Command Mode Line Configuration Mode Examples Example 1 - The following example specifies the authentication method as the...
  • Page 93 Authentication, Authorization and Accounting (AAA) Commands Syntax method1 method2 ip http authentication aaa login-authentication ...] no ip http authentication aaa login-authentication Parameters • method method2 ...]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails.
  • Page 94: Show Authentication Methods

    Authentication, Authorization and Accounting (AAA) Commands show authentication methods The show authentication methods Privileged EXEC mode command displays information about the authentication methods. Syntax show authentication methods Parameters Default Configuration Command Mode Privileged EXEC mode Example The following example displays the authentication configuration: switchxxxxxx# show authentication methods...
  • Page 95: Password

    Authentication, Authorization and Accounting (AAA) Commands Console_Enable(with authorization): Enable, None Line Login Method List Enable Method List -------------- ----------------- ------------------ Console Console_Login Console_Enable Telnet Default Default Default Default HTTP, HHTPS: Radius, local Dot1x: Radius password Use the password Line Configuration mode command to specify a password on a line (also known as an access method, such as a console or Telnet).
  • Page 96: Enable Password

    Authentication, Authorization and Accounting (AAA) Commands switchxxxxxx(config-line)# password secret enable password Use the enable password Global Configuration mode command to set a local password to control access to normal and privilege levels. Use the no form of this command to return to the default password. Syntax privilege-level unencrypted-password...
  • Page 97: Service Password-Recovery

    Authentication, Authorization and Accounting (AAA) Commands administrator must add encrypted in front of this encrypted password when entering the enable command in switch A. In this way, the two switches will have the same password. Passwords are encrypted by default. You only are required to use the encrypted keyword when you are actually entering an encrypted keyword.
  • Page 98 Authentication, Authorization and Accounting (AAA) Commands Parameters Default Configuration The service password recovery is enabled by default. Command Mode Global Configuration mode User Guidelines • If password recovery is enabled, the user can access the boot menu and trigger the password recovery in the boot menu. All configuration files and user files are kept.
  • Page 99: Username

    Authentication, Authorization and Accounting (AAA) Commands 3.10 username Use the username Global Configuration mode command to establish a username-based authentication system. Use the no form to remove a user name. Syntax name unencrypted-password username {nopassword | {password { | {encrypted encrypted-password privilege-level unencrypted-password...
  • Page 100: Show Users Accounts

    Authentication, Authorization and Accounting (AAA) Commands Examples Example 1 - Sets an unencrypted password for user tom (level 15). It will be encrypted in the configuration file. switchxxxxxx(config)# username tom password 1234 Example 2 - Sets a password for user jerry (level 15) that has already been encrypted.
  • Page 101: Aaa Accounting Login

    Authentication, Authorization and Accounting (AAA) Commands Example The following example displays information about the users local database switchxxxxxx# show users accounts Password Username Privilege Expiry date -------- --------- ---------- Jan 18 2005 Robert Jan 19 2005 Smith The following table describes the significant fields shown in the display: Field Description Username...
  • Page 102 Authentication, Authorization and Accounting (AAA) Commands Command Mode Global Configuration mode User Guidelines This command enables the recording of device management sessions (Telnet, serial and WEB but not SNMP). It records only users that were identified with a username (e.g., a user who logged in with a line password is not recorded).
  • Page 103: Aaa Accounting Dot1X

    Authentication, Authorization and Accounting (AAA) Commands The following table describes the supported TACACS+ accounting arguments and in which messages they are sent by the switch. Name Description Start Stop Message Message task_id A unique accounting session identifier. user username that is entered for login authentication rem-addr IP address of the user...
  • Page 104 Authentication, Authorization and Accounting (AAA) Commands User Guidelines This command enables the recording of 802.1x sessions. If accounting is activated, the device sends start/stop messages to a RADIUS server when a user logs in / logs out to the network, respectively. The device uses the configured priorities of the available RADIUS servers in order to select the RADIUS server.
  • Page 105: Show Accounting

    Authentication, Authorization and Accounting (AAA) Commands Name Start Stop Description Acct-Authentic (45) Indicates how the supplicant was authenticated. Acct-Session-Time (46) Indicates how long the supplicant was logged Acct-Terminate-Cause Reports why the (49) session was terminated. Nas-Port-Type (61) Indicates the supplicant physical port type.
  • Page 106: Passwords Complexity Enable

    Authentication, Authorization and Accounting (AAA) Commands switchxxxxxx# show accounting Login: Radius 802.1x: Disabled 3.15 passwords complexity enable Use the passwords complexity enable Global Configuration mode command to enforce minimum password complexity. The no form of this command disables enforcing password complexity. Syntax passwords complexity enable no passwords complexity enable...
  • Page 107: Passwords Complexity

    Authentication, Authorization and Accounting (AAA) Commands • Does not repeat or reverse the manufacturer’s name or any variant reached by changing the case of the characters. You can control the above attributes of password complexity with specific commands described in this section. If you have previously configured other complexity settings, then those settings are used.
  • Page 108 Authentication, Authorization and Accounting (AAA) Commands no passwords complexity min-length | min-classes | not-current | no-repeat | not-username | not-manufacturer-name Parameters • number min-length —Sets the minimal length of the password. (Range: 0–64) • min-classes number —Sets the minimal character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard).
  • Page 109: Passwords Aging

    Authentication, Authorization and Accounting (AAA) Commands 3.17 passwords aging Use the passwords aging Global Configuration mode command to enforce password aging. Use the no form of this command to return to the default. Syntax days passwords aging no passwords aging Parameters •...
  • Page 110: Default Configuration

    Authentication, Authorization and Accounting (AAA) Commands Syntax show passwords configuration Parameters Default Configuration Command Mode Privileged EXEC mode Example switchxxxxxx# show passwords configuration Passwords aging is enabled with aging time 180 days. Passwords complexity is enabled with the following attributes: Minimal length: 3 characters Minimal classes: 3 New password must be different than the current: Enabled...
  • Page 111: Acl Commands

    ACL Commands ip access-list (IP extended) Use the ip access-list extended Global Configuration mode command to name an IPv4 access list (ACL) and to place the device in IPv4 Access List Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit (IP) and deny (IP)
  • Page 112: Permit ( Ip )

    ACL Commands permit ( IP ) Use the permit IP Access-list Configuration mode command to set permit conditions for an IPv4 access list (ACL). Permit conditions are also known as access control entries (ACEs). Use the no form of the command to remove the access control entry.
  • Page 113 ACL Commands [log-input] igmp {any | source source-wildcard} {any | destination no permit destination-wildcard}[igmp-type] [dscp number | precedence number] [ time-range time-range-name] [log-input] {any | source source-wildcard} {any| s ource-port/port-range}{any | no permit tcp destination destination-wildcard} {any| d estination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [ time-range-name] time-range...
  • Page 114 • igmp-type —IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255) • destination-port —Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen.
  • Page 115: Deny ( Ip )

    ACL Commands Default Configuration No IPv4 access list is defined. Command Mode IP Access-list Configuration mode User Guidelines If a range of ports is used for source port in an ACE, it is not counted again, if it is also used for a source port in another ACE. If a range of ports is used for the destination port in an ACE, it is not counted again if it is also used for destination port in another ACE.
  • Page 116 ACL Commands igmp {any | source source-wildcard} {any | destination deny destination-wildcard}[igmp-type][ priority] [dscp number | precedence ace-priority number] [ time-range-name] [disable-port | l og-input ] time-range {any | source source-wildcard} {any| s ource-port/port-range}{any | deny tcp destination destination-wildcard} {any| d estination-port/port-range} [ ace-priority priority] [dscp number | precedence number] [match-all list-of-flags][ time-range...
  • Page 117 • igmp-type —IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255) • destination-port —Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen.
  • Page 118 ACL Commands options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string. For example: +fin-ack. • time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32) •...
  • Page 119: Ipv6 Access-List (Ipv6 Extended)

    ACL Commands ipv6 access-list (IPv6 extended) Use the ipv6 access-list Global Configuration mode command to define an IPv6 access list (ACL) and to place the device in IPv6 Access-list Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit (IPv6) and deny (IPv6)
  • Page 120: Permit ( Ipv6 )

    ACL Commands switchxxxxxx(config-ip-al)# permit tcp 2001:0DB8:0300:0201::/64 any any 80 permit (IPv6) Use the permit command in IPv6 Access-list Configuration mode to set permit conditions (ACEs) for IPv6 ACLs. Use the no form of the command to remove the access control entry.
  • Page 121 ACL Commands {any | {source-prefix/length} {any | source-port/port-range}}{any | no permit tcp destination- prefix/length} {any| destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [ time-range-name] time-range [log-input] udp {any | {source-prefix/length}} {any | source-port/port-range}}{any | no permit destination- prefix/length} {any| destination-port/port-range} [dscp number | precedence number] [ time-range-name] time-range...
  • Page 122 ACL Commands one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80).
  • Page 123: Deny ( Ipv6 )

    ACL Commands If a range of ports is used for the source port, it is counted again if it is also used for the destination port. If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a priority that already exists, the command is rejected.
  • Page 124 ACL Commands icmp {any | {source-prefix/length}{any | destination- prefix/length} no deny {any| i cmp-type} {any| i cmp-code} [dscp number | precedence number] [ time-range time-range-name] [disable-port | l og-input ] tcp {any | {source-prefix/length} {any | source-port/port-range}}{any | no deny destination- prefix/length} {any| destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [ time-range-name]...
  • Page 125 ACL Commands • destination-port —Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, e.g. 20-21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog (514), tacacs-ds...
  • Page 126: Mac Access-List

    ACL Commands source port in another ACE. If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE. If a range of ports is used for the source port, it is counted again if it is also used for the destination port.
  • Page 127: Permit ( Mac )

    ACL Commands User Guidelines A MAC ACL is defined by a unique name. An IPv4 ACL, IPv6 ACL, MAC ACL or policy map cannot have the same name. If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20.
  • Page 128 ACL Commands • priority - Specifies the priority of the access control entry (ACE) in the access control list (ACL). The value 1 represents the highest priority and 2147483647 represents the lowest priority. (Range: 1-2147483647) • eth-type —The Ethernet type of the packet, in hexadecimal format. •...
  • Page 129: Deny (Mac)

    ACL Commands deny (MAC) Use the deny command in MAC Access-list Configuration mode to set deny conditions (ACEs) for a MAC ACL. Use the no form of the command to remove the access control entry. Syntax {any | source source-wildcard} {any | destination destination-wildcard} deny priority][{eth-type 0}| aarp | amber | dec-spanning | decnet-iv | ace-priority...
  • Page 130: Service-Acl Input

    ACL Commands hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.
  • Page 131 ACL Commands • deny-any—Deny all packets (that were ingress at the port) that do not meet the rules in this ACL. • permit-any—Forward all packets (that were ingress at the port) that do not meet the rules in this ACL. Default Configuration No ACL is assigned.
  • Page 132: Time-Range

    ACL Commands switchxxxxxx(config-mac-al)# exit switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# service-acl input server-acl default-action deny-any 4.11 time-range Use the time-range Global Configuration mode command to define time ranges for different functions. In addition, this command enters the Time-range Configuration mode. All commands after this one refer to the time-range being defined. This command sets a time-range name.
  • Page 133: Absolute

    ACL Commands To ensure that the time range entries take effect at the desired times, the software clock should be set by the user or by SNTP. If the software clock is not set by the user or by SNTP, the time range ACEs are not activated. The user cannot delete a time-range that is bound to any features.
  • Page 134: Periodic

    ACL Commands Parameters • start—Absolute time and date at which the permit or deny statement of the associated function goes into effect. If no start time and date are specified, the function is in effect immediately. • end—Absolute time and date at which the permit or deny statement of the associated function is no longer in effect.
  • Page 135 ACL Commands hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… periodic list day-of-the-week7] hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… no periodic list day-of-the-week7] hh:mm to hh:mm all periodic list hh:mm to hh:mm all no periodic list Parameters • day-of-the-week—The starting day that the associated time range is in effect.
  • Page 136: Show Time-Range

    ACL Commands 4.14 show time-range Use the show time-range User EXEC mode command to display the time range configuration. Syntax time-range-name show time-range Parameters time-range-name—Specifies the name of an existing time range. Command Mode User EXEC mode Example switchxxxxxx> show time-range http-allowed -------------- absolute start 12:00 1 Jan 2005 end...
  • Page 137: Show Interfaces Access-Lists

    ACL Commands • time-range-active—Shows only the Access Control Entries (ACEs) whose time-range is currently active (including those that are not associated with time-range). Command Mode Privileged EXEC mode Example switchxxxxxx# show access-lists Standard IP access list 1 Extended IP access list ACL2 permit 234 172.30.19.1 0.0.0.255 any priority 20 time-range weekdays permit 234 172.30.23.8 0.0.0.255 any priority 40 time-range weekdays switchxxxxxx# show access-lists time-range-active...
  • Page 138: Clear Access-Lists Counters

    ACL Commands Parameters interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port, port-channel or VLAN. Command Mode Privileged EXEC mode Example Interface ACLs --------- ----------------------- gi11 blockcdp, blockvtp gi12 Ingress: server1 4.17 clear access-lists counters Use the clear access-lists counters Privileged EXEC mode command to clear access-lists (ACLs) counters.
  • Page 139: Show Interfaces Access-Lists Trapped Packets

    ACL Commands 4.18 show interfaces access-lists trapped packets Use the show interfaces access-lists trapped packets Privileged EXEC mode command to display Access List (ACL) trapped packets. Syntax [interface-id | port-channel-number | show interfaces access-lists trapped packets VLAN] Parameters • interface-id—Specifies an interface ID; the interface ID is an Ethernet port or port-channel.
  • Page 140 ACL Commands Example 2: switchxxxxxx# show interfaces access-lists trapped packets gi11 Packets were trapped on interface gi11 OL-32830-01 Command Line Interface Reference Guide...
  • Page 141: Address Table Commands

    Address Table Commands bridge multicast filtering To enable the filtering of Multicast addresses, use the bridge multicast filtering Global Configuration mode command. To disable Multicast address filtering, use the no form of this command. Syntax bridge multicast filtering no bridge multicast filtering Parameters This command has no arguments or keywords.
  • Page 142: Bridge Multicast Mode

    Address Table Commands Example The following example enables bridge Multicast filtering. switchxxxxxx(config)# bridge multicast filtering bridge multicast mode To configure the Multicast bridging mode, use the bridge multicast mode Interface (VLAN) Configuration mode command. To return to the default configuration, use the no form of this command.
  • Page 143 Address Table Commands the ipv4 mode, because there is no overlapping of IPv4 Multicast addresses in these modes. For each Forwarding Data Base (FDB) mode, use different CLI commands to configure static entries in the FDB, as described in the following table: FDB Mode CLI Commands mac-group...
  • Page 144: Bridge Multicast Address

    Address Table Commands bridge multicast address To register a MAC-layer Multicast address in the bridge table and statically add or remove ports to or from the group, use the bridge multicast address Interface (VLAN) Configuration mode command. To unregister the MAC address, use the no form of this command.
  • Page 145: Bridge Multicast Forbidden Address

    Address Table Commands You can execute the command before the VLAN is created. Examples Example 1 - The following example registers the MAC address to the bridge table: switchxxxxxx(config)# interface vlan 8 switchxxxxxx(config-if)# bridge multicast address 01:00:5e:02:02:03 Example 2 - The following example registers the MAC address and adds ports statically.
  • Page 146: Bridge Multicast Ip-Address

    Address Table Commands • interface-list ethernet —Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports. • port-channel-list port-channel —Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces.
  • Page 147 Address Table Commands Syntax ip-multicast-address [[add | remove] {interface-list bridge multicast ip-address port-channel port-channel-list ip-multicast-address no bridge multicast ip-address Parameters • ip-multicast-address—Specifies the group IP Multicast address. • add—(Optional) Adds ports to the group. • remove—(Optional) Removes ports from the group. •...
  • Page 148: Bridge Multicast Forbidden Ip-Address

    Address Table Commands switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2 The following example registers the IP address and adds ports statically. switchxxxxxx(config)# interface vlan 8 switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2 add gi14 bridge multicast forbidden ip-address To forbid adding or removing a specific IP Multicast address to or from specific ports, use the bridge multicast forbidden ip-address Interface (VLAN) Configuration mode command.
  • Page 149: Bridge Multicast Source Group

    Address Table Commands Command Mode Interface (VLAN) Configuration mode User Guidelines Before defining forbidden ports, the Multicast group should be registered. You can execute the command before the VLAN is created. Example The following example registers IP address 239.2.2.2, and forbids the IP address on port gi14 within VLAN 8.
  • Page 150: Bridge Multicast Forbidden Source Group

    Address Table Commands • interface-list ethernet —(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports. • port-channel-list port-channel —(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces;...
  • Page 151 Address Table Commands Parameters • ip-address—Specifies the source IP address. • ip-multicast-address—Specifies the group IP Multicast address. • add—(Optional) Forbids adding ports to the group for the specific source IP address. • remove—(Optional) Forbids removing ports from the group for the specific source IP address.
  • Page 152: Bridge Multicast Ipv6 Mode

    Address Table Commands bridge multicast ipv6 mode To configure the Multicast bridging mode for IPv6 Multicast packets, use the bridge multicast ipv6 mode Interface (VLAN) Configuration mode command. To return to the default configuration, use the no form of this command. Syntax {mac-group | ip-group | ip-src-group} bridge multicast ipv6 mode...
  • Page 153 Address Table Commands For each Forwarding Data Base (FDB) mode, use different CLI commands to configure static entries for IPv6 Multicast addresses in the FDB, as described in the following table: FDB Mode CLI Commands bridge multicast address bridge multicast forbidden mac-group address ipv6-group...
  • Page 154: Bridge Multicast Ipv6 Ip-Address

    Address Table Commands 5.10 bridge multicast ipv6 ip-address To register an IPv6 Multicast address to the bridge table, and statically add or remove ports to or from the group, use the bridge multicast ipv6 ip-address Interface (VLAN) Configuration mode command. To unregister the IPv6 address, use the no form of this command.
  • Page 155: Bridge Multicast Ipv6 Forbidden Ip-Address

    Address Table Commands You can execute the command before the VLAN is created. Examples Example 1 - The following example registers the IPv6 address to the bridge table: switchxxxxxx(config)# interface vlan 8 switchxxxxxx(config-if)# bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1 Example 2 - The following example registers the IPv6 address and adds ports statically.
  • Page 156: Bridge Multicast Ipv6 Source Group

    Address Table Commands • interface-list ethernet —(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports. • port-channel-list port-channel —(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces.
  • Page 157 Address Table Commands Syntax ipv6-source-address ipv6-multicast-address bridge multicast ipv6 source group [[add | remove] {ethernet interface-list | port-channel port-channel-list}] ipv6-address ipv6-multicast-address no bridge multicast ipv6 source group Parameters • ipv6-source-address—Specifies the source IPv6 address. • ipv6-multicast-address—Specifies the group IPv6 Multicast address. •...
  • Page 158: Bridge Multicast Ipv6 Forbidden Source Group

    Address Table Commands 5.13 bridge multicast ipv6 forbidden source group To forbid adding or removing a specific IPv6 source address - Multicast address pair to or from specific ports, use the bridge multicast ipv6 forbidden source group Interface (VLAN) Configuration mode command. To return to the default configuration, use the no form of this command.
  • Page 159: Bridge Multicast Unregistered

    Address Table Commands User Guidelines Before defining forbidden ports, the Multicast group should be registered. You can execute the command before the VLAN is created. Example The following example registers a source IPv6 address - Multicast IPv6 address pair to the bridge table, and forbids adding the pair to gi14 on VLAN 8: switchxxxxxx(config)# interface vlan 8 switchxxxxxx(config-if)#...
  • Page 160: Bridge Multicast Forward-All

    Address Table Commands User Guidelines Do not enable unregistered Multicast filtering on ports that are connected to routers, because the 224.0.0.x address range should not be filtered. Note that routers do not necessarily send IGMP reports for the 224.0.0.x range. You can execute the command before the VLAN is created.
  • Page 161: Bridge Multicast Forbidden Forward-All

    Address Table Commands Default Configuration Forwarding of all Multicast packets is disabled. Command Mode Interface (VLAN) Configuration mode Example The following example enables all Multicast packets on port gi14 to be forwarded. switchxxxxxx(config)# interface vlan 2 switchxxxxxx(config-if)# bridge multicast forward-all add gi14 5.16 bridge multicast forbidden forward-all To forbid a port to dynamically join Multicast groups, use the bridge multicast...
  • Page 162: Bridge Unicast Unknown

    Address Table Commands Default Configuration Ports are not forbidden to dynamically join Multicast groups. The default option is add. Command Mode Interface (VLAN) Configuration mode User Guidelines Use this command to forbid a port to dynamically join (by IGMP, for example) a Multicast group.
  • Page 163: Show Bridge Unicast Unknown

    Address Table Commands Default Configuration Forwarding. Command Mode Interface (Ethernet, Port Channel) Configuration mode. Example The following example drops Unicast packets on gi11 when the destination is unknown. switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# bridge unicast unknown filtering 5.18 show bridge unicast unknown To display the unknown Unicast filtering configuration, use the show bridge unicast unknown Privileged EXEC mode command.
  • Page 164: Mac Address-Table Static

    Address Table Commands gi13 Filter 5.19 mac address-table static To add a MAC-layer station source address to the MAC address table, use the mac address-table static Global Configuration mode command. To delete the MAC address, use the no form of this command. Syntax mac-address vlan-id...
  • Page 165 Address Table Commands User Guidelines Use the command to add a static MAC address with given time-to-live in any mode or to add a secure MAC address in a secure mode. Each MAC address in the MAC address table is assigned two attributes: type and time-to-live.
  • Page 166: Clear Mac Address-Table

    Address Table Commands Example 2 - The following example adds a deleted-on-reset static MAC address: switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi11 delete-on-reset Example 3 - The following example adds a deleted-on-timeout static MAC address: switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface gi11 delete-on-timeout Example 4 - The following example adds a secure MAC address: switchxxxxxx(config)#...
  • Page 167: Mac Address-Table Aging-Time

    Address Table Commands Default Configuration For dynamic addresses, if interface-id is not supplied, all dynamic entries are deleted. Command Mode Privileged EXEC mode Examples Example 1 - Delete all dynamic entries from the FDB. switchxxxxxx# clear mac address-table dynamic Example 2 - Delete all secure entries from the FDB learned on secure port gi11. switchxxxxxx# clear mac address-table secure interface gi11 5.21 mac address-table aging-time...
  • Page 168: Port Security

    Address Table Commands Example switchxxxxxx(config)# mac address-table aging-time 600 5.22 port security To enable port security learning mode on an interface, use the port security Interface (Ethernet, Port Channel) Configuration mode command. To disable port security learning mode on an interface, use the no form of this command. Syntax seconds port security [forward...
  • Page 169: Port Security Mode

    Address Table Commands See the mac address-table static command for information about MAC address attributes (type and time-to-live) definitions. When the port security command enables the lock mode on a port, all dynamic addresses learned on the port are changed to permanent secure addresses. When the port security command enables a mode on a port other than the lock mode, all dynamic addresses learned on the port are deleted.
  • Page 170 Address Table Commands Parameters • max-addresses— Non-secure mode with limited learning dynamic MAC addresses. The static MAC addresses may be added on the port manually by the mac address-table static command. • lock— Secure mode without MAC learning. The static and secure MAC addresses may be added on the port manually by the mac address-table static...
  • Page 171: Port Security Max

    Address Table Commands Lock for gi14. switchxxxxxx(config)# interface gi14 switchxxxxxx(config-if)# port security mode lock switchxxxxxx(config-if)# port security switchxxxxxx(config-if)# exit 5.24 port security max To configure the maximum number of addresses that can be learned on the port while the port is in port, max-addresses or secure mode, use the port security max Interface (Ethernet, Port Channel) Configuration mode command.
  • Page 172: Port Security Routed Secure-Address

    Address Table Commands Example The following example sets the port to limited learning mode: switchxxxxxx(config)# interface gi14 switchxxxxxx(config-if)# port security mode max switchxxxxxx(config-if)# port security max 20 switchxxxxxx(config-if)# port security switchxxxxxx(config-if)# exit 5.25 port security routed secure-address To add a MAC-layer secure address to a routed port (a port that has an IP address defined on it), use the port security routed secure-address Interface (Ethernet, Port Channel) Configuration mode command.
  • Page 173: Show Mac Address-Table

    Address Table Commands Example The following example adds the MAC-layer address 00:66:66:66:66:66 to gi11. switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# port security routed secure-address 00:66:66:66:66:66 5.26 show mac address-table To display entries in the MAC address table, use the show mac address-table Privileged EXEC mode command.
  • Page 174: Show Mac Address-Table Count

    Address Table Commands User Guidelines Internal usage VLANs (VLANs that are automatically allocated on routed ports) are presented in the VLAN column by a port number and not by a VLAN ID. Examples Example 1 - Displays entire address table. switchxxxxxx# show mac address-table Aging time is 300 sec...
  • Page 175: Show Bridge Multicast Mode

    Address Table Commands Parameters • vlan vlan —(Optional) Specifies VLAN. • interface-id interface-id —(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel. Command Mode Privileged EXEC mode Example switchxxxxxx# show mac address-table count This may take some time.
  • Page 176: Show Bridge Multicast Address-Table

    Address Table Commands Example The following example displays the Multicast bridging mode for all VLANs switchxxxxxx# show bridge multicast mode VLAN IPv4 Multicast Mode IPv6 Multicast Mode Admin Oper Admin Oper ----- ----------- ----------- ----------- ----------- MAC-GROUP MAC-GROUP MAC-GROUP MAC-GROUP IPv4-GROUP IPv4-GROUP IPv6-GROUP...
  • Page 177 Address Table Commands ipv4-multicast-address—(Optional) Specifies the IPv4 Multicast address. ipv6-multicast-address—(Optional) Specifies the IPv6 Multicast address. • format—(Optional) Applies if mac-multicast-address was selected. In this case either MAC or IP format can be displayed. Display entries for specified Multicast address format. The possible values are: ip—Specifies that the Multicast address is an IP address.
  • Page 178 Address Table Commands Example The following example displays bridge Multicast address information. switchxxxxxx# show bridge multicast address-table Multicast address table for VLANs in MAC-GROUP bridging mode: Vlan MAC Address Type Ports ---- ----------------- -------------- ----- 01:00:5e:02:02:03 Static Forbidden ports for Multicast addresses: Vlan MAC Address Ports...
  • Page 179: Show Bridge Multicast Address-Table Static

    Address Table Commands Multicast address table for VLANs in IPv6-GROUP bridging mode: VLAN IP/MAC Address Type Ports ---- ----------------- --------- --------------------- ff02::4:4:4 Static gi11-2, gi13, Po1 Forbidden ports for Multicast addresses: VLAN IP/MAC Address Ports ---- ----------------- ----------- ff02::4:4:4 gi14 Multicast address table for VLANs in IPv6-SRC-GROUP bridging mode: Vlan Group Address...
  • Page 180 Address Table Commands [vlan vlan-id] [address show bridge multicast address-table static ipv4-multicast-address] [source ipv4-source-address] [vlan vlan-id] [address show bridge multicast address-table static ipv6-multicast-address] [source ipv6-source-address] Parameters • vlan-id vlan —(Optional) Specifies the VLAN ID. • address—(Optional) Specifies the Multicast address. The possible values are: mac-multicast-address—(Optional) Specifies the MAC Multicast address.
  • Page 181 Address Table Commands Example The following example displays the statically-configured Multicast addresses. switchxxxxxx# show bridge multicast address-table static MAC-GROUP table Vlan MAC Address Ports ---- -------------- -------- 0100.9923.8787 Forbidden ports for multicast addresses: Vlan MAC Address Ports ---- -------------- -------- IPv4-GROUP Table Vlan IP Address...
  • Page 182: Show Bridge Multicast Filtering

    Address Table Commands Vlan IP Address Ports --------- ---- ---------------- gi11-4 FF12::8 Forbidden ports for multicast addresses: Vlan IP Address Ports --------- ---- ---------------- FF12::3 gi14 gi14 FF12::8 IPv6-SRC-GROUP Table: Vlan Group Address Source Ports address ---- --------------- ------ --------------- gi11-4 FF12::8 FE80::201:C9A9:FE40:...
  • Page 183: Show Bridge Multicast Unregistered

    Address Table Commands Command Mode Privileged EXEC mode Example The following example displays the Multicast configuration for VLAN 1. switchxxxxxx# show bridge multicast filtering 1 Filtering: Enabled VLAN: 1 Forward-All Port Static Status ----- --------- ------ gi11 Forbidden Filter gi12 Forward Forward(s) gi13...
  • Page 184: Show Ports Security

    Address Table Commands Example The following example displays the unregistered Multicast configuration. switchxxxxxx# show bridge multicast unregistered Port Unregistered ------- ------------- gi11 Forward gi12 Filter gi13 Filter 5.33 show ports security To display the port-lock status, use the show ports security Privileged EXEC mode command.
  • Page 185: Show Ports Security Addresses

    Address Table Commands Port Status Learning Action Maximum Trap Frequency ------- -------- --------- ------ ------- -------- gi11 Enabled Max- Discard Enabled Addresses gi12 Disabled Max- Addresses gi13 Enabled Lock Discard Disabled The following table describes the fields shown above. Field Description Port The port number.
  • Page 186: Bridge Multicast Reserved-Address

    Address Table Commands Default Configuration Display for all interfaces. If detailed is not used, only present ports are displayed. Command Mode Privileged EXEC mode Example The following example displays dynamic addresses in all currently locked port: Port Status Learning Current Maximum ------- --------...
  • Page 187 Address Table Commands • ethernet-v2 ethtype—(Optional) Specifies that the packet type is Ethernet v2 and the Ethernet type field (16 bits in hexadecimal format). (Range: 0x0600–0xFFFF) • —(Optional) Specifies that the packet type is LLC and the DSAP-SSAP field (16 bits in hexadecimal format). (Range: 0xFFFF) •...
  • Page 188: Show Bridge Multicast Reserved-Addresses

    Address Table Commands bridge multicast reserved-address switchxxxxxx(config)# 00:3f:bd:45:5a:b1 5.36 show bridge multicast reserved-addresses To display the Multicast reserved-address rules, use the show bridge multicast reserved-addresses Privileged EXEC mode command. Syntax show bridge multicast reserved-addresses Command Mode Privileged EXEC mode Example switchxxxxxx # show bridge multicast reserved-addresses MAC Address Frame Type...
  • Page 189: Auto-Update And Auto-Configuration

    Auto-Update and Auto-Configuration boot host auto-config Use the boot host auto-config Global Configuration mode command to enable auto configuration via DHCP. Use the no form of this command to disable DHCP auto configuration. Syntax boot host auto-config [tftp | scp | auto [extension]] no boot host auto-config Parameters •...
  • Page 190: Boot Host Auto-Update

    Auto-Update and Auto-Configuration Examples Example 1. The following example specifies the auto mode and specifies "scon" as the SCP extension: switchxxxxxx# boot host auto-config auto scon Example 2. The following example specifies the auto mode and does not provide an SCP extension. In this case "scp"...
  • Page 191: Show Boot

    Auto-Update and Auto-Configuration • extension —The SCP file extension. When no value is specified, 'scp' is used. (Range: 1-16 characters) Default Configuration Enabled by default with the auto option. Command Mode Global Configuration mode User Guidelines The TFTP or SCP protocol is used to download/upload an image file. Examples Example 1—The following example specifies the auto mode and specifies "scon"...
  • Page 192 Auto-Update and Auto-Configuration Parameters Default Configuration Command Mode Privileged EXEC mode Examples switchxxxxxx# show boot Auto Config ------------ Config Download via DHCP: enabled Download Protocol: auto SCP protocol will be used for files with extension: scp Configuration file auto-save: enabled Auto Config State: Finished successfully Server IP address: 1.2.20.2 Configuration filename: /config/configfile1.cfg...
  • Page 193 Auto-Update and Auto-Configuration ----------- Image Download via DHCP: enabled switchxxxxxx# show boot Auto Config ------------ Config Download via DHCP: enabled "Download Protocol: scp Configuration file auto-save: enabled Auto Config State: Downloading configuration file Auto Update ----------- Image Download via DHCP: enabled switchxxxxxx# show boot Auto Config...
  • Page 194: Ip Dhcp Tftp-Server Ip Address

    Auto-Update and Auto-Configuration ----------- Image Download via DHCP: enabled Auto Update State: Downloaded indirect image file Indirect Image filename: /image/indirectimage.txt ip dhcp tftp-server ip address Use the ip dhcp tftp-server ip address Global Configuration mode command to set the backup server's IP address. This address serves as the default address used by a switch when it has not been received from the DHCP server.
  • Page 195: Ip Dhcp Tftp-Server File

    Auto-Update and Auto-Configuration Example 2. The example specifies the IPv6 address of TFTP server: ip dhcp tftp-server ip address 3000:1::12 switchxxxxxx# Example 3. The example specifies the IPv6 address of TFTP server: switchxxxxxx# ip dhcp tftp-server ip address tftp-server.company.com ip dhcp tftp-server file Use the ip dhcp tftp-server file Global Configuration mode command to set the full file name of the configuration file to be downloaded from the backup server when it has not been received from the DHCP server.
  • Page 196: Ip Dhcp Tftp-Server Image File

    Auto-Update and Auto-Configuration ip dhcp tftp-server image file Use the ip dhcp tftp-server image file Global Configuration mode command to set the indirect file name of the image file to be downloaded from the backup server when it has not been received from the DHCP server. Use the no form of this command to remove the file name.
  • Page 197 Auto-Update and Auto-Configuration Parameters Default Configuration Command Mode User EXEC mode User Guidelines The backup server can be a TFTP server or an SCP server. Example show ip dhcp tftp-server server address active 1.1.1.1 from sname manual 2.2.2.2 file path on server active conf/conf-file from option 67 manual...
  • Page 198: Bonjour Commands

    Bonjour Commands bonjour enable Use the bonjour enable Global Configuration mode command to enable Bonjour globally. Use the no format of the command to disable Bonjour globally. Syntax bonjour enable no bonjour enable. Default Configuration Enable Command Mode Global Configuration mode Examples switchxxxxxx(config)# bonjour enable...
  • Page 199: Show Bonjour

    Bonjour Commands Parameters • interface-list —Specifies a list of interfaces, which can be of the following types: Ethernet port, Port-channel and VLAN. Default Configuration The list is empty. Command Mode Global Configuration mode User Guidelines This command can only be used in router mode. Examples switchxxxxxx(config)# bonjour interface range VLAN 100-103...
  • Page 200 Bonjour Commands In router mode: switchxxxxxx# show bonjour Bonjour status: enabled L2 interface status: Up IP Address: 10.5.226.46 Service Admin Status Oper Status ------- ------------ -------------- csco-sb enabled enabled http enabled enabled https enabled disabled enabled disabled telnet enabled disabled In router mode: switchxxxxxx# show bonjour Bonjour global status: enabled...
  • Page 201: Cdp Commands

    CDP Commands cdp run The cdp run Global Configuration mode command enables CDP globally. The no format of this command disables CDP globally. Syntax cdp run no cdp run Parameters Default Configuration Enabled. Command Mode Global Configuration mode User Guidelines CDP is a link layer protocol for directly-connected CDP/LLDP-capable devices to advertise themselves and their capabilities.
  • Page 202: Cdp Enable

    CDP Commands Example switchxxxxxx(config)# cdp run cdp enable The cdp enable Interface Configuration mode command enables CDP on an interface. The no format of the CLI command disables CDP on an interface. Syntax cdp enable Parameters Default Configuration Enabled Command Mode Interface (Ethernet) Configuration mode User Guidelines For CDP to be enabled on an interface, it must first be enabled globally using...
  • Page 203: Cdp Pdu

    CDP Commands cdp pdu Use the cdp pdu Global Configuration mode command when CDP is not enabled globally. It specifies CDP packets handling when CDP is globally disabled. The no format of this command returns to default. Syntax cdp pdu [filtering | bridging | flooding] no cdp pdu Parameters •...
  • Page 204: Cdp Advertise-V2

    CDP Commands cdp advertise-v2 The cdp advertise-v2 Global Configuration mode command specifies version 2 of transmitted CDP packets. The no format of this command specifies version 1. Syntax cdp advertise-v2 no cdp advertise-v2 Parameters Default Configuration Version 2. Command Mode Global Configuration mode Example switchxxxxxx(config)#...
  • Page 205: Cdp Mandatory-Tlvs Validation

    CDP Commands Default Configuration Enabled Command Mode Global Configuration mode User Guidelines This MIB specifies the Voice Vlan ID (VVID) to which this port belongs: • 0—The CDP packets transmitting through this port contain Appliance VLAN-ID TLV with value of 0. VoIP and related packets are expected to be sent and received with VLAN-ID=0 and an 802.1p priority.
  • Page 206: Cdp Source-Interface

    CDP Commands Parameters Default Configuration Enabled. Command Mode Global Configuration mode Example This example turns off mandatory TLV validation: switchxxxxxx(config)# no cdp mandatory-tlvs validation cdp source-interface The cdp source-interface Global Configuration mode command specifies the CDP source port used for source IP address selection. The no format of this command deletes the source interface.
  • Page 207: Cdp Log Mismatch Duplex

    CDP Commands User Guidelines Use the cdp source-interface command to specify an interface whose minimal IP address will be advertised in the TLV instead of the minimal IP address of the outgoing interface. Example switchxxxxxx(config)# cdp source-interface gi11 cdp log mismatch duplex Use the cdp log mismatch duplex Global and Interface Configuration mode command to enable validating that the duplex status of a port received in a CDP packet matches the port's actual configuration.
  • Page 208: Cdp Log Mismatch Voip

    CDP Commands cdp log mismatch voip Use the cdp log mismatch voip Global and Interface Configuration mode command to enable validating that the VoIP status of the port received in a CDP packet matches its actual configuration. If not, a SYSLOG message is generated by CDP.
  • Page 209: Cdp Device-Id Format

    CDP Commands Syntax cdp log mismatch native no cdp log mismatch native Parameters Default Configuration The switch reports native VLAN mismatches from all ports. Command Mode Global Configuration mode Interface (Ethernet) Configuration mode Example switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# cdp log mismatch native 8.11 cdp device-id format The cdp device-id format Global Configuration mode command specifies the...
  • Page 210: Cdp Timer

    CDP Commands Default Configuration MAC address is selected by default. Command Mode Global Configuration mode Example switchxxxxxx(config)# cdp device-id format serial-number 8.12 cdp timer The cdp timer Global Configuration mode command specifies how often CDP packets are transmitted. The no format of this command returns to default. Syntax cdp timer seconds...
  • Page 211: Cdp Holdtime

    CDP Commands 8.13 cdp holdtime The cdp holdtime Global Configuration mode command specifies a value of the Time-to-Live field into sent CDP messages. The no format of this command returns to default. Syntax cdp holdtime seconds no cdp holdtime Parameters •...
  • Page 212: Clear Cdp Table

    CDP Commands • interface-id —Specifies the interface identifier of the counters that should be cleared. Command Mode Privileged EXEC mode User Guidelines Use the command clear cdp counters without parameters to clear all the counters. Use the clear cdp counters global to clear only the global counters. Use the clear cdp counters interface-id command to clear the counters of the...
  • Page 213: Show Cdp

    CDP Commands Parameters Command Mode Privileged EXEC mode Example The example deletes all entries from the CDP Cache tables: switchxxxxxx# clear cdp table 8.16 show cdp The show cdp Privileged EXEC mode command displays the interval between advertisements, the number of seconds the advertisements are valid and version of the advertisements.
  • Page 214: Show Cdp Entry

    • version—Limits the display to information about the version of software running on the neighbors. Default Configuration Version Command Mode Privileged EXEC mode Example switchxxxxxx# show cdp entry device.cisco.com Device ID: device.cisco.com OL-32830-01 Command Line Interface Reference Guide...
  • Page 215: Show Cdp Interface

    Holdtime: 125 sec Version: Cisco Internetwork Operating System Software IOS (tm) 4500 Software (C4500-J-M), Version 11.1(10.4), MAINTENANCE INTERIM SOFTWARE Copyright (c) 1986-1997 by cisco Systems, Inc. Compiled Mon 07-Apr-97 19:51 by dschwart switchxxxxxx# show cdp entry device.cisco.com protocol Protocol information for device.cisco.com: IP address: 192.168.68.18...
  • Page 216: Show Cdp Neighbors

    CDP Commands Parameters • interface-id —Interface ID. Command Mode Privileged EXEC mode Example switchxxxxxx# show cdp interface gi11 CDP is globally enabled CDP log duplex mismatch Globally is enabled Per interface is enabled CDP log voice VLAN mismatch Globally is enabled Per interface is enabled CDP log native VLAN mismatch Globally is disabled...
  • Page 217 CDP Commands • secondary—Displays information about neighbors from the secondary cache. Default Configuration If an interface ID is not specified, the command displays information for the neighbors of all ports. If detail or secondary are not specified, the default is secondary. Command Mode Privileged EXEC mode User Guidelines...
  • Page 218 CDP Commands Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone M - Remotely-Managed Device, C - CAST Phone Port, W - Two-Port MAC Relay Device ID Local...
  • Page 219 CDP Commands Entry address(es): IP address: 172.19.169.87 Platform: company TD6780, Capabilities: Router Device ID: SEP000427D400ED Advertisement version: 2 Entry address(es): IP address: 1.6.1.81 Platform: Company IP Phone x8810, Capabilities: Host Interface: gi11, Port ID (outgoing port): Port 1 Time To Live: 150 sec Version : P00303020204 Duplex: full...
  • Page 220 CDP Commands • External Port-ID—Identifies the physical connector port on which the CDP packet is transmitted. It is used in devices, such as those with optical ports, in which signals from multiple hardware interfaces are multiplexed through a single physical port. It contains the name of the external physical port through which the multiplexed signal is transmitted.
  • Page 221: Show Cdp Tlv

    CDP Commands • Remote Port_ID—Identifies the port the CDP packet is sent on • sysName—An ASCII string containing the same value as the sending device's sysName MIB object. • sysObjectID—The OBJECT-IDENTIFIER value of the sending device's sysObjectID MIB object. • Time To Live—The remaining amount of time, in seconds, the current device will hold the CDP advertisement from a transmitting router before discarding it.
  • Page 222 CDP Commands CDP is really running on the port, i.e. CDP is enabled globally and on the port, which is UP. Examples Example 1 - In this example, CDP is disabled and no information is displayed. switchxxxxxx# show cdp tlv cdp globally is disabled Example 2 - In this example, CDP is globally enabled but disabled on the port and no information is displayed.
  • Page 223 CDP Commands Ethernet gi13 is down Example 4 - In this example, CDP is globally enabled and enabled on the port, which is up and information is displayed. switchxxxxxx# show cdp tlv interface gi11 cdp globally is enabled Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone,M - Remotely-Managed Device, C - CAST Phone Port, W - Two-Port MAC Relay...
  • Page 224 CDP Commands cdp globally is enabled Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - VoIP Phone,M - Remotely-Managed Device, C - CAST Phone Port, W - Two-Port MAC Relay Interface TLV: gi11 CDP is enabled Ethernet gi11 is up,...
  • Page 225: Show Cdp Traffic

    CDP Commands 8.21 show cdp traffic The show cdp traffic Privileged EXEC mode command displays the CDP counters, including the number of packets sent and received and checksum errors. Syntax show cdp traffic [global | interface-id] Parameters • global—Display only the global counters •...
  • Page 226 CDP Commands CDP version 1 advertisements output: 100, Input CDP version 2 advertisements output: 81784, Input gi12 Total packets output: 81684, Input: 81790 Hdr syntax: 0, Chksum error: 0, Encaps: 0 No memory: 0, Invalid packet: 0 CDP version 1 advertisements output: 100, Input CDP version 2 advertisements output:...
  • Page 227: Clock Commands

    Clock Commands absolute To specify an absolute time when a time range is in effect, use the absolute command in Time-range Configuration mode. To restore the default configuration, use the no form of this command. Syntax hh:mm day month year absolute start no absolute start hh:mm day month year...
  • Page 228: Clock Dhcp Timezone

    Clock Commands Example switchxxxxxx(config)# time-range http-allowed switchxxxxxx(config-time-range)# absolute start 12:00 1 jan 2005 switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005 clock dhcp timezone To specify that the timezone and the Summer Time (Daylight Saving Time) of the system can be taken from the DHCP Timezone option, use the clock dhcp timezone command in Global Configuration mode.
  • Page 229: Clock Set

    Clock Commands The no form of the command clears the dynamic Time Zone and Summer Time received from the DHCP server. In case of multiple DHCP-enabled interfaces, the following precedence is applied: - information received from DHCPv6 precedes information received from DHCPv4 - information received from DHCP client running on lower interface precedes information received from DHCP client running on higher interfac...
  • Page 230: Clock Source

    Clock Commands User Guidelines After boot the system clock is set to the time of the image creation. Example The following example sets the system time to 13:32:00 on March 7th, 2005. switchxxxxxx# clock set 13:32:00 7 Mar 2005 clock source To configure an external time source for the system clock, use the clock source command in Global Configuration mode.
  • Page 231: Clock Summer-Time

    Clock Commands If the command is executed twice, each time with a different clock source, both sources will be operational; SNTP has higher priority than time from the browser. Example The following example configures an SNTP server as an external time source for the system clock.
  • Page 232 Clock Commands • recurring—Indicates that summer time starts and ends on the corresponding specified days every year. • date—Indicates that summer time starts on the first date listed in the command and ends on the second date in the command. •...
  • Page 233: Clock Timezone

    Clock Commands Time: 2 AM local time • Before 2007: Start: First Sunday in April End: Last Sunday in October Time: 2 AM local time EU rules for Daylight Saving Time: • Start: Last Sunday in March • End: Last Sunday in October •...
  • Page 234: Periodic

    Clock Commands Default Configuration Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), which is the same: • Offsets are 0. • Acronym is empty. Command Mode Global Configuration mode User Guidelines The system internally keeps time in UTC, so this command is used only for display purposes and when the time is manually set.
  • Page 235: Sntp Anycast Client Enable

    Clock Commands Parameters • day-of-the-week —The starting day that the associated time range is in effect. The second occurrence is the ending day the associated statement is in effect. The second occurrence can be the following week (see description in the User Guidelines). Possible values are: mon, tue, wed, thu, fri, sat, and sun.
  • Page 236: Sntp Authenticate

    Clock Commands Syntax sntp anycast client enable [both | ipv4 | ipv6] Parameters • both—(Optional) Specifies the IPv4 and IPv6 SNTP Anycast clients are enabled. If the parameter is not defined it is the default value. • ipv4—(Optional) Specifies the IPv4 SNTP Anycast clients are enabled. •...
  • Page 237: Sntp Authentication-Key

    Clock Commands Parameters Default Configuration Authentication is disabled. Command Mode Global Configuration mode Examples The following example enables authentication for received SNTP traffic and sets the key and encryption key. switchxxxxxx(config)# sntp authenticate switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey switchxxxxxx(config)# sntp trusted-key 8 9.10 sntp authentication-key...
  • Page 238: Sntp Broadcast Client Enable

    Clock Commands Default Configuration No authentication key is defined. Command Mode Global Configuration mode Examples The following example defines the authentication key for SNTP. switchxxxxxx(config)# sntp authentication-key ClkKey switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey switchxxxxxx(config)# sntp trusted-key 8 switchxxxxxx(config)# sntp authenticate 9.11 sntp broadcast client enable To enable SNTP Broadcast clients, use the sntp broadcast client enable command...
  • Page 239: Sntp Client Enable

    Clock Commands Command Mode Global Configuration mode User Guidelines Use the sntp broadcast client enable Interface Configuration mode command to enable the SNTP Broadcast client on a specific interface. After entering this command, you must enter the clock source command with the sntp keyword for the command to be run.
  • Page 240: Sntp Client Enable (Interface)

    Clock Commands Default Configuration The SNTP client is disabled. Command Mode Global Configuration mode User Guidelines Use the sntp client enable command to enable SNTP Broadcast and Anycast clients. Example The following example enables the SNTP Broadcast and Anycast clients on VLAN 100: switchxxxxxx(config)# sntp client enable vlan 100...
  • Page 241: Sntp Server

    Clock Commands User Guidelines This command enables the SNTP Broadcast and Anycast client on an interface. Use the no form of this command to disable the SNTP client. Example The following example enables the SNTP broadcast and anycast client on an interface.
  • Page 242: Sntp Source-Interface

    Clock Commands Command Mode Global Configuration mode User Guidelines Use the sntp server {ip-address | hostname} [poll] [key keyid] command to define an SNTP server. The switch supports up to 8 SNTP servers. Use the no sntp server {ip-address | hostname} command to remove one SNTP server.
  • Page 243: Sntp Source-Interface-Ipv6

    Clock Commands Command Mode Global Configuration mode User Guidelines If the source interface is the outgoing interface, the interface IP address belonging to next hop IPv4 subnet is applied. If the source interface is not the outgoing interface, the minimal IPv4 address defined on the interface is applied.
  • Page 244: Sntp Trusted-Key

    Clock Commands Command Mode Global Configuration mode User Guidelines The outgoing interface is selected based on the SNTP server's IP address. If the source interface is the outgoing interface, the IPv6 address defined on the interface and selected in accordance with RFC 6724 is applied. If the source interface is not the outgoing interface, the minimal IPv4 address defined on the interface and with the scope of the destination IPv6 address is applied.
  • Page 245: Sntp Unicast Client Enable

    Clock Commands Command Mode Global Configuration mode User Guidelines The trusted key is used for authentication of all servers not having personal keys assigned by the sntp server command. Examples The following example authenticates key 8. switchxxxxxx(config)# sntp trusted-key switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey switchxxxxxx(config)# sntp trusted-key 8...
  • Page 246: Sntp Unicast Client Poll

    Clock Commands User Guidelines Use the sntp server Global Configuration mode command to define SNTP servers. Example The following example enables the device to use SNTP Unicast clients. switchxxxxxx(config)# sntp unicast client enable 9.19 sntp unicast client poll To enable polling for the SNTP Unicast clients, use the sntp unicast client poll command in Global Configuration mode.
  • Page 247: Show Clock

    Clock Commands 9.20 show clock To display the time and date from the system clock, use the show clock command in User EXEC mode. Syntax show clock [detail] Parameters • detail—(Optional) Displays the time zone and summer time configuration. Command Mode User EXEC mode User Guidelines Before the time, there is displayed either a star (*), period (.), or blank:...
  • Page 248: Show Sntp Configuration

    Clock Commands Time source is sntp Time from Browser is enabled Time zone (DHCPv4 on VLAN1): Acronym is RAIN Offset is UTC+2 Time zone (Static): Offset is UTC+0 Summertime (DHCPv4 on VLAN1): Acronym is SUN Recurring every year. Begins at first Sunday of Apr at 02:00. Ends at first Tuesday of Sep at 02:00.
  • Page 249 Clock Commands Default Configuration Command Mode Privileged EXEC mode Examples The following example displays the device’s current SNTP configuration. switchxxxxxx# show sntp configuration SNTP port : 123 Polling interval: 1024 seconds MD5 Authentication Keys ----------------------------------- John123 Alice456 ----------------------------------- Authentication is not required for synchronization. No trusted keys Unicast Clients: enabled Unicast Clients Polling: enabled...
  • Page 250: Show Sntp Status

    Clock Commands Polling: enabled Encryption Key: disabled Broadcast Clients: enabled for IPv4 and IPv6 Anycast Clients: disabled No Broadcast Interfaces Source IPv4 interface: vlan 1 Source IPv6 interface: vlan 10 9.22 show sntp status To display the SNTP servers status, use the show sntp status command in Privileged EXEC mode.
  • Page 251 Clock Commands Stratum Level: 1 Offset: 7.33mSec Delay: 117.79mSec dns_server.comapany.com Server: Source: static Status: Unknown Last response: 12:17.17.987 PDT Feb 19 2005 Stratum Level: 1 Offset: 8.98mSec Delay: 189.19mSec 3001:1:1::1 Server: Source: DHCPv6 on VLAN 2 Status: Unknown Last response: Offset: mSec Delay: mSec dns1.company.com...
  • Page 252: Show Time-Range

    Clock Commands 9.23 show time-range To display the time range configuration, use the show time-range command in User EXEC mode. Syntax show time-range time-range-name Parameters • time-range-name —Specifies the name of an existing time range. Command Mode User EXEC mode Example switchxxxxxx# show time-range...
  • Page 253 Clock Commands Default Configuration No time range is defined Command Mode Global Configuration mode User Guidelines After entering Time-range Configuration mode with this command, use the absolute and periodic commands to actually configure the time range. Multiple periodic commands are allowed in a time range. Only one absolute command is allowed.
  • Page 254: Configuration And Image File Commands

    Configuration and Image File Commands 10.0 10.1 copy The copy Privileged EXEC mode command copies a source file to a destination file. Syntax copy source-url destination-url [exclude | include-encrypted | include-plaintext] Parameters • source-url —Specifies the source file URL or source file reserved keyword to be copied.
  • Page 255 Configuration and Image File Commands • — null: Null destination for copies or files. A remote file can be copied to null to determine its size. For instance copy running-conf null returns the size of the running configuration file. • —...
  • Page 256 Configuration and Image File Commands • ipv6_address interface_id - Refers to the IPv6 address on the interface specified. • ipv6_address %0 - Refers to the IPv6 address on the single interface on which an IPv6 address is defined. • ipv6_address - Refers to the IPv6 address on the single interface on which an IPv6 address is defined.
  • Page 257 Configuration and Image File Commands Use the copy source-url running-config command to load a configuration file from a network server to the running configuration file of the device. The commands in the loaded configuration file are added to those in the running configuration file as if the commands were typed in the command-line interface (CLI).
  • Page 258 Configuration and Image File Commands Examples Example 1 - The following example copies system image file1 from the TFTP server 172.16.101.101 to the non-active image file. switchxxxxxx# //172.16.101.101/file1 copy tftp: image Accessing file 'file1' on 172.16.101.101... Loading file1 from 172.16.101.101: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  • Page 259: Write

    Configuration and Image File Commands The following example copies file1 to the Startup Configuration file. The username and password used for SCP session authentication are: jeff and admin1. The IP address of the server containing file1 is 102.1.2.2. switchxxxxxx# copy scp://jeff:admin1@102.1.2.2/file1 startup-config 10.2 write Use the write Privileged EXEC mode command to save the running configuration to the startup configuration file.
  • Page 260: Delete

    Configuration and Image File Commands 10.3 delete The delete Privileged EXEC mode command deletes a file from a flash memory device. Syntax delete Parameters • —Specifies the location URL or reserved keyword of the file to be deleted. (Length: 1–160 characters) Command Mode Privileged EXEC mode User Guidelines...
  • Page 261: More

    Configuration and Image File Commands Syntax Parameters This command has no arguments or keywords. Command Mode Privileged EXEC mode Examples Example 1. The following example displays the list of files on a flash file system with static images. The Flash size column for all files except dynamic image specifies the maximum allowed size.
  • Page 262 Configuration and Image File Commands Syntax more Parameters • —Specifies the location URL or reserved keyword of the source file to be displayed. (Length: 1–160 characters). Default Configuration This command has no arguments or keywords. Command Mode Privileged EXEC mode User Guidelines The following keywords and URL prefixes are supported •...
  • Page 263: Rename

    Configuration and Image File Commands 10.6 rename The rename Privileged EXEC mode command renames a file. Syntax rename url new-url Parameters • —Specifies the file location URL. (Length: 1–160 characters) • new-url —Specifies the file’s new URL. (Length: 1–160 characters) Default Configuration This command has no arguments or keywords.
  • Page 264: Show Running-Config

    Configuration and Image File Commands Syntax boot system {image-1 | image-2} Parameters • image-1—Specifies that image-1 is loaded as the system image during the next device startup. • image-2—Specifies that image-2 is loaded as the system image during the next device startup. Default Configuration This command has no default configuration.
  • Page 265 Configuration and Image File Commands • brief—Displays configuration without SSL and SSH keys. Default Configuration All interfaces are displayed. If the detailed or brief keyword is not specified, the detailed keyword is applied. Command Mode Privileged EXEC mode Examples The following example displays the running configuration file contents. switchxxxxxx# show running-config config-file-header...
  • Page 266: Show Startup-Config

    Configuration and Image File Commands exit line console exec-timeout 0 exit switchxxxxxx# 10.9 show startup-config Use the show startup-config Privileged EXEC mode command to display the Startup Configuration file contents. Syntax show startup-config [interface interface-id-list] Parameters • interface interface-id-list —Specifies a list of interface IDs. The interface IDs can be one of the following types: Ethernet port, port-channel or VLAN.
  • Page 267: Show Bootvar

    Configuration and Image File Commands ssd file passphrase control unrestricted no ssd file integrity control ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0 no spanning-tree interface range gi11-4 speed 1000 exit no lldp run interface vlan 1 ip address 1.1.1.1 255.0.0.0 exit line console exec-timeout 0 exit switchxxxxxx# 10.10 show bootvar...
  • Page 268: Service Mirror-Configuration

    Configuration and Image File Commands Example The following example displays the active system image file that was loaded by the device at startup and the system image file that will be loaded after rebooting the switch: switchxxxxxx# show bootvar Image Filename Version Date...
  • Page 269: Show Mirror-Configuration Service

    Configuration and Image File Commands User Guidelines The mirror-configuration service automatically keeps a copy of the last known stable configuration (a startup configuration that has not been modified for 24 hours). The mirror-configuration file is not deleted when restoring to factory default. When this service is disabled, the mirror-configuration file is not created and, if such a file already exists, it is deleted.
  • Page 270 Configuration and Image File Commands Example The following example displays the status of the mirror-configuration service switchxxxxxx# show mirror-configuration service Mirror-configuration service is enabled OL-32830-01 Command Line Interface Reference Guide...
  • Page 271: Dhcp Relay Commands

    DHCP Relay Commands 11.0 11.1 ip dhcp relay enable (Global) Use the ip dhcp relay enable Global Configuration mode command to enable the DHCP relay feature on the device. Use the no form of this command to disable the DHCP relay feature. Syntax ip dhcp relay enable no ip dhcp relay enable...
  • Page 272: Ip Dhcp Relay Enable (Interface)

    DHCP Relay Commands 11.2 ip dhcp relay enable (Interface) Use the ip dhcp relay enable Interface Configuration mode command to enable the DHCP relay feature on an interface. Use the no form of this command to disable the DHCP relay agent feature on an interface. Syntax ip dhcp relay enable no ip dhcp relay enable...
  • Page 273: Ip Dhcp Relay Address (Global)

    DHCP Relay Commands 11.3 ip dhcp relay address (Global) Use the ip dhcp relay address Global Configuration mode command to define the DHCP servers available for the DHCP relay. Use the no form of this command to remove the server from the list. Syntax ip dhcp relay address ip-address...
  • Page 274: Ip Dhcp Relay Address (Interface)

    DHCP Relay Commands 11.4 ip dhcp relay address (Interface) Use the ip dhcp relay address Interface Configuration (VLAN, Ethernet, Port-channel) command to define the DHCP servers available by the DHCP relay for DHCP clients connected to the interface. Use the no form of this command to remove the server from the list.
  • Page 275: Show Ip Dhcp Relay

    DHCP Relay Commands 11.5 show ip dhcp relay Use the show ip dhcp relay EXEC mode command to display the DHCP relay information. Syntax show ip dhcp relay Command Mode User EXEC mode Examples Example 1. Option 82 is not supported: switchxxxxxx# show ip dhcp relay DHCP relay is globally enabled...
  • Page 276 DHCP Relay Commands DHCP relay is enabled on VLANs: 1, 2, 4, 5 Active: Inactive: 1, 2, 4, 5 Global Servers: 1.1.1.1 , 2.2.2.2 Example 3. Option 82 is supported (enabled): switchxxxxxx# show ip dhcp relay DHCP relay is globally enabled Option 82 is enabled Maximum number of supported VLANs without IP Address is 4 Number of DHCP Relays enabled on VLANs without IP Address: 2...
  • Page 277: Ip Dhcp Information Option

    DHCP Relay Commands DHCP relay is enabled on VLANs: 1, 2, 4, 5 Active: 1, 2, 4, 5 Inactive: Global Servers: 1.1.1.1 , 2.2.2.2 VLAN 1: 1.1.1.1, 100.10.1.1 VLAN 2: 3.3.3.3, 4.4.4.4, 5.5.5.5 VLAN 10: 6.6.6.6 11.6 ip dhcp information option Use the ip dhcp information option Global Configuration command to enable DHCP option-82 data insertion.
  • Page 278: Show Ip Dhcp Information Option

    DHCP Relay Commands 11.7 show ip dhcp information option The show ip dhcp information option EXEC mode command displays the DHCP Option 82 configuration. Syntax show ip dhcp information option Parameters Default Configuration Command Mode User EXEC mode Example The following example displays the DHCP Option 82 configuration. switchxxxxxx# show ip dhcp information option Relay agent Information option is Enabled...
  • Page 279: Dhcp Server Commands

    DHCP Server Commands 12.0 12.1 address (DHCP Host) To manually bind an IP address to a DHCP client, use the address command in DHCP Pool Host Configuration mode. To remove the IP address binding to the client, use the no form of this command. Syntax ip-address mask...
  • Page 280: Address (Dhcp Network)

    DHCP Server Commands User Guidelines To classify the DHCP client, the DHCP server uses either the client identifier passed in Option 61 (if the client-identifier keyword is configured) or the client MAC address (if the hardware-address keyword is configured). Example The following example manually binds an IP address to a DHCP client. switchxxxxxx(config)# ip dhcp pool host aaaa switchxxxxxx(config-dhcp)#...
  • Page 281: Bootfile

    DHCP Server Commands • prefix-length —Specifies the number of bits that comprise the address prefix. The prefix is an alternative way of specifying the client network mask. The prefix length must be preceded by a forward slash (/). • low-address —Specifies the first IP address to use in the address range.
  • Page 282: Clear Ip Dhcp Binding

    DHCP Server Commands Parameters • filename —Specifies the file name used as a boot image. (Length: 1–128 characters). Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Example The following example specifies boot_image_file as the default boot image file name for a DHCP client.
  • Page 283: Client-Name

    DHCP Server Commands Use the no ip dhcp pool Global Configuration mode command to delete a manual binding. Example The following example deletes the address binding 10.12.1.99 from a DHCP server database: switchxxxxxx# clear ip dhcp binding 10.12.1.99 12.5 client-name To define the name of a DHCP client, use the client-name command in DHCP Pool Host Configuration mode.
  • Page 284: Default-Router

    DHCP Server Commands 12.6 default-router To configure the default router list for a DHCP client, use the default-router command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To remove the default router list, use the no form of this command.
  • Page 285: Domain-Name

    DHCP Server Commands in DHCP Pool Host Configuration mode. To remove the DNS server list, use the no form of this command. Syntax dns-server ip-address [ip-address2 ... ip-address8] no dns-server Parameters • ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of DNS servers. Up to eight addresses can be specified in one command line. Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode...
  • Page 286: Ip Dhcp Excluded-Address

    DHCP Server Commands Syntax domain-name domain no domain-name Parameters • domain —Specifies the DHCP client domain name string. (Length: 1–32 characters). Command Mode DHCP Pool Network Configuration mode DHCP Pool Host Configuration mode Default Configuration No domain name is defined. Example The following example specifies yahoo.com as the DHCP client domain name string.
  • Page 287: Ip Dhcp Pool Host

    DHCP Server Commands • high-address —(Optional) Specifies the last IP address in the excluded address range. Default Configuration All IP pool addresses are assignable. Command Mode Global Configuration mode User Guidelines The DHCP server assumes that all pool addresses can be assigned to clients. Use this command to exclude a single IP address or a range of IP addresses.
  • Page 288: Ip Dhcp Pool Network

    DHCP Server Commands Default Configuration DHCP hosts are not configured. Command Mode Global Configuration mode User Guidelines During execution of this command, the configuration mode changes to the DHCP Pool Configuration mode. In this mode, the administrator can configure host parameters, such as the IP subnet number and default router list.
  • Page 289: Ip Dhcp Server

    DHCP Server Commands Command Mode Global Configuration mode User Guidelines During execution of this command, the configuration mode changes to DHCP Pool Network Configuration mode. In this mode, the administrator can configure pool parameters, such as the IP subnet number and default router list. Example The following example configures Pool 1 as the DHCP address pool.
  • Page 290: Lease

    DHCP Server Commands 12.13 lease To configure the time duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client, use the lease command in DHCP Pool Network Configuration mode. To restore the default value, use the no form of this command. Syntax lease days [hours [minutes]] lease infinite...
  • Page 291: Netbios-Name-Server

    DHCP Server Commands The following example shows a one-minute lease. switchxxxxxx(config-dhcp)# lease 0 0 1 The following example shows an infinite (unlimited) lease. switchxxxxxx(config-dhcp)# lease infinite 12.14 netbios-name-server To configure the NetBIOS Windows Internet Naming Service (WINS) server list that is available to Microsoft DHCP clients, use the netbios-name-server in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode.
  • Page 292: Netbios-Node-Type

    DHCP Server Commands switchxxxxxx(config-dhcp)# netbios-name-server 10.12.1.90 12.15 netbios-node-type To configure the NetBIOS node type for Microsoft DHCP clients, use the netbios-node-type command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To return to default, use the no form of this command.
  • Page 293: Next-Server

    DHCP Server Commands 12.16 next-server To configure the next server (siaddr) in the boot process of a DHCP client, use the next-server command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To remove the next server, use the no form of this command.
  • Page 294: Next-Server-Name

    DHCP Server Commands 12.17 next-server-name To configure the next server name (sname) in the boot process of a DHCP client, use the next-server-name command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To remove the boot server name, use the no form of this command.
  • Page 295: Option

    DHCP Server Commands 12.18 option To configure the DHCP server options, use the option command in DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To remove the options, use the no form of this command. Syntax code value string...
  • Page 296 DHCP Server Commands User Guidelines The option command enables defining any option that cannot be defined by other special CLI commands. A new definition of an option overrides the previous definition of this option. The boolean keyword may be configured for the following options: 19, 20, 27, 29-31, 34, 36, and 39.
  • Page 297: Show Ip Dhcp

    DHCP Server Commands 12.19 show ip dhcp To display the DHCP configuration, use the show ip dhcp command in User EXEC mode. Syntax show ip dhcp Command Mode User EXEC mode Example The following example displays the DHCP configuration. switchxxxxxx# show ip dhcp DHCP server is enabled.
  • Page 298 DHCP Server Commands switchxxxxxx# show ip dhcp allocated DHCP server enabled The number of allocated entries is 3 IP address Hardware address Lease expiration Type ---------- ---------------- -------------------- --------- 172.16.1.11 00a0.9802.32de Feb 01 1998 12:00 AM Dynamic 172.16.3.253 02c7.f800.0422 Infinite Automatic 172.16.3.254 02c7.f800.0422 Infinite...
  • Page 299: Show Ip Dhcp Binding

    DHCP Server Commands Lease The lease expiration date of the host IP address. expiration Type The manner in which the IP address was assigned to the host. 12.21 show ip dhcp binding To display the specific address binding or all the address bindings on the DHCP server, use the show ip dhcp binding command in User EXEC mode.
  • Page 300: Lease The Lease Expiration Date Of The Host Ip Address

    DHCP Server Commands (continuation of the show ip dhcp binding output)
    IP address   Hardware address   Lease expiration      Type      State
    ----------   ----------------   -------------------   -------   -------------
    1.16.1.11    00a0.9802.32de     Feb 01 1998 12:00AM   dynamic   allocated
    1.16.3.23    02c7.f801.0422                           dynamic   expired
    1.16.3.24    02c7.f802.0422                           dynamic   declined
    1.16.3.25    02c7.f803.0422                           dynamic   pre-allocated
    1.16.3.26    02c7.f804.0422                           dynamic   declined
    switchxxxxxx# show ip dhcp binding 1.16.1.11 DHCP server enabled IP address Hardware Address Lease Expiration Type...
  • Page 301: Show Ip Dhcp Declined

    DHCP Server Commands 12.22 show ip dhcp declined To display the specific declined address or all of the declined addresses on the DHCP server, use the show ip dhcp declined command in User EXEC mode. Syntax show ip dhcp declined [ip-address] Parameters •...
  • Page 302: Show Ip Dhcp Excluded-Addresses

    DHCP Server Commands 12.23 show ip dhcp excluded-addresses To display the excluded addresses, use the show ip dhcp excluded-addresses command in User EXEC mode. Syntax show ip dhcp excluded-addresses Command Mode User EXEC mode Example The following example displays excluded addresses. switchxxxxxx# show ip dhcp excluded-addresses The number of excluded addresses ranges is 2...
  • Page 303: Show Ip Dhcp Pool Host

    DHCP Server Commands switchxxxxxx# show ip dhcp expired DHCP server enabled The number of expired entries is 1 IP address Hardware address 172.16.1.11 00a0.9802.32de 172.16.3.254 02c7.f800.0422 switchxxxxxx# show ip dhcp expired 172.16.1.11 DHCP server enabled The number of expired entries is 1 IP address Hardware address 172.16.1.13 00a0.9802.32de...
  • Page 304 DHCP Server Commands The number of host pools is 1 Name IP Address Hardware Address Client Identifier ---------- ---------- ---------------- ----------------- station 172.16.1.11 01b7.0813.8811.66 Example 2. The following example displays the DHCP pool host configuration of the pool named station: switchxxxxxx# show ip dhcp pool host station Name...
  • Page 305: Show Ip Dhcp Pool Network

    DHCP Server Commands 4 134.14.14.1 ip-list 8 1.1.1.1, 12.23.45.2 5 02af00aa00 12.26 show ip dhcp pool network To display the DHCP network configuration, use the show ip dhcp pool network command in User EXEC mode. Syntax show ip dhcp pool network [name] Parameters •...
  • Page 306: Show Ip Dhcp Pre-Allocated

    DHCP Server Commands --------------------------------- ------------------------ marketing 10.1.1.17-10.1.1.178 255.255.255.0 0d:12h:0m Statistics: All-range Available Free Pre-allocated Allocated Expired Declined ---------- --------- ----- ------------- --------- --------- -------- 162 150 68 50 20 Default router: 10.1.1.1 DNS server: 10.12.1.99 Domain name: yahoo.com NetBIOS name server: 10.12.1.90 NetBIOS node type: h-node Next server: 10.12.1.99 Next-server-name: 10.12.1.100...
  • Page 307: Show Ip Dhcp Server Statistics

    DHCP Server Commands Syntax show ip dhcp pre-allocated [ip-address] Parameters • ip-address —(Optional) Specifies the IP address. Command Mode User EXEC mode Examples switchxxxxxx# show ip dhcp pre-allocated DHCP server enabled The number of pre-allocated entries is 1 IP address Hardware address 172.16.1.11 00a0.9802.32de...
  • Page 308: Time-Server

    DHCP Server Commands Example The following example displays DHCP server statistics switchxxxxxx# show ip dhcp server statistics DHCP server enabled The number of network pools is 7 The number of excluded pools is 2 The number of used (all types) entries is 7 The number of pre-allocated entries is 1 The number of allocated entries is 3 The number of expired entries is 1...
  • Page 309 DHCP Server Commands Default Configuration No time server is defined. User Guidelines The time server’s IP address should be on the same subnet as the client subnet. Example The following example specifies 10.12.1.99 as the time server IP address. switchxxxxxx(config-dhcp)# time-server 10.12.1.99
  • Page 310: Dhcp Snooping Commands

    DHCP Snooping Commands 13.0 13.1 ip dhcp snooping Use the ip dhcp snooping Global Configuration mode command to enable Dynamic Host Configuration Protocol (DHCP) Snooping globally. Use the no form of this command to restore the default configuration. Syntax ip dhcp snooping no ip dhcp snooping Parameters Default Configuration...
  • Page 311: Ip Dhcp Snooping Vlan

    DHCP Snooping Commands 13.2 ip dhcp snooping vlan Use the ip dhcp snooping vlan Global Configuration mode command to enable DHCP Snooping on a VLAN. Use the no form of this command to disable DHCP Snooping on a VLAN. Syntax ip dhcp snooping vlan vlan-id no ip dhcp snooping vlan vlan-id...
  • Page 312: Ip Dhcp Snooping Information Option Allowed-Untrusted

    DHCP Snooping Commands Syntax ip dhcp snooping trust no ip dhcp snooping trust Parameters Default Configuration The interface is untrusted. Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines Configure as trusted the ports that are connected to a DHCP server or to other switches or routers.
  • Page 313: Ip Dhcp Snooping Verify

    DHCP Snooping Commands Parameters Default Configuration DHCP packets with option-82 information from an untrusted port are discarded. Command Mode Global Configuration mode Example The following example allows a device to accept DHCP packets with option-82 information from an untrusted port. switchxxxxxx(config)# ip dhcp snooping information option allowed-untrusted 13.5 ip dhcp snooping verify...
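    The two option-82 pages above (11.6 ip dhcp information option, which makes the relay insert the option, and 13.4 allowed-untrusted, which controls whether a snooping switch accepts it from a client-facing port) describe a policy that is easy to get wrong in a parser. The following Python is an added example, not Cisco code: it encodes option 82 the way a relay does (RFC 3046 sub-options 1 and 2), parses the DHCP options field without trusting the length bytes, and applies the untrusted-port rule from page 313. The circuit-id, remote-id and the giaddr check on untrusted ports are this example's assumptions; the page only states the option-82 discard rule.

```python
"""DHCP option 82 (Relay Agent Information, RFC 3046): build it the way a relay
does, parse it the way a snooping switch must, and apply the untrusted-port
policy behind "ip dhcp snooping information option allowed-untrusted".
Added example; not Cisco code. All packet contents below are constructed."""

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def _tlv(code: int, value: bytes) -> bytes:
    if len(value) > 255:
        raise ValueError("option %d too long" % code)
    return bytes([code, len(value)]) + value


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 with its two standard sub-options (circuit-id, remote-id)."""
    return _tlv(OPT_RELAY_AGENT, _tlv(SUB_CIRCUIT_ID, circuit_id) + _tlv(SUB_REMOTE_ID, remote_id))


def parse_tlvs(blob: bytes, end_marker: int = None) -> dict:
    """Parse a code/len/value sequence into {code: value}. Truncated data raises
    instead of being silently read past the buffer end."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == end_marker:
            break
        if code == OPT_PAD and end_marker is not None:   # pad exists only at the top level
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated header for option %d" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, only %d present" % (code, length, len(value)))
        out[code] = value
        i += 2 + length
    return out


def parse_dhcp_options(options: bytes) -> dict:
    """Top-level DHCP options (the bytes after the 99.130.83.99 magic cookie)."""
    return parse_tlvs(options, end_marker=OPT_END)


def parse_option82(value: bytes) -> dict:
    """Sub-options of option 82: {1: circuit-id, 2: remote-id, ...}."""
    return parse_tlvs(value)


def snooping_decision(port_trusted: bool, allowed_untrusted: bool,
                      giaddr: int, options: bytes) -> str:
    """Decide what a snooping switch does with a DHCP packet from the client side.

    Page 313 default: option 82 arriving on an untrusted port is discarded unless
    allowed-untrusted is configured. The giaddr rule (only a relay sets giaddr, so a
    client-facing port should never see it non-zero) is this example's assumption."""
    if port_trusted:
        return "forward"
    if giaddr != 0:
        return "drop: non-zero giaddr on untrusted port"
    opts = parse_dhcp_options(options)
    if OPT_RELAY_AGENT in opts and not allowed_untrusted:
        return "drop: option 82 on untrusted port"
    return "forward"
```

A practical consequence of the parser's strictness: a client that sends a hand-built option 82 with a length byte larger than the payload is rejected as malformed rather than being accepted with whatever bytes followed, which is the safer default on an untrusted port.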
  • Page 314: Ip Dhcp Snooping Database

    DHCP Snooping Commands Example The following example configures a device to verify that the source MAC address in a DHCP packet received on an untrusted port matches the client hardware address. switchxxxxxx(config)# ip dhcp snooping verify 13.6 ip dhcp snooping database Use the ip dhcp snooping database Global Configuration mode command to enable the DHCP Snooping binding database file.
  • Page 315: Ip Dhcp Snooping Database Update-Freq

    DHCP Snooping Commands Example The following example enables the DHCP Snooping binding database file. switchxxxxxx(config)# ip dhcp snooping database 13.7 ip dhcp snooping database update-freq Use the ip dhcp snooping database update-freq Global Configuration mode command to set the update frequency of the DHCP Snooping binding database file.
  • Page 316: Ip Dhcp Snooping Binding

    DHCP Snooping Commands 13.8 ip dhcp snooping binding Use the ip dhcp snooping binding Privileged EXEC mode command to configure the DHCP Snooping binding database and add dynamic binding entries to the database. Use the no form of this command to delete entries from the binding database.
  • Page 317: Clear Ip Dhcp Snooping Database

    DHCP Snooping Commands The entry would not be added to the configuration files. The entry would be displayed in the show commands as a “DHCP Snooping” entry. An entry added by this command can override the existed dynamic entry. An entry added by this command cannot override the existed static entry added by the ip source-guard binding command.
  • Page 318: Show Ip Dhcp Snooping

    DHCP Snooping Commands switchxxxxxx# clear ip dhcp snooping database 13.10 show ip dhcp snooping Use the show ip dhcp snooping EXEC mode command to display the DHCP snooping configuration for all interfaces or for a specific interface. Syntax show ip dhcp snooping [interface-id] Parameters •...
  • Page 319: Show Ip Dhcp Snooping Binding

    DHCP Snooping Commands 13.11 show ip dhcp snooping binding Use the show ip dhcp snooping binding User EXEC mode command to display the DHCP Snooping binding database and configuration information for all interfaces or for a specific interface. Syntax show ip dhcp snooping binding [mac-address mac-address] [ip-address ip-address...
  • Page 320: Ip Source-Guard

    DHCP Snooping Commands 13.12 ip source-guard Use the ip source-guard command in Global Configuration mode to enable IP Source Guard globally on the device, or in Interface Configuration (Ethernet, Port-channel) mode to enable IP Source Guard on an interface.
  • Page 321: Ip Source-Guard Binding

    DHCP Snooping Commands 13.13 ip source-guard binding Use the ip source-guard binding Global Configuration mode command to configure the static IP source bindings on the device. Use the no form of this command to delete the static bindings. Syntax ip source-guard binding mac-address vlan-id ip-address interface-id no ip source-guard binding mac-address vlan-id...
  • Page 322: Ip Source-Guard Tcam Retries-Freq

    DHCP Snooping Commands 13.14 ip source-guard tcam retries-freq Use the ip source-guard tcam retries-freq Global Configuration mode command to set the frequency of retries for TCAM resources for inactive IP Source Guard addresses. Use the no form of this command to restore the default configuration. Syntax ip source-guard tcam retries-freq {seconds | ...
  • Page 323: Ip Source-Guard Tcam Locate

    DHCP Snooping Commands switchxxxxxx(config)# ip source-guard tcam retries-freq 13.15 ip source-guard tcam locate Use the ip source-guard tcam locate Privileged EXEC mode command to manually retry to locate TCAM resources for inactive IP Source Guard addresses. Syntax ip source-guard tcam locate Parameters Command Mode Privileged EXEC mode...
  • Page 324: Show Ip Source-Guard Configuration

    DHCP Snooping Commands 13.16 show ip source-guard configuration Use the show ip source-guard configuration EXEC mode command to display the IP source guard configuration for all interfaces or for a specific interface. Syntax show ip source-guard configuration [interface-id] Parameters •...
  • Page 325: Show Ip Source-Guard Inactive

    DHCP Snooping Commands Parameters • mac-address mac-address —Specifies a MAC address. • ip-address ip-address —Specifies an IP address. • vlan vlan-id —Specifies a VLAN ID. • interface-id —Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel. Command Mode User EXEC mode Example...
  • Page 326: Show Ip Source-Guard Statistics

    DHCP Snooping Commands User Guidelines Since the IP Source Guard uses the Ternary Content Addressable Memory (TCAM) resources, there may be situations when IP Source Guard addresses are inactive because of a lack of TCAM resources. By default, once every minute the software conducts a search for available space in the TCAM for the inactive IP Source Guard addresses.
  • Page 327: Ip Arp Inspection

    DHCP Snooping Commands Command Mode User EXEC mode Example switchxxxxxx# show ip source-guard statistics VLAN Statically Permitted Stations DHCP Snooping Permitted Stations ---- ------------------------------- -------------------------------- 13.20 ip arp inspection Use the ip arp inspection Global Configuration mode command to globally enable Address Resolution Protocol (ARP) inspection.
  • Page 328: Ip Arp Inspection Vlan

    DHCP Snooping Commands Example The following example enables ARP inspection on the device. switchxxxxxx(config)# ip arp inspection 13.21 ip arp inspection vlan Use the ip arp inspection vlan Global Configuration mode command to enable ARP inspection on a VLAN, based on the DHCP Snooping database. Use the no form of this command to disable ARP inspection on a VLAN.
  • Page 329: Ip Arp Inspection Trust

    DHCP Snooping Commands 13.22 ip arp inspection trust Use the ip arp inspection trust Interface Configuration (Ethernet, Port-channel) mode command to configure an interface trust state that determines if incoming Address Resolution Protocol (ARP) packets are inspected. Use the no form of this command to restore the default configuration.
  • Page 330: Ip Arp Inspection Validate

    DHCP Snooping Commands 13.23 ip arp inspection validate Use the ip arp inspection validate Global Configuration mode command to perform specific checks for dynamic Address Resolution Protocol (ARP) inspection. Use the no form of this command to restore the default configuration. Syntax ip arp inspection validate no ip arp inspection validate...
  • Page 331: Ip Arp Inspection List Create

    DHCP Snooping Commands 13.24 ip arp inspection list create Use the ip arp inspection list create Global Configuration mode command to create a static ARP binding list and enter the ARP list configuration mode. Use the no form of this command to delete the list. Syntax ip arp inspection list create name...
  • Page 332: Ip Arp Inspection List Assign

    DHCP Snooping Commands Syntax ip ip-address mac-address no ip ip-address mac-address Parameters • ip-address —Specifies the IP address to be entered to the list. • mac-address —Specifies the MAC address associated with the IP address. Default Configuration No static ARP binding is defined. Command Mode ARP-list Configuration mode Example...
  • Page 333: Ip Arp Inspection Logging Interval

    DHCP Snooping Commands • name —Specifies the static ARP binding list name. Default Configuration No static ARP binding list assignment exists. Command Mode Global Configuration mode Example The following example assigns the static ARP binding list servers to VLAN 37. switchxxxxxx(config)# ip arp inspection list assign 37 servers...
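    Sections 13.5 through 13.26 describe one data structure, the DHCP Snooping binding database, and three consumers of it: the chaddr check of ip dhcp snooping verify (13.5), IP Source Guard (13.12, 13.13) and Dynamic ARP Inspection with its static ARP lists (13.20 to 13.26). The following Python is an added behavioural model, not Cisco code, that ties those pages together so the precedence rules of page 317 (a manual snooping entry overrides a dynamic entry but not a static ip source-guard binding) and the effect of ip arp inspection validate can be exercised offline. All MACs, IPs, VLANs and interface names are constructed; the exact set of checks performed by ip arp inspection validate (source MAC, destination MAC on replies, invalid IP addresses) is this example's assumption, as is treating static bindings as immune to dynamic learning.

```python
"""Model of the DHCP snooping binding database and its consumers on this switch
family: "ip dhcp snooping verify", IP Source Guard and Dynamic ARP Inspection
with static ARP lists assigned per VLAN. Added example; not Cisco code."""
from dataclasses import dataclass
import ipaddress


def norm_mac(mac: str) -> str:
    """Accept 0024.0126.07AA or 00:24:01:26:07:aa; return 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("bad MAC %r" % mac)
    return digits


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    iface: str
    source: str   # "dynamic" (DHCP), "snooping" (ip dhcp snooping binding), "static" (ip source-guard binding)


class SnoopingDB:
    def __init__(self):
        self._entries = {}   # (mac, vlan) -> Binding

    def add(self, mac, vlan, ip, iface, source="dynamic") -> bool:
        key = (norm_mac(mac), vlan)
        current = self._entries.get(key)
        # Page 317: a manual snooping entry overrides a dynamic entry but never a
        # static ip source-guard binding. Static-beats-dynamic is this example's choice.
        if current and current.source == "static" and source != "static":
            return False
        self._entries[key] = Binding(key[0], vlan, ip, iface, source)
        return True

    def lookup(self, mac, vlan):
        return self._entries.get((norm_mac(mac), vlan))


def snooping_verify(eth_src: str, chaddr: str, port_trusted: bool) -> str:
    """'ip dhcp snooping verify': on untrusted ports the Ethernet source MAC must
    equal the DHCP client hardware address (chaddr)."""
    if port_trusted or norm_mac(eth_src) == norm_mac(chaddr):
        return "forward"
    return "drop: chaddr does not match source MAC"


def ipsg_filter(db, src_mac, src_ip, vlan, iface, port_trusted) -> str:
    """IP Source Guard: IP traffic on an untrusted port passes only when the
    (MAC, VLAN, IP, interface) tuple is in the binding database."""
    if port_trusted:
        return "forward"
    b = db.lookup(src_mac, vlan)
    if b and b.ip == src_ip and b.iface == iface:
        return "forward"
    return "drop: no binding for %s/%s on %s" % (src_mac, src_ip, iface)


def _bad_ip(ip: str) -> bool:
    a = ipaddress.IPv4Address(ip)
    return a.is_unspecified or a.is_multicast or str(a) == "255.255.255.255"


def arp_inspect(db, arp_lists, vlan_lists, pkt, port_trusted, validate) -> str:
    """Dynamic ARP Inspection on an untrusted port.
    pkt keys: eth_src, eth_dst, op ("request"/"reply"), sender_mac, sender_ip,
    target_mac, target_ip, vlan. arp_lists maps list name -> {ip: normalized mac}
    (ip arp inspection list create / ip), vlan_lists maps vlan -> list name
    (ip arp inspection list assign). 'validate' models ip arp inspection validate."""
    if port_trusted:
        return "forward"
    if validate:
        if norm_mac(pkt["eth_src"]) != norm_mac(pkt["sender_mac"]):
            return "drop: validate src-mac"
        if pkt["op"] == "reply" and norm_mac(pkt["eth_dst"]) != norm_mac(pkt["target_mac"]):
            return "drop: validate dst-mac"
        if _bad_ip(pkt["sender_ip"]) or (pkt["op"] == "reply" and _bad_ip(pkt["target_ip"])):
            return "drop: validate ip"
    b = db.lookup(pkt["sender_mac"], pkt["vlan"])
    if b and b.ip == pkt["sender_ip"]:
        return "forward"
    entries = arp_lists.get(vlan_lists.get(pkt["vlan"]), {})
    if entries.get(pkt["sender_ip"]) == norm_mac(pkt["sender_mac"]):
        return "forward"
    return "drop: sender %s/%s not in bindings or static list" % (pkt["sender_mac"], pkt["sender_ip"])
```

The model makes the reason for 13.23 visible: without validate, an attacker who keeps its own MAC in the ARP sender field but forges the Ethernet source address is still matched against its own legitimate binding and forwarded; with validate the mismatch between the two MAC fields is caught before the binding lookup.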
  • Page 334: Show Ip Arp Inspection

    DHCP Snooping Commands Example The following example sets the minimum ARP SYSLOG message logging time interval to 60 seconds. switchxxxxxx(config)# ip arp inspection logging interval 60 13.28 show ip arp inspection Use the show ip arp inspection EXEC mode command to display the ARP inspection configuration for all interfaces or for a specific interface.
  • Page 335: Show Ip Arp Inspection List

    DHCP Snooping Commands 13.29 show ip arp inspection list Use the show ip arp inspection list Privileged EXEC mode command to display the static ARP binding list. Syntax show ip arp inspection list Parameters Command Mode Privileged EXEC mode Example The following example displays the static ARP binding list.
  • Page 336: Clear Ip Arp Inspection Statistics

    DHCP Snooping Commands Parameters • vlan-id —Specifies VLAN ID. Command Mode User EXEC mode User Guidelines To clear ARP Inspection counters use the clear ip arp inspection statistics command. Counters values are kept when disabling the ARP Inspection feature. Example switchxxxxxx# show ip arp inspection statistics Vlan...
  • Page 337: Dhcpv6 Commands

    DHCPv6 Commands 14.0 14.1 clear ipv6 dhcp client Use the clear ipv6 dhcp client command in Privileged EXEC mode to restart DHCP for an IPv6 client on an interface. Syntax clear ipv6 dhcp client interface-id Parameters • interface-id —Interface identifier. Default Configuration Command Mode Privileged EXEC mode...
  • Page 338: Ipv6 Dhcp Client Information Refresh

    DHCPv6 Commands 14.2 ipv6 dhcp client information refresh To configure the information refresh time for the IPv6 client on a specified interface, used when the DHCPv6 server reply does not include the Information Refresh Time option, use the ipv6 dhcp client information refresh command in Interface Configuration mode.
  • Page 339: Ipv6 Dhcp Client Information Refresh Minimum

    DHCPv6 Commands switchxxxxxx(config-if)# ipv6 dhcp client stateless switchxxxxxx(config-if)# ipv6 dhcp client information refresh 172800 switchxxxxxx(config-if)# exit 14.3 ipv6 dhcp client information refresh minimum To configure the minimum acceptable refresh time on the specified interface, use the ipv6 dhcp client information refresh minimum command in Interface Configuration mode.
  • Page 340: Ipv6 Dhcp Client Stateless

    DHCPv6 Commands • For planned changes, including renumbering. An administrator can gradually decrease the time as the planned event nears. • Limit the amount of time before new services or servers are available to the client, such as the addition of a new Simple Network Time Protocol (SNTP) server or a change of address of a Domain Name System (DNS) server.
  • Page 341 DHCPv6 Commands User Guidelines Enabling this command starts the DHCPv6 client process if this process is not yet running and the IPv6 interface is enabled on the interface. This command enables the DHCPv6 Stateless service on the interface. The service allows the client to receive configuration from a DHCP server, passed in the following options: •...
  • Page 342: Ipv6 Dhcp Duid-En

    DHCPv6 Commands 14.5 ipv6 dhcp duid-en Use the ipv6 dhcp duid-en command in Global Configuration mode to set the DHCPv6 Unique Identifier (DUID) to the vendor-based, enterprise-number format (DUID-EN). To return to the default value, use the no form of this command. Syntax ipv6 dhcp duid-en enterprise-number identifier...
  • Page 343: Ipv6 Dhcp Relay Destination (Global)

    DHCPv6 Commands Example 2. The following example sets the DUID-EN format using colons as the delimiter: switchxxxxxx(config)# ipv6 dhcp duid-en 9 0C:C0:84:D3:03:00:09:12 14.6 ipv6 dhcp relay destination (Global) To specify a globally-defined relay destination address to which client messages are forwarded, use the ipv6 dhcp relay destination command in global configuration mode.
  • Page 344 DHCPv6 Commands User Guidelines The ipv6 dhcp relay destination command specifies a destination address to which client messages are forwarded. The address is used by all DHCPv6 relays running on the switch. When a relay service is running on an interface, a DHCP for IPv6 message received on that interface will be forwarded to all configured relay destinations configured per interface and globally.
  • Page 345: Ipv6 Dhcp Relay Destination (Interface)

    DHCPv6 Commands 14.7 ipv6 dhcp relay destination (Interface) To specify a destination address to which client messages are forwarded and to enable DHCP for IPv6 relay service on the interface, use the ipv6 dhcp relay destination command in Interface configuration mode. To remove a relay destination on the interface or to delete an output interface for a destination, use the no form of this command.
  • Page 346 DHCPv6 Commands DHCPv6 Relay inserts the Interface-id option if an IPv6 global address is not defined on the interface on which the relay is running. The Interface-id field of the option is the interface name (a value of the ifName field of the ifTable) on which the relay is running.
  • Page 347 DHCPv6 Commands switchxxxxxx(config)# interface vlan 100 switchxxxxxx(config-if)# ipv6 dhcp relay destination FE80::1:2 vlan 200 switchxxxxxx(config-if)# exit Example 2. The following example sets the well-known link-local multicast address as the relay destination, with VLAN 200 as the output interface, and enables the DHCPv6 Relay on VLAN 100 if it was not enabled: switchxxxxxx(config)# interface vlan 100...
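    Pages 344 to 347 state two things about the DHCPv6 relay that are worth seeing on the wire: a client message received on a relay-enabled interface goes to the union of the per-interface and global destinations, and the relay inserts an Interface-id option (carrying the interface name) when the ingress interface has no global IPv6 address. The following Python is an added example, not Cisco code: it computes the destination set and builds and parses the RFC 8415 Relay-Forward message (type 12) that carries the client message in a Relay Message option (9) with the conditional Interface-Id option (18). The client message bytes, the interface name "vlan 100" and all addresses are constructed; the hop-count limit is taken from RFC 8415, not from the page.

```python
"""DHCPv6 relay behaviour from the 'ipv6 dhcp relay destination' pages:
destination union and Relay-Forward encapsulation (RFC 8415 section 19.1).
Added example; not Cisco code. Addresses and interface names are constructed."""
import ipaddress
import struct

RELAY_FORW = 12
OPT_RELAY_MSG, OPT_INTERFACE_ID = 9, 18
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"
HOP_COUNT_LIMIT = 32                       # RFC 8415 section 7.6
HEADER_LEN = 1 + 1 + 16 + 16               # msg-type, hop-count, link-address, peer-address


def relay_destinations(iface_dests, global_dests) -> list:
    """Per-interface destinations first, then global ones, duplicates removed.
    Parsing each address also rejects typos such as 'FE80:::1' at configuration time."""
    seen, out = set(), []
    for d in list(iface_dests) + list(global_dests):
        addr = ipaddress.IPv6Address(d)
        if addr not in seen:
            seen.add(addr)
            out.append(str(addr))
    return out


def _opt(code: int, value: bytes) -> bytes:
    return struct.pack("!HH", code, len(value)) + value


def build_relay_forward(client_msg: bytes, link_address, peer_address: str,
                        iface_name: str, hop_count: int = 0) -> bytes:
    """link_address is the relay's global address on the client link, or None when
    the interface has none. Then link-address is '::' and Interface-Id (the page's
    ifName) tells the relay where to return the Relay-Reply."""
    if hop_count >= HOP_COUNT_LIMIT:
        raise ValueError("hop count limit reached; message must be discarded")
    link = ipaddress.IPv6Address(link_address if link_address else "::")
    peer = ipaddress.IPv6Address(peer_address)
    body = _opt(OPT_RELAY_MSG, client_msg)
    if link_address is None:
        body += _opt(OPT_INTERFACE_ID, iface_name.encode())
    return bytes([RELAY_FORW, hop_count]) + link.packed + peer.packed + body


def parse_relay_forward(raw: bytes) -> dict:
    """Inverse of build_relay_forward; refuses truncated options."""
    if len(raw) < HEADER_LEN or raw[0] != RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    link = ipaddress.IPv6Address(raw[2:18])
    peer = ipaddress.IPv6Address(raw[18:34])
    opts, i = {}, HEADER_LEN
    while i < len(raw):
        if i + 4 > len(raw):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", raw[i:i + 4])
        value = raw[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 4 + length
    return {"hop_count": raw[1], "link_address": str(link),
            "peer_address": str(peer), "options": opts}
```

The link-address / Interface-Id pairing matters for the server side: with link-address "::" the server can only select a prefix from the Interface-Id, so that option must be present exactly in the case the page describes.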
  • Page 348: Show Ipv6 Dhcp

    DHCPv6 Commands 14.8 show ipv6 dhcp Use the show ipv6 dhcp command in User EXEC or Privileged EXEC mode to display the DHCP unique identifier (DUID) of the specified device. This information is relevant for DHCPv6 clients and DHCPv6 relays. Syntax show ipv6 dhcp Parameters...
  • Page 349: Show Ipv6 Dhcp Interface

    DHCPv6 Commands
    switchxxxxxx# show ipv6 dhcp
    The switch’s DHCPv6 unique identifier (DUID) is 000300010024012607AA
    Format: 3
    Hardware type: 1
    MAC Address: 0024.0126.07AA
    Example 3. The following is sample output from this command when the switch’s DUID format is vendor-based on link-layer address and DHCPv6 Relay is supported:
    switchxxxxxx# show ipv6 dhcp...
  • Page 350: User Guidelines

    DHCPv6 Commands Command Mode User EXEC mode Privileged EXEC mode User Guidelines If no interfaces are specified in the command, all interfaces on which DHCP for IPv6 (client or server) is enabled are displayed. If an interface is specified in the command, only information about the specified interface is displayed.
  • Page 351 DHCPv6 Commands
    VLAN 110 is in client mode
    DHCP Operational mode is disabled (IPv6 is not enabled)
    Stateless Service is enabled
    Reconfigure service is enabled
    Information Refresh Minimum Time: 600 seconds
    Information Refresh Time: 86400 seconds
    Remain Information Refresh Time: 0 seconds
    VLAN 1000 is in client mode
    DHCP Operational mode is disabled (Interface status is DOWN)
    Stateless Service is enabled...
  • Page 352 DHCPv6 Commands
    DNS Servers: 1001::1, 2001::10
    DNS Domain Search List: company.com beta.org
    SNTP Servers: 2004::1
    POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
    Configuration Server: config.company.com
    Configuration Path Name: qqq/config/aaa_config.dat
    Indirect Image Path Name: qqq/config/aaa_image_name.txt
    OL-32830-01 Command Line Interface Reference Guide...
  • Page 353: Dns Client Commands

    DNS Client Commands 15.0 15.1 clear host Use the clear host command in Privileged EXEC mode to delete dynamic hostname-to-address mapping entries from the DNS client name-to-address cache.
    Syntax
    clear host {hostname | *}
    Parameters
    • hostname—Name of the host for which hostname-to-address mappings are to be deleted from the DNS client name-to-address cache.
  • Page 354: Ip Domain Lookup

    DNS Client Commands Example The following example deletes all dynamic entries from the DNS client name-to-address cache.
    switchxxxxxx# clear host *
    15.2 ip domain lookup Use the ip domain lookup command in Global Configuration mode to enable IP Domain Name System (DNS)-based hostname-to-address translation. To disable DNS, use the no form of this command.
  • Page 355: Ip Domain Name

    DNS Client Commands 15.3 ip domain name Use the ip domain name command in Global Configuration mode to define a default domain name that the switch uses to complete unqualified hostnames (names without a dotted-decimal domain name). To delete the statically defined default domain name, use the no form of this command.
  • Page 356: Ip Domain Polling-Interval

    DNS Client Commands
    switchxxxxxx(config)# ip domain name website.com
    15.4 ip domain polling-interval Use the ip domain polling-interval command in Global Configuration mode to specify the polling interval. Use the no form of this command to return to the default behavior.
    Syntax
    ip domain polling-interval seconds...
  • Page 357: Ip Domain Retry

    DNS Client Commands 15.5 ip domain retry Use the ip domain retry command in Global Configuration mode to specify the number of times the device sends Domain Name System (DNS) queries when there is no reply. To return to the default behavior, use the no form of this command.
    Syntax
    ip domain retry number...
  • Page 358: Ip Host

    DNS Client Commands To return to the default behavior, use the no form of this command.
    Syntax
    ip domain timeout seconds
    no ip domain timeout
    Parameters
    seconds—Time, in seconds, to wait for a response to a DNS query. The range is from 1 to 60.
  • Page 359 DNS Client Commands
    ip host name address1...address8
    no ip host name
    Parameters
    • hostname—Name of the host. (Length: 1–158 characters. Maximum label length of each domain level is 63 characters.)
    • address1—Associated host IP address (IPv4 or IPv6, if the IPv6 stack is supported).
  • Page 360: Ip Name-Server

    DNS Client Commands 15.8 ip name-server Use the ip name-server command in Global Configuration mode to specify the address of one or more name servers to use for name and address resolution. Use the no form of this command to remove the statically specified addresses.
    Syntax
    ip name-server server1-address server-address2...server-address8...
  • Page 361: Show Hosts

    DNS Client Commands 15.9 show hosts Use the show hosts command in Privileged EXEC mode to display the default domain name, the style of name lookup service, a list of name server hosts, and the cached list of hostnames and addresses.
    Syntax
    show hosts [all | hostname]...
  • Page 362 DNS Client Commands
    Source  Interface  Preference  Domain
    static                         website.com
    dhcpv6  vlan 100               qqtca.com
    dhcpv6  vlan 100               company.com
    dhcpv6  vlan 1100              pptca.com
    Name Server Table
    Source  Interface  Preference  IP Address
    static                         192.0.2.204
    static                         192.0.2.205
    static                         192.0.2.105
    2002:0:22AC::11:231A:0BB4 DHCPv6 vlan 100 1
    DHCPv4  vlan 1                 192.1.122.20...
  • Page 363: Denial Of Service (Dos) Commands

    Denial of Service (DoS) Commands 16.0 16.1 security-suite deny fragmented To discard IP fragmented packets from a specific interface, use the security-suite deny fragmented Interface (Ethernet, Port Channel) Configuration mode command. To permit IP fragmented packets, use the no form of this command.
    Syntax
    security-suite deny fragmented {[add {ip-address | any} {mask | /prefix-length}] | ...
  • Page 364: Security-Suite Deny Icmp

    Denial of Service (DoS) Commands User Guidelines For this command to work, the security suite must be enabled both globally and for interfaces (see security-suite enable). Example The following example attempts to discard IP fragmented packets from an interface.
    switchxxxxxx(config)# security-suite enable global-rules-only
    switchxxxxxx(config)# interface gi11
    switchxxxxxx(config-if)#...
  • Page 365: Security-Suite Deny Martian-Addresses

    Denial of Service (DoS) Commands If mask is not specified, it defaults to 255.255.255.255. If prefix-length is not specified, it defaults to 32. Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines For this command to work, the security suite must be enabled both globally and for interfaces (see security-suite enable).
  • Page 366 Denial of Service (DoS) Commands /prefix-length}} | remove {ip-address {mask | /prefix-length}}, and removes all entries added by the user. The user can remove a specific entry by using the remove ip-address {mask | /prefix-length} parameter. There is no no form of the security-suite deny martian-addresses reserved {add | remove} command.
  • Page 367: Security-Suite Deny Syn

    Denial of Service (DoS) Commands security-suite deny martian-addresses reserved adds or removes the addresses in the following table:
    Address Block—Present Use
    0.0.0.0/8 (except when 0.0.0.0/32 is the source address)—Addresses in this block refer to source hosts on "this" network.
    127.0.0.0/8—This block is assigned for use as the Internet...
  • Page 368 Denial of Service (DoS) Commands
    Syntax
    security-suite deny syn {[add {tcp-port | any} {ip-address | any} {mask | /prefix-length}] | [remove {tcp-port | any} {ip-address | any} {mask | /prefix-length}]}
    no security-suite deny syn
    Parameters
    • ip-address | any—Specifies the destination IP address. Use any to specify all IP addresses.
  • Page 369: Security-Suite Deny Syn-Fin

    Denial of Service (DoS) Commands
    switchxxxxxx(config)# security-suite enable global-rules-only
    switchxxxxxx(config)# interface gi11
    switchxxxxxx(config-if)# security-suite deny syn add any /32 any
    To perform this command, DoS Prevention must be enabled in the per-interface mode.
    16.5 security-suite deny syn-fin To drop all ingressing TCP packets in which both SYN and FIN are set, use the security-suite deny syn-fin Global Configuration mode command.
  • Page 370: Security-Suite Dos Protect

    Denial of Service (DoS) Commands 16.6 security-suite dos protect To protect the system from specific well-known Denial of Service (DoS) attacks, use the security-suite dos protect Global Configuration mode command. There are three types of attacks against which protection can be supplied (see parameters below).
  • Page 371: Security-Suite Dos Syn-Attack

    Denial of Service (DoS) Commands
    switchxxxxxx(config)# security-suite dos protect add invasor-trojan
    16.7 security-suite dos syn-attack To rate limit Denial of Service (DoS) SYN attacks, use the security-suite dos syn-attack Interface Configuration mode command. This provides partial blocking of SYN packets (up to the rate that the user specifies). To disable rate limiting, use the no form of this command.
  • Page 372: Security-Suite Enable

    Denial of Service (DoS) Commands This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0" for the specified destination IP addresses. SYN attack rate limiting is implemented after the security suite rules are applied to the packets. The ACL and QoS rules are not applied to those packets. Since the hardware rate limiting counts bytes, it is assumed that the size of “SYN”...
  • Page 373 Denial of Service (DoS) Commands
    • show security-suite configuration
    Syntax
    security-suite enable [global-rules-only]
    no security-suite enable
    Parameters
    global-rules-only—(Optional) Specifies that all the security suite commands are global commands only (they cannot be applied per-interface).
  • Page 374: Security-Suite Syn Protection Mode

    Denial of Service (DoS) Commands
    switchxxxxxx(config)# security-suite enable global-rules-only
    switchxxxxxx(config)# interface gi11
    switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
    To perform this command, DoS Prevention must be enabled in the per-interface mode.
    Example 2—The following example enables the security suite feature globally and on interfaces.
  • Page 375: Security-Suite Syn Protection Recovery

    Denial of Service (DoS) Commands User Guidelines On ports on which an ACL is defined (user-defined ACL etc.), this feature cannot block TCP SYN packets. If the protection mode is block but SYN traffic cannot be blocked, a relevant SYSLOG message is created, e.g.: “port gi11 is under TCP SYN attack.”
  • Page 376: Security-Suite Syn Protection Threshold

    Denial of Service (DoS) Commands Parameters timeout—Defines the timeout (in seconds) by which an interface from which SYN packets are blocked gets unblocked. Note that if a SYN attack is still active on this interface it might become blocked again. (Range: 10-600) Default Configuration The default timeout is 60 seconds.
  • Page 377: Show Security-Suite Configuration

    Denial of Service (DoS) Commands Example The following example sets the TCP SYN protection threshold to 40 pps.
    switchxxxxxx(config)# security-suite syn protection threshold 40
    16.12 show security-suite configuration To display the security-suite configuration, use the show security-suite configuration command. Syntax show security-suite configuration Command Mode...
  • Page 378: Show Security-Suite Syn Protection

    Denial of Service (DoS) Commands
    Interface        IP Address
    ---------------  --------------
    176.16.23.0\24
    Fragmented packets filtering
    Interface        IP Address
    ---------------  --------------
    176.16.23.0\24
    16.13 show security-suite syn protection To display the SYN Protection feature configuration and the operational status per interface-id, including the time of the last attack per interface, use the show security-suite syn protection...
  • Page 379 Denial of Service (DoS) Commands
    gi11 Attacked 19:58:22.289 PDT Feb 19 2012 Blocked and Reported
    gi12 Attacked 19:58:22.289 PDT Feb 19 2012 Reported
    gi13 Attacked 19:58:22.289 PDT Feb 19 2012 Blocked and Reported
  • Page 380: Eee Commands

    EEE Commands 17.1 eee enable (global) To enable the EEE mode globally, use the eee enable Global Configuration command. To disable the mode, use the no form of the command. Syntax eee enable no eee enable Parameters This command has no arguments or keywords. Default Configuration EEE is enabled.
  • Page 381: Eee Enable (Interface)

    EEE Commands 17.2 eee enable (interface) To enable the EEE mode on an Ethernet port, use the eee enable Interface Configuration command. To disable the mode, use the no form of the command. Syntax eee enable no eee enable Parameters This command has no arguments or keywords.
  • Page 382: Show Eee

    EEE Commands Parameters This command has no arguments or keywords. Default Configuration Enabled Command Mode Interface (Ethernet) Configuration mode User Guidelines Enabling EEE LLDP advertisement enables devices to choose and change system wake-up times in order to get the optimal energy saving mode. Example switchxxxxxx(config)# interface gi11...
  • Page 383 EEE Commands Example 1 - The following displays brief information about all ports.
    switchxxxxxx# show eee
    EEE globally enabled
    EEE Administrate status is enabled on ports: gi11-2, gi14
    EEE Operational status is enabled on ports: gi11-2, gi14
    EEE LLDP Administrate status is enabled on ports: gi11-3
    EEE LLDP Operational status is enabled on ports: gi11-2
    Example 2 - The following is the information displayed when a port is in the Not Present state;...
  • Page 384 EEE Commands
    Port Status: UP
    EEE capabilities:
    Speed 10M: EEE not supported
    Speed 100M: EEE supported
    Speed 1G: EEE supported
    Current port speed: 1000Mbps
    EEE Administrate status: enabled
    EEE LLDP Administrate status: enabled
    Example 5 - The following is the information displayed when the neighbor does not support EEE.
  • Page 385 EEE Commands
    Current port speed: 1000Mbps
    EEE Administrate status: disabled
    EEE Operational status: disabled
    EEE LLDP Administrate status: enabled
    EEE LLDP Operational status: disabled
    Example 7 - The following is the information displayed when EEE is running on the port, and EEE LLDP is disabled.
    switchxxxxxx# show eee gi12
    Port Status: UP...
  • Page 386 EEE Commands
    Speed 100M: EEE supported
    Speed 1G: EEE supported
    Current port speed: 1000Mbps
    EEE Remote status: enabled
    EEE Administrate status: enabled
    EEE Operational status: enabled
    EEE LLDP Administrate status: enabled
    EEE LLDP Operational status: enabled
    Resolved Tx Timer: 10usec
    Local Tx Timer: 10 usec
    Remote Rx Timer: 5 usec
    Resolved Timer: 25 usec...
  • Page 387 EEE Commands
    Local Rx Timer: 16
    Example 10 - The following is the information displayed when EEE and EEE LLDP are running on the port.
    switchxxxxxx# show eee gi13
    Port Status: UP
    EEE capabilities:
    Speed 10M: EEE not supported
    Speed 100M: EEE supported
    Speed 1G: EEE supported
    Current port speed: 1000Mbps
    EEE Remote status: enabled...
  • Page 388: Ethernet Configuration Commands

    Ethernet Configuration Commands 18.1 interface To enter Interface Configuration mode in order to configure an interface, use the interface Global Configuration mode command.
    Syntax
    interface interface-id
    Parameters
    interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port, port-channel, VLAN, range, IP interface or tunnel. Default Configuration None Command Mode...
  • Page 389: Interface Range

    Ethernet Configuration Commands 18.2 interface range To execute a command on multiple ports at the same time, use the interface range command.
    Syntax
    interface range interface-id-list
    Parameters
    interface-id-list—Specifies a list of interface IDs. The interface ID can be one of the following types: Ethernet port, VLAN, or port-channel. Default Configuration None...
  • Page 390 Ethernet Configuration Commands Parameters This command has no arguments or keywords. Default Configuration The interface is enabled. Command Mode Interface Configuration mode User Guidelines The shutdown command sets the value of ifAdminStatus (see RFC 2863) to DOWN. When ifAdminStatus is changed to DOWN, ifOperStatus is also changed to DOWN.
  • Page 391: Operation Time

    Ethernet Configuration Commands
    switchxxxxxx(config-if)#
    Example 3—The following example shuts down VLAN 100.
    switchxxxxxx(config)# interface vlan 100
    switchxxxxxx(config-if)# shutdown
    switchxxxxxx(config-if)#
    Example 4—The following example shuts down tunnel 1.
    switchxxxxxx(config)# interface tunnel 1
    switchxxxxxx(config-if)# shutdown
    switchxxxxxx(config-if)#
    Example 5—The following example shuts down Port Channel 3.
    switchxxxxxx(config)# interface po3
    switchxxxxxx(config-if)#...
  • Page 392: Description

    Ethernet Configuration Commands Parameters • time-range-name—Specifies the time range during which the port operates (in up state). When the time range is not in effect, the port is shut down. (Range: 1–32 characters) Default Configuration There is no time range configured on the port authorized state. Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines...
  • Page 393: Speed

    Ethernet Configuration Commands no description Parameters string—Specifies a comment or a description of the port to assist the user. (Length: 1–64 characters). Default Configuration The interface does not have a description. Command Mode Interface (Ethernet, Port Channel) Configuration mode Example The following example adds the description ‘SW#3’...
  • Page 394: Duplex

    Ethernet Configuration Commands Default Configuration The port operates at its maximum speed capability. Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines The no speed command in a port-channel context returns each port in the port-channel to its maximum capability. Example The following example configures the speed of gi14 to 100 Mbps operation.
  • Page 395: Negotiation

    Ethernet Configuration Commands Example The following example configures gi11 to operate in full duplex mode.
    switchxxxxxx(config)# interface gi11
    switchxxxxxx(config-if)# duplex full
    18.8 negotiation To enable auto-negotiation operation for the speed and duplex parameters and master-slave mode of a given interface, use the negotiation Interface (Ethernet, Port Channel) Configuration mode command.
  • Page 396: Flowcontrol

    Ethernet Configuration Commands Command Mode Interface (Ethernet, Port Channel) Configuration mode Example The following example enables auto-negotiation on gi11.
    switchxxxxxx(config)# interface gi11
    switchxxxxxx(config-if)# negotiation
    18.9 flowcontrol To configure Flow Control on a given interface, use the flowcontrol Interface (Ethernet, Port Channel) Configuration mode command.
  • Page 397: Mdix

    Ethernet Configuration Commands Example The following example enables Flow Control on port gi11.
    switchxxxxxx(config)# interface gi11
    switchxxxxxx(config-if)# flowcontrol on
    18.10 mdix To enable cable crossover on a given interface, use the mdix Interface (Ethernet) Configuration mode command. To disable cable crossover, use the no form of this command.
  • Page 398: Back-Pressure

    Ethernet Configuration Commands 18.11 back-pressure To enable back pressure on a specific interface, use the back-pressure Interface (Ethernet) Configuration mode command. To disable back pressure, use the no form of this command. Syntax back-pressure no back-pressure Parameters This command has no arguments or keywords Default Configuration Back pressure is disabled.
  • Page 399: Clear Counters

    Ethernet Configuration Commands Syntax port jumbo-frame no port jumbo-frame Parameters This command has no arguments or keywords Default Configuration Jumbo frames are disabled on the device. Command Mode Global Configuration mode User Guidelines This command takes effect only after resetting the device. Example The following example enables jumbo frames on the device.
  • Page 400: Set Interface Active

    Ethernet Configuration Commands Command Mode Privileged EXEC mode Example The following example clears the statistics counters for gi11.
    switchxxxxxx# clear counters gi11
    18.14 set interface active To reactivate an interface that was shut down, use the set interface active Privileged EXEC mode command.
  • Page 401: Errdisable Recovery Cause

    Ethernet Configuration Commands 18.15 errdisable recovery cause To enable automatic re-activation of an interface after an Err-Disable shutdown, use the errdisable recovery cause Global Configuration mode command. To disable automatic re-activation, use the no form of this command. Syntax errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | stp-bpdu-guard | loopback-detection | udld } no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny | stp-bpdu-guard | loopback-detection | udld }...
  • Page 402: Errdisable Recovery Interval

    Ethernet Configuration Commands Example The following example enables automatic re-activation of an interface after all states.
    switchxxxxxx(config)# errdisable recovery cause all
    18.16 errdisable recovery interval To set the error recovery timeout interval, use the errdisable recovery interval Global Configuration mode command. To return to the default configuration, use the no form of this command.
  • Page 403: Errdisable Recovery Reset

    Ethernet Configuration Commands 18.17 errdisable recovery reset To reactivate one or more interfaces that were shut down by a given application, use the errdisable recovery reset Privileged EXEC mode command. A single interface, multiple interfaces or all interfaces can be specified. Syntax errdisable recovery reset {all | port-security | dot1x-src-address | acl-deny | stp-bpdu-guard | loopback-detection | udld...
  • Page 404: Show Interfaces Configuration

    Ethernet Configuration Commands
    switchxxxxxx# errdisable recovery reset interface gi11
    Example 2—The following example reactivates all interfaces regardless of their state:
    switchxxxxxx# errdisable recovery reset all
    Example 3—The following example enables all interfaces in the port security Err-Disable state:
    switchxxxxxx# errdisable recovery reset port-security
    18.18 show interfaces configuration...
  • Page 405: Show Interfaces Status

    Ethernet Configuration Commands Example The following example displays the configuration of all configured interfaces:
    switchxxxxxx# show interfaces configuration
                                     Flow     Admin  Back     Mdix
    Port   Type      Duplex Speed    control  State  Pressure Mode
    ------ --------- ------ -----    -------- -----  -------- ----
    gi11   1G-Copper Full   10000    Disabled Off    Disabled...
  • Page 406: Show Interfaces Advertise

    Ethernet Configuration Commands Example The following example displays the status of all configured interfaces.
    switchxxxxxx# show interfaces status
                                        Flow   Link  Back     Mdix
    Port   Type      Duplex Speed Neg   ctrl   State Pressure Mode
    ------ --------- ------ ----- ----  ------ ----- -------- ----
    gi11   1G-Copper Full   1000...
  • Page 407 Ethernet Configuration Commands Command Mode Privileged EXEC mode Examples The following examples display auto-negotiation information.
    switchxxxxxx# show interfaces advertise
    Port    Type      Prefered  Operational Link Advertisement
    ------- --------- --------- ------------------------------
    Master 1G-Copper Enable 1000f, 100f, 10f, 10h
    Slave 1G-Copper Enable 1000f
    switchxxxxxx# show interfaces advertise...
  • Page 408: Show Interfaces Description

    Ethernet Configuration Commands 18.21 show interfaces description To display the description for all configured interfaces or for a specific interface, use the show interfaces description Privileged EXEC mode command.
    Syntax
    show interfaces description [interface-id | detailed]
    Parameters
    • interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
  • Page 409: Show Interfaces Counters

    Ethernet Configuration Commands 18.22 show interfaces counters To display traffic seen by all the physical interfaces or by a specific interface, use the show interfaces counters Privileged EXEC mode command.
    Syntax
    show interfaces counters [interface-id | detailed]
    Parameters
    • interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
  • Page 410 Ethernet Configuration Commands
    Multiple Collision Frames: 0
    SQE Test Errors: 0
    Deferred Transmissions: 0
    Late Collisions: 0
    Excessive Collisions: 0
    Carrier Sense Errors: 0
    Oversize Packets: 0
    Internal MAC Rx Errors: 0
    Symbol Errors: 0
    Received Pause Frames: 0
  • Page 411 Ethernet Configuration Commands
    Transmitted Pause Frames: 0
    The following table describes the fields shown in the display.
    Field—Description
    InOctets—Number of received octets.
    InUcastPkts—Number of received Unicast packets.
    InMcastPkts—Number of received Multicast packets.
    InBcastPkts—Number of received broadcast packets.
    OutOctets—Number of transmitted octets.
  • Page 412: Show Ports Jumbo-Frame

    Ethernet Configuration Commands
    Field—Description
    Internal MAC Rx Errors—Number of frames for which reception fails due to an internal MAC sublayer receive error.
    Received Pause Frames—Number of MAC Control frames received with an opcode indicating the PAUSE operation.
    Transmitted Pause Frames—Number of MAC Control frames...
  • Page 413: Show Errdisable Recovery

    Ethernet Configuration Commands 18.24 show errdisable recovery To display the Err-Disable configuration of the device, use the show errdisable recovery Privileged EXEC mode command. Syntax show errdisable recovery Parameters This command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Example The following example displays the Err-Disable configuration.
  • Page 414: Show Errdisable Interfaces

    Ethernet Configuration Commands 18.25 show errdisable interfaces To display the Err-Disable state of all interfaces or of a specific interface, use the show errdisable interfaces Privileged EXEC mode command.
    Syntax
    show errdisable interfaces [interface-id]
    Parameters
    • interface-id—(Optional) Port or port-channel number. Default Configuration Display for all interfaces.
  • Page 415: Storm-Control Broadcast Level

    Ethernet Configuration Commands Parameters This command has no arguments or keywords. Default Configuration Disabled Command Mode Interface (Ethernet) Configuration mode User Guidelines Use the storm-control include-multicast Interface Configuration command to count Multicast packets and optionally unknown Unicast packets in the storm control calculation.
  • Page 416: Storm-Control Include-Multicast

    Ethernet Configuration Commands Default Configuration 10% of port speed in Kbps Command Mode Interface (Ethernet) Configuration mode User Guidelines Use the storm-control broadcast enable Interface Configuration command to enable storm control. The calculated rate includes the 20 bytes of Ethernet framing overhead (preamble+SFD+IPG).
  • Page 417: Show Storm-Control

    Ethernet Configuration Commands Parameters unknown-unicast—(Optional) Specifies that unknown Unicast packets are also counted. Default Configuration Disabled Command Mode Interface (Ethernet) Configuration mode Example
    switchxxxxxx(config)# interface gi11
    switchxxxxxx(config-if)# storm-control include-multicast
    18.29 show storm-control To display the configuration of storm control for a port, use the show storm-control Privileged EXEC mode command.
  • Page 418 Ethernet Configuration Commands Example
    switchxxxxxx# show storm-control
    Port     State    Admin Rate [Kb/Sec]  Oper Rate  Included
    -------- -------- -------------------  ---------- ------------
    gi11 Enabled 12345 Kb/Sec 12345 Broadcast, Multicast, Unknown Unicast
    gi12 Disabled 100000 Kb/Sec 100000 Broadcast
    gi13 Enabled 000000 Broadcast
  • Page 419: Green Ethernet

    Green Ethernet 19.1 green-ethernet energy-detect (global) To enable Green-Ethernet Energy-Detect mode globally, use the green-ethernet energy-detect Global Configuration mode command. To disable this feature, use the no form of this command. Syntax green-ethernet energy-detect no green-ethernet energy-detect Parameters This command has no arguments or keywords. Default Configuration Disabled.
  • Page 420: Green-Ethernet Short-Reach (Global)

    Green Ethernet Syntax green-ethernet energy-detect no green-ethernet energy-detect Parameters This command has no arguments or keywords. Default Configuration Enabled. Command Mode Interface (Ethernet) Configuration mode User Guidelines Energy-Detect only works on copper ports. When a port is enabled for automatic copper/fiber selection, Energy-Detect cannot work.
  • Page 421: Green-Ethernet Short-Reach (Interface)

    Green Ethernet Parameters This command has no arguments or keywords. Default Configuration Disabled. Command Mode Global Configuration mode Example switchxxxxxx(config)# green-ethernet short-reach 19.4 green-ethernet short-reach (interface) Use the green-ethernet short-reach Interface Configuration mode command to enable green-ethernet short-reach mode on a port. Use the no form of this command to disable it on a port.
  • Page 422: Green-Ethernet Power-Meter Reset

    Green Ethernet When the interface is set to enhanced mode, after the VCT length check has completed and set the power to low, errors are actively monitored on a continuous basis. If errors cross a certain threshold, the PHY is reverted to long reach.
  • Page 423 Green Ethernet
    Syntax
    show green-ethernet [interface-id | detailed]
    Parameters
    • interface-id—(Optional) Specifies an Ethernet port
    • detailed—(Optional) Displays information for non-present ports in addition to present ports.
    Default Configuration Display for all ports. If detailed is not used, only present ports are displayed. Command Mode Privileged EXEC mode User Guidelines...
  • Page 424 Green Ethernet Example
    Short-Reach Non-Operational Reasons
    Priority Reason Description
    Port is not present
    Link Type is not supported (fiber)
    Link Speed is not supported (100M, 10M)
    Link Length received from VCT test exceeds threshold
    Port Link is Down – NA
    switchxxxxxx# show green-ethernet
    Energy-Detect mode: Enabled
    Short-Reach mode: Disabled...
  • Page 425: Garp Vlan Registration Protocol (Gvrp) Commands

    GARP VLAN Registration Protocol (GVRP) Commands 20.0 20.1 clear gvrp statistics To clear GVRP statistical information for all interfaces or for a specific interface, use the clear gvrp statistics Privileged EXEC mode command.
    Syntax
    clear gvrp statistics [interface-id]
    Parameters
    interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel.
  • Page 426: Gvrp Enable (Global)

    GARP VLAN Registration Protocol (GVRP) Commands 20.2 gvrp enable (Global) To enable the Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) globally, use the gvrp enable Global Configuration mode command. To disable GVRP on the device, use the no form of this command. Syntax gvrp enable no gvrp enable...
  • Page 427: Gvrp Registration-Forbid

    GARP VLAN Registration Protocol (GVRP) Commands Parameters This command has no arguments or keywords. Default Configuration GVRP is disabled on all interfaces. Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines An access port does not dynamically join a VLAN because it is always a member of a single VLAN only.
  • Page 428: Gvrp Vlan-Creation-Forbid

    GARP VLAN Registration Protocol (GVRP) Commands Default Configuration Dynamic registration of VLANs on the port is allowed. Command Mode Interface (Ethernet, Port Channel) Configuration mode Example The following example forbids dynamic registration of VLANs on gi12:
    switchxxxxxx(config)# interface gi12
    switchxxxxxx(config-if)# gvrp registration-forbid
    20.5 gvrp vlan-creation-forbid To disable dynamic VLAN creation or modification, use the gvrp vlan-creation-forbid Interface Configuration mode command.
  • Page 429: Show Gvrp Configuration

    GARP VLAN Registration Protocol (GVRP) Commands switchxxxxxx(config-if)# interface gi13 switchxxxxxx(config-if)# gvrp vlan-creation-forbid 20.6 show gvrp configuration To display GVRP configuration information, including timer values, whether GVRP and dynamic VLAN creation are enabled, and which ports are running GVRP, use the show gvrp configuration EXEC mode command. Syntax [interface-id | detailed show gvrp configuration...
  • Page 430: Show Gvrp Error-Statistics

    GARP VLAN Registration Protocol (GVRP) Commands Enabled Normal Enabled 1200 20000 20.7 show gvrp error-statistics Use the show gvrp error-statistics EXEC mode command to display GVRP error statistics for all interfaces or for a specific interface. Syntax show gvrp error-statistics [interface-id] Parameters interface-id—(Optional) Specifies an interface ID.
  • Page 431: Show Gvrp Statistics

    GARP VLAN Registration Protocol (GVRP) Commands 20.8 show gvrp statistics To display GVRP statistics for all interfaces or for a specific interface, use the show gvrp statistics EXEC mode command. Syntax show gvrp statistics [interface-id] Parameters interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel.
  • Page 432 GARP VLAN Registration Protocol (GVRP) Commands Port rJIn rEmp rLIn sJIn sEmp sLIn ----- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- OL-32830-01 Command Line Interface Reference Guide...
  • Page 433: Igmp Snooping Commands

    IGMP Snooping Commands 21.0 21.1 ip igmp snooping (Global) To enable Internet Group Management Protocol (IGMP) snooping, use the ip igmp snooping command in Global Configuration mode. To return to the default, use the no form of this command. Syntax ip igmp snooping no ip igmp snooping Default Configuration...
  • Page 434: Ip Igmp Snooping Vlan Mrouter

    IGMP Snooping Commands no ip igmp snooping vlan vlan-id Parameters • vlan-id —Specifies the VLAN. Default Configuration Disabled Command Mode Global Configuration mode User Guidelines IGMP snooping can be enabled only on static VLANs. IGMPv1, IGMPv2, and IGMPv3 Snooping are supported. To activate IGMP snooping, bridge multicast filtering must be enabled by the bridge multicast filtering command.
  • Page 435: Ip Igmp Snooping Vlan Mrouter Interface

    IGMP Snooping Commands Default Configuration Learning pim-dvmrp is enabled. Command Mode Global Configuration mode User Guidelines Multicast router ports are learned according to: • Queries received on the port • PIM/PIMv2 received on the port • DVMRP received on the port •...
  • Page 436: Ip Igmp Snooping Vlan Forbidden Mrouter

    IGMP Snooping Commands Default Configuration No ports defined Command Mode Global Configuration mode User Guidelines A port that is defined as a Multicast router port receives all IGMP packets (reports and queries) as well as all Multicast data. You can execute the command before the VLAN is created. Example switchxxxxxx(config)# ip igmp snooping vlan 1 mrouter interface gi1 21.5 ip igmp snooping vlan forbidden mrouter...
  • Page 437: Ip Igmp Snooping Vlan Static

    IGMP Snooping Commands Command Mode Global Configuration mode User Guidelines A port that is a forbidden mrouter port cannot be a Multicast router port (i.e. cannot be learned dynamically or assigned statically). You can execute the command before the VLAN is created. Example switchxxxxxx(config)# ip igmp snooping vlan 1 forbidden mrouter interface 21.6 ip igmp snooping vlan static...
  • Page 438: Ip Igmp Snooping Vlan Multicast-Tv

    IGMP Snooping Commands Command Mode Global Configuration mode User Guidelines Static Multicast addresses can only be defined on static VLANs. You can execute the command before the VLAN is created. You can register an entry without specifying an interface. Using the no command without a port-list removes the entry. Example switchxxxxxx(config)# ip igmp snooping vlan 1 static 239.2.2.2 interface 21.7 ip igmp snooping vlan multicast-tv...
  • Page 439: Ip Igmp Snooping Map Cpe Vlan

    IGMP Snooping Commands Command Mode Global Configuration mode User Guidelines Use this command to define the Multicast transmissions on a Multicast-TV VLAN. The configuration is only relevant for an Access port that is a member in the configured VLAN as a Multicast-TV VLAN. If an IGMP message is received on such an Access port, it is associated with the Multicast-TV VLAN only if it is for one of the Multicast IP addresses that are associated with the Multicast-TV VLAN.
  • Page 440: Ip Igmp Snooping Querier

    IGMP Snooping Commands User Guidelines Use this command to associate the CPE VLAN with a Multicast-TV VLAN. If an IGMP message is received on a customer port tagged with a CPE VLAN, and there is mapping from that CPE VLAN to a Multicast-TV VLAN, the IGMP message is associated with the Multicast-TV VLAN.
  • Page 441: Ip Igmp Snooping Vlan Querier

    IGMP Snooping Commands Example The following example disables the IGMP Snooping querier globally: switchxxxxxx(config)# no ip igmp snooping querier 21.10 ip igmp snooping vlan querier To enable the IGMP Snooping querier on a specific VLAN, use the ip igmp snooping vlan querier command in Global Configuration mode. To disable the IGMP Snooping querier on the VLAN interface, use the no form of this command.
  • Page 442: Ip Igmp Snooping Vlan Querier Address

    IGMP Snooping Commands 21.11 ip igmp snooping vlan querier address To define the source IP address that the IGMP snooping querier uses, use the ip igmp snooping vlan querier address command in Global Configuration mode. To return to the default, use the no form of this command. Syntax vlan-id ip-address...
  • Page 443 IGMP Snooping Commands Syntax ip igmp snooping vlan vlan-id querier election no ip igmp snooping vlan vlan-id querier election Parameters • vlan-id —Specifies the VLAN. Default Configuration Enabled Command Mode Global Configuration mode User Guidelines Use the no form of the ip igmp snooping vlan querier election command to disable the IGMP Querier election mechanism on a VLAN.
  • Page 444: Ip Igmp Snooping Vlan Querier Version

    IGMP Snooping Commands 21.13 ip igmp snooping vlan querier version To configure the IGMP version of an IGMP Snooping querier on a specific VLAN, use the ip igmp snooping vlan querier version command in Global Configuration mode. To return to the default, use the no form of this command. Syntax vlan-id ip igmp snooping vlan...
  • Page 445: Show Ip Igmp Snooping Cpe Vlans

    IGMP Snooping Commands no ip igmp snooping vlan vlan-id immediate-leave Parameters • vlan-id —Specifies the VLAN ID value. (Range: 1–4094). Default Configuration Disabled Command Mode Global Configuration mode User Guidelines You can execute the command before the VLAN is created. Example The following example enables the IGMP snooping immediate-leave feature on VLAN switchxxxxxx(config)# ip igmp snooping vlan 1 immediate-leave...
  • Page 446: Show Ip Igmp Snooping Groups

    IGMP Snooping Commands Example The following example displays the CPE VLAN to Multicast TV VLAN mappings. switchxxxxxx# show ip igmp snooping cpe vlans CPE VLAN Multicast-TV VLAN -------- ------------------ 1118 1119 21.16 show ip igmp snooping groups To display the Multicast groups learned by the IGMP snooping, use the show ip igmp snooping groups command in User EXEC mode.
  • Page 447: Show Ip Igmp Snooping Interface

    IGMP Snooping Commands Example The following example shows sample output: switchxxxxxx# show ip igmp snooping groups vlan 1 switchxxxxxx# show ip igmp snooping groups Vlan Group Address Source Address Include Ports Exclude Ports Comp-Mode ---- --------------- ---------------- ------------ -------- --------- 239.255.255.250 gi11 21.17 show ip igmp snooping interface...
  • Page 448: Show Ip Igmp Snooping Mrouter

    IGMP Snooping Commands IGMP Snooping Querier is enabled IGMP Snooping Querier operation state: is running IGMP Snooping Querier version: 2 IGMP Snooping Querier election is enabled IGMP Snooping Querier address: 194.12.10.166 IGMP snooping robustness: admin 2 oper 2 IGMP snooping query interval: admin 125 sec oper 125 sec IGMP snooping query maximum response: admin 10 sec oper 10 sec IGMP snooping last member query counter: admin 2 oper 2 IGMP snooping last member query interval: admin 1000 msec oper 500 msec...
  • Page 449: Show Ip Igmp Snooping Multicast-Tv

    IGMP Snooping Commands VLAN Dynamic Static Forbidden ---- --------- --------- ---------- 1000 gi11 gi12 gi13-4 21.19 show ip igmp snooping multicast-tv To display the IP addresses associated with Multicast TV VLANs, use the show ip igmp snooping multicast-tv command in User EXEC mode. Syntax show ip igmp snooping multicast-tv [vlan vlan-id...
  • Page 450: Ip Addressing Commands

    IP Addressing Commands 22.0 IP addresses and Layer 2 Interfaces IP addresses can be configured on the following Layer 2 interfaces: Only in router mode. • Port channel • VLAN • Loopback port Lists of Commands 22.1 ip address Use the ip address Interface Configuration (Ethernet, VLAN, Port-channel) mode command to define an IP address for an interface.
  • Page 451 IP Addressing Commands • mask —Specifies the network mask of the IP address. • prefix-length —Specifies the number of bits that comprise the IP address prefix. The prefix length must be preceded by a forward slash (/). (Range: 8–30) • default-gateway-ip-address —Specifies the default gateway IP address.
  • Page 452: Ip Address Dhcp

    IP Addressing Commands switchxxxxxx(config)# interface vlan switchxxxxxx(config-if)# ip address 131.108.1.27 255.255.255.0 Example 2. The following example configures 3 overlapped IP addresses. switchxxxxxx(config)# interface vlan switchxxxxxx(config-if)# ip address 1.1.1.1 255.0.0.0 switchxxxxxx(config)# exit switchxxxxxx(config)# interface vlan switchxxxxxx(config-if)# ip address 1.2.1.1 255.255.0.0 switchxxxxxx(config)# This IP address overlaps IP address 1.1.1.1/8 on vlan1, are you sure? [Y/N]Y switchxxxxxx(config)#...
  • Page 453: Renew Dhcp

    IP Addressing Commands Command Mode Interface Configuration mode User Guidelines Use the ip address dhcp command to enable DHCP client on the interface. In switch mode the ip address dhcp command removes the manually configured address. The default route (Default Gateway) received in DHCP Router option (Option 3) is assigned a metric of 253.
  • Page 454: Ip Default-Gateway

    IP Addressing Commands Command Mode Privileged EXEC mode User Guidelines Use the renew dhcp command in switch mode to renew a DHCP address. This command does not enable the DHCP client; if the DHCP client is not enabled, the command returns an error message. Use the renew dhcp command in router mode to renew a DHCP address on an interface.
  • Page 455: Show Ip Interface

    IP Addressing Commands Command Mode Global Configuration mode Default Configuration No default gateway is defined. User Guidelines Use the ip default-gateway command to define a default gateway (default route). The ip default-gateway command adds the default route with a metric of 1. Use the no ip default-gateway ip-address command to delete one default...
  • Page 456 IP Addressing Commands Examples Example 1 - The following example displays the configured IP addresses and their types in switch mode: switchxxxxxx# show ip interface IP Address I/F Status Type Status admin/oper ------------- ------ ----------- ------- ------ 10.5.234.232/24 vlan 1 UP/UP Static Valid...
  • Page 457: Arp

    IP Addressing Commands 10.5.230.232/24 vlan 1 UP/UP Static disable Enabled Valid 22.6 arp Use the arp Global Configuration mode command to add a permanent entry to the Address Resolution Protocol (ARP) cache. Use the no form of this command to remove an entry from the ARP cache.
  • Page 458: Arp Timeout (Global)

    IP Addressing Commands 22.7 arp timeout (Global) Use the arp timeout Global Configuration mode command to set the time interval during which an entry remains in the ARP cache. Use the no form of this command to restore the default configuration. Syntax arp timeout seconds...
  • Page 459: Ip Proxy-Arp

    IP Addressing Commands Parameters Default Enabled by default. Command Mode Global Configuration mode User Guidelines This command overrides any proxy ARP interface configuration. The command is supported only in the router mode. Example The following example globally disables ARP proxy. switchxxxxxx(config)# ip arp proxy disable 22.9 ip proxy-arp...
  • Page 460: Clear Arp-Cache

    IP Addressing Commands User Guidelines This configuration can be applied only if at least one IP address is defined on a specific interface. The command is supported only in router mode. Example The following example enables ARP proxy when the switch is in router mode. switchxxxxxx(config-if)# ip proxy-arp 22.10 clear arp-cache...
  • Page 461: Show Arp Configuration

    IP Addressing Commands Parameters • ip-address ip-address —Specifies the IP address. • mac-address mac-address —Specifies the MAC address. • interface-id —Specifies an interface ID. Command Mode Privileged EXEC mode User Guidelines Since the associated interface of a MAC address can be aged out from the FDB table, the Interface field can be empty.
  • Page 462: Interface Ip

    IP Addressing Commands Command Mode Privileged EXEC mode Example switchxxxxxx# show arp configuration Global configuration: ARP Proxy: enabled ARP timeout: 80000 Seconds Interface configuration: VLAN 1: ARP Proxy: disabled ARP timeout:60000 Seconds VLAN 10: ARP Proxy: enabled ARP timeout:70000 Seconds VLAN 20: ARP Proxy: enabled ARP timeout:80000 Second (Global)
  • Page 463: Ip Helper-Address

    IP Addressing Commands Example The following example enters the IP interface configuration mode. switchxxxxxx(config)# interface ip 192.168.1.1 switchxxxxxx(config-ip)# 22.14 ip helper-address Use the ip helper-address Global Configuration mode command to enable the forwarding of UDP Broadcast packets received on an interface to a specific (helper) address.
  • Page 464: Show Ip Helper-Address

    IP Addressing Commands Command Mode Global Configuration mode User Guidelines The command is supported only in router mode. This command forwards specific UDP Broadcast packets from one interface to another, by specifying a UDP port number to which UDP broadcast packets with that destination port number are forwarded.
  • Page 465: Show Ip Dhcp Client Interface

    IP Addressing Commands Syntax show ip helper-address Parameters This command has no arguments or keywords. Command Mode Privileged EXEC mode User Guidelines The command is supported only in router mode. Example The following example displays the IP helper addresses configuration on the system: switchxxxxxx# show ip...
  • Page 466 IP Addressing Commands Command Mode User EXEC mode User Guidelines If no interfaces are specified, all interfaces on which DHCP client is enabled are displayed. If an interface is specified, only information about the specified interface is displayed. Example The following is sample output of the show ip dhcp client interface command: switchxxxxxx# show ip dhcp client interface VLAN 100 is in client mode...
  • Page 467: Ip Routing Protocol-Independent Commands

    IP Routing Protocol-Independent Commands 23.0 23.1 ip redirects Use the ip redirects command in IP Interface Configuration mode to enable the sending of ICMP redirect messages to re-send a packet through the same interface on which the packet was received. To disable the sending of redirect messages, use the no form of this command.
  • Page 468: Ip Route

    IP Routing Protocol-Independent Commands switchxxxxxx(config-ip)# exit 23.2 ip route To establish static routes, use the ip route command in global configuration mode. To remove static routes, use the no form of this command. Syntax ip route prefix { mask | prefix-length } {{ ip-address [metric value...
  • Page 469: Show Ip Route

    IP Routing Protocol-Independent Commands Examples Example 1—The following example shows how to route packets for network 172.31.0.0 to a router at 172.31.6.6 using mask: switchxxxxxx(config)# ip route 172.31.0.0 255.255.0.0 172.31.6.6 metric 2 Example 2—The following example shows how to route packets for network 172.31.0.0 to a router at 172.31.6.6 using prefix length : switchxxxxxx(config)# ip route 172.31.0.0 /16 172.31.6.6 metric 2...
  • Page 470 IP Routing Protocol-Independent Commands Parameters • ip-address address —IP address about which routing information should be displayed. • mask —The value of the subnet mask. • longer-prefixes—Specifies that only routes matching the IP address and mask pair should be displayed. •...
  • Page 471 IP Routing Protocol-Independent Commands S> 10.10.0.0/16 1/128 10.120.254.244 00:02:22 vlan3 S> 10.16.2.0/24 1/128 10.119.254.244 00:02:22 vlan2 C> 10.119.0.0/16 0/1 0.0.0.0 vlan2 C> 10.120.0.0/16 0/1 0.0.0.0 vlan3 Example 2. The following is sample output from the show ip route command when IP Routing is enabled: switchxxxxxx# show ip route...
  • Page 472: Show Ip Route Summary

    IP Routing Protocol-Independent Commands Code IP Route Distance/ Next Hop Last Time Outgoing Metric IP Address Updated Interface ------ ------------------- ----------- --------------- ------------- ----------------------- S> 10.16.2.0/24 110/128 10.119.254.244 00:02:22 vlan2 S> 10.16.2.64/26 110/128 100.1.14.244 00:02:22 vlan1 S> 10.16.2.128/26 110/128 110.9.2.2 00:02:22 vlan3 S>...
  • Page 473 IP Routing Protocol-Independent Commands Number of prefixes: /16: 16, /18: 10, /22: 15, /24: 19
  • Page 474: Ip System Management Commands

    IP System Management Commands 24.0 24.1 ping Use the ping EXEC mode command to send ICMP echo request packets to another node on the network. Syntax ping [ip] {ipv4-address | hostname size packet_size count packet_count timeout time_out source-address ] [source ipv6-address | hostname size packet_size count packet_count...
  • Page 475 IP System Management Commands Default Usage Command Mode Privileged EXEC mode User Guidelines Press Esc to stop pinging. Following are sample results of the ping command: • Destination does not respond—If the host does not respond, a “no answer from host” appears within 10 seconds. •...
  • Page 476 IP System Management Commands round-trip (ms) min/avg/max = 7/8/11 Example 2 - Ping a site. switchxxxxxx> ping ip yahoo.com Pinging yahoo.com [66.218.71.198] with 64 bytes of data: 64 bytes from 66.218.71.198: icmp_seq=0. time=11 ms 64 bytes from 66.218.71.198: icmp_seq=1. time=8 ms 64 bytes from 66.218.71.198: icmp_seq=2.
  • Page 477: Telnet

    IP System Management Commands 64 bytes from FF02::1: icmp_seq=2. time=1050 ms 64 bytes from FF02::1: icmp_seq=3. time=0 ms 64 bytes from FF02::1: icmp_seq=3. time=70 ms 64 bytes from FF02::1: icmp_seq=4. time=0 ms 64 bytes from FF02::1: icmp_seq=3. time=1050 ms 64 bytes from FF02::1: icmp_seq=4. time=70 ms 64 bytes from FF02::1: icmp_sq=4.
  • Page 478 IP System Management Commands system-specific functions. To enter a Telnet sequence, press the escape sequence keys (Ctrl-shift-6) followed by a Telnet command character. Special Telnet Sequences Telnet Sequence Purpose Ctrl-shift-6-b Break Ctrl-shift-6-c Interrupt Process (IP) Ctrl-shift-6-h Erase Character (EC) Ctrl-shift-6-o Abort Output (AO) Ctrl-shift-6-t Are You There? (AYT)
  • Page 479 IP System Management Commands Keywords Table Options Description /echo Enables local echo. /quiet Prevents onscreen display of all messages from the software. /source-interfac Specifies the source interface. /stream Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UNIX-to-UNIX Copy Program...
  • Page 480: Traceroute

    IP System Management Commands Keyword Description Port Number nntp Network News Transport Protocol pim-auto-r PIM Auto-RP pop2 Post Office Protocol v2 pop3 Post Office Protocol v3 smtp Simple Mail Transport Protocol sunrpc Sun Remote Procedure Call syslog Syslog tacacs TAC Access Control System talk Talk telnet...
  • Page 481 IP System Management Commands Parameters • ip—Use IPv4 to discover the route. • ipv6—Use IPv6 to discover the route. • ipv4-address—IPv4 address of the destination host. • ipv6-address—IPv6 address of the destination host. • hostname—Hostname of the destination host. (Length: 1-160 characters. Maximum label size for each part of the host name: 58.) •...
  • Page 482 IP System Management Commands The traceroute command sends out one probe at a time. Each outgoing packet can result in one or two error messages. A "time exceeded" error message indicates that an intermediate router has seen and discarded the probe. A "destination unreachable"...
  • Page 483 IP System Management Commands Field Description 192.68.191.83 IP address of this router. 1 msec 1 msec 1 Round-trip time for each of the probes that msec are sent. The following are characters that can appear in the traceroute command output: Field Description The probe timed out.
  • Page 484: Ipv6 First Hop Security

    IPv6 First Hop Security 25.0 Policies Policies contain the rules of verification that will be performed on input packets. They can be attached to VLANs and/or port (Ethernet port or port channel). The final set of rules that is applied to an input packet on a port is built in the following way: 1.
  • Page 485: Address-Config

    IPv6 First Hop Security Default policies can never be deleted. You can only delete the user-added configuration. Lists of Commands 25.1 address-config To specify allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor Binding policy, use the address-config command in Neighbor Binding Policy Configuration mode.
  • Page 486: Address-Prefix-Validation

    IPv6 First Hop Security If no keyword is defined, the address-config any command is applied. Example The following example shows how to change the global configuration to allow only the DHCP address configuration method: switchxxxxxx(config)# ipv6 neighbor binding policy policy1 switchxxxxxx(config-nbr-binding)# address-config dhcp switchxxxxxx(config-nbr-binding)# exit...
  • Page 487: Clear Ipv6 First Hop Security Counters

    IPv6 First Hop Security User Guidelines When a policy containing this command is attached to a VLAN, it overrides the global configuration and is applied to all ports of the VLAN. When this command is used in a policy attached to a port, it overrides the global and the VLAN configurations.
  • Page 488: Clear Ipv6 First Hop Security Error Counters

    IPv6 First Hop Security Example The following example clears IPv6 First Hop Security counters on port gi 1 1 switchxxxxxx# clear ipv6 first hop security counters interface gi11 25.4 clear ipv6 first hop security error counters To clear IPv6 First Hop Security global error counters, use the clear ipv6 first hop security error counters command in privileged EXEC mode.
  • Page 489 IPv6 First Hop Security Syntax clear ipv6 neighbor binding prefix table [vlan vlan-id] [prefix-address prefix-length] Parameters • vlan-id —Clear the dynamic prefixes that match the specified VLAN. • prefix-address prefix-length —Clear the specific dynamic prefix. Command Mode Privileged EXEC mode User Guidelines This command deletes the dynamic entries of the Neighbor Prefix table.
  • Page 490: Clear Ipv6 Neighbor Binding Table

    IPv6 First Hop Security 25.6 clear ipv6 neighbor binding table To remove dynamic entries from the Neighbor Binding table, use the clear ipv6 neighbor binding table command in Privileged EXEC mode. Syntax clear ipv6 neighbor binding table [vlan vlan-id] [interface interface-id] [ipv6 ipv6-address...
  • Page 491: Device-Role (Ipv6 Dhcp Guard)

    IPv6 First Hop Security Example The following example clears all dynamic entries that exist on VLAN 100 & port gi 1 1: switchxxxxxx# clear ipv6 neighbor binding table vlan 100 interface gi11 25.7 device-role (IPv6 DHCP Guard) To specify the role of the device attached to the port within an IPv6 DHCP Guard policy, use the device-role command in IPv6 DHCPv6 Guard Policy Configuration mode.
  • Page 492: Device-Role (Neighbor Binding)

    IPv6 First Hop Security • REPLY • RECONFIGURE • RELAY-REPL • LEASEQUERY-REPLY Example The following example defines an IPv6 DHCP Guard policy named policy1 and configures the port role as the server: switchxxxxxx(config)# ipv6 dhcp guard policy policy1 switchxxxxxx(config-dhcp-guard)# device-role server switchxxxxxx(config-dhcp-guard)#...
  • Page 493: Device-Role (Nd Inspection Policy)

    IPv6 First Hop Security Command Mode Neighbor Binding Policy Configuration mode. User Guidelines If this command is part of a policy attached to a VLAN, it is applied to all the ports in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the value in the policy attached to the VLAN.
  • Page 494 IPv6 First Hop Security no device-role Parameters • host—Sets the role of the device to host. • router—Sets the role of the device to router. Default Configuration Policy attached to port or port channel: the value configured in the policy attached to the VLAN.
  • Page 495: Device-Role (Ra Guard Policy)

    IPv6 First Hop Security 25.10 device-role (RA Guard Policy) To specify the role of the device attached to the port within an IPv6 RA Guard policy, use the device-role command in RA Guard Policy Configuration mode. To return to the default, use the no form of this command. Syntax device-role {host | router} no device-role...
  • Page 496: Drop-Unsecure

    IPv6 First Hop Security switchxxxxxx(config-ra-guard)# exit 25.11 drop-unsecure To enable dropping messages with no or invalid options or an invalid signature within an IPv6 ND Inspection policy, use the drop-unsecure command in ND Inspection Policy Configuration mode. To return to the default, use the no form of this command.
  • Page 497: Hop-Limit

    IPv6 First Hop Security Example The following example defines an ND Inspection policy named policy1, places the switch in ND Inspection Policy Configuration mode, and enables the switch to drop messages with no or invalid options or an invalid signature: switchxxxxxx(config)# ipv6 nd inspection policy policy1 switchxxxxxx(config-nd-inspection)#...
  • Page 498: Ipv6 Dhcp Guard

    IPv6 First Hop Security Command Mode RA Guard Policy Configuration mode User Guidelines If this command is part of a policy attached to a VLAN, it is applied to all the ports in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the value in the policy attached to the VLAN.
  • Page 499 IPv6 First Hop Security no ipv6 dhcp guard Parameters Default Configuration DHCPv6 Guard on a VLAN is disabled. Command Mode Interface (VLAN) Configuration mode User Guidelines DHCPv6 Guard blocks messages sent by DHCPv6 servers/relays to clients received on ports that are not configured as a DHCPv6 server. Client messages or messages sent by relay agents from clients to servers are not blocked.
  • Page 500: Ipv6 Dhcp Guard Attach-Policy (Port Mode)

    IPv6 First Hop Security 25.14 ipv6 dhcp guard attach-policy (port mode) To attach a DHCPv6 Guard policy to a specific port, use the ipv6 dhcp guard attach-policy command in Interface Configuration mode. To return to the default, use the no form of this command. Syntax policy-name vlan-list...
  • Page 501 IPv6 First Hop Security • The rules, configured in the policy attached to the VLAN are added to the set if they have not been added. • The global rules are added to the set if they have not been added. Use no ipv6 dhcp guard attach-policy to detach all user-defined DHCP Guard policies attached to the port.
  • Page 502: Ipv6 Dhcp Guard Attach-Policy (Vlan Mode)

    IPv6 First Hop Security Example 4—In the following example DHCPv6 Guard detaches policy1 from the gi 1 1 port: switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# no ipv6 dhcp guard attach-policy policy1 switchxxxxxx(config-if)# exit 25.15 ipv6 dhcp guard attach-policy (VLAN mode) To attach a DHCPv6 Guard policy to a specified VLAN, use the ipv6 dhcp guard attach-policy command in VLAN Configuration mode.
  • Page 503: Ipv6 Dhcp Guard Policy

    IPv6 First Hop Security Example In the following example, the DHCPv6 Guard policy policy1 is attached to VLAN 100: switchxxxxxx(config)# interface vlan 100 switchxxxxxx(config-if)# ipv6 dhcp guard attach-policy policy1 switchxxxxxx(config-if)# exit 25.16 ipv6 dhcp guard policy To define a DHCP Guard policy and place the switch in DHCPv6 Guard Policy Configuration mode, use the ipv6 dhcp guard policy command in Global Configuration mode.
  • Page 504 IPv6 First Hop Security • match server address • match reply • preference Each policy of the same type (for example, DHCPv6 Guard policies) must have a unique name. Policies of different types can have the same policy name. The switch supports two predefined, default DHCPv6 Guard policies named: "vlan_default"...
  • Page 505: Ipv6 Dhcp Guard Preference

    IPv6 First Hop Security Example 2—The following example defines a DHCPv6 Guard named policy1 by multiple steps: switchxxxxxx(config)# ipv6 dhcp guard policy policy1 switchxxxxxx(config-dhcp-guard)# match server address list1 switchxxxxxx(config-dhcp-guard)# exit switchxxxxxx(config)# ipv6 dhcp guard policy policy1 switchxxxxxx(config-dhcp-guard)# device-role server switchxxxxxx(config-dhcp-guard)# exit Example 3—The following example removes an attached DHCPv6 Guard policy: switchxxxxxx(config)# no ipv6 dhcp guard policy policy1...
  • Page 506 IPv6 First Hop Security Default Configuration Verification is disabled. Command Mode Global Configuration mode User Guidelines This command enables verification that the preference value in messages sent by DHCPv6 servers (see RFC3315) is greater than or less than the value argument.
  • Page 507: Ipv6 First Hop Security

    IPv6 First Hop Security Example 2—The following example defines a global minimum preference value of 10 and a global maximum preference value of 102 using a single command: switchxxxxxx(config)# ipv6 dhcp guard preference minimum 10 maximum 102 25.18 ipv6 first hop security To globally enable IPv6 First Hop Security on a VLAN, use the ipv6 first hop security command in VLAN Configuration mode.
  • Page 508: Ipv6 First Hop Security Attach-Policy (Port Mode)

    IPv6 First Hop Security switchxxxxxx(config-if)# exit Example 2—The following example enables IPv6 First Hop Security on VLANs 100-107: switchxxxxxx(config)# interface range vlan 100-107 switchxxxxxx(config-if-range)# ipv6 first hop security switchxxxxxx(config-if-range)# exit 25.19 ipv6 first hop security attach-policy (port mode) To attach an IPv6 First Hop Security policy to a specific port, use the ipv6 first hop security attach-policy command in Interface Configuration mode.
  • Page 509 IPv6 First Hop Security User Guidelines Use this command to attach an IPv6 First Hop Security policy to a port. Each succeeding usage of this command overrides the previous usage of the command with the same policy.
  • Page 510: Ipv6 First Hop Security Attach-Policy (Vlan Mode)

    IPv6 First Hop Security switchxxxxxx(config-if)# ipv6 first hop security attach-policy policy1 vlan 1-10,12-20 switchxxxxxx(config-if)# exit Example 3—In the following example, the IPv6 First Hop Security policy policy1 is attached to the gi 1 1 port and applied to VLANs 1-10 and the IPv6 First Hop Security policy policy2 is attached to the gi 1 1 port and applied to VLANs 12-20: switchxxxxxx(config)# interface gi11...
  • Page 511: Ipv6 First Hop Security Logging Packet Drop

    IPv6 First Hop Security Parameters • policy-name —The IPv6 First Hop Security policy name (up to 32 characters). Default Configuration The IPv6 First Hop Security default policy is applied. Command Mode Interface (VLAN) Configuration mode User Guidelines Use this command to attach an IPv6 First Hop Security policy to a VLAN. If a policy specified by the policy-name argument is not defined, the command is rejected.
  • Page 512: Ipv6 First Hop Security Policy

    IPv6 First Hop Security no ipv6 first hop security logging packet drop Parameters Default Configuration Logging is disabled. Command Mode Global Configuration mode User Guidelines Use this command to log packets that are dropped. If logging is enabled, the switch sends a rate-limited SYSLOG message every time it drops a message. Example The following example shows how to enable logging of dropped packets by the IPv6 first-hop security feature:...
  • Page 513 IPv6 First Hop Security Default Configuration No IPv6 First Hop Security policy is configured. Command Mode Global Configuration mode User Guidelines This command defines an IPv6 First Hop Security policy, and places the switch in IPv6 First Hop Security Policy Configuration mode. The following command can be configured in IPv6 First Hop Security Policy Configuration mode: •...
  • Page 514: Ipv6 Nd Inspection

    IPv6 First Hop Security Examples Example 1—The following example defines the IPv6 First Hop Security policy named policy1, places the switch in IPv6 First Hop Security Policy Configuration mode, and enables logging of dropped packets: switchxxxxxx(config)# ipv6 first hop security policy policy1 switchxxxxxx(config-ipv6-fhs)# logging packet drop switchxxxxxx(config)# exit...
  • Page 515: Ipv6 Nd Inspection Attach-Policy (Port Mode)

    IPv6 First Hop Security Command Mode Interface (VLAN) Configuration mode User Guidelines Use the command to enable ND Inspection on a VLAN. IPv6 ND Inspection validates the Neighbor Discovery Protocol (NDP) messages using the ND Inspection policies and global ND Inspection configuration. ND Inspection bridges NDP messages to all ports excluding the source port within the VLAN with the following exception: RS and CPS messages are not bridged to ports configured as host (see the device-role command).
  • Page 516 IPv6 First Hop Security Syntax ipv6 nd inspection attach-policy policy-name [vlan vlan-list] no ipv6 nd inspection attach-policy [policy-name] Parameters • policy-name —The ND Inspection policy name (up to 32 characters). • vlan vlan-list —Specifies that the ND Inspection policy is to be attached to the VLAN(s) in vlan-list.
  • Page 517 IPv6 First Hop Security Use the no ipv6 nd inspection attach-policy policy-name command to detach the specific policy from the port. Examples Example 1—In the following example, the ND Inspection policy policy1 is attached to the gi 1 1 port: switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)#...
  • Page 518: Ipv6 Nd Inspection Attach-Policy (Vlan Mode)

    IPv6 First Hop Security 25.25 ipv6 nd inspection attach-policy (VLAN mode) To attach an ND Inspection policy to a specified VLAN, use the ipv6 nd inspection attach-policy command in VLAN Configuration mode. To return to the default, use the no form of this command. Syntax ipv6 nd inspection attach-policy policy-name...
  • Page 519: Ipv6 Nd Inspection Drop-Unsecure

    IPv6 First Hop Security 25.26 ipv6 nd inspection drop-unsecure To globally enable dropping messages with no CGA and RSA Signature options, use the ipv6 nd inspection drop-unsecure command in Global Configuration mode. To disable this function, use the no form of this command. Syntax ipv6 nd inspection drop-unsecure no ipv6 nd inspection drop-unsecure...
  • Page 520: Ipv6 Nd Inspection Policy

    IPv6 First Hop Security 25.27 ipv6 nd inspection policy To define an ND Inspection policy and place the switch in IPv6 ND Inspection Policy Configuration mode, use the ipv6 nd inspection policy command in Global Configuration mode. To remove the ND Inspection policy, use the no form of this command.
  • Page 521 IPv6 First Hop Security ipv6 nd inspection policy port_default exit These policies cannot be removed, but they can be changed. The no ipv6 nd inspection policy command does not remove these policies; it only removes the policy configuration defined by the user. The default policies cannot be attached by the ipv6 nd inspection attach-policy (port mode)
  • Page 522: Ipv6 Nd Inspection Sec-Level Minimum

    IPv6 First Hop Security switchxxxxxx(config-nd-inspection)# exit Example 3. The following example removes an attached ND Inspection policy: switchxxxxxx(config)# no ipv6 nd inspection policy policy1 Policy policy1 is applied on the following ports: gi11, gi12 The policy1 will be detached and removed, are you sure [Y/N]Y 25.28 ipv6 nd inspection sec-level minimum To globally specify the minimum security level value, use the ipv6 nd inspection sec-level minimum command in Global Configuration mode.
  • Page 523: Ipv6 Nd Inspection Validate Source-Mac

    IPv6 First Hop Security Example The following example sets 2 as the minimum CGA security level: switchxxxxxx(config)# ipv6 nd inspection sec-level minimum 2 25.29 ipv6 nd inspection validate source-mac To globally enable checking the source MAC address against the link-layer address in the source/target link-layer option, use the ipv6 nd inspection validate source-mac command in Global Configuration mode.
  • Page 524: Ipv6 Nd Raguard

    IPv6 First Hop Security Example The following example enables the switch to drop an NDP message whose link-layer address in the source/target link-layer option does not match the MAC address: switchxxxxxx(config)# ipv6 nd inspection validate source-mac 25.30 ipv6 nd raguard To globally enable the Router Advertisements (RA) guard feature on a VLAN, use the ipv6 nd raguard command in VLAN Configuration mode.
  • Page 525: Ipv6 Nd Raguard Attach-Policy (Port Mode)

    IPv6 First Hop Security Examples Example 1—The following example enables RA Guard on VLAN 100: switchxxxxxx(config)# interface vlan 100 switchxxxxxx(config-if)# ipv6 nd raguard switchxxxxxx(config-if)# exit Example 2—The following example enables RA Guard on VLANs 100-107: switchxxxxxx(config)# interface range vlan 100-107 switchxxxxxx(config-if-range)# ipv6 nd raguard switchxxxxxx(config-if-range)#...
  • Page 526 IPv6 First Hop Security Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines Use this command to attach an RA Guard policy to a port. Each time the command is used, it overrides the previous command within the same policy. If a policy specified by the policy-name argument is not defined, the command is...
  • Page 527: Ipv6 Nd Raguard Attach-Policy (Vlan Mode)

    IPv6 First Hop Security switchxxxxxx(config-if)# ipv6 nd raguard attach-policy policy1 vlan 1-10,12-20 switchxxxxxx(config-if)# exit Example 3—In the following example, the RA Guard policy policy1 is attached to the gi 1 1 port and applied to VLANs 1-10 and the RA Guard policy policy2 is attached to the gi 1 1 port and applied to VLANs 12-20: switchxxxxxx(config)# interface gi11...
  • Page 528: Ipv6 Nd Raguard Hop-Limit

    IPv6 First Hop Security Default Configuration The RA Guard default policy is applied. Command Mode Interface (VLAN) Configuration mode User Guidelines Use this command to attach an RA Guard policy to a VLAN. If a policy specified by the policy-name argument is not defined, the command is rejected.
  • Page 529 IPv6 First Hop Security • minimum value —Verifies that the hop-count limit is greater than or equal to the value argument. Range 1-255. Default Configuration No hop-count limit is verified. Command Mode Global Configuration mode User Guidelines This command enables verification that the advertised Cur Hop Limit value in an RA message (see RFC4861) is greater than or less than the value set by the value argument.
  • Page 530: Ipv6 Nd Raguard Managed-Config-Flag

    IPv6 First Hop Security switchxxxxxx(config)# ipv6 nd raguard hop-limit minimum 3 maximum 100 25.34 ipv6 nd raguard managed-config-flag To globally enable verification of the advertised Managed Address Configuration flag in RA messages, use the ipv6 nd raguard managed-config-flag command in Global Configuration mode. To return to the default, use the no form of this command.
  • Page 531: Ipv6 Nd Raguard Other-Config-Flag

    IPv6 First Hop Security 25.35 ipv6 nd raguard other-config-flag To globally enable verification of the advertised “Other Configuration” flag in RA messages, use the ipv6 nd raguard other-config-flag command in Global Configuration mode. To return to the default, use the no form of this command. Syntax ipv6 nd raguard other-config-flag {on | off} no ipv6 nd raguard other-config-flag...
  • Page 532: Ipv6 Nd Raguard Policy

    IPv6 First Hop Security 25.36 ipv6 nd raguard policy To define an RA Guard policy name and place the switch in IPv6 RA Guard Policy Configuration mode, use the ipv6 nd raguard policy command in Global Configuration mode. To remove the RA Guard policy, use the no form of this command.
  • Page 533 IPv6 First Hop Security The policies cannot be attached by the ipv6 nd raguard attach-policy (port mode) or ipv6 nd raguard attach-policy (VLAN mode) commands. The vlan_default policy is attached by default to a VLAN, if no other policy is attached to the VLAN. The port_default policy is attached by default to a port, if no other policy is attached to the port.
  • Page 534: Ipv6 Nd Raguard Router-Preference

    IPv6 First Hop Security switchxxxxxx(config-ra-guard)# exit switchxxxxxx(config)# ipv6 nd raguard policy policy1 switchxxxxxx(config-ra-guard)# device-role router switchxxxxxx(config-ra-guard)# exit Example 3—The following example removes an attached RA Guard policy: switchxxxxxx(config)# no ipv6 nd raguard policy policy1 Policy policy1 is applied on the following ports: gi11, gi12 The policy1 will be detached and removed, are you sure [Y/N]Y 25.37 ipv6 nd raguard router-preference...
  • Page 535 IPv6 First Hop Security Command Mode Global Configuration mode User Guidelines This command enables verification of the advertised Default Router Preference value in RA messages (see RFC4191). Configuring the minimum keyword and value argument specifies the minimum allowed value. Received RA messages with a Default Router Preference value less than the value argument are dropped.
  • Page 536: Ipv6 Neighbor Binding

    IPv6 First Hop Security 25.38 ipv6 neighbor binding To globally enable the Neighbor Binding (NB) integrity feature on a VLAN, use the ipv6 neighbor binding command in VLAN Configuration mode. To return to the default, use the no form of this command. Syntax ipv6 neighbor binding no ipv6 neighbor binding...
  • Page 537: Ipv6 Neighbor Binding Address-Config

    IPv6 First Hop Security switchxxxxxx(config-if-range)# exit 25.39 ipv6 neighbor binding address-config To specify allowed configuration methods of global IPv6 addresses, use the ipv6 neighbor binding address-config command in Global Configuration mode. To return to the default setting, use the no form of this command. Syntax ipv6 neighbor binding address-config [stateless | any] [dhcp] no ipv6 neighbor binding address-config...
  • Page 538 IPv6 First Hop Security stateless—IPv6 addresses are bound from NDP messages, and only global addresses belonging to learned prefixes with the A-flag set or prefixes manually configured with the autoconfig keyword are allowed. any—IPv6 addresses are bound from NDP messages and only global addresses belonging to prefixes in NPT are allowed.
  • Page 539: Ipv6 Neighbor Binding Address-Prefix

    IPv6 First Hop Security switchxxxxxx(config)# ipv6 neighbor binding address-config stateless Example 4. The following example specifies that only the stateless IPv6 address configuration and assignment by DHCPv6 methods can be applied and binding only from NDP messages is supported: switchxxxxxx(config)# ipv6 neighbor binding address-prefix-validation switchxxxxxx(config)# ipv6 neighbor binding address-config stateless dhcp...
  • Page 540 IPv6 First Hop Security Command Mode Global Configuration mode User Guidelines Use the ipv6 neighbor binding address-prefix command to add a static prefix to the Neighbor Prefix table. Use the no ipv6 neighbor binding address-prefix vlan vlan-id ipv6-prefix prefix-length command to remove one static entry from the Neighbor Prefix table.
  • Page 541: Ipv6 Neighbor Binding Address-Prefix-Validation

    IPv6 First Hop Security Example 4. The following example deletes all static entries: switchxxxxxx(config)# no ipv6 neighbor binding address-prefix 25.41 ipv6 neighbor binding address-prefix-validation To globally enable validation of a bound IPv6 address against the Neighbor Prefix table, use the ipv6 neighbor binding address-prefix-validation command in Global Configuration mode.
  • Page 542: Ipv6 Neighbor Binding Attach-Policy (Port Mode)

    IPv6 First Hop Security 25.42 ipv6 neighbor binding attach-policy (port mode) To attach a Neighbor Binding policy to a specific port, use the ipv6 neighbor binding attach-policy command in Interface Configuration mode. To return to the default, use the no form of this command. Syntax policy-name vlan-list...
  • Page 543 IPv6 First Hop Security • The rules, configured in the policy attached to the VLAN are added to the set if they have not been added. • The global rules are added to the set if they have not been added. Use the no ipv6 neighbor binding attach-policy command to detach all user-defined policies attached to the port.
  • Page 544: Ipv6 Neighbor Binding Attach-Policy (Vlan Mode)

    IPv6 First Hop Security Example 4—In the following example, the Neighbor Binding policy policy1 is detached from the gi 1 1 port: switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# no ipv6 neighbor binding attach-policy policy1 switchxxxxxx(config-if)# exit 25.43 ipv6 neighbor binding attach-policy (VLAN mode) To attach a Neighbor Binding policy to a specific VLAN, use the ipv6 neighbor binding attach-policy command in VLAN Configuration mode.
  • Page 545: Ipv6 Neighbor Binding Lifetime

    IPv6 First Hop Security Example In the following example, the Neighbor Binding policy policy1 is attached to VLAN 100: switchxxxxxx(config)# interface vlan 100 switchxxxxxx(config-if)# ipv6 neighbor binding attach-policy policy1 switchxxxxxx(config-if)# exit 25.44 ipv6 neighbor binding lifetime To globally change the default of the Neighbor Binding table entry lifetime, use the ipv6 neighbor binding lifetime command in Global Configuration mode.
  • Page 546: Ipv6 Neighbor Binding Logging

    IPv6 First Hop Security 25.45 ipv6 neighbor binding logging To globally enable the logging of Binding table main events, use the ipv6 neighbor binding logging command in Global Configuration mode. To disable this feature, use the no form of this command. Syntax ipv6 neighbor binding logging no ipv6 neighbor binding logging...
  • Page 547: Ipv6 Neighbor Binding Max-Entries

    IPv6 First Hop Security 25.46 ipv6 neighbor binding max-entries To globally specify the maximum number of dynamic entries that are allowed to be inserted in the Binding table cache, use the ipv6 neighbor binding max-entries command in Global Configuration mode. To return to the default, use the no form of this command.
  • Page 548: Ipv6 Neighbor Binding Policy

    IPv6 First Hop Security switchxxxxxx(config)# ipv6 neighbor binding max-entries mac-limit 2 25.47 ipv6 neighbor binding policy To define a Neighbor Binding policy and place the switch in IPv6 Neighbor Binding Policy Configuration mode, use the ipv6 neighbor binding policy command in Global Configuration mode.
  • Page 549 IPv6 First Hop Security The policies cannot be attached by the ipv6 neighbor binding attach-policy (port mode) or ipv6 neighbor binding attach-policy (VLAN mode) commands. The vlan_default policy is attached by default to a VLAN, if no other policy is attached to the VLAN.
  • Page 550: Ipv6 Neighbor Binding Static

    IPv6 First Hop Security logging binding switchxxxxxx(config-nbr-binding)# exit Example 3—The following example removes an attached Neighbor Binding policy: switchxxxxxx(config)# no ipv6 neighbor binding policy policy1 Policy policy1 is applied on the following ports: gi11, gi12 The policy1 will be detached and removed, are you sure [Y/N]Y 25.48 ipv6 neighbor binding static To add a static entry to the Neighbor Binding table, use the ipv6 neighbor binding static command in Global Configuration mode.
  • Page 551: Ipv6 Source Guard

    IPv6 First Hop Security User Guidelines This command is used to add static entries to the Neighbor Binding table. Static entries can be configured regardless of the port role. If the entry (dynamic or static) already exists, the new static entry overrides the existing one.
  • Page 552: Ipv6 Source Guard Attach-Policy (Port Mode)

    IPv6 First Hop Security Examples Example 1—The following example enables IPv6 Source Guard on VLAN 100: switchxxxxxx(config)# interface vlan 100 switchxxxxxx(config-if)# ipv6 source guard switchxxxxxx(config-if)# exit Example 2—The following example enables IPv6 Source Guard on VLANs 100-107: switchxxxxxx(config)# interface range vlan 100-107 switchxxxxxx(config-if-range)# ipv6 source guard switchxxxxxx(config-if-range)#...
  • Page 553 IPv6 First Hop Security User Guidelines Use this command to attach an IPv6 Source Guard policy to a port. Each succeeding ipv6 source guard attach-policy command overrides the previous policy attachment on the same port. IPv6 Source guard policies can be used to block forwarding IPv6 data messages with unknown source IPv6 addresses or with source IPv6 addresses bound to a port differing from the input one.
  • Page 554: Ipv6 Source Guard Policy

    IPv6 First Hop Security 25.51 ipv6 source guard policy To define an IPv6 Source Guard policy name and place the user in IPv6 Source Guard Policy Configuration mode, use the ipv6 source guard policy command in Global Configuration mode. To remove the IPv6 Source Guard policy name, use the no form of this command.
  • Page 555: Logging Binding

    IPv6 First Hop Security The policy cannot be attached by the ipv6 source guard attach-policy (port mode) command. The port_default policy is attached by default to a port, if no other policy is attached to the port. If an attached policy is removed, it is detached automatically before removing. Examples Example 1—The following example defines the IPv6 Source Guard policy named policy1, places the router in IPv6 Source Guard Policy Configuration mode, and...
  • Page 556: Logging Packet Drop

    IPv6 First Hop Security Parameters • enable—Enables logging of Binding table main events. If no keyword is configured, this keyword is applied by default. • disable—Disables logging of Binding table main events. Default Configuration Policy attached to port or port channel: the value configured in the policy attached to the VLAN.
  • Page 557: Managed-Config-Flag

    IPv6 First Hop Security Parameters • enable—Enables logging of dropped packets. If no keyword is configured, this keyword is applied by default. • disable—Disables logging of dropped packets. Default Configuration Policy attached to port or port channel: the value configured in the policy attached to the VLAN.
  • Page 558: Match Ra Address

    IPv6 First Hop Security no managed-config-flag Parameters • on—The value of the flag must be 1. • off—The value of the flag must be 0. • disable—The value of the flag is not validated. Default Configuration Policy attached to port or port channel: the value configured in the policy attached to the VLAN.
  • Page 559 IPv6 First Hop Security Syntax match ra address {prefix-list ipv6-prefix-list-name | disable} no match ra address Parameters • prefix-list ipv6-prefix-list-name —The IPv6 prefix list to be matched. • disable—Disables verification of the router’s IPv6 address. Default Configuration Policy attached to port or port channel: the value configured in the policy attached to the VLAN.
  • Page 560: Match Ra Prefixes

    IPv6 First Hop Security 25.56 match ra prefixes To enable verification of the advertised prefixes in received RA messages within an IPv6 RA Guard policy, use the match ra prefixes command in RA Guard Policy Configuration mode. To return to the default, use the no form of this command. Syntax match ra prefixes {prefix-list ipv6-prefix-list-name...
  • Page 561: Match Reply

    IPv6 First Hop Security switchxxxxxx(config-ra-guard)# match ra prefixes prefix-list list1 switchxxxxxx(config-ra-guard)# exit switchxxxxxx(config)# ipv6 prefix-list list1 deny 2001:0DB8:101::/64 switchxxxxxx(config)# ipv6 prefix-list list1 permit 2001:0DB8:100::/64 25.57 match reply To enable verification of the assigned IPv6 addresses in messages sent by DHCPv6 servers/relays against a configured prefix list within a DHCPv6 Guard policy, use the match reply command in DHCPv6 Guard Policy Configuration mode.
  • Page 562: Match Server Address

    IPv6 First Hop Security • RELAY-REPL Note 1. Assigned addresses are not verified if the value of the Status Code option (if present) differs from the following ones: • Success • UseMulticast Note 2. In RELAY-REPL messages DHCPv6 Guard validates the message encapsulated in the DHCP-relay-message option.
  • Page 563 IPv6 First Hop Security no match server address Parameters • prefix-list ipv6-prefix-list-name —The IPv6 prefix list to be matched. • disable—Disables verification of the DHCP server's and relay’s IPv6 address. Default Configuration Policy attached to port or port channel: the value configured in the policy attached to the VLAN.
  • Page 564: Max-Entries

    IPv6 First Hop Security addresses to the prefix list named list1, and defines the prefix list named list1 authorizing the server with link-local address FE80::A8BB:CCFF:FE01:F700 only: switchxxxxxx(config)# ipv6 dhcp guard policy policy1 switchxxxxxx(config-dhcp-guard)# match server address prefix-list list1 switchxxxxxx(config-dhcp-guard)# exit switchxxxxxx(config)# ipv6 prefix-list list1 permit FE80::A8BB:CCFF:FE01:F700/128 25.59 max-entries...
  • Page 565: Other-Config-Flag

    IPv6 First Hop Security Command Mode Neighbor Binding Policy Configuration mode. User Guidelines If this command is part of a policy attached to a VLAN, it is applied to all the ports in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the value in the policy attached to the VLAN.
  • Page 566: Preference

    IPv6 First Hop Security Parameters • on—The value of the flag must be 1. • off—The value of the flag must be 0. • disable—The value of the flag is not validated. Default Configuration Policy attached to port or port channel: the value configured in the policy attached to the VLAN.
  • Page 567 IPv6 First Hop Security Syntax preference {[maximum {value | disable}] [minimum {value | disable}]} no preference [maximum] [minimum] Parameters • maximum value —Advertised preference value is lower than or equal to that set by the value argument. Range 0-255. A value of the high boundary must be equal to or greater than a value of the low boundary.
  • Page 568: Router-Preference

    IPv6 First Hop Security switchxxxxxx(config-dhcp-guard)# preference minimum 10 switchxxxxxx(config-dhcp-guard)# exit 25.62 router-preference To enable verification of advertised Default Router Preference value in RA messages within an IPv6 RA Guard policy, use the router-preference command in RA Guard Policy Configuration mode. To return to the default, use the no form of this command.
  • Page 569: Sec-Level Minimum

    IPv6 First Hop Security User Guidelines Use this command to change the global configuration specified by the ipv6 nd raguard router-preference command on the port on which this policy applies. Use the disable keyword to disable verification in both the global and the VLAN configuration.
  • Page 570: Show Ipv6 Dhcp Guard

    IPv6 First Hop Security Command Mode ND inspection Policy Configuration mode User Guidelines If this command is part of a policy attached to a VLAN, it is applied to all the ports in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value overrides the value in the policy attached to the VLAN.
  • Page 571: Show Ipv6 Dhcp Guard Policy

    IPv6 First Hop Security Example The following example shows the output of the show ipv6 dhcp guard command: switchxxxxxx# show ipv6 dhcp guard IPv6 DHCP Guard is enabled on VLANs:1-4,6,7,100-120 Default Preference minimum: 10 maximum: 100 25.65 show ipv6 dhcp guard policy To display DHCPv6 guard policies on all ports configured with the DHCPv6 guard feature, use the show ipv6 dhcp guard policy command in privileged EXEC mode.
  • Page 572 IPv6 First Hop Security DHCPv6 Guard Policy: policy1 device-role: server preference minimum: 1 maximum: 200 server address prefix list: list1 reply prefix list name: list10 Attached to VLANs: 1-100,111-4094 Attached to ports: Ports VLANs gi11-2 1-58,68-4094 gi13-4 1-4094 Po1-4 1-4094 Example 2—The following example displays the attached policies: switchxxxxxx# show ipv6 dhcp guard policy active...
  • Page 573: Show Ipv6 First Hop Security

    IPv6 First Hop Security switchxxxxxx# show ipv6 dhcp guard policy policy1 policy2 25.66 show ipv6 first hop security To display all IPv6 First Hop Security global configuration, use the show ipv6 first hop security command in Privileged EXEC mode. Syntax show ipv6 first hop security Parameters...
  • Page 574: Show Ipv6 First Hop Security Active Policies

    IPv6 First Hop Security 25.67 show ipv6 first hop security active policies To display information about the policies applied to the port and to the VLAN, use the show ipv6 first hop security active policies command in privileged EXEC mode. Syntax interface-id vlan-id...
  • Page 575 IPv6 First Hop Security IPv6 First Hop Security Policy: logging packet drop: enabled (from global configuration) DHCPv6 Guard Policy: device-role: server (from policy1 attached to the port) reply prefix list name: list10 (from policy2 attached to the VLAN) server address prefix list name: list22 (from policy2 attached to the VLAN) preference minimum: 1 (from policy2 attached to the VLAN) maximum: 200 (from policy2 attached to the VLAN)
  • Page 576: Show Ipv6 First Hop Security Attached Policies

    IPv6 First Hop Security other-flag: disabled (default) router-preference: minimum: medium (from policy2 attached to the VLAN) maximum: medium (from policy2 attached to the VLAN) IPv6 Source Guard Policy: trusted port: enabled (from policy1 attached to the port) 25.68 show ipv6 first hop security attached policies To display information about the policies attached to the port and to the VLAN, use the show ipv6 first hop security attached policies command in privileged EXEC...
  • Page 577: Show Ipv6 First Hop Security Counters

    IPv6 First Hop Security Attached to VLAN 100 RA Guard Policy: policy1 Neighbor Bind Policy: policy2 Attached to port gi11 and VLAN 100 IPv6 First Hop Security Policy: FHSpolicy ND Inspection Policy: policy1 RA Guard Policy: policy3 Neighbor Bind Policy: policy3 IPv6 Source Guard Policy: policy4 25.69 show ipv6 first hop security counters To display information about the packets counted by the port counter, use the...
  • Page 578 IPv6 First Hop Security Received messages on gi11: Protocol Protocol message RA[63] RS[0] NA[13] NS[0] REDIR[0] DHCPv6 ADV[0] REP[20] REC[0] REL-REP[0] LEAS-REP[10] RLS[0] DEC[0] Dropped messages on gi11: Protocol Protocol message RA[2] RS[0] NA[0] NS[0] REDIR[0] DHCPv6 ADV[1] REP[2] REC[0] REL-REP[1] LEAS-REP[0] RLS[0] DEC[0] Dropped reasons on gi11: Feature Number Reason...
  • Page 579: Show Ipv6 First Hop Security Error Counters

    IPv6 First Hop Security 25.70 show ipv6 first hop security error counters To display global error counters, use the show ipv6 first hop security error counters command in privileged EXEC mode. Syntax show ipv6 first hop security error counters Parameters Command Mode Privileged EXEC mode User Guidelines...
  • Page 580 IPv6 First Hop Security Parameters • policy-name —Displays the IPv6 First Hop policy with the given name. • active—Displays the attached IPv6 First Hop Security policies. Command Mode Privileged EXEC mode User Guidelines This command displays the options configured for the policy on all ports configured with the IPv6 First Hop...
  • Page 581: Show Ipv6 Nd Inspection

    IPv6 First Hop Security Attached to ports: Policy Name Ports VLANs policy1 gi11-2 1-100 port-default gi11-2 101-4094 gi13-4 1-1094 Example 3—The following example displays the user defined policies: switchxxxxxx# show ipv6 first hop security policy policy1 policy2 25.72 show ipv6 nd inspection To display ND Inspection global configuration, use the show ipv6 nd inspection command in Privileged EXEC mode.
  • Page 582: Show Ipv6 Nd Inspection Policy

    IPv6 First Hop Security Example The following example shows the output of the show ipv6 nd snooping command: switchxxxxxx# show ipv6 nd snooping IPv6 ND Inspection is enabled on VLANs:1-4,6,7,100-120 unsecure drop: enabled sec-level minimum value: 2 source mac validation: disabled 25.73 show ipv6 nd inspection policy To display an IPv6 ND Inspection policy on all ports configured with the ND Inspection feature, use the show ipv6 nd inspection policy command in privileged...
  • Page 583: Show Ipv6 Nd Raguard

    IPv6 First Hop Security Attached to VLANs: 1-100,111-4094 Attached to ports: Ports VLANs gi11-2 1-58,68-4094 gi13-4 1-4094 1-4094 Example 2—The following example displays the attached policies: switchxxxxxx# show ipv6 nd inspection policy active Attached to VLANs: Policy Name VLANs vlan-default 1-4094 Attached to ports: Policy Name...
  • Page 584: Show Ipv6 Nd Raguard Policy

    IPv6 First Hop Security Syntax show ipv6 nd raguard Parameters Command Mode Privileged EXEC mode Example The following example shows the output of the show ipv6 nd raguard command: switchxxxxxx# show ipv6 nd raguard IPv6 RA Guard is enabled on VLANs:1-4,6,7,100-120 "Managed address configuration"...
  • Page 585 IPv6 First Hop Security Parameters • policy-name —Displays the RA guard policy with the given name. • active—Displays the attached user defined RA guard policies. Command Mode Privileged EXEC mode User Guidelines This command displays the options configured for the policy on all ports configured with the RA guard feature.
  • Page 586: Show Ipv6 Neighbor Binding

    IPv6 First Hop Security vlan-default 1-4094 Attached to ports: Policy Name Ports VLANs port-default gi11-4 1-4094 Example 3—The following example displays the user defined policies: switchxxxxxx# show ipv6 nd raguard policy policy1 policy2 25.76 show ipv6 neighbor binding To display Neighbor Binding global configuration, use the show ipv6 neighbor binding command in Privileged EXEC mode.
  • Page 587: Show Ipv6 Neighbor Binding Policy

    IPv6 First Hop Security Neighbor Binding Integrity is enabled on VLANs:1-4,6-7,100-120 Binding logging: disabled Binding lifetime: 56 minutes Address Configuration method: dhcp Binding address prefix validation: disabled Maximum entries VLAN: unlimited Port: 1 MAC: 1 25.77 show ipv6 neighbor binding policy To display Neighbor Binding policies, use the show ipv6 neighbor binding policy command in Privileged EXEC mode.
  • Page 588 IPv6 First Hop Security Neighbor Binding Policy: policy1 address configuration method: dhcp binding address prefix validation: disabled device-role: perimiter binding logging: disabled max-entries VLAN: unlimited Port: 10 MAC: 2 Attached to VLANs: 1-100,111-4094 Attached to ports: Ports VLANs gi11-2 1-58,68-4094 gi13-4 1-4094 Po1-4...
  • Page 589: Show Ipv6 Neighbor Binding Prefix Table

    IPv6 First Hop Security Example 3—The following example displays the user defined policies: switchxxxxxx# show ipv6 neighbor binding policy policy1 policy2 25.78 show ipv6 neighbor binding prefix table To display contents of the Neighbor Prefix table, use the show ipv6 neighbor binding prefix table command in Privilege EXEC configuration mode.
  • Page 590: Show Ipv6 Neighbor Binding Table

    IPv6 First Hop Security 1027 2002:1::/64 dynamic 25.79 show ipv6 neighbor binding table To display contents of the Binding table, use the show ipv6 neighbor binding table command in Privilege EXEC configuration mode. Syntax show ipv6 neighbor binding table [vlan vlan-id ] [interface interface-id...
  • Page 591 IPv6 First Hop Security VLAN IPv6 address Inter MAC address Origin State Expir TCAM Time Ovrfl ----- ----------- ------- -------------- ------ ----- ------ ----- 2001:300::1 gi11 AABB.CC01.F500 VALID 2001:600::1 gi11 AABB.CC01.F501 TENT AABB.CC01.F100 2001:100::2 gi12 VALID AABB.CC01.F160 2001:200::3 gi12 VALID Field Descriptions: •...
  • Page 592: Show Ipv6 Source Guard

    IPv6 First Hop Security 25.80 show ipv6 source guard To display IPv6 Source Guard global configuration, use the show ipv6 source guard command in Privilege EXEC configuration mode. Syntax show ipv6 source guard Parameters Command Mode Privileged EXEC mode User Guidelines This displays IPv6 Source Guard global configuration.
  • Page 593 IPv6 First Hop Security Command Mode Privileged EXEC mode User Guidelines This command displays all configured IPv6 Source Guard policies, the given one or all attached IPv6 Source Guard policies. Examples Example 1—The following example displays the policy configuration for a policy named policy1: switchxxxxxx# show ipv6 source guard policy policy1...
  • Page 594: Trusted-Port (Ipv6 Source Guard)

    IPv6 First Hop Security Example 3—The following example displays the user defined policies: switchxxxxxx# show ipv6 source guard policy policy1 policy2 25.82 trusted-port (IPv6 Source Guard) To configure a port as trusted port within an IPv6 Source Guard policy, use the trusted-port command in IPv6 Source Guard Policy Configuration mode.
  • Page 595: Validate Source-Mac

    IPv6 First Hop Security switchxxxxxx(config-ipv6-srcguard)# exit 25.83 validate source-mac To enable checking the MAC addresses against the link-layer address within an IPv6 ND Inspection policy, use the validate source-mac command in ND Inspection Policy Configuration mode. To return to the default, use the no form of this command.
  • Page 596 IPv6 First Hop Security switchxxxxxx(config-nd-inspection)# validate source-mac switchxxxxxx(config-nd-inspection)# exit OL-32830-01 Command Line Interface Reference Guide...
  • Page 597: Ipv6 Prefix List Commands

    IPv6 Prefix List Commands 26.0 26.1 clear ipv6 prefix-list Use the clear ipv6 prefix-list command in privileged EXEC mode to reset the hit count of the IPv6 prefix list entries. Syntax prefix-list-name ipv6-prefix prefix-length clear ipv6 prefix-list [ Parameters • prefix-list-name —The name of the prefix list from which the hit count is to be cleared.
  • Page 598: Ipv6 Prefix-List

    IPv6 Prefix List Commands Example The following example clears the hit count from the prefix list entries for the prefix list named first_list that match the network mask 2001:0DB8::/35: switchxxxxxx# clear ipv6 prefix-list first_list 2001:0DB8::/35 26.2 ipv6 prefix-list Use the ipv6 prefix-list command in Global Configuration mode to create an entry in an IPv6 prefix list.
  • Page 599 IPv6 Prefix List Commands • ge-value —Specifies a prefix length greater than or equal to the prefix-length argument. It is the lowest value of a range of the length (the “from” portion of the length range). • le-value —Specifies a prefix length greater than or equal to the prefix-length argument.
  • Page 600 IPv6 Prefix List Commands prefix length greater than, or equal to, a value is specified using the ge keyword. The ge and le keywords can be used to specify the range of the prefix length to be matched in more detail than the usual ipv6-prefix prefix-length argument.
  • Page 601 IPv6 Prefix List Commands • L - prefix length • ge - is defined • le - is not defined The prefix cP/cL matches the prefix-list entry if PrefixIsEqual(cP,P,L) && cL >= ge Case 3. An prefix-list entry is: • P - prefix address •...
  • Page 602: Show Ipv6 Prefix-List

    IPv6 Prefix List Commands switchxxxxxx(config)# ipv6 prefix-list abc permit 5F00::/48 le 64 Example 4. The following example denies prefix lengths greater than 64 bits in routes that have the prefix 2001:0DB8::/64: switchxxxxxx(config)# ipv6 prefix-list abc permit 2001:0DB8::/64 le 128 Example 5. The following example permits mask lengths from 32 to 64 bits in all address space: switchxxxxxx(config)# ipv6 prefix-list abc permit ::/0 ge 32 le 64...
  • Page 603 IPv6 Prefix List Commands list-name seq-num show ipv6 prefix-list Parameters • detail | summary—Displays detailed or summarized information about all IPv6 prefix lists. • list-name —Name of a specific IPv6 prefix list. • ipv6-prefix —All prefix list entries for the specified IPv6 network. This argument must be in the form documented in RFC 4293 where the address is specified in hexadecimal using 16-bit values between colons.
  • Page 604 IPv6 Prefix List Commands count: 1, range entries: 0 seq 5 permit 2002::/16 (hit count: 313) ipv6 prefix-list aggregate: count: 3, range entries: 2 seq 5 deny 3FFE:C00::/24 ge 25 (hit count: 568) seq 10 description The Default Action seq 15 permit ::/0 le 48 (hit count: 31310) ipv6 prefix-list bgp-in: count: 6, range entries: 3 seq 5 deny 5F00::/8 le 128 (hit count: 0)
  • Page 605 IPv6 Prefix List Commands count: 2, range entries: 2 ipv6 prefix-list bgp-in: count: 6, range entries: 3 Example 3. The following example shows the output of the show ipv6 prefix-list command with the seq keyword: switchxxxxxx# show ipv6 prefix-list bgp-in seq 15 seq 15 deny ::/1 (hit count: 0)
  • Page 606: Ipv6 Commands

    IPv6 Commands 27.0 27.1 clear ipv6 neighbors Use the clear ipv6 neighbors command in privileged EXEC mode to delete all entries in the IPv6 neighbor discovery cache, except static entries. Syntax clear ipv6 neighbors Parameters Command Mode Privileged EXEC mode User Guidelines Example The following example deletes all entries, except static entries, in the neighbor...
  • Page 607 IPv6 Commands Syntax ipv6 address ipv6-address prefix-length no ipv6 address [ipv6-address prefix-length] Parameters • ipv6-address —Specifies the global unicast IPv6 address assigned to the interface. This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16-bit values between colons.
  • Page 608: Ipv6 Address Autoconfig

    IPv6 Commands 27.3 ipv6 address autoconfig Use the ipv6 address autoconfig command in Interface Configuration mode to enable automatic configuration of IPv6 addresses using stateless auto configuration on an interface and enable IPv6 processing on the interface. Addresses are configured depending on the prefixes received in Router Advertisement messages.
  • Page 609: Ipv6 Address Eui-64

    IPv6 Commands Example The following example assigns the IPv6 address automatically: switchxxxxxx(config)# interface vlan 100 switchxxxxxx(config-if)# ipv6 address autoconfig switchxxxxxx(config-if)# exit 27.4 ipv6 address eui-64 Use the ipv6 address eui-64 command in Interface Configuration mode to configure a global unicast IPv6 address for an interface and enable IPv6 processing on the interface using an EUI-64 interface ID in the low order 64 bits of the address.
  • Page 610: Ipv6 Address Link-Local

    IPv6 Commands User Guidelines If the value specified for the prefix-length argument is greater than 64 bits, the prefix bits have precedence over the interface ID. If the switch detects another host using one of its IPv6 addresses, it adds the IPv6 address and displays an error message on the console.
  • Page 611: Ipv6 Default-Gateway

    IPv6 Commands Command Mode Interface Configuration mode User Guidelines The switch automatically generates a link local address for an interface when IPv6 processing is enabled on the interface, typically when an IPv6 address is configured on the interface. To manually specify a link local address to be used by an interface, use the ipv6 address link-local command.
  • Page 612: Ipv6 Enable

    IPv6 Commands Default Configuration No default gateway is defined. Command Mode Global Configuration mode User Guidelines The command is an alias of the ipv6 route command with the predefined (default) route: ipv6 route ::/0 ipv6-address interface-id See the definition of the ipv6 route command for details.
  • Page 613: Ipv6 Icmp Error-Interval

    IPv6 Commands Parameters Default Configuration IPv6 addressing is enabled. Command Mode Interface Configuration mode User Guidelines This command automatically configures an IPv6 link-local Unicast address on the interface while also enabling the interface for IPv6 processing. The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.
  • Page 614 IPv6 Commands Parameters • milliseconds —Time interval between tokens being placed in the bucket. Each token represents a single ICMP error message. The acceptable range is from 0 to 2147483647. A value of 0 disables ICMP rate limiting. • bucketsize —Maximum number of tokens stored in the bucket.
  • Page 615: Ipv6 Link-Local Default Zone

    IPv6 Commands 27.9 ipv6 link-local default zone Use the ipv6 link-local default zone command to configure an interface to egress a link local packet without a specified interface or with the default zone 0. Use the no form of this command to return the default link local interface to the default value.
  • Page 616 IPv6 Commands Syntax ipv6 nd dad attempts value no ipv6 nd dad attempts Parameters • value —The number of neighbor solicitation messages. The acceptable range is from 0 to 600. Configuring a value of 0 disables duplicate address detection processing on the specified interface; a value of 1 configures a single transmission without follow-up transmissions.
  • Page 617 IPv6 Commands assigned to the interface are set to a pending state. Duplicate address detection is automatically restarted on an interface when the interface returns to being administratively up. An interface returning to administratively up restarts duplicate address detection for all of the Unicast IPv6 addresses on the interface. While duplicate address detection is performed on the link-local address of an interface, the state for the other IPv6 addresses is still set to TENTATIVE.
  • Page 618: Ipv6 Neighbor

    IPv6 Commands switchxxxxxx(config-if)# exit 27.11 ipv6 neighbor Use the ipv6 neighbor command in Global Configuration mode to configure a static entry in the IPv6 neighbor discovery cache. To remove a static IPv6 entry from the IPv6 neighbor discovery cache, use the no form of this command. Syntax ipv6-address interface-id mac-address ipv6 neighbor...
  • Page 619 IPv6 Commands If an entry for the specified IPv6 address already exists in the neighbor discovery cache, learned through the IPv6 neighbor discovery process, the entry is automatically converted to a static entry. Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.
  • Page 620: Ipv6 Unreachables

    IPv6 Commands Example 3. The following example deletes all static entries in the IPv6 neighbor discovery cache on VLAN 1: switchxxxxxx(config)# no ipv6 neighbor vlan1 Example 4. The following example deletes all static entries in the IPv6 neighbor discovery cache on all interfaces: switchxxxxxx(config)# no ipv6 neighbor 27.12 ipv6 unreachables...
  • Page 621: Show Ipv6 Interface

    IPv6 Commands If the switch receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP host unreachable message. Example The following example disables the generation of ICMPv6 unreachable messages, as appropriate, on an interface:...
  • Page 622 IPv6 Commands User Guidelines Use this command to validate the IPv6 status of an interface and its configured addresses. This command also displays the parameters that IPv6 uses for operation on this interface and any configured features. If the interface’s hardware is usable, the interface is marked up. If you specify an optional interface identifier, the command displays information only about that specific interface.
  • Page 623 IPv6 Commands • vlan 1 is up/up—Indicates the interface status: administrative/operational. • IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in sample output)—Indicates that IPv6 is enabled, stalled, or disabled on the interface. If IPv6 is enabled, the interface is marked Enabled. If duplicate address detection processing identified the link-local address of the interface as being a duplicate address, the processing of IPv6 packets is disabled on the interface and the interface is marked Stalled.
  • Page 624 IPv6 Commands 2000:0DB8::2/64 Manual 2000:1DB8::2011/64 Manual Joined group address(es): FF02::1 FF02::2 FF02::1:FF11:6770 MTU is 1500 bytes ICMP error messages limited interval is 100ms; Bucket size is 10 tokens ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds MLD Version is 2 Tunnel mode is manual Tunnel Local IPv4 address : 10.10.10.1(auto)
  • Page 625 IPv6 Commands • ND DAD—The state of duplicate address detection on the interface (enabled or disabled). • number of DAD attempts:—Number of consecutive neighbor solicitation messages that are sent on the interface while duplicate address detection is performed. • ND reachable time—Displays the neighbor discovery reachable time (in milliseconds) assigned to this interface.
  • Page 626 IPv6 Commands FF02::1:FF11:6770 is 1500 bytes ICMP error messages limited interval is 100ms; Bucket size is 10 tokens ND DAD is disabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds MLD Version is 2 Tunnel mode is ISATAP Tunnel Local IPv4 address : 10.10.10.1(VLAN 1) ISATAP Router DNS name is isatap Field Descriptions:...
  • Page 627 IPv6 Commands • MTU—Maximum transmission unit of the interface. • ICMP error messages—Specifies the minimum interval (in milliseconds) between error messages sent on this interface. • number of DAD attempts:—Number of consecutive neighbor solicitation messages that are sent on the interface while duplicate address detection is performed.
  • Page 628: Show Ipv6 Link-Local Default Zone

    IPv6 Commands vlan 100 up/up enabled FE80::0DB8:12AB:FA01 vlan 1000 up/up stalled FE80::0DB8:12AB:FA01 27.14 show ipv6 link-local default zone Use the show ipv6 link-local default zone command in user EXEC or privileged EXEC mode to display the IPv6 link local default zone. Syntax show ipv6 link-local default zone Command Mode...
  • Page 629 IPv6 Commands Parameters • interface-id —Specifies the identifier of the interface from which IPv6 neighbor information is to be displayed. • ipv6-address —Specifies the IPv6 address of the neighbor. This argument must be in the form documented in RFC4293 where the address is specified in hexadecimal using 16-bit values between colons.
  • Page 630: Show Ipv6 Route

    IPv6 Commands IPv6 Address Age Link-layer Addr State Interface Router 2000:0:0:4::2 0003.a0d6.141e REACH VLAN1 Field Descriptions: • Total number of entries—Number of entries (peers) in the cache. • IPv6 Address—IPv6 address of neighbor or interface. • Age—Time (in minutes) since the address was confirmed to be reachable. A hyphen (-) indicates a static entry.
  • Page 631 IPv6 Commands • protocol—Displays routes for the specified routing protocol using any of these keywords: bgp, isis, ospf, or rip; or displays routes for the specified type of route using any of these keywords: connected, static, nd, or icmp. • interface-id interface —Identifier of an interface.
  • Page 632: Show Ipv6 Route Summary

    IPv6 Commands ND> 2001::/64 [0/0] via :: VLAN 100 ND> 2002:1:1:1::/64 [0/0] via :: VLAN 100 ND> 3001::/64 [0/0] via :: VLAN 101 ND> 4004::/64 [0/0] via :: VLAN 110 27.17 show ipv6 route summary Use the show ipv6 route summary command in User EXEC or Privileged EXEC mode to display the current contents of the IPv6 routing table in summary format.
  • Page 633: Link Aggregation Control Protocol (Lacp) Commands

    Link Aggregation Control Protocol (LACP) Commands 28.1 lacp port-priority To set the physical port priority, use the lacp port-priority Interface (Ethernet) Configuration mode command. To restore the default configuration, use the no form of this command. Syntax lacp port-priority value no lacp port-priority Parameters value—Specifies the port priority.
  • Page 634: Lacp System-Priority

    Link Aggregation Control Protocol (LACP) Commands 28.2 lacp system-priority To set the system priority, use the lacp system-priority Global Configuration mode command. To restore the default configuration, use the no form of this command. Syntax lacp system-priority value no lacp system-priority Parameters value—Specifies the system priority value.
  • Page 635: Show Lacp

    Link Aggregation Control Protocol (LACP) Commands • short—Specifies the short timeout value. Default Configuration The default port timeout value is Long. Command Mode Interface (Ethernet) Configuration mode Example The following example assigns a long administrative LACP timeout to gi 1 6: switchxxxxxx(config)# interface gi16 switchxxxxxx(config-if)#...
  • Page 636 Link Aggregation Control Protocol (LACP) Commands Example The following example displays LACP information for switchxxxxxx# show lacp ethernet Port 1 LACP parameters: Actor system priority: system mac addr: 00:00:12:34:56:78 port Admin key: port Oper key: port Oper number: port Admin priority: port Oper priority: port Admin timeout: LONG...
  • Page 637: Show Lacp Port-Channel

    Link Aggregation Control Protocol (LACP) Commands Port 1 LACP Statistics: LACP PDUs sent: LACP PDUs received: Port 1 LACP Protocol State: LACP State Machines: Receive FSM: Port Disabled State Mux FSM: Detached State Control Variables: BEGIN: FALSE LACP_Enabled: TRUE Ready_N: FALSE Selected: UNSELECTED...
  • Page 638 Link Aggregation Control Protocol (LACP) Commands Example The following example displays LACP information about port-channel 1. switchxxxxxx# show lacp port-channel 1 Port-Channel 1:Port Type 1000 Ethernet Actor System Priority: 000285:0E1C00 MAC Address: Admin Key: Oper Key: Partner System Priority: 00:00:00:00:00:00 MAC Address: Oper Key:
  • Page 639: Line Commands

    Line Commands 29.1 autobaud To configure the line for automatic baud rate detection (autobaud), use the autobaud command in Line Configuration mode. Use the no form of this command to disable automatic baud rate detection. Syntax autobaud no autobaud Parameters This command has no arguments or keywords.
  • Page 640: Exec-Timeout

    Line Commands 29.2 exec-timeout To set the session idle time interval, during which the system waits for user input before automatic logoff, use the exec-timeout Line Configuration mode command. To restore the default configuration, use the no form of this command. Syntax minutes seconds...
  • Page 641: Speed

    Line Commands Parameters • console—Enters the terminal line mode. • telnet—Configures the device as a virtual terminal for remote access (Telnet). • ssh—Configures the device as a virtual terminal for secured remote access (SSH). Command Mode Global Configuration mode Example The following example configures the device as a virtual terminal for remote (Telnet) access.
  • Page 642: Show Line

    Line Commands Command Mode Line Configuration Mode User Guidelines The configured speed is only applied when autobaud is disabled. This configuration applies to the current session only. Example The following example configures the line baud rate as 9600 bits per second. switchxxxxxx(config-line)# speed 9600 29.5 show line...
  • Page 643 Line Commands Console configuration: Interactive timeout: Disabled History: 10 Baudrate: 9600 Databits: 8 Parity: none Stopbits: 1 Telnet configuration: Telnet is enabled. Interactive timeout: 10 minutes 10 seconds History: 10 SSH configuration: SSH is enabled. Interactive timeout: 10 minutes 10 seconds History: 10
  • Page 644: Link Layer Discovery Protocol (Lldp) Commands

    Link Layer Discovery Protocol (LLDP) Commands 30.0 30.1 clear lldp table To clear the neighbors table for all ports or for a specific port, use the clear lldp table command in Privileged EXEC mode. Syntax clear lldp table [interface-id] Parameters interface-id—(Optional) Specifies a port ID.
  • Page 645: Lldp Hold-Multiplier

    Link Layer Discovery Protocol (LLDP) Commands Syntax lldp chassis-id {mac-address | host-name} no lldp chassis-id Parameters • mac-address—Specifies the chassis ID to use the device MAC address. • host-name—Specifies the chassis ID to use the device configured host name. Default Configuration MAC address.
  • Page 646: Lldp Lldpdu

    Link Layer Discovery Protocol (LLDP) Commands Parameters number hold-multiplier —Specifies the LLDP packet hold time interval as a multiple of the LLDP timer value (range: 2-10). Default Configuration The default LLDP hold multiplier is 4. Command Mode Global Configuration mode User Guidelines The actual Time-To-Live (TTL) value of LLDP frames is calculated by the following formula:...
  • Page 647 Link Layer Discovery Protocol (LLDP) Commands Parameters • filtering—Specifies that when LLDP is globally disabled, LLDP packets are filtered (deleted). • flooding—Specifies that when LLDP is globally disabled, LLDP packets are flooded (forwarded to all interfaces). Default Configuration LLDP packets are filtered when LLDP is globally disabled. Command Mode Global Configuration mode User Guidelines...
  • Page 648: Lldp Management-Address

    Link Layer Discovery Protocol (LLDP) Commands 30.5 lldp management-address To specify the management address advertised by an interface, use the lldp management-address Interface (Ethernet) Configuration mode command. To stop advertising management address information, use the no form of this command. Syntax lldp management-address {ip-address | none | automatic [interface-id]}...
  • Page 649: Lldp Med

    Link Layer Discovery Protocol (LLDP) Commands User Guidelines Each port can advertise one IP address. Example The following example sets the LLDP management address advertisement mode to automatic on gi 1 2. switchxxxxxx(config)# interface gi12 switchxxxxxx(config-if)# lldp management-address automatic 30.6 lldp med To enable or disable LLDP Media Endpoint Discovery (MED) on a port, use the lldp med Interface (Ethernet) Configuration mode command.
  • Page 650: Lldp Med Notifications Topology-Change

    Link Layer Discovery Protocol (LLDP) Commands Example The following example enables LLDP MED with the location TLV on gi 1 3. switchxxxxxx(config)# interface gi13 switchxxxxxx(config-if)# lldp med enable location 30.7 lldp med notifications topology-change To enable sending LLDP MED topology change notifications on a port, use the lldp med notifications topology-change Interface (Ethernet) Configuration mode command.
  • Page 651: Lldp Med Fast-Start Repeat-Count

    Link Layer Discovery Protocol (LLDP) Commands 30.8 lldp med fast-start repeat-count When a port comes up, LLDP can send packets more quickly than usual using its fast-start mechanism. To configure the number of packets that is sent during the activation of the fast start mechanism, use the lldp med fast-start repeat-count Global Configuration mode command.
  • Page 652: Lldp Med Network-Policy (Global)

    Link Layer Discovery Protocol (LLDP) Commands Parameters • data coordinate —Specifies the location data as coordinates in hexadecimal format. • data civic-address —Specifies the location data as a civic address in hexadecimal format. • data ecs-elin —Specifies the location data as an Emergency Call Service Emergency Location Identification Number (ECS ELIN) in hexadecimal format.
  • Page 653 Link Layer Discovery Protocol (LLDP) Commands To remove LLDP MED network policy, use the no form of this command. Syntax lldp med network-policy number application [vlan vlan-id] [vlan-type {tagged | untagged}] [up priority] [dscp value] no lldp med network-policy number Parameters •...
  • Page 654: Lldp Med Network-Policy (Interface)

    Link Layer Discovery Protocol (LLDP) Commands User Guidelines Use the lldp med network-policy Interface Configuration command to attach a network policy to a port. Up to 32 network policies can be defined. Example This example creates a network policy for the voice-signal application and attaches it to port 1.
  • Page 655: Lldp Med Network-Policy Voice Auto

    Link Layer Discovery Protocol (LLDP) Commands Command Mode Interface (Ethernet) Configuration mode User Guidelines For each port, only one network policy per application (voice, voice-signaling, etc.) can be defined. Example This example creates a network policy for the voice-signaling application and attaches it to port 1.
  • Page 656: Lldp Notifications

    Link Layer Discovery Protocol (LLDP) Commands Parameters This command has no arguments or keywords. Default Configuration None Command Mode Global Configuration mode User Guidelines In Auto mode, the Voice VLAN feature determines on which interfaces to advertise the network policy TLV with application type voice, and controls the parameters of that TLV.
  • Page 657: Lldp Notifications Interval

    Link Layer Discovery Protocol (LLDP) Commands Default Configuration Disabled. Command Mode Interface (Ethernet) Configuration mode Example The following example enables sending LLDP notifications on gi 1 1. switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# lldp notifications enable 30.14 lldp notifications interval To configure the maximum transmission rate of LLDP notifications, use the lldp notifications interval Global Configuration mode command.
  • Page 658: Lldp Optional-Tlv

    Link Layer Discovery Protocol (LLDP) Commands 30.15 lldp optional-tlv To specify which optional TLVs are transmitted, use the lldp optional-tlv Interface (Ethernet) Configuration mode command. To restore the default configuration, use the no form of this command. Syntax tlv2 tlv5 none lldp optional-tlv …...
  • Page 659: Lldp Optional-Tlv 802.1

    Link Layer Discovery Protocol (LLDP) Commands 30.16 lldp optional-tlv 802.1 To specify whether to transmit the 802.1 TLV, use the lldp optional-tlv 802.1 Interface (Ethernet) Configuration mode command. To revert to the default setting, use the no form of this command. Syntax lldp optional-tlv 802.1 pvid {enable | disable}...
  • Page 660: Lldp Run

    Link Layer Discovery Protocol (LLDP) Commands Command Mode Interface (Ethernet) Configuration mode Example switchxxxxxx(config)# lldp optional-tlv 802.1 protocol add stp 30.17 lldp run To enable LLDP, use the lldp run Global Configuration mode command. To disable LLDP, use the no form of this command. Syntax lldp run no lldp run...
  • Page 661: Lldp Reinit

    Link Layer Discovery Protocol (LLDP) Commands Syntax lldp receive no lldp receive Parameters This command has no arguments or keywords. Default Configuration Enabled Command Mode Interface (Ethernet) Configuration mode User Guidelines LLDP manages LAG ports individually. LLDP data received through LAG ports is stored individually per port.
  • Page 662: Lldp Timer

    Link Layer Discovery Protocol (LLDP) Commands Parameters seconds —Specifies the minimum time in seconds an LLDP port waits before reinitializing LLDP transmission. (Range: 1–10) Default Configuration 2 seconds Command Mode Global Configuration mode Example switchxxxxxx(config)# lldp reinit 4 30.20 lldp timer To specify how often the software sends LLDP updates, use the lldp timer Global Configuration mode command.
  • Page 663: Lldp Transmit

    Link Layer Discovery Protocol (LLDP) Commands Example The following example sets the interval for sending LLDP updates to 60 seconds. switchxxxxxx(config)# lldp timer 60 30.21 lldp transmit To enable transmitting LLDP on an interface, use the lldp transmit Interface (Ethernet) Configuration mode command. Use the no form of this command to stop transmitting LLDP on an interface.
  • Page 664: Lldp Tx-Delay

    Link Layer Discovery Protocol (LLDP) Commands switchxxxxxx(config-if)# lldp transmit 30.22 lldp tx-delay To set the delay between successive LLDP frame transmissions initiated by value/status changes in the LLDP local systems MIB, use the lldp tx-delay Global Configuration mode command. To restore the default configuration, use the no form of this command.
  • Page 665: Show Lldp Configuration

    Link Layer Discovery Protocol (LLDP) Commands 30.23 show lldp configuration To display the LLDP configuration for all ports or for a specific port, use the show lldp configuration Privileged EXEC mode command. Syntax show lldp configuration [interface-id | detailed] Parameters •...
  • Page 666 Link Layer Discovery Protocol (LLDP) Commands gi12 PD, SN 172.16.1.1 Disabled gi13 RX,TX PD, SN, SD, SC None Disabled gi14 RX,TX SN, SD, SC automatic Disabled Example 2 - Display LLDP configuration for port 1. switchxxxxxx# show lldp configuration gi11 State: Enabled Timer: 30 Seconds Hold multiplier: 4...
  • Page 667: Show Lldp Local

    Link Layer Discovery Protocol (LLDP) Commands Field Description Tx delay The delay between successive LLDP frame transmissions initiated by value/status changes in the LLDP local systems MIB. Port The port number. State The port’s LLDP state. Optional TLVs Optional TLVs that are advertised. Possible values are: PD - Port description SN - System name SD - System description...
  • Page 668 Link Layer Discovery Protocol (LLDP) Commands Example The following examples display LLDP information that is advertised from 1 and switchxxxxxx# show lldp local gi11 Device ID: 0060.704C.73FF Port ID: gi11 Capabilities: Bridge System Name: ts-7800-1 System description: Port description: Management address: 172.16.1.8 802.3 MAC/PHY Configuration/Status Auto-negotiation support: Supported Auto-negotiation status: Enabled...
  • Page 669: Show Lldp Local Tlvs-Overloading

    Link Layer Discovery Protocol (LLDP) Commands 802.1 Protocol: 88 8E 01 LLDP-MED capabilities: Network Policy, Location Identification LLDP-MED Device type: Network Connectivity LLDP-MED Network policy Application type: Voice Flags: Tagged VLAN VLAN ID: 2 Layer 2 priority: 0 DSCP: 0 LLDP-MED Power over Ethernet Device Type: Power Sourcing Entity Power source: Primary Power Source...
  • Page 670: Show Lldp Med Configuration

    Link Layer Discovery Protocol (LLDP) Commands Syntax show lldp local tlvs-overloading [interface-id] Parameters interface-id—(Optional) Specifies a port ID. Default Configuration If no port ID is entered, the command displays information for all ports. Command Mode User EXEC mode User Guidelines The command calculates the overloading status of the current LLDP configuration, and not for the last LLDP packet that was sent.
  • Page 671 Link Layer Discovery Protocol (LLDP) Commands Syntax show lldp med configuration [interface-id | detailed] Parameters • interface-id—(Optional) Specifies the port ID. • detailed—(Optional) Displays information for non-present ports in addition to present ports. Default Configuration If no port ID is entered, the command displays information for all ports. If detailed is not used, only present ports are displayed.
  • Page 672: Show Lldp Neighbors

    Link Layer Discovery Protocol (LLDP) Commands gi13 Enabled Example 2 - The following example displays the LLDP MED configuration for switchxxxxxx# show lldp med configuration gi11 Port Capabilities Network Policy Location Notifications Inventory ------- -------------- ---------------- --------- ---------- -------- gi11 Enabled Network policies: Location:...
  • Page 673 Link Layer Discovery Protocol (LLDP) Commands Examples Example 1 - The following example displays information about neighboring devices discovered using LLDP on all ports on which LLDP is enabled and who are Location information, if it exists, is also displayed. switchxxxxxx# show lldp neighbors System capability legend:...
  • Page 674 Link Layer Discovery Protocol (LLDP) Commands Auto-negotiation status: Enabled. Auto-negotiation Advertised Capabilities: 100BASE-TX full duplex, 1000BASE-T full duplex. Operational MAU type: 1000BaseTFD 802.3 Power via MDI MDI Power support Port Class: PD PSE MDI Power Support: Not Supported PSE MDI Power State: Not Enabled PSE power pair control ability: Not supported.
  • Page 675 Link Layer Discovery Protocol (LLDP) Commands Layer 2 priority: 0 DSCP: 0 LLDP-MED Power over Ethernet Device Type: Power Device Power source: Primary power Power priority: High Power value: 9.6 Watts Hardware revision: 2.1 Firmware revision: 2.3 Software revision: 2.7.1 Serial number: LM759846587 Manufacturer name: VP Model name: TR12...
  • Page 676 Link Layer Discovery Protocol (LLDP) Commands Field Description Capabilities The capabilities discovered on the neighbor device. Possible values are: B - Bridge R - Router W - WLAN Access Point T - Telephone D - DOCSIS cable device H - Host r - Repeater O - Other System description...
  • Page 677 Link Layer Discovery Protocol (LLDP) Commands Field Description Flags Flags. The possible values are: Unknown policy: Policy is required by the device, but is currently unknown. Tagged VLAN: The specified application type is using a tagged VLAN. Untagged VLAN: The specified application type is using an Untagged VLAN VLAN ID The VLAN identifier for the application...
  • Page 678: Show Lldp Statistics

    Link Layer Discovery Protocol (LLDP) Commands 30.28 show lldp statistics To display LLDP statistics on all ports or a specific port, use the show lldp statistics EXEC mode command. Syntax show lldp statistics [interface-id | detailed] Parameters • interface-id—(Optional) Specifies the port ID. •...
  • Page 679 Link Layer Discovery Protocol (LLDP) Commands gi14 The following table describes significant LLDP fields shown in the display: Field Description Port The port number. Device ID The neighbor device’s configured ID (name) or MAC address. Port ID The neighbor device’s port ID. System name The neighbor device’s administratively assigned name.
  • Page 680 Link Layer Discovery Protocol (LLDP) Commands Field Description Device type The device type. Indicates whether the sender is a Network Connectivity Device or Endpoint Device, and if an Endpoint, to which Endpoint Class it belongs. LLDP MED - Network Policy Application type The primary function of the application defined for this network policy.
  • Page 681: Loopback Detection Commands

    Loopback Detection Commands 31.1 loopback-detection enable (Global) To enable the Loopback Detection (LBD) feature globally, use the loopback-detection enable Global Configuration mode command. To disable the Loopback Detection feature, use the no form of this command. Syntax loopback-detection enable no loopback-detection enable Parameters This command has no arguments or keywords.
  • Page 682: Loopback-Detection Enable (Interface)

    Loopback Detection Commands 31.2 loopback-detection enable (Interface) To enable the Loopback Detection (LBD) feature on an interface, use the loopback-detection enable Interface (Ethernet, Port Channel) Configuration mode command. To disable the Loopback Detection feature on the interface, use the no form of this command.
  • Page 683: Show Loopback-Detection

    Loopback Detection Commands Syntax loopback-detection interval seconds no loopback-detection interval Parameters seconds—Specifies the time interval in seconds between LBD packets. (Range: 10–60 seconds) Default Configuration The default time interval between LBD packets is seconds. Command Mode Global Configuration mode Example The following example sets the time interval between LBD packets to 45 seconds.
  • Page 684 Loopback Detection Commands Command Mode Privileged EXEC mode User Guidelines An operational status of Active indicates that the following conditions are met: • Loopback detection is globally enabled. • Loopback detection is enabled on the interface. • The operational state of the interface is up. •...
  • Page 685: Macro Commands

    Macro Commands 32.1 macro name Use the macro name Global Configuration mode command to define a macro. There are two types of macros that can be defined: • Global macros define a group of CLI commands that can be run at any time. •...
  • Page 686 Macro Commands Macros may contain keywords (parameters). The following describes these keywords: • A macro can contain up to three keywords. • All matching occurrences of the keyword are replaced by the corresponding value specified in the macro command. • Keyword matching is case-sensitive •...
  • Page 687 Macro Commands help string will be displayed if help on the macro is requested from the macro and macro global commands. The GUI also uses the keywords specified in the command as the parameter names for the macro. See Example 2 and 3 below for a description of how this command is used in the CLI.
  • Page 688: Macro

    Macro Commands Example 2 - The following example shows how to create a macro with the parameters DUPLEX and SPEED. When the macro is run, the values of DUPLEX and SPEED must be provided by the user. The #macro keywords command enables the user to receive help for the macro as shown in Example 3.
  • Page 689 Macro Commands • Apply a macro to the interface while displaying the actions being performed Syntax macro {apply | trace} macro-name parameter-name1 value parameter-name2 value parameter-name3 value Parameters • apply—Apply a macro to the specific interface. • trace—Apply and trace a macro to the specific interface. •...
  • Page 690 Macro Commands if it is part of a large string, is considered a match and replaced by the corresponding value. When you apply a macro to an interface, the switch automatically generates a macro description command with the macro name. As a result, the macro name is appended to the macro history of the interface.
  • Page 691: Macro Description

    Macro Commands 32.3 macro description Use the macro description Interface Configuration mode command to append a description, for example, a macro name, to the macro history of an interface. Use the no form of this command to clear the macro history of an interface. When the macro is applied to an interface, the switch automatically generates a macro description command with the macro name.
  • Page 692: Macro Global

    Macro Commands switchxxxxxx(config-if)# macro description dup switchxxxxxx(config-if)# macro description duplex switchxxxxxx(config-if)# switchxxxxxx(config)# exit switchxxxxxx# show parser macro description Global Macro(s): Interface Macro Description(s) ------------ -------------------------------------------------- gi12 gi13 duplex | dup | duplex -------------------------------------------------------------- switchxxxxxx# configure switchxxxxxx(config)# interface gi12 switchxxxxxx(config-if)# no macro description switchxxxxxx(config-if)# switchxxxxxx(config)# exit...
  • Page 693 Macro Commands Parameters • apply—Apply a macro to the switch. • trace—Apply and trace a macro to the switch. • macro-name —Specify the name of the macro. • parameter-name value —Specify the parameter values required for the switch. You can enter up to three parameter-value pairs. Parameter keyword matching is case sensitive.
  • Page 694: Macro Global Description

    Macro Commands switchxxxxxx(config)# macro name console-timeout Enter macro commands one per line. End with the character ‘@’. line console exec-timeout $timeout-interval switchxxxxxx(config)# macro global trace console-timeout $timeout-interval 100 Applying command… ‘line console’ Applying command… ‘exec-timeout 100’ 32.5 macro global description Use the macro global description Global Configuration command to enter a description which is used to indicate which macros have been applied to the switch.
  • Page 695: Show Parser Macro

    Macro Commands Examples switchxxxxxx(config)# macro global description "set console timeout interval" 32.6 show parser macro Use the show parser macro User EXEC mode command to display the parameters for all configured macros or for one macro on the switch. Syntax show parser macro [{brief | description [interface interface-id | detailed]...
  • Page 696 Macro Commands Total number of macros = 6 -------------------------------------------------------------- Macro name : company-global Macro type : default global # Enable dynamic port error recovery for link state # failures -------------------------------------------------------------- Macro name : company-desktop Macro type : default interface # macro keywords $AVID # Basic interface - Enable data VLAN only # Recommended value for access vlan (AVID) should not be 1 switchport access vlan $AVID...
  • Page 697: Interface Command

    Macro Commands default interface: company-desktop default interface: company-phone default interface: company-switch default interface: company-router customizable : snmp Example 4 - This is an example of output from the show parser macro description command. switchxxxxxx# show parser macro description Global Macro(s): company-global Example 5 - This is an example of output from the show parser macro description interface command.
  • Page 698: Management Acl Commands

    Management ACL Commands 33.1 deny (Management) To set deny rules (ACEs) for the management access list (ACL), use the deny Management Access-list Configuration mode command. Syntax deny [interface-id] [service service] deny ip-source {ipv4-address | ipv6-address/ipv6-prefix-length} [mask {mask | prefix-length}] [interface-id] [service service] Parameters •...
  • Page 699: Permit (Management)

    Management ACL Commands Command Mode Management Access-list Configuration mode User Guidelines Rules with ethernet, VLAN, and port-channel parameters are valid only if an IP address is defined on the appropriate interface. Example The following example denies all ports in the ACL called mlist. switchxxxxxx(config)# management access-list mlist switchxxxxxx(config-macl)#...
  • Page 700: Management Access-List

    Management ACL Commands • mask prefix-length — Specifies the number of bits that comprise the source IPv4 address prefix. The prefix length must be preceded by a forward slash (/). This parameter is relevant only to IPv4 addresses. (Range: 0–32) Default Configuration No rules are configured.
  • Page 701 Management ACL Commands Command Mode Global Configuration mode User Guidelines Use this command to configure a management access list. This command enters the Management Access-list Configuration mode, where the denied or permitted access conditions are defined with the deny and permit commands. If no match criteria are defined, the default value is deny.
  • Page 702: Management Access-Class

    Management ACL Commands switchxxxxxx(config-macl)# permit switchxxxxxx(config-macl)# exit switchxxxxxx(config)# management access-class mlist 33.4 management access-class To restrict management connections by defining the active management access list (ACL), use the management access-class Global Configuration mode command. To disable management connection restrictions, use the no form of this command.
  • Page 703: Show Management Access-List

    Management ACL Commands 33.5 show management access-list To display management access lists (ACLs), use the show management access-list Privileged EXEC mode command. Syntax show management access-list [name] Parameters name—(Optional) Specifies the name of a management access list to be displayed.
  • Page 704 Management ACL Commands Syntax show management access-class Parameters This command has no arguments or keywords. Command Mode Privileged EXEC mode Example The following example displays the active management ACL information. switchxxxxxx# show management access-class Management access-class is enabled, using access list mlist OL-32830-01 Command Line Interface Reference Guide...
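  Putting the management ACL commands above together, as an added example that is not from the guide: a list that allows only SSH and HTTPS from an assumed administrative subnet (10.10.0.0/24), denies everything else, and is then made active with management access-class. The list name admin-acl, the subnet and the service keywords are assumptions for this example.

```cisco
! Added example, not from the Cisco guide. List name, subnet and services are assumed.
switchxxxxxx(config)# management access-list admin-acl
! Permit the encrypted management protocols, and only from the admin subnet.
switchxxxxxx(config-macl)# permit ip-source 10.10.0.0 mask /24 service ssh
switchxxxxxx(config-macl)# permit ip-source 10.10.0.0 mask /24 service https
! Explicit catch-all deny: any management connection not matched above
! (other sources, telnet, http, snmp) is refused.
switchxxxxxx(config-macl)# deny
switchxxxxxx(config-macl)# exit
! Activate the list; from now on management connections must match it.
switchxxxxxx(config)# management access-class admin-acl
switchxxxxxx(config)# exit
! Verify which list is active.
switchxxxxxx# show management access-class
```

  Check that the address and protocol you are connected from match a permit rule before binding the list, otherwise the session that applied it is cut off along with everyone else.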
  • Page 705: Mld Snooping Commands

    MLD Snooping Commands 34.1 ipv6 mld snooping (Global) To enable IPv6 Multicast Listener Discovery (MLD) snooping, use the ipv6 mld snooping command in Global Configuration mode. To return to the default, use the no form of this command. Syntax ipv6 mld snooping no ipv6 mld snooping Parameters...
  • Page 706: Ipv6 Mld Snooping Querier

    MLD Snooping Commands Syntax ipv6 mld snooping vlan vlan-id no ipv6 mld snooping vlan vlan-id Parameters • vlan-id —Specifies the VLAN. Default Configuration Disabled Command Mode Global Configuration mode User Guidelines MLD snooping can only be enabled on static VLANs. MLDv1 and MLDv2 are supported.
  • Page 707: Ipv6 Mld Snooping Vlan Querier

    MLD Snooping Commands Parameters Default Configuration Enabled Command Mode Global Configuration mode User Guidelines To run the MLD Snooping querier on a VLAN, you have to enable it both globally and on the VLAN. Example The following example disables the MLD Snooping querier globally: switchxxxxxx(config)# no ipv6 mld snooping querier 34.4 ipv6 mld snooping vlan querier To enable the Internet MLD Snooping querier on a specific VLAN, use the ipv6 mld...
  • Page 708: Ipv6 Mld Snooping Vlan Querier Election

    MLD Snooping Commands Command Mode Global Configuration mode User Guidelines The MLD Snooping querier can be enabled on a VLAN only if MLD Snooping is enabled for that VLAN. Example The following example enables the MLD Snooping querier on VLAN 1: switchxxxxxx(config)# ipv6 mld snooping vlan 1 querier 34.5 ipv6 mld snooping vlan querier election To enable MLD Querier election mechanism of an MLD Snooping querier on a...
  • Page 709: Ipv6 Mld Snooping Vlan Querier Version

    MLD Snooping Commands If the MLD Querier election mechanism is enabled, the MLD Snooping querier supports the standard MLD Querier election mechanism specified in RFC2710 and RFC3810. If the MLD Querier election mechanism is disabled, the MLD Snooping Querier delays sending General Query messages for 60 seconds from the time it was enabled. If during this time the switch does not receive an IGMP query from another Querier, it starts sending General Query messages.
  • Page 710: Ipv6 Mld Snooping Vlan Mrouter

    MLD Snooping Commands Default Configuration MLDv1. Command Mode Global Configuration mode Example The following example sets the version of the MLD Snooping Querier on VLAN 1 to 2: switchxxxxxx(config)# ipv6 mld snooping vlan 1 querier version 2 34.7 ipv6 mld snooping vlan mrouter To enable automatic learning of Multicast router ports, use the ipv6 mld snooping vlan mrouter command in Global Configuration mode.
  • Page 711: Ipv6 Mld Snooping Vlan Mrouter Interface

    MLD Snooping Commands Example switchxxxxxx(config)# ipv6 mld snooping vlan 1 mrouter learn pim-dvmrp 34.8 ipv6 mld snooping vlan mrouter interface To define a port that is connected to a Multicast router port, use the ipv6 mld snooping mrouter interface command in Global Configuration mode. To return to the default, use the no form of this command.
  • Page 712: Ipv6 Mld Snooping Vlan Forbidden Mrouter

    MLD Snooping Commands 34.9 ipv6 mld snooping vlan forbidden mrouter To forbid a port from being defined as a Multicast router port by static configuration or by automatic learning, use the ipv6 mld snooping vlan forbidden mrouter command in Global Configuration mode. To return to the default, use the no form of this command.
  • Page 713: Ipv6 Mld Snooping Vlan Static

    MLD Snooping Commands 34.10 ipv6 mld snooping vlan static To register an IPv6-layer Multicast address in the bridge table, and to statically add ports to the group, use the ipv6 mld snooping vlan static command in Global Configuration mode. To return to the default, use the no form of this command. Syntax vlan-id ipv6-address...
  • Page 714: Ipv6 Mld Snooping Vlan Immediate-Leave

    MLD Snooping Commands 34.11 ipv6 mld snooping vlan immediate-leave To enable MLD Snooping Immediate-Leave processing on a VLAN, use the ipv6 mld snooping vlan immediate-leave command in Global Configuration mode. To return to the default, use the no form of this command. Syntax vlan-id ipv6 mld snooping vlan...
  • Page 715 MLD Snooping Commands Syntax show ipv6 mld snooping groups [vlan vlan-id] [address ipv6-multicast-address] [source ipv6-address] Parameters • vlan vlan-id —(Optional) Specifies the VLAN ID. • address ipv6-multicast-address —(Optional) Specifies the IPv6 multicast address. • source ipv6-address —(Optional) Specifies the IPv6 source address. Command Mode User EXEC mode Default Configuration...
  • Page 716: Show Ipv6 Mld Snooping Interface

    MLD Snooping Commands Example The following example shows the output for show ipv6 mld snooping groups. switchxxxxxx# show ipv6 mld snooping groups VLAN Group Address Source Address Include Ports Exclude Ports Compatibility Mode ---- -------- --------------------- ----------- ---------- ------------- FF12::3 FE80::201:C9FF:FE40:8001 gi11 FF12::3...
  • Page 717: Show Ipv6 Mld Snooping Mrouter

    MLD Snooping Commands Example The following example displays the MLD snooping configuration for VLAN 1000. switchxxxxxx# show ipv6 mld snooping interface 1000 MLD Snooping is globally enabled MLD Snooping Querier is globally enabled VLAN 1000 MLD Snooping is enabled MLD snooping last immediate leave: enable Automatic learning of multicast router ports is enabled MLD Snooping Querier is enabled MLD Snooping Querier operation state: is running...
  • Page 718 MLD Snooping Commands Default Configuration Display information for all VLANs. Command Mode User EXEC mode Example The following example displays information on dynamically learned Multicast router interfaces for VLAN 1000: switchxxxxxx# show ipv6 mld snooping mrouter interface 1000 VLAN Dynamic Static Forbidden ----...
  • Page 719: Phy Diagnostics Commands

    PHY Diagnostics Commands 35.1 test cable-diagnostics tdr To use Time Domain Reflectometry (TDR) technology to diagnose the quality and characteristics of a copper cable attached to a port, use the test cable-diagnostics tdr Privileged EXEC mode command. Syntax test cable-diagnostics tdr interface interface-id Parameters interface-id—(Optional) Specifies an Ethernet port ID.
  • Page 720: Show Cable-Diagnostics Tdr

    PHY Diagnostics Commands Example 2 - Test the copper cables attached to port 2 (a combo port with fiber active). switchxxxxxx# test cable-diagnostics tdr interface gi1 Fiber ports are not supported 35.2 show cable-diagnostics tdr To display information on the last Time Domain Reflectometry (TDR) test performed on all copper ports or on a specific copper port, use the show cable-diagnostics tdr Privileged EXEC mode command.
  • Page 721: Show Cable-Diagnostics Cable-Length

    PHY Diagnostics Commands Test has not been performed Open 13:32:00 23 July 2010 35.3 show cable-diagnostics cable-length To display the estimated copper cable length attached to all ports or to a specific port, use the show cable-diagnostics cable-length Privileged EXEC mode command.
  • Page 722: Show Fiber-Ports Optical-Transceiver

    PHY Diagnostics Commands 35.4 show fiber-ports optical-transceiver To display the optical transceiver diagnostics, use the show fiber-ports optical-transceiver Privileged EXEC mode command. Syntax show fiber-ports optical-transceiver [interface interface-id] Parameters • interface-id—(Optional) Specify an Ethernet port ID. Default Configuration All ports are displayed. If detailed is not used, only present ports are displayed. Command Mode Privileged EXEC mode Examples...
  • Page 723 PHY Diagnostics Commands N/A - Not Available, N/S - Not Supported, W - Warning, E - Error
  • Page 724: Power Over Ethernet (Poe) Commands

    Power over Ethernet (PoE) Commands 36.1 power inline To configure the inline power administrative mode on an interface, use the power inline Interface Configuration mode command. Syntax power inline auto [time-range time-range-name] power inline never Parameters • auto—Turns on the device discovery protocol and applies power to the device.
  • Page 725: Power Inline Inrush Test Disable

    Power over Ethernet (PoE) Commands Example The following example turns on the device discovery protocol on port 4. switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# power inline auto 36.2 power inline inrush test disable To disable the inrush test (a hardware test that checks input surge current for PoE devices), use the power inline inrush test disable Global Configuration mode command.
  • Page 726: Power Inline Legacy Support Disable

    Power over Ethernet (PoE) Commands 36.3 power inline legacy support disable To disable the legacy PDs support, use the power inline legacy support disable Global Configuration mode command. To enable the legacy support, use the no form of this command. Syntax power inline legacy support disable no power inline legacy support disable...
  • Page 727: Power Inline Priority

    Power over Ethernet (PoE) Commands Parameters pd-type—Enters a comment or a description to assist in recognizing the type of the powered device attached to this interface. (Length: 1–24 characters) Default Configuration There is no description. Command Mode Interface (Ethernet) Configuration mode Example The following example adds the description ‘ip phone’...
  • Page 728: Power Inline Usage-Threshold

    Power over Ethernet (PoE) Commands Command Mode Interface (Ethernet) Configuration mode Example The following example sets the inline power management priority of port 4 to High. switchxxxxxx(config)# interface gi1 switchxxxxxx(config-if)# power inline priority high 36.6 power inline usage-threshold To configure the threshold for initiating inline power usage alarms, use the power inline usage-threshold Global Configuration mode command.
  • Page 729: Power Inline Traps Enable

    Power over Ethernet (PoE) Commands 36.7 power inline traps enable To enable inline power traps, use the power inline traps enable Global Configuration mode command. To disable traps, use the no form of this command. Syntax power inline traps enable no power inline traps enable Default Configuration Inline power traps are disabled.
  • Page 730: Power Inline Limit-Mode

    Power over Ethernet (PoE) Commands Default Configuration The default value is the maximum power allowed in the specific working mode: 15.4W in case of AF port and 30W in case of AT port Command Mode Interface (Ethernet) Configuration mode User Guidelines The operational power limit is the minimum of the configured power limit value and the maximum power capability on port.
  • Page 731: Show Power Inline

    Power over Ethernet (PoE) Commands Command Mode Global Configuration mode User Guidelines Changing the PoE limit mode of the system will turn the power OFF and ON for all PoE ports. Example The following example sets the power limit to class. switchxxxxxx(config)# power inline limit-mode class "Changing the PoE limit mode of the system will turn the power OFF and ON for all...
  • Page 732 Power over Ethernet (PoE) Commands Examples Example 1—The following example displays information about the inline power for all ports (port power based). switchxxxxxx(config)# show power inline Power Limit Mode: Usage threshold: 95% Traps: Enable Inrush Test: Enable Unit Power Nominal Consumed Legacy Power...
  • Page 733 Power over Ethernet (PoE) Commands Denied Counter: 0 Absent Counter: 0 Invalid Signature Counter: 0 The following table describes the fields shown in the display: Field Description Power Inline power sourcing equipment operational status. Nominal Power Inline power sourcing equipment nominal power in Watts.
  • Page 734: Show Power Inline Consumption

    Power over Ethernet (PoE) Commands Following is a list of port status values: Port is off – Underload disconnect detected Port is off – Overload detected Port is off – Short detected Port is off - Invalid PD resistor signature detected Port is on - Valid PD resistor signature detected Port is off - Power was denied Port is on - Valid capacitor signature detected...
  • Page 735 Power over Ethernet (PoE) Commands Example The following example displays information about the inline power consumption. switchxxxxxx# show power inline consumption Port Power Limit(W) Power (W) Voltage(V) Current(mA) ---- ------------- ---------- --------- ------------ gi11 15.4 4.115 50.8 gi12 15.4 4.157 50.7 gi13 15.4...
  • Page 736: Port Channel Commands

    Port Channel Commands 37.1 channel-group To associate a port with a port-channel, use the channel-group Interface (Ethernet) Configuration mode command. To remove a port from a port-channel, use the no form of this command. Syntax channel-group port-channel mode {on | auto} no channel-group Parameters...
  • Page 737: Port-Channel Load-Balance

    Port Channel Commands Example The following example forces port 1 to join port-channel 1 without an LACP operation. switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# channel-group 1 mode on 37.2 port-channel load-balance To configure the load balancing policy of the port channeling, use the port-channel load-balance Global Configuration mode command.
  • Page 738: Show Interfaces Port-Channel

    Port Channel Commands 37.3 show interfaces port-channel To display port-channel information for all port channels or for a specific port channel, use the show interfaces port-channel Privileged EXEC mode command. Syntax show interfaces port-channel [interface-id] Parameters interface-id—(Optional) Specify an interface ID. The interface ID must be a port channel.
  • Page 739: Port Monitor Commands

    Port Monitor Commands 38.1 port monitor Use the port monitor Interface Configuration (Ethernet) mode command to start a port monitoring session (mirroring). Use the no form of this command to stop a port monitoring session. Syntax port monitor src-interface-id [rx | tx] no port monitor src-interface-id...
  • Page 740 Port Monitor Commands User Guidelines This command copies traffic from a source port (src-interface) to a destination port (the port in context). The analyzer port for ingress traffic mirroring must be the same port for all mirrored ports. The analyzer port for egress traffic mirroring must be the same port for all mirrored ports.
  • Page 741: Show Ports Monitor

    Port Monitor Commands 2. Mirrored traffic is subject to the STP state, i.e. if the port is in STP blocking, it will not egress any mirrored traffic. Example The following example copies traffic in both directions (Tx and Rx) from the source port gi12 to the destination port gi11.
  • Page 742: Quality Of Service (Qos) Commands

    Quality of Service (QoS) Commands 39.1 qos Use the qos Global Configuration mode command to enable QoS on the device and set its mode. Use the no form of this command to disable QoS on the device. Syntax qos [basic | {advanced [ports-not-trusted | ports-trusted]}] no qos Parameters •...
  • Page 743: Qos Advanced-Mode Trust

    Quality of Service (QoS) Commands Examples Example 1—The following example disables QoS on the device. switchxxxxxx(config)# Example 2—The following example enables QoS advanced mode on the device with the ports-not-trusted option. switchxxxxxx(config)# qos advanced 39.2 qos advanced-mode trust Use the qos advanced-mode trust Global Configuration mode command to configure the trust mode in advanced mode.
  • Page 744: Show Qos

    Quality of Service (QoS) Commands User Guidelines The configuration is relevant for advanced mode in the following cases: • ports-not-trusted mode: For packets that are classified to the QoS action trust. • ports-trusted mode: For packets that are not classified to any QoS action, or that are classified to the QoS action trust.
  • Page 745: Class-Map

    Quality of Service (QoS) Commands Qos: Disabled switchxxxxxx(config)# show qos Qos: Basic mode Basic trust: dscp switchxxxxxx(config)# show qos Qos: Advanced mode Advanced mode trust type: cos Advanced mode ports state: Trusted 39.4 class-map Use the class-map Global Configuration mode command to create or modify a class map and enter the Class-map Configuration mode (only possible when QoS is in the advanced mode).
  • Page 746: Show Class-Map

    Quality of Service (QoS) Commands User Guidelines The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally-named service policy applied on a per-interface basis. A class map consists of one or more ACLs. It defines a traffic flow by determining which packets match some or all of the criteria specified in the ACLs.
  • Page 747: Match

    Quality of Service (QoS) Commands Syntax show class-map [class-map-name] Parameters class-map-name—Specifies the name of the class map to be displayed. Command Mode Privileged EXEC mode Example The following example displays the class map for Class1. switchxxxxxx(config)# show class-map Class Map matchAny class1 Match access-group mac 39.6 match Use the match Class-map Configuration mode command.
  • Page 748: Policy-Map

    Quality of Service (QoS) Commands Command Mode Class-map Configuration mode. Example The following example defines a class map called Class1. Class1 contains an ACL called enterprise. Only traffic matching all criteria in enterprise belongs to the class map. switchxxxxxx(config)# class-map class1 enterprise switchxxxxxx(config-cmap)#...
  • Page 749: Class

    Quality of Service (QoS) Commands A policy map contains one or more class maps and an action that is taken if the packet matches the class map. Policy maps may be bound to ports/port-channels. Entering the policy-map Global Configuration mode command also enables configuring or modifying the class policies for that policy map.
  • Page 750: Show Policy-Map

    Quality of Service (QoS) Commands Default Configuration No class map is defined for the policy map. Command Mode Policy-map Configuration mode. User Guidelines This command is only available when QoS is in advanced mode. This is the same as creating a class map and then binding it to the policy map. You can specify an existing class map in this command, or you can use the access-group parameter to create a new class map.
  • Page 751: Trust

    Quality of Service (QoS) Commands Default Configuration All policy-maps are displayed. Command Mode Privileged EXEC mode Example The following example displays all policy maps. switchxxxxxx(config)# show policy-map Policy Map policy1 class class1 set IP dscp 7 Policy Map policy2 class class 2 police 96000 4800 exceed-action drop 39.10 trust Use the trust Policy-map Class Configuration mode command.
  • Page 752 Quality of Service (QoS) Commands Command Mode Policy-map Class Configuration mode. User Guidelines This command is relevant only when QoS is in advanced, ports-not-trusted mode. Trust indicates that traffic is sent to the queue according to the packet’s QoS parameters (UP or DSCP). Use this command to distinguish the QoS trust behavior for certain traffic from others.
  • Page 753: Set

    Quality of Service (QoS) Commands 39.11 set Use the set Policy-map Class Configuration mode command to select the value that QoS uses as the DSCP value or the egress queue, or to set user priority values. Syntax set {dscp new-dscp | queue queue-id | cos new-cos} no set...
  • Page 754: Police

    switchxxxxxx(config-cmap)# match access-group ip1 switchxxxxxx(config-cmap)# exit switchxxxxxx(config)# policy-map p1 switchxxxxxx(config-pmap)# class c1 switchxxxxxx(config-pmap-c)# set dscp 39.12 police Use the police Policy-map Class Configuration mode command to define the policer for classified traffic. This defines another group of actions for the policy map (per class map).
  • Page 755: Service-Policy

    User Guidelines: This command is used after the policy-map class commands. This command is only available when QoS is in advanced mode. Policing uses a token bucket algorithm. This command does not work in Layer 3 mode. Examples: Example 1.
  • Page 756: Qos Aggregate-Policer

    • permit-any—Forward all the packets (which were ingress of the port) that do not meet the rules in a policy. Command Mode: Interface (Ethernet, Port Channel) Configuration mode. Default: Policy map is not bound. User Guidelines: This command is only available in QoS advanced mode.
  • Page 757 Parameters: • aggregate-policer-name—Specifies the aggregate policer name. • committed-rate-kbps—Specifies the average traffic rate (CIR) in kbits per second (bps). (Range: 100–10000000) • committed-burst-byte—Specifies the normal burst size (CBS) in bytes. (Range: 3000–19173960) • exceed-action—Specifies the action taken when the committed rate is exceeded.
  • Page 758: Show Qos Aggregate-Policer

    Policing uses a token bucket algorithm. CIR represents the speed with which the token is added to the bucket. CBS represents the depth of the bucket. This command does not work in Layer 3 mode. Examples: Example 1.
  • Page 759: Police Aggregate

    aggregate-policer policer1 96000 4800 exceed-action drop not used by any policy map 39.16 police aggregate Use the police aggregate Policy-map Class Configuration mode command to apply an aggregate policer to multiple class maps within the same policy map. Use the no form of this command to remove an existing aggregate policer from a policy map.
  • Page 760: Wrr-Queue Cos-Map

    switchxxxxxx(config-pmap)# class class1 switchxxxxxx(config-pmap-c)# police aggregate policer1 switchxxxxxx(config-pmap-c)# exit switchxxxxxx(config-pmap)# exit switchxxxxxx(config)# policy-map policy2 switchxxxxxx(config-pmap)# class class2 switchxxxxxx(config-pmap-c)# police aggregate policer1 39.17 wrr-queue cos-map Use the wrr-queue cos-map Global Configuration mode command to map Class of Service (CoS) values to a specific egress queue.
  • Page 761: Wrr-Queue Bandwidth

    CoS value 6 is mapped to queue 8. CoS value 7 is mapped to queue 7. The default CoS value mapping to 4 queues is as follows: CoS value 0 is mapped to queue 1. CoS value 1 is mapped to queue 1.
  • Page 762 no wrr-queue bandwidth Parameters: weight1 weight2 ...—Weights the ratio of bandwidth assigned by the WRR packet scheduler to the packet queues. See explanation in the User Guidelines. Separate each value by a space. (Range for each weight: 0–255) Default Configuration: WRR is disabled by default.
  • Page 763: Priority-Queue Out Num-Of-Queues

    39.19 priority-queue out num-of-queues Use the priority-queue out num-of-queues Global Configuration mode command to configure the number of expedite queues. Use the no form of this command to restore the default configuration. Syntax: priority-queue out num-of-queues number-of-queues no priority-queue out num-of-queues Parameters: •...
  • Page 764: Traffic-Shape

    Example: The following example configures the number of expedite queues as 2. switchxxxxxx(config)# priority-queue out num-of-queues 2 39.20 traffic-shape Use the traffic-shape Interface (Ethernet) Configuration mode command to configure the egress port shaper. Use the no form of this command to disable the shaper.
  • Page 765: Traffic-Shape Queue

    switchxxxxxx(config-if)# traffic-shape 64 4096 39.21 traffic-shape queue Use the traffic-shape queue Interface (Ethernet) Configuration mode command to configure the egress queue shaper. Use the no form of this command to disable the shaper. Syntax: traffic-shape queue queue-id committed-rate committed-burst no traffic-shape queue queue-id...
  • Page 766: Rate-Limit (Ethernet)

    Example: The following example sets a shaper on queue 1 on gi11 when the average traffic rate exceeds 124000 kbps or the normal burst size exceeds 9600 bytes. switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# traffic-shape queue 1 64 4096 39.22 rate-limit (Ethernet) Use the rate-limit Interface (Ethernet) Configuration mode command to limit the...
  • Page 767: Rate-Limit (Vlan)

    Example: The following example limits the incoming traffic rate on gi11 to 150,000 kbps. switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# rate-limit 150000 39.23 rate-limit (VLAN) Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the incoming traffic rate for a VLAN.
  • Page 768: Qos Wrr-Queue Wrtd

    that is rate limited, the packet is counted only in the traffic policing of the policy map. This command does not work in Layer 3 mode and it does not work in conjunction with IP Source Guard. Example: The following example limits the rate on VLAN 11 to 150000 kbps or the normal burst size to 9600 bytes.
  • Page 769: Show Qos Wrr-Queue Wrtd

    This setting will take effect only after copying running configuration to startup configuration and resetting the device switchxxxxxx(config)# 39.25 show qos wrr-queue wrtd Use the show qos wrr-queue wrtd Privileged EXEC mode command to display the Weighted Random Tail Drop (WRTD) configuration.
  • Page 770 Parameters: • buffers—Displays the buffer settings for the interface's queues. For GE ports, displays the queue depth for each of the queues. • queueing—Displays the queue's strategy (WRR or EF), the weight for WRR queues, the CoS to queue map and the EF priority. •...
  • Page 771 Default CoS: 0 Trust mode: disabled Policy applied: AV1 Default ACE action: deny-all Example 2—The following is an example of the output from the show qos interface queueing command for 4 queues. switchxxxxxx(config)# show qos interface queueing gi11 Ethernet gi10/1 wrr bandwidth weights and EF priority: qid-weights...
  • Page 772 Example 3—The following is an example of the output from the show qos interface buffers command for 8 queues. switchxxxxxx(config)# show qos interface buffers gi11 gi11 Notify Q depth: gi11 buffers gi11 Ethernet thresh0 thresh1 thresh2...
  • Page 773 Example 4—This is an example of the output from the show qos interface shapers command. switchxxxxxx(config)# show qos interface shapers gi11 gi11 Port shaper: enable Committed rate: 192000 bps Committed burst: 9600 bytes Target Target Status Committed Committed...
  • Page 774: Qos Map Policed-Dscp

    Example 5—This is an example of the output from show qos interface policer. switchxxxxxx(config)# show qos interface policer gi11 gi11 Ethernet Class map: A Policer type: aggregate Commited rate: 192000 bps Commited burst: 9600 bytes Exceed-action: policed-dscp-transmit Class map: B Policer type: single...
  • Page 775: Qos Map Dscp-Queue

    Syntax: qos map policed-dscp dscp-list to dscp-mark-down no qos map policed-dscp [dscp-list] Parameters: • dscp-list—Specifies up to 8 DSCP values, separated by spaces. (Range: 0–63) • dscp-mark-down—Specifies the DSCP value to mark down. (Range: 0–63) Default Configuration: The default map is the Null map, which means that each incoming DSCP value is mapped to the same DSCP value.
  • Page 776: Qos Trust (Global)

    Parameters: • dscp-list—Specifies up to 8 DSCP values, separated by spaces. (Range: 0–63) • queue-id—Specifies the queue number to which the DSCP values are mapped. Default Configuration: The default map for 4 queues is as follows. DSCP value 0-15 16-23...
  • Page 777 no qos trust Parameters: • cos—Specifies that ingress packets are classified with packet CoS values. Untagged packets are classified with the default port CoS value. • dscp—Specifies that ingress packets are classified with packet DSCP values.
  • Page 778: Qos Trust (Interface)

    39.30 qos trust (Interface) Use the qos trust Interface (Ethernet, Port Channel) Configuration mode command to enable port trust state while the system is in the basic QoS mode. Use the no form of this command to disable the trust state on each port. Syntax: qos trust no qos trust...
  • Page 779: Qos Dscp-Mutation

    Parameters: default-cos—Specifies the default CoS value (VPT value) of the port. If the port is trusted and the packet is untagged, then the default CoS value becomes the CoS value. (Range: 0–7) Default Configuration: The default CoS value of a port is 0. Command Mode: Interface (Ethernet, Port Channel) Configuration mode. User Guidelines...
  • Page 780: Qos Map Dscp-Mutation

    Default Configuration: Disabled. Command Mode: Global Configuration mode. User Guidelines: Apply the DSCP-to-DSCP-mutation map to a port at the boundary of a Quality of Service (QoS) administrative domain. If two QoS domains have different DSCP definitions, use the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition of another domain.
  • Page 781: Show Qos Map

    • out-dscp—Specifies up to 8 DSCP mapped values, separated by spaces. (Range: 0–63) Default Configuration: The default map is the Null map, which means that each incoming DSCP value is mapped to the same DSCP value. Command Mode: Global Configuration mode. User Guidelines...
  • Page 782 Default Configuration: Display all maps. Command Mode: Privileged EXEC mode. Examples: Example 1. The following example displays the QoS mapping information: switchxxxxxx(config)# show qos map dscp-queue Dscp-queue map: d1 : d2 0 ------------------------------------ 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 03 03 03 03 03 03 03 03...
  • Page 783: Clear Qos Statistics

    39.35 clear qos statistics Use the clear qos statistics Privileged EXEC mode command to clear the QoS statistics counters. Syntax: clear qos statistics Parameters Default Configuration Command Mode...
  • Page 784: Qos Statistics Aggregate-Policer

    qos statistics policer policy-map-name class-map-name no qos statistics policer Parameters: • policy-map-name—Specifies the policy map name. • class-map-name—Specifies the class map name. Default Configuration: Counting in-profile and out-of-profile is disabled. Command Mode: Interface (Ethernet, Port Channel) Configuration mode. Example: The following example enables counting in-profile and out-of-profile on the interface.
  • Page 785: Qos Statistics Queues

    Command Mode: Global Configuration mode. Example: The following example enables counting in-profile and out-of-profile on the interface. switchxxxxxx(config)# qos statistics aggregate-policer policer1 39.38 qos statistics queues Use the qos statistics queues Global Configuration mode command to enable QoS statistics for output queues.
  • Page 786: Show Qos Statistics

    User Guidelines: There are no user guidelines for this command. If the queue parameter is all, traffic in cascading ports is also counted. Example: The following example enables QoS statistics for output queues for counter set 1. switchxxxxxx(config)# qos statistics queues all all all...
  • Page 787 Example: The following example displays Quality of Service statistical information. switchxxxxxx(config)# show qos statistics Policers --------- Interface Policy map Class Map In-profile bytes Out-of-profile bytes -------- ---------- ------- ------------- -------------------- Policy1 Class1 7564575 5433 Policy1 Class2 8759 Policy1...
  • Page 788: Radius Commands

    RADIUS Commands 40.1 radius-server host Use the radius-server host Global Configuration mode command to configure a RADIUS server host. Use the no form of the command to delete the specified RADIUS server host. Syntax: radius-server host {ip-address | hostname} [auth-port auth-port-number] [acct-port acct-port-number] [timeout...
  • Page 789 • deadtime deadtime—Specifies the length of time in minutes during which a RADIUS server is skipped over by transaction requests. (Range: 0–2000) • key-string—Specifies the authentication and encryption key for all RADIUS communications between the device and the RADIUS server. This key must match the encryption used on the RADIUS daemon.
  • Page 790: Radius-Server Key

    Example: The following example specifies a RADIUS server host with IP address 192.168.10.1, authentication request port number 20, and a 20-second timeout period. switchxxxxxx(config)# radius-server host 192.168.10.1 auth-port 20 timeout 20 40.2 radius-server key Use the radius-server key Global Configuration mode command to set the authentication key for RADIUS communications between the device and the RADIUS daemon.
  • Page 791: Radius-Server Retransmit

    Example: The following example defines the authentication key for all RADIUS communications between the device and the RADIUS daemon. switchxxxxxx(config)# radius-server key enterprise-server 40.3 radius-server retransmit Use the radius-server retransmit Global Configuration mode command to specify the number of times the software searches the list of RADIUS server hosts. Use the no form of this command to restore the default configuration.
  • Page 792: Radius-Server Host Source-Interface

    40.4 radius-server host source-interface Use the radius-server host source-interface Global Configuration mode command to specify the source interface whose IPv4 address will be used as the source IPv4 address for communication with IPv4 RADIUS servers. Use the no form of this command to restore the default configuration.
  • Page 793: Radius-Server Host Source-Interface-Ipv6

    40.5 radius-server host source-interface-ipv6 Use the radius-server host source-interface-ipv6 Global Configuration mode command to specify the source interface whose IPv6 address will be used as the source IPv6 address for communication with IPv6 RADIUS servers. Use the no form of this command to restore the default configuration.
  • Page 794: Radius-Server Timeout

    40.6 radius-server timeout Use the radius-server timeout Global Configuration mode command to set how long the device waits for a server host to reply. Use the no form of this command to restore the default configuration. Syntax: radius-server timeout timeout-seconds no radius-server timeout Parameters...
  • Page 795: Show Radius-Servers

    no radius-server deadtime Parameters: • deadtime—Specifies the time interval in minutes during which a RADIUS server is skipped over by transaction requests. (Range: 0–2000) Default Configuration: The default deadtime interval is 0. Command Mode: Global Configuration mode. Example: The following example sets all RADIUS server deadtimes to 10 minutes.
  • Page 796: Show Radius-Servers Key

    172.16.1.1 1812 1813 Global Global 1 172.16.1.2 1812 1813 Global 2 Global values -------------- TimeOut: 3 Retransmit: 3 Deadtime: 0 Source IPv4 interface: vlan 120 Source IPv6 interface: vlan 10 40.9 show radius-servers key Use the show radius-servers key Privileged EXEC mode command to display the RADIUS server key settings.
  • Page 797: Remote Network Monitoring (Rmon) Commands

    Remote Network Monitoring (RMON) Commands 41.1 rmon alarm To configure alarm conditions, use the rmon alarm Global Configuration mode command. To remove an alarm, use the no form of this command. Syntax: rmon alarm index mib-object-id interval rising-threshold falling-threshold rising-event falling-event [type {absolute | delta}] [startup {rising | rising-falling | falling}] [owner name] no rmon alarm index...
  • Page 798 • type {absolute | delta}—(Optional) Specifies the method used for sampling the selected variable and calculating the value to be compared against the thresholds. The possible values are: absolute—Specifies that the selected variable value is compared directly with the thresholds at the end of the sampling interval.
  • Page 799: Show Rmon Alarm-Table

    falling threshold value 1000000, rising threshold event index 10, falling threshold event index 10, absolute method type and rising-falling alarm. switchxxxxxx(config)# rmon alarm 1000 1.3.6.1.2.1.2.2.1.10.1 360000 1000000 1000000 10 20 41.2 show rmon alarm-table To display a summary of the alarms table, use the show rmon alarm-table Privileged EXEC mode command.
  • Page 800: Show Rmon Alarm

    41.3 show rmon alarm To display alarm configuration, use the show rmon alarm Privileged EXEC mode command. Syntax: show rmon alarm number Parameters: number—Specifies the alarm index. (Range: 1–65535) Command Mode: Privileged EXEC mode. Example: The following example displays RMON 1 alarms.
  • Page 801: Rmon Event

    The following table describes the significant fields shown in the display: Field / Description. Alarm—Alarm index. Monitored variable—OID. Last Sample Value—Value of the statistic during the last sampling period. For example, if the sample type is delta, this value is the difference between the samples at the beginning and end of the period.
  • Page 802 Syntax: rmon event index {none | log | trap | log-trap} [community text] [description text] [owner name] no rmon event index Parameters: • index—Specifies the event index. (Range: 1–65535) • none—Specifies that no notification is generated by the device for this event.
  • Page 803: Show Rmon Events

    switchxxxxxx(config)# rmon event 41.5 show rmon events To display the RMON event table, use the show rmon events Privileged EXEC mode command. Syntax: show rmon events Parameters: This command has no arguments or keywords. Command Mode: Privileged EXEC mode. Example: The following example displays the RMON event table.
  • Page 804: Show Rmon Log

    Field / Description. Owner—The entity that configured this event. Last time generated—The time this entry last generated an event. If this entry has not generated any events, this value is zero. 41.6 show rmon log To display the RMON log table, use the show rmon log Privileged EXEC mode command.
  • Page 805: Rmon Table-Size

    41.7 rmon table-size To configure the maximum size of RMON tables, use the rmon table-size Global Configuration mode command. To return to the default size, use the no form of this command. Syntax: rmon table-size {history entries | log entries} no rmon table-size {history | log}...
  • Page 806: Show Rmon Statistics

    41.8 show rmon statistics To display RMON Ethernet statistics, use the show rmon statistics Privileged EXEC mode command. Syntax: show rmon statistics {interface-id} Parameters: interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel.
  • Page 807 The following table describes the significant fields displayed. Field / Description. Dropped—Total number of events in which packets were dropped by the probe due to lack of resources. Note that this number is not necessarily the number of packets dropped. It is the number of times this condition was detected.
  • Page 808: Rmon Collection Stats

    Field / Description. 65 to 127 Octets—Total number of packets (including bad packets) received that are between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets). 128 to 255 Octets—Total number of packets (including bad packets) received that are between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
  • Page 809: Show Rmon Collection Stats

    Command Mode: Interface Configuration mode. 41.10 show rmon collection stats To display the requested RMON history group statistics, use the show rmon collection stats Privileged EXEC mode command. Syntax: show rmon collection stats [interface-id] Parameters: interface-id—(Optional) Specifies an interface ID.
  • Page 810: Show Rmon History

    Field / Description. Granted Samples—The granted number of samples to be saved. Owner—The entity that configured this entry. 41.11 show rmon history To display RMON Ethernet history statistics, use the show rmon history Privileged EXEC mode command.
  • Page 811 switchxxxxxx# show rmon history errors Sample Set: 1 Owner: Me Interface: gi11 Interval: 1800 Requested samples: 50 Granted samples: 50 Maximum table size: 500 (800 after reset) Time Under Align size Oversize Fragments Jabbers ------------ ------- ----- Jan 18 2005 --------...
  • Page 812 Field / Description. Multicast—Number of good packets received during this sampling interval that were directed to a multicast address. This number does not include packets addressed to the broadcast address. Utilization—Best estimate of the mean physical layer network utilization on this interface during this sampling interval, in hundredths of a percent.
  • Page 813: Router Resources Commands

    Router Resources Commands 42.1 system router resources To configure the system router resources, use the system router resources command in Global Configuration mode. To return to the default, use the no form of this command. Syntax: system router resources [ip-entries max-number] ... no system router resources Parameters: •...
  • Page 814 Data Validation: If the new settings exceed the maximum number of routing entries, the command is rejected and a message is displayed to the user. If the new settings are fewer than the currently in-use routing entries, a confirmation message is displayed to the user (before the save confirmation message).
  • Page 815: Show System Router Resources

    Setting the new configuration of route entries requires saving the running-configuration file to startup-configuration file and rebooting the system, do you want to continue? (Y/N) [N] Y Example 2: The following example defines the supported number of IPv4 and IPv6 routing entries.
  • Page 816 Parameters: This command has no arguments or keywords. Command Mode: User EXEC mode. Example: In the following example, the configured router entries are displayed: switchxxxxxx# show system router resources Each IPv4 Route consumes 1 entry. Each IPv4 Neighbor consumes 1 entry. Each IPv4 Interface consumes 2 entries.
  • Page 817: Rsa And Certificate Commands

    RSA and Certificate Commands Keys and Certificates The device automatically generates default RSA/DSA keys and certificates at the following times: • When the device is booted following a software upgrade. • When the device is booted with an empty configuration. •...
  • Page 818: Crypto Key Generate Dsa

    The following table describes how keys/certificates can be copied from one type of configuration file to another (using the copy command). Table columns: Destination File Type; Copy from Running Config.; Copy from Startup Config.; Copy from Backup Config. File; Copy from Remote/Local File.
  • Page 819 Syntax: crypto key generate dsa Parameters Default Configuration: The application creates a default key automatically. Command Mode: Global Configuration mode. User Guidelines: DSA keys are generated in pairs - one public DSA key and one private DSA key. If the device already has DSA keys, default or user defined, a warning is displayed with a prompt to replace the existing keys with new keys.
  • Page 820: Crypto Key Generate Rsa

    43.2 crypto key generate rsa The crypto key generate rsa Global Configuration mode command generates RSA key pairs. Syntax: crypto key generate rsa Parameters Default Configuration: The application creates a default key automatically. Command Mode: Global Configuration mode. User Guidelines: RSA keys are generated in pairs - one public RSA key and one private RSA key.
  • Page 821 Use the no form of the command to remove the user key and generate a new default in its place. Syntax: crypto key import {dsa | rsa} encrypted crypto key import {dsa | rsa} no crypto key {dsa | rsa} Parameters Default Configuration: DSA and RSA key pairs do not exist.
  • Page 822: Show Crypto Key

    ---- END SSH2 PRIVATE KEY ---- ---- BEGIN SSH2 PUBLIC KEY ---- Comment: RSA Public Key ---- END SSH2 PUBLIC KEY ---- 43.4 show crypto key The show crypto key Privileged EXEC mode command displays the device’s SSH private and public keys for both default and user-defined keys.
  • Page 823: Crypto Certificate Generate

    • rsa—Displays the RSA key. • dsa—Displays the DSA key. Default Configuration Command Mode: Privileged EXEC mode. User Guidelines: See Keys and Certificates for information on how to display and copy this key pair. Example: The following example displays the SSH public DSA keys on the device. switchxxxxxx# show crypto key mypubkey dsa ---- BEGIN SSH2 PUBLIC KEY ----...
  • Page 824 Parameters: • number—Specifies the certificate number. (Range: 1–2) • key-generate length—Regenerates SSL RSA key and specifies the SSL's RSA key length. (Range: 512–2048) The following elements can be associated with the key. When the key is displayed, they are also displayed.
  • Page 825: Crypto Certificate Request

    If both certificates 1 and 2 have been generated, use the ip https certificate command to activate one of them. See Keys and Certificates for information on how to display and copy this key pair. Erasing the startup configuration or returning to factory defaults automatically deletes the default keys and they are recreated during device initialization.
  • Page 826 state—Specifies the state or province name. (Length: 1–64 characters) country—Specifies the country name. (Length: 2 characters) Default Configuration: If cn common-name is not specified, it defaults to the device’s lowest static IPv6 address (when the certificate is generated), or to the device’s lowest static IPv4 address if there is no static IPv6 address, or to 0.0.0.0 if there is no static IP address.
  • Page 827: Crypto Certificate Import

    -----END CERTIFICATE REQUEST----- 43.7 crypto certificate import The crypto certificate import Global Configuration mode command imports a certificate signed by a Certification Authority for HTTPS. In addition, the RSA key-pair can also be imported. Use the no form of the command to delete the user-defined keys and certificate.
  • Page 828 When using the encrypted form of the command, only the private key must be in encrypted format. See Keys and Certificates for information on how to display and copy this key pair. Examples: Example 1 - The following example imports a certificate signed by the Certification Authority for HTTPS.
  • Page 829 switchxxxxxx(config)# crypto certificate import Please paste the input now, add a period (.) on a separate line after the input, and press Enter. -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----...
  • Page 830 SHA1 Finger print: DC789788 DC88A988 127897BC BB789788 Example 3 - Import certificate with encrypted key switchxxxxxx(config)# crypto certificate 1 import encrypted -----BEGIN RSA ENCRYPTED PRIVATE KEY-----...
  • Page 831 RSA and Certificate Commands NTIxMTI1NzE2WjBPMQswCQYDVQQGEwIgIDEKMAgGA1UECBMBIDEKMAgGA1UEBxMB IDEQMA4GA1UEAxMHMC4wLjAuMDEKMAgGA1UEChMBIDEKMAgGA1UECxMBIDCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAygJor5v2FOCvMR5aN3PnkWhbBXyzniTl Wm5G2/V7mvXOnuTMgvqa8IJeTon1ySSv5Mx9frdv23lGDAY+BZ4MfDerlCRqoifP PWHuPb4D76bAKwe6LUGGkU0Vj+CYQ2Iar1+m66RyehO8E2/PvPdU7G/qHDVQcxM5 475BJt7tbBUCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBOknTzas7HniIHMPeC5yC0 2rd7c+zqQOe1e4CpEvV1OC0QGvPa72pz+m/zvoFmAC5WjQngQMMwH8rNdvrfaSyE dkB/761PpeKkUtgyPHfTzfSMcJdBOPPnpQcqbxCFh9QSNa4ENSXqC5pND02RHXFx wS1XJGrhMUoNGz1BY5DJWw== -----END CERTIFICATE----- Certificate imported successfully. Issued by : C= , ST= , L= , CN=0.0.0.0, O= , OU= Valid From: Jan 24 18:41:24 2011 GMT Valid to: Jan 24 18:41:24 2012 GMT router.gm.com General Motors Subject: C=US , ST= , L= , CN=...
  • Page 832 RSA and Certificate Commands zZFRmDMHPtey9ALO2alpwjpHOPbJKiCMdjHT94ugkF30eyeni9sGN6Y063IvuKBy0nbWsA J0sxrvt3q6cbKJYozMQE5LsgxLNvQIH4BhPtUz+LNgYWb3V5SI8D8kRejqBM9eaCyJsvLF +yAI5xABZdTPqz0l7FNMzhIrXvCqcCCCx+JbgP1PwYTDyD+m2H5v8Yv6sT3y7fZC9+5/Sn Vf8jpTLMWFgVF9U1Qw9bA8HA7K42XE3R5Zr1doOeUrXQUkuRxLAHkifD7ZHrE7udOmTiP9 W3PqtJzbtjjvMjm5/C+hoC6oLNP6qp0TEn78EdfaHpMMutMF0leKuzizenZQ== -----END RSA PRIVATE KEY----- -----BEGIN RSA PUBLIC KEY----- MIGJAoGBAMoCaK+b9hTgrzEeWjdz55FoWwV8s54k5VpuRtv1e5r1zp7kzIL6mvCCXk6J9c kkr+TMfX63b9t5RgwGPgWeDHw3q5QkaqInzz1h7j2+A++mwCsHui1BhpFNFY/gmENiGq9f puukcnoTvBNvz7z3VOxv6hw1UHMTOeO+QSbe7WwVAgMBAAE= -----END RSA PUBLIC KEY----- -----BEGIN CERTIFICATE----- MIICHDCCAYUCEFCcI4/dhLsUhTWxOwbzngMwDQYJKoZIhvcNAQEEBQAwTzELMAkG A1UEBhMCICAxCjAIBgNVBAgTASAxCjAIBgNVBAcTASAxEDAOBgNVBAMTBzAuMC4w LjAxCjAIBgNVBAoTASAxCjAIBgNVBAsTASAwHhcNMTIwNTIxMTI1NzE2WhcNMTMw NTIxMTI1NzE2WjBPMQswCQYDVQQGEwIgIDEKMAgGA1UECBMBIDEKMAgGA1UEBxMB IDEQMA4GA1UEAxMHMC4wLjAuMDEKMAgGA1UEChMBIDEKMAgGA1UECxMBIDCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAygJor5v2FOCvMR5aN3PnkWhbBXyzniTl Wm5G2/V7mvXOnuTMgvqa8IJeTon1ySSv5Mx9frdv23lGDAY+BZ4MfDerlCRqoifP PWHuPb4D76bAKwe6LUGGkU0Vj+CYQ2Iar1+m66RyehO8E2/PvPdU7G/qHDVQcxM5 475BJt7tbBUCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBOknTzas7HniIHMPeC5yC0 2rd7c+zqQOe1e4CpEvV1OC0QGvPa72pz+m/zvoFmAC5WjQngQMMwH8rNdvrfaSyE dkB/761PpeKkUtgyPHfTzfSMcJdBOPPnpQcqbxCFh9QSNa4ENSXqC5pND02RHXFx wS1XJGrhMUoNGz1BY5DJWw== -----END CERTIFICATE----- Certificate imported successfully.
  • Page 833: Show Crypto Certificate

    RSA and Certificate Commands SHA1 Finger print: DC789788 DC88A988 127897BC BB789788 43.8 show crypto certificate The show crypto certificate Privileged EXEC mode command displays the device SSL certificates and key-pair for both default and user defined keys. Syntax show crypto certificate [mycertificate] [number] Parameters •...
  • Page 834 RSA and Certificate Commands L0VByb3h5JTIwU29mdHdhcmUlMjBSb290JTIwQ2VydGlmaWVyLENOPXNlcnZl -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- ACnrqImEGlXkwxBuZUlAO9nHq9IGJsnkf7/MauGPVqxt5vfDf77uQ5CPf49JWQhu07cVXh 2OwrBhJgB69vLUlJujM9p1IXFpMk8qR3NS7JzlInYAWjHKKbEZBMsKSA6+t/UzVxevKK6H TGB7vMxi+hv1bL9zygvmQ6+/6QfqA51c4nP/8a6NjO/ZOAgvNAMKNr2Wa+tGUOoAgL0b/C 11EoqzpCq5mT7+VOFhPSO4dUU+NwLv1YCb1Fb7MFoAa0N+y+2NwoGp0pxOvDA9ENYl7qsZ MWmCfXu52/IxC7fD8FWxEBtks4V81Xqa7K6ET657xS7m8yTJFLZJyVawGXKnIUs6uTzhhW dKWWc0e/vwMgPtLlWyxWynnaP0fAJ+PawOAdsK75bo79NBim3HcNVXhWNzqfg2s3AYCRBx WuGoazpxHZ0s4+7swmNZtS0xI4ek43d7RaoedGKljhPqLHuzXHUon7Zx15CUtP3sbHl+XI B3u4EEcEngYMewy5obn1vnFSot+d5JHuRwzEaRAIKfbHa34alVJaN+2AMCb0hpI3IkreYo A8Lk6UMOuIQaMnhYf+RyPXhPOQs01PpIPHKBGTi6pj39XMviyRXvSpn5+eIYPhve5jYaEn UeOnVZRhNCVnruJAYXSLhjApf5iIQr1JiJb/mVt8+zpqcCU9HCWQqsMrNFOFrSpcbHu5V4 ZX4jmd9tTJ2mhekoQf1dwUZbfYkRYsK70ps8u7BtgpRfSRUr7g0LfzhzMuswoDSnB65pkC ql7yZnBeRS0zrUDgHLLRfzwjwmxjmwObxYfRGMLp4= -----END RSA PRIVATE KEY----- -----BEGIN RSA PUBLIC KEY----- MIGHAoGBAMVuFgfJYLbUzmbm6UoLD3ewHYd1ZMXY4A3KLF2SXUd1TIXq84aME8DIitSfB2 Cqy4QB5InhgAobBKC96VRsUe2rzoNG4QDkj2L9ukQOvoFBYNmbzHc7a+7043wfVmH+QOXf TbnRDhIMVrZJGbzl1c9IzGky1l21Xmicy0/nwsXDAgEj -----END RSA PUBLIC KEY----- Issued by: www.verisign.com Valid from: 8/9/2003 to 8/9/2004 Subject: CN= router.gm.com, 0= General Motors, C= US Finger print: DC789788 DC88A988 127897BC BB789788...
  • Page 835: Smartport Commands

    Smartport Commands 44.0 44.1 macro auto (Global) The macro auto Global Configuration mode command sets the Auto Smartports administrative global state. The no format of the command returns to the default. Syntax macro auto {enabled | disabled | controlled} no macro auto Parameters •...
  • Page 836: Macro Auto Smartport (Interface)

    Smartport Commands If the Auto Smartport Administrative state is controlled, the Auto Smartport Operational state is managed by the Voice VLAN manager and is set as follows: • Auto Smartport Operational state is disabled when the OUI Voice VLAN is enabled.
  • Page 837: Macro Auto Trunk Refresh

    Smartport Commands Syntax macro auto smartport no macro auto smartport Parameters This command has no arguments or keywords. Default Configuration Enabled. Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines This command is effective only when Auto Smartport is globally enabled. Example Enables the Auto Smartport feature on port 1: switchxxxxxx(config)#...
  • Page 838: Macro Auto Resume

    Smartport Commands Default Configuration See User Guidelines. Command Mode Global Configuration mode User Guidelines The macro auto smartport command becomes effective only when the Auto Smartport is globally enabled. If both smartport-type and interface-id are defined, the attached Smartport macro is executed on the interface if it has the given Smartport type. If only smartport-type is defined, the attached Smartport macro is executed on all...
  • Page 839: Macro Auto Persistent

    Smartport Commands Parameters This command has no arguments or keywords. Default Configuration None Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines When a Smartport macro fails at an interface, the Smartport type of the interface becomes Unknown. You must diagnose the reason for the failure on the interface and/or Smartport macro, and correct the error.
  • Page 840: Macro Auto Smartport Type

    Smartport Commands Default Configuration Not persistent. Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines A Smartport’s persistent interface retains its dynamic configuration in the following cases: link down/up, the attaching device ages out, and reboot. Note that for persistence and the Smartport configuration to be effective across reboot, the Running Configuration file must be saved to the Startup Configuration file.
  • Page 841 Smartport Commands • parameter-name value —Specifies the parameter name and its value (Range: printer, desktop, guest, server, host, ip_camera, ip_phone, ip_phone_desktop, switch, router or wireless access point (ap)). Default Configuration parameter-name value —Parameter default value. For instance, if the parameter is the voice VLAN, the default value is the default voice VLAN.
  • Page 842: Macro Auto Processing Cdp

    Smartport Commands 7. # 8. #the port type cannot be detected automatically 9. # 10. switchport mode access 11. switchport access vlan $native_vlan 12. # 13. #single host 14. port security max 1 15. port security mode max-addresses 16. port security discard trap 60 17.
  • Page 843: Macro Auto Processing Lldp

    Smartport Commands Default Configuration Enabled Command Mode Global Configuration mode Example To enable CDP globally: switchxxxxxx(config)# macro auto processing cdp 44.8 macro auto processing lldp The macro auto processing lldp Global Configuration mode command enables using the LLDP capability information to identify the type of an attached device. When Auto Smartport is enabled on an interface and this command is run, the switch automatically applies the corresponding Smartport type to the interface based on the LLDP capabilities advertised by the attaching device(s).
  • Page 844: Macro Auto Processing Type

    Smartport Commands Example To enable LLDP globally: switchxxxxxx(config)# macro auto processing lldp 44.9 macro auto processing type The macro auto processing type Global Configuration mode command enables or disables automatic detection of devices of a given type. The no format of the command returns to the default.
  • Page 845: Macro Auto User Smartport Macro

    Smartport Commands • switch—Set type to switch • router—Set type to router • ap—Set type to access point switchxxxxxx(config)# macro auto processing type ap enabled 44.10 macro auto user smartport macro The macro auto user smartport macro Global Configuration mode command links user-defined Smartport macros to a Smartport type.
  • Page 846: Macro Auto Built-In Parameters

    Smartport Commands User Guidelines The scope of each parameter is the macro in which it is defined, with the exception of the parameter $voice_vlan, which is a global parameter and its value is specified by the switch and cannot be defined in a macro. The macros must be defined before linking them in this command.
  • Page 847: Show Macro Auto Processing

    Smartport Commands • parameter-name value —Specifies the parameter name and its value. These are the parameters of the built-in or user-defined macro defined in the macro auto user smartport macro command Default Configuration The default value of parameter $native_vlan of the built-in Smartport macros is 1. For other parameters, the default value is the parameter’s default value.
  • Page 848: Show Macro Auto Smart-Macros

    Smartport Commands Default Configuration None Command Mode User EXEC mode Example switchxxxxxx# show macro auto processing CDB: enabled LLDP: enabled host :disabled ip_phone :enabled ip_phone_desktop:enabled switch :enabled router :disabled :enabled 44.13 show macro auto smart-macros The show macro auto smart-macros EXEC mode command displays the name of Smartport macros, their type (built-in or user-defined) and their parameters.
  • Page 849 Smartport Commands Command Mode User EXEC mode Example switchxxxxxx# show macro auto smart-macros SG300-52-R#show macro auto smart-macros SmartPort type : printer Parameters : $native_vlan=1 SmartPort Macro: printer (Built-In) SmartPort type : desktop Parameters : $max_hosts=10 $native_vlan=1 SmartPort Macro: desktop (Built-In) SmartPort type : guest Parameters : $native_vlan=1...
  • Page 850: Show Macro Auto Ports

    Smartport Commands Parameters : $native_vlan=1 $voice_vlan=1 SmartPort Macro: switch (Built-In) SmartPort type : router Parameters : $native_vlan=1 $voice_vlan=1 SmartPort Macro: router (Built-In) SmartPort type : ap Parameters : $native_vlan=1 $voice_vlan=1 SmartPort Macro: ap (Built-In) SG300-52-R# 44.14 show macro auto ports The show macro auto ports EXEC mode command displays information about all Smartport ports or a specific one.
  • Page 851 Smartport Commands switchxxxxxx# show macro auto ports Smartport is enabled Administrative Globally Auto Smartport is enabled Operational Globally Auto Smartport is enabled Interface Auto Smartport Persistent Smartport Type Admin State State ----------- ------------- ---------- -------------- gi11 disabled enabled router(static) gi12 disabled enabled switch...
  • Page 852: Smartport Switchport Trunk Allowed Vlan

    Smartport Commands Example 3—Disabling auto SmartPort on gi 1 2: switchxxxxxx(config)# interface gi12 switchxxxxxx(config-if)# no macro auto smartport switchxxxxxx(config-if)# switchxxxxxx# show macro auto ports gi12 SmartPort is Enabled Administrative Globally Auto SmartPort is controlled Operational Globally Auto SmartPort is enabled Auto SmartPort is disabled on gi12 Persistent state is not-persistent Interface type is default...
  • Page 853 Smartport Commands Syntax smartport switchport trunk allowed vlan {add {vlan-list | all} | remove {vlan-list | all}} Parameters • vlan-list —Specifies a list of VLAN IDs to add to interface. Separate nonconsecutive VLAN IDs with a comma and no spaces; use a hyphen to designate a range of IDs.
  • Page 854: Smartport Switchport Trunk Native Vlan

    Smartport Commands 44.16 smartport switchport trunk native vlan Use the smartport switchport trunk native vlan Interface Configuration (Ethernet, port-channel) mode command to define the native VLAN when the interface is in trunk mode. Use the no form of this command to restore the default configuration. Syntax native vlan-id...
  • Page 855: Smartport Storm-Control Broadcast Enable

    Smartport Commands 44.17 smartport storm-control broadcast enable Use the smartport storm-control broadcast enable Interface Configuration (Ethernet, port-channel) mode command to enable storm control on a Smartport port. Use the no form of this command to disable storm control. Syntax smartport storm-control broadcast enable Parameters This command has no arguments or keywords.
  • Page 856: Smartport Storm-Control Include-Multicast

    Smartport Commands Parameters • level —Suppression level in percentage. Block the flooding of storm packets when the value specified for level is reached. (Range 1 -100) • kbps —Maximum of kilobits per second of broadcast traffic on a port. (Range 70–10000000) Default Configuration •...
  • Page 857 Smartport Commands Syntax smartport storm-control include-multicast [unknown-unicast] no smartport storm-control include-multicast Parameters • unknown-unicast—Specifies also the count of unknown Unicast packets. Default Configuration Disabled Command Mode Interface (Ethernet, Port Channel) Configuration mode Example switchxxxxxx(config)# interface gi11 switchxxxxxx(config-if)# smartport storm-control include-multicast OL-32830-01 Command Line Interface Reference Guide...
  • Page 858: Network Management Protocol (Snmp) Commands

    Network Management Protocol (SNMP) Commands 45.0 45.1 snmp-server community To set the community access string (password) that permits access to SNMP commands (v1 and v2), use the snmp-server community Global Configuration mode command. This is used for SNMP commands, such as GETs and SETs. This command configures both SNMP v1 and v2.
  • Page 859 Network Management Protocol (SNMP) Commands • prefix-length—(Optional) Specifies the number of bits that comprise the IPv4 address prefix. If unspecified, it defaults to 32. The command returns an error if the prefix-length is specified without an IPv4 address. • view view-name—(Optional) Specifies the name of a view configured using the command...
  • Page 860: Snmp-Server Community-Group

    Network Management Protocol (SNMP) Commands 45.2 snmp-server community-group To configure access rights to a user group, use snmp-server community-group. The group must exist in order to be able to specify the access rights. This command configures both SNMP v1 and v2. Syntax snmp-server community-group community-string group-name [ip-address |...
  • Page 861: Snmp-Server Server

    Network Management Protocol (SNMP) Commands User Guidelines group-name is used to restrict the access rights of a community string. When a group-name is specified, the software: • Generates an internal security-name. • Maps the internal security-name for SNMPv1 and SNMPv2 security models to the group-name.
  • Page 862: Snmp-Server Source-Interface

    Network Management Protocol (SNMP) Commands 45.4 snmp-server source-interface To specify the interface whose address is used as the source of Simple Network Management Protocol (SNMP) traps or informs, use the snmp-server source-interface command in Global Configuration mode. To return to the default, use the no form of this command.
  • Page 863: Snmp-Server Source-Interface-Ipv6

    Network Management Protocol (SNMP) Commands Use the no snmp-server source-interface informs command to remove the source interface for SNMP informs. Use the no snmp-server source-interface command to remove the source interface for SNMP traps and informs. Example The following example configures the VLAN 10 as the source interface for traps. switchxxxxxx(config)# snmp-server source-interface traps vlan 100 45.5 snmp-server source-interface-ipv6...
  • Page 864: Snmp-Server View

    Network Management Protocol (SNMP) Commands User Guidelines If the source interface is the outgoing interface, the IPv6 address defined on the interfaces is selected in accordance with RFC 6724. If the source interface is not the outgoing interface, the minimal IPv6 address defined on the source interface with the scope of the destination IPv6 address is applied.
  • Page 865 Network Management Protocol (SNMP) Commands • excluded—Specifies that the view type is excluded. • oid-tree—(Optional) Specifies the ASN.1 subtree object identifier to be included or excluded from the view. To identify the subtree, specify a text string consisting of numbers, such as 1.3.6.2.4, or a word, such as System and, optionally, a sequence of numbers.
  • Page 866: Snmp-Server Group

    Network Management Protocol (SNMP) Commands 45.7 snmp-server group To configure an SNMP group, use the snmp-server group Global Configuration mode command. Groups are used to map SNMP users to SNMP views. To remove an SNMP group, use the no form of this command. Syntax snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv} [notify notifyview]}...
  • Page 867: Show Snmp Views

    Network Management Protocol (SNMP) Commands • If notifyview is not specified, the notify view is not defined. • If readview is not specified, all objects except for the community-table and SNMPv3 user and access tables are available for retrieval. • If writeview is not specified, the write view is not defined. Command Mode Global Configuration mode User Guidelines...
  • Page 868: Show Snmp Groups

    Network Management Protocol (SNMP) Commands Default Configuration If viewname is not specified, all views are displayed. Command Mode Privileged EXEC mode Example The following example displays the configured SNMP views. switchxxxxxx# show snmp views Name OID Tree Type ---------------- ---------------------- ---------- Default Included...
  • Page 869: Snmp-Server User

    Network Management Protocol (SNMP) Commands Example The following example displays the configured SNMP groups: switchxxxxxx# show snmp groups Name Security Views Model Level Read Write Notify ------------- ----- ---- ------- ------- ------- user-group no_auth Default "" "" managers-group no_auth Default Default ""...
  • Page 870 Network Management Protocol (SNMP) Commands encrypted snmp-server user username groupname {v1 | v2c | [remote host] v3 [auth {md5 | sha} encrypted-auth-password [priv encrypted-priv-password]]} no snmp-server user username {v1 | v2c | [remote host] v3 [auth {md5 | sha}... Parameters •...
  • Page 871 Network Management Protocol (SNMP) Commands Command Mode Global Configuration mode User Guidelines For SNMP v1 and v2, this command performs the same actions as snmp-server community-group, except that snmp-server community-group configures both v1 and v2 at the same time, whereas this command must be run once for v1 and once for v2. When you enter the show running-config command, you do not see a line for the SNMP user defined by this command.
  • Page 872: Show Snmp Users

    Network Management Protocol (SNMP) Commands switchxxxxxx(config)# snmp-server user tom acbd v2c switchxxxxxx(config)# snmp-server user tom acbd v3 45.11 show snmp users To display the configured SNMP users, use the show snmp users Privileged EXEC mode command. Syntax show snmp users [username] Parameters username—(Optional) Specifies the user name.
  • Page 873 Network Management Protocol (SNMP) Commands Authentication Algorithm : MD5 Privacy Algorithm : None Remote Auth Password : helloworld1234567890987665 Priv Password User name : hello Group name : world Authentication Algorithm : MD5 Privacy Algorithm : DES Remote Auth Password (encrypted): Z/tC3UF5j0pYfmXm8xeMvcIOQ6LQ4GOACCGYLRdAgOE6XQKTC qMlrnpWuHraRlZj Priv Password (encrypted) : kN1ZHzSLo6WWxlkuZVzhLOo1gI5waaNf7Vq6yLBpJdS4N68tL 1tbTRSz2H4c4Q4o...
  • Page 874: Snmp-Server Filter

    Network Management Protocol (SNMP) Commands 45.12 snmp-server filter To create or update an SNMP server notification filter, use the snmp-server filter Global Configuration mode command. To remove a notification filter, use the no form of this command. Syntax snmp-server filter filter-name oid-tree {included | excluded} no snmp-server filter filter-name oid-tree...
  • Page 875: Show Snmp Filters

    Network Management Protocol (SNMP) Commands Example The following example creates a filter that includes all objects in the MIB-II system group except for sysServices (System 7) and all objects for interface 1 in the MIB-II interfaces group (this format depends on the parameters defined in ifEntry). switchxxxxxx(config)# snmp-server filter f1 system included switchxxxxxx(config)#...
  • Page 876: Snmp-Server Host

    Network Management Protocol (SNMP) Commands 45.14 snmp-server host To configure the host for SNMP notifications (traps/informs), use the snmp-server host Global Configuration mode command. To remove the specified host, use the no form of this command. Syntax snmp-server host {host-ip | hostname} [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [filter filtername] [timeout seconds] [retries retries]...
  • Page 877 Network Management Protocol (SNMP) Commands • udp-port port—(Optional) UDP port of the host to use. The default is 162. (Range: 1–65535) • filter filtername—(Optional) Filter for this host. If unspecified, nothing is filtered. The filter is defined using snmp-server filter (no specific order of commands is imposed on the user).
  • Page 878: Snmp-Server Engineid Local

    Network Management Protocol (SNMP) Commands switchxxxxxx(config)# snmp-server host 1.1.1.121 abc 45.15 snmp-server engineID local To specify the SNMP engineID on the local device for SNMP v3, use the snmp-server engineID local Global Configuration mode command. To remove this engine ID, use the no form of this command. Syntax snmp-server engineID local {engineid-string | default}...
  • Page 879: Snmp-Server Engineid Remote

    Network Management Protocol (SNMP) Commands As the engineID should be unique within an administrative domain, the following guidelines are recommended: • Use the default keyword to configure the Engine ID, or configure it explicitly. In the latter case, verify that it is unique within the administrative domain.
  • Page 880: Show Snmp Engineid

    Network Management Protocol (SNMP) Commands the system automatically prefixes the hexadecimal string with a zero. (Range: engineid-string 5–32 characters; 9–64 hexadecimal digits) Default Configuration The remote engineID is not configured by default. Command Mode Global Configuration mode User Guidelines A remote engine ID is required when an SNMP version 3 inform is configured. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 881: Snmp-Server Enable Traps

    Network Management Protocol (SNMP) Commands Example The following example displays the SNMP engine ID. switchxxxxxx# show snmp engineID Local SNMP engineID: 08009009020C0B099C075878 IP address Remote SNMP engineID ----------- ------------------------------- 172.16.1.1 08009009020C0B099C075879 45.18 snmp-server enable traps To enable the device to send SNMP traps, use the snmp-server enable traps Global Configuration mode command.
  • Page 882: Snmp-Server Trap Authentication

    Network Management Protocol (SNMP) Commands 45.19 snmp-server trap authentication To enable the device to send SNMP traps when authentication fails, use the snmp-server trap authentication Global Configuration mode command. To disable SNMP failed authentication traps, use the no form of this command. Syntax snmp-server trap authentication no snmp-server trap authentication...
  • Page 883: Snmp-Server Location

    Network Management Protocol (SNMP) Commands Syntax snmp-server contact text no snmp-server contact Parameters text—Specifies system contact information. (Length: 1–160 characters) Default Configuration None Command Mode Global Configuration mode Example The following example sets the system contact information to Technical_Support. switchxxxxxx(config)# snmp-server contact Technical_Support 45.21 snmp-server location To set the value of the system location string, use the snmp-server location Global...
  • Page 884: Snmp-Server Set

    Network Management Protocol (SNMP) Commands Command Mode Global Configuration mode Example The following example sets the device location to New_York. switchxxxxxx(config)# snmp-server location New_York 45.22 snmp-server set To define SNMP MIB commands in the configuration file if a MIB performs an action for which there is no corresponding CLI command, use the snmp-server set Global Configuration mode command.
  • Page 885: Snmp Trap Link-Status

    Network Management Protocol (SNMP) Commands Example The following example configures the scalar MIB sysName with the value TechSupp. switchxxxxxx(config)# snmp-server set sysName sysname TechSupp 45.23 snmp trap link-status To enable link-status generation of SNMP traps, use the snmp trap link-status Interface Configuration mode command.
  • Page 886 Network Management Protocol (SNMP) Commands Syntax show snmp Parameters This command has no arguments or keywords Default Configuration None Command Mode Privileged EXEC mode Example The following example displays the SNMP communications status. switchxxxxxx# show snmp SNMP is enabled SNMP traps Source IPv4 interface: vlan 1 SNMP informs Source IPv4 interface: vlan 11 SNMP traps Source IPv6 interface: vlan 10 SNMP informs Source IPv6 interface:...
  • Page 887 Network Management Protocol (SNMP) Commands Target Address Type Community Version Filter Retries Port Name ----------- ---- -------- ------- ---- ------ ------- 192.122.173.42 Trap public 192.122.173.42 Inform public Version 3 notifications Target Address Type Username Security Filter Retries Level Port name ----------- ---- --------...
  • Page 888: Spanning-Tree Commands

    Spanning-Tree Commands 46.0 46.1 spanning-tree Use the spanning-tree Global Configuration mode command to enable spanning-tree functionality. Use the no form of this command to disable the spanning-tree functionality. Syntax spanning-tree no spanning-tree Parameters Default Configuration Spanning-tree is enabled. Command Mode Global Configuration mode Example The following example enables spanning-tree functionality.
  • Page 889: Spanning-Tree Mode

    Spanning-Tree Commands 46.2 spanning-tree mode Use the spanning-tree mode Global Configuration mode command to select which Spanning Tree Protocol (STP) protocol to run. Use the no form of this command to restore the default configuration. Syntax spanning-tree mode {stp | rstp | mst} no spanning-tree mode Parameters •...
  • Page 890: Spanning-Tree Forward-Time

    Spanning-Tree Commands 46.3 spanning-tree forward-time Use the spanning-tree forward-time Global Configuration mode command to configure the spanning-tree bridge forward time, which is the amount of time a port remains in the listening and learning states before entering the forwarding state. Use the no form of this command to restore the default configuration. Syntax spanning-tree forward-time seconds...
  • Page 891: Spanning-Tree Hello-Time

    Spanning-Tree Commands 46.4 spanning-tree hello-time Use the spanning-tree hello-time Global Configuration mode command to configure how often the device broadcasts Hello messages to other devices. Use the no form of this command to restore the default configuration. Syntax spanning-tree hello-time seconds no spanning-tree hello-time Parameters seconds—Specifies the spanning-tree Hello time in seconds.
  • Page 892: Spanning-Tree Priority

    Spanning-Tree Commands Syntax spanning-tree max-age seconds no spanning-tree max-age Parameters seconds—Specifies the spanning-tree bridge maximum age in seconds. (Range: 6–40) Default Configuration The default maximum age is 20 seconds. Command Mode Global Configuration mode User Guidelines When configuring the maximum age, the following relationships should be maintained: 2*(Forward-Time - 1) >= Max-Age and Max-Age >= 2*(Hello-Time + 1)
  • Page 893: Spanning-Tree Disable

    Spanning-Tree Commands no spanning-tree priority Parameters priority—Specifies the bridge priority. (Range: 0–61440) Default Configuration Default priority = 32768. Command Mode Global Configuration mode User Guidelines The priority value must be a multiple of 4096. The switch with the lowest priority is the root of the spanning tree. When more than one switch has the lowest priority, the switch with the lowest MAC address is selected as the root.
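    The two timer relationships under spanning-tree max-age and the bridge-priority rules above (multiple of 4096, lowest priority wins, lowest MAC breaks ties) are easy to get wrong when a change is made one command at a time, and a misconfigured root election is a common root cause of topology instability. The following Python block is an added example, not Cisco code or output from the guide: it checks a proposed timer set against both relationships and the 6–40 s max-age range, validates a bridge priority, and runs the root election over a constructed list of bridges. The 20 s max-age default and the 0–61440 priority range come from the page; the 15 s forward-time and 2 s hello-time defaults are the IEEE 802.1D values and are assumed here.

```python
import re

# Defaults for the three bridge timers. The 20 s max-age default is stated
# on the page; 15 s forward-time and 2 s hello-time are the IEEE 802.1D
# defaults and are assumed here.
DEFAULT_FORWARD_TIME = 15
DEFAULT_HELLO_TIME = 2
DEFAULT_MAX_AGE = 20

MAX_AGE_RANGE = (6, 40)        # range stated on the page
PRIORITY_RANGE = (0, 61440)    # range stated on the page
PRIORITY_STEP = 4096           # priority must be a multiple of this


def timer_problems(forward_time=DEFAULT_FORWARD_TIME,
                   hello_time=DEFAULT_HELLO_TIME,
                   max_age=DEFAULT_MAX_AGE):
    """Return a list of violated constraints; empty means the timers are consistent.

    Checks the two relationships from the max-age user guidelines,
        2*(Forward-Time - 1) >= Max-Age
        Max-Age >= 2*(Hello-Time + 1)
    plus the 6-40 s max-age range.
    """
    problems = []
    lo, hi = MAX_AGE_RANGE
    if not lo <= max_age <= hi:
        problems.append(f"max-age {max_age} outside {lo}-{hi}")
    if 2 * (forward_time - 1) < max_age:
        problems.append(
            f"2*(forward-time-1)={2 * (forward_time - 1)} < max-age {max_age}")
    if max_age < 2 * (hello_time + 1):
        problems.append(
            f"max-age {max_age} < 2*(hello-time+1)={2 * (hello_time + 1)}")
    return problems


def valid_priority(priority):
    """True when priority lies in 0-61440 and is a multiple of 4096."""
    lo, hi = PRIORITY_RANGE
    return lo <= priority <= hi and priority % PRIORITY_STEP == 0


_MAC_RE = re.compile(r"^([0-9a-f]{2}[:.-]?){5}[0-9a-f]{2}$", re.I)


def bridge_id(priority, mac):
    """Return the comparable bridge identifier (priority, MAC as a 48-bit int)."""
    if not valid_priority(priority):
        raise ValueError(f"invalid bridge priority {priority}")
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC {mac!r}")
    return priority, int(re.sub(r"[:.-]", "", mac), 16)


def elect_root(bridges):
    """Pick the root bridge: lowest priority wins, ties broken by lowest MAC.

    bridges: iterable of (name, priority, mac) tuples. Returns the winning name.
    """
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


if __name__ == "__main__":
    # Constructed sample: the defaults are consistent, a 40 s max-age with
    # the default 15 s forward-time is not.
    print("defaults:", timer_problems() or "ok")
    print("max-age 40:", timer_problems(max_age=40))
    # Constructed bridges (names and MACs are made up). sw2 and sw3 share the
    # lowest priority, so the lower MAC (sw3) becomes root.
    lan = [("sw1", 32768, "00:11:22:33:44:55"),
           ("sw2", 4096, "aa:bb:cc:dd:ee:ff"),
           ("sw3", 4096, "00:00:00:00:00:01")]
    print("root:", elect_root(lan))
```

    A practical use is to run timer_problems on the values from show running-config before applying a change on every switch in the domain, since the guide's relationships must hold on the root bridge whose timers the whole tree adopts; elect_root makes explicit that an unintended switch with a low MAC address takes the root role whenever priorities tie, which is why the intended root should be given a distinctly lower priority rather than left at 32768.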
  • Page 894: Spanning-Tree Cost

    Spanning-Tree Commands Default Configuration Spanning tree is enabled on all ports. Command Mode Interface (Ethernet, Port Channel) Configuration mode Example The following example disables the spanning tree on switchxxxxxx(config)# interface switchxxxxxx(config-if)# spanning-tree disable 46.8 spanning-tree cost Use the spanning-tree cost Interface (Ethernet, Port Channel) Configuration mode command to configure the spanning-tree path cost for a port.
  • Page 895: Spanning-Tree Port-Priority

    Spanning-Tree Commands Command Mode Interface (Ethernet, Port Channel) Configuration mode Example The following example configures the spanning-tree cost on 15 to 35000. switchxxxxxx(config)# interface switchxxxxxx(config-if)# spanning-tree cost 35000 46.9 spanning-tree port-priority Use the spanning-tree port-priority Interface (Ethernet, Port Channel) Configuration mode command to configure the port priority. Use the no form of this command to restore the default configuration.
  • Page 896: Spanning-Tree Portfast

    Spanning-Tree Commands switchxxxxxx(config)# interface switchxxxxxx(config-if)# spanning-tree port-priority 96 46.10 spanning-tree portfast Use the spanning-tree portfast Interface (Ethernet, Port Channel) Configuration mode command to enable the PortFast mode. In PortFast mode, the interface is immediately put into the forwarding state upon linkup, without waiting for the standard forward time delay.
  • Page 897: Spanning-Tree Link-Type

    Spanning-Tree Commands 46.11 spanning-tree link-type Use the spanning-tree link-type Interface (Ethernet, Port Channel) Configuration mode command to override the default link-type setting determined by the port duplex mode, and enable RSTP transitions to the Forwarding state. Use the no form of this command to restore the default configuration. Syntax spanning-tree link-type {point-to-point | shared}...
  • Page 898: Spanning-Tree Bpdu (Global)

    Spanning-Tree Commands Syntax spanning-tree pathcost method {long | short} no spanning-tree pathcost method Parameters • long—Specifies that the default port path costs are within the range: 1–200,000,000. • short—Specifies that the default port path costs are within the range: 1–200,000,000. Default Configuration Long path cost method.
  • Page 899: Spanning-Tree Bpdu (Interface)

    Spanning-Tree Commands Syntax spanning-tree bpdu {filtering | flooding} no spanning-tree bpdu Parameters • filtering—Specifies that BPDU packets are filtered when the spanning tree is disabled on an interface. • flooding—Specifies that untagged BPDU packets are flooded unconditionally (without applying VLAN rules) to all ports with the spanning tree disabled and BPDU handling mode of flooding.
  • Page 900: Spanning-Tree Guard Root

    Spanning-Tree Commands Syntax spanning-tree bpdu {filtering | flooding} no spanning-tree bpdu Parameters • filtering—Specifies that BPDU packets are filtered when the spanning tree is disabled on an interface. • flooding—Specifies that untagged BPDU packets are flooded unconditionally (without applying VLAN rules) to ports with the spanning tree disabled and BPDU handling mode of flooding.
  • Page 901: Spanning-Tree Bpduguard

    Spanning-Tree Commands Default Configuration Root guard is disabled. Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines Root Guard can be enabled when the device operates in any mode (STP, RSTP and MSTP). When Root Guard is enabled, the port changes to the alternate state if the spanning-tree calculations select the port as the root port.
  • Page 902: Clear Spanning-Tree Detected-Protocols

    Spanning-Tree Commands Command Mode Interface (Ethernet, Port Channel) Configuration mode User Guidelines The command can be enabled when the spanning tree is enabled (useful when the port is in the PortFast mode) or disabled. Example The following example shuts down 5 when it receives a BPDU.
  • Page 903: Spanning-Tree Mst Priority

    Spanning-Tree Commands Example This restarts the STP migration process on all interfaces. switchxxxxxx# clear spanning-tree detected-protocols 46.18 spanning-tree mst priority Use the spanning-tree mst priority Global Configuration mode command to configure the device priority for the specified spanning-tree instance. Use the no form of this command to restore the default configuration.
  • Page 904: Spanning-Tree Mst Max-Hops

    Spanning-Tree Commands Example The following example configures the spanning tree priority of instance 1 to 4096. switchxxxxxx(config)# spanning-tree mst priority 4096 46.19 spanning-tree mst max-hops Use the spanning-tree mst max-hops Global Configuration mode command to configure the number of hops in an MST region before the BPDU is discarded and the port information is aged out.
  • Page 905: Spanning-Tree Mst Port-Priority

    Spanning-Tree Commands 46.20 spanning-tree mst port-priority Use the spanning-tree mst port-priority Interface (Ethernet, Port Channel) Configuration mode command to configure the priority of a port. Use the no form of this command to restore the default configuration. Syntax instance-id priority spanning-tree mst port-priority instance-id...
  • Page 906 Spanning-Tree Commands Forwarding state. Use the no form of this command to restore the default configuration. Syntax instance-id cost spanning-tree mst cost instance-id no spanning-tree mst cost Parameters • instance-id—Specifies the spanning-tree instance ID. (Range: 1–15) • cost—Specifies the port path cost. (Range: 1–200000000) Default Configuration Default path cost is determined by the port speed and path cost method (long or short) as shown below:...
  • Page 907: Spanning-Tree Mst Configuration

    Spanning-Tree Commands 46.22 spanning-tree mst configuration Use the spanning-tree mst configuration Global Configuration mode command to enable configuring an MST region by entering the MST mode. Syntax spanning-tree mst configuration Command Mode Global Configuration mode User Guidelines For two or more switches to be in the same MST region, they must contain the same VLAN mapping, the same configuration revision number, and the same name.
  • Page 908: Name (Mst)

    Spanning-Tree Commands • vlan-range—The specified range of VLANs is added to the existing ones. To specify a range, use a hyphen. To specify a series, use a comma. (Range: 1–4094) Default Configuration All VLANs are mapped to the common and internal spanning tree (CIST) instance (instance 0).
  • Page 909: Revision (Mst)

    Spanning-Tree Commands Default Configuration The default name is the bridge MAC address. Command Mode MST Configuration mode Example The following example defines the instance name as Region1. switchxxxxxx(config)# spanning-tree mst configuration switchxxxxxx(config-mst)# name region1 46.25 revision (MST) Use the revision MST Configuration mode command to define the MST configuration revision number.
  • Page 910: Show (Mst)

    Spanning-Tree Commands switchxxxxxx(config)# spanning-tree mst configuration switchxxxxxx(config-mst)# revision 46.26 show (MST) Use the show MST Configuration mode command to display the current or pending MST region configuration. Syntax show {current | pending} Parameters • current—Displays the current MST region configuration. •...
  • Page 911: Exit (Mst)

    Spanning-Tree Commands 46.27 exit (MST) Use the exit MST Configuration mode command to exit the MST region Configuration mode and apply all configuration changes. Syntax exit Parameters Default Configuration Command Mode MST Configuration mode Example The following example exits the MST Configuration mode and saves changes. switchxxxxxx(config)# spanning-tree mst configuration switchxxxxxx(config-mst)#...
  • Page 912: Show Spanning-Tree

    Spanning-Tree Commands Default Configuration Command Mode MST Configuration mode Example The following example exits the MST Configuration mode without saving changes. switchxxxxxx(config)# spanning-tree mst configuration switchxxxxxx(config-mst)# abort 46.29 show spanning-tree Use the show spanning-tree Privileged EXEC mode command to display the spanning-tree configuration.
  • Page 913 Spanning-Tree Commands Default Configuration If no interface is specified, the default is all interfaces. Command Mode Privileged EXEC mode User Guidelines This command only works when MST is enabled. Example The following examples display spanning-tree information in various configurations. switchxxxxxx# show spanning-tree Spanning tree enabled mode RSTP Default port cost method: long...
  • Page 914 Spanning-Tree Commands Interfaces Name State Prio. No Cost Role PortFast Type ------ ------ ------ ----- ---- ------- ---------- 128.1 Enabled 20000 Root P2p (RSTP) 128.2 Enabled 20000 Desg Shared (STP) 128.3 Disabled 20000 128.4 Enabled 20000 Altn Shared (STP) 128.5 Enabled 20000 switchxxxxxx#...
  • Page 915 Spanning-Tree Commands Interfaces Name State Prio.Nb Cost Role PortFast Type --------- -------- ------- ----- ---- -------- ---------- Enabled 128.1 20000 Enabled 128.2 20000 Disabled 128.3 20000 Enabled 128.4 20000 Enabled 128.5 20000 switchxxxxxx# show spanning-tree active Spanning tree enabled mode RSTP Default port cost method: long Root ID Priority...
  • Page 916 Spanning-Tree Commands Bridge ID Priority 36864 Address 00:02:4b:29:7a:00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interfaces Name State Prio.Nbr Cost Role PortFast Type --------- ------- ------ ----- ---- -------- ---------- Enabled 128.4 Altn Shared (STP) switchxxxxxx# show spanning-tree detail Spanning tree enabled mode RSTP...
  • Page 917 Spanning-Tree Commands Port 2 ( 2) enabled State: Forwarding Role: Designated Port id: 128.2 Port cost: 20000 Type: Shared (configured: auto) STP Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:02:4b:29:7a:00 Designated port id: 128.2 Designated path cost: 20000 Guard root: Disabled BPDU guard: Disabled Number of transitions to forwarding state: 1...
  • Page 918 Spanning-Tree Commands switchxxxxxx# show spanning-tree ethernet Port 1 ( 1) enabled State: Forwarding Role: Root Port id: 128.1 Port cost: 20000 Type: P2p (configured: auto) RSTP Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:01:42:97:e0:00 Designated port id: 128.25 Designated path cost: 0 Guard root: Disabled BPDU guard: Disabled...
  • Page 919 Spanning-Tree Commands Name State Prio.Nbr Cost Role PortFast Type ---- ------- -------- ----- ---- -------- ------------- Enabled 128.1 20000 Root P2p Bound (RSTP) Enabled 128.2 20000 Desg Shared Bound Enabled 128.3 20000 Desg (STP) Enabled 128.4 20000 Desg ###### MST 1 Vlans Mapped: 10-20 Root ID Priority 24576...
  • Page 920 Spanning-Tree Commands This switch is the IST master. Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Max hops 20 Number of topology changes 2 last change occurred 2d18h Times: hold 1, topology change 35, notification 2 hello 2, max age 20, forward delay 15 Port 1 ( 1) enabled...
  • Page 921 Spanning-Tree Commands Port 4 ( 4) enabled State: Forwarding Role: Designated Port id: 128.4 Port cost: 20000 Type: Shared (configured: auto) Internal Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:02:4b:29:7a:00 Designated port id: 128.2 Designated path cost: 20000 Number of transitions to forwarding state: 1 BPDU: sent 2, received 170638 ###### MST 1 Vlans Mapped: 10-20...
  • Page 922 Spanning-Tree Commands Port 2 ( 2) enabled State: Forwarding Role: Designated Port id: 128.2 Port cost: 20000 Type: Shared (configured: auto) Boundary STP Port Fast: No (configured:no) Designated bridge Priority: 32768 Address: 00:02:4b:29:7a:00 Designated port id: 128.2 Designated path cost: 20000 Number of transitions to forwarding state: 1 BPDU: sent 2, received 170638 Port 3 (...
  • Page 923: Show Spanning-Tree Bpdu

    Spanning-Tree Commands IST Master ID Priority 32768 Address 00:02:4b:19:7a:00 Path Cost 10000 Rem hops Bridge ID Priority 32768 Address 00:02:4b:29:7a:00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Max hops 20 switchxxxxxx# show spanning-tree Spanning tree enabled mode MSTP Default port cost method: long ###### MST 0 Vlans Mapped: 1-9 CST Root ID...
  • Page 924: Spanning-Tree Loopback-Guard

    Spanning-Tree Commands Default Configuration Show information for all interfaces. If detailed is not used, only present ports are displayed. Command Mode User EXEC mode Example The following examples display spanning-tree BPDU information: switchxxxxxx# show spanning-tree bpdu The following is the output if the global BPDU handling command is not supported.
  • Page 925 Spanning-Tree Commands Syntax spanning-tree loopback-guard no spanning-tree loopback-guard Parameters Default Configuration Command Mode Global User Guidelines This enables shutting down all interfaces if a loopback BPDU is received on it. Example switchxxxxxx(config)# spanning-tree loopback-guard OL-32830-01 Command Line Interface Reference Guide...
  • Page 926: Ssd Commands

    SSD Commands 47.0 47.1 ssd config To enter the Secure Sensitive Data (SSD) command mode, use ssd config in Global Configuration mode. In this command mode, an administrator can configure how the sensitive data on the device, such as keys and passwords, is to be protected.
  • Page 927 SSD Commands To reset the passphrase to the default passphrase, use the no passphrase. Syntax passphrase {passphrase} encrypted passphrase {encrypted-passphrase} no passphrase Parameters • passphrase—New system passphrase. • encrypted-passphrase—The passphrase in its encrypted form. Default Usage If this command is not entered, the default passphrase is used. Command Mode SSD Configuration mode User Guidelines...
  • Page 928: Ssd Rule

    SSD Commands Please reenter SSD passphrase:********** 47.3 ssd rule To configure an SSD rule, use ssd rule in SSD Configuration mode. A device grants read permission of sensitive data to users based on the SSD rules. A user that is granted Both or Plaintext read permission is also granted permission to enter SSD Configuration mode.
  • Page 929 The following is the order in which SSD rules are applied: • The SSD rules for specified users. • The SSD rule for the default-user (cisco). • The SSD rules for level-15 users. • The remaining SSD rules for all.
  • Page 930: Show Ssd

    SSD Commands switchxxxxxx(config-ssd)# encrypted ssd rule iurwe874jho32iu9ufjo32i83232fdefsd Example 4 - The following example deletes a default rule. switchxxxxxx(config-ssd)# no ssd rule all secure Example 5 - The following example deletes a user-defined rule. switchxxxxxx(config-ssd)# no ssd rule user james secure Example 6 - The following example deletes all rules.
  • Page 931 SSD Commands SSD Configuration mode Default Configuration Display all SSD information. Examples Example 1 - The following example displays all SSD information. switchxxxxxx(config-ssd)# show ssd SSD current parameters: Local Passphrase: Default File Passphrase Control: Unrestricted File Integrity Control: Disabled SSD parameters after reset: Local Passphrase: Default File Passphrase Control: Unrestricted...
  • Page 932: Ssd Session Read

    SSD Commands Level-15 secure Both Encrypted Default Level-15 insecure Both Encrypted Default secure Encrypted-Only Encrypted Default insecure Encrypted-Only Encrypted Default insecure-xml-snmp Plaintext-Only Plaintext *Default * Modified default entry Example 3 - The following example displays the SSD attributes. switchxxxxxx(config-ssd)# show ssd brief SSD current parameters: Local Passphrase: Default...
  • Page 933: Show Ssd Session

    SSD Commands Command Mode Global Configuration mode. Default The command itself does not have a default. However, note that the read mode of the session itself defaults to the default read mode of the SSD rule that the device uses to grant SSD permission to the user of the session. User Guidelines Use no ssd session read to restore the default read option of the SSD rules.
  • Page 934: Ssd File Passphrase Control

    SSD Commands User Read Permission: Both Current Session Read mode: Plaintext 47.7 ssd file passphrase control To provide an additional level of protection when copying configuration files to the startup configuration file, use ssd file passphrase control in SSD Configuration mode.
  • Page 935: Ssd File Integrity Control

    SSD Commands If a user-defined passphrase in Unrestricted mode is configured, it is highly recommended to enable SSD File Integrity Control. Enabling SSD File Integrity Control protects configuration files from tampering. Examples console(ssd-config)# ssd file passphrase control restricted console(ssd-config)# no ssd file passphrase control 47.8 ssd file integrity control To instruct the device to protect newly-generated configuration files that contain...
  • Page 936 SSD Commands A device determines whether the integrity of a configuration file is protected by examining the File Integrity Control command in the file. If a file is integrity-protected, but a device finds the integrity of the file is not intact, the device rejects the file.
  • Page 937: Ssh Client Commands

    SSH Client Commands 48.0 48.1 ip ssh-client authentication To define the SSH client authentication method used by the local SSH clients to be authenticated by remote SSH servers, use the ip ssh-client authentication command in Global Configuration mode. To return to default, use the no format of the command. Syntax ip ssh-client authentication {password | public-key {rsa | dsa}} no ip ssh-client authentication...
  • Page 938: Ip Ssh-Client Change Server Password

    SSH Client Commands Example The following example specifies that username and public key are used for authentication: switchxxxxxx(config)# ip ssh-client authentication public-key rsa 48.2 ip ssh-client change server password To change a password of an SSH client on a remote SSH server, use the ip ssh-client change server password command in Global Configuration mode.
  • Page 939: Ip Ssh-Client Key

    SSH Client Commands Example The following example changes a password of the local SSH clients: switchxxxxxx(config)# ip ssh-client change server password server 10.7.50.155 username john old-password &&&@@@aaff new-password &&&@@@aaee 48.3 ip ssh-client key To create a key pair for SSH client authentication by public key (either by generating a key or by importing a key), use the ip ssh-client key command in Global Configuration mode.
  • Page 940 SSH Client Commands User Guidelines When using the keyword generate, a private key and a public key of the given type (RSA/DSA) are generated for the SSH client. Downloading a configuration file with a Key Generating command is not allowed, and such download will fail. When using the keyword key-pair, the user can import a key-pair created by another device.
  • Page 941 SSH Client Commands This may take a few minutes, depending on the key size. Example 2 - In the following example, both public and private keys of the RSA type are imported (private key as plaintext): switchxxxxxx(config)# ip ssh-client key rsa key-pair Please paste the input now, add a period (.) on a separate line after the input -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDH6CU/2KYRl8rYrK5+TIvwS4zvhBmiC4I31m9cR/1iRTFViMRuJ++TEr...
  • Page 942: Ip Ssh-Client Password

    SSH Client Commands (Need to encrypted SSH client RSA key pair, for example:) Example 4 - In the following example, a DSA key pair is removed: switchxxxxxx(config)# no ip ssh-client key dsa Example 5 - In the following example, all key pairs (RSA and DSA types) are...
  • Page 943: Ip Ssh-Client Server Authentication

    SSH Client Commands Parameters • string—Password for the SSH clients (1 - 70 characters). The password cannot include the characters "@" and ":". • encrypted-string—Password for the SSH client in encrypted form. Default Configuration The default password is anonymous. Command Mode Global Configuration mode User Guidelines...
  • Page 944: Ip Ssh-Client Server Fingerprint

    SSH Client Commands Parameters This command has no arguments or keywords. Default Configuration SSH server authentication is disabled. Command Mode Global Configuration mode User Guidelines When remote SSH server authentication is disabled, any remote SSH server is accepted (even if there is no entry for the remote SSH server in the SSH Trusted Remote Server table).
  • Page 945: Ip Ssh-Client Source-Interface

    SSH Client Commands • ip-address—Specifies the address of an SSH server. The IP address can be an IPv4, IPv6 or IPv6z address. See IPv6z Address Conventions. • fingerprint—Fingerprint of the SSH server public key (32 Hex characters). Default Configuration The Trusted Remote SSH Server table is empty.
  • Page 946: Ipv6 Ssh-Client Source-Interface

    SSH Client Commands Syntax ip ssh-client source-interface interface-id no ip ssh-client source-interface Parameters • interface-id—Specifies the source interface. Default Configuration The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to the next hop IPv4 subnet. Command Mode Global Configuration mode User Guidelines...
  • Page 947: Ip Ssh-Client Username

    SSH Client Commands Syntax ipv6 ssh-client source-interface interface-id no ipv6 ssh-client source-interface Parameters • interface-id—(Optional) Specifies the source interface. Default Configuration The IPv6 source address is the IPv6 address defined on the outgoing interface and selected in accordance with RFC6724. Command Mode Global Configuration mode User Guidelines...
  • Page 948: Show Ip Ssh-Client

    SSH Client Commands Syntax ip ssh-client username string no ip ssh-client username Parameters • string—Username of the SSH client. The length is 1 - 70 characters. The username cannot include the characters "@" and ":". Default Configuration The default username is anonymous. Command Mode Global Configuration mode User Guidelines...
  • Page 949 SSH Client Commands • rsa—Specifies displaying the RSA key type. • mypubkey—Specifies that only the public key is selected to be displayed. Command Mode Privileged EXEC mode User Guidelines Use the command with a specific key-type to display the SSH client key; you can either specify display of the public key or the private key, or use no parameter to display both private and public keys.
  • Page 950 SSH Client Commands Example 2. The following example displays the authentication method and DSA private key in encrypted format: switchxxxxxx# show ip ssh-client key DSA Source IPv4 interface: vlan 1 Source IPv6 interface: vlan 10 Authentication method: DSA key Username: john Key Source: User Defined...
  • Page 951: Show Ip Ssh-Client Server

    SSH Client Commands Example 3. The following example displays the SSH client authentication method, the username and the password: switchxxxxxx# show ip ssh-client Source IPv4 interface: vlan 1 Source IPv6 interface: vlan 10 Authentication method: DSA key Username:...
  • Page 952 SSH Client Commands User Guidelines If a specific SSH server is specified, only the fingerprint of this SSH server is displayed. Otherwise, all known servers are displayed. Examples Example 1 - In the following example, the SSH remote server authentication method and all trusted remote SSH servers are displayed: switchxxxxxx# show ip ssh-client server...
  • Page 953 SSH Client Commands Example 3 - The following example displays the SSH client authentication method, the username and the password: switchxxxxxx# show ip ssh-client...
  • Page 954: Syslog Commands

    SYSLOG Commands 49.0 49.1 aaa logging To enable logging AAA logins, use the aaa logging Global Configuration mode command. To disable logging AAA logins, use the no form of this command. Syntax aaa logging {login} no aaa logging {login} Parameters login—Enables logging messages related to successful AAA login events, unsuccessful AAA login events and other AAA login-related events.
  • Page 955: Clear Logging

    SYSLOG Commands 49.2 clear logging To clear messages from the internal logging buffer, use the clear logging Privileged EXEC mode command. Syntax clear logging Parameters This command has no arguments or keywords. Default Configuration None Command Mode Privileged EXEC mode Example The following example clears messages from the internal logging buffer.
  • Page 956: File-System Logging

    SYSLOG Commands Default Configuration None Command Mode Privileged EXEC mode Example The following example clears messages from the logging file. switchxxxxxx# clear logging file Clear Logging File [y/n] 49.4 file-system logging To enable logging file system events, use the file-system logging Global Configuration mode command.
  • Page 957: Logging Buffered

    SYSLOG Commands Example The following example enables logging messages related to file copy operations. switchxxxxxx(config)# file-system logging copy 49.5 logging buffered To limit the SYSLOG message display to messages with a specific severity level, and to define the buffer size (number of messages that can be stored), use the logging buffered Global Configuration mode command.
  • Page 958: Logging Console

    SYSLOG Commands User Guidelines All the SYSLOG messages are logged to the internal buffer. This command limits the messages displayed to the user. Example The following example shows two ways of limiting the SYSLOG message display from an internal buffer to messages with severity level debugging. In the second example, the buffer size is set to 100 and severity level informational.
  • Page 959: Logging File

    SYSLOG Commands Example The following example limits logging messages displayed on the console to messages with severity level errors. switchxxxxxx(config)# logging console errors 49.7 logging file To limit SYSLOG messages sent to the logging file to messages with a specific severity level, use the logging file Global Configuration mode command.
  • Page 960: Logging Host

    SYSLOG Commands 49.8 logging host To log messages to the specified SYSLOG server, use the logging host Global Configuration command. To delete the SYSLOG server with the specified address from the list of SYSLOG servers, use the no form of this command. Syntax {ip-address | ipv6-address | hostname} port...
  • Page 961: Logging On

    SYSLOG Commands User Guidelines You can use multiple SYSLOG servers. Examples switchxxxxxx(config)# logging host 1.1.1.121 switchxxxxxx(config)# logging host 3000::100/SYSLOG1 49.9 logging on To enable message logging, use the logging on Global Configuration mode command. This command sends debug or error messages asynchronously to designated locations.
  • Page 962: Logging Source-Interface

    SYSLOG Commands Example The following example enables logging error messages. switchxxxxxx(config)# logging on 49.10 logging source-interface To specify the source interface whose IPv4 address will be used as the source IPv4 address for communication with IPv4 SYSLOG servers, use the logging source-interface Global Configuration mode command.
  • Page 963: Logging Source-Interface-Ipv6

    SYSLOG Commands Example The following example configures the VLAN 10 as the source interface. switchxxxxxx(config)# logging source-interface vlan 100 49.11 logging source-interface-ipv6 To specify the source interface whose IPv6 address will be used as the source IPv6 address for communication with IPv6 SYSLOG servers, use the logging source-interface-ipv6 Global Configuration mode command.
  • Page 964: Logging Aggregation On

    SYSLOG Commands Example The following example configures the VLAN 10 as the source interface. switchxxxxxx(config)# logging source-interface-ipv6 vlan 100 49.12 logging aggregation on To control aggregation of SYSLOG messages, use the logging aggregation on Global Configuration mode command. If aggregation is enabled, logging messages are displayed every time interval (according to the aging time specified by logging aggregation aging-time).
  • Page 965: Logging Aggregation Aging-Time

    SYSLOG Commands 49.13 logging aggregation aging-time To configure the aging time of the aggregated SYSLOG messages, use the logging aggregation aging-time Global Configuration mode command. The SYSLOG messages are aggregated during the time interval set by the aging-time parameter. To return to the default, use the no form of this command. Syntax logging aggregation aging-time no logging aggregation aging-time...
  • Page 966: Show Logging

    SYSLOG Commands Parameters • hostname—The system hostname will be used as the message origin identifier. • IP—IP address of the sending interface that is used as the message origin identifier. • IPv6—IPv6 address of the sending interface that is used as the message origin identifier.
  • Page 967 SYSLOG Commands Command Mode Privileged EXEC mode Example The following example displays the logging status and the SYSLOG messages stored in the internal buffer. switchxxxxxx# show logging Logging is enabled. Origin id: hostname Console Logging: Level info. Console Messages: 0 Dropped. Buffer Logging: Level info.
  • Page 968: Show Logging File

    SYSLOG Commands 49.16 show logging file To display the logging status and the SYSLOG messages stored in the logging file, use the show logging file Privileged EXEC mode command. Syntax show logging file Parameters This command has no arguments or keywords. Default Configuration None Command Mode...
  • Page 969: Show Syslog-Servers

    SYSLOG Commands File system Delete-Rename Enabled Management ACL Deny Enabled Aggregation: Disabled. Aggregation aging time: 300 Sec 1-Jan-2010 05:57:00 :%SSHD-E-ERROR: SSH error: key_read: type mismatch: encoding error 01-Jan-2010 05:56:36 :%SSHD-E-ERROR: SSH error: key_read: type mismatch: encoding error 01-Jan-2010 05:55:37 :%SSHD-E-ERROR: SSH error: key_read: type mismatch: encoding error 01-Jan-2010 05:55:03 :%SSHD-E-ERROR: SSH error: key_read: key_from_blob bgEgGnt9 z6NHgZwKI5xKqF7cBtdl1xmFgSEWuDhho5UedydAjVkKS5XR2...
  • Page 970 SYSLOG Commands Example The following example provides information about the SYSLOG servers. switchxxxxxx# show syslog-servers Source IPv4 interface: vlan 1 Source IPv6 interface: vlan 10 Device Configuration -------------------- IP address Port Facility Severity Description ------------- ---- --------- -------- -------------- 1.1.1.121 local7 info 3000::100...
  • Page 971: System Management Commands

    System Management Commands 50.0 50.1 disable ports leds To turn off the LEDs on all ports on a device, use the disable ports leds Global Configuration mode command. To set the LEDs of all the ports on the device to their current operational status of the port, use the no disable ports leds command.
  • Page 972: Hostname

    System Management Commands 50.2 hostname To specify or modify the device host name, use the hostname Global Configuration mode command. To remove the existing host name, use the no form of the command. Syntax hostname name no hostname Parameters name—Specifies the device host name. (Length: 1-160 characters. Maximum label size for each part of the host name: 58).
  • Page 973 System Management Commands Parameters • in hhh:mm | mmm—(Optional) Schedules a reload of the software to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days. • at hh:mm—(Optional) Schedules a reload of the software to take place at the specified time (using a 24-hour clock).
  • Page 974: Resume

    System Management Commands Examples Example 1: The following example reloads the operating system. switchxxxxxx> reload This command will reset the whole system and disconnect your current session. Do you want to continue? (y/n) [Y] Example 2: The following example reloads the operating system in 10 minutes. switchxxxxxx>...
  • Page 975: Service Cpu-Input-Rate

    System Management Commands Parameters connection—(Optional) Specifies the connection number. (Range: 1-4 connections.) Default Configuration The default connection number is that of the most recent connection. Command Mode Privileged EXEC mode Example The following command switches to open Telnet session number 1. switchxxxxxx>...
  • Page 976: Service Cpu-Utilization

    System Management Commands 50.6 service cpu-utilization To enable measuring CPU utilization, use the service cpu-utilization Global Configuration mode command. To restore the default configuration, use the no form of this command. Syntax service cpu-utilization no service cpu-utilization Parameters This command has no arguments or keywords. Default Configuration Measuring CPU utilization is enabled.
  • Page 977 System Management Commands • mode {router | switch}: router—Specifies that the device functions as a switch-router. • switch—Specifies that the device functions as a switch. • queues-mode {4|8}—Specifies that the system uses 4 or 8 QoS queues. Command Mode Privileged EXEC mode User Guidelines The system mode and the queues mode appear in the configuration file header...
  • Page 978 System Management Commands • When downgrading the queues mode from 8 queues to 4 queues, if queue-related configuration exists in the startup configuration file, the system will reject the downgrade of queues and will require the user to delete all the queue-related configuration from the startup configuration file before downgrading the queues mode. When changing the queues mode during configuration download to the startup configuration file, the existing queues configuration is not tested and the download will not be rejected.
  • Page 979: Show Cpu Input Rate

    50.8 show cpu input rate
    To display the rate of input frames to the CPU in packets per second (pps), use the show cpu input rate EXEC mode command.
    Syntax
    show cpu input rate
    Parameters
    This command has no arguments or keywords.
    Command Mode
    User EXEC mode
    Example...
  • Page 980: Show Environment

    Default Usage
    None
    Command Mode
    Privileged EXEC mode
    User Guidelines
    Use the service cpu-utilization command to enable measuring CPU utilization; show cpu utilization only displays the result.
    Example
    The following example displays CPU utilization information.
    switchxxxxxx> show cpu utilization
    CPU utilization service is on.
    CPU utilization
    --------------------------------------------------
    five seconds: 5%;...
  • Page 981
    User Guidelines
    The fan and temperature status parameters are available only on devices on which fans and/or temperature sensors are installed. Fan status can be one of:
    • OK - The fan(s) function correctly.
    • Failure - The fan failed.
    •...
  • Page 982: Show Inventory

    TEMPERATURE is Warning
    50.11 show inventory
    To display system information, use the show inventory EXEC mode command.
    Syntax
    show inventory [entity]
    Parameters
    entity—Specifies the entity to be displayed. It can be a number (1-8) for a specific unit number, or an interface (Ethernet) name.
  • Page 983: Show Sessions

    Syntax
    show reload
    Parameters
    This command has no arguments or keywords.
    Default Usage
    None
    Command Mode
    Privileged EXEC mode
    User Guidelines
    Use this command to display a pending software reload. To cancel a pending reload, use the reload cancel command (show reload itself takes no parameters).
    Example
    The following example displays that a reboot is scheduled for 00:00 on Saturday, April 20.
  • Page 984: Show System

    Command Mode
    User EXEC mode
    User Guidelines
    The show sessions command displays Telnet sessions to remote hosts opened by the current Telnet session to the local device. It does not display Telnet sessions to remote hosts opened by other Telnet sessions to the local device.
    Example
    The following example displays open Telnet sessions.
  • Page 985: Show System Mode

    Command Mode
    User EXEC mode
    Example
    switchxxxxxx> show system
    System Description:                   SG300-24P
    System Up Time (days,hour:min:sec):   03,02:27:46
    System Contact:
    System Name:                          switch151400
    System Location:
    System MAC Address:                   00:24:ab:15:14:00
    System Object ID:                     1.3.6.1.4.1.9.6.1.85.24.2
    Unit   Temperature (Celsius)   Status
    ----   ---------------------   ------
    50.15 show system mode
    To display information on features control, use the show system mode EXEC mode command.
  • Page 986: Show System Languages

    Command Mode
    User EXEC mode
    Example
    The following example displays system mode information.
    switchxxxxxx> show system mode
    Feature                 State
    -------------------     ---------
    Mode:                   Router
    Queues Configuration:   8 Queues
    50.16 show system languages
    To display the list of supported languages, use the show system languages EXEC mode command.
  • Page 987: Show System Tcam Utilization

    Language Name   Unicode Name   Code    Num of Sections
    -------------   ------------   -----   ---------------
    English         English        en-US
    Japanese        日本語          ja-JP
    50.17 show system tcam utilization
    To display the Ternary Content Addressable Memory (TCAM) utilization, use the show system tcam utilization EXEC mode command.
    Syntax
    show system tcam utilization
    Parameters...
  • Page 988: Show Tech-Support

    Syntax
    show services tcp-udp
    Parameters
    This command has no arguments or keywords.
    Command Mode
    Privileged EXEC mode
    User Guidelines
    The output does not show sessions where the device is a TCP/UDP client.
    Examples
    switchxxxxxx> show services tcp-udp
    Type   Local IP Address   Remote IP address   Service Name...
  • Page 989
    Syntax
    show tech-support [config | memory]
    Parameters
    • memory—(Optional) Displays memory and processor state data.
    • config—(Optional) Displays the switch configuration within the CLI commands supported on the device.
    Default Configuration
    By default, this command displays the output of technical-support-related show commands.
  • Page 990: Show System Fans

    • Proc info (like print OS tasks)
    • Versions of software components
    • Output of the command show cpu utilization
    50.20 show system fans
    To view the status of the fans on the device, use the show system fans EXEC mode command.
  • Page 991: Show System Sensors

    50.21 show system sensors
    To view the temperature sensor status, use the show system sensors EXEC mode command.
    Syntax
    show system sensors
    Parameters
    This command has no arguments or keywords.
    Default Usage
    None
    Command Mode
    User EXEC mode
    Examples
    Example 1: For standalone systems with a single sensor status
    switchxxxxxx>...
  • Page 992: Show System Id

    Unit   Sensor   Temperature(c)   Status
    ----   ------   --------------   -------
                                     Failure
    Example 4: For systems with multiple sensor statuses
    Unit/Sensor   Temperature(c)   Alarm Temp(C)   Sensor Status
    -----------   --------------   -------------   -------------
                                                   Failure
    50.22 show system id
    To display the system identity information, use the show system id EXEC mode command.
  • Page 993: Show Ports Leds Configuration

    50.23 show ports leds configuration
    To display whether the LEDs of the ports are enabled or disabled, use the show ports leds configuration EXEC mode command.
    Syntax
    show ports leds configuration
    Parameters
    This command has no arguments or keywords.
    Command Mode
    User EXEC mode
    Examples...
  • Page 994: Show Version

    Parameters
    This command has no arguments or keywords.
    Default Usage
    None
    Command Mode
    User EXEC mode
    Example
    The following example displays information about the active users.
    switchxxxxxx> show users
    Username     Protocol     Location
    ----------   ----------   ------------
                 Serial
    John                      172.16.0.1
    Robert       HTTP...
  • Page 995: Show Version Md5

    Example
    The following example displays system version information.
    switchxxxxxx> show version
    SW Version     1.1.0.5 ( date 15-Sep-2010 time 10:31:33 )
    Boot Version   1.1.0.2 ( date 04-Sep-2010 time 21:51:53 )
    HW Version
    50.26 show version md5
    To display the external MD5 digest of the firmware, use the show version md5 EXEC mode command. Compare the digest with the value published for the image to detect a corrupted or mismatched download; MD5 is not collision-resistant, so a matching digest is not proof of authenticity against a deliberate substitution.
  • Page 996
    Syntax
    system recovery
    no system recovery
    Parameters
    This command has no arguments or keywords.
    Default Configuration
    System recovery is enabled by default.
    Command Mode
    Global Configuration mode
    Example
    switchxxxxxx(config)# no system recovery
    OL-32830-01 Command Line Interface Reference Guide...
  • Page 997: Tacacs+ Commands

    TACACS+ Commands
    51.1 tacacs-server host
    To specify a TACACS+ host, use the tacacs-server host Global Configuration mode command. To delete the specified TACACS+ host, use the no form of this command.
    Syntax
    tacacs-server host {ip-address | hostname} [single-connection] [port port-number] [timeout timeout] [key key-string] [priority priority]...
  • Page 998: Tacacs-Server Host Source-Interface

    • key-string—(Optional) Specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the key configured on the TACACS+ daemon. To specify an empty string, enter "". (Length: 0-128 characters.) Note that with an empty key the TACACS+ packet bodies, including the credentials they carry, are sent without the protocol's key-based obfuscation. If this parameter is omitted, the globally-defined key (set in the tacacs-server key command...
    tacacs-server host source-interface...
  • Page 999: Tacacs-Server Host Source-Interface-Ipv6

    Syntax
    tacacs-server host source-interface interface-id
    no tacacs-server host source-interface
    Parameters
    • interface-id—Specifies the source interface.
    Default Configuration
    The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to the next hop IPv4 subnet.
    Command Mode
    Global Configuration mode
    User Guidelines...
  • Page 1000: Tacacs-Server Key

    Syntax
    tacacs-server host source-interface-ipv6 interface-id
    no tacacs-server host source-interface-ipv6
    Parameters
    • interface-id—Specifies the source interface.
    Default Configuration
    The IPv6 source address is the IPv6 address defined on the outgoing interface and selected in accordance with RFC 6724.
    Command Mode
    Global Configuration mode
    User Guidelines
    If the source interface is the outgoing interface, the source IPv6 address is an IPv6...
  • Page 1001: Tacacs-Server Timeout

    Syntax
    tacacs-server key key-string
    encrypted tacacs-server key encrypted-key-string
    no tacacs-server key
    Parameters
    • key-string—Specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the key configured on the TACACS+ daemon. (Length: 0–128 characters)
    •...
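    The following console session ties the reload/show reload entries and the TACACS+ entries above together. It is an added example, not text from the guide: it schedules a safety reload before touching AAA, sets a global key plus a per-host override, pins the source interface, and cancels the reload only after a fresh login through TACACS+ has been confirmed from a second session. The addresses, key strings, the aaa authentication login line, show tacacs and copy running-config startup-config are assumptions for illustration; the guide pages shown here document only reload, show reload and the tacacs-server commands.

```cisco
! Added example (not from the guide). Addresses and keys are placeholders.
! 1. Safety net: if the new AAA configuration locks this session out, the
!    switch reboots in 10 minutes and comes back on its saved startup-config,
!    discarding the unsaved change (see reload and show reload above).
switchxxxxxx# reload in 10
This command will reset the whole system and disconnect your current session. Do you want to continue? (y/n) [Y] y
switchxxxxxx# show reload

! 2. Global key, used by every host that does not carry its own key.
switchxxxxxx# configure
switchxxxxxx(config)# tacacs-server key Gl0bal-Shared-Secret
! Primary server: priority 0 is tried first; single-connection keeps one TCP
! session open instead of a new connection per request.
switchxxxxxx(config)# tacacs-server host 192.0.2.10 single-connection timeout 5 priority 0
! Secondary server with its own key (overrides the global key for this host only).
switchxxxxxx(config)# tacacs-server host 192.0.2.11 key Backup-Host-Secret timeout 5 priority 1
! Pin the source address so the daemon's client entry matches a known address
! regardless of which interface routes to the server.
switchxxxxxx(config)# tacacs-server host source-interface vlan 1
! Assumed AAA line (not on the pages above): TACACS+ first, local users as fallback.
switchxxxxxx(config)# aaa authentication login default tacacs local
switchxxxxxx(config)# exit

! 3. Verify the server list and keys (show tacacs is assumed here).
switchxxxxxx# show tacacs

! 4. Open a SECOND session and log in through TACACS+. Only once that works,
!    cancel the safety reload; otherwise let it fire and revert for you.
switchxxxxxx# reload cancel
! 5. Persist the change only after the test login succeeded (command assumed).
switchxxxxxx# copy running-config startup-config
```

    The 10-minute window is the budget for the test login. Keeping the local method as a fallback in the assumed AAA line matters as well: with both servers unreachable and no fallback, the only way back in would be the console.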