l2nat
To apply a Layer 2 NAT instance to one or more VLANs on a selected interface, enter the l2nat command in interface configuration mode.
Enter the no form of this command to remove a Layer 2 NAT instance from a VLAN or VLAN range.
l2nat instance_name [ vlan | vlan_range ]
no l2nat instance_name [ vlan | vlan_range ]
Syntax Description
instance_name |
The Layer 2 NAT instance that you want to apply to the selected interface |
vlan |
(Optional) A single VLAN to which the instance is applied. If a VLAN or VLAN range is not included, the instance applies to untagged traffic only. |
vlan_range |
(Optional) A range of VLANs to which the instance is applied. If a VLAN or VLAN range is not included, the instance applies to untagged traffic only. |
Command Modes
Interface configuration
Command History
Release |
Modification |
15.0(2)EB |
This command was introduced. |
Usage Guidelines
- The default VLAN is the native VLAN.
- If the same instance needs to be applied to both untagged and tagged traffic (in the case of the native VLAN), you need to explicitly apply the instance to both.
- You can only have one Layer 2 NAT instance per VLAN, but you can apply the same instance to multiple VLANs to reuse the same translations.
- This command is allowed only on Gigabit uplink interfaces.
- If you have configured two uplink ports in an EtherChannel and you subsequently apply an instance to one port, the same instance is applied to the other port. In the statistics, the numbers from both ports are combined and are reported for the EtherChannel.
- If ports are configured in ring mode, you will need to apply the same instances to the same VLAN/interface combinations. Statistics are reported individually for each uplink port.
Examples
This example shows how to apply the instance named Instance1 to VLAN 10.
Switch(config)# interface Gi1/1
Switch(config-if)# l2nat Instance1 10
This example applies an instance to the native VLAN:
Switch(config)# interface Gi1/1
Switch(config-if)# l2nat Instance1
Related Commands
Command |
Description |
inside from |
Translates inside addresses to outside addresses by using Layer 2 NAT. |
l2nat instance |
Creates a Layer 2 NAT instance or enters the submode for the specified Layer 2 NAT instance. |
outside from |
Translates outside addresses to inside addresses by using Layer 2 NAT. |
show l2nat instance |
Displays the configuration details for a specified Layer 2 NAT instance. |
show l2nat interface |
Displays the configuration details for Layer 2 NAT instances on one or more interfaces. |
show l2nat statistics |
Displays the Layer 2 NAT statistics for all interfaces. |
show l2nat statistics interface |
Displays the Layer 2 NAT statistics for a specified interface. |
l2nat instance
To create a Layer 2 NAT instance or to enter the submode to configure a Layer 2 NAT instance, use the l2nat instance command in global configuration mode. Use the no form of this command to remove a Layer 2 NAT instance.
l2nat instance instance_name
no l2nat instance instance_name
Syntax Description
instance_name |
A string that identifies this Layer 2 NAT instance |
Command Modes
Global configuration
Command History
Release |
Modification |
15.0(2)EB |
This command was introduced. |
Usage Guidelines
- The maximum number of instances is 128.
- There is no limitation on the number of translation entries per VLAN.
Examples
This example shows how to create a new l2nat instance named Instance1. This same command can then be used to enter the submode for this instance.
Switch(config)# l2nat instance Instance1
This example shows how to remove an l2nat instance named Instance1.
Switch(config)# no l2nat instance Instance1
Related Commands
Command |
Description |
debug l2nat |
Shows real-time Layer 2 NAT configuration details when applying a configuration. |
fixup |
Enables protocol fixups for a specified Layer 2 NAT instance. |
inside from |
Translates inside addresses to outside addresses by using Layer 2 NAT. |
l2nat |
Applies a Layer 2 NAT instance to one or all VLANs on a selected interface. |
outside from |
Translates outside addresses to inside addresses by using Layer 2 NAT. |
permit (config-l2nat configuration) |
Permits or blocks specified types of traffic that are not configured to be translated. |
show l2nat instance |
Displays the configuration details for a specified Layer 2 NAT instance. |
show l2nat interface |
Displays the configuration details for Layer 2 NAT instances on one or more interfaces. |
show l2nat statistics |
Displays the Layer 2 NAT statistics for all interfaces. |
show l2nat statistics interface |
Displays the Layer 2 NAT statistics for a specified interface. |
lacp port-priority
To configure the port priority for the Link Aggregation Control Protocol (LACP), use the lacp port-priority command in interface configuration mode. Use the no form of this command to return to the default setting.
lacp port-priority priority
no lacp port-priority
Syntax Description
priority |
Port priority for LACP. The range is 1 to 65535. |
Command Default
The default is 32768.
Command Modes
Interface configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The lacp port-priority interface configuration command determines which ports are bundled and which ports are put in hot-standby mode when there are more than eight ports in an LACP channel group.
An LACP channel group can have up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode.
In port-priority comparisons, a numerically lower value has a higher priority. When there are more than eight ports in an LACP channel group, the eight ports with the numerically lowest values (highest priority) for LACP port priority are bundled into the channel group, and the lower-priority ports are put in hot-standby mode. If two or more ports have the same LACP port priority (for example, they are configured with the default setting of 65535), an internal value for the port number determines the priority.
Note: The LACP port priorities are effective only if the ports are on the switch that controls the LACP link. See the lacp system-priority global configuration command for determining which switch controls the link.
Use the show lacp internal privileged EXEC command to display LACP port priorities and internal port number values.
For information about configuring LACP on physical ports, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
Examples
This example shows how to configure the LACP port priority on a port:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# lacp port-priority 1000
You can verify your settings by entering the show lacp [ channel-group-number ] internal privileged EXEC command.
Related Commands
Command |
Description |
channel-group |
Assigns an Ethernet port to an EtherChannel group. |
lacp system-priority |
Configures the LACP system priority. |
show lacp [ channel-group-number ] internal |
Displays internal information for all channel groups or for the specified channel group. |
lacp system-priority
To configure the system priority for the Link Aggregation Control Protocol (LACP), use the lacp system-priority command in global configuration mode. Use the no form of this command to return to the default setting.
lacp system-priority priority
no lacp system-priority
Syntax Description
priority |
System priority for LACP. The range is 1 to 65535. |
Command Default
The default is 32768.
Command Modes
Global configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The lacp system-priority command determines which switch in an LACP link controls port priorities.
An LACP channel group can have up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode. When there are more than eight ports in an LACP channel group, the switch on the controlling end of the link uses port priorities to determine which ports are bundled into the channel and which ports are put in hot-standby mode. Port priorities on the other switch (the noncontrolling end of the link) are ignored.
In priority comparisons, numerically lower values have higher priority. Therefore, the system with the numerically lower value (higher priority value) for LACP system priority becomes the controlling system. If both switches have the same LACP system priority (for example, they are both configured with the default setting of 32768), the LACP system ID (the switch MAC address) determines which switch is in control.
The lacp system-priority command applies to all LACP EtherChannels on the switch.
Use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag in the output display).
For more information about configuring LACP on physical ports, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
Examples
This example shows how to set the LACP system priority:
Switch(config)# lacp system-priority 20000
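The selection rules described under lacp port-priority and lacp system-priority, modelled as an added Python example (not Cisco code): the numerically lower system priority controls the link, ties fall back to the system ID (switch MAC address), and on the controlling end the eight ports with the lowest port priority are bundled while the rest go to hot-standby, with the internal port number breaking ties. Switch names, MAC addresses and internal port numbers used here are constructed for the model.

```python
from dataclasses import dataclass

MAX_PORTS_PER_GROUP = 16   # an LACP channel group holds up to 16 ports of the same type
MAX_ACTIVE_PORTS = 8       # up to eight ports active, the rest in hot-standby
DEFAULT_PRIORITY = 32768   # default for both lacp system-priority and lacp port-priority


@dataclass(frozen=True)
class LacpSystem:
    """One end of the LACP link: configured system priority plus the switch MAC
    address, which is the LACP system ID used as the tie-breaker."""
    name: str
    system_priority: int = DEFAULT_PRIORITY
    mac: str = "0000.0000.0000"   # constructed placeholder


@dataclass(frozen=True)
class LacpPort:
    """A channel-group member: configured port priority plus the internal port
    number that orders ports of equal priority (constructed for the model)."""
    name: str
    port_number: int
    port_priority: int = DEFAULT_PRIORITY


def _check_priority(value: int) -> int:
    # Both commands accept 1 to 65535.
    if not 1 <= value <= 65535:
        raise ValueError(f"priority {value} out of range 1-65535")
    return value


def _mac_as_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


def controlling_system(local: LacpSystem, peer: LacpSystem) -> LacpSystem:
    """The numerically lower system priority controls the link; on a tie the
    numerically lower system ID (MAC address) wins."""
    for system in (local, peer):
        _check_priority(system.system_priority)
    return min((local, peer),
               key=lambda s: (s.system_priority, _mac_as_int(s.mac)))


def select_ports(ports, *, local_controls: bool):
    """Split a channel group's members into (active, hot_standby) lists.

    On the controlling switch, the eight ports with the numerically lowest
    port priority are bundled; equal priorities are ordered by internal port
    number. Port priorities on the non-controlling end are ignored, which this
    model represents by ordering on port number alone (an assumption about how
    the peer's decision maps onto the local ports)."""
    if len(ports) > MAX_PORTS_PER_GROUP:
        raise ValueError(f"at most {MAX_PORTS_PER_GROUP} ports per channel group")
    for port in ports:
        _check_priority(port.port_priority)
    if local_controls:
        ordered = sorted(ports, key=lambda p: (p.port_priority, p.port_number))
    else:
        ordered = sorted(ports, key=lambda p: p.port_number)
    return ordered[:MAX_ACTIVE_PORTS], ordered[MAX_ACTIVE_PORTS:]


def hot_standby_names(ports, local: LacpSystem, peer: LacpSystem):
    """Names of the local ports that end up in hot-standby (the H flag in
    'show etherchannel summary') once the controlling system is known."""
    in_control = controlling_system(local, peer) is local
    _, standby = select_ports(ports, local_controls=in_control)
    return [p.name for p in standby]
```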
link-diag error-rate
To configure the window size for the link diagnostic feature, use the link-diag error-rate command in global configuration mode.
link-diag error-rate window-size seconds
Syntax Description
window-size seconds |
Specifies the link diagnostics error rate sliding-window duration in error-rate calculations; the duration range is from 5 to 600 seconds. |
Command Default
The default window size is 5 minutes.
Command Modes
Global configuration.
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The error rate is calculated based on a sliding window of time. For a given window size, the number of error packets and the total number of packets are sampled five equally spaced times within the window duration. The reported error rate is the average of the five samples, which allows the window to slide (or update) by a duration of one-fifth its size each time it is updated. The window size is configured in seconds and must be a multiple of 5 seconds. The corresponding sample rate for the default window is one sample per minute. As a consequence, after every change of the window size, the reported error rate is not accurate until one window duration has passed.
The counters used in the calculation are obtained from the platform counters using the show interface counter command. Reported packet errors for the receive direction include “alignment error,” “FCS error,” and “symbol error” frame error types. Reported packet errors for the transmit direction include “excessive collision” and “excessive defer” frame error types.
Examples
This example shows how to set the link-diag error-rate window size to 5 seconds:
Switch(config)# link-diag error-rate window-size 5
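The sliding-window calculation described in the usage guidelines, as an added Python model (not Cisco code): five equally spaced samples per window, the reported rate is the average of the five per-sample rates, and changing the window size discards history so no rate is reported until one full window has elapsed. The counter dictionary keys and the sample values are constructed for the model and are not the exact field names of show interface counter.

```python
from collections import deque

SAMPLES_PER_WINDOW = 5
MIN_WINDOW, MAX_WINDOW = 5, 600   # window-size range in seconds (from the page)
DEFAULT_WINDOW = 300              # default window size is 5 minutes

# Frame error types the page lists per direction. The keys are constructed
# labels for this model, not the literal counter names shown by the switch.
RX_ERROR_TYPES = ("alignment error", "FCS error", "symbol error")
TX_ERROR_TYPES = ("excessive collision", "excessive defer")


def error_count(counters: dict, direction: str) -> int:
    """Sum the platform error counters that feed the error rate for one direction."""
    if direction == "rx":
        types = RX_ERROR_TYPES
    elif direction == "tx":
        types = TX_ERROR_TYPES
    else:
        raise ValueError("direction must be 'rx' or 'tx'")
    return sum(counters.get(name, 0) for name in types)


class LinkDiagErrorRate:
    """Sliding-window error rate for one interface and one direction."""

    def __init__(self, window_size: int = DEFAULT_WINDOW):
        self.set_window_size(window_size)

    def set_window_size(self, seconds: int) -> None:
        if not MIN_WINDOW <= seconds <= MAX_WINDOW or seconds % 5:
            raise ValueError("window-size must be 5 to 600 seconds, a multiple of 5")
        self.window_size = seconds
        self.sample_interval = seconds // SAMPLES_PER_WINDOW
        # Changing the window discards history: the rate is not accurate again
        # until one full window (five new samples) has passed.
        self._rates = deque(maxlen=SAMPLES_PER_WINDOW)
        self._previous = None

    def sample(self, total_packets: int, error_packets: int) -> None:
        """Record one sample of cumulative counters, taken every sample_interval seconds."""
        if self._previous is not None:
            d_total = total_packets - self._previous[0]
            d_errors = error_packets - self._previous[1]
            if d_total < 0 or d_errors < 0:
                raise ValueError("counters are cumulative and must not decrease")
            # Per-sample rate over the packets seen since the previous sample.
            self._rates.append(d_errors / d_total if d_total else 0.0)
        self._previous = (total_packets, error_packets)

    def error_rate(self):
        """Average of the last five per-sample rates, or None until a full window has elapsed."""
        if len(self._rates) < SAMPLES_PER_WINDOW:
            return None
        return sum(self._rates) / SAMPLES_PER_WINDOW
```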
link state group
To configure a port as a member of a link-state group, use the link state group command in interface configuration mode. Use the no form of this command to remove the port from the link-state group.
link state group [ number ] { upstream | downstream }
no link state group [ number ] { upstream | downstream }
Syntax Description
number |
(Optional) The link-state group number. The group number can be 1 to 6. |
upstream |
Configures a port as an upstream port for a specific link-state group. |
downstream |
Configures a port as a downstream port for a specific link-state group. |
Command Default
The default group is group 1.
Command Modes
Interface configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the link state group interface configuration command to configure a port as an upstream or downstream interface for the specified link-state group. If the group number is omitted, the default group number is 1.
To enable link-state tracking, create a link-state group, and specify the interfaces that are assigned to the link-state group. An interface can be an aggregation of ports (an EtherChannel), a single physical port in access or trunk mode, or a routed port. In a link-state group, these interfaces are bundled together. The downstream interfaces are bound to the upstream interfaces. Interfaces connected to servers are referred to as downstream interfaces, and interfaces connected to distribution switches and network devices are referred to as upstream interfaces.
For more information about the interactions between the downstream and upstream interfaces, see the “Configuring EtherChannels and Link-State Tracking” chapter of the software configuration guide for this release.
Follow these guidelines to avoid configuration problems:
- An interface that is defined as an upstream interface cannot also be defined as a downstream interface in the same or a different link-state group. The reverse is also true.
- An interface cannot be a member of more than one link-state group.
- You can configure only two link-state groups per switch.
Examples
This example shows how to configure the interfaces as upstream in group 2:
Switch# configure terminal
Switch(config)# interface range gigabitethernet1/1 - 2
Switch(config-if-range)# link state group 2 upstream
Switch(config-if-range)# end
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
Command |
Description |
link state track |
Enables a link-state group. |
show link state group |
Displays the link-state group information. |
show running-config |
Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
link state track
To enable a link-state group, use the link state track command in global configuration mode. Use the no form of this command to disable a link-state group.
link state track [ number ]
no link state track [ number ]
Syntax Description
number |
(Optional) The link-state group number. The group number can be 1 to 6. The default is 1. |
Command Default
Link-state tracking is disabled for all groups.
Command Modes
Global configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the link state track global configuration command to enable a link-state group.
Examples
This example shows how to enable link-state group 2:
Switch(config)# link state track 2
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
Command |
Description |
link state group |
Configures an interface as a member of a link-state group. |
show link state group |
Displays the link-state group information. |
show running-config |
Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
location (global configuration)
To configure location information for an endpoint, use the location command in global configuration mode. Use the no form of this command to remove the location information.
location { admin-tag string | civic-location identifier id | elin-location string identifier id }
no location { admin-tag string | civic-location identifier id | elin-location string identifier id }
Syntax Description
admin-tag |
Configures administrative tag or site information. |
civic-location |
Configures civic location information. |
elin-location |
Configures emergency location information (ELIN). |
identifier id |
Specifies the ID for the civic location or the line location. The ID range is 1 to 4095. Note: The identifier for the civic location in the LLDP-MED TLV is limited to 250 bytes or less. To avoid error messages about available buffer space during switch configuration, be sure that the total length of all civic-location information specified for each civic-location identifier does not exceed 250 bytes. |
string |
The site or location information in alphanumeric format. |
Command Modes
Global configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
After entering the location civic-location identifier id global configuration command, you enter civic location configuration mode. In this mode, you can enter the civic location and the postal location information.
The civic-location identifier must not exceed 250 bytes.
Use the no lldp med-tlv-select location information interface configuration command to disable the location TLV. The location TLV is enabled by default. For more information, see the “Configuring LLDP and LLDP-MED” chapter of the software configuration guide for this release.
Examples
This example shows how to configure civic location information on the switch:
Switch(config)# location civic-location identifier 1
Switch(config-civic)# number 3550
Switch(config-civic)# primary-road-name "Cisco Way"
Switch(config-civic)# city "San Jose"
Switch(config-civic)# state CA
Switch(config-civic)# building 19
Switch(config-civic)# room C6
Switch(config-civic)# county "Santa Clara"
Switch(config-civic)# country US
Switch(config-civic)# end
You can verify your settings by entering the show location civic-location privileged EXEC command.
This example shows how to configure the emergency location information on the switch:
Switch(config)# location elin-location 14085553881 identifier 1
You can verify your settings by entering the show location elin privileged EXEC command.
location (interface configuration)
To enter location information for an interface, use the location command in interface mode. Use the no form of this command to remove the interface location information.
location { additional-location-information word | civic-location-id id | elin-location-id id }
no location { additional-location-information word | civic-location-id id | elin-location-id id }
Syntax Description
additional-location-information |
Configures additional information for a location or place. |
word |
A word or phrase that provides additional location information. |
civic-location-id |
Configures global civic location information for an interface. |
elin-location-id |
Configures emergency location information for an interface. |
id |
The ID for the civic location or the line location. The ID range is 1 to 4095. Note: The identifier for the civic location in the LLDP-MED TLV is limited to 250 bytes or less. To avoid error messages about available buffer space during switch configuration, be sure that the total length of all civic-location information specified for each civic-location ID does not exceed 250 bytes. |
Command Modes
Interface configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
After entering the location civic-location-id id interface configuration command, you enter civic location configuration mode. In this mode, you can enter the additional location information.
The civic-location identifier must not exceed 250 bytes.
Examples
This example shows how to enter civic location information for an interface:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# location civic-location-id 1
This example shows how to enter emergency location information for an interface:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# location elin-location-id 1
logging event
To enable notification of interface link status changes, use the logging event command in interface configuration mode. Use the no form of this command to disable notification.
logging event { bundle-status | link-status | spanning-tree | status | trunk-status }
no logging event { bundle-status | link-status | spanning-tree | status | trunk-status }
Syntax Description
bundle-status |
Enables notification of BUNDLE and UNBUNDLE messages. |
link-status |
Enables notification of interface data link status changes. |
spanning-tree |
Enables notification of spanning-tree events. |
status |
Enables notification of spanning-tree state change messages. |
trunk-status |
Enables notification of trunk-status messages. |
Command Default
Event logging is disabled.
Command Modes
Interface configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Examples
This example shows how to enable spanning-tree logging:
Switch(config-if)# logging event spanning-tree
logging file
To set logging file parameters, use the logging file command in global configuration mode. Use the no form of this command to return to the default setting.
logging file filesystem:filename [ max-file-size | nomax [ min-file-size ]] [ severity-level-number | type ]
no logging file filesystem:filename [ severity-level-number | type ]
Syntax Description
filesystem:filename |
Alias for a flash file system, followed by the path and name of the file that contains the log messages. The syntax for the local flash file system is flash: |
max-file-size |
(Optional) Maximum logging file size. The range is 4096 to 2147483647. |
nomax |
(Optional) Specifies the maximum file size of 2147483647. |
min-file-size |
(Optional) Minimum logging file size. The range is 1024 to 2147483647. |
severity-level-number |
(Optional) Logging severity level. The range is 0 to 7. See the type option for the meaning of each level. |
type |
(Optional) The logging type. These keywords are valid:
- emergencies —System is unusable (severity 0).
- alerts —Immediate action needed (severity 1).
- critical —Critical conditions (severity 2).
- errors —Error conditions (severity 3).
- warnings —Warning conditions (severity 4).
- notifications —Normal but significant messages (severity 5).
- informational —Information messages (severity 6).
- debugging —Debugging messages (severity 7).
|
Command Default
The minimum file size is 2048 bytes; the maximum file size is 4096 bytes.
The default severity level is 7 (debugging messages and numerically lower levels).
Command Modes
Global configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The log file is stored in ASCII text format in an internal buffer on the switch. You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. If the switch fails, the log is lost unless you had previously saved it to flash memory by using the logging file flash: filename global configuration command.
After saving the log to flash memory by using the logging file flash: filename global configuration command, you can use the more flash: filename privileged EXEC command to display its contents.
The command rejects the minimum file size if it is greater than the maximum file size minus 1024; the minimum file size then becomes the maximum file size minus 1024.
Specifying a level causes messages at that level and numerically lower levels to be displayed.
Examples
This example shows how to save informational log messages to a file in flash memory:
Switch(config)# logging file flash:logfile informational
You can verify your setting by entering the show running-config privileged EXEC command.
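A parser for the logging file command line as documented above, added here as a Python example (not Cisco code). It applies the ranges, the defaults, the severity keywords and the rule that a minimum file size larger than the maximum minus 1024 is replaced by that value, and it exposes the "this level and numerically lower levels" filter. Reading the syntax as "optional max-file-size or nomax, then optional min-file-size, then optional severity" is this example's interpretation of the syntax line.

```python
from dataclasses import dataclass

SEVERITY_KEYWORDS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
NOMAX_SIZE = 2147483647        # size selected by the nomax keyword
MIN_MAX_FILE_SIZE = 4096       # lower bound of the max-file-size range
MIN_MIN_FILE_SIZE = 1024       # lower bound of the min-file-size range
DEFAULT_MAX, DEFAULT_MIN, DEFAULT_SEVERITY = 4096, 2048, 7


@dataclass
class LoggingFileConfig:
    filesystem: str
    filename: str
    max_file_size: int
    min_file_size: int
    severity: int

    def accepts(self, level: int) -> bool:
        """Messages at the configured level and numerically lower levels are logged."""
        return 0 <= level <= self.severity


def _is_size(token: str) -> bool:
    # File sizes are always >= 1024, so a numeric token below that can only be a
    # severity-level-number (0 to 7); this keeps the two optional fields apart.
    return token.isdigit() and int(token) >= MIN_MIN_FILE_SIZE


def _parse_severity(token: str) -> int:
    if token in SEVERITY_KEYWORDS:
        return SEVERITY_KEYWORDS[token]
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    raise ValueError(f"unknown severity {token!r}")


def parse_logging_file(line: str) -> LoggingFileConfig:
    """Parse one 'logging file ...' global configuration line."""
    tokens = line.split()
    if tokens[:2] != ["logging", "file"] or len(tokens) < 3:
        raise ValueError("expected: logging file filesystem:filename ...")
    filesystem, sep, filename = tokens[2].partition(":")
    if not sep or not filesystem or not filename:
        raise ValueError("expected filesystem:filename, for example flash:logfile")

    rest = tokens[3:]
    max_size, min_size, severity = DEFAULT_MAX, DEFAULT_MIN, DEFAULT_SEVERITY

    if rest and (rest[0] == "nomax" or _is_size(rest[0])):
        max_size = NOMAX_SIZE if rest[0] == "nomax" else int(rest[0])
        if not MIN_MAX_FILE_SIZE <= max_size <= NOMAX_SIZE:
            raise ValueError("max-file-size must be 4096 to 2147483647")
        rest = rest[1:]
        if rest and _is_size(rest[0]):
            min_size = int(rest[0])
            if not MIN_MIN_FILE_SIZE <= min_size <= NOMAX_SIZE:
                raise ValueError("min-file-size must be 1024 to 2147483647")
            rest = rest[1:]

    if rest:
        severity = _parse_severity(rest[0])
        rest = rest[1:]
    if rest:
        raise ValueError(f"unexpected tokens: {' '.join(rest)}")

    # Page rule: a minimum greater than the maximum minus 1024 is rejected and
    # the minimum becomes the maximum minus 1024.
    if min_size > max_size - 1024:
        min_size = max_size - 1024

    return LoggingFileConfig(filesystem, filename, max_size, min_size, severity)
```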
Related Commands
Command |
Description |
show running-config |
Displays the running configuration on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
mab request format attribute 32
To enable VLAN ID-based MAC authentication on a switch, use the mab request format attribute 32 command in global configuration mode. Use the no form of this command to return to the default setting.
mab request format attribute 32 vlan access-vlan
no mab request format attribute 32 vlan access-vlan
Syntax Description
This command has no arguments or keywords.
Command Default
VLAN-ID based MAC authentication is disabled.
Command Modes
Global configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use this command to allow a RADIUS server to authenticate a new user based on the host MAC address and VLAN.
Use this command on networks with the Microsoft IAS RADIUS server. The Cisco ACS ignores this command.
Examples
This example shows how to enable VLAN-ID based MAC authentication on a switch:
Switch(config)# mab request format attribute 32 vlan access-vlan
Related Commands
Command |
Description |
authentication event |
Sets the action for specific authentication events. |
authentication fallback |
Configures a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. |
authentication host-mode |
Sets the authorization manager mode on a port. |
authentication open |
Enables or disables open access on a port. |
authentication order |
Sets the order of authentication methods used on a port. |
authentication periodic |
Enables or disables reauthentication on a port. |
authentication port-control |
Enables manual control of the port authorization state. |
authentication priority |
Adds an authentication method to the port-priority list. |
authentication timer |
Configures the timeout and reauthentication parameters for an 802.1x-enabled port. |
authentication violation |
Configures the violation modes that occur when a new device connects to a port or when a new device connects to a port with the maximum number of devices already connected to that port. |
mab |
Enables MAC-based authentication on a port. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
mab eap |
Configures a port to use the Extensible Authentication Protocol (EAP). For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
show authentication |
Displays information about authentication manager events on the switch. |
mac access-group
To apply a MAC access control list (ACL) to a Layer 2 interface, use the mac access-group command in interface configuration mode. Use the no form of this command to remove all MAC ACLs or the specified MAC ACL from the interface. You create the MAC ACL by using the mac access-list extended global configuration command.
mac access-group { name } in
no mac access-group { name }
Syntax Description
name |
A named MAC access list. |
in |
Specifies that the ACL is applied in the ingress direction. Outbound ACLs are not supported on Layer 2 interfaces. |
Command Default
No MAC ACL is applied to the interface.
Command Modes
Interface configuration (Layer 2 interfaces only)
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You can apply MAC ACLs only to ingress Layer 2 interfaces. You cannot apply MAC ACLs to Layer 3 interfaces.
On Layer 2 interfaces, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC access lists. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP ACL and a MAC ACL to the interface. You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.
If a MAC ACL is already configured on a Layer 2 interface and you apply a new MAC ACL to the interface, the new ACL replaces the previously configured one.
If you apply an ACL to a Layer 2 interface on a switch, and the switch has an input Layer 3 ACL or a VLAN map applied to a VLAN that the interface is a member of, the ACL applied to the Layer 2 interface takes precedence.
When an inbound packet is received on an interface with a MAC ACL applied, the switch checks the match conditions in the ACL. If the conditions are matched, the switch forwards or drops the packet, according to the ACL.
If the specified ACL does not exist, the switch forwards all packets.
For more information about configuring MAC extended ACLs, see the “Configuring Network Security with ACLs” chapter in the software configuration guide for this release.
Examples
This example shows how to apply a MAC extended ACL named macacl2 to an interface:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# mac access-group macacl2 in
You can verify your settings by entering the show mac access-group privileged EXEC command. You can see configured ACLs on the switch by entering the show access-lists privileged EXEC command.
Related Commands
Command |
Description |
show access-lists |
Displays the ACLs configured on the switch. |
show mac access-group |
Displays the MAC ACLs configured on the switch. |
show running-config |
Displays the running configuration on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
mac access-list extended
To create an access list based on MAC addresses for non-IP traffic, use the mac access-list extended command in global configuration mode. Using this command puts you in the extended MAC access-list configuration mode. Use the no form of this command to return to the default setting.
mac access-list extended name
no mac access-list extended name
Syntax Description
name |
Name assigned to the MAC extended access list. |
Command Default
By default, there are no MAC access lists created.
Command Modes
Global configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
MAC-named extended lists are used with VLAN maps and class maps.
You can apply named MAC extended ACLs to VLAN maps or to Layer 2 interfaces; you cannot apply named MAC extended ACLs to Layer 3 interfaces.
Entering the mac access-list extended command enables the MAC access-list configuration mode. These configuration commands are available:
- default —Sets a command to its default.
- deny —Specifies packets to reject. For more information, see the deny (MAC access-list configuration) MAC access-list configuration command.
- exit —Exits from MAC access-list configuration mode.
- no —Negates a command or sets its defaults.
- permit —Specifies packets to forward. For more information, see the permit (MAC access-list configuration) command.
For more information about MAC extended access lists, see the software configuration guide for this release.
Examples
This example shows how to create a MAC named extended access list named mac1 and to enter extended MAC access-list configuration mode:
Switch(config)# mac access-list extended mac1
This example shows how to delete MAC named extended access list mac1:
Switch(config)# no mac access-list extended mac1
You can verify your settings by entering the show access-lists privileged EXEC command.
mac address-table aging-time
To set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated, use the mac address-table aging-time command in global configuration mode. Use the no form of this command to return to the default setting.
mac address-table aging-time { 0 | 10-1000000 } [ vlan vlan-id ]
no mac address-table aging-time { 0 | 10-1000000 } [ vlan vlan-id ]
Syntax Description
0 |
Disables aging. Static address entries are never aged or removed from the table. |
10-1000000 |
Aging time in seconds. The range is 10 to 1000000 seconds. |
vlan vlan-id |
(Optional) Specifies the VLAN ID to which to apply the aging time. The range is 1 to 4094. |
Command Default
The default is 300 seconds.
Command Modes
Global configuration
Command History
Release |
Modification |
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The aging time applies to all VLANs or a specified VLAN.
If hosts do not send dynamic entries continuously, increase the aging time to record the dynamic entries for a longer time. Increasing the time can reduce the possibility of flooding when the hosts send again.
If you do not specify a specific VLAN, this command sets the aging time for all VLANs.
Examples
This example shows how to set the aging time to 200 seconds for all VLANs:
Switch(config)# mac address-table aging-time 200
You can verify your setting by entering the show mac address-table aging-time privileged EXEC command.
mac address-table learning vlan
To enable MAC address learning on a VLAN, use the mac address-table learning command in global configuration mode. Use the no form of this command to disable MAC address learning on a VLAN to control which VLANs can learn MAC addresses.
mac address-table learning vlan vlan-id
no mac address-table learning vlan vlan-id
Syntax Description
vlan-id |
A single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094. The VLAN cannot be an internal VLAN. |
Command Default
By default, MAC address learning is enabled on all VLANs.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
When you control MAC address learning on a VLAN, you can manage the available MAC address table space by controlling which VLANs and which ports can learn MAC addresses.
You can disable MAC address learning on a single VLAN ID (for example, no mac address-table learning vlan 223) or on a range of VLAN IDs (for example, no mac address-table learning vlan 1-20,15).
Before you disable MAC address learning, be sure that you are familiar with the network topology and the switch system configuration. Disabling MAC address learning on a VLAN might cause flooding in the network. For example, if you disable MAC address learning on a VLAN with a configured switch virtual interface (SVI), the switch floods all IP packets in the Layer 2 domain. If you disable MAC address learning on a VLAN that includes more than two ports, every packet entering the switch is flooded in that VLAN domain. We recommend that you disable MAC address learning only in VLANs that contain two ports and that you use caution before disabling MAC address learning on a VLAN with an SVI.
You cannot disable MAC address learning on a VLAN that the switch uses internally. If the VLAN ID that you enter in the no mac address-table learning vlan vlan-id command is an internal VLAN, the switch generates an error message and rejects the command. To view used internal VLANs, enter the show vlan internal usage privileged EXEC command.
You cannot disable MAC address learning on an RSPAN VLAN. The configuration is not allowed.
If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on the secure port. If you later disable port security on the interface, the disabled MAC address learning state takes effect on that port.
To display the MAC address learning status of all VLANs or of a specified VLAN, enter the show mac-address-table learning [ vlan vlan-id ] command.
Examples
This example shows how to disable MAC address learning on VLAN 2003:
Switch(config)# no mac address-table learning vlan 2003
mac address-table move update
To enable the MAC address table move update feature, use the mac address-table move update command in global configuration mode. Use the no form of this command to return to the default setting.
mac address-table move update { receive | transmit }
no mac address-table move update { receive | transmit }
Syntax Description
receive |
Specifies that the switch processes MAC address table move update messages. |
transmit |
Specifies that the switch sends MAC address table move update messages to other switches in the network if the primary link goes down and the standby link comes up. |
Command Default
By default, the MAC address table move update feature is disabled.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The MAC address table move update feature allows the switch to provide rapid bidirectional convergence if a primary (forwarding) link goes down and the standby link begins forwarding traffic.
You can configure the access switch to send the MAC address table move update messages if the primary link goes down and the standby link comes up. You can configure the uplink switches to receive and process the MAC address table move update messages.
Examples
This example shows how to configure an access switch to send MAC address table move update messages:
Switch# configure terminal
Switch(conf)# mac address-table move update transmit
This example shows how to configure an uplink switch to obtain and process MAC address table move update messages:
Switch# configure terminal
Switch(conf)# mac address-table move update receive
mac address-table notification
To enable the MAC address notification feature on the switch, use the mac address-table notification command in global configuration mode. Use the no form of this command to return to the default setting.
mac address-table notification { change [ history-size value | interval value ] | mac-move | threshold [[ limit percentage ] interval time ]}
no mac address-table notification { change [ history-size value | interval value ] | mac-move | threshold [[ limit percentage ] interval time ]}
Syntax Description
change |
Enables or disables the MAC notification on the switch. |
history-size value |
(Optional) Configures the maximum number of entries in the MAC notification history table. The range is 0 to 500 entries. The default is 1. |
interval value |
(Optional) Sets the notification trap interval. The switch sends the notification traps when this amount of time has elapsed. The range is 0 to 2147483647 seconds. The default is 1 second. |
mac-move |
Enables MAC move notification. |
threshold |
Enables MAC threshold notification. |
limit percentage |
(Optional) Enters the MAC utilization threshold percentage. The range is 1 to 100 percent. The default is 50 percent. |
interval time |
(Optional) Enters the time between MAC threshold notifications. The range is 120 to 1000000 seconds. The default is 120 seconds. |
Command Default
By default, the MAC address notification, MAC move, and MAC threshold monitoring are disabled.
The default MAC change trap interval is 1 second.
The default number of entries in the history table is 1.
The default MAC utilization threshold is 50 percent.
The default time between MAC threshold notifications is 120 seconds.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The MAC address notification change feature sends Simple Network Management Protocol (SNMP) traps to the network management system (NMS) whenever a new MAC address is added or an old address is deleted from the forwarding tables. MAC change notifications are generated only for dynamic and secure MAC addresses and are not generated for self addresses, multicast addresses, or other static addresses.
When you configure the history-size option, the existing MAC address history table is deleted, and a new table is created.
You enable the MAC address notification change feature by using the mac address-table notification change command. You must also enable MAC address notification traps on an interface by using the snmp trap mac-notification change interface configuration command and configure the switch to send MAC address traps to the NMS by using the snmp-server enable traps mac-notification change global configuration command.
You can also enable traps whenever a MAC address is moved from one port to another in the same VLAN by entering the mac address-table notification mac-move command and the snmp-server enable traps mac-notification move global configuration command.
To generate traps whenever the MAC address table threshold limit is reached or exceeded, enter the mac address-table notification threshold [ limit percentage ] | [ interval time ] command and the snmp-server enable traps mac-notification threshold global configuration command.
Examples
This example shows how to enable the MAC address table change notification feature, set the interval time to 60 seconds, and set the history size to 100 entries:
Switch(config)# mac address-table notification change
Switch(config)# mac address-table notification change interval 60
Switch(config)# mac address-table notification change history-size 100
mac address-table static
To add static addresses to the MAC address table, use the mac address-table static command in global configuration mode. Use the no form of this command to remove static entries from the table.
mac address-table static mac-addr vlan vlan-id interface interface-id
no mac address-table static mac-addr vlan vlan-id [ interface interface-id ]
Syntax Description
mac-addr |
Destination MAC address (unicast or multicast) to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface. |
vlan vlan-id |
Specifies the VLAN for which the packet with the specified MAC address is received. The range is 1 to 4094. |
interface interface-id |
Specifies the interface to which the received packet is forwarded. Valid interfaces include physical ports and port channels. |
Command Default
No static addresses are configured.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Examples
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination, the packet is forwarded to the specified interface.
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet 1/1
mac address-table static drop
To enable unicast MAC address filtering and to configure the switch to drop traffic with a specific source or destination MAC address, use the mac address-table static drop command in global configuration mode. Use the no form of this command to return to the default setting.
mac address-table static mac-addr vlan vlan-id drop
no mac address-table static mac-addr vlan vlan-id drop
Syntax Description
mac-addr |
Unicast source or destination MAC address. Packets with this MAC address are dropped. |
vlan vlan-id |
Specifies the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094. |
Command Default
Unicast MAC address filtering is disabled. The switch does not drop traffic for specific source or destination MAC addresses.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Follow these guidelines when using this command:
- Multicast MAC addresses, broadcast MAC addresses, and router MAC addresses are not supported. Packets that are forwarded to the CPU are also not supported.
- If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command.
For example, if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command, the switch drops packets with the specified MAC address as a source or destination.
If you enter the mac address-table static mac-addr vlan vlan-id drop global configuration command followed by the mac address-table static mac-addr vlan vlan-id interface interface-id command, the switch adds the MAC address as a static address.
Examples
This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
This example shows how to disable unicast MAC address filtering:
Switch(config)# no mac address-table static c2f3.220a.12f4 vlan 4
You can verify your setting by entering the show mac address-table static privileged EXEC command.
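The following Python model, added here as an illustration and not switch code, ties together the table behaviour described for the mac address-table aging-time, learning vlan, static and static drop commands: dynamic entries expire after the aging time (0 disables aging), a VLAN with learning disabled never populates the table so every unicast destination in it is flooded, a unicast filter entry drops the address as source or destination, and the static and drop forms of the command overwrite each other so that the command entered last wins. Port names, VLAN IDs and MAC addresses are constructed sample values.

```python
"""Constructed model of the MAC address table behaviour described for the
mac address-table aging-time, learning vlan, static and static drop
commands. Added illustration, not switch code; ports, VLAN ids and MAC
addresses are sample values."""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DEFAULT_AGING = 300  # documented default aging time in seconds
DROP = "drop"        # marker for a unicast MAC filter entry


@dataclass
class MacTable:
    ports: Set[str]
    # aging time per VLAN; the None key holds the value set for all VLANs
    aging: Dict[Optional[int], int] = field(default_factory=dict)
    learning_disabled: Set[int] = field(default_factory=set)
    # (vlan, mac) -> egress port, or DROP for "mac address-table static ... drop"
    static: Dict[Tuple[int, str], str] = field(default_factory=dict)
    # (vlan, mac) -> (port, time the entry was last used or updated)
    dynamic: Dict[Tuple[int, str], Tuple[str, float]] = field(default_factory=dict)

    def set_aging(self, seconds: int, vlan: Optional[int] = None) -> None:
        """mac address-table aging-time {0 | 10-1000000} [vlan vlan-id]; 0 disables aging."""
        if seconds != 0 and not 10 <= seconds <= 1000000:
            raise ValueError("aging time must be 0 or 10-1000000 seconds")
        self.aging[vlan] = seconds

    def aging_time(self, vlan: int) -> int:
        return self.aging.get(vlan, self.aging.get(None, DEFAULT_AGING))

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """mac address-table static mac vlan vlan-id interface port."""
        self.static[(vlan, mac)] = port   # the command entered last wins

    def add_drop(self, mac: str, vlan: int) -> None:
        """mac address-table static mac vlan vlan-id drop."""
        self.static[(vlan, mac)] = DROP   # overrides an earlier interface entry

    def remove_static(self, mac: str, vlan: int) -> None:
        """no mac address-table static mac vlan vlan-id [interface port | drop]."""
        self.static.pop((vlan, mac), None)

    def _expire(self, now: float) -> None:
        # Static entries are never aged; dynamic entries expire after the VLAN's aging time.
        for key, (_port, seen) in list(self.dynamic.items()):
            age = self.aging_time(key[0])
            if age and now - seen > age:
                del self.dynamic[key]

    def forward(self, vlan: int, src: str, dst: str, in_port: str,
                now: Optional[float] = None) -> Set[str]:
        """Return the set of egress ports for a unicast frame received on in_port."""
        now = time.time() if now is None else now
        self._expire(now)
        # Unicast MAC filtering matches the address as source or destination.
        if DROP in (self.static.get((vlan, src)), self.static.get((vlan, dst))):
            return set()
        # Learn the source unless learning is disabled on the VLAN or a static entry exists.
        if vlan not in self.learning_disabled and (vlan, src) not in self.static:
            self.dynamic[(vlan, src)] = (in_port, now)
        out = self.static.get((vlan, dst))
        if out is None and (vlan, dst) in self.dynamic:
            out = self.dynamic[(vlan, dst)][0]
        if out is None:
            return self.ports - {in_port}   # unknown destination: flooded in the VLAN
        return {out} - {in_port}
```

Running forward() for a pair of hosts, then again after more than the aging time has passed, shows the flooding that the aging-time guideline warns about; the same call sequence on a VLAN listed in learning_disabled floods on every frame, which is the effect the mac address-table learning vlan guideline describes for VLANs with more than two ports.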
macro apply
To apply a macro to an interface or to apply and trace a macro configuration on an interface, use the macro apply command in interface configuration mode.
macro { apply | trace } macro-name [ parameter { value }] [ parameter { value }] [ parameter { value }]
Syntax Description
apply |
Applies a macro to the specified interface. |
trace |
Applies a macro to an interface and debugs the macro. |
macro-name |
The name of the macro. |
parameter value |
(Optional) Specifies unique parameter values that are specific to the interface. You can enter up to three keyword-value pairs. Parameter keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. |
Command Modes
Interface configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You can use the macro trace macro-name interface configuration command to apply and show the macros running on an interface or to debug the macro to find any syntax or configuration errors.
If a command fails because of a syntax error or a configuration error when you apply a macro, the macro continues to apply the remaining commands to the interface.
When creating a macro that requires the assignment of unique values, use the parameter value keywords to designate values specific to the interface.
Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.
Some macros might contain keywords that require a parameter value. You can use the macro apply macro-name ? command to display a list of any required values in the macro. If you apply a macro without entering the keyword values, the commands are invalid and are not applied.
There are Cisco-default Smartports macros embedded in the switch software. You can display these macros and the commands they contain by using the show parser macro user EXEC command.
Follow these guidelines when you apply a Cisco-default Smartports macro on an interface:
- Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro name macro-name user EXEC command.
- Keywords that begin with $ indicate that a unique parameter value is required. Append the Cisco-default macro with the required values by using the parameter value keywords.
The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
When you apply a macro to an interface, the macro name is automatically added to the interface. You can display the applied commands and macro names by using the show running-configuration interface interface-id user EXEC command.
A macro applied to an interface range behaves the same way as a macro applied to a single interface. When you use an interface range, the macro is applied sequentially to each interface within the range. If a macro command fails on one interface, it is still applied to the remaining interfaces.
You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.
Examples
After you have created a macro by using the macro name global configuration command, you can apply it to an interface. This example shows how to apply a user-created macro called duplex to an interface:
Switch(config-if)# macro apply duplex
To debug a macro, use the macro trace interface configuration command to find any syntax or configuration errors in the macro as it is applied to an interface. This example shows how to troubleshoot the user-created macro called duplex on an interface:
Switch(config-if)# macro trace duplex
Applying command...‘duplex auto’
Applying command...‘speed nonegotiate’
This example shows how to display the Cisco-default cisco-desktop macro and how to apply the macro and set the access VLAN ID to 25 on an interface:
Switch# show parser macro cisco-desktop
--------------------------------------------------------------
Macro name : cisco-desktop
# Basic interface - Enable data VLAN only
# Recommended value for access vlan (AVID) should not be 1
switchport access vlan $AVID
# Enable port security limiting port to a single
# MAC address -- that of desktop
switchport port-security maximum 1
# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
# Configure port as an edge network port
spanning-tree bpduguard enable
--------------------------------------------------------------
Switch# configure terminal
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# macro apply cisco-desktop $AVID 25
This example shows how to apply a macro directly on to an interface:
Switch# configure terminal
Switch(config)#macro name duplex
Enter macro commands one per line. End with the character ‘@’.
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# macro apply duplex
macro description
To enter a description about which macros are applied to an interface, use the macro description command in interface configuration mode. Use the no form of this command to remove the description.
macro description text
no macro description text
Syntax Description
description text |
Enter a description about the macros that are applied to the specified interface. |
Command Modes
Interface configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the description keyword to associate comment text, or the macro name, with an interface. When multiple macros are applied on a single interface, the description text will be from the last applied macro.
This example shows how to add a description to an interface:
Switch(config-if)# macro description duplex settings
You can verify your settings by entering the show parser macro description privileged EXEC command.
Examples
This example shows how to use the predefined global macro with the description of ab-global:
Switch(config-if)# macro keywords $cip_vlan
#macro global description ab-global
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
service password-encryption
logging buffered 16384 debugging
errdisable recovery cause all
errdisable recovery interval 30
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
alarm facility power-supply relay major
alarm facility power-supply syslog
alarm facility power-supply notifies
alarm facility temperature primary relay major
alarm facility temperature primary syslog
alarm facility temperature primary notifies
alarm facility temperature secondary relay minor
alarm facility temperature secondary syslog
alarm facility temperature secondary notifies
alarm facility temperature secondary high 90
alarm facility temperature secondary low 0
access-list 101 permit udp any eq 2222 any dscp 55
access-list 102 permit udp any eq 2222 any dscp 47
access-list 103 permit udp any eq 2222 any dscp 43
access-list 104 permit udp any eq 2222 any
access-list 105 permit udp any eq 44818 any
access-list 105 permit tcp any eq 44818 any
access-list 106 permit udp any eq 319 any
access-list 107 permit udp any eq 320 any
class-map match-all CIP-Implicit_dscp_55
class-map match-all CIP-Implicit_dscp_47
class-map match-all CIP-Implicit_dscp_43
class-map match-all CIP-Implicit_dscp_any
class-map match-all CIP-Other
class-map match-all 1588-PTP-Event
class-map match-all 1588-PTP-General
class-map match-all voip-data
class-map match-all voip-control
police 320000 8000 exceed-action policed-dscp-transmit
police 32000 8000 exceed-action policed-dscp-transmit
policy-map CIP-PTP-Traffic
class CIP-Implicit_dscp_55
class CIP-Implicit_dscp_47
class CIP-Implicit_dscp_43
class CIP-Implicit_dscp_any
Related Commands
macro apply |
Applies a macro on an interface or applies and traces a macro on an interface. |
macro global |
Applies a macro on a switch or applies and traces a macro on a switch |
macro global description |
Adds a description about the macros that are applied to the switch. |
macro name |
Creates a macro. |
show parser macro |
Displays the macro definition for all macros or for the specified macro. |
macro description
To use a predefined macro description, use the macro description command in global interface mode.
macro description line
Syntax Description
line |
Name of the global macro. |
Command Modes
Global interface configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Smartport macros simplify switch configuration by allowing you to use predefined configurations. Instead of learning the advanced features of QoS, spanning tree, security, and other configurations in the CLI, you can point and click to configure ports based on the type of device that is connected. All of the configuration and testing will have already been done behind the scenes by Rockwell and Cisco Systems.
Related Commands
macro global description |
Use a predefined macro description. |
macro global
To apply a macro to a switch or to apply and trace a macro configuration on a switch, use the macro global command in global configuration mode.
macro global { apply | trace } macro-name [ parameter { value }] [ parameter { value }] [ parameter { value }]
Syntax Description
apply |
Applies a macro to the switch. |
trace |
Applies a macro to a switch and debugs the macro. |
macro-name |
The name of the macro. |
parameter value |
(Optional) Specifies unique parameter values that are specific to the switch. You can enter up to three keyword-value pairs. Parameter keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. |
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You can use the macro trace macro-name global configuration command to apply and to show the macros running on a switch or to debug the macro to find any syntax or configuration errors.
If a command fails because of a syntax error or a configuration error when you apply a macro, the macro continues to apply the remaining commands to the switch.
When creating a macro that requires the assignment of unique values, use the parameter value keywords to designate values specific to the switch.
Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.
Some macros might contain keywords that require a parameter value. You can use the macro global apply macro-name ? command to display a list of any required values in the macro. If you apply a macro without entering the keyword values, the commands are invalid and are not applied.
There are Cisco-default Smartports macros embedded in the switch software. You can display these macros and the commands they contain by using the show parser macro user EXEC command.
Follow these guidelines when you apply a Cisco-default Smartports macro on a switch:
- Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro name macro-name user EXEC command.
- Keywords that begin with $ indicate that a unique parameter value is required. Append the Cisco-default macro with the required values by using the parameter value keywords.
The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
When you apply a macro to a switch, the macro name is automatically added to the switch. You can display the applied commands and macro names by using the show running-configuration user EXEC command.
You can delete a global macro-applied configuration on a switch only by entering the no version of each command contained in the macro.
Examples
After you have created a new macro by using the macro name global configuration command, you can apply it to a switch. This example shows how to display the snmp macro and how to apply the macro, set the hostname to test-server, and set the IP precedence value to 7:
Switch# show parser macro name snmp
Macro type : customizable
#enable port security, linkup, and linkdown traps
snmp-server enable traps port-security
snmp-server enable traps linkup
snmp-server enable traps linkdown
#set SNMP trap notifications precedence
snmp-server ip precedence VALUE
--------------------------------------------------
Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7
To debug a macro, use the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to a switch. In this example, the ADDRESS parameter value was not entered, causing the snmp-server host command to fail while the remainder of the macro is applied to the switch:
Switch(config)# macro global trace snmp VALUE 7
Applying command...‘snmp-server enable traps port-security’
Applying command...‘snmp-server enable traps linkup’
Applying command...‘snmp-server enable traps linkdown’
Applying command...‘snmp-server host’
Applying command...‘snmp-server ip precedence 7’
This example shows how to apply a macro globally:
Switch# configure terminal
Switch(config)# macro global apply test-macro
macro global description
To enter a description about the macros that are applied to the switch, use the macro global description command in global configuration mode. Use the no form of this command to remove the description.
macro global description text
no macro global description text
Syntax Description
text |
A description about the macros that are applied to the switch. |
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the description keyword to associate comment text, or the macro name, with a switch. When multiple macros are applied on a switch, the description text will be from the last applied macro.
This example shows how to add a description to a switch:
Switch(config)# macro global description udld aggressive mode enabled
You can verify your settings by entering the show parser macro description privileged EXEC command.
Related Commands
macro apply |
Applies a macro on an interface or applies and traces a macro on an interface. |
macro description |
Adds a description about the macros that are applied to an interface. |
macro global |
Applies a macro on a switch or applies and traces a macro on a switch. |
macro name |
Creates a macro. |
show parser macro |
Displays the macro definition for all macros or for the specified macro. |
macro name
To create a configuration macro, use the macro name command in global configuration mode. Use the no form of this command to delete the macro definition.
macro name macro-name
no macro name macro-name
Syntax Description
macro-name |
Name of the macro. |
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
A macro can contain up to 3000 characters. Enter one macro command per line. Use the @ character to end the macro. Use the # character at the beginning of a line to enter comment text within the macro.
You can define mandatory keywords within a macro by using a help string to specify the keywords. Enter # macro keywords word to define the keywords that are available for use with the macro. You can enter up to three help string keywords separated by a space. If you enter more than three macro keywords, only the first three are shown.
Macro names are case sensitive. For example, the commands macro name Sample-Macro and macro name sample-macro will result in two separate macros.
When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This can cause commands that follow exit, end, or interface interface-id to execute in a different command mode.
The no form of this command only deletes the macro definition. It does not affect the configuration of those interfaces on which the macro is already applied. You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. Alternatively, you can create an anti-macro for an existing macro that contains the no form of all the corresponding commands in the original macro and then apply the anti-macro to the interface.
You can modify a macro by creating a new macro with the same name as the existing macro. The newly created macro overwrites the existing macro but does not affect the configuration of those interfaces on which the original macro was applied.
Examples
This example shows how to create a macro that defines the duplex mode and speed:
Switch(config)# macro name duplex
Enter macro commands one per line. End with the character ‘@’.
This example shows how to create a macro with # macro keywords:
Switch(config)# macro name test
switchport access vlan $VLANID
switchport port-security maximum $MAX
#macro keywords $VLANID $MAX
This example shows how to display the mandatory keyword values before you apply the macro to an interface:
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# macro apply test ?
WORD keyword to replace with a value e.g $VLANID,$MAX
Switch(config-if)# macro apply test $VLANID ?
WORD Value of first keyword to replace
Switch(config-if)# macro apply test $VLANID 2
WORD keyword to replace with a value e.g $VLANID,$MAX
Switch(config-if)# macro apply test $VLANID 2 $MAX ?
WORD Value of second keyword to replace
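The following Python code is an added model of the macro rules stated in the macro name and macro apply guidelines above; it is an illustration, not Cisco's implementation. It parses a macro body (one command per line, terminated by @, # lines as comments, # macro keywords declaring up to three required keywords), substitutes parameter values case-sensitively for every full occurrence of a keyword even inside a larger string, refuses to apply a command whose required keyword received no value, and keeps applying the remaining commands after one fails. The sample body is the test macro from the page; the demo_apply callback standing in for the switch command parser, and the handful of command words it recognises, are assumptions made for the example.

```python
"""Added model of Smartports macro storage and keyword substitution, following
the rules given for the macro name and macro apply commands. Illustration
only, not Cisco code. `demo_apply` is an assumed stand-in for the switch
command parser; TEST_MACRO is the `test` macro shown on the page."""
from typing import Callable, Dict, List, Tuple

MAX_PARAMS = 3   # at most three keyword-value pairs, and three help-string keywords
END_MARK = "@"   # terminates the macro body

# Assumption: the pretend parser accepts only commands starting with these words.
KNOWN_COMMANDS = {"switchport", "spanning-tree", "duplex", "speed"}


def demo_apply(command: str) -> bool:
    """Stand-in for the switch parser: True if the command 'applies', False on a syntax error."""
    return command.split()[0] in KNOWN_COMMANDS


def parse_macro(definition: str) -> Tuple[List[str], List[str]]:
    """Split a macro body into its commands and the keywords declared with
    '# macro keywords'. Lines starting with '#' are comments; only the first
    three declared keywords are kept, as the command reference states."""
    commands: List[str] = []
    keywords: List[str] = []
    for raw in definition.splitlines():
        line = raw.strip()
        if line == END_MARK:
            break
        if not line:
            continue
        if line.startswith("#"):
            body = line[1:].strip()
            if body.startswith("macro keywords"):
                keywords = body[len("macro keywords"):].split()[:MAX_PARAMS]
            continue
        commands.append(line)
    return commands, keywords


def substitute(command: str, params: Dict[str, str]) -> str:
    """Case-sensitive replacement of every full keyword occurrence, even inside a larger string."""
    for keyword, value in params.items():
        command = command.replace(keyword, value)
    return command


def apply_macro(definition: str, params: Dict[str, str],
                apply_fn: Callable[[str], bool] = demo_apply) -> List[Tuple[str, str]]:
    """Expand and apply each command; returns a trace of (command, status) like macro trace."""
    if len(params) > MAX_PARAMS:
        raise ValueError("at most three keyword-value pairs can be given")
    commands, required = parse_macro(definition)
    trace: List[Tuple[str, str]] = []
    for cmd in commands:
        expanded = substitute(cmd, params)
        if any(kw in expanded for kw in required):
            # A required keyword received no value: the command is invalid and not applied.
            trace.append((expanded, "invalid"))
        elif apply_fn(expanded):
            trace.append((expanded, "applied"))
        else:
            trace.append((expanded, "failed"))   # the macro continues with the next command
    return trace


class MacroStore:
    """Macro names are case sensitive; redefining a name overwrites the old body only."""
    def __init__(self) -> None:
        self.macros: Dict[str, str] = {}

    def define(self, name: str, body: str) -> None:
        self.macros[name] = body

    def apply(self, name: str, params: Dict[str, str],
              apply_fn: Callable[[str], bool] = demo_apply) -> List[Tuple[str, str]]:
        return apply_macro(self.macros[name], params, apply_fn)


# The `test` macro from the page, as typed after "macro name test".
TEST_MACRO = """switchport access vlan $VLANID
switchport port-security maximum $MAX
#macro keywords $VLANID $MAX
@
"""
```

Applying TEST_MACRO with both keyword values yields two applied commands; leaving out $MAX marks the port-security line invalid while the VLAN line still applies, which is the behaviour the guidelines describe for missing keyword values.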
Related Commands
macro apply |
Applies a macro on an interface or applies and traces a macro on an interface. |
macro description |
Adds a description about the macros that are applied to an interface. |
macro global |
Applies a macro on a switch or applies and traces a macro on a switch. |
macro global description |
Adds a description about the macros that are applied to the switch. |
show parser macro |
Displays the macro definition for all macros or for the specified macro. |
match (access-map configuration)
To set the VLAN map to match packets against one or more access lists, use the match access-map command in access-map mode. Use the no form of this command to remove the match parameters.
match { ip address { name | number } [ name | number ] [ name | number ]...} | { mac address { name } [ name ] [ name ]...}
no match { ip address { name | number } [ name | number ] [ name | number ]...} | { mac address { name } [ name ] [ name ]...}
Syntax Description
ip address | Sets the access map to match packets against an IP address access list.
mac address | Sets the access map to match packets against a MAC address access list.
name | Name of the access list to match packets against.
number | Number of the access list to match packets against. This option is not valid for MAC access lists.
Command Default
The default action is to have no match parameters applied to a VLAN map.
Command Modes
Access-map configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
You must enter one access list name or number; others are optional. You can match packets against one or more access lists. Matching any of the lists counts as a match of the entry.
In access-map configuration mode, use the match command to define the match conditions for a VLAN map applied to a VLAN. Use the action command to set the action that occurs when the packet matches the conditions.
Packets are matched only against access lists of the same protocol type; IP packets are matched against IP access lists, and all other packets are matched against MAC access lists.
Both IP and MAC addresses can be specified for the same map entry.
Examples
This example shows how to define and apply a VLAN access map vmap4 to VLANs 5 and 6 that will cause the interface to drop an IP packet if the packet matches the conditions defined in access list al2.
Switch(config)# vlan access-map vmap4
Switch(config-access-map)# match ip address al2
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan filter vmap4 vlan-list 5-6
You can verify your settings by entering the show vlan access-map privileged EXEC command.
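The matching rules from the usage guidelines, modelled in Python as an added example (not Cisco code): an entry's IP lists are consulted only for IP packets and its MAC lists only for everything else, any one list matching counts as a match, and a numbered list is rejected for match mac address. The contents of al2, the mac1 list and the packets are constructed; class and function names are this example's own.

```python
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]            # constructed packet: {'proto': 'ip' | 'other', ...}
AccessList = Callable[[Packet], bool]  # stand-in for an ACL: a predicate over a packet


class VlanMapEntry:
    """One entry of a VLAN access map: its match clauses and its action."""

    def __init__(self, action: str) -> None:
        assert action in ("drop", "forward")
        self.action = action
        self.ip_lists: List[str] = []
        self.mac_lists: List[str] = []

    def match(self, kind: str, *refs) -> "VlanMapEntry":
        """'match ip address ...' or 'match mac address ...'; at least one list is required."""
        if not refs:
            raise ValueError("at least one access list name or number is required")
        if kind == "ip address":
            self.ip_lists.extend(str(r) for r in refs)      # names or numbers are both valid
        elif kind == "mac address":
            if any(isinstance(r, int) for r in refs):
                raise ValueError("numbered lists are not valid for MAC access lists")
            self.mac_lists.extend(refs)
        else:
            raise ValueError(f"unknown match type: {kind}")
        return self

    def evaluate(self, pkt: Packet, acls: Dict[str, AccessList]) -> Optional[str]:
        """Return this entry's action if the packet matches any list of its own
        protocol type, else None. IP packets see only the IP lists; every other
        packet sees only the MAC lists."""
        lists = self.ip_lists if pkt["proto"] == "ip" else self.mac_lists
        return self.action if any(acls[name](pkt) for name in lists) else None


# Constructed access lists: al2 matches IP packets to one host, mac1 one source MAC.
ACLS: Dict[str, AccessList] = {
    "al2": lambda p: p.get("dst") == "192.0.2.10",
    "mac1": lambda p: p.get("src_mac") == "00:11:22:33:44:55",
}

# vmap4 from the example above: drop IP packets that match al2.
VMAP4_ENTRY = VlanMapEntry("drop").match("ip address", "al2")

# An entry that names both an IP and a MAC list; either type can match it.
MIXED_ENTRY = VlanMapEntry("forward").match("ip address", "al2").match("mac address", "mac1")


if __name__ == "__main__":
    ip_hit = {"proto": "ip", "dst": "192.0.2.10"}
    arp_frame = {"proto": "other", "dst": "192.0.2.10", "src_mac": "00:11:22:33:44:55"}
    print(VMAP4_ENTRY.evaluate(ip_hit, ACLS))     # drop
    print(VMAP4_ENTRY.evaluate(arp_frame, ACLS))  # None: non-IP, no MAC lists in vmap4
    print(MIXED_ENTRY.evaluate(arp_frame, ACLS))  # forward, via mac1
```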
Related Commands
Command | Description
access-list | Configures a standard numbered ACL. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0.
ip access list | Creates a named access list. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0.
mac access-list extended | Creates a named MAC address access list.
show access-lists | Specifies the action to be taken if the packet matches an entry in an access control list (ACL).
show vlan access-map | Displays the VLAN access maps created on the switch.
vlan access-map | Creates a VLAN access map.
match (class-map configuration)
To define the match criteria to classify traffic, use the match command in class-map configuration mode. Use the no form of this command to remove the match criteria.
match { access-group acl-index-or-name | input-interface interface-id-list | ip dscp dscp-list | ip precedence ip-precedence-list }
no match { access-group acl-index-or-name | input-interface interface-id-list | ip dscp dscp-list | ip precedence ip-precedence-list }
Syntax Description
access-group acl-index-or-name | Specifies the number or name of an IP standard or extended access control list (ACL) or MAC ACL. For an IP standard ACL, the ACL index range is 1 to 99 and 1300 to 1999. For an IP extended ACL, the ACL index range is 100 to 199 and 2000 to 2699.
input-interface interface-id-list | Specifies the physical ports to which the interface-level class map in a hierarchical policy map applies. This command can only be used in the child-level policy map and must be the only match condition in the child-level policy map. You can specify up to six entries in the list by specifying a port (counts as one entry), a list of ports separated by a space (each port counts as an entry), or a range of ports separated by a hyphen (counts as two entries). This option is available only when the switch is running the IP services image.
ip dscp dscp-list | Lists up to eight IP Differentiated Services Code Point (DSCP) values to match against incoming packets. Separate each value with a space. The range is 0 to 63. You also can enter a mnemonic name for a commonly used value.
ip precedence ip-precedence-list | Lists up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7. You also can enter a mnemonic name for a commonly used value.
Command Default
No match criteria are defined.
Command Modes
Class-map configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
The match command is used to specify which fields in the incoming packets are examined to classify the packets. Only the IP access group or the MAC access group matching to the Ether Type/Len are supported.
To define packet classification on a physical-port basis, only one match command per class map is supported. In this situation, the match-all and match-any keywords are equivalent.
For the match ip dscp dscp-list or the match ip precedence ip-precedence-list command, you can enter a mnemonic name for a commonly used value. For example, you can enter the match ip dscp af11 command, which is the same as entering the match ip dscp 10 command. You can enter the match ip precedence critical command, which is the same as entering the match ip precedence 5 command. For a list of supported mnemonics, enter the match ip dscp ? or the match ip precedence ? command to see the command-line help strings.
Use the input-interface interface-id-list keyword when you are configuring an interface-level class map in a hierarchical policy map. For the interface-id-list, you can specify up to six entries.
Examples
This example shows how to create a class map called class2, which matches all the incoming traffic with DSCP values of 10, 11, and 12:
Switch(config)# class-map class2
Switch(config-cmap)# match ip dscp 10 11 12
Switch(config-cmap)# exit
This example shows how to create a class map called class3, which matches all the incoming traffic with IP-precedence values of 5, 6, and 7:
Switch(config)# class-map class3
Switch(config-cmap)# match ip precedence 5 6 7
Switch(config-cmap)# exit
This example shows how to delete the IP-precedence match criteria and to classify traffic using acl1:
Switch(config)# class-map class2
Switch(config-cmap)# match ip precedence 5 6 7
Switch(config-cmap)# no match ip precedence
Switch(config-cmap)# match access-group acl1
Switch(config-cmap)# exit
This example shows how to specify a list of physical ports to which an interface-level class map in a hierarchical policy map applies:
Switch(config)# class-map match-all class4
Switch(config-cmap)# match input-interface gigabitethernet1/1 gigabitethernet1/2
Switch(config-cmap)# exit
This example shows how to specify a range of physical ports to which an interface-level class map in a hierarchical policy map applies:
Switch(config)# class-map match-all class4
Switch(config-cmap)# match input-interface gigabitethernet1/1 - gigabitethernet1/5
Switch(config-cmap)# exit
Related Commands
Command | Description
class-map | Creates a class map to be used for matching packets to the class whose name you specify.
show class-map | Displays quality of service (QoS) class maps.
mdix auto
To enable the automatic medium-dependent interface crossover (auto-MDIX) feature on the interface, use the mdix auto command in interface configuration mode. Use the no form of the command to return to the system default.
mdix auto
no mdix auto
Syntax Description
This command has no arguments or keywords.
Command Default
Auto-MDIX is enabled.
Command Modes
Interface configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately. Use the no form of this command to disable auto-MDIX.
When you enable auto-MDIX on an interface, you must also set the interface speed and duplex to auto so that the feature operates correctly.
When auto-MDIX (and autonegotiation of speed and duplex) is enabled on one or both of connected interfaces, link up occurs, even if the cable type (straight-through or crossover) is incorrect.
Auto-MDIX is supported on all 10/100 and 10/100/1000 Mb/s interfaces and on 10/100/1000BASE-TX small form-factor pluggable (SFP) module interfaces. It is not supported on 1000BASE-SX or -LX SFP module interfaces.
Examples
This example shows how to enable auto-MDIX on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
media-type rj45
To override the USB connection precedence when both the USB and RS-232 cables are connected, use the media-type rj45 command in line console configuration mode.
media-type rj45
no media-type rj45
Command Default
The RS-232 cable is used for connections.
Command Modes
Global Line Console configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
You can change your cable connection from a USB connection to an RJ-45 connection by using the media-type rj45 command, provided that you have both RJ-45 and RS-232 cables connected.
Examples
This example shows how to switch to an RJ-45 cable connection:
Switch(config)# line console 0
Switch(config-line)# media-type rj45
Related Commands
Command | Description
show interfaces capabilities | Displays the capabilities of all interfaces or the specified interface.
show interfaces transceiver properties | Displays speed and duplex settings and media-type on an interface.
mls qos
To enable quality of service (QoS) for the entire switch, use the mls qos command in global configuration mode. Use the no form of this command to reset all the QoS-related statistics and to disable the QoS features for the entire switch.
mls qos
no mls qos
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
This command has no arguments or keywords.
Command Default
QoS is disabled.
Command Modes
Global configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
When the mls qos command is entered, QoS is enabled with the default parameters on all ports in the system.
There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
When QoS is enabled with the mls qos global configuration command and all other QoS settings are set to their defaults, traffic is classified as best effort (the DSCP and CoS value is set to 0) without any policing. No policy maps are configured. The default port trust state on all ports is untrusted. The default ingress and egress queue settings are in effect.
QoS must be globally enabled to use QoS classification, policing, mark down or drop, queueing, and traffic-shaping features. You can create a policy map and attach it to a port before entering the mls qos command. However, until you enter the mls qos command, QoS processing is disabled.
Policy maps and class maps used to configure QoS are not deleted from the configuration by the no mls qos command, but entries corresponding to policy maps are removed from the switch hardware to save system resources. To reenable QoS with the previous configurations, use the mls qos command.
Toggling the QoS status of the switch with this command modifies (reallocates) the sizes of the queues. During the queue size modification, the queue is temporarily shut down during the hardware reconfiguration, and the switch drops newly arrived packets for this queue.
Examples
This example shows how to enable QoS on the switch:
You can verify your settings by entering the show mls qos privileged EXEC command.
mls qos aggregate-policer
To define policer parameters, which can be shared by multiple classes within the same policy map, use the mls qos aggregate-policer command in global configuration mode. Use the no form of this command to delete an aggregate policer.
mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action { drop | policed-dscp-transmit }
no mls qos aggregate-policer aggregate-policer-name
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
aggregate-policer-name | Name of the aggregate policer referenced by the police aggregate policy-map class configuration command.
rate-bps | The average traffic rate in bits per second (b/s). The range is 8000 to 1000000000.
burst-byte | The normal burst size in bytes. The range is 8000 to 1000000.
exceed-action drop | Specifies that the switch drop the packet when the specified rate is exceeded.
exceed-action policed-dscp-transmit | Specifies that the switch change the Differentiated Services Code Point (DSCP) of the packet to that specified in the policed-DSCP map and then send the packet when the specified rate is exceeded.
Command Default
No aggregate policers are defined.
Command Modes
Global configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
A policer defines a maximum permissible rate of transmission, a maximum burst size for transmissions, and an action to take if either maximum is exceeded.
Define an aggregate policer if the policer is shared with multiple classes.
Policers for a port cannot be shared with other policers for another port; traffic from two different ports cannot be aggregated for policing purposes.
The port ASIC device, which controls more than one physical port, supports 256 policers (255 user-configurable policers plus 1 policer reserved for internal use). The maximum number of user-configurable policers supported per port is 63. Policers are allocated on demand by the software and are constrained by the hardware and ASIC boundaries. You cannot reserve policers per port (there is no guarantee that a port will be assigned to any policer).
You apply an aggregate policer to multiple classes in the same policy map; you cannot use an aggregate policer across different policy maps.
You cannot delete an aggregate policer if it is being used in a policy map. You must first use the no police aggregate aggregate-policer-name policy-map class configuration command to delete the aggregate policer from all policy maps before using the no mls qos aggregate-policer aggregate-policer-name command.
Policing uses a token-bucket algorithm. You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using the burst-byte option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command. You configure how fast (the average rate) that the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command. For more information, see the software configuration guide for this release.
Examples
This example shows how to define the aggregate policer parameters and how to apply the policer to multiple classes in a policy map:
Switch(config)# mls qos aggregate-policer agg_policer1 1000000 1000000 exceed-action drop
Switch(config)# policy-map policy2
Switch(config-pmap)# class class1
Switch(config-pmap-c)# police aggregate agg_policer1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class2
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# police aggregate agg_policer1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class3
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police aggregate agg_policer2
Switch(config-pmap-c)# exit
You can verify your settings by entering the show mls qos aggregate-policer privileged EXEC command.
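The token-bucket behaviour described in the usage guidelines, as an added Python model (not Cisco code): agg_policer1 from the example above is replayed against a constructed 1.2 MB burst that arrives all at once, and a second policer uses exceed-action policed-dscp-transmit with a policed-DSCP map like the one built with mls qos map policed-dscp 1 2 3 4 5 6 to 0 on this page. Packet sizes, arrival times and the 8000 b/s policer are constructed values; class and function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    size_bytes: int
    dscp: int
    time_s: float        # arrival time in seconds (constructed)


@dataclass
class PolicedDscpMap:
    """policed-DSCP map; the default is the null map (every DSCP maps to itself)."""
    table: Dict[int, int] = field(default_factory=lambda: {d: d for d in range(64)})

    def mark_down(self, dscp_list: List[int], to_dscp: int) -> None:
        # one 'mls qos map policed-dscp dscp-list to mark-down-dscp' line
        assert len(dscp_list) <= 8 and 0 <= to_dscp <= 63
        for d in dscp_list:
            self.table[d] = to_dscp

    def lookup(self, dscp: int) -> int:
        return self.table[dscp]


class AggregatePolicer:
    """Single token bucket: tokens are bytes, refilled at rate-bps/8 per second up to
    a depth of burst-byte. A packet conforms if the bucket holds at least its size in
    tokens; otherwise the exceed-action applies."""

    def __init__(self, rate_bps: int, burst_byte: int, exceed_action: str,
                 policed_map: Optional[PolicedDscpMap] = None) -> None:
        assert 8000 <= rate_bps <= 1_000_000_000       # ranges stated on this page
        assert 8000 <= burst_byte <= 1_000_000
        assert exceed_action in ("drop", "policed-dscp-transmit")
        self.rate_bytes_per_s = rate_bps / 8.0
        self.depth = burst_byte
        self.tokens = float(burst_byte)               # bucket starts full
        self.last_time = 0.0
        self.exceed_action = exceed_action
        self.policed_map = policed_map or PolicedDscpMap()
        self.conforming = 0
        self.exceeding = 0

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(float(self.depth), self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_time = now

    def police(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return ('transmit', out_dscp) or ('drop', None)."""
        self._refill(pkt.time_s)
        if pkt.size_bytes <= self.tokens:
            self.tokens -= pkt.size_bytes
            self.conforming += 1
            return ("transmit", pkt.dscp)
        self.exceeding += 1                           # rate exceeded: no tokens consumed
        if self.exceed_action == "drop":
            return ("drop", None)
        return ("transmit", self.policed_map.lookup(pkt.dscp))


def run_burst(policer: AggregatePolicer, n: int, size_bytes: int, dscp: int,
              gap_s: float) -> List[Tuple[str, Optional[int]]]:
    """Offer n packets of size_bytes, spaced gap_s seconds apart, starting at t=0."""
    return [policer.police(Packet(size_bytes, dscp, i * gap_s)) for i in range(n)]


if __name__ == "__main__":
    # agg_policer1 from the CLI example above: 1 Mb/s average, 1,000,000-byte burst, drop
    drop_policer = AggregatePolicer(1_000_000, 1_000_000, "drop")
    run_burst(drop_policer, 1200, 1000, 46, 0.0)       # 1.2 MB arriving at once
    print(drop_policer.conforming, "conforming,", drop_policer.exceeding, "dropped")

    # Mark-down variant: DSCP 1-6 are policed to 0, as in the mls qos map example
    pmap = PolicedDscpMap()
    pmap.mark_down([1, 2, 3, 4, 5, 6], 0)
    mark_policer = AggregatePolicer(8000, 8000, "policed-dscp-transmit", pmap)
    print(run_burst(mark_policer, 9, 1000, 3, 0.0)[-1])  # ('transmit', 0)
```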
mls qos cos
To define the default class of service (CoS) value of a port or to assign the default CoS to all incoming packets on the port, use the mls qos cos command in interface configuration mode. Use the no form of this command to return to the default setting.
mls qos cos { default-cos | override }
no mls qos cos { default-cos | override }
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
default-cos | A default CoS value of a port. If packets are untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7.
override | Overrides the CoS of the incoming packets, and applies the default CoS value on the port to all incoming packets.
Command Default
The default CoS value for a port is 0.
CoS override is disabled.
Command Modes
Interface configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
You can use the default value to assign a CoS and Differentiated Services Code Point (DSCP) value to all incoming packets that are untagged (if the incoming packet does not have a CoS value). You also can assign a default CoS and DSCP value to all incoming packets by using the override keyword.
Use the override keyword when all incoming packets on certain ports deserve higher or lower priority than packets entering from other ports. Even if a port is previously set to trust DSCP, CoS, or IP precedence, this command overrides the previously configured trust state, and all the incoming CoS values are assigned the default CoS value configured with the mls qos cos command. If an incoming packet is tagged, the CoS value of the packet is modified with the default CoS of the port at the ingress port.
Examples
This example shows how to configure the default port CoS to 4 on a port:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# mls qos trust cos
Switch(config-if)# mls qos cos 4
This example shows how to assign all the packets entering a port to the default port CoS value of 4 on a port:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# mls qos cos 4
Switch(config-if)# mls qos cos override
You can verify your settings by entering the show mls qos interface privileged EXEC command.
mls qos dscp-mutation
To apply a Differentiated Services Code Point (DSCP)-to-DSCP-mutation map to a DSCP-trusted port, use the mls qos dscp-mutation command in interface configuration mode. Use the no form of this command to return the map to the default settings (no DSCP mutation).
mls qos dscp-mutation dscp-mutation-name
no mls qos dscp-mutation dscp-mutation-name
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
dscp-mutation-name | Name of the DSCP-to-DSCP-mutation map. This map was previously defined with the mls qos map dscp-mutation global configuration command.
Command Default
The default DSCP-to-DSCP-mutation map is a null map, which maps incoming DSCPs to the same DSCP values.
Command Modes
Interface configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
If two quality of service (QoS) domains have different DSCP definitions, use the DSCP-to-DSCP-mutation map to translate one set of DSCP values to match the definition of another domain. You apply the DSCP-to-DSCP-mutation map to the receiving port (ingress mutation) at the boundary of a quality of service (QoS) administrative domain.
With ingress mutation, the new DSCP value overwrites the one in the packet, and QoS handles the packet with this new value. The switch sends the packet out the port with the new DSCP value.
You can configure multiple DSCP-to-DSCP-mutation maps on ingress ports.
You apply the map only to DSCP-trusted ports. If you apply the DSCP mutation map to an untrusted port or to a class of service (CoS)-trusted or IP-precedence-trusted port, the command has no immediate effect until the port becomes DSCP-trusted.
Examples
This example shows how to define the DSCP-to-DSCP-mutation map named dscpmutation1 and to apply the map to a port:
Switch(config)# mls qos map dscp-mutation dscpmutation1 10 11 12 13 to 30
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos dscp-mutation dscpmutation1
This example shows how to remove the DSCP-to-DSCP-mutation map named dscpmutation1 from the port and to reset the map to the default:
Switch(config-if)# no mls qos dscp-mutation dscpmutation1
You can verify your settings by entering the show mls qos maps privileged EXEC command.
mls qos map
To define the class of service (CoS)-to-Differentiated Services Code Point (DSCP) map, DSCP-to-CoS map, the DSCP-to-DSCP-mutation map, the IP-precedence-to-DSCP map, and the policed-DSCP map, use the mls qos map command in global configuration mode. Use the no form of this command to return to the default map.
mls qos map { cos-dscp dscp1...dscp8 | dscp-cos dscp-list to cos | dscp-mutation dscp-mutation-name in-dscp to out-dscp | ip-prec-dscp dscp1...dscp8 | policed-dscp dscp-list to mark-down-dscp }
no mls qos map { cos-dscp | dscp-cos | dscp-mutation dscp-mutation-name | ip-prec-dscp | policed-dscp }
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
cos-dscp dscp1...dscp8 | Defines the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The range is 0 to 63.
dscp-cos dscp-list to cos | Defines the DSCP-to-CoS map. For dscp-list, enter up to eight DSCP values, with each value separated by a space. The range is 0 to 63. Then enter the to keyword. For cos, enter a single CoS value to which the DSCP values correspond. The range is 0 to 7.
dscp-mutation dscp-mutation-name in-dscp to out-dscp | Defines the DSCP-to-DSCP-mutation map. For dscp-mutation-name, enter the mutation map name. For in-dscp, enter up to eight DSCP values, with each value separated by a space. Then enter the to keyword. For out-dscp, enter a single DSCP value. The range is 0 to 63.
ip-prec-dscp dscp1...dscp8 | Defines the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The range is 0 to 63.
policed-dscp dscp-list to mark-down-dscp | Defines the policed-DSCP map. For dscp-list, enter up to eight DSCP values, with each value separated by a space. Then enter the to keyword. For mark-down-dscp, enter the corresponding policed (marked down) DSCP value. The range is 0 to 63.
Command Default
Table 1-1 shows the default CoS-to-DSCP map.
Table 1-1 Default CoS-to-DSCP Map
CoS | DSCP
0 | 0
1 | 8
2 | 16
3 | 24
4 | 32
5 | 40
6 | 48
7 | 56
Table 1-2 shows the default DSCP-to-CoS map.
Table 1-2 Default DSCP-to-CoS Map
DSCP | CoS
0–7 | 0
8–15 | 1
16–23 | 2
24–31 | 3
32–39 | 4
40–47 | 5
48–55 | 6
56–63 | 7
Table 1-3 shows the default IP-precedence-to-DSCP map.
Table 1-3 Default IP-Precedence-to-DSCP Map
IP Precedence | DSCP
0 | 0
1 | 8
2 | 16
3 | 24
4 | 32
5 | 40
6 | 48
7 | 56
The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value.
Command Modes
Global configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
All the maps are globally defined. All the maps, except the DSCP-to-DSCP-mutation map, are applied to all ports. The DSCP-to-DSCP-mutation map is applied to a specific port.
Examples
This example shows how to define the IP-precedence-to-DSCP map and to map IP-precedence values 0 to 7 to DSCP values of 0, 10, 20, 30, 40, 50, 55, and 60:
Switch# configure terminal
Switch(config)# mls qos map ip-prec-dscp 0 10 20 30 40 50 55 60
This example shows how to define the policed-DSCP map. DSCP values 1, 2, 3, 4, 5, and 6 are marked down to DSCP value 0. DSCP values that are not explicitly configured are not modified:
Switch# configure terminal
Switch(config)# mls qos map policed-dscp 1 2 3 4 5 6 to 0
This example shows how to define the DSCP-to-CoS map. DSCP values 20, 21, 22, 23, and 24 are mapped to CoS 1. DSCP values 10, 11, 12, 13, 14, 15, 16, and 17 are mapped to CoS 0:
Switch# configure terminal
Switch(config)# mls qos map dscp-cos 20 21 22 23 24 to 1
Switch(config)# mls qos map dscp-cos 10 11 12 13 14 15 16 17 to 0
This example shows how to define the CoS-to-DSCP map. CoS values 0 to 7 are mapped to DSCP values 0, 5, 10, 15, 20, 25, 30, and 35:
Switch# configure terminal
Switch(config)# mls qos map cos-dscp 0 5 10 15 20 25 30 35
This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly configured are not modified (remain as specified in the null map):
Switch# configure terminal
Switch(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 10
Switch(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10
Switch(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20
Switch(config)# mls qos map dscp-mutation mutation1 0 31 32 33 34 to 30
You can verify your settings by entering the show mls qos maps privileged EXEC command.
mls qos queue-set output buffers
To allocate buffers to a queue set (four egress queues per port), use the mls qos queue-set output buffers command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos queue-set output qset-id buffers allocation1... allocation4
no mls qos queue-set output qset-id buffers
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
qset-id | ID of the queue set. Each port belongs to a queue set, which defines all the characteristics of the four egress queues per port. The range is 1 to 2.
allocation1... allocation4 | Buffer space allocation (percentage) for each queue (four values for queues 1 to 4). For allocation1, allocation3, and allocation4, the range is 0 to 99. For allocation2, the range is 1 to 100 (including the CPU buffer). Separate each value with a space.
Command Default
All allocation values are equally mapped among the four queues (25, 25, 25, 25). Each queue has 1/4 of the buffer space.
Command Modes
Global configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
Specify four allocation values, and separate each with a space.
Allocate buffers according to the importance of the traffic; for example, give a large percentage of the buffer to the queue with the highest-priority traffic.
To configure different classes of traffic with different characteristics, use this command with the mls qos queue-set output qset-id threshold global configuration command.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
Examples
This example shows how to map a port to queue set 2. It allocates 40 percent of the buffer space to egress queue 1 and 20 percent to egress queues 2, 3, and 4:
Switch(config)# mls qos queue-set output 2 buffers 40 20 20 20
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# queue-set 2
You can verify your settings by entering the show mls qos interface [ interface-id ] buffers or the show mls qos queue-set privileged EXEC command.
mls qos queue-set output threshold
To configure the weighted tail-drop (WTD) thresholds, to guarantee the availability of buffers, and to configure the maximum memory allocation to a queue set (four egress queues per port), use the mls qos queue-set output threshold command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold
no mls qos queue-set output qset-id threshold [ queue-id ]
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
qset-id | ID of the queue set. Each port belongs to a queue set, which defines all the characteristics of the four egress queues per port. The range is 1 to 2.
queue-id | Specific queue in the queue set on which the command is performed. The range is 1 to 4.
drop-threshold1 drop-threshold2 | Two WTD thresholds expressed as a percentage of the allocated memory of the queue. The range is 1 to 3200 percent.
reserved-threshold | Amount of memory to be guaranteed (reserved) for the queue and expressed as a percentage of the allocated memory. The range is 1 to 100 percent.
maximum-threshold | Enables a queue in the full condition to get more buffers than are reserved for it. This is the maximum memory the queue can have before the packets are dropped. The range is 1 to 3200 percent.
Command Default
When quality of service (QoS) is enabled, WTD is enabled.
Table 1-4 shows the default WTD threshold settings.
Table 1-4 Default Egress Queue WTD Threshold Settings
Feature | Queue 1 | Queue 2 | Queue 3 | Queue 4
WTD drop threshold 1 | 100 percent | 200 percent | 100 percent | 100 percent
WTD drop threshold 2 | 100 percent | 200 percent | 100 percent | 100 percent
Reserved threshold | 50 percent | 100 percent | 50 percent | 50 percent
Maximum threshold | 400 percent | 400 percent | 400 percent | 400 percent
Command Modes
Global configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
Use the mls qos queue-set output qset-id buffers global configuration command to allocate a fixed number of buffers to the four queues in a queue set.
The drop-threshold percentages can exceed 100 percent and can be up to the maximum (if the maximum threshold exceeds 100 percent).
While buffer ranges allow individual queues in the queue set to use more of the common pool when available, the maximum number of packets for each queue is still internally limited to 400 percent, or 4 times the allocated number of buffers. One packet can use one or more buffers.
The range increased in Cisco IOS Release 15.0(25)SEE1 or later for the drop-threshold1, drop-threshold2, and maximum-threshold parameters.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to decide whether to grant buffer space to a requesting queue. The switch decides whether the target queue has not consumed more buffers than its reserved amount (under-limit), whether it has consumed all of its maximum buffers (over-limit), and whether the common pool is empty (no free buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
Examples
This example shows how to map a port to queue set 2. It configures the drop thresholds for queue 2 to 40 and 60 percent of the allocated memory, guarantees (reserves) 100 percent of the allocated memory, and configures 200 percent as the maximum memory this queue can have before packets are dropped:
Switch(config)# mls qos queue-set output 2 threshold 2 40 60 100 200
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# queue-set 2
You can verify your settings by entering the show mls qos interface [ interface-id ] buffers or the show mls qos queue-set privileged EXEC command.
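The buffer allocation scheme from the usage guidelines above, as an added Python model (not Cisco code): a port's buffers are split across the four egress queues by mls qos queue-set output buffers, each queue keeps its reserved share and the rest forms the common pool, and the threshold command sets the two WTD drop thresholds, the reserved and the maximum percentage. The model reproduces queue set 2 from the CLI examples (buffers 40 20 20 20, queue 2 threshold 40 60 100 200) with the Table 1-4 defaults elsewhere. A port total of 100 buffers and the per-packet threshold id (1, 2 or 3, where 3 means the queue maximum) are constructed inputs; names are this example's own.

```python
from typing import Dict, List, Tuple

# Table 1-4 defaults per queue: (drop-threshold1, drop-threshold2, reserved, maximum)
DEFAULT_THRESHOLDS: Dict[int, Tuple[int, int, int, int]] = {
    1: (100, 100, 50, 400),
    2: (200, 200, 100, 400),
    3: (100, 100, 50, 400),
    4: (100, 100, 50, 400),
}


class EgressQueue:
    def __init__(self, allocated: int, thresholds: Tuple[int, int, int, int]) -> None:
        self.allocated = allocated      # buffers allocated to this queue
        self.in_use = 0
        self.from_common = 0            # how many of in_use were taken from the common pool
        self.set_thresholds(thresholds)

    def set_thresholds(self, thresholds: Tuple[int, int, int, int]) -> None:
        t1, t2, reserved_pct, max_pct = thresholds
        assert 1 <= t1 <= 3200 and 1 <= t2 <= 3200          # ranges stated on this page
        assert 1 <= reserved_pct <= 100 and 1 <= max_pct <= 3200
        self.reserved = self.allocated * reserved_pct // 100  # guaranteed buffers
        self.maximum = self.allocated * max_pct // 100        # hard cap: over-limit beyond this
        # A packet carries a threshold id 1, 2 or 3; id 3 is the queue maximum.
        self.wtd = {1: self.allocated * t1 // 100,
                    2: self.allocated * t2 // 100,
                    3: self.maximum}


class QueueSet:
    """One port's queue set: four egress queues plus the shared common pool."""

    def __init__(self, total_buffers: int, allocation_pcts: List[int]) -> None:
        assert len(allocation_pcts) == 4 and sum(allocation_pcts) == 100
        self.queues = {qid: EgressQueue(total_buffers * pct // 100, DEFAULT_THRESHOLDS[qid])
                       for qid, pct in enumerate(allocation_pcts, start=1)}
        reserved_total = sum(q.reserved for q in self.queues.values())
        self.common_free = total_buffers - reserved_total    # everything not reserved

    def threshold(self, queue_id: int, t1: int, t2: int, reserved_pct: int, max_pct: int) -> None:
        """'mls qos queue-set output <id> threshold <queue-id> t1 t2 reserved maximum'."""
        q = self.queues[queue_id]
        before = q.reserved
        q.set_thresholds((t1, t2, reserved_pct, max_pct))
        self.common_free -= q.reserved - before              # reserving more shrinks the pool

    def enqueue(self, queue_id: int, threshold_id: int) -> str:
        q = self.queues[queue_id]
        if q.in_use >= q.maximum:
            return "drop:over-limit"                # queue consumed all its maximum buffers
        if q.in_use >= q.wtd[threshold_id]:
            return "drop:wtd"                       # tail-drop for this packet's threshold
        if q.in_use < q.reserved:
            q.in_use += 1
            return "ok:reserved"                    # under-limit: served from the reserved pool
        if self.common_free == 0:
            return "drop:common-pool-empty"         # no free buffers in the common pool
        self.common_free -= 1
        q.in_use += 1
        q.from_common += 1
        return "ok:common"

    def dequeue(self, queue_id: int) -> None:
        q = self.queues[queue_id]
        assert q.in_use > 0
        q.in_use -= 1
        if q.from_common > 0:                       # borrowed buffers go back to the pool first
            q.from_common -= 1
            self.common_free += 1


def build_page_example(total_buffers: int = 100) -> QueueSet:
    """Queue set 2 as configured in the examples: buffers 40 20 20 20, queue 2 threshold 40 60 100 200."""
    qs = QueueSet(total_buffers, [40, 20, 20, 20])
    qs.threshold(2, 40, 60, 100, 200)
    return qs


def send(qs: QueueSet, queue_id: int, threshold_id: int, n: int) -> Tuple[int, str]:
    """Offer n packets to one queue; return (accepted count, result of the last packet)."""
    results = [qs.enqueue(queue_id, threshold_id) for _ in range(n)]
    return sum(r.startswith("ok") for r in results), results[-1]


if __name__ == "__main__":
    qs = build_page_example()
    print(send(qs, 2, 1, 9))     # (8, 'drop:wtd'): threshold 1 is 40% of 20 buffers
    print(send(qs, 2, 3, 40))    # reserved first, then the common pool, then over-limit
    print(send(qs, 1, 3, 41))    # queue 1 starves once the common pool is empty
```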
mls qos rewrite ip dscp
To configure the switch to change (rewrite) the Differentiated Services Code Point (DSCP) field of an incoming IP packet, use the mls qos rewrite ip dscp command in global configuration mode. Use the no form of this command to configure the switch to not modify (rewrite) the DSCP field of the packet and to enable DSCP transparency.
mls qos rewrite ip dscp
no mls qos rewrite ip dscp
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
This command has no arguments or keywords.
Command Default
DSCP transparency is disabled. The switch changes the DSCP field of the incoming IP packet.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
DSCP transparency affects only the DSCP field of a packet at the egress. If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.
By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
Regardless of the DSCP transparency configuration, the switch modifies the internal DSCP value of the packet that the switch uses to generate a class of service (CoS) value representing the priority of the traffic. The switch also uses the internal DSCP value to select an egress queue and threshold.
For example, if QoS is enabled and an incoming packet has a DSCP value of 32, the switch might modify the internal DSCP value based on the policy-map configuration and change the internal DSCP value to 16. If DSCP transparency is enabled, the outgoing DSCP value is 32 (same as the incoming value). If DSCP transparency is disabled, the outgoing DSCP value is 16 because it is based on the internal DSCP value.
Examples
This example shows how to enable DSCP transparency and configure the switch to not change the DSCP value of the incoming IP packet:
Switch(config)# no mls qos rewrite ip dscp
This example shows how to disable DSCP transparency and configure the switch to change the DSCP value of the incoming IP packet:
Switch(config)# mls qos rewrite ip dscp
You can verify your settings by entering the show running-config | include rewrite privileged EXEC command.
Related Commands
mls qos |
Enables QoS globally. |
show mls qos |
Displays QoS information. |
show running-config | include rewrite |
Displays the DSCP transparency setting. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
mls qos srr-queue input bandwidth
To assign shaped round robin (SRR) weights to an ingress queue, use the mls qos srr-queue input bandwidth command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos srr-queue input bandwidth weight1 weight2
no mls qos srr-queue input bandwidth
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
weight1 weight2 |
The ratio of weight1 to weight2 determines how often the SRR scheduler dequeues packets from ingress queue 1 relative to ingress queue 2. The range is 1 to 100. Separate each value with a space. |
Command Default
Weight1 and weight2 are 4 (1/2 of the bandwidth is equally shared between the two queues).
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The ratio of the weights is the ratio of the frequency with which the SRR scheduler dequeues packets from each queue.
SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. SRR then shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
You specify which ingress queue is the priority queue by using the mls qos srr-queue input priority-queue global configuration command.
Examples
This example shows how to assign the ingress bandwidth for the queues. Priority queueing is disabled, and the shared bandwidth ratio allocated to queue 1 is 25/(25+75) and to queue 2 is 75/(25+75):
Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 0
Switch(config)# mls qos srr-queue input bandwidth 25 75
In this example, queue 2 has three times the bandwidth of queue 1; queue 2 is serviced three times as often as queue 1.
This example shows how to assign the ingress bandwidths for the queues. Queue 1 is the priority queue with 10 percent of the bandwidth allocated to it. The bandwidth ratio allocated to queues 1 and 2 is 4/(4+4). SRR services queue 1 (the priority queue) first for its configured 10 percent bandwidth. Then SRR equally shares the remaining 90 percent of the bandwidth between queues 1 and 2 by allocating 45 percent to each queue:
Switch(config)# mls qos srr-queue input priority-queue 1 bandwidth 10
Switch(config)# mls qos srr-queue input bandwidth 4 4
You can verify your settings by entering the show mls qos interface [ interface-id ] queueing or the show mls qos input-queue privileged EXEC command.
mls qos srr-queue input buffers
To allocate the buffers between the ingress queues, use the mls qos srr-queue input buffers command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos srr-queue input buffers percentage1 percentage2
no mls qos srr-queue input buffers
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
percentage1 percentage2 |
Percentage of buffers allocated to ingress queues 1 and 2. The range is 0 to 100. Separate each value with a space. |
Command Default
Ninety percent of the buffers are allocated to queue 1, and 10 percent of the buffers are allocated to queue 2.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You should allocate the buffers so that the queues can handle any incoming bursty traffic.
Examples
This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2:
Switch(config)# mls qos srr-queue input buffers 60 40
You can verify your settings by entering the show mls qos interface [ interface-id ] buffers or the show mls qos input-queue privileged EXEC command.
mls qos srr-queue input cos-map
To map class of service (CoS) values to an ingress queue or to map CoS values to a queue and to a threshold ID, use the mls qos srr-queue input cos-map command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos srr-queue input cos-map queue queue-id { cos1...cos8 | threshold threshold-id cos1...cos8 }
no mls qos srr-queue input cos-map
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
queue queue-id |
Specifies a queue number. For queue-id, the range is 1 to 2. |
cos1...cos8 |
CoS values mapped to an ingress queue. For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7. |
threshold threshold-id cos1...cos8 |
Maps CoS values to a queue threshold ID. For threshold-id, the range is 1 to 3. For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7. |
Command Default
Table 1-5 shows the default CoS input queue threshold map.
Table 1-5 Default CoS Input Queue Threshold Map
CoS Value | Queue ID–Threshold ID
0–4 | 1–1
5 | 2–1
6, 7 | 1–1
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The CoS assigned at the ingress port selects an ingress or egress queue and threshold.
The drop-threshold percentage for threshold 3 is predefined. It is set to the queue-full state. You can assign two weighted tail-drop (WTD) threshold percentages to an ingress queue by using the mls qos srr-queue input threshold global configuration command.
You can map each CoS value to a different queue and threshold combination, allowing the frame to follow different behavior.
Examples
This example shows how to map CoS values 0 to 3 to ingress queue 1 and to threshold ID 1 with a drop threshold of 50 percent. It maps CoS values 4 and 5 to ingress queue 1 and to threshold ID 2 with a drop threshold of 70 percent:
Switch(config)# mls qos srr-queue input cos-map queue 1 threshold 1 0 1 2 3
Switch(config)# mls qos srr-queue input cos-map queue 1 threshold 2 4 5
Switch(config)# mls qos srr-queue input threshold 1 50 70
You can verify your settings by entering the show mls qos maps privileged EXEC command.
mls qos srr-queue input dscp-map
To map Differentiated Services Code Point (DSCP) values to an ingress queue or to map DSCP values to a queue and to a threshold ID, use the mls qos srr-queue input dscp-map command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos srr-queue input dscp-map queue queue-id { dscp1...dscp8 | threshold threshold-id dscp1...dscp8 }
no mls qos srr-queue input dscp-map
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
queue queue-id |
Specifies a queue number. For queue-id, the range is 1 to 2. |
dscp1...dscp8 |
DSCP values mapped to an ingress queue. For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 0 to 63. |
threshold threshold-id dscp1...dscp8 |
Maps DSCP values to a queue threshold ID. For threshold-id, the range is 1 to 3. For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 0 to 63. |
Command Default
Table 1-6 shows the default DSCP input queue threshold map.
Table 1-6 Default DSCP Input Queue Threshold Map
DSCP Value | Queue ID–Threshold ID
0–39 | 1–1
40–47 | 2–1
48–63 | 1–1
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The DSCP assigned at the ingress port selects an ingress or egress queue and threshold.
The drop-threshold percentage for threshold 3 is predefined. It is set to the queue-full state. You can assign two weighted tail-drop (WTD) threshold percentages to an ingress queue by using the mls qos srr-queue input threshold global configuration command.
You can map each DSCP value to a different queue and threshold combination, allowing the frame to follow different behavior.
You can map up to eight DSCP values per command.
Examples
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent:
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26
Switch(config)# mls qos srr-queue input threshold 1 50 70
You can verify your settings by entering the show mls qos maps privileged EXEC command.
mls qos srr-queue input priority-queue
To configure the ingress priority queue and to guarantee bandwidth on the internal ring if the ring is congested, use the mls qos srr-queue input priority-queue command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos srr-queue input priority-queue queue-id bandwidth weight
no mls qos srr-queue input priority-queue queue-id
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
queue-id |
Ingress queue ID. The range is 1 to 2. |
bandwidth weight |
Specifies bandwidth percentage of the internal ring. The range is 0 to 40. |
Command Default
The priority queue is queue 2, and 10 percent of the bandwidth is allocated to it.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You should use the priority queue only for traffic that needs to be expedited (for example, voice traffic, which needs minimum delay and jitter).
The priority queue is guaranteed part of the bandwidth on the internal ring, which reduces the delay and jitter under heavy network traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are full and dropping frames).
Shaped round robin (SRR) services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. SRR then shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
To disable priority queueing, set the bandwidth weight to 0, for example, mls qos srr-queue input priority-queue queue-id bandwidth 0.
Examples
This example shows how to assign the ingress bandwidths for the queues. Queue 1 is the priority queue with 10 percent of the bandwidth allocated to it. The bandwidth ratio allocated to queues 1 and 2 is 4/(4+4). SRR services queue 1 (the priority queue) first for its configured 10 percent bandwidth. Then SRR equally shares the remaining 90 percent of the bandwidth between queues 1 and 2 by allocating 45 percent to each queue:
Switch(config)# mls qos srr-queue input priority-queue 1 bandwidth 10
Switch(config)# mls qos srr-queue input bandwidth 4 4
mls qos srr-queue input threshold
To assign weighted tail-drop (WTD) threshold percentages to an ingress queue, use the mls qos srr-queue input threshold command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos srr-queue input threshold queue-id threshold-percentage1 threshold-percentage2
no mls qos srr-queue input threshold queue-id
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
queue-id |
ID of the ingress queue. The range is 1 to 2. |
threshold-percentage1 threshold-percentage2 |
Two WTD threshold percentage values. Each threshold value is a percentage of the total number of queue descriptors allocated for the queue. Separate each value with a space. The range is 1 to 100. |
Command Default
When quality of service (QoS) is enabled, WTD is enabled.
The two WTD thresholds are set to 100 percent.
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
QoS uses the CoS-to-threshold map or the DSCP-to-threshold map to decide which class of service (CoS) or Differentiated Services Code Point (DSCP) values are mapped to threshold 1 and to threshold 2. If threshold 1 is exceeded, packets with CoS or DSCP values assigned to this threshold are dropped until the threshold is no longer exceeded. However, packets assigned to threshold 2 continue to be queued and sent as long as the second threshold is not exceeded.
Each queue has two configurable (explicit) drop thresholds and one preset (implicit) drop threshold (full).
You configure the CoS-to-threshold map by using the mls qos srr-queue input cos-map global configuration command. You configure the DSCP-to-threshold map by using the mls qos srr-queue input dscp-map global configuration command.
Examples
This example shows how to configure the tail-drop thresholds for the two queues. The queue 1 thresholds are 50 percent and 100 percent, and the queue 2 thresholds are 70 percent and 100 percent:
Switch(config)# mls qos srr-queue input threshold 1 50 100
Switch(config)# mls qos srr-queue input threshold 2 70 100
mls qos srr-queue output cos-map
To map class of service (CoS) values to an egress queue or to map CoS values to a queue and to a threshold ID, use the mls qos srr-queue output cos-map command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos srr-queue output cos-map queue queue-id { cos1...cos8 | threshold threshold-id cos1...cos8 }
no mls qos srr-queue output cos-map
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
queue queue-id |
Specifies a queue number. For queue-id, the range is 1 to 4. |
cos1...cos8 |
CoS values mapped to an egress queue. For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7. |
threshold threshold-id cos1...cos8 |
Maps CoS values to a queue threshold ID. For threshold-id, the range is 1 to 3. For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7. |
Command Default
Table 1-7 shows the default CoS output queue threshold map.
Table 1-7 Default CoS Output Queue Threshold Map
CoS Value | Queue ID–Threshold ID
0, 1 | 2–1
2, 3 | 3–1
4 | 4–1
5 | 1–1
6, 7 | 4–1
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The drop-threshold percentage for threshold 3 is predefined. It is set to the queue-full state.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your quality of service (QoS) solution.
You can assign two weighted tail-drop (WTD) threshold percentages to an egress queue by using the mls qos queue-set output qset-id threshold global configuration command.
You can map each CoS value to a different queue and threshold combination, allowing the frame to follow different behavior.
Examples
This example shows how to map a port to queue set 1. It maps CoS values 0 to 3 to egress queue 1 and to threshold ID 1. It configures the drop thresholds for queue 1 to 50 and 70 percent of the allocated memory, guarantees (reserves) 100 percent of the allocated memory, and configures 200 percent as the maximum memory that this queue can have before packets are dropped.
Switch(config)# mls qos srr-queue output cos-map queue 1 threshold 1 0 1 2 3
Switch(config)# mls qos queue-set output 1 threshold 1 50 70 100 200
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# queue-set 1
You can verify your settings by entering the show mls qos maps, the show mls qos interface [ interface-id ] buffers, or the show mls qos queue-set privileged EXEC command.
mls qos srr-queue output dscp-map
To map Differentiated Services Code Point (DSCP) values to an egress queue or to map DSCP values to a queue and to a threshold ID, use the mls qos srr-queue output dscp-map command in global configuration mode. Use the no form of this command to return to the default setting.
mls qos srr-queue output dscp-map queue queue-id { dscp1...dscp8 | threshold threshold-id dscp1...dscp8 }
no mls qos srr-queue output dscp-map
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
queue queue-id |
Specifies a queue number. For queue-id, the range is 1 to 4. |
dscp1...dscp8 |
DSCP values mapped to an egress queue. For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 0 to 63. |
threshold threshold-id dscp1...dscp8 |
Maps DSCP values to a queue threshold ID. For threshold-id, the range is 1 to 3. For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 0 to 63. |
Command Default
Table 1-8 shows the default DSCP output queue threshold map.
Table 1-8 Default DSCP Output Queue Threshold Map
DSCP Value | Queue ID–Threshold ID
0–15 | 2–1
16–31 | 3–1
32–39 | 4–1
40–47 | 1–1
48–63 | 4–1
Command Modes
Global configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The drop-threshold percentage for threshold 3 is predefined. It is set to the queue-full state.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
You can assign two weighted tail-drop (WTD) threshold percentages to an egress queue by using the mls qos queue-set output qset-id threshold global configuration command.
You can map each DSCP value to a different queue and threshold combination, allowing the frame to follow different behavior.
You can map up to eight DSCP values per command.
Examples
This example shows how to map a port to queue set 1. It maps DSCP values 0 to 3 to egress queue 1 and to threshold ID 1. It configures the drop thresholds for queue 1 to 50 and 70 percent of the allocated memory, guarantees (reserves) 100 percent of the allocated memory, and configures 200 percent as the maximum memory that this queue can have before packets are dropped.
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 1 0 1 2 3
Switch(config)# mls qos queue-set output 1 threshold 1 50 70 100 200
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# queue-set 1
You can verify your settings by entering the show mls qos maps, the show mls qos interface [ interface-id ] buffers, or the show mls qos queue-set privileged EXEC command.
mls qos trust
To configure the port trust state, use the mls qos trust command in interface configuration mode. Use the no form of this command to return a port to its untrusted state.
mls qos trust [ cos | device cisco-phone | dscp | ip-precedence ]
no mls qos trust [ cos | device | dscp | ip-precedence ]
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
cos |
(Optional) Classifies an ingress packet by using the packet CoS value. For an untagged packet, use the port default CoS value. |
device cisco-phone |
(Optional) Classifies an ingress packet by trusting the CoS or DSCP value sent from the Cisco IP Phone (trusted boundary), depending on the trust setting. |
dscp |
(Optional) Classifies an ingress packet by using the packet DSCP value (the most significant 6 bits of the 8-bit service-type field). For a non-IP packet, the packet CoS is used if the packet is tagged. For an untagged packet, the default port CoS value is used. |
ip-precedence |
(Optional) Classifies an ingress packet by using the packet IP-precedence value (the most significant 3 bits of the 8-bit service-type field). For a non-IP packet, the packet CoS is used if the packet is tagged. For an untagged packet, the port default CoS value is used. |
Command Default
The port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Command Modes
Interface configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Ingress traffic can be trusted, and classification is performed by examining the packet Differentiated Services Code Point (DSCP), class of service (CoS), or IP-precedence field.
Packets entering a quality of service (QoS) domain are classified at the edge of the domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the domain. Use this command to specify whether the port is trusted and which fields of the packet to use to classify traffic.
When a port is configured with trust DSCP or trust IP precedence and the incoming packet is a non-IP packet, the CoS-to-DSCP map is used to derive the corresponding DSCP value from the CoS value. The CoS can be the packet CoS for trunk ports or the port default CoS for nontrunk ports.
If the DSCP is trusted, the DSCP field of the IP packet is not modified. However, it is still possible that the CoS value of the packet is modified (according to DSCP-to-CoS map).
If the CoS is trusted, the CoS field of the packet is not modified, but the DSCP can be modified (according to CoS-to-DSCP map) if the packet is an IP packet.
The trusted boundary feature prevents security problems if users disconnect their PCs from networked Cisco IP Phones and connect them to the switch port to take advantage of trusted CoS or DSCP settings. You must globally enable the Cisco Discovery Protocol (CDP) on the switch and on the port connected to the IP phone. If the telephone is not detected, trusted boundary disables the trusted setting on the switch or routed port and prevents misuse of a high-priority queue.
If you configure the trust setting for DSCP or IP precedence, the DSCP or IP precedence values in the incoming packets are trusted. If you configure the mls qos cos override interface configuration command on the switch port connected to the IP phone, the switch overrides the CoS of the incoming voice and data packets and assigns the default CoS value to them.
For an inter-QoS domain boundary, you can configure the port to the DSCP-trusted state and apply the DSCP-to-DSCP-mutation map if the DSCP values are different between the QoS domains.
Classification using a port trust state (for example, mls qos trust [ cos | dscp | ip-precedence ]) and a policy map (for example, service-policy input policy-map-name) are mutually exclusive. The last one configured overwrites the previous configuration.
Note Cisco IOS Release 15.0(1)EY and later supports IPv6 port-based trust with the dual IPv4 and IPv6 Switch Database Management (SDM) templates. You must reload the switch with the dual IPv4 and IPv6 templates for switches running IPv6.
Examples
This example shows how to configure a port to trust the IP precedence field in the incoming packet:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# mls qos trust ip-precedence
This example shows how to specify that the Cisco IP Phone connected on a port is a trusted device:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# mls qos trust device cisco-phone
You can verify your settings by entering the show mls qos interface privileged EXEC command.
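The ingress trust rules of mls qos trust (including the trusted-boundary case where no phone is detected), the egress queue selection from Table 1-8, and the DSCP transparency behaviour of mls qos rewrite ip dscp, put together as an added example that is not Cisco code. The CoS-to-DSCP, DSCP-to-CoS and IP-precedence-to-DSCP maps are passed in explicitly and the sample maps are constructed (they are not claimed to be the switch defaults); the untrusted-port behaviour and the policy_set_dscp parameter are assumptions, since this page only says a policy map may change the internal DSCP.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    is_ip: bool
    tagged: bool
    cos: int = 0    # 802.1p CoS, meaningful only when the frame is tagged
    dscp: int = 0   # 6-bit DSCP, meaningful only for IP packets

    @property
    def ip_precedence(self) -> int:
        return self.dscp >> 3   # most significant 3 bits of the service-type field


@dataclass
class QosMaps:
    cos_to_dscp: Dict[int, int]
    dscp_to_cos: Dict[int, int]
    ip_prec_to_dscp: Dict[int, int]


@dataclass
class PortQos:
    trust: Optional[str]            # "cos", "dscp", "ip-precedence" or None (untrusted)
    default_cos: int = 0            # value set with 'mls qos cos'
    trusted_boundary: bool = False  # 'mls qos trust device cisco-phone'
    phone_detected: bool = True     # CDP has detected a Cisco IP Phone on the port


# Constructed sample maps, passed in explicitly (not the switch defaults):
# CoS c -> DSCP 8c, DSCP d -> CoS d >> 3, IP precedence p -> DSCP 8p.
SAMPLE_MAPS = QosMaps(
    cos_to_dscp={c: 8 * c for c in range(8)},
    dscp_to_cos={d: d >> 3 for d in range(64)},
    ip_prec_to_dscp={p: 8 * p for p in range(8)},
)


def classify(pkt: Packet, port: PortQos, maps: QosMaps) -> Tuple[int, int]:
    """Return (internal DSCP, internal CoS) assigned at the ingress port."""
    trust = port.trust
    # Trusted boundary: if CDP has not detected the phone, the trust setting is disabled.
    if port.trusted_boundary and not port.phone_detected:
        trust = None
    frame_cos = pkt.cos if pkt.tagged else port.default_cos
    if trust == "dscp" and pkt.is_ip:
        # DSCP trusted: the DSCP is kept; the CoS may still change via the DSCP-to-CoS map.
        return pkt.dscp, maps.dscp_to_cos[pkt.dscp]
    if trust == "ip-precedence" and pkt.is_ip:
        dscp = maps.ip_prec_to_dscp[pkt.ip_precedence]
        return dscp, maps.dscp_to_cos[dscp]
    if trust in ("dscp", "ip-precedence", "cos"):
        # Non-IP packet on a DSCP/IP-precedence-trusted port, or any packet on a
        # CoS-trusted port: the CoS is kept and the DSCP comes from the CoS-to-DSCP map.
        return maps.cos_to_dscp[frame_cos], frame_cos
    # Untrusted port (assumption; this page does not describe the untrusted case):
    # the port default CoS is assigned and the DSCP is derived from it.
    return maps.cos_to_dscp[port.default_cos], port.default_cos


def egress_queue_threshold(internal_dscp: int) -> Tuple[int, int]:
    """Default DSCP output queue threshold map (Table 1-8): (queue ID, threshold ID)."""
    if internal_dscp <= 15:
        return 2, 1
    if internal_dscp <= 31:
        return 3, 1
    if internal_dscp <= 39:
        return 4, 1
    if internal_dscp <= 47:
        return 1, 1
    return 4, 1


def forward(pkt: Packet, port: PortQos, maps: QosMaps, rewrite_dscp: bool,
            policy_set_dscp: Optional[int] = None) -> dict:
    """Classify, optionally apply a policy-map marking (assumed parameter), select the
    egress queue from the internal DSCP, and compute the egress DSCP: the internal
    value under 'mls qos rewrite ip dscp', the incoming value under DSCP transparency."""
    internal_dscp, internal_cos = classify(pkt, port, maps)
    if policy_set_dscp is not None:
        internal_dscp = policy_set_dscp                 # marking changes the internal DSCP
        internal_cos = maps.dscp_to_cos[internal_dscp]  # and the CoS generated from it
    egress_dscp = None
    if pkt.is_ip:
        egress_dscp = internal_dscp if rewrite_dscp else pkt.dscp
    return {
        "internal_dscp": internal_dscp,
        "internal_cos": internal_cos,
        "egress_queue": egress_queue_threshold(internal_dscp),  # chosen regardless of transparency
        "egress_dscp": egress_dscp,
    }
```

Note that with transparency enabled, a packet whose internal DSCP was changed from 32 to 16 still leaves with DSCP 32 but is queued according to 16, exactly as the mls qos rewrite ip dscp guidelines state.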
Related Commands
mls qos cos |
Defines the default CoS value of a port or assigns the default CoS to all incoming packets on the port. |
mls qos dscp-mutation |
Applies a DSCP-to-DSCP-mutation map to a DSCP-trusted port. |
mls qos map |
Defines the CoS-to-DSCP map, DSCP-to-CoS map, the DSCP-to-DSCP-mutation map, the IP-precedence-to-DSCP map, and the policed-DSCP map. |
show mls qos interface |
Displays QoS information. |
mls qos vlan-based
To enable VLAN-based quality of service (QoS) on the physical port, use the mls qos vlan-based command in interface configuration mode. Use the no form of this command to disable this feature.
mls qos vlan-based
no mls qos vlan-based
Note This command is available only when the switch is running the LAN Base image.
Syntax Description
There are no arguments or keywords.
Command Default
VLAN-based QoS is disabled.
Command Modes
Interface configuration
Command History
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Before attaching a hierarchical policy map to a switch virtual interface (SVI), use the mls qos vlan-based interface configuration command on a physical port if the port is to be specified in the secondary interface level of the hierarchical policy map.
When you configure hierarchical policing, the hierarchical policy map is attached to the SVI and affects all traffic belonging to the VLAN. The individual policer in the interface-level traffic classification only affects the physical ports specified for that classification.
For detailed instructions about configuring hierarchical policy maps, see the “Classifying, Policing, and Marking Traffic by Using Hierarchical Policy Maps” section in the software configuration guide for this release.
Examples
This example shows how to enable VLAN-based policing on a physical port:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# mls qos vlan-based
You can verify your settings by entering the show mls qos interface privileged EXEC command.
monitor session
To start a new Switched Port Analyzer (SPAN) session or Remote SPAN (RSPAN) source or destination session, to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance), to add or delete interfaces or VLANs to or from an existing SPAN or RSPAN session, and to limit (filter) SPAN source traffic to specific VLANs, use the monitor session command in global configuration mode. Use the no form of this command to remove the SPAN or RSPAN session or to remove source or destination interfaces or filters from the SPAN or RSPAN session. For destination interfaces, the encapsulation options are ignored with the no form of the command.
monitor session session_number destination { interface interface-id [, | -] [ encapsulation {dot1q | replicate}] [ ingress { dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id }]} | { remote vlan vlan-id }
monitor session session_number filter vlan vlan-id [, | -]
monitor session session_number source { interface interface-id [, | -] [ both | rx | tx ]} | { vlan vlan-id [, | -] [ both | rx | tx ]}| { remote vlan vlan-id }
no monitor session { session_number | all | local | remote }
no monitor session session_number destination { interface interface-id [, | -] [ encapsulation {dot1q | replicate}] [ ingress { dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id }]} | { remote vlan vlan-id }
no monitor session session_number filter vlan vlan-id [, | -]
no monitor session session_number source { interface interface-id [, | -] [ both | rx | tx ]} | { vlan vlan-id [, | -] [ both | rx | tx ]} | { remote vlan vlan-id }
Syntax Description
session_number |
Specifies the session number identified with the SPAN or RSPAN session. The range is 1 to 66. |
destination |
Specifies the SPAN or RSPAN destination. A destination must be a physical port. |
interface interface-id |
Specifies the destination or source interface for a SPAN or RSPAN session. Valid interfaces are physical ports (including type and port number). For a source interface, a port channel is also a valid interface type, and the valid range is 1 to 6. |
encapsulation dot1q |
(Optional) Specifies that the destination interface uses the IEEE 802.1Q encapsulation method. These keywords are valid only for local SPAN. For RSPAN, the RSPAN VLAN ID overwrites the original VLAN ID; therefore, packets are always sent untagged. |
encapsulation replicate |
(Optional) Specifies that the destination interface replicates the source interface encapsulation method. If not selected, the default is to send packets in native form (untagged). These keywords are valid only for local SPAN. For RSPAN, the RSPAN VLAN ID overwrites the original VLAN ID; therefore, packets are always sent untagged. |
ingress |
(Optional) Enables ingress traffic forwarding. |
dot1q vlan vlan-id |
Accepts incoming packets with IEEE 802.1Q encapsulation with the specified VLAN as the default VLAN. |
untagged vlan vlan-id |
Accepts incoming packets with untagged encapsulation with the specified VLAN as the default VLAN. |
vlan vlan-id |
When used with only the ingress keyword, sets the default VLAN for ingress traffic. |
remote vlan vlan-id |
Specifies the remote VLAN for an RSPAN source or destination session. The range is 2 to 1001 and 1006 to 4094. The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 to 1005 (reserved for Token Ring and FDDI VLANs). |
, |
(Optional) Specifies a series of interfaces or VLANs, or separates a range of interfaces or VLANs from a previous range. Enter a space before and after the comma. |
- |
(Optional) Specifies a range of interfaces or VLANs. Enter a space before and after the hyphen. |
filter vlan vlan-id |
Specifies a list of VLANs as filters on trunk source ports to limit SPAN source traffic to specific VLANs. The vlan-id range is 1 to 4094. |
source |
Specifies the SPAN or RSPAN source. A source can be a physical port, a port channel, or a VLAN. |
both, rx, tx |
(Optional) Specifies the traffic direction to monitor. If you do not specify a traffic direction, the source interface sends both transmitted and received traffic. |
source vlan vlan-id |
Specifies the SPAN source interface as a VLAN ID. The range is 1 to 4094. |
all, local, remote |
Specifies all, local, or remote with the no monitor session command to clear all SPAN and RSPAN, all local SPAN, or all RSPAN sessions. |
Command Default
No monitor sessions are configured.
On a source interface, the default is to monitor both received and transmitted traffic.
On a trunk interface used as a source port, all VLANs are monitored.
If encapsulation replicate is not specified on a local SPAN destination port, packets are sent in native form with no encapsulation tag.
Ingress forwarding is disabled on destination ports.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Traffic that enters or leaves source ports or source VLANs can be monitored by using SPAN or RSPAN. Traffic routed to source ports or source VLANs cannot be monitored.
You can set a combined maximum of two local SPAN sessions and RSPAN source sessions. You can have a total of 66 SPAN and RSPAN sessions on a switch.
You can have a maximum of 64 destination ports on a switch.
Each session can include multiple ingress or egress source ports or VLANs, but you cannot combine source ports and source VLANs in a single session. Each session can include multiple destination ports.
When you use VLAN-based SPAN (VSPAN) to analyze network traffic in a VLAN or set of VLANs, all active ports in the source VLANs become source ports for the SPAN or RSPAN session. Trunk ports are included as source ports for VSPAN, and only packets with the monitored VLAN ID are sent to the destination port.
You can monitor traffic on a single port or VLAN or on a series or range of ports or VLANs. You select a series or range of interfaces or VLANs by using the [, | - ] options.
If you specify a series of VLANs or interfaces, you must enter a space before and after the comma. If you specify a range of VLANs or interfaces, you must enter a space before and after the hyphen (-).
EtherChannel ports cannot be configured as SPAN or RSPAN destination ports. A physical port that is a member of an EtherChannel group can be used as a destination port, but it cannot participate in the EtherChannel group while it is a SPAN destination.
You can monitor individual ports while they participate in an EtherChannel, or you can monitor the entire EtherChannel bundle by specifying the port-channel number as the RSPAN source interface.
A port used as a destination port cannot be a SPAN or RSPAN source, nor can a port be a destination port for more than one session at a time.
You can enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port; however, IEEE 802.1x authentication is disabled until the port is removed as a SPAN destination. If IEEE 802.1x authentication is not available on the port, the switch returns an error message. You can enable IEEE 802.1x authentication on a SPAN or RSPAN source port.
VLAN filtering refers to analyzing network traffic on a selected set of VLANs on trunk source ports. By default, all VLANs are monitored on trunk source ports. You can use the monitor session session_number filter vlan vlan-id command to limit SPAN traffic on trunk source ports to only the specified VLANs.
VLAN monitoring and VLAN filtering are mutually exclusive. If a VLAN is a source, VLAN filtering cannot be enabled. If VLAN filtering is configured, a VLAN cannot become a source.
If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
Destination ports can be configured to function in these ways:
- When you enter monitor session session_number destination interface interface-id with no other keywords, egress encapsulation is untagged, and ingress forwarding is not enabled.
- When you enter monitor session session_number destination interface interface-id ingress, egress encapsulation is untagged; ingress encapsulation depends on the keywords that follow— dot1q or untagged.
- When you enter monitor session session_number destination interface interface-id encapsulation dot1q with no other keywords, egress encapsulation uses the IEEE 802.1Q encapsulation method. (This applies to local SPAN only; RSPAN does not support encapsulation dot1q.)
- When you enter monitor session session_number destination interface interface-id encapsulation dot1q ingress, egress encapsulation uses the IEEE 802.1Q encapsulation method; ingress encapsulation depends on the keywords that follow— dot1q or untagged. (This applies to local SPAN only; RSPAN does not support encapsulation dot1q.)
- When you enter monitor session session_number destination interface interface-id encapsulation replicate with no other keywords, egress encapsulation replicates the source interface encapsulation; ingress forwarding is not enabled. (This applies to local SPAN only; RSPAN does not support encapsulation replication.)
- When you enter monitor session session_number destination interface interface-id encapsulation replicate ingress, egress encapsulation replicates the source interface encapsulation; ingress encapsulation depends on the keywords that follow— dot1q or untagged. (This applies to local SPAN only; RSPAN does not support encapsulation replication.)
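A misconfigured SPAN session is a blind spot for whatever sensor sits on the destination port, so the rules above are worth checking before a configuration is pushed. The following Python linter is an added example (not Cisco code) that applies those rules to a set of session definitions; the Session model and the two sample configurations are constructed for this example.

```python
"""Check SPAN/RSPAN session definitions against the constraints listed in the
monitor session usage guidelines. Added example, not Cisco code; the Session
model and the sample configurations below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Limits and reserved VLANs quoted in the command reference.
RSPAN_FORBIDDEN_VLANS = {1, 1002, 1003, 1004, 1005}  # default VLAN, Token Ring/FDDI
MAX_LOCAL_PLUS_RSPAN_SOURCE = 2
MAX_SESSIONS = 66
MAX_DEST_PORTS = 64


@dataclass
class Session:
    number: int
    source_ports: List[str] = field(default_factory=list)
    source_vlans: List[int] = field(default_factory=list)
    source_remote_vlan: Optional[int] = None  # set on an RSPAN destination session
    dest_ports: List[str] = field(default_factory=list)
    dest_remote_vlan: Optional[int] = None    # set on an RSPAN source session
    filter_vlans: List[int] = field(default_factory=list)

    def is_rspan_destination(self) -> bool:
        return self.source_remote_vlan is not None


def is_etherchannel(port: str) -> bool:
    return port.lower().startswith("port-channel")


def lint_sessions(sessions: List[Session]) -> List[str]:
    """Return one message per violated rule; an empty list means the set is clean."""
    problems: List[str] = []
    for s in sessions:
        tag = f"session {s.number}"
        if s.source_ports and s.source_vlans:
            problems.append(f"{tag}: source ports and source VLANs cannot be combined")
        if s.source_vlans and s.filter_vlans:
            problems.append(f"{tag}: VLAN filtering and VLAN sources are mutually exclusive")
        for v in s.source_vlans + s.filter_vlans:
            if not 1 <= v <= 4094:
                problems.append(f"{tag}: VLAN {v} is outside 1 to 4094")
        for v in (s.source_remote_vlan, s.dest_remote_vlan):
            if v is not None and (v in RSPAN_FORBIDDEN_VLANS or not 2 <= v <= 4094):
                problems.append(f"{tag}: VLAN {v} cannot be an RSPAN VLAN")
        for p in s.dest_ports:
            if is_etherchannel(p):
                problems.append(f"{tag}: {p} is an EtherChannel and cannot be a destination")

    # Cross-session rules: a destination port is never a source and never shared.
    sources = {p for s in sessions for p in s.source_ports}
    owner: Dict[str, int] = {}
    for s in sessions:
        for p in s.dest_ports:
            if p in sources:
                problems.append(f"session {s.number}: {p} is both a source and a destination")
            if p in owner and owner[p] != s.number:
                problems.append(f"session {s.number}: {p} is already a destination in session {owner[p]}")
            owner.setdefault(p, s.number)

    # Local SPAN and RSPAN source sessions share one budget of two; RSPAN
    # destination sessions count only toward the overall total.
    heavy = sum(1 for s in sessions if not s.is_rspan_destination())
    if heavy > MAX_LOCAL_PLUS_RSPAN_SOURCE:
        problems.append(f"{heavy} local SPAN/RSPAN source sessions exceed the limit of {MAX_LOCAL_PLUS_RSPAN_SOURCE}")
    if len(sessions) > MAX_SESSIONS:
        problems.append(f"{len(sessions)} sessions exceed the limit of {MAX_SESSIONS}")
    if len(owner) > MAX_DEST_PORTS:
        problems.append(f"{len(owner)} destination ports exceed the limit of {MAX_DEST_PORTS}")
    return problems


# Constructed sample: a local SPAN session with a VLAN filter, an RSPAN source
# session, and an RSPAN destination session.
GOOD_CONFIG = [
    Session(1, source_ports=["gigabitethernet1/1"], dest_ports=["gigabitethernet1/2"],
            filter_vlans=list(range(100, 111))),
    Session(2, source_ports=["gigabitethernet1/3", "port-channel 2"], dest_remote_vlan=900),
    Session(10, source_remote_vlan=901, dest_ports=["gigabitethernet1/4"]),
]

# Constructed sample that breaks several rules at once.
BAD_CONFIG = [
    Session(1, source_ports=["gigabitethernet1/1"], source_vlans=[10],
            dest_ports=["gigabitethernet1/2"]),
    Session(2, source_vlans=[20], filter_vlans=[20], dest_ports=["gigabitethernet1/2"]),
    Session(3, source_ports=["gigabitethernet1/2"], dest_remote_vlan=1),
]

if __name__ == "__main__":
    for msg in lint_sessions(BAD_CONFIG):
        print(msg)
```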
Examples
This example shows how to create a local SPAN session 1 to monitor both sent and received traffic on source port 1 to destination port 2:
Switch(config)# monitor session 1 source interface gigabitethernet1/1 both
Switch(config)# monitor session 1 destination interface gigabitethernet1/2
This example shows how to delete a destination port from an existing local SPAN session:
Switch(config)# no monitor session 2 destination gigabitethernet1/2
This example shows how to limit SPAN traffic in an existing session only to specific VLANs:
Switch(config)# monitor session 1 filter vlan 100 - 110
This example shows how to configure RSPAN source session 1 to monitor multiple source interfaces and to configure the destination RSPAN VLAN 900:
Switch(config)# monitor session 1 source interface gigabitethernet1/1
Switch(config)# monitor session 1 source interface port-channel 2 tx
Switch(config)# monitor session 1 destination remote vlan 900
This example shows how to configure an RSPAN destination session 10 in the switch receiving the monitored traffic:
Switch(config)# monitor session 10 source remote vlan 900
Switch(config)# monitor session 10 destination interface gigabitethernet1/2
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports IEEE 802.1Q encapsulation. Egress traffic replicates the source; ingress traffic uses IEEE 802.1Q encapsulation:
Switch(config)# monitor session 2 destination interface gigabitethernet1/2 encapsulation replicate ingress dot1q vlan 5
This example shows how to configure the destination port for ingress traffic on VLAN 5 by using a security device that does not support encapsulation. Egress traffic and ingress traffic are untagged:
Switch(config)# monitor session 2 destination interface gigabitethernet1/2 ingress untagged vlan 5
You can verify your settings by entering the show monitor privileged EXEC command. You can display SPAN and RSPAN configurations on the switch by entering the show running-config privileged EXEC command. SPAN information appears near the end of the output.
Related Commands
|
|
remote-span |
Configures an RSPAN VLAN in vlan configuration mode. |
show monitor |
Displays SPAN and RSPAN session information. |
show running-config |
Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
mvr (global configuration)
To enable the multicast VLAN registration (MVR) feature on the switch, use the mvr command in global configuration mode without keywords. Use the command with keywords to set the MVR mode for a switch, configure the MVR IP multicast address, set the maximum time to wait for a query reply before removing a port from group membership, and to specify the MVR multicast VLAN. Use the no form of this command to return to the default settings.
mvr [ group ip-address [ count ] | mode [ compatible | dynamic ] | querytime value | vlan vlan-id ]
no mvr [ group ip-address | mode [ compatible | dynamic ] | querytime value | vlan vlan-id ]
Syntax Description
group ip-address |
(Optional) Statically configures an MVR group IP multicast address on the switch. Use the no form of this command to remove a statically configured IP multicast address or contiguous addresses or, when no IP address is entered, to remove all statically configured MVR IP multicast addresses. |
count |
(Optional) Configures multiple contiguous MVR group addresses. The range is 1 to 256; the default is 1. |
mode |
(Optional) Specifies the MVR mode of operation. The default is compatible mode. |
compatible |
(Optional) Sets MVR mode to provide compatibility with Catalyst 2900 XL and Catalyst 3500 XL switches. This mode does not allow dynamic membership joins on source ports. |
dynamic |
(Optional) Sets MVR mode to allow dynamic MVR membership on source ports. |
querytime value |
(Optional) Sets the maximum time to wait for IGMP report memberships on a receiver port. This time applies only to receiver-port leave processing. When an IGMP query is sent from a receiver port, the switch waits for the default or configured MVR querytime for an IGMP group membership report before removing the port from multicast group membership. The value is the response time in units of tenths of a second. The range is 1 to 100; the default is 5 tenths or one-half second. Use the no form of the command to return to the default setting. |
vlan vlan-id |
(Optional) Specifies the VLAN on which MVR multicast data is expected to be received. This is also the VLAN to which all the source ports belong. The range is 1 to 4094; the default is VLAN 1. |
Command Default
MVR is disabled by default.
The default MVR mode is compatible mode.
No IP multicast addresses are configured on the switch by default.
The default group ip address count is 0.
The default query response time is 5 tenths of a second (one-half second).
The default multicast VLAN for MVR is VLAN 1.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
A maximum of 256 MVR multicast groups can be configured on a switch.
Use the mvr group command to statically set up all the IP multicast addresses that will take part in MVR. Any multicast data sent to a configured multicast address is sent to all the source ports on the switch and to all receiver ports that have registered to receive data on that IP multicast address.
MVR supports aliased IP multicast addresses on the switch. However, if the switch is interoperating with Catalyst 3550 or Catalyst 3500 XL switches, you should not configure IP addresses that alias between themselves or with the reserved IP multicast addresses (in the range 224.0.0.xxx).
The mvr querytime command applies only to receiver ports.
If the switch MVR is interoperating with Catalyst 2900 XL or Catalyst 3500 XL switches, set the multicast mode to compatible.
When operating in compatible mode, MVR does not support IGMP dynamic joins on MVR source ports.
MVR can coexist with IGMP snooping on a switch.
Multicast routing and MVR cannot coexist on a switch. If you enable multicast routing and a multicast routing protocol while MVR is enabled, MVR is disabled and a warning message appears. If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled with an error message.
Examples
This example shows how to enable MVR:
Switch(config)# mvr
Use the show mvr privileged EXEC command to display the current setting for maximum multicast groups.
This example shows how to configure 228.1.23.4 as an IP multicast address:
Switch(config)# mvr group 228.1.23.4
This example shows how to configure ten contiguous IP multicast groups with multicast addresses from 228.1.23.1 to 228.1.23.10:
Switch(config)# mvr group 228.1.23.1 10
Use the show mvr members privileged EXEC command to display the IP multicast group addresses configured on the switch.
This example shows how to set the maximum query response time as one second (10 tenths):
Switch(config)# mvr querytime 10
This example shows how to set VLAN 2 as the multicast VLAN:
Switch(config)# mvr vlan 2
Related Commands
|
|
mvr (interface configuration) |
Configures MVR ports. |
show mvr |
Displays MVR global parameters or port parameters. |
show mvr interface |
Displays the configured MVR interfaces with their type, status, and Immediate Leave configuration. Also displays all MVR groups of which the interface is a member. |
show mvr members |
Displays all ports that are members of an MVR multicast group; if the group has no members, its status is shown as Inactive. |
mvr (interface configuration)
To configure a Layer 2 port as a multicast VLAN registration (MVR) receiver or source port, to set the Immediate Leave feature, and to statically assign a port to an IP multicast VLAN and IP address, use the mvr command in interface configuration mode. Use the no form of this command to return to the default settings.
mvr [ immediate | type { receiver | source } | vlan vlan-id group [ ip-address ]]
no mvr [ immediate | type { source | receiver } | vlan vlan-id group [ ip-address ]]
Syntax Description
immediate |
(Optional) Enables the Immediate Leave feature of MVR on a port. Use the no mvr immediate command to disable the feature. |
type |
(Optional) Configures the port as an MVR receiver port or a source port. The default port type is neither an MVR source nor a receiver port. The no mvr type command resets the port as neither a source nor a receiver port. |
receiver |
Configures the port as a subscriber port that can only receive multicast data. Receiver ports cannot belong to the multicast VLAN. |
source |
Configures the port as an uplink port that can send and receive multicast data for the configured multicast groups. All source ports on a switch belong to a single multicast VLAN. |
vlan vlan-id group |
(Optional) Adds the port as a static member of the multicast group with the specified VLAN ID. The no mvr vlan vlan-id group command removes a port on a VLAN from membership in an IP multicast address group. |
ip-address |
(Optional) Statically configures the specified MVR IP multicast group address for the specified multicast VLAN ID. This is the IP address of the multicast group that the port is joining. |
Command Default
A port is configured as neither a receiver nor a source.
The Immediate Leave feature is disabled on all ports.
No receiver port is a member of any configured multicast group.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Configure a port as a source port if that port should be able to both send and receive multicast data bound for the configured multicast groups. Multicast data is received on all ports configured as source ports.
Receiver ports cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
A port that is not taking part in MVR should not be configured as an MVR receiver port or a source port. A non-MVR port is a normal switch port, able to send and receive multicast data with normal switch behavior.
When Immediate Leave is enabled, a receiver port leaves a multicast group more quickly. Without Immediate Leave, when the switch receives an IGMP leave message from a group on a receiver port, it sends out an IGMP MAC-based query on that port and waits for IGMP group membership reports. If no reports are received in a configured time period, the receiver port is removed from multicast group membership. With Immediate Leave, an IGMP MAC-based query is not sent from the receiver port on which the IGMP leave was received. As soon as the leave message is received, the receiver port is removed from multicast group membership, which speeds up leave latency.
The Immediate Leave feature should be enabled only on receiver ports to which a single receiver device is connected.
The mvr vlan group command statically configures ports to receive multicast traffic sent to the IP multicast address. A port statically configured as a member of group remains a member of the group until statically removed. In compatible mode, this command applies only to receiver ports; in dynamic mode, it can also apply to source ports. Receiver ports can also dynamically join multicast groups by using IGMP join messages.
When operating in compatible mode, MVR does not support IGMP dynamic joins on MVR source ports.
Examples
This example shows how to configure a port as an MVR receiver port:
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# mvr type receiver
Use the show mvr interface privileged EXEC command to display configured receiver ports and source ports.
This example shows how to enable Immediate Leave on a port:
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# mvr immediate
This example shows how to add a port on VLAN 1 as a static member of IP multicast group 228.1.23.4:
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# mvr vlan 1 group 228.1.23.4
You can verify your settings by entering the show mvr members privileged EXEC command.
Related Commands
|
|
mvr (global configuration) |
Enables and configures multicast VLAN registration on the switch. |
show mvr |
Displays MVR global parameters or port parameters. |
show mvr interface |
Displays the configured MVR interfaces or displays the multicast groups to which a receiver port belongs. Also displays all MVR groups of which the interface is a member. |
show mvr members |
Displays all receiver ports that are members of an MVR multicast group. |
network-policy
To apply a network-policy profile to an interface, use the network-policy command in interface configuration mode. Use the no form of this command to remove the policy.
network-policy profile number
no network-policy
Syntax Description
profile number |
The network-policy profile number. |
Command Default
No network-policy profiles are applied.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the network-policy profile number interface configuration command to apply a profile to an interface.
If you first configure a network-policy profile on an interface, you cannot apply the switchport voice vlan command on the interface. If switchport voice vlan vlan-id is already configured on an interface, you can apply a network-policy profile on the interface. The interface then has the voice or voice-signaling VLAN network-policy profile applied on the interface.
Examples
This example shows how to apply network-policy profile 60 to an interface:
Switch(config)# interface interface-id
Switch(config-if)# network-policy profile 60
network-policy profile (global configuration)
To create a network-policy profile and to enter network-policy configuration mode, use the network-policy profile command in global configuration mode. Use the no form of this command to delete the policy and to return to global configuration mode.
network-policy profile profile number
no network-policy profile profile number
Syntax Description
profile number |
Specifies the network-policy profile number. The range is 1 to 4294967295. |
Command Default
No network-policy profiles are defined.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the network-policy profile global configuration command to create a profile and to enter network-policy profile configuration mode.
To return to the privileged EXEC mode from the network-policy profile configuration mode, enter the exit command.
When you are in network-policy profile configuration mode, you can create the profile for voice and voice signaling by specifying the values for VLAN, class of service (CoS), differentiated services code point (DSCP), and tagging mode.
These profile attributes are then carried in the Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-MED) network-policy type-length-value (TLV).
Examples
This example shows how to create network-policy profile 60:
Switch(config)# network-policy profile 60
Switch(config-network-policy)#
network-policy profile (network-policy configuration)
To configure the attributes of a network-policy profile, use the network-policy profile command in network-policy configuration mode. Use the no form of this command without additional parameters to delete a profile. Use the no form with parameters to change its configured attributes.
network-policy profile profile number {voice | voice-signaling} vlan [ vlan-id {cos cvalue | dscp dvalue } ] | [[dot1p {cos cvalue | dscp dvalue }] | none | untagged]
no network-policy profile profile number {voice | voice-signaling} vlan [ vlan-id | {cos cvalue } | {dscp dvalue } ] | [[dot1p {cos cvalue } | {dscp dvalue }] | none | untagged]
Syntax Description
voice |
Specifies the voice application type. |
voice-signaling |
Specifies the voice-signaling application type. |
vlan |
Specifies the native VLAN for voice traffic. |
vlan-id |
(Optional) Specifies the VLAN for voice traffic. The range is 1 to 4094. |
cos cvalue |
(Optional) Specifies the Layer 2 priority class of service (CoS) for the configured VLAN. The range is 0 to 7; the default is 0. |
dscp dvalue |
(Optional) Specifies the differentiated services code point (DSCP) value for the configured VLAN. The range is 0 to 63; the default is 0. |
dot1p |
(Optional) Configures the telephone to use IEEE 802.1p priority tagging and to use VLAN 0 (the native VLAN). |
none |
(Optional) Does not instruct the IP telephone about the voice VLAN. The telephone uses the configuration from the telephone key pad. |
untagged |
(Optional) Configures the telephone to send untagged voice traffic. This is the default for the telephone. |
Command Default
No network policies are defined.
Command Modes
Network-policy configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the network-policy profile command to configure the attributes of a network-policy profile.
The voice application type is for dedicated IP telephones and similar devices that support interactive voice services. These devices are typically deployed on a separate VLAN for ease of deployment and enhanced security through isolation from data applications.
The voice-signaling application type is for network topologies that require a different policy for voice signaling than for voice media. This application type should not be advertised if all the same network policies apply as those advertised in the voice policy TLV.
Examples
This example shows how to configure the voice application type for VLAN 100 with a priority 4 CoS:
Switch(config)# network-policy profile 1
Switch(config-network-policy)# voice vlan 100 cos 4
This example shows how to configure the voice application type for VLAN 100 with a DSCP value of 34:
Switch(config)# network-policy profile 1
Switch(config-network-policy)# voice vlan 100 dscp 34
This example shows how to configure the voice application type for the native VLAN with priority tagging:
Switch(config-network-policy)# voice vlan dot1p cos 4
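The VLAN, CoS, DSCP and tagging mode configured above are what the switch advertises to the phone in the LLDP-MED Network Policy TLV, so being able to read that TLV off the wire is how you confirm an access port is handing out the intended voice VLAN. The encoder and decoder below are an added example (not Cisco code); the TLV layout follows ANSI/TIA-1057 as I know it, and the mapping of the vlan, dot1p, untagged and none keywords onto the TLV's tagged and unknown-policy flags is this example's assumption.

```python
"""Build and parse the LLDP-MED Network Policy TLV that carries a
network-policy profile's voice / voice-signaling attributes.
Added example, not Cisco code. Layout (ANSI/TIA-1057): TLV type 127,
OUI 00-12-BB, subtype 2, application type, then 24 bits of
U(1) T(1) X(1) VLAN(12) L2-priority(3) DSCP(6)."""
import struct
from typing import Dict, Optional

LLDP_TLV_ORG_SPECIFIC = 127
TIA_OUI = b"\x00\x12\xbb"
MED_NETWORK_POLICY_SUBTYPE = 2
APP_TYPES = {"voice": 1, "voice-signaling": 2}
APP_NAMES = {v: k for k, v in APP_TYPES.items()}


def encode_network_policy_tlv(app: str, vlan_id: int = 0, cos: int = 0,
                              dscp: int = 0, tagged: bool = True,
                              unknown: bool = False) -> bytes:
    """Return the complete TLV (2-byte header plus 8-byte value)."""
    if app not in APP_TYPES:
        raise ValueError(f"unsupported application type {app!r}")
    if not 0 <= vlan_id <= 4094 or not 0 <= cos <= 7 or not 0 <= dscp <= 63:
        raise ValueError("vlan-id 0-4094, cos 0-7, dscp 0-63")
    policy = (int(unknown) << 23) | (int(tagged) << 22) | (vlan_id << 9) | (cos << 6) | dscp
    value = (TIA_OUI + bytes([MED_NETWORK_POLICY_SUBTYPE, APP_TYPES[app]])
             + policy.to_bytes(3, "big"))
    header = (LLDP_TLV_ORG_SPECIFIC << 9) | len(value)  # 7-bit type, 9-bit length
    return struct.pack("!H", header) + value


def decode_network_policy_tlv(tlv: bytes) -> Dict[str, object]:
    """Parse a TLV produced by encode_network_policy_tlv (or captured from LLDP)."""
    (header,) = struct.unpack("!H", tlv[:2])
    tlv_type, length = header >> 9, header & 0x1FF
    value = tlv[2:2 + length]
    if tlv_type != LLDP_TLV_ORG_SPECIFIC or length != 8:
        raise ValueError("not an 8-byte organizationally specific TLV")
    if value[:3] != TIA_OUI or value[3] != MED_NETWORK_POLICY_SUBTYPE:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    policy = int.from_bytes(value[5:8], "big")
    return {
        "app": APP_NAMES.get(value[4], value[4]),
        "unknown": bool(policy >> 23 & 1),
        "tagged": bool(policy >> 22 & 1),
        "vlan_id": (policy >> 9) & 0xFFF,
        "cos": (policy >> 6) & 0x7,
        "dscp": policy & 0x3F,
    }


def profile_to_tlv(app: str, mode: str, vlan_id: Optional[int] = None,
                   cos: int = 0, dscp: int = 0) -> bytes:
    """Map the CLI keywords onto TLV flags (this mapping is the example's
    assumption): 'vlan' tags with the given VLAN, 'dot1p' tags with VLAN 0,
    'untagged' clears the tagged flag, 'none' sets the unknown-policy flag."""
    if mode == "vlan":
        if vlan_id is None:
            raise ValueError("vlan mode needs a vlan-id")
        return encode_network_policy_tlv(app, vlan_id, cos, dscp, tagged=True)
    if mode == "dot1p":
        return encode_network_policy_tlv(app, 0, cos, dscp, tagged=True)
    if mode == "untagged":
        return encode_network_policy_tlv(app, 0, cos, dscp, tagged=False)
    if mode == "none":
        return encode_network_policy_tlv(app, 0, 0, 0, unknown=True)
    raise ValueError(f"unknown tagging mode {mode!r}")


if __name__ == "__main__":
    # "voice vlan 100 cos 4" from the examples above
    tlv = profile_to_tlv("voice", "vlan", 100, cos=4)
    print(tlv.hex(), decode_network_policy_tlv(tlv))
```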
nmsp
To enable Network Mobility Services Protocol (NMSP) on the switch, use the nmsp command in global configuration mode. This command is available only when your switch is running the cryptographic (encrypted) software image. Use the no form of this command to return to the default setting.
nmsp { enable | { notification interval { attachment | location } interval-seconds}}
no nmsp { enable | { notification interval { attachment | location } interval-seconds}}
Syntax Description
enable |
Enables the NMSP features on the switch. |
notification interval |
Specifies the NMSP notification interval. |
attachment |
Specifies the attachment notification interval. |
location |
Specifies the location notification interval. |
interval-seconds |
Duration in seconds before a switch sends the MSE the location or attachment updates. The range is 1 to 30; the default is 30. |
Command Default
NMSP is disabled.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the nmsp global configuration command to enable the switch to send NMSP location and attachment notifications to a Cisco Mobility Services Engine (MSE).
Examples
This example shows how to enable NMSP on a switch and set the location notification time to 10 seconds:
Switch(config)# nmsp enable
Switch(config)# nmsp notification interval location 10
nmsp attachment suppress
To suppress the reporting of attachment information from a specified interface, use the nmsp attachment suppress command in interface configuration mode. This command is available only when your switch is running the cryptographic (encrypted) software image. Use the no form of this command to return to the default setting.
nmsp attachment suppress
no nmsp attachment suppress
Syntax Description
This command has no arguments or keywords.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Use the nmsp attachment suppress interface configuration command to configure an interface to not send location and attachment notifications to a Cisco Mobility Services Engine (MSE).
Examples
This example shows how to configure an interface to not send attachment information to the MSE:
Switch(config)# interface interface-id
Switch(config-if)# nmsp attachment suppress
Related Commands
|
|
nmsp |
Enables Network Mobility Services Protocol (NMSP) on the switch. |
show nmsp |
Displays the NMSP information. |
outside from
To translate outside addresses to inside addresses, use the outside from command in config-l2nat mode.
Enter the no form of this command to remove a translation.
outside from { host | range | network} original ip/ip subnet to translated ip/ip subnet [ mask ] number | mask
no outside from { host | range | network} original ip/ip subnet to translated ip/ip subnet [ mask ] number | mask
Syntax Description
host |
Translates a single host address. |
range |
Translates a range of host addresses. Specify the size of the range by entering the number. |
network |
Translates all host addresses in a subnet. The host octet must be 0, as in 1.1.0.0. If another value is entered, it will be ignored. When entering translated ip, include mask mask. |
original ip to translated ip |
The public IP address of the host, range, or network, and the corresponding private IP address. |
mask mask |
Optional except when using the network option. The subnet mask. Valid subnets are 255.255.0.0, 255.255.255.0, 255.255.255.128, 255.255.255.192, 255.255.255.224, and 255.255.255.240. |
number |
Optional except when using the range option. The size of the range. |
Command Modes
Config-l2nat
Command History
|
|
15.0(2)EB |
This command was introduced. |
Usage Guidelines
- Configure translations for each Layer 2 NAT instance.
- To ping from a device on the inside network to a device on the outside network, use the translated address of the outside device. For example, if outside host 10.10.10.1 is translated to inside host 192.168.1.1, ping 192.168.1.1.
- If the Layer 2 NAT instance already exists, the new translation values are appended to the previous list.
- Ranges:
– Ranges must not overlap one another.
– Ranges must not overlap with a /24 network configuration.
– The original and translated IP addresses must match one-to-one (x.x.x.1 to y.y.y.1, x.x.x.2 to y.y.y.2, and so on). If your original addresses and translated addresses do not correspond in this manner, use the host command to configure each address individually.
Examples
This example shows how to configure an instance named Instance1, to translate the outside address 10.1.0.100 to the internal address 192.168.0.100.
Switch(config)# l2nat instance Instance1
Switch(config-l2nat)# outside from host 10.1.0.100 to 192.168.0.100
This example shows how to configure an instance named Instance1, to translate a range of five outside addresses to corresponding internal addresses. 10.10.10.1 is mapped to 192.168.142.1, 10.10.10.2 to 192.168.142.2, and so on.
Switch(config)# l2nat instance Instance1
Switch(config-l2nat)# outside from range 10.10.10.1 to 192.168.142.1 5
This example shows how to configure an instance named Instance1, to translate all addresses in an external subnet to addresses on an internal subnet.
Switch(config)# l2nat instance Instance1
Switch(config-l2nat)# outside from network 20.20.30.0 to 192.168.142.0 mask 255.255.255.0
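The three forms of outside from (host, range and network) and the one-to-one, non-overlapping rules from the usage guidelines are modelled in the following Python, an added example that is not Cisco code. The Instance1 contents are constructed from the examples above (the network entry translates to 192.168.143.0 here so it does not collide with the range), and the lookups show which address an inside device must use to reach an outside host.

```python
"""Model the Layer 2 NAT outside-from translation table (host, range and
network entries) and the rules from the usage guidelines above. Added
example, not Cisco code; the instance contents are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VALID_MASKS = ("255.255.0.0", "255.255.255.0", "255.255.255.128",
               "255.255.255.192", "255.255.255.224", "255.255.255.240")


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _str(addr: int) -> str:
    return str(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Translation:
    kind: str        # "host", "range" or "network"
    original: int    # first outside (original) address
    translated: int  # first inside (translated) address
    size: int        # number of consecutive addresses covered

    def covers_original(self, addr: int) -> bool:
        return self.original <= addr < self.original + self.size

    def covers_translated(self, addr: int) -> bool:
        return self.translated <= addr < self.translated + self.size

    def overlaps(self, other: "Translation") -> bool:
        orig = (self.original < other.original + other.size
                and other.original < self.original + self.size)
        trans = (self.translated < other.translated + other.size
                 and other.translated < self.translated + self.size)
        return orig or trans


class L2NatInstance:
    def __init__(self, name: str) -> None:
        self.name = name
        self.translations: List[Translation] = []

    def _add(self, t: Translation) -> None:
        # The guidelines forbid overlapping ranges and range/network overlap; this
        # model rejects any overlap on either side so that lookups stay unambiguous.
        for existing in self.translations:
            if t.overlaps(existing):
                raise ValueError(f"{t.kind} translation overlaps existing {existing.kind} entry")
        self.translations.append(t)  # new values are appended to the previous list

    def outside_from_host(self, original: str, translated: str) -> None:
        self._add(Translation("host", _ip(original), _ip(translated), 1))

    def outside_from_range(self, original: str, translated: str, number: int) -> None:
        # Original and translated addresses correspond one-to-one (x.x.x.1 to y.y.y.1, ...).
        if number < 1:
            raise ValueError("range size must be at least 1")
        self._add(Translation("range", _ip(original), _ip(translated), number))

    def outside_from_network(self, original: str, translated: str, mask: str) -> None:
        if mask not in VALID_MASKS:
            raise ValueError(f"unsupported mask {mask}")
        m = _ip(mask)
        size = (~m & 0xFFFFFFFF) + 1
        # Host bits in the entered addresses are ignored, as the command reference states.
        self._add(Translation("network", _ip(original) & m, _ip(translated) & m, size))

    def outside_to_inside(self, outside: str) -> Optional[str]:
        """Address an inside device uses for an outside host (None if untranslated)."""
        addr = _ip(outside)
        for t in self.translations:
            if t.covers_original(addr):
                return _str(t.translated + (addr - t.original))
        return None

    def inside_to_outside(self, inside: str) -> Optional[str]:
        """Reverse lookup for traffic addressed to a translated address."""
        addr = _ip(inside)
        for t in self.translations:
            if t.covers_translated(addr):
                return _str(t.original + (addr - t.translated))
        return None


def build_instance1() -> L2NatInstance:
    """Constructed Instance1 combining the three example forms above."""
    inst = L2NatInstance("Instance1")
    inst.outside_from_host("10.1.0.100", "192.168.0.100")
    inst.outside_from_range("10.10.10.1", "192.168.142.1", 5)
    # Non-zero host octet (.7) is masked away, as the reference says it is ignored.
    inst.outside_from_network("20.20.30.7", "192.168.143.0", "255.255.255.0")
    return inst


if __name__ == "__main__":
    inst = build_instance1()
    print(inst.outside_to_inside("10.10.10.3"), inst.inside_to_outside("192.168.143.77"))
```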
Related Commands
|
|
inside from |
Translates inside addresses to outside addresses by using Layer 2 NAT. |
l2nat |
Applies a Layer 2 NAT instance to one or all VLANs on a selected interface. |
l2nat instance |
Creates a Layer 2 NAT instance or enters the submode for the specified Layer 2 NAT instance. |
show l2nat instance |
Displays the configuration details for a specified Layer 2 NAT instance. |
show l2nat interface |
Displays the configuration details for Layer 2 NAT instances on one or more interfaces. |
show l2nat statistics |
Displays the Layer 2 NAT statistics for all interfaces. |
show l2nat statistics interface |
Displays the Layer 2 NAT statistics for a specified interface. |
pagp learn-method
To learn the source address of incoming packets received from an EtherChannel port, use the pagp learn-method command in interface configuration mode. Use the no form of this command to return to the default setting.
pagp learn-method { aggregation-port | physical-port }
no pagp learn-method
Syntax Description
aggregation-port |
Specifies address learning on the logical port channel. |
physical-port |
Specifies address learning on the physical port within the EtherChannel. |
Command Default
The default is aggregation-port (logical port channel).
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
With aggregation-port learning (the default), the switch sends packets to the source using any of the ports in the EtherChannel; it is not important on which physical port the packet arrives.
With physical-port learning, the switch sends packets to the source using the same port in the EtherChannel from which it learned the source address. The other end of the channel uses the same port in the channel for a particular destination MAC or IP address.
The learn method must be configured the same at both ends of the link.
The switch supports address learning only on aggregate ports even though the physical-port keyword is provided in the command-line interface (CLI). The pagp learn-method and the pagp port-priority interface configuration commands have no effect on the switch hardware, but they are required for PAgP interoperability with devices that only support address learning by physical ports, such as the Catalyst 1900 switch.
When the link partner to the switch is a physical learner, we recommend that you configure the switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command and to set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command. Use the pagp learn-method interface configuration command only in this situation.
Examples
This example shows how to set the learning method to learn the address on the physical port within the EtherChannel:
Switch(config-if)# pagp learn-method physical-port
This example shows how to set the learning method to learn the address on the port channel within the EtherChannel:
Switch(config-if)# pagp learn-method aggregation-port
You can verify your settings by entering the show running-config privileged EXEC command or the show pagp channel-group-number internal privileged EXEC command.
Related Commands
Command | Description
pagp port-priority | Selects a port over which all traffic through the EtherChannel is sent.
show pagp | Displays PAgP channel-group information.
show running-config | Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0.
pagp port-priority
To select a port over which all Port Aggregation Protocol (PAgP) traffic through the EtherChannel is sent, use the pagp port-priority command in interface configuration mode. If all unused ports in the EtherChannel are in hot-standby mode, they can be placed into operation if the currently selected port and link fails. Use the no form of this command to return to the default setting.
pagp port-priority priority
no pagp port-priority
Syntax Description
priority |
A priority number ranging from 0 to 255. |
Command Default
The default is 128.
Command Modes
Interface configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
The physical port with the highest priority that is operational and has membership in the same EtherChannel is the one selected for PAgP transmission.
The switch supports address learning only on aggregate ports even though the physical-port keyword is provided in the command-line interface (CLI). The pagp learn-method and the pagp port-priority interface configuration commands have no effect on the switch hardware, but they are required for PAgP interoperability with devices that only support address learning by physical ports, such as the Catalyst 1900 switch.
When the link partner to the switch is a physical learner, we recommend that you configure the switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command and to set the load-distribution method based on the source MAC address by using the port-channel load-balance src-mac global configuration command. Use the pagp learn-method interface configuration command only in this situation.
Examples
This example shows how to set the port priority to 200:
Switch(config-if)# pagp port-priority 200
You can verify your setting by entering the show running-config privileged EXEC command or the show pagp channel-group-number internal privileged EXEC command.
Related Commands
Command | Description
pagp learn-method | Provides the ability to learn the source address of incoming packets.
show pagp | Displays PAgP channel-group information.
show running-config | Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0.
permit (ARP access-list configuration)
To permit an ARP packet based on matches against the Dynamic Host Configuration Protocol (DHCP) bindings, use the permit command in Address Resolution Protocol (ARP) access-list configuration mode. Use the no form of this command to remove the specified access control entry (ACE) from the access control list.
permit {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
no permit {[ request ] ip { any | host sender-ip | sender-ip sender-ip-mask } mac { any | host sender-mac | sender-mac sender-mac-mask } | response ip { any | host sender-ip | sender-ip sender-ip-mask } [{ any | host target-ip | target-ip target-ip-mask }] mac { any | host sender-mac | sender-mac sender-mac-mask } [{ any | host target-mac | target-mac target-mac-mask }]} [ log ]
Syntax Description
request |
(Optional) Requests a match for the ARP request. When request is not specified, matching is performed against all ARP packets. |
ip |
Specifies the sender IP address. |
any |
Accepts any IP or MAC address. |
host sender-ip |
Accepts the specified sender IP address. |
sender-ip sender-ip-mask |
Accepts the specified range of sender IP addresses. |
mac |
Specifies the sender MAC address. |
host sender-mac |
Accepts the specified sender MAC address. |
sender-mac sender-mac-mask |
Accepts the specified range of sender MAC addresses. |
response ip |
Defines the IP address values for the ARP responses. |
host target-ip |
(Optional) Accepts the specified target IP address. |
target-ip target-ip-mask |
(Optional) Accepts the specified range of target IP addresses. |
mac |
Specifies the MAC address values for the ARP responses. |
host target-mac |
(Optional) Accepts the specified target MAC address. |
target-mac target-mac-mask |
(Optional) Accepts the specified range of target MAC addresses. |
log |
(Optional) Logs a packet when it matches the ACE. Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. |
Command Modes
ARP access-list configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
You can add permit clauses to forward ARP packets based on some matching criteria.
Examples
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end
permit (config-l2nat configuration)
Only unicast traffic is subject to translation. To permit or block specified types of traffic that are not configured to be translated, use the permit command in config-l2nat mode.
Enter the no form of this command to drop specified types of traffic that are not configured to be translated.
permit { unmatched | multicast | igmp | all } [in|out]
no permit { unmatched | multicast | igmp | all } [in|out]
Note Pass-through protocols include SNMP, PROFINET, SIP (VoIP), Skinny, PTP, Telnet, FTP, and SSH. These protocols do not require any additional NAT processing above the IP layer.
Syntax Description
unmatched |
Unicast packets that are not included in translation entries for this Layer 2 NAT instance. |
multicast |
Multicast packets. |
igmp |
IGMP packets. |
all |
All unmatched, multicast, and IGMP packets. |
in |
(Optional) Packets coming in through the uplinks. Omit this parameter to apply this command to traffic in both directions (the default setting). |
out |
(Optional) Packets going out through the uplinks. Omit this parameter to apply this command to traffic in both directions (the default setting). |
Command Default
Drops all of the listed traffic types through the uplinks, in both directions.
Command Modes
Config-l2nat configuration
Command History
Release | Modification
15.0(2)EB | This command was introduced.
Usage Guidelines
Configure these settings for each Layer 2 NAT instance.
Examples
This example shows how to configure an instance named Instance1 to permit multicast traffic coming into the uplinks.
Switch(config)# l2nat instance Instance1
Switch(config-l2nat)# permit multicast in
Related Commands
Command | Description
l2nat | Applies a Layer 2 NAT instance to one or all VLANs on a selected interface.
l2nat instance | Creates a Layer 2 NAT instance or enters the submode for the specified Layer 2 NAT instance.
show l2nat instance | Displays the configuration details for a specified Layer 2 NAT instance.
show l2nat interface | Displays the configuration details for Layer 2 NAT instances on one or more interfaces.
show l2nat statistics | Displays the Layer 2 NAT statistics for all interfaces.
show l2nat statistics interface | Displays the Layer 2 NAT statistics for a specified interface.
permit (MAC access-list configuration)
To allow non-IP traffic to be forwarded if the conditions are matched, use the permit command in MAC access-list configuration mode. Use the no form of this command to remove a permit condition from the extended MAC access list.
permit | deny { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | cos cos | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp ]
no permit | deny { any | host src-MAC-addr | src-MAC-addr mask } { any | host dst-MAC-addr | dst-MAC-addr mask } [ type mask | cos cos | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo |vines-ip | xns-idp ]
Note Though visible in the command-line help strings, appletalk is not supported as a matching condition.
Syntax Description
deny |
Specifies to deny all non-IP traffic. |
any |
Matches any source or destination MAC address. |
host src-MAC-addr | src-MAC-addr mask |
Defines a source MAC address and optional address mask. If the source address of a packet matches the defined address, the ACE applies to non-IP traffic from that address. |
host dst-MAC-addr | dst-MAC-addr mask |
Defines a destination MAC address and optional address mask. If the destination address of a packet matches the defined address, the ACE applies to non-IP traffic to that address. |
type mask |
(Optional) The Ethertype number of a packet with Ethernet II or SNAP encapsulation that identifies the protocol of the packet.
- type is 0 to 65535, specified in hexadecimal.
- mask is a mask of don’t care bits applied to the Ethertype before testing for a match. |
aarp |
(Optional) Selects Ethertype AppleTalk Address Resolution Protocol that maps a data-link address to a network address. |
amber |
(Optional) Selects EtherType DEC-Amber. |
cos cos |
(Optional) Selects an arbitrary class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message appears if the cos option is configured. |
dec-spanning |
(Optional) Selects EtherType Digital Equipment Corporation (DEC) spanning tree. |
decnet-iv |
(Optional) Selects EtherType DECnet Phase IV protocol. |
diagnostic |
(Optional) Selects EtherType DEC-Diagnostic. |
dsm |
(Optional) Selects EtherType DEC-DSM. |
etype-6000 |
(Optional) Selects EtherType 0x6000. |
etype-8042 |
(Optional) Selects EtherType 0x8042. |
lat |
(Optional) Selects EtherType DEC-LAT. |
lavc-sca |
(Optional) Selects EtherType DEC-LAVC-SCA. |
lsap lsap-number mask |
(Optional) Specifies the LSAP number (0 to 65535) of a packet with 802.2 encapsulation to identify the protocol of the packet. The mask is a mask of don’t care bits applied to the LSAP number before testing for a match. |
mop-console |
(Optional) Selects EtherType DEC-MOP Remote Console. |
mop-dump |
(Optional) Selects EtherType DEC-MOP Dump. |
msdos |
(Optional) Selects EtherType DEC-MSDOS. |
mumps |
(Optional) Selects EtherType DEC-MUMPS. |
netbios |
(Optional) Selects EtherType DEC Network Basic Input/Output System (NETBIOS). |
vines-echo |
(Optional) Selects EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems. |
vines-ip |
(Optional) Selects EtherType VINES IP. |
xns-idp |
(Optional) Selects EtherType Xerox Network Systems (XNS) protocol suite. |
Command Default
This command has no defaults. However, the default action for a MAC-named ACL is to deny.
Command Modes
MAC access-list configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
To filter IPX traffic, you use the type mask or lsap lsap mask variables, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 1-9.
Table 1-9 IPX Filtering Criteria
Cisco IOS Name | Novell Name | Filter Criterion
arpa | Ethernet II | Ethertype 0x8137
snap | Ethernet-snap | Ethertype 0x8137
sap | Ethernet 802.2 | LSAP 0xE0E0
novell-ether | Ethernet 802.3 | LSAP 0xFFFF
You enter MAC access-list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the any or host keywords, you must enter an address mask.
After an access control entry (ACE) is added to an access control list, an implied deny any any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
For more information about MAC-named extended access lists, see the software configuration guide for this release.
Examples
This example shows how to define the MAC-named extended access list to allow NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is allowed.
Switch(config-ext-macl)# permit any host 00c0.00a0.03fa netbios
This example shows how to remove the permit condition from the MAC-named extended access list:
Switch(config-ext-macl)# no permit any 00c0.00a0.03fa 0000.0000.0000 netbios
This example permits all packets with Ethertype 0x4321:
Switch(config-ext-macl)# permit any any 0x4321 0
You can verify your settings by entering the show access-lists privileged EXEC command.
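The matching rules from the usage guidelines and the examples above, as an added Python evaluator (this is illustration code, not Cisco IOS code): `host` is an exact match, an explicit mask is a wildcard mask in which set bits are ignored (so the `0000.0000.0000` mask in the `no permit` example means exact match), the `type mask` and `lsap lsap mask` masks work the same way, the first matching ACE wins, a list holding at least one ACE ends in an implicit deny, and an empty list permits everything. The sample list and frames are constructed; named protocol keywords such as netbios are not modelled, so the hex `type mask` form is used instead.

```python
"""MAC access-list evaluator (an added illustration, not Cisco IOS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_ALL_ONES = 0xFFFFFFFFFFFF

Pattern = Tuple[int, int]  # (value, wildcard): bits set in the wildcard are ignored


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (00c0.00a0.03fa) or colon-separated notation."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def wildcard_match(value: int, pattern: Pattern) -> bool:
    want, wildcard = pattern
    return (value & ~wildcard) == (want & ~wildcard)


@dataclass
class MacAce:
    action: str                           # "permit" or "deny"
    src: Pattern
    dst: Pattern
    ethertype: Optional[Pattern] = None   # from the `type mask` form
    lsap: Optional[Pattern] = None        # from the `lsap lsap mask` form


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: Optional[int] = None       # Ethernet II / SNAP frames
    lsap: Optional[int] = None            # 802.2 frames (DSAP/SSAP pair)


def parse_ace(line: str) -> MacAce:
    """Parse the subset {permit|deny} SRC DST [type mask | lsap lsap mask],
    where SRC/DST is `any`, `host MAC`, or `MAC MASK` (hex values as typed)."""
    toks = line.split()
    action, pos = toks[0], 1
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")

    def take_addr() -> Pattern:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return (0, MAC_ALL_ONES)        # every bit is "don't care"
        if toks[pos] == "host":
            pos += 2
            return (mac_to_int(toks[pos - 1]), 0)   # exact match
        pos += 2
        return (mac_to_int(toks[pos - 2]), mac_to_int(toks[pos - 1]))

    src, dst = take_addr(), take_addr()
    ethertype = lsap = None
    if pos < len(toks):
        if toks[pos] == "lsap":
            lsap = (int(toks[pos + 1], 16), int(toks[pos + 2], 16))
        else:
            ethertype = (int(toks[pos], 16), int(toks[pos + 1], 16))
    return MacAce(action, src, dst, ethertype, lsap)


def ace_matches(ace: MacAce, frame: Frame) -> bool:
    if not wildcard_match(mac_to_int(frame.src), ace.src):
        return False
    if not wildcard_match(mac_to_int(frame.dst), ace.dst):
        return False
    if ace.ethertype is not None:
        if frame.ethertype is None or not wildcard_match(frame.ethertype, ace.ethertype):
            return False
    if ace.lsap is not None:
        if frame.lsap is None or not wildcard_match(frame.lsap, ace.lsap):
            return False
    return True


def evaluate(acl: List[MacAce], frame: Frame) -> str:
    """Return 'permit' or 'deny' for one non-IP frame checked against the list."""
    if not acl:
        return "permit"        # before the first ACE is added, the list permits all packets
    for ace in acl:
        if ace_matches(ace, frame):
            return ace.action  # first match wins
    return "deny"              # implied deny any any at the end of a non-empty list


# Constructed sample list: an explicit deny, the IPX criteria from Table 1-9,
# and the Ethertype 0x4321 example from above.
SAMPLE_ACL = [parse_ace(line) for line in (
    "deny host 0011.2233.4455 any",
    "permit any host 00c0.00a0.03fa 0x8137 0",   # IPX over Ethernet II / SNAP
    "permit any any lsap 0xE0E0 0",               # IPX over 802.2 (sap)
    "permit any any 0x4321 0",
)]

if __name__ == "__main__":
    for f in (Frame("0011.2233.4455", "00c0.00a0.03fa", ethertype=0x8137),
              Frame("0011.2233.4466", "00c0.00a0.03fa", ethertype=0x8137),
              Frame("0011.2233.4466", "1111.2222.3333", lsap=0xE0E0),
              Frame("0011.2233.4466", "1111.2222.3333", ethertype=0x8137)):
        print(f, "->", evaluate(SAMPLE_ACL, f))
```

The fourth sample frame shows the implicit deny at work: it carries the IPX Ethertype but is not addressed to the permitted host and is not an 802.2 frame, so no ACE matches and the list denies it.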
police
To define a policer for classified traffic, use the police command in policy-map class configuration mode. A policer defines a maximum permissible rate of transmission, a maximum burst size for transmissions, and an action to take if either maximum is exceeded. Use the no form of this command to remove an existing policer.
police rate-bps burst-byte [ exceed-action { drop | policed-dscp-transmit }]
no police rate-bps burst-byte [ exceed-action { drop | policed-dscp-transmit }]
Syntax Description
rate-bps |
The average traffic rate in bits per second (b/s). The range is 1000000 to 1000000000. |
burst-byte |
The normal burst size in bytes. The range is 8000 to 1000000. |
exceed-action drop |
(Optional) When the specified rate is exceeded, specifies that the switch drop the packet. |
exceed-action policed-dscp-transmit |
(Optional) When the specified rate is exceeded, specifies that the switch changes the Differentiated Services Code Point (DSCP) of the packet to that specified in the policed-DSCP map and then sends the packet. |
Command Default
No policers are defined.
Command Modes
Policy-map class configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
When configuring hierarchical policy maps, you can only use the police policy-map command in a secondary interface-level policy map.
The port ASIC device, which controls more than one physical port, supports 256 policers (255 user-configurable policers plus 1 policer reserved for internal use). The maximum number of user-configurable policers supported per port is 63. Policers are allocated on demand by the software and are constrained by the hardware and ASIC boundaries. You cannot reserve policers per port. There is no guarantee that a port will be assigned to any policer.
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
Policing uses a token-bucket algorithm. You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using the burst-byte option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command. You configure how quickly (the average rate) the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command. For more information, see the software configuration guide for this release.
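The token-bucket behaviour described above, as an added Python model (illustration code, not Cisco IOS code): rate-bps becomes a bytes-per-second refill rate, burst-byte is the bucket depth, a packet conforms only if the bucket holds at least its length in tokens, and both exceed actions are modelled. The range checks use the limits from the Syntax Description; the policed-DSCP map, the trace and the `Policer` and `run_trace` names are constructed for the example.

```python
"""Token-bucket policer model (an added illustration, not Cisco IOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DROP = "drop"
POLICED_DSCP_TRANSMIT = "policed-dscp-transmit"

# Constructed stand-in for the map set with `mls qos map policed-dscp`: DSCP in -> DSCP out.
POLICED_DSCP_MAP: Dict[int, int] = {46: 0, 34: 26, 26: 0}


@dataclass
class Policer:
    rate_bps: int                    # average rate, 1000000..1000000000 b/s (rate-bps)
    burst_bytes: int                 # bucket depth, 8000..1000000 bytes (burst-byte)
    exceed_action: str = DROP
    tokens: float = field(init=False, default=0.0)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if not 1_000_000 <= self.rate_bps <= 1_000_000_000:
            raise ValueError("rate-bps must be 1000000..1000000000")
        if not 8_000 <= self.burst_bytes <= 1_000_000:
            raise ValueError("burst-byte must be 8000..1000000")
        if self.exceed_action not in (DROP, POLICED_DSCP_TRANSMIT):
            raise ValueError("unknown exceed-action")
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def _replenish(self, now: float) -> None:
        """Add tokens for the elapsed time; the bucket never exceeds its depth."""
        if now < self.last_time:
            raise ValueError("timestamps must not go backwards")
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + (now - self.last_time) * self.rate_bps / 8.0)
        self.last_time = now

    def police(self, now: float, length: int, dscp: int) -> Tuple[str, Optional[int]]:
        """Return ("transmit", dscp_out) or ("drop", None) for one packet."""
        self._replenish(now)
        if length <= self.tokens:
            self.tokens -= length            # in profile: consume tokens, forward unchanged
            return ("transmit", dscp)
        if self.exceed_action == DROP:
            return ("drop", None)
        # Out of profile: mark down through the policed-DSCP map and still forward.
        return ("transmit", POLICED_DSCP_MAP.get(dscp, dscp))


def run_trace(policer: Policer, packets: List[Tuple[float, int, int]]) -> Dict[str, int]:
    """Feed (time_s, length_bytes, dscp) packets through the policer and count outcomes."""
    counts = {"transmit": 0, "drop": 0, "marked_down": 0}
    for now, length, dscp in packets:
        action, dscp_out = policer.police(now, length, dscp)
        counts[action] += 1
        if action == "transmit" and dscp_out != dscp:
            counts["marked_down"] += 1
    return counts


# Constructed trace: a burst of 30 EF (DSCP 46) packets of 1500 bytes arriving at once.
BURST_TRACE = [(0.0, 1500, 46) for _ in range(30)]

if __name__ == "__main__":
    # 1 Mb/s with a 20 KB burst, as in the examples below: 13 packets fit in the bucket.
    print(run_trace(Policer(1_000_000, 20_000, DROP), BURST_TRACE))
    print(run_trace(Policer(1_000_000, 20_000, POLICED_DSCP_TRANSMIT), BURST_TRACE))
```

With the 1 Mb/s, 20 000-byte configuration from the examples, 13 of the 30 burst packets (19 500 bytes) conform and the rest are either dropped or forwarded with DSCP 0, depending on the exceed action; 100 ms later the bucket has refilled by 12 500 bytes.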
Examples
This example shows how to configure a policer that drops packets if traffic exceeds 1 Mb/s average rate with a burst size of 20 KB. The DSCPs of incoming packets are trusted, and there is no packet modification.
Switch(config)# policy-map policy1
Switch(config-pmap)# class class1
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police 1000000 20000 exceed-action drop
Switch(config-pmap-c)# exit
This example shows how to configure a policer, which marks down the DSCP values with the values defined in policed-DSCP map and sends the packet:
Switch(config)# policy-map policy2
Switch(config-pmap)# class class2
Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
Command | Description
class | Defines a traffic classification match criteria (through the police, set, and trust policy-map class configuration commands) for the specified class-map name.
mls qos map policed-dscp | Applies a policed-DSCP map to a DSCP-trusted port.
policy-map | Creates or modifies a policy map that can be attached to multiple ports to specify a service policy.
set | Classifies IP traffic by setting a DSCP or IP-precedence value in the packet.
show policy-map | Displays quality of service (QoS) policy maps.
trust | Defines a trust state for traffic classified through the class policy-map configuration or the class-map global configuration command.
police aggregate
To apply an aggregate policer to multiple classes in the same policy map, use the police aggregate command in policy-map class configuration mode. Use the no form of this command to remove the specified policer.
police aggregate aggregate-policer-name
no police aggregate aggregate-policer-name
Syntax Description
aggregate-policer-name |
Name of the aggregate policer. |
Command Default
No aggregate policers are defined.
Command Modes
Policy-map class configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
A policer defines a maximum permissible rate of transmission, a maximum burst size for transmissions, and an action to take if either maximum is exceeded.
The port ASIC device, which controls more than one physical port, supports 256 policers (255 user-configurable policers plus 1 policer reserved for internal use). The maximum number of user-configurable policers supported per port is 63. Policers are allocated on demand by the software and are constrained by the hardware and ASIC boundaries. You cannot reserve policers per port. There is no guarantee that a port will be assigned to any policer.
You set aggregate policer parameters by using the mls qos aggregate-policer global configuration command. You apply an aggregate policer to multiple classes in the same policy map; you cannot use an aggregate policer across different policy maps.
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
You cannot configure aggregate policers in hierarchical policy maps.
Examples
This example shows how to define the aggregate policer parameters and to apply the policer to multiple classes in a policy map:
Switch(config)# mls qos aggregate-policer agg_policer1 exceed-action drop
Switch(config)# policy-map policy2
Switch(config-pmap)# class class1
Switch(config-pmap-c)# police aggregate agg_policer1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class2
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# police aggregate agg_policer1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class3
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police aggregate agg_policer2
Switch(config-pmap-c)# exit
You can verify your settings by entering the show mls qos aggregate-policer privileged EXEC command.
policy-map
To create or modify a policy map that can be attached to multiple physical ports or switch virtual interfaces (SVIs) and to enter policy-map configuration mode, use the policy-map command in global configuration mode. Use the no form of this command to delete an existing policy map and to return to global configuration mode.
policy-map policy-map-name
no policy-map policy-map-name
Syntax Description
policy-map-name |
Name of the policy map. |
Command Default
No policy maps are defined.
The default behavior is to set the Differentiated Services Code Point (DSCP) to 0 if the packet is an IP packet and to set the class of service (CoS) to 0 if the packet is tagged. No policing is performed.
Command Modes
Global configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
After entering the policy-map command, you enter policy-map configuration mode, and these configuration commands are available:
- class—Defines the classification match criteria for the specified class map. For more information, see the “class” section.
- description—Describes the policy map (up to 200 characters).
- exit—Exits policy-map configuration mode and returns you to global configuration mode.
- no—Removes a previously defined policy map.
- rename—Renames the current policy map.
To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
Before configuring policies for classes whose match criteria are defined in a class map, use the policy-map command to specify the name of the policy map to be created, added to, or modified. Entering the policy-map command also enables the policy-map configuration mode in which you can configure or modify the class policies for that policy map.
You can configure class policies in a policy map only if the classes have match criteria defined for them. To configure the match criteria for a class, use the class-map global configuration and match class-map configuration commands. You define packet classification on a physical-port basis.
Only one policy map per ingress port or SVI is supported. You can apply the same policy map to multiple physical ports or SVIs.
You can apply a nonhierarchical policy map to physical ports or to SVIs. However, you can only apply a hierarchical policy map to SVIs.
A hierarchical policy map has two levels. The first level, the VLAN level, specifies the actions to be taken against a traffic flow on an SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map.
In a primary VLAN-level policy map, you can only configure the trust state or set a new DSCP or IP precedence value in the packet. In a secondary interface-level policy map, you can only configure individual policers on physical ports that belong to the SVI.
After the hierarchical policy map is attached to an SVI, an interface-level policy map cannot be modified or removed from the hierarchical policy map. A new interface-level policy map also cannot be added to the hierarchical policy map. If you want these changes to occur, the hierarchical policy map must first be removed from the SVI.
For more information about hierarchical policy maps, see the “Policing on SVIs” section in the “Configuring QoS” chapter of the software configuration guide for this release.
Examples
This example shows how to create a policy map called policy1. When attached to the ingress port, it matches all the incoming traffic defined in class1, sets the IP DSCP to 10, and polices the traffic at an average rate of 1 Mb/s and bursts at 20 KB. Traffic exceeding the profile is marked down to a DSCP value received from the policed-DSCP map and then sent.
Switch(config)# policy-map policy1
Switch(config-pmap)# class class1
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
This example shows how to configure multiple classes in a policy map called policymap2:
Switch(config)# policy-map policymap2
Switch(config-pmap)# class class1
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# police 100000 20000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class2
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police 100000 20000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class3
Switch(config-pmap-c)# set dscp 0 (no policer)
Switch(config-pmap-c)# exit
This example shows how to create a hierarchical policy map and attach it to an SVI:
Switch(config)# class-map cm-non-int
Switch(config-cmap)# match access-group 101
Switch(config-cmap)# exit
Switch(config)# class-map cm-non-int-2
Switch(config-cmap)# match access-group 102
Switch(config-cmap)# exit
Switch(config)# class-map cm-test-int
Switch(config-cmap)# match input-interface gigabitethernet1/2 - gigabitethernet1/2
Switch(config-cmap)# exit
Switch(config)# policy-map pm-test-int
Switch(config-pmap)# class cm-test-int
Switch(config-pmap-c)# police 18000000 8000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# policy-map pm-test-pm-2
Switch(config-pmap)# class cm-non-int
Switch(config-pmap-c)# set dscp 7
Switch(config-pmap-c)# service-policy pm-test-int
Switch(config-pmap)# class cm-non-int-2
Switch(config-pmap-c)# set dscp 15
Switch(config-pmap-c)# service-policy pm-test-int
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface vlan 10
Switch(config-if)# service-policy input pm-test-pm-2
This example shows how to delete policymap2:
Switch(config)# no policy-map policymap2
You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
Command | Description
class | Defines a traffic classification match criteria (through the police, set, and trust policy-map class configuration command) for the specified class-map name.
class-map | Creates a class map to be used for matching packets to the class whose name you specify.
service-policy | Applies a policy map to a port.
show mls qos vlan | Displays the quality of service (QoS) policy maps attached to an SVI.
show policy-map | Displays QoS policy maps.
port-channel load-balance
To set the load-distribution method among the ports in the EtherChannel, use the port-channel load-balance command in global configuration mode. Use the no form of this command to return to the default setting.
port-channel load-balance { dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac }
no port-channel load-balance
Syntax Description
dst-ip |
Sets distribution based on the destination host IP address. |
dst-mac |
Sets distribution based on the destination host MAC address. Packets to the same destination are sent on the same port, but packets to different destinations are sent on different ports in the channel. |
src-dst-ip |
Sets distribution based on the source and destination host IP address. |
src-dst-mac |
Sets distribution based on the source and destination host MAC address. |
src-ip |
Sets distribution based on the source host IP address. |
src-mac |
Sets distribution based on the source MAC address. Packets from different hosts use different ports in the channel, but packets from the same host use the same port. |
Command Default
The default is src-mac.
Command Modes
Global configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
For information about when to use these forwarding methods, see the “Configuring EtherChannels” chapter in the software configuration guide for this release.
Examples
This example shows how to set the load-distribution method to dst-mac:
Switch(config)# port-channel load-balance dst-mac
You can verify your setting by entering the show running-config privileged EXEC command or the show etherchannel load-balance privileged EXEC command.
Related Commands
Command | Description
interface port-channel | Accesses or creates the port channel.
show etherchannel | Displays EtherChannel information for a channel.
show running-config | Displays the current operating configuration. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0.
power-supply dual
To set the dual power supply mode of operation, use the power-supply dual command in global configuration mode. Use the no form of this command to return to the default single power supply mode.
power-supply dual
no power-supply dual
Syntax Description
This command has no arguments or keywords.
Command Default
By default, the system operates in single power mode.
Command Modes
Global configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
The switch has two DC power inputs. When the switch is connected to a second DC input and put in dual power supply mode, the second power supply provides power to the switch if the primary supply fails.
When the switch is in dual power supply mode, you can use the alarm facility power-supply global configuration command to set alarm options. You can use the show facility-alarm status user EXEC command to monitor for a missing or failed primary power supply.
Examples
This example shows how to set the switch in a dual power supply mode:
Switch(config)# power-supply dual
priority-queue
To enable the egress expedite queue on a port, use the priority-queue command in interface configuration mode. Use the no form of this command to return to the default setting.
priority-queue out
no priority-queue out
Syntax Description
out |
Enables the egress expedite queue. |
Command Default
The egress expedite queue is disabled.
Command Modes
Interface configuration
Command History
Release | Modification
15.0(1)EY | This command was introduced.
Usage Guidelines
When you configure the priority-queue out command, the shaped round robin (SRR) weight ratios are affected because there is one fewer queue participating in SRR. This means that weight1 in the srr-queue bandwidth shape or the srr-queue bandwidth share interface configuration command is ignored (not used in the ratio calculation). The expedite queue is a priority queue, and it is serviced until empty before the other queues are serviced.
Follow these guidelines when the expedite queue is enabled or the egress queues are serviced based on their SRR weights:
- If the egress expedite queue is enabled, it overrides the SRR shaped and shared weights for queue 1.
- If the egress expedite queue is disabled and the SRR shaped and shared weights are configured, the shaped mode overrides the shared mode for queue 1, and SRR services this queue in shaped mode.
- If the egress expedite queue is disabled and the SRR shaped weights are not configured, SRR services the queue in shared mode.
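A constructed scheduling model for the guidelines above (an added example, not Cisco IOS code): when `priority-queue out` is set, queue 1 becomes a strict-priority expedite queue that is drained before any other queue moves and its weight leaves the ratio; otherwise the four queues share the port in proportion to their shared weights. Deficit round robin with byte credits stands in for SRR shared mode; shaped mode and the hardware's exact granularity are not modelled, and the packet sizes are sample values (the weights are the `srr-queue bandwidth share 30 20 25 25` values used in the examples below).

```python
"""Egress queue scheduling model for `priority-queue out` (an added illustration, not Cisco IOS code)."""
from collections import deque
from typing import Deque, List, Sequence, Tuple

Packet = Tuple[str, int]   # (packet id, length in bytes)


def schedule(queues: Sequence[Sequence[Packet]], share_weights: Sequence[int],
             priority_queue_out: bool, max_rounds: int = 10_000) -> List[str]:
    """Return the order in which packet ids leave the port."""
    if len(queues) != 4 or len(share_weights) != 4:
        raise ValueError("expected four egress queues and four weights")
    qs: List[Deque[Packet]] = [deque(q) for q in queues]
    credit = [0] * 4
    order: List[str] = []

    def drain_expedite() -> None:
        # The expedite queue is serviced until empty before anything else is sent.
        while qs[0]:
            order.append(qs[0].popleft()[0])

    for _ in range(max_rounds):
        if not any(qs):
            break
        for i in range(4):
            if priority_queue_out:
                drain_expedite()
                if i == 0:
                    continue       # weight1 is not used in the ratio calculation
            if not qs[i]:
                credit[i] = 0      # an idle queue does not bank credit (deficit round robin)
                continue
            credit[i] += share_weights[i]
            while qs[i] and qs[i][0][1] <= credit[i]:
                credit[i] -= qs[i][0][1]
                order.append(qs[i].popleft()[0])
                if priority_queue_out:
                    drain_expedite()   # new expedite traffic pre-empts the other queues
    return order


def make_queues(per_queue: int = 12, length: int = 10) -> List[List[Packet]]:
    """Constructed sample: equal-length packets waiting in each of the four queues."""
    return [[(f"q{q}-{n}", length) for n in range(per_queue)] for q in range(1, 5)]


def count_by_queue(ids: Sequence[str]) -> List[int]:
    """How many of the given packet ids came from each queue (index 0 = queue 1)."""
    counts = [0] * 4
    for pid in ids:
        counts[int(pid[1]) - 1] += 1
    return counts


if __name__ == "__main__":
    weights = (30, 20, 25, 25)   # the srr-queue bandwidth share values from the examples
    for enabled in (False, True):
        out = schedule(make_queues(), weights, enabled)
        label = "priority-queue out" if enabled else "no priority-queue out"
        print(label, "-> queue share of the first 20 packets:", count_by_queue(out[:20]))
```

With the expedite queue disabled, the first 20 packets leave in the 30:20:25:25 ratio (6, 4, 5, 5 per queue); with it enabled, all of queue 1 leaves first and the remaining queues then share the port 20:25:25.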
Examples
This example shows how to enable the egress expedite queue when the SRR weights are configured. The egress expedite queue overrides the configured SRR weights.
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# srr-queue bandwidth shape 25 0 0 0
Switch(config-if)# srr-queue bandwidth share 30 20 25 25
Switch(config-if)# priority-queue out
This example shows how to disable the egress expedite queue after the SRR shaped and shared weights are configured. The shaped mode overrides the shared mode.
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# srr-queue bandwidth shape 25 0 0 0
Switch(config-if)# srr-queue bandwidth share 30 20 25 25
Switch(config-if)# no priority-queue out
You can verify your settings by entering the show mls qos interface interface-id queueing or the show running-config privileged EXEC command.
Related Commands
Command | Description
show mls qos interface queueing | Displays the queueing strategy (SRR, priority queueing), the weights corresponding to the queues, and the CoS-to-egress-queue map.
srr-queue bandwidth shape | Assigns the shaped weights and enables bandwidth shaping on the four egress queues mapped to a port.
srr-queue bandwidth share | Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port.
profinet
To configure the switch as a PROFINET Input/Output (IO) device, use the profinet command in global configuration mode. Use the no form of this command to disable the PROFINET feature.
profinet [ id line | vlan vlan-id ]
no profinet [ id line | vlan vlan-id ]
Syntax Description
id line |
(Optional) Configures the PROFINET device name by using the Cisco IOS software. The maximum length is 240 characters. The only special characters allowed are the period (.) and hyphen (-), and they are allowed only in specific positions within the ID string. The PROFINET ID can have multiple labels within the string. Each label can be from 1 to 63 characters, and labels must be separated by a period (.). The final character in the string must not be zero (0). For more details about configuring the PROFINET ID, see the PROFINET specification, document number TC2-06-0007a, file name PN-AL-protocol_2722_V22_Oct07, available from PROFIBUS. |
vlan vlan id |
(Optional) Specifies the VLAN to be used for PROFINET. The VLAN ID range is 1 to 4094. |
Command Default
PROFINET is configured.
The PROFINET ID is not configured.
The default VLAN is 1.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Typically, a PROFINET configuration is set up without use of the Cisco command-line interface (CLI). The PROFINET management software uses the Layer 2 Discovery and Configuration Protocol (DCP) to assign an IP address and PROFINET ID to the switch and configures the default VLAN number.
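The ID rules above are easy to get wrong by hand, and a name that DCP will reject is a common reason a device never shows up under its intended name. The validator below is an added example, not code from the Cisco command reference; it encodes the stated rules (240 characters overall, labels of 1 to 63 characters separated by periods, only period and hyphen as special characters, final character not zero). Two details the page does not spell out are assumptions marked in the code: labels are lowercase letters and digits, and a hyphen may not start or end a label.

```python
import re

# Added example (not from the Cisco command reference): validate a PROFINET device
# name against the rules given for the "profinet id" argument.
MAX_TOTAL_LEN = 240          # whole ID string
MAX_LABEL_LEN = 63           # each period-separated label
# Assumptions not spelled out on the page: labels use lowercase letters and digits,
# and a hyphen may not start or end a label (the DNS-style position rule).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def validate_profinet_id(name: str) -> list[str]:
    """Return the list of rule violations; an empty list means the name is acceptable."""
    problems: list[str] = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_TOTAL_LEN:
        problems.append(f"total length {len(name)} exceeds {MAX_TOTAL_LEN}")
    if name.endswith("0"):
        problems.append("final character must not be '0'")
    for bad in sorted(set(re.findall(r"[^a-z0-9.-]", name))):
        problems.append(f"character {bad!r} is not allowed (only letters, digits, '.' and '-')")
    for idx, label in enumerate(name.split(".")):
        if label == "":
            problems.append(f"label {idx} is empty ('.' at the start or end, or two in a row)")
        elif len(label) > MAX_LABEL_LEN:
            problems.append(f"label {idx} is {len(label)} characters; the limit is {MAX_LABEL_LEN}")
        elif not LABEL_RE.match(label):
            problems.append(f"label {idx} {label!r} has a disallowed character or a misplaced '-'")
    return problems


def is_valid_profinet_id(name: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    return not validate_profinet_id(name)


if __name__ == "__main__":
    # Constructed sample names, chosen to trip each rule once.
    for candidate in ("plc-line1.cell3", "switch0", "-bad.label", "UPPER.case", "a" * 64):
        print(f"{candidate[:20]!r:24} -> {validate_profinet_id(candidate) or 'ok'}")
```

Because DCP assigns the name and IP address over Layer 2 without authentication, a defender will usually pair a validator like this with a review of which VLAN carries PROFINET traffic (the vlan argument above), so that the management software and the devices it configures are not reachable from general-purpose segments.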
Examples
This example shows how to configure a switch as a PROFINET IO-device:
Switch# configure terminal
Switch(config)# profinet
psp
To control the rate at which protocol packets are sent to the switch, use the psp command in global configuration mode to specify the upper threshold for the packet flow rate. To disable protocol storm protection, use the no version of the command.
psp { arp | dhcp | igmp } pps value
no psp { arp | dhcp | igmp }
Syntax Description
arp |
Sets protocol packet flow rate for ARP and ARP snooping. |
dhcp |
Sets protocol packet flow rate for DHCP and DHCP snooping. |
igmp |
Sets protocol packet flow rate for IGMP and IGMP snooping. |
pps value |
Specifies the threshold value for the number of packets per second. If the traffic exceeds this value, protocol storm protection is enforced. The range is from 5 to 50 packets per second. |
Command Default
Protocol storm protection is disabled by default.
Command Modes
Global configuration
Command History
|
|
15.0(58)SE |
This command was introduced. |
Usage Guidelines
The supported protocols are Address Resolution Protocol (ARP), ARP snooping, Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol (IGMP), and IGMP snooping.
To set error-disable detection protocol storm protection, use the errdisable detect cause psp global configuration command.
When protocol storm protection is configured, a counter records the number of dropped packets. To see the number of dropped packets for a specific protocol, use the show psp statistics { arp | dhcp | igmp } privileged EXEC command. To see the number of dropped packets for all protocols, use the show psp statistics all command. To clear the counter for a protocol, use the clear psp counter [ arp | dhcp | igmp ] command.
ptp (global configuration)
To set the clock properties for Precision Time Protocol (PTP), use the ptp command in global configuration mode. Use the no form of this command to return to the default end-to-end transparent clock mode.
ptp { mode { boundary | e2etransparent | forward } | priority1 value | priority2 value }
no ptp { mode | priority1 | priority2 }
Syntax Description
mode |
Configures the clock mode. |
boundary |
Acts as a grandmaster clock and the parent clock to all connected devices. Enables the switch to participate in selecting the most accurate master clock. Use this mode when overload or heavy load conditions produce significant delay jitter. |
e2etransparent |
Synchronizes all switch ports with the master clock. This is the default clock mode. |
forward |
Allows the incoming PTP packets to pass through the switch as normal multicast traffic. |
priority1 value |
Overrides the default criteria (such as clock quality and clock class) for the most accurate master clock selection. Lower values take precedence. The range is from 0 to 255. The default is 128. |
priority2 value |
Breaks the tie between two switches that match default criteria. For example, you can use a priority 2 value to give a specific switch priority over other identical switches. The range is from 0 to 255. The default is 128. |
Command Default
The default mode is end-to-end transparent clock mode.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Clock synchronization ensures that the switch and other network devices use the same time base for events and timestamps. After initial synchronization, the switch and the connected devices exchange timing messages to correct time skew caused by clock offsets and network delays.
When boundary clock mode is selected, the switch can become the master clock if more accurate clocks are not selected.
When e2etransparent clock mode is selected, the switch does not participate in the master clock selection and does not synchronize with the master clock. This mode causes less jitter and error accumulation than boundary mode.
If clock selection criteria are equal (including priority2), the clock identity (switch MAC address) is the tie-breaker.
Network master clock selection operates continuously. When a device is added to the network, it announces itself and its clock parameters. If the new clock is more accurate than the existing clocks, it becomes the master, and other clocks synchronize with it.
The ptp priority1 and ptp priority2 commands are available only when the switch is in boundary mode.
If you enter the show ptp clock or show ptp port privileged EXEC command when the switch is in PTP forward mode, an error message states that no information is available.
When the switch is in PTP forward mode, you can change only the PTP configuration mode. You cannot configure PTP port properties when the switch is in forward mode.
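The usage guidelines describe the order in which a boundary clock compares announced clocks: priority1 first, then clock quality, then priority2, and finally the clock identity (the switch MAC address) as the tie-breaker. The comparator below is an added example written for this page, not Cisco's implementation of PTP. It uses a single clock_class field as a stand-in for "clock quality" (an assumption; real IEEE 1588 quality carries several fields) and constructed MAC addresses as identities.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PtpClock:
    """Announce attributes a boundary clock compares (constructed sample data)."""
    identity: str            # clock identity; on this switch it is the MAC address
    priority1: int = 128     # 0-255, default 128 (ptp priority1)
    clock_class: int = 248   # stand-in for "clock quality"; lower is better (assumption)
    priority2: int = 128     # 0-255, default 128 (ptp priority2)


def _identity_value(identity: str) -> int:
    """Normalise an identity such as 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e to an integer."""
    hexdigits = "".join(ch for ch in identity if ch not in ":.-")
    return int(hexdigits, 16)


def rank_key(clock: PtpClock) -> tuple:
    """Lower tuples win. The step order follows the command reference: priority1,
    then clock quality, then priority2, then clock identity as the final tie-breaker."""
    for field in ("priority1", "priority2"):
        value = getattr(clock, field)
        if not 0 <= value <= 255:
            raise ValueError(f"{field} must be 0-255, got {value}")
    return (clock.priority1, clock.clock_class, clock.priority2, _identity_value(clock.identity))


def select_master(clocks: list[PtpClock]) -> PtpClock:
    """Return the clock that wins master selection among the announced clocks."""
    if not clocks:
        raise ValueError("no clocks announced")
    return min(clocks, key=rank_key)


def decided_by(a: PtpClock, b: PtpClock) -> str:
    """Name the first criterion that separates two clocks, or 'equal' if none does."""
    names = ("priority1", "clock_class", "priority2", "identity")
    for name, x, y in zip(names, rank_key(a), rank_key(b)):
        if x != y:
            return name
    return "equal"


if __name__ == "__main__":
    # Three switches with default settings except where noted (constructed values).
    sw1 = PtpClock("00:1a:2b:3c:4d:5e")
    sw2 = PtpClock("00:1a:2b:3c:4d:5f", priority1=55)      # "ptp priority1 55"
    sw3 = PtpClock("00:1a:2b:3c:4d:60", priority2=10)      # "ptp priority2 10"
    winner = select_master([sw1, sw2, sw3])
    print("master:", winner.identity, "decided by", decided_by(winner, sw1))
```

The ordering makes the security-relevant point of the guidelines concrete: because the selection runs continuously and a newly announced clock with a lower priority1 takes over immediately, the priority1 values in a boundary-clock domain decide which device every other switch will trust for time, so they deserve the same change control as any other authoritative setting.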
Examples
This example shows how to configure the clock to end-to-end transparent mode:
Switch(config)# ptp mode e2etransparent
This example shows how to configure the local clock priority 1 value to 55:
Switch(config)# ptp priority1 55
ptp (interface configuration)
To specify the Precision Time Protocol (PTP) timing settings on a port, use the ptp command in interface configuration mode. Use the no form of this command to return to the default settings.
ptp { announce { interval value | timeout value } | delay-req interval value | enable | sync { interval value | limit value }}
no ptp { announce { interval value | timeout value } | delay-req interval value | enable | sync { interval value | limit value }}
Syntax Description
announce interval value |
Sets the transmittal log mean interval for the announce message. The range is 0 to 4. The default is 1 (2 seconds). |
announce timeout value |
Sets the time for announcing timeout messages. The range is 2 to 10 messages missed. The default is 3 messages missed. |
delay-req interval value |
Sets the transmittal log mean interval for the delay request message. The range is 0.5 second to 64 seconds. The default is 5 (32 seconds). |
enable |
Enables PTP on a port. |
sync interval value |
Sets the transmittal log mean interval for the sync message. The range is 0.5 second to 2 seconds. The default is 1 second. |
sync limit value |
Sets the maximum offset value from the master clock before clock synchronization fails. The range is 50 to 500000000 nanoseconds. The default is 500000000 nanoseconds. |
Command Default
PTP is enabled.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The messages configured by the ptp announce interval, ptp sync interval, ptp follow-up, and ptp delay-response commands are sent only when the port enters the master state.
The timing settings are only available when the switch is in boundary mode.
Examples
This example shows how to set the announce message transmit interval to a value of 3 on Gigabit Ethernet port 1:
Switch(config)# interface gi1/1
Switch(config-if)# ptp announce interval 3
queue-set
To map a port to a queue set, use the queue-set command in interface configuration mode. Use the no form of this command to return to the default setting.
queue-set qset-id
no queue-set qset-id
Syntax Description
qset-id |
ID of the queue set. Each port belongs to a queue set, which defines all the characteristics of the four egress queues per port. The range is 1 to 2. |
Command Default
The queue set ID is 1.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Examples
This example shows how to map a port to queue set 2:
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# queue-set 2
You can verify your settings by entering the show mls qos interface [ interface-id ] buffers privileged EXEC command.
radius-server dead-criteria
To configure the conditions that determine when a RADIUS server is considered unavailable or dead, use the radius-server dead-criteria command in global configuration mode. Use the no form of this command to return to the default settings.
radius-server dead-criteria [ time seconds [ tries number ] | tries number ]
no radius-server dead-criteria [ time seconds [ tries number ] | tries number ]
Syntax Description
time seconds |
(Optional) Sets the time in seconds during which the switch does not need to get a valid response from the RADIUS server. The range is from 1 to 120 seconds. |
tries number |
(Optional) Sets the number of times that the switch does not get a valid response from the RADIUS server before the server is considered unavailable. The range is from 1 to 100. |
Command Default
The switch dynamically determines the seconds value that is from 10 to 60 seconds.
The switch dynamically determines the tries value that is from 10 to 100.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
We recommend that you configure the seconds and number parameters as follows:
- Use the radius-server timeout seconds global configuration command to specify the time in seconds during which the switch waits for a RADIUS server to respond before the IEEE 802.1x authentication times out. The switch dynamically determines the default seconds value that is from 10 to 60 seconds.
- Use the radius-server retransmit retries global configuration command to specify the number of times the switch tries to reach the RADIUS servers before considering the servers to be unavailable. The switch dynamically determines the default tries value that is from 10 to 100.
- Set the seconds parameter to a value less than or equal to the number of retransmission attempts multiplied by the time in seconds before the IEEE 802.1x authentication times out.
- Set the tries parameter to the same value as the number of retransmission attempts.
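The guidelines tie dead-criteria to two other settings, and a mismatch is easy to miss when the three commands live on different lines of a configuration. The helper below is an added example, not Cisco code: it derives the recommended dead-criteria values from a given radius-server timeout and radius-server retransmit, checks a proposed pair against the relationship stated above and the configurable ranges, and emits the CLI line. Constructed values are used for the sample inputs.

```python
# Added example (not from the Cisco command reference): keep radius-server
# dead-criteria consistent with radius-server timeout and radius-server retransmit.
DEAD_TIME_RANGE = (1, 120)    # radius-server dead-criteria time, seconds
DEAD_TRIES_RANGE = (1, 100)   # radius-server dead-criteria tries


def recommended_dead_criteria(timeout_s: int, retransmit: int) -> tuple[int, int]:
    """Return (time, tries) following the guidelines: tries equals the retransmit count,
    time is the largest value <= retransmit * timeout that fits the configurable range."""
    if timeout_s < 1 or retransmit < 1:
        raise ValueError("timeout and retransmit must be positive")
    time_s = min(retransmit * timeout_s, DEAD_TIME_RANGE[1])
    tries = min(retransmit, DEAD_TRIES_RANGE[1])
    return time_s, tries


def check_dead_criteria(time_s: int, tries: int, timeout_s: int, retransmit: int) -> list[str]:
    """Return guideline and range violations for a proposed dead-criteria pair."""
    issues = []
    if not DEAD_TIME_RANGE[0] <= time_s <= DEAD_TIME_RANGE[1]:
        issues.append(f"time {time_s} is outside {DEAD_TIME_RANGE[0]}-{DEAD_TIME_RANGE[1]} seconds")
    if not DEAD_TRIES_RANGE[0] <= tries <= DEAD_TRIES_RANGE[1]:
        issues.append(f"tries {tries} is outside {DEAD_TRIES_RANGE[0]}-{DEAD_TRIES_RANGE[1]}")
    if time_s > retransmit * timeout_s:
        issues.append(f"time {time_s} exceeds retransmit * timeout = {retransmit * timeout_s}")
    if tries != retransmit:
        issues.append(f"tries {tries} differs from the retransmit count {retransmit}")
    return issues


def cli_line(time_s: int, tries: int) -> str:
    """Render the global configuration command for the chosen values."""
    return f"radius-server dead-criteria time {time_s} tries {tries}"


if __name__ == "__main__":
    # Constructed sample: timeout 6 seconds, 10 retransmissions.
    time_s, tries = recommended_dead_criteria(timeout_s=6, retransmit=10)
    print(cli_line(time_s, tries))
    # A value pair that declares servers dead sooner than the guidelines allow; an
    # early "dead" verdict is what lets the inaccessible authentication bypass
    # (dot1x critical) open ports on the critical VLAN, so it is worth flagging.
    print(check_dead_criteria(60, 10, timeout_s=5, retransmit=10))
```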
Examples
This example shows how to configure 60 as the time and 10 as the number of tries, the conditions that determine when a RADIUS server is considered unavailable:
Switch(config)# radius-server dead-criteria time 60 tries 10
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
dot1x critical (global configuration) |
Configures the parameters for the inaccessible authentication bypass feature. |
dot1x critical (interface configuration) |
Enables the inaccessible authentication bypass feature on an interface and configures the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. |
radius-server retransmit retries |
Specifies the number of times that the switch tries to reach the RADIUS servers before considering the servers to be unavailable. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
radius-server timeout seconds |
Specifies the time in seconds during which the switch waits for a RADIUS server to respond before the IEEE 802.1x authentication times out. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
show running-config |
Displays the running configuration on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
radius-server host
To configure the RADIUS server parameters, including the RADIUS accounting and authentication, use the radius-server host command in global configuration mode. Use the no form of this command to return to the default settings.
radius-server host ip-address [acct-port udp-port ] [ auth-port udp-port ] [ test username name [ idle-time time ] [ ignore-acct-port ] [ ignore-auth-port ]] [ key string ]
no radius-server host ip-address
Syntax Description
ip-address |
The IP address of the RADIUS server. |
acct-port udp-port |
(Optional) Specifies the UDP port for the RADIUS accounting server. The range is from 0 to 65536. |
auth-port udp-port |
(Optional) Specifies the UDP port for the RADIUS authentication server. The range is from 0 to 65536. |
test username name |
(Optional) Enables automatic server testing of the RADIUS server status and specifies the username to be used. |
idle-time time |
(Optional) Sets the interval of time in minutes after which the switch sends test packets to the server. The range is from 1 to 35791 minutes. |
ignore-acct-port |
(Optional) Disables testing on the RADIUS-server accounting port. |
ignore-auth-port |
(Optional) Disables testing on the RADIUS-server authentication port. |
key string |
(Optional) Specifies the authentication and encryption key for all RADIUS communication between the switch and the RADIUS daemon. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in this command. Leading spaces are ignored, but spaces within and at the end of the key are used. If there are spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key. |
Command Default
The UDP port for the RADIUS accounting server is 1646.
The UDP port for the RADIUS authentication server is 1645.
Automatic server testing is disabled.
The idle time is 60 minutes (1 hour).
When the automatic testing is enabled, testing occurs on the accounting and authentication UDP ports.
The authentication and encryption key (string) is not configured.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
We recommend that you configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values.
Use the test username name keywords to enable automatic server testing of the RADIUS server status and to specify the username to be used.
You can configure the authentication and encryption key by using the radius-server host ip-address key string or the radius-server key { 0 string | 7 string | string } global configuration command. Always configure the key as the last item in this command.
Examples
This example shows how to configure 1500 as the UDP port for the accounting server and 1510 as the UDP port for the authentication server:
Switch(config)# radius-server host 1.1.1.1 acct-port 1500 auth-port 1510
This example shows how to configure the UDP port for the accounting server and the authentication server, enable automated testing of the RADIUS server status, specify the username to be used, and configure a key string:
Switch(config)# radius-server host 1.1.1.2 acct-port 800 auth-port 900 test username aaafail idle-time 75 key abc123
You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
|
|
dot1x critical (global configuration) |
Configures the parameters for the inaccessible authentication bypass feature. |
dot1x critical (interface configuration) |
Enables the inaccessible authentication bypass feature on an interface and configures the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. |
radius-server key { 0 string | 7 string | string } |
Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
show running-config |
Displays the running configuration on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
rcommand
To start a Telnet session and to execute commands on a cluster member switch from the cluster command switch, use the rcommand command in user EXEC mode on the cluster command switch. To end the session, enter the exit command.
rcommand { n | commander | mac-address hw-addr }
Syntax Description
n |
The number that identifies a cluster member. The range is 0 to 15. |
commander |
Provides access to the cluster command switch from a cluster member switch. |
mac-address hw-addr |
Specifies the MAC address of the cluster member switch. |
Command Modes
User EXEC
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
This command is available only on the cluster command switch.
If the switch is the cluster command switch but the cluster member switch n does not exist, an error message appears. To get the switch number, enter the show cluster members privileged EXEC command on the cluster command switch.
You can use this command to access a cluster member switch from the cluster command-switch prompt or to access a cluster command switch from the member-switch prompt.
For Catalyst 2900 XL, 3500 XL, 2950, 2960, 2970, 3550, 3560, and 3750 switches, the Telnet session accesses the member-switch command-line interface (CLI) at the same privilege level as on the cluster command switch. For example, if you execute this command at user level on the cluster command switch, the cluster member switch is accessed at user level. If you use this command on the cluster command switch at privileged level, the command accesses the remote device at privileged level. If you use an intermediate enable-level lower than privileged, access to the cluster member switch is at user level.
For Catalyst 1900 and 2820 switches running standard edition software, the Telnet session accesses the menu console (the menu-driven interface) if the cluster command switch is at privilege level 15. If the cluster command switch is at privilege level 1, you are prompted for the password before being able to access the menu console. Cluster command switch privilege levels map to the cluster member switches running standard edition software as follows:
- If the cluster command switch privilege level is from 1 to 14, the cluster member switch is accessed at privilege level 1.
- If the cluster command switch privilege level is 15, the cluster member switch is accessed at privilege level 15.
The Catalyst 1900 and 2820 CLI is available only on switches running Enterprise Edition Software.
This command will not work if the vty lines of the cluster command switch have access-class configurations.
You are not prompted for a password because the cluster member switches inherited the password of the cluster command switch when they joined the cluster.
Examples
This example shows how to start a session with member 3. All subsequent commands are directed to member 3 until you enter the exit command or close the session.
Switch# rcommand 3
Cisco Internet Operating System Software...
remote-span
To configure a VLAN as a Remote Switched Port Analyzer (RSPAN) VLAN, use the remote-span command in VLAN configuration mode. Use the no form of this command to remove the RSPAN designation from the VLAN.
remote-span
no remote-span
Syntax Description
This command has no arguments or keywords.
Command Default
No RSPAN VLANs are defined.
Command Modes
VLAN configuration (config-VLAN)
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You can configure RSPAN VLANs only in config-vlan mode (entered by using the vlan global configuration command), not the VLAN configuration mode entered by using the vlan database privileged EXEC command.
If VLAN Trunking Protocol (VTP) is enabled, the RSPAN feature is propagated by VTP for VLAN IDs that are lower than 1005. If the RSPAN VLAN ID is in the extended range, you must manually configure intermediate switches (those in the RSPAN VLAN between the source switch and the destination switch).
Before you configure the RSPAN remote-span command, use the vlan (global configuration) command to create the VLAN.
The RSPAN VLAN has these characteristics:
- No MAC address learning occurs on it.
- RSPAN VLAN traffic flows only on trunk ports.
- Spanning Tree Protocol (STP) can run in the RSPAN VLAN, but it does not run on RSPAN destination ports.
When an existing VLAN is configured as an RSPAN VLAN, the VLAN is first deleted and then recreated as an RSPAN VLAN. Any access ports are made inactive until the RSPAN feature is disabled.
Examples
This example shows how to configure a VLAN as an RSPAN VLAN:
Switch(config-vlan)# remote-span
This example shows how to remove the RSPAN feature from a VLAN:
Switch(config-vlan)# no remote-span
You can verify your settings by entering the show vlan remote-span user EXEC command.
Related Commands
|
|
monitor session |
Enables Switched Port Analyzer (SPAN) and RSPAN monitoring on a port and configures a port as a source or destination port. |
vlan |
Changes to config-vlan mode where you can configure VLANs 1 to 4094. |
renew ip dhcp snooping database
To renew the DHCP snooping binding database, use the renew ip dhcp snooping database command in privileged EXEC mode.
renew ip dhcp snooping database [{ flash :/filename | ftp: //user:password@host/filename | nvram: /filename | rcp: //user@host/filename | tftp: //host/filename }] [ validation none ]
Syntax Description
flash:/ filename |
(Optional) Specifies that the database agent or the binding file is in the flash memory. |
ftp:// user : password @ host / filename |
(Optional) Specifies that the database agent or the binding file is on an FTP server. |
nvram:/ filename |
(Optional) Specifies that the database agent or the binding file is in the NVRAM. |
rcp:// user @ host / filename |
(Optional) Specifies that the database agent or the binding file is on a Remote Control Protocol (RCP) server. |
tftp:// host / filename |
(Optional) Specifies that the database agent or the binding file is on a TFTP server. |
validation none |
(Optional) Specifies that the switch does not verify the cyclic redundancy check (CRC) for the entries in the binding file specified by the URL. |
Command Modes
Privileged EXEC
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
If you do not specify a URL, the switch tries to read the file from the configured URL.
Examples
This example shows how to renew the DHCP snooping binding database without checking CRC values in the file:
Switch# renew ip dhcp snooping database validation none
You can verify your settings by entering the show ip dhcp snooping database privileged EXEC command.
rep admin vlan
To configure a Resilient Ethernet Protocol (REP) administrative VLAN for REP to transmit hardware flood layer (HFL) messages, use the rep admin vlan command in global configuration mode. Use the no form of this command to return to the default configuration with VLAN 1 as the administrative VLAN.
rep admin vlan vlan-id
no rep admin vlan
Syntax Description
vlan-id |
The VLAN ID range is from 1 to 4094. The default is VLAN 1; the range to configure is 2 to 4094. |
Command Default
The administrative VLAN is VLAN 1.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
If the VLAN does not already exist, this command does not create the VLAN.
To avoid the delay introduced by relaying messages in software for link-failure or VLAN-blocking notification during load balancing, REP floods packets at the hardware flood layer (HFL) to a regular multicast address. These messages are flooded to the whole network, not just the REP segment. Switches that do not belong to the segment treat them as data traffic. Configuring an administrative VLAN for the whole domain can control flooding of these messages.
If no REP administrative VLAN is configured, the default is VLAN 1.
There can be only one administrative VLAN on a switch and on a segment.
The administrative VLAN cannot be the RSPAN VLAN.
Examples
This example shows how to configure VLAN 100 as the REP administrative VLAN:
Switch (config)# rep admin vlan 100
You can verify your settings by entering the show interface rep detail privileged EXEC command.
Related Commands
|
|
show interfaces rep detail |
Displays detailed REP configuration and status for all interfaces or the specified interface, including the administrative VLAN. |
rep block port
To configure Resilient Ethernet Protocol (REP) VLAN load balancing, use the rep block port command in interface configuration mode on the REP primary edge port. Use the no form of this command to return to the default configuration.
rep block port { id port-id | neighbor_offset | preferred } vlan { vlan-list | all }
no rep block port { id port-id | neighbor_offset | preferred }
Syntax Description
id port-id |
Identifies the VLAN blocking alternate port by entering the unique port ID that is automatically generated when REP is enabled. The REP port ID is a 16-character hexadecimal value. You can view the port ID for an interface by entering the show interface interface-id rep detail command. |
neighbor_offset |
Identifies the VLAN blocking alternate port by entering the offset number of a neighbor. The range is –256 to +256; a value of 0 is invalid. The primary edge port has an offset number of 1; positive numbers above 1 identify downstream neighbors of the primary edge port. Negative numbers identify the secondary edge port (offset number -1) and its downstream neighbors. |
preferred |
Identifies the VLAN blocking alternate port as the segment port on which you entered the rep segment segment-id preferred interface configuration command. Note: Entering the preferred keyword does not ensure that the preferred port is the alternate port; it gives it preference over other similar ports. |
vlan |
Identifies the VLANs to be blocked. |
vlan-list |
A VLAN ID from 1 to 4094 or a range or sequence of VLANs (such as 1-3, 22, 41-44) of VLANs to be blocked. |
all |
Blocks all VLANs. |
Command Default
The default behavior after you enter the rep preempt segment privileged EXEC command (for manual preemption) is to block all VLANs at the primary edge port. This behavior remains until you configure the rep block port command.
If the primary edge port cannot determine which port is to be the alternate port, the default action is no preemption and no VLAN load balancing.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You must enter this command on the REP primary edge port.
When you select an alternate port by entering an offset number, this number identifies the downstream neighbor port of an edge port. The primary edge port has an offset number of 1; positive numbers above 1 identify downstream neighbors of the primary edge port. Negative numbers identify the secondary edge port (offset number -1) and its downstream neighbors. See Figure 1-1.
Figure 1-1 Neighbor Offset Numbers in a REP Segment
Note: You would never enter an offset value of 1 because that is the offset number of the primary edge port itself.
If you have configured a preempt delay time by entering the rep preempt delay seconds interface configuration command and a link failure and recovery occurs, VLAN load balancing begins after the configured preemption time period elapses without another link failure. The alternate port specified in the load-balancing configuration blocks the configured VLANs and unblocks all other segment ports. If the primary edge port cannot determine the alternate port for VLAN balancing, the default action is no preemption.
Each port in a segment has a unique port ID. The port ID format is similar to the one used by the spanning tree algorithm: a port number (unique on the bridge) associated to a MAC address (unique in the network). To determine the port ID of a port, enter the show interface interface-id rep detail privileged EXEC command.
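Figure 1-1 is not reproduced here, so the offset numbering is worth working through in code. The block below is an added example, not part of the command reference: it maps a neighbor offset onto a constructed REP segment (an ordered list of ports from the primary edge port, offset 1, to the secondary edge port, offset -1) and parses the vlan-list form of the command ("1-3, 22, 41-44", or all) into the set of VLANs the alternate port will block. The port names are invented for illustration.

```python
# Added example (not from the Cisco command reference): resolve rep block port
# neighbor offsets and vlan-list arguments against a constructed REP segment.
VLAN_MIN, VLAN_MAX = 1, 4094
OFFSET_LIMIT = 256


def parse_vlan_list(spec: str) -> set[int]:
    """Parse a vlan-list such as '1-3, 22, 41-44'; 'all' selects every VLAN."""
    if spec.strip().lower() == "all":
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    vlans: set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if not VLAN_MIN <= low <= high <= VLAN_MAX:
            raise ValueError(f"bad VLAN item {item!r}: must be {VLAN_MIN}-{VLAN_MAX} and ascending")
        vlans.update(range(low, high + 1))
    if not vlans:
        raise ValueError("empty VLAN list")
    return vlans


def resolve_neighbor_offset(segment_ports: list[str], offset: int) -> str:
    """Map an offset to a port. segment_ports runs from the primary edge port
    (offset 1, then 2, 3, ... downstream) to the secondary edge port (offset -1,
    then -2, -3, ... downstream from it)."""
    if offset == 0 or abs(offset) > OFFSET_LIMIT:
        raise ValueError(f"offset must be -{OFFSET_LIMIT}..-1 or 1..{OFFSET_LIMIT}; got {offset}")
    if abs(offset) > len(segment_ports):
        raise ValueError(f"offset {offset} points past the end of a {len(segment_ports)}-port segment")
    index = offset - 1 if offset > 0 else len(segment_ports) + offset
    return segment_ports[index]


def block_port_plan(segment_ports: list[str], offset: int, vlan_spec: str) -> dict:
    """Describe what 'rep block port <offset> vlan <vlan_spec>' would do on this segment."""
    alternate = resolve_neighbor_offset(segment_ports, offset)
    blocked = parse_vlan_list(vlan_spec)
    warnings = []
    if offset == 1:
        warnings.append("offset 1 is the primary edge port itself; choose a neighbor instead")
    return {
        "alternate_port": alternate,
        "blocked_vlans": blocked,                                 # blocked at the alternate port
        "blocked_at_primary_edge": set(range(VLAN_MIN, VLAN_MAX + 1)) - blocked,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed four-port segment: SwA:Gi1/1 is the primary edge, SwC:Gi1/1 the secondary edge.
    segment = ["SwA:Gi1/1", "SwB:Gi1/1", "SwB:Gi1/2", "SwC:Gi1/1"]
    plan = block_port_plan(segment, -2, "1-3, 22, 41-44")
    print(plan["alternate_port"], sorted(plan["blocked_vlans"]), plan["warnings"])
```

Resolving the offset before committing the command is useful because the page notes that a primary edge port which cannot identify its alternate port falls back to no preemption and no load balancing, a silent failure that only shows up in show interfaces rep detail.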
Examples
This example shows how to configure REP VLAN load balancing on the Switch B primary edge port (Gigabit Ethernet port 1) and to configure Gigabit Ethernet port 2 of Switch A as the alternate port to block VLANs 1 to 100. The alternate port is identified by its port ID, shown in bold in the output of the show interface rep detail command for the Switch A port.
Switch A# show interface gigabitethernet1/2 rep detail
GigabitEthernet1/2 REP enabled
Operational Link Status: TWO_WAY
Current Key: 007F001647FB17800EEE
Preempt Delay Timer: 35 sec
Load-balancing block port: none
Load-balancing block vlan: none
LSL PDU rx: 107122, tx: 192493
Switch (config)# interface gigabitethernet1/1
Switch (config-if)# rep block port id 0080001647FB1780 vlan 1-100
This example shows how to configure VLAN load balancing by using a neighbor offset number and how to verify the configuration by entering the show interfaces rep detail privileged EXEC command:
Switch (config)# interface gigabitethernet1/2
Switch (config-if)# rep block port 6 vlan 1-110
Switch# show interface gigabitethernet1/2 rep detail
GigabitEthernet1/2 REP enabled
Operational Link Status: TWO_WAY
Current Key: 007F001647FB178009C3
Preempt Delay Timer: 35 sec
Load-balancing block port: 6
Load-balancing block vlan: 1-110
LSL PDU rx: 1466780, tx: 3056637
BPA TLV rx: 1, tx: 2119695
BPA (STCN, LSL) TLV rx: 0, tx: 0
BPA (STCN, HFL) TLV rx: 0, tx: 0
EPA-ELECTION TLV rx: 757406, tx: 757400
EPA-COMMAND TLV rx: 1, tx: 1
EPA-INFO TLV rx: 178326, tx: 178323
Related Commands
|
|
rep preempt delay |
Configures a waiting period after a segment port failure and recovery before REP VLAN load balancing is triggered. |
rep preempt segment |
Manually starts REP VLAN load balancing on a segment. |
show interfaces rep detail |
Displays REP detailed configuration and status for all interfaces or the specified interface, including the administrative VLAN. |
rep lsl-age-timer
To configure the Link Status Layer (LSL) age timer for the time period that the REP interface remains up without receiving a hello from the REP neighbor, use the rep lsl-age-timer command in interface configuration mode on a Resilient Ethernet Protocol (REP) port. Use the no form of this command to return to the default time.
rep lsl-age-timer value
no rep lsl-age-timer
Syntax Description
value |
The age-out time in milliseconds. The range is from 120 ms to 10000 ms in 40-ms increments. The default is 5000 ms (5 seconds). |
Command Default
The REP link shuts down if it does not receive a hello message from a neighbor within 5000 ms.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The LSL hello timer is set to the age-timer value divided by 3 so that there should be at least two LSL hellos sent during the LSL age-timer period. If no hellos are received within that time, the REP link shuts down.
In Cisco IOS Release 15.0(1)EY, the LSL age-timer range changed from 3000 to 10000 ms in 500-ms increments to 120 to 10000 ms in 40-ms increments. If the REP neighbor device is not running Cisco IOS Release 15.0(1)EY or later, you must use the shorter time range because the device does not accept values out of the earlier range.
EtherChannel port channel interfaces do not support LSL age timer values less than 1000 ms. Although you can configure the REP LSL age timer from 120 ms to 10000 ms, the port channel will remain up for at least 1000 ms (1 second), the minimum LSL timeout value for port channels.
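The three guidelines above interact: the value must sit in the range the neighbor accepts, the hello interval is derived from it, and port channels floor the effective timeout. The checker below is an added example, not Cisco code; it encodes the current and earlier ranges, the divide-by-three hello rule and the 1000 ms port-channel floor exactly as stated on this page, and reports what a given value would actually do. Integer division is used for the hello interval, which is an assumption about rounding.

```python
# Added example (not from the Cisco command reference): check a rep lsl-age-timer
# value against the ranges and derived timers described in the usage guidelines.
CURRENT_RANGE = (120, 10000, 40)    # ms: min, max, step for Cisco IOS 15.0(1)EY and later
LEGACY_RANGE = (3000, 10000, 500)   # ms: earlier releases; a legacy neighbor must accept the value
PORT_CHANNEL_MIN_MS = 1000          # port channels never time out faster than this
HELLOS_PER_AGE_PERIOD = 3           # hello interval = age timer / 3


def validate_lsl_age_timer(value_ms: int, legacy_neighbor: bool = False,
                           port_channel: bool = False) -> dict:
    """Return acceptance, the derived hello interval, the effective timeout and any issues."""
    lo, hi, step = LEGACY_RANGE if legacy_neighbor else CURRENT_RANGE
    issues = []
    if not lo <= value_ms <= hi:
        issues.append(f"{value_ms} ms is outside {lo}-{hi} ms"
                      + (" (neighbor runs a release before 15.0(1)EY)" if legacy_neighbor else ""))
    elif value_ms % step:
        issues.append(f"{value_ms} ms is not a multiple of {step} ms")
    hello_ms = value_ms // HELLOS_PER_AGE_PERIOD   # rounding is an assumption
    effective_ms = max(value_ms, PORT_CHANNEL_MIN_MS) if port_channel else value_ms
    notes = []
    if port_channel and effective_ms != value_ms:
        notes.append(f"port channel keeps the link up for at least {PORT_CHANNEL_MIN_MS} ms")
    return {
        "accepted": not issues,
        "hello_interval_ms": hello_ms,
        "effective_timeout_ms": effective_ms,
        # how many hellos can be lost before the link is declared down
        "missed_hellos_before_down": effective_ms // hello_ms if hello_ms else None,
        "issues": issues,
        "notes": notes,
    }


if __name__ == "__main__":
    # Constructed cases: the page's 7000 ms example, a short timer on a port channel,
    # and a value a legacy neighbor would refuse.
    for args in ((7000, {}), (520, {"port_channel": True}), (2000, {"legacy_neighbor": True})):
        print(args[0], validate_lsl_age_timer(args[0], **args[1]))
```

The missed_hellos_before_down figure is the one to watch when tuning for fast failover: a short timer on a port channel still waits the full second, so the extra hellos sent in that window buy nothing, and a value the neighbor cannot accept leaves the two ends of the link with different ideas of when it has failed.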
Examples
This example shows how to configure the REP LSL age timer on a REP link to 7000 ms:
Switch (config)# interface gigabitethernet1/2
Switch (config-if)# rep lsl-age-timer 7000
You can verify the configured age-out time by entering the show interfaces rep detail privileged EXEC command.
Related Commands
|
|
show interfaces rep [ detail ] |
Displays REP configuration and status for all interfaces or the specified interface, including the configured LSL age-out timer value. |
rep preempt delay
To configure a waiting period after a segment port failure and recovery before Resilient Ethernet Protocol (REP) VLAN load balancing is triggered, use the rep preempt delay command in interface configuration mode on the REP primary edge port. Use the no form of this command to remove the configured delay.
rep preempt delay seconds
no rep preempt delay
Syntax Description
seconds |
The number of seconds to delay REP preemption. The range is 15 to 300. |
Command Default
No preemption delay is set. If you do not enter the rep preempt delay command, the default is manual preemption with no delay.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You must enter this command on the REP primary edge port.
You must enter this command and configure a preempt time delay if you want VLAN load balancing to automatically trigger after a link failure and recovery.
If VLAN load balancing is configured, after a segment port failure and recovery, the REP primary edge port starts a delay timer before VLAN load balancing occurs. Note that the timer restarts after each link failure. When the timer expires, the REP primary edge alerts the alternate port to perform VLAN load balancing (configured by using the rep block port interface configuration command) and prepares the segment for the new topology. The configured VLAN list is blocked at the alternate port, and all other VLANs are blocked at the primary edge port.
Examples
This example shows how to configure a REP preemption time delay of 100 seconds on the primary edge port:
Switch (config)# interface gigabitethernet1/1
Switch (config-if)# rep preempt delay 100
rep preempt segment
To manually start Resilient Ethernet Protocol (REP) VLAN load balancing on a segment, use the rep preempt segment command in privileged EXEC mode.
rep preempt segment segment-id
Syntax Description
segment-id |
ID of the REP segment. The range is from 1 to 1024. |
Command Default
Manual preemption is the default behavior.
Command Modes
Privileged EXEC
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
When you enter the rep preempt segment segment-id command, a confirmation message appears before the command is executed because preemption can cause network disruption.
Enter this command on the switch on the segment that has the primary edge port.
If you do not configure VLAN load balancing, entering this command results in the default behavior—the primary edge port blocks all VLANs.
You configure VLAN load balancing by entering the rep block port { id port-id | neighbor_offset | preferred } vlan { vlan-list | all } interface configuration command on the REP primary edge port before you manually start preemption.
Examples
This example shows how to manually trigger REP preemption on segment 100 with the confirmation message:
Switch# rep preempt segment 100
The command will cause a momentary traffic disruption.
Do you still want to continue? [confirm]
rep segment
To enable Resilient Ethernet Protocol (REP) on the interface and to assign a segment ID to it, use the rep segment command in interface configuration mode. Use the no form of this command to disable REP on the interface.
rep segment segment-id [ edge [ no-neighbor ] [ primary ]] [ preferred ]
no rep segment
Syntax Description
segment-id |
The segment ID assigned to the interface. The range is from 1 to 1024. |
edge |
(Optional) Identifies the interface as one of the two REP edge ports. Entering the edge keyword without the primary keyword configures the port as the secondary edge port. |
no-neighbor |
(Optional) Configures a segment edge with no external REP neighbor. |
primary |
(Optional) On an edge port, specifies that the port is the primary edge port. A segment has only one primary edge port. If you configure two ports in a segment as the primary edge port, for example ports on different switches, the REP selects one of them to serve as the segment primary edge port. |
preferred |
(Optional) Specifies that the port is the preferred alternate port or the preferred port for VLAN load balancing. Note Configuring a port as preferred does not guarantee that it becomes the alternate port; it only gives it a slight edge among equal contenders. The alternate port is usually a previously failed port. |
Command Default
REP is disabled on the interface.
When REP is enabled on an interface, the default is for the port to be a regular segment port.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
REP ports must be Layer 2 trunk ports.
REP ports should not be configured as one of these port types:
- SPAN destination port
- Tunnel port
- Access port
You must configure two edge ports on each REP segment, a primary edge port and a port to act as a secondary edge port. If you configure two ports in a segment as the primary edge port, for example ports on different switches, the configuration is allowed, but the REP selects one of them to serve as the segment primary edge port.
- REP ports follow these rules:
– There is no limit to the number of REP ports on a switch; however, only two ports on a switch can belong to the same REP segment.
– If only one port on a switch is configured in a segment, the port should be an edge port.
– If two ports on a switch belong to the same segment, they must be both edge ports, both regular segment ports, or one regular port and one edge no-neighbor port. An edge port and regular segment port on a switch cannot belong to the same segment.
– If two ports on a switch belong to the same segment and one is configured as an edge port and one as a regular segment port (a misconfiguration), the edge port is treated as a regular segment port.
Enter the show rep topology privileged EXEC command on a port in the segment to verify which port the REP selected as the segment primary edge port.
REP interfaces come up in a blocked state and remain in a blocked state until notified that it is safe to unblock. You need to be aware of this to avoid sudden connection losses.
You should configure REP only in networks with redundancy. Configuring REP in a network without redundancy causes loss of connectivity.
In networks where ports on a neighboring switch do not support REP, you can configure the non-REP facing ports as edge no-neighbor ports. These ports inherit all properties of edge ports and you can configure them as any other edge port, including to send STP or REP topology change notices to the aggregation switch. In this case, the STP topology change notice (TCN) that is sent is a multiple spanning-tree (MST) STP message.
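The per-switch rules above can be checked before a change is pushed, which catches the edge-plus-regular misconfiguration that REP otherwise resolves silently by demoting the edge port. This validator is an added example, not part of the Cisco reference; the port records, the role names (regular, edge, edge-no-neighbor) and the mode names are its own constructed vocabulary.

```python
from collections import defaultdict

EDGE_ROLES = {"edge", "edge-no-neighbor"}


def validate_rep_switch_ports(ports):
    """Check the REP ports of one switch against the rules in the usage guidelines.

    ports: iterable of dicts with keys name, mode ('trunk', 'access', ...),
    segment (int) and role ('regular', 'edge' or 'edge-no-neighbor').
    Returns a list of (severity, message) findings; an empty list means clean.
    """
    findings = []
    by_segment = defaultdict(list)
    for p in ports:
        if not 1 <= p["segment"] <= 1024:
            findings.append(("error", f"{p['name']}: segment {p['segment']} is outside 1-1024"))
        if p["mode"] != "trunk":
            # REP ports must be Layer 2 trunk ports (not SPAN destination, tunnel or access ports).
            findings.append(("error", f"{p['name']}: REP ports must be Layer 2 trunk ports (is {p['mode']})"))
        by_segment[p["segment"]].append(p)

    for seg, members in sorted(by_segment.items()):
        names = ", ".join(m["name"] for m in members)
        if len(members) > 2:
            findings.append(("error", f"segment {seg}: only two ports on a switch may belong to one segment ({names})"))
            continue
        if len(members) == 1 and members[0]["role"] == "regular":
            findings.append(("warning", f"segment {seg}: the only port in the segment ({names}) should be an edge port"))
            continue
        if len(members) == 2:
            a, b = (m["role"] for m in members)
            both_edge = a in EDGE_ROLES and b in EDGE_ROLES
            both_regular = a == b == "regular"
            mixed_ok = {a, b} == {"regular", "edge-no-neighbor"}
            if not (both_edge or both_regular or mixed_ok):
                findings.append(("error", f"segment {seg}: edge port and regular segment port mixed ({names}); "
                                          "REP treats the edge port as a regular segment port"))
    return findings
```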
Examples
This example shows how to enable REP on a regular (nonedge) segment port:
Switch (config)# interface gigabitethernet1/1
Switch (config-if)# rep segment 100
This example shows how to enable REP on a port and to identify the port as the REP primary edge port:
Switch (config)# interface gigabitethernet1/2
Switch (config-if)# rep segment 100 edge primary
This example shows how to apply the same configuration when the interface has no external REP neighbor:
Switch# configure terminal
Switch (config)# interface gigabitethernet1/1
Switch (config-if)# rep segment 100 edge no-neighbor primary
This example shows how to enable REP on a port and to identify the port as the REP secondary edge port:
Switch (config)# interface gigabitethernet1/2
Switch (config-if)# rep segment 100 edge
You can verify your settings by entering the show interfaces rep privileged EXEC command. To verify which port in the segment is the primary edge port, enter the show rep topology privileged EXEC command.
Related Commands
|
|
show interfaces rep [ detail ] |
Displays REP configuration and status for all interfaces or the specified interface. |
show rep topology [ detail ] |
Displays information about all ports in the segment, including which one was configured and selected as the primary edge port. |
rep stcn
To configure the port to send REP segment topology change notifications (STCNs) to another interface, to other segments, or to Spanning Tree Protocol (STP) networks, use the rep stcn command in interface configuration mode on a Resilient Ethernet Protocol (REP) edge port. Use the no form of this command to disable the sending of STCNs to the interface, segment, or STP network.
rep stcn { interface interface-id | segment id-list | stp }
no rep stcn { interface | segment | stp }
Syntax Description
interface interface-id |
Identifies a physical interface or port channel to receive STCNs. |
segment id-list |
Identifies one REP segment or list of segments to receive STCNs. The range is 1 to 1024. You can also configure a sequence of segments (for example 3-5, 77, 100). |
stp |
Sends STCNs to an STP network. |
Command Default
Transmission of STCNs to other interfaces, segments, or STP networks is disabled.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Enter this command on a segment edge port.
You use this command to notify other portions of the Layer 2 network of topology changes that occur in the local REP segment. This removes obsolete entries in the Layer 2 forwarding table in other parts of the network, which allows faster network convergence.
Examples
This example shows how to configure the REP primary edge port to send STCNs to segments 25 to 50:
Switch (config)# interface gigabitethernet1/2
Switch (config-if)# rep stcn segment 25-50
You can verify your settings by entering the show interfaces rep detail privileged EXEC command.
Related Commands
|
|
show interfaces rep [ detail ] |
Displays REP configuration and status for all interfaces or the specified interface. |
reserved-only
To allocate only reserved addresses in the Dynamic Host Configuration Protocol (DHCP) address pool, use the reserved-only command in DHCP pool configuration mode. Use the no form of the command to return to the default.
reserved-only
no reserved-only
Syntax Description
This command has no arguments or keywords.
Command Default
The default is to not restrict pool addresses.
Command Modes
DHCP pool configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Entering the reserved-only command restricts assignments from the DHCP pool to preconfigured reservations. Unreserved addresses that are part of the network or on pool ranges are not offered to the client, and other clients are not served by the pool.
By entering this command, users can configure a group of switches with DHCP pools that share a common IP subnet and that ignore requests from clients of other switches.
To access DHCP pool configuration mode, enter the ip dhcp pool name global configuration command.
Examples
This example shows how to configure the DHCP pool to allocate only reserved addresses:
Switch(config)# ip dhcp pool test1
Switch(dhcp-config)# reserved-only
Related Commands
|
|
show ip dhcp pool |
Displays the DHCP address pools. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
rmon collection stats
To collect Ethernet group statistics, which include usage statistics about broadcast and multicast packets, and error statistics about cyclic redundancy check (CRC) alignment errors and collisions, use the rmon collection stats command in interface configuration mode. Use the no form of this command to return to the default setting.
rmon collection stats index [ owner name ]
no rmon collection stats index [ owner name ]
Syntax Description
index |
Remote Network Monitoring (RMON) collection control index. The range is 1 to 65535. |
owner name |
(Optional) Specifies the owner of the RMON collection. |
Command Default
The RMON statistics collection is disabled.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
The RMON statistics collection command is based on hardware counters.
Examples
This example shows how to collect RMON statistics for the owner root:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# rmon collection stats 2 owner root
You can verify your setting by entering the show rmon statistics privileged EXEC command.
Related Commands
|
|
show rmon statistics |
Displays RMON statistics. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
sdm prefer
To configure the template used in Switch Database Management (SDM) resource allocation, use the sdm prefer command in global configuration mode. Use the no form of this command to return to the default template.
sdm prefer { default | dual-ipv4-and-ipv6 { default | routing } | qos | routing }
no sdm prefer
Syntax Description
default |
Balances all Layer 2 features. |
dual-ipv4-and-ipv6 { default | routing } |
Balances IPv4 and IPv6 functionality. Select a template that supports both IPv4 and IPv6 routing.
- default —Balances IPv4 and IPv6 Layer 2 functionality.
- routing —Provides maximum system usage for IPv4 and IPv6 routing, including IPv4 policy-based routing. You must use the dual-ipv4-and-ipv6 routing template on switches running the IP services image for Layer 3 functionality.
You must configure this template to enable IPv6 features. |
qos |
Provides maximum system usage for quality of service (QoS) access control entries (ACEs). |
routing |
Provides maximum system usage for IPv4 unicast routing. You must use the routing template on switches running the IP services image for Layer 3 functionality. |
Command Default
The default template provides a balance to all features.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
You must reload the switch for the configuration to take effect.
If you enter the show sdm prefer command before you enter the reload privileged EXEC command, the show sdm prefer command shows the template currently in use and the template that will become active after a reload.
Use the no sdm prefer command to set the switch to the default template.
You must use a routing template on switches running the IP services image for Layer 3 functionality.
Do not use the routing template if you are not using Layer 3 functionality on your switch. Entering the sdm prefer routing global configuration command prevents other features from using the memory allocated to unicast routing in the routing template.
Do not use the dual-ipv4-and-ipv6 templates if you do not plan to enable IPv6 functionality on the switch. Entering the sdm prefer dual-ipv4-and-ipv6 global configuration command divides resources between IPv4 and IPv6, limiting those allocated to IPv4 forwarding.
Table 1-10 shows the resources allowed for each feature in the IPv4 templates and Table 1-11 shows the feature allocation in the dual-ipv4-and-ipv6 templates.
Table 1-10 Approximate Number of Feature Resources Allowed by Each Template
Resource | Default template | QoS template | Routing template |
Unicast MAC addresses | 8 K | 8 K | 2 K |
IGMP groups and multicast routes | 256 | 256 | 1 K |
Unicast routes | 0 | | 4 K |
| 0 | | 2 K |
| 0 | | 2 K |
Policy-based routing ACEs | 0 | | 512 |
QoS classification ACEs | 375 | 625 | 625 |
Security ACEs | 375 | 125 | 375 K |
Layer 2 VLANs | 1 K | 1 K | 1 K |
The first eight rows in the tables (unicast MAC addresses through security ACEs) represent approximate hardware boundaries set when a template is selected. If a section of a hardware resource is full, all processing overflow is sent to the CPU, seriously impacting switch performance. The last row is a guideline used to calculate hardware resource consumption related to the number of Layer 2 VLANs on the switch.
Table 1-11 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates
Resource | dual-ipv4-and-ipv6 default | dual-ipv4-and-ipv6 routing |
Unicast MAC addresses | 8 K | 1 K |
IPv4 IGMP groups and multicast routes | 256 | 512 |
Total IPv4 unicast routes: | 0 | 2 K |
- Directly connected IPv4 hosts | 0 | 1 K |
| 0 | 1 K |
IPv6 multicast groups | 375 | 625 |
Total IPv6 unicast routes: | 0 | 1375 |
- Directly connected IPv6 addresses | 0 | 1 K |
- Indirect IPv6 unicast routes | 0 | 375 |
IPv4 policy-based routing ACEs | 0 | 125 |
IPv4 or MAC QoS ACEs (total) | 375 | 375 |
IPv4 or MAC security ACEs (total) | 375 | 125 |
IPv6 policy-based routing ACEs | 0 | 125 |
IPv6 QoS ACEs | 0 | 125 |
IPv6 security ACEs | 125 | 125 |
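Because a full hardware section punts all overflow to the CPU, planned usage should be compared with the template boundaries before the reload. This pre-change check is an added example built from Table 1-10 and is not part of the Cisco reference; it assumes the table's three numeric columns are, in order, the default, qos and routing templates (the column headers are missing on this page), reads blank cells as 0 and "K" as 1024, and uses resource keys of its own.

```python
K = 1024  # "1 K" in the table is read as 1024 entries (assumption)

# Approximate hardware boundaries per IPv4 template, transcribed from Table 1-10.
# Blank QoS-template cells for routes and PBR ACEs are read as 0.
TEMPLATES = {
    "default": {"mac": 8 * K, "igmp": 256, "routes": 0, "pbr_aces": 0,
                "qos_aces": 375, "security_aces": 375},
    "qos":     {"mac": 8 * K, "igmp": 256, "routes": 0, "pbr_aces": 0,
                "qos_aces": 625, "security_aces": 125},
    # The page prints "375 K" for routing-template security ACEs; 375 is assumed here.
    "routing": {"mac": 2 * K, "igmp": 1 * K, "routes": 4 * K, "pbr_aces": 512,
                "qos_aces": 625, "security_aces": 375},
}


def overflows(template, usage):
    """Return {resource: (planned, limit)} for every resource whose planned usage
    exceeds the template boundary. Any overflow means the excess is processed in
    software by the CPU, which the reference warns seriously degrades the switch."""
    limits = TEMPLATES[template]
    return {r: (n, limits[r]) for r, n in usage.items() if n > limits[r]}


def templates_that_fit(usage):
    """Names of the templates whose boundaries cover every planned resource,
    in the order default, qos, routing."""
    return [t for t in TEMPLATES if not overflows(t, usage)]
```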
Examples
This example shows how to use the QoS template:
Switch(config)# sdm prefer qos
This example shows how to configure the dual IPv4-and-IPv6 default template on a switch:
Switch(config)# sdm prefer dual-ipv4-and-ipv6 default
This example shows how to configure the IPv4-and-IPv6 routing template on a switch:
Switch(config)# sdm prefer dual-ipv4-and-ipv6 routing
Proceed with reload? [confirm]
Related Commands
|
|
show sdm prefer |
Displays the current SDM template in use or displays the templates that can be used, with approximate resource allocation per feature. |
service password-recovery
To enable the password-recovery mechanism (the default), use the service password-recovery command in global configuration mode. Use the no form of this command to disable part of the password-recovery functionality.
service password-recovery
no service password-recovery
Syntax Description
This command has no arguments or keywords.
Command Default
The password-recovery mechanism is enabled.
Command Modes
Global configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
This mechanism allows an end user with physical access to the switch to hold down the Express Setup button and interrupt the bootup process while the switch is powering up and to assign a new password.
When the password-recovery mechanism is disabled, interrupting the bootup process is allowed only if the user agrees to set the system back to the default configuration.
As a system administrator, you can use the no service password-recovery command to disable some of the functionality of the password recovery feature by allowing an end user to reset a password only by agreeing to return to the default configuration.
To use the password-recovery procedure, you must have physical access to the switch.
To delete the switch password and set a new one, follow these steps:
Step 1 Press the Express Setup button until the SETUP LED blinks green and the LED of an available switch downlink port blinks green.
If no switch downlink port is available for your PC or laptop connection, disconnect a device from one of the switch downlink ports. Press the Express Setup button again until the SETUP LED and the port LED blink green.
Step 2 Connect your PC or laptop to the port with the blinking green LED.
The SETUP LED and the switch downlink port LED stop blinking and stay solid green.
Step 3 Press and hold the Express Setup button. Notice that the SETUP LED starts blinking green again. Continue holding the button until the SETUP LED turns solid green (approximately 5 seconds). Release the Express Setup button immediately.
This procedure deletes the password without affecting any other configuration settings. You can now access the switch without a password through the console port or by using Device Manager.
Step 4 Enter a new password through Device Manager by using the Express Setup window or through the command line interface by using the enable secret global configuration command.
If you use the no service password-recovery command to control end user access to passwords, we recommend that you save a copy of the config file in a location away from the switch in case the end user uses the password recovery procedure and sets the system back to default values. Do not keep a backup copy of the config file on the switch.
If the switch is operating in VTP transparent mode, we recommend that you also save a copy of the vlan.dat file in a location away from the switch.
You can verify if password recovery is enabled or disabled by entering the show version privileged EXEC command.
Examples
This example shows how to disable password recovery on a switch so that a user can only reset a password by agreeing to return to the default configuration:
Switch(config)# no service password-recovery
Related Commands
|
|
show version |
Displays version information for the hardware and firmware. |
service-policy
To apply a policy map defined by the policy-map command to the input of a physical port or a switch virtual interface (SVI), use the service-policy command in interface configuration mode. Use the no form of this command to remove the policy map and port association.
service-policy input policy-map-name
no service-policy input policy-map-name
Syntax Description
input policy-map-name |
Applies the specified policy map to the input of a physical port or an SVI. |
Note Though visible in the command-line help strings, the history keyword is not supported, and you should ignore the statistics that it gathers. The output keyword is also not supported.
Command Default
No policy maps are attached to the port.
Command Modes
Interface configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
Only one policy map per ingress port is supported.
Policy maps can be configured on physical ports or on SVIs. When VLAN-based quality of service (QoS) is disabled by using the no mls qos vlan-based interface configuration command on a physical port, you can configure a port-based policy map on the port. If VLAN-based QoS is enabled by using the mls qos vlan-based interface configuration command on a physical port, the switch removes the previously configured port-based policy map. After a hierarchical policy map is configured and applied on an SVI, the interface-level policy map takes effect on the interface.
You can apply a policy map to incoming traffic on a physical port or on an SVI. You can configure different interface-level policy maps for each class defined in the VLAN-level policy map. For more information about hierarchical policy maps, see the “Configuring QoS” chapter in the software configuration guide for this release.
Classification using a port trust state (for example, mls qos trust [ cos | dscp | ip-precedence ]) and a policy map (for example, service-policy input policy-map-name) are mutually exclusive. The last one configured overwrites the previous configuration.
Examples
This example shows how to apply plcmap1 to a physical ingress port:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# service-policy input plcmap1
This example shows how to remove plcmap2 from a physical port:
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# no service-policy input plcmap2
This example shows how to apply plcmap1 to an ingress SVI when VLAN-based QoS is enabled:
Switch(config)# interface vlan 10
Switch(config-if)# service-policy input plcmap1
This example shows how to create a hierarchical policy map and attach it to an SVI:
Switch(config)# access-list 101 permit ip any any
Switch(config)# class-map cm-1
Switch(config-cmap)# match access-group 101
Switch(config-cmap)# exit
Switch(config)# class-map cm-2
Switch(config-cmap)# match ip dscp 2
Switch(config-cmap)# exit
Switch(config)# class-map cm-3
Switch(config-cmap)# match ip dscp 3
Switch(config-cmap)# exit
Switch(config)# class-map cm-interface-1
Switch(config-cmap)# match input-interface gigabitethernet1/1 - gigabitethernet1/2
Switch(config-cmap)# exit
Switch(config)# policy-map port-plcmap
Switch(config-pmap)# class cm-interface-1
Switch(config-pmap-c)# police 900000 9000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# policy-map vlan-plcmap
Switch(config-pmap)# class cm-1
Switch(config-pmap-c)# set dscp 7
Switch(config-pmap-c)# service-policy port-plcmap
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-2
Switch(config-pmap-c)# service-policy port-plcmap
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-3
Switch(config-pmap-c)# service-policy port-plcmap
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-4
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface vlan 10
Switch(config-if)# service-policy input vlan-plcmap
Related Commands
|
|
policy-map |
Creates or modifies a policy map that can be attached to multiple ports to specify a service policy. |
show policy-map |
Displays QoS policy maps. |
show running-config |
Displays the running configuration on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
set
To classify IP traffic by setting a Differentiated Services Code Point (DSCP) or an IP-precedence value in the packet, use the set command in policy-map class configuration mode. Use the no form of this command to remove traffic classification.
set { dscp new-dscp | [ ip ] precedence new-precedence }
no set { dscp new-dscp | [ ip ] precedence new-precedence }
Syntax Description
dscp new-dscp |
Specifies the new DSCP value assigned to the classified traffic. The range is 0 to 63. You also can enter a mnemonic name for a commonly used value. |
[ip] precedence new-precedence |
(Optional) Specifies the new IP-precedence value assigned to the classified traffic. The range is 0 to 7. You also can enter a mnemonic name for a commonly used value. |
Command Default
No traffic classification is defined.
Command Modes
Policy-map class configuration
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
If you enter the set ip dscp policy-map class configuration command, the switch changes it to set dscp, and the setting appears as set dscp in the switch configuration.
You can use the set ip precedence policy-map class configuration command or the set precedence policy-map class configuration command. This setting appears as set ip precedence in the switch configuration.
The set command is mutually exclusive with the trust policy-map class configuration command within the same policy map.
For the set dscp new-dscp or the set ip precedence new-precedence command, you can enter a mnemonic name for a commonly used value. For example, you can enter the set dscp af11 command, which is the same as entering the set dscp 10 command. You can enter the set ip precedence critical command, which is the same as entering the set ip precedence 5 command. For a list of supported mnemonics, enter the set dscp ? or the set ip precedence ? command to see the command-line help strings.
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
Examples
This example shows how to assign DSCP 10 to all FTP traffic without any policers:
Switch(config)# policy-map policy_ftp
Switch(config-pmap)# class ftp_class
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# exit
You can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
|
|
class |
Defines traffic classification match criteria (through the police, set, and trust policy-map class configuration commands) for the specified class-map name. |
police |
Defines a policer for classified traffic. |
policy-map |
Creates or modifies a policy map that can be attached to multiple ports to specify a service policy. |
show policy-map |
Displays QoS policy maps. |
trust |
Defines a trust state for traffic classified through the class policy-map configuration command or the class-map global configuration command. |
setup
To configure the switch with its initial configuration, use the setup command in privileged EXEC mode.
setup
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
|
|
15.0(1)EY |
This command was introduced. |
Usage Guidelines
When you use the setup command, make sure that you have this information:
- IP address and network mask
- Password strategy for your environment
- Whether the switch will be used as the cluster command switch and the cluster name
When you enter the setup command, an interactive dialog, called the System Configuration Dialog, appears. It guides you through the configuration process and prompts you for information. The values shown in brackets next to each prompt are the default values last set by using either the setup command facility or the configure privileged EXEC command.
Help text is provided for each prompt. To access help text, press the question mark (?) key at a prompt.
To return to the privileged EXEC prompt without making changes and without running through the entire System Configuration Dialog, press Ctrl-C.
When you complete your changes, the setup program shows you the configuration command script that was created during the setup session. You can save the configuration in NVRAM or return to the setup program or the command-line prompt without saving it.
Examples
This is an example of output from the setup command:
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system.
Would you like to enter basic management setup? [yes/no]: yes
Configuring global parameters:
Enter host name [Switch]:host-name
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: enable-secret-password
The enable password is used when you do not specify an
enable secret password, with some older software versions, and
Enter enable password: enable-password
The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: terminal-password
Configure SNMP Network Management? [no]: yes
Community string [public]:
Current interface summary
Any interface listed with OK? value “NO” does not have a valid configuration
Interface IP-Address OK? Method Status Protocol
Vlan1 172.20.135.202 YES NVRAM up up
GigabitEthernet1/1 unassigned YES unset up up
GigabitEthernet1/2 unassigned YES unset up down
Port-channel1 unassigned YES unset up down
Enter interface name used to connect to the
management network from the above interface summary: vlan1
Configuring interface vlan1:
Configure IP on this interface? [yes]: yes
IP address for this interface: ip_address
Subnet mask for this interface [255.0.0.0]: subnet_mask
Would you like to enable as a cluster command switch? [yes/no]: yes
Enter cluster name: cluster-name
The following configuration command script was created:
enable secret 5 $1$LiBw$0Xc1wyT.PXPkuhFwqyhVi0
enable password enable-password
password terminal-password
snmp-server community public
interface GigabitEthernet1/1
interface GigabitEthernet1/2
cluster enable cluster-name
Use this configuration? [yes/no]: yes
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection [2]:
Related Commands
|
|
show running-config |
Displays the running configuration on the switch. For syntax information, see the Cisco IOS Software Command Reference, Release 15.0. |
show version |
Displays version information for the hardware and firmware. |
setup express
To enable Express Setup mode, use the setup express command in global configuration mode. Use the no form of this command to disable Express Setup mode.
setup express
no setup express
Syntax Description
This command has no arguments or keywords.
Command Default
Express Setup is enabled.
Command Modes
Global configuration
Command History
15.0(1)EY | This command was introduced.
Usage Guidelines
When Express Setup is enabled on a new (unconfigured) switch, pressing the Express Setup button for 2 seconds activates Express Setup. You can access the switch through an Ethernet port by using the IP address 10.0.0.1 and then can configure the switch with the web-based Express Setup program or the command-line interface (CLI)-based setup program.
When you press the Express Setup button for 2 seconds on a configured switch, the LEDs below the Express Setup button start blinking. If you press the Express Setup button for a total of 10 seconds, the switch configuration is deleted, and the switch reboots. The switch can then be configured like a new switch, either through the web-based Express Setup program or the CLI-based setup program.
Note As soon as you make any change to the switch configuration (including entering no at the beginning of the CLI-based setup program), configuration by Express Setup is no longer available. You can only run Express Setup again by pressing the Express Setup button for 10 seconds. This deletes the switch configuration and reboots the switch.
If Express Setup is active on the switch, entering the write memory or copy running-configuration startup-configuration privileged EXEC commands deactivates Express Setup. The IP address 10.0.0.1 is no longer valid on the switch, and your connection using this IP address ends.
The primary purpose of the no setup express command is to prevent someone from deleting the switch configuration by pressing the Mode button for 10 seconds.
Examples
This example shows how to enable Express Setup mode:
Switch(config)# setup express
You can verify that Express Setup mode is enabled by pressing the Express Setup button:
- On an unconfigured switch, the LEDs below the Express Setup button turn solid green after 3 seconds.
- On a configured switch, the mode LEDs begin blinking after 2 seconds and turn solid green after 10 seconds.
Caution If you hold the Express Setup button down for a total of 10 seconds, the configuration is deleted, and the switch reboots.
This example shows how to disable Express Setup mode:
Switch(config)# no setup express
You can verify that Express Setup mode is disabled by pressing the Express Setup button. The LEDs do not turn solid green or begin blinking green if Express Setup mode is not enabled on the switch.