Table Of Contents
mac-address-table notification change
mac-address-table notification mac-move
mac-address-table notification threshold
mac-address-table unicast-flood
mls rp ip (global configuration mode)
mls rp ip (interface configuration mode)
mls rp ip multicast management-interface
mode dot1q-in-dot1q access-gateway
name (MST configuration submode)
mac access-group
To use a MAC access control list (ACL) to control the reception of incoming traffic on a Gigabit Ethernet interface, an 802.1Q VLAN subinterface, an 802.1Q-in-Q stacked VLAN subinterface, use the mac access-group command in interface or subinterface configuration mode. To remove a MAC ACL, use the no form of this command.
mac access-group access-list-number in
no mac access-group access-list-number in
Syntax Description
access-list-number
Number of a MAC ACL to apply to an interface or subinterface (as specified by a access-list (MAC) command). This is a decimal number from 700 to 799.
in
Filters on inbound packets.
Defaults
No access list is applied to the interface or subinterface.
Command Modes
Interface configuration (config-if)
Subinterface configuration (config-subif)Command History
12.0(32)S
This command was introduced on the Cisco 12000 series Internet router.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Usage Guidelines
MAC ACLs are applied on incoming traffic on Gigabit Ethernet interfaces and VLAN subinterfaces. After a networking device receives a packet, the Cisco IOS software checks the source MAC address of the Gigabit Ethernet, 802.1Q VLAN, or 802.1Q-in-Q packet against the access list. If the MAC access list permits the address, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.
If the specified MAC ACL does not exist on the interface or subinterface, all packets are passed.
On Catalyst 6500 series switches, this command is supported on Layer 2 ports only.
Note
The mac access-group command is supported on a VLAN subinterface only if a VLAN is already configured on the subinterface.
Examples
The following example applies MAC ACL 101 on incoming traffic received on Gigabit Ethernet interface 0:
Router> enableRouter# configure terminalRouter(config)# interface gigabitethernet 0Router(config-if)# mac access-group 101 inRelated Commands
mac access-list extended
To access a subcommand to define extended MAC-access lists, use the mac access-list extended command in global configuration mode. To remove MAC-access lists, use the no form of this command.
mac access-list extended name
no mac access-list extended name
Syntax Description
Defaults
No default ACL
Command Modes
Global configuration
Command History
Usage Guidelines
When you enter the ACL name, follow these naming conventions:
•
•
•
•
•
You can configure named ACLs that filter Internet Packet Exchange (IPX), DECnet, AppleTalk, Virtual Integrated Network Service (VINES), or Xerox Network Services (XNS) traffic based on MAC addresses (IPX filtering with a MAC ACL is supported only with a Policy Feature Card 3 [PFC3]).
In systems that are configured with PFC3, if you want to classify all IPX traffic by using a MAC-access list that matches on EtherType 0x8137, use the ipx-arpa or ipx-non-arpa protocol.
Once you enter the mac access-list extended name command, use the following subset to create or delete entries in a MAC-access list:
[no] {permit | deny} {{src-mac mask | any} {dest-mac mask} | any} [protocol [vlan vlan] [cos value]]}
The vlan vlan and cos value keywords and arguments are supported in PFC3BXL or PFC3B mode with Release 12.2(17b)SXA and later releases.
The vlan vlan and cos value keywords and arguments are not supported on the MAC VLAN access control lists (VACLs).
Table 8 describes the syntax of the mac access-list extended subcommands.
Valid protocol names are as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
When you enter the src-mac mask or dest-mac mask value, note these guidelines and restrictions:
•
•
•
•
•
•
•
Malformed, invalid, deliberately corrupt EtherType 0x800 IP frames are not recognized as IP traffic and are not filtered by IP ACLs.
An ACE created with the mac access-list extended command with the ip keyword filters malformed, invalid, deliberately corrupt EtherType 0x800 IP frames only; it does not filter any other IP traffic.
Examples
This example shows how to create a MAC-access list named mac_layer that denies traffic from 0000.4700.0001, which is going to 0000.4700.0009, and permits all other traffic:
Router(config)# mac access-list extended mac_layerRouter(config-ext-macl)# deny 0000.4700.0001 0.0.0 0000.4700.0009 0.0.0 dsmRouter(config-ext-macl)# permit any anyRelated Commands
mac packet-classify
To classify Layer 3 packets as Layer 2 packets, use the mac packet-classify command in interface configuration mode. To return to the default settings, use the no form of this command.
mac packet-classify
no mac packet-classify
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
12.2(18)SXD
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
You can configure these interface types for multilayer MAC access control list (ACL) quality of service (QoS) filtering:
•
•
•
The ingress traffic that is permitted or denied by a MAC ACL on an interface configured for multilayer MAC ACL QoS filtering is processed by egress interfaces as MAC-layer traffic. You cannot apply egress IP ACLs to traffic that was permitted or denied by a MAC ACL on an interface configured for multilayer MAC ACL QoS filtering.
Microflow policing does not work on interfaces that have the mac packet-classify command enabled.
The mac packet-classify command causes the Layer 3 packets to be classified as Layer 2 packets and disables IP classification.
Traffic is classified based on 802.1Q class of service (CoS), trunk VLAN, EtherType, and MAC addresses.
Examples
This example shows how to classify incoming and outgoing Layer 3 packets as Layer 2 packets:
Router(config-if)# mac packet-classifyRouter(config-if)#This example shows how to disable the classification of incoming and outgoing Layer 3 packets as Layer 2 packets:
Router(config-if)# no mac packet-classifyRouter(config-if)#Related Commands
mac packet-classify use vlan
To enable VLAN-based quality of service (QoS) filtering in the MAC access control lists (ACLs), use the mac packet-classify use vlan command in global configuration mode. To return to the default settings, use the no form of this command.
mac packet-classify use vlan
no mac packet-classify use vlan
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
This command is supported in PFC3BXL or PFC3B mode only.
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
You must use the no mac packet-classify use vlan command to disable the VLAN field in the Layer 2 key if you want to apply QoS to the Layer 2 Service Advertising Protocol (SAP)-encoded packets (for example, Intermediate System-to-Intermediate System [IS-IS] and Internet Packet Exchange [IPX]).
QoS does not allow policing of non-Advanced Research Protocol Agency (ARPA) Layer 2 packets (for example, IS-IS and IPX) if the VLAN field is enabled.
Examples
This example shows how to enable Layer 2 classification of IP packets:
Router(config)# mac packet-classify use vlanRouter(config)This example shows how to disable Layer 2 classification of IP packets:
Router(config)# no mac packet-classify use vlanRouter(config)Related Commands
mac-address-table aging-time
To configure the maximum aging time for entries in the Layer 2 table, use the mac-address-table aging-time command in global configuration mode. To reset maximum aging time to the default setting, use the no form of this command.
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
mac-address-table aging-time seconds
no mac-address-table aging-time seconds
Cisco 7600 Series Routers
mac-address-table aging-time seconds [routed-mac | vlan vlan-id]
no mac-address-table aging-time seconds [routed-mac | vlan vlan-id]
Catalyst Switches
mac-address-table aging-time seconds [routed-mac | vlan vlan-id]
no mac-address-table aging-time seconds [routed-mac | vlan vlan-id]
Syntax Description
Command Default
The default aging time is 300 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
The aging time entry will take the specified value. Valid entries are from 10 to 1000000 seconds.
This command cannot be disabled.
Catalyst Switches and Cisco 7600 Routers
If you do not enter a VLAN, the change is applied to all routed-port VLANs.
Enter 0 seconds to disable aging.
You can enter the routed-mac keyword to configure the MAC address aging time for traffic that has the routed MAC (RM) bit set.
Examples
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
The following example shows how to configure aging time to 300 seconds:
mac-address-table aging-time 300Catalyst Switches and Cisco 7600 Routers
The following example shows how to configure the aging time:
mac-address-table aging-time 400The following example shows how to change the RM aging time to 500 seconds:
mac-address-table aging-time 500 routed-macThe following example shows how to disable the aging time:
mac-address-table aging-time 0Related Commands
show mac-address-table
Displays information about the MAC address table.
show mac-address-table aging-time
Displays the MAC address aging time.
mac-address-table dynamic
To add dynamic addresses to the MAC address table, use the mac-address-table dynamic command in global configuration mode. Dynamic addresses are automatically added to the address table and dropped from it when they are not in use. To remove dynamic entries from the MAC address table, use the no form of this command.
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
mac-address-table dynamic hw-address interface {fa | gi} [slot/port] vlan vlan-id
no mac-address-table dynamic hw-address vlan vlan-id
Catalyst Switches
mac-address-table dynamic hw-address interface [atm slot/port] [vlan vlan-id]
no mac-address-table dynamic hw-address [vlan vlan-id]
Syntax Description
Command Default
Dynamic addresses are not added to the MAC address table.
Command Modes
Global configuration
Command History
Usage Guidelines
If the vlan-id argument is omitted and the no form of the command is used, the MAC address is removed from all VLANs.
Examples
The following example shows how to add a MAC address on port fa1/1 to VLAN 4:
Switch(config)# mac-address-table dynamic 00c0.00a0.03fa fa1/1 vlan 4Related Commands
mac-address-table learning
To enable MAC-address learning, use the mac-address-table learning command in global configuration mode. To disable learning, use the no form of this command.
[default] mac-address-table learning {vlan vlan-id | interface interface slot/port} [module num]
no mac-address-table learning {vlan vlan-id | interface interface slot/port} [module num]
Syntax Description
Defaults
If you configure a VLAN on a port in a module, all the supervisor engines and Distributed Forwarding Cards (DFCs) in the Catalyst 6500 series switch are enabled to learn all the MAC addresses on the specified VLAN.
Command Modes
Global configuration
Command History
12.2(18)SXE
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
You can use the module num keyword and argument to specify supervisor engines or DFCs only.
You can use the vlan vlan-id keyword and argument on switch-port VLANs only. You cannot use the vlan vlan-id keyword and argument to configure learning on routed interfaces.
You can use the interface interface slot/port keyword and arguments on routed interfaces, supervisor engines, and DFCs only. You cannot use the interface interface slot/port keyword and arguments to configure learning on switch-port interfaces or non-DFC modules.
Examples
This example shows how to enable MAC-address learning on a switch-port interface on all modules:
Router(config)# mac-address-table learning vlan 100Router(config)#This example shows how to enable MAC-address learning on a switch-port interface on a specified module:
Router(config)# mac-address-table learning vlan 100 module 4Router(config)#This example shows how to disable MAC-address learning on a specified switch-port interface for all modules:
Router(config)# no mac-address-table learning vlan 100Router(config)#This example shows how to enable MAC-address learning on a routed interface on all modules:
Router(config)# mac-address-table learning vlan 100Router(config)#This example shows how to enable MAC-address learning on a routed interface for a specific module:
Router(config)# mac-address-table learning interface FastEthernet 3/48 module 4Router(config)#This example shows how to disable MAC-address learning for all modules on a specific routed interface:
Router(config)# no mac-address-table learning interface FastEthernet 3/48Router(config)#Related Commands
mac-address-table limit
To enable MAC limiting, use the mac-address-table limit command in global configuration mode. To disable MAC limiting, use the no form of this command.
mac-address-table limit [maximum num] [action {warning | limit | shutdown}] [notification {syslog | trap | both}]
mac-address-table limit [vlan vlan | interface type mod/port] [maximum num] [action {warning | limit | shutdown}] [flood]
no mac-address-table limit [vlan vlan] [maximum | action]
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this syntax for enabling MAC limiting globally:
mac-address-table limit [maximum num] [action {warning | limit | shutdown}] [notification {syslog | trap | both}]
Use this syntax for enabling per-VLAN MAC limiting:
mac-address-table limit [vlan vlan] [maximum num] [action {warning | limit | shutdown}] [flood]
Use this syntax for enabling per-port MAC limiting:
mac-address-table limit [interface type mod/port] [maximum num] [action {warning | limit | shutdown}] [flood]
If you enable per-VLAN MAC limiting, the per-VLAN MAC limiting supersedes the mac-address-table limit command that globally enables MAC limiting.
The maximum number of MAC entries is based per VLAN and per EARL.
If you do not specify a maximum, an action, or a notification, the default settings are used.
If you enable per-VLAN MAC limiting, MAC limiting is enabled on the VLAN specified only.
The flood keyword is supported on VLAN interfaces only.
The flood action occurs only if the limit action is configured and is violated.
In the shutdown state, the VLAN remains in the blocked state until you reenable it through the CLI.
Examples
This example shows how to enable the MAC limit globally:
Router(config)# mac-address-table limitRouter(config)#This example shows how to enable per-VLAN MAC limiting:
Router(config)# mac-address-table limit vlan 501 maximum 50 action shutdownRouter(config)#Related Commands
show mac-address-table limit
Displays the information about the MAC-address table.
mac-address-table notification change
To send a notification of the dynamic changes to the MAC address table, use the mac-address-table notification change command in global configuration mode. To return to the default settings, use the no form of this command.
mac-address-table notification change [history size | interval seconds]
no mac-address-table notification change
Syntax Description
Command Default
The default settings are as follows:
•
•
–
–
Command Modes
Global configuration (config)
Command History
Examples
This example shows how to configure the Simple Network Management Protocol (SNMP) notification of dynamic additions to the MAC address table of addresses:
Router(config)# mac-address-table notification change interval 5 history 25Related Commands
mac-address-table notification mac-move
To enable MAC-move notification, use the mac-address-table notification mac-move command in global configuration mode. To disable MAC-move notification, use the no form of this command.
mac-address-table notification mac-move
no mac-address-table notification mac-move
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Usage Guidelines
MAC-move notification generates a syslog message whenever a MAC address or host moves between different switch ports.
MAC-move notification does not generate a notification when a new MAC address is added to the content-addressable memory (CAM) or when a MAC address is removed from the CAM.
MAC-move notification is supported on switch ports only.
Examples
This example shows how to enable MAC-move notification:
Router(config)# mac-address-table notification mac-moveRouter(config)#This example shows how to disable MAC-move notification:
Router(config)# no mac-address-table notification mac-moveRouter(config)#Related Commands
show mac-address-table notification mac-move
Displays the information about the MAC-address table.
mac-address-table notification threshold
To enable content-addressable memory (CAM) table usage monitoring notification, use the mac-address-table notification threshold command in global configuration mode. To disable CAM table usage monitoring notification, use the no form of this command.
mac-address-table notification threshold limit percentage interval time
no mac-address-table notification threshold
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Modes
Global configuration
Command History
12.2(18)SXE
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
When you enable CAM table usage monitoring, the number of valid entries in the CAM table are counted and if the percentage of the CAM utilization is higher or equal to the specified threshold, a message is displayed.
Examples
This example shows how to enable CAM table usage monitoring notification and use the default settings:
Router(config)# mac-address-table notification thresholdRouter(config)#This example shows how to enable CAM table usage monitoring notification and set the threshold and interval:
Router(config)# mac-address-table notification threshold limit 20 interval 200Router(config)#This example shows how to disable CAM table usage monitoring notification:
Router(config)# no mac-address-table notification thresholdRouter(config)#Related Commands
show mac-address-table notification threshold
Displays information about the MAC-address table.
mac-address-table secure
To add secure addresses to the MAC address table, use the mac-address-table secure command in global configuration mode. To remove secure entries from the MAC address table, use the no form of this command.
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
mac-address-table secure hw-address interface {fa | gi} slot/port vlan vlan-id
no mac-address-table secure hw-address vlan vlan-id
Catalyst Switches
mac-address-table secure hw-address interface [atm slot/port] [vlan vlan-id]
no mac-address-table secure hw-address [vlan vlan-id]
Syntax Description
Command Default
Secure addresses are not added to the MAC address table.
Command Modes
Global configuration
Command History
Usage Guidelines
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
Secure addresses can be assigned to only one port at a time. Therefore, if a secure address table entry for the specified MAC address and VLAN already exists on another port, it is removed from that port and assigned to the specified one.
Catalyst Switches
Secure addresses can be assigned to only one port at a time. Therefore, if a secure address table entry for the specified MAC address and VLAN already exists on another port, it is removed from that port and assigned to the specified one.
Dynamic-access ports cannot be configured with secure addresses.
Examples
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
The following example shows how to add a secure MAC address to VLAN 6 of port fa1/1:
Router(config)# mac-address-table secure 00c0.00a0.03fa fa1/1 vlan 6
Catalyst Switches
The following example shows how to add a secure MAC address to VLAN 6 of port fa1/1:
Switch(config)# mac-address-table secure 00c0.00a0.03fa fa1/1 vlan 6The following example shows how to add a secure MAC address to ATM port 2/1:
Switch(config)# mac-address-table secure 00c0.00a0.03fa atm 2/1Related Commands
mac-address-table static
To add static entries to the MAC address table or to disable Internet Group Multicast Protocol (IGMP) snooping for a particular static multicast MAC address, use the mac-address-table static command in global configuration mode. To remove entries profiled by the combination of specified entry information, use the no form of this command. See the "Usage Guidelines" section for other information about the no form of this command.
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
mac-address-table static mac-address vlan vlan-id interface type slot/port
no mac-address-table static mac-address vlan vlan-id interface type slot/port
Catalyst Switches
mac-address-table static mac-address vlan vlan-id {interface int | drop [disable-snooping]}
[dlci dlci | pvc vpi/vci] [auto-learn | disable-snooping] [protocol {ip | ipx | assigned}]Syntax Description
Command Default
Static entries are not added to the MAC address table.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
The output interface specified cannot be a switched virtual interface (SVI).
Entering the no form of this command does not remove system MAC addresses.
When you remove a MAC address, entering the interface type slot/port argument is optional. For unicast entries, the entry is removed automatically. For multicast entries, if you do not specify an interface, the entire entry is removed. You can specify the selected ports to be removed by specifying the interface.
Catalyst Switches
The output interface specified cannot be an SVI.
As a good practice, configure static mac addresses on Layer 2 EtherChannels only and not on Layer 2 physical member ports of an Etherchannel. This practice does not apply to Layer 3 EtherChannels and its members.
Use the no form of this command to do the following:
•
•
The dlci dlci keyword and argument are valid only if Frame Relay encapsulation has been enabled on the specified interface.
The pvc vpi/vci keyword and arguments are supported on ATM interfaces only.
When specifying the pvc vpi/vci, you must specify both a VPI and a VCI, separated by a slash.
When you install a static MAC address, it is associated with a port. If the same MAC address is seen on a different port, the entry is updated with the new port if you enter the auto-learn keyword.
The output interface specified must be a Layer 2 IDB and not an SVI.
The ipx keyword is not supported.
You can enter up to 15 interfaces per command entered, but you can enter more interfaces by repeating the command.
If you do not enter a protocol type, an entry is automatically created for each of the four protocol types.
Entering the no form of this command does not remove system MAC addresses.
When you remove a MAC address, entering interface int is optional. For unicast entries, the entry is removed automatically. For multicast entries, if you do not specify an interface, the entire entry is removed. You can specify the selected ports to be removed by specifying the interface.
The mac-address-table static mac-address vlan vlan-id interface int disable-snooping command disables snooping on the specified static MAC address/VLAN pair only. To reenable snooping, first you must delete the MAC address using the no form of the command, and then reinstall the MAC address using the mac-address-table static mac-address vlan vlan-id interface int command, without entering the disable-snooping keyword.
The mac-address-table static mac-address vlan vlan-id drop command cannot be applied to a multicast MAC address.
Specifying a MAC Address for DLCI or PVC Circuits
To support multipoint bridging and other features, the behavior of the following command has changed for ATM and Frame Relay interfaces in Cisco IOS Release 12.2(18)SXE and later releases. In previous releases, you needed to specify a VLAN ID and an interface only.
Router(config)# mac-address-table static 000C.0203.0405 vlan 101 interface ATM6/1In Cisco IOS Release 12.2(18)SXE, you must also specify the dlci option for Frame Relay interfaces, or the pvc option for ATM interfaces, such as in the following example:
Router(config)# mac-address-table static 000C.0203.0405 vlan 101 interface ATM6/1 pvc6/101
Note
Examples
The following example shows how to add static entries to the MAC address table:
Router(config)# mac-address-table static 0050.3e8d.6400 vlan 100 interface fastethernet5/7The following example shows how to configure a static MAC address with IGMP snooping disabled for a specified address:
Router(config)# mac-address-table static 0050.3e8d.6400 vlan 100 interface fastethernet5/7 disable-snoopingThe following example shows how to add static entries to the MAC address table for an ATM PVC circuit and for a Frame Relay DLCI circuit:
Router(config)# mac-address-table static 0C01.0203.0405 vlan 101 interface ATM6/1 pvc 6/101Router(config)# mac-address-table static 0C01.0203.0406 vlan 202 interface POS4/2 dlci 200Related Commands
show mac-address-table address
Displays MAC address table information for a specific MAC address.
mac-address-table synchronize
To synchronize the Layer 2 MAC address table entries across the Policy Feature Card (PFC) and all the Distributed Forwarding Cards (DFCs), use the mac-address-table synchronize command in global configuration mode. To disable MAC address table synchronization or reset the activity timer, use the no form of this command.
mac-address-table synchronize [activity-time seconds]
no mac-address-table synchronize [activity-time seconds]
Syntax Description
activity-time seconds
(Optional) Specifies the activity timer interval: valid values are 160, 320, and 640 seconds.
Defaults
The default settings are as follows:
•
•
•
Command Modes
Global configuration
Command History
Usage Guidelines
We recommend that you configure the activity time so that at least two activity times exist within the regular Layer 2 aging time (or within the aging time used for VLANs in distributed EtherChannels if this feature is used only for distributed EtherChannels). If at least two activity times do not exist within the aging time, then an error message is displayed.
Examples
This example shows how to specify the activity timer interval:
mac-address-table synchronize activity-time 320Related Commands
show mac-address-table synchronize statistics
Displays information about the MAC address table.
mac-address-table unicast-flood
To enable unicast-flood protection, use the mac-address-table unicast-flood command in global configuration mode. To disable unicast-flood protection, use the no form of this command.
mac-address-table unicast-flood limit kfps vlan vlan-id {filter timeout | alert | shutdown}
no mac-address-table unicast-flood limit kfps vlan vlan
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
12.2(17d)SXB
Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2 only.
We recommend that you configure unicast-flood protection as follows:
•
•
The shutdown keyword is supported on nontrunk ports only.
If you specify alert and unknown unicast floods exceeding the threshold are detected, a system message is displayed and no further action is taken.
If you specify shutdown and unknown unicast floods exceeding the threshold are detected, a system message is displayed. Once the system message is displayed, the port goes to err-disable mode.
Examples
This example shows how to set the flood rate limit to 3000 floods per second (fps) and display a system message when the rate limit has been exceeded:
Router(config)# mac-address-table unicast-flood limit 3 vlan 125 alertRouter(config)#Related Commands
show mac-address-table unicast-flood
Displays information about the MAC-address table.
match (VLAN access-map)
To specify the match clause by selecting one or more IP, Internetwork Packet Exchange (IPX), or MAC access control lists (ACLs) for a VLAN access-map sequence for traffic filtering, use the match command in VLAN access-map configuration mode. To remove the match clause, use the no form of this command.
match {ip address {acl-number | acl-name} | ipx address {acl-number | acl-name} | mac address acl-name}
no match {ip address {acl-number | acl-name} | ipx address {acl-number | acl-name} | mac address acl-name}
Syntax Description
Defaults
No match clause is specified.
Command Modes
VLAN access-map configuration
Command History
Usage Guidelines
The match ipx address and match mac address commands are not supported for VLAN ACLs (VACLs) on WAN interfaces.
IPX ACLs that are used in VACLs can specify only the IPX protocol type, the source network, the destination network, and the destination host address.
The MAC sequence is not effective for IP or IPX packets. IP packets and IPX packets should be access controlled by IP and IPX match clauses.
You cannot configure VACLs on secondary VLANs. The secondary VLAN inherits all features that are configured on the primary VLAN.
The following commands appear in the command-line interface (CLI) help but are not supported by the quality of service (QoS) as implemented on the policy feature card (PFC):
•
•
•
•
•
•
•
•
•
•
Examples
The following example defines a match clause for a VLAN access map:
Router(config)# vlan access-map map1 10Router(config-access-map)# match ip address 13Related Commands
mls qos cos
To define the default multilayer switching (MLS) class of service (CoS) value of a port or to assign the default CoS value to all incoming packets on the port, use the mls qos cos command in interface configuration mode. To return to the default CoS setting, use the no form of this command.
Cisco 3660, 3845, 6500, 7200, 7400, and 7500 Series Routers
mls qos cos {cos-value | override}
no mls qos cos {cos-value | override}
Cisco 7600 Series Routers
mls qos cos cos-value
no mls qos cos cos-value
Syntax Description
Command Default
The defaults are as follows:
•
•
Command Modes
Interface configuration
Command History
Usage Guidelines
Cisco 3660, 3845, 6500, 7200, 7400, and 7500 Series Routers
You can assign the default CoS and differentiated services code point (DSCP) value to all packets entering a port if the port has been configured by use of the override keyword.
Use the override keyword when all incoming packets on certain ports deserve a higher or lower priority than packets the enter from other ports. Even if a port was previously set to trust DSCP or CoS, this command overrides that trust state, and all the CoS values on the incoming packets are changed to the default CoS value that is configured with the mls qos cos command. If an incoming packet is tagged, the CoS value of the packet is modified at the ingress port. It is changed to the default CoS of that port.
Use the show mls qos interface privileged EXEC command to verify your settings.
Cisco 7600 Series Routers
CoS values are configurable on physical LAN ports only.
On Cisco 7600 series routers that are configured with a Supervisor Engine 2, the following restrictions apply:
•
•
Examples
Cisco 3660, 3845, 6500, 7200, 7400, and 7500 Series Routers
The following example shows how to assign 4 as the default port CoS:
Router(config)# interface gigabitethernet 0/1Router(config-if)# mls qos trust cosRouter(config-if)# mls qos cos 4The following example shows how to assign 4 as the default port CoS value for all packets the enter the port:
Router(config)# interface gigabitethernet0/1Router(config-if)# mls qos cos 4Router(config-if)# mls qos cos overrideCisco 7600 Series Routers
The following example shows how to configure the default QoS CoS value as 6:
Router(config)# interface gigabitethernet 0/1Router(config-if)# mls qos cos 6Related Commands
mls qos map
To define the multilayer switching (MLS) class of service (CoS)-to-differentiated services code point (DSCP) map or DSCP-to-CoS map, use the mls qos map command in global configuration mode. To return to the default map, use the no form of this command.
mls qos map {cos-dscp dscp1...dscp8 | dscp-cos dscp-list to cos}
no mls qos map {cos-dscp | dscp-cos}
Syntax Description
Command Default
Table 9 shows the default CoS-to-DSCP map.
Table 10 shows the default DSCP-to-CoS map.
Table 10 Default DSCP-to-CoS Map
0
8, 10
16, 18
24, 26
32, 34
40, 46
48
56
0
1
2
3
4
5
6
7
Command Modes
Global configuration
Command History
Usage Guidelines
All of the CoS-to-DSCP and DSCP-to-CoS maps are globally defined. You apply all maps to all ports.
If you enter the mls qos trust cos command, the default CoS-to-DSCP map is applied.
If you enter the mls qos trust dscp command, the default DSCP-to-CoS map is applied.
After a default map is applied, you can define the CoS-to-DSCP or DSCP-to-CoS map by entering consecutive mls qos map commands.
If the mls qos trust dscp command is entered and a packet with an untrusted DSCP value is at an ingress port, the packet CoS value is set to 0.
Use the show mls qos maps privileged EXEC command to verify your settings.
Examples
The following example shows how to define the DSCP-to-CoS map. DSCP values 16, 18, 24, and 26 are mapped to CoS 1. DSCP values 0, 8, and 10 are mapped to CoS 0.
Router# configure terminalRouter(config)# mls qos map dscp-cos 16 18 24 26 to 1Router(config)# mls qos map dscp-cos 0 8 10 to 0The following example shows how to define the CoS-to-DSCP map. CoS values 0 to 7 are mapped to DSCP values 8, 8, 8, 8, 24, 32, 56, and 56.
Router# configure terminalRouter(config)# mls qos map cos-dscp 8 8 8 8 24 32 56 56Related Commands
mls qos trust
To configure the multilayer switching (MLS) port trust state and to classify traffic by examining the class of service (CoS) or differentiated services code point (DSCP) value, use the mls qos trust command in interface configuration mode. To return a port to its untrusted state, use the no form of this command.
mls qos trust [cos | dscp | ip-precedence]
no mls qos trust
Syntax Description
Command Default
The defaults for LAN interfaces and WAN interfaces on the Optical Service Modules (OSMs) are as follows:
•
•
Command Modes
Interface configuration
Command History
Usage Guidelines
Packets the enter a quality of service (QoS) domain are classified at its edge. Because the packets are classified at the edge, the switch port within the QoS domain can be configured to a trusted state. It is not necessary to classify the packets at every switch within the domain. Use the mls qos trust command to set the trusted state of an interface and to indicate which fields of the packet are used to classify traffic.
The following conditions apply to the mls qos trust command running on Cisco 7600 series routers:
•
•
•
•
•
Note
Examples
The following example shows how to set the trusted state of an interface to IP precedence:
Router(config-if)# mls qos trust ip-precedenceRelated Commands
mls rp ip
To enable the Multilayer Switching Protocol (MLSP) and multilayer switching (MLS), use the mls rp ip command in global configuration mode. To disable MLS, use the no form of this command.
mls rp ip
no mls rp ip
Syntax Description
This command has no arguments or keywords.
Command Default
MLS is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enable MLS, either globally or on a specific interface. MLSP is the protocol that runs between the switches and routers.
Examples
The following example enables MLS:
Router(config)# mls rp ipRelated Commands
mls rp ip (global configuration mode)
To enable external systems to establish IP shortcuts to the Multilayer Switching Feature Card (MSFC), use the mls rp ip command in global configuration mode. To remove a prior entry, use the no form of this command.
mls rp ip [input-acl | route-map]
no mls rp ip
Syntax Description
input-acl
(Optional) Enables the IP-input access list.
route-map
(Optional) Enables the IP-route map.
Defaults
No shortcuts are configured.
Command Modes
Global configuration
Command History
Examples
This example shows how to allow the external systems to establish IP shortcuts with IP-input access lists:
Router(config)# mls rp ip input-aclRouter(config)#Related Commands
mls ip
Enables MLS IP for the internal router on the interface.
show mls ip multicast
Displays the MLS IP information.
mls rp ip (interface configuration mode)
To enable the external systems to enable Multilayer Switching (MLS) IP on a specified interface, use the mls rp ip command in interface configuration mode. To disable MLS IP, use the no form of this command.
mls rp ip
no mls rp ip
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Interface configuration
Command History
Examples
This example shows how to enable the external systems to enable MLS IP on an interface:
Router(config-if)# mls rp ipRouter(config-if)Related Commands
mls rp ip (global configuration mode)
Enables external systems to establish IP shortcuts to the MSFC.
show mls ip multicast
Displays the MLS IP information.
mls rp ip multicast
To enable IP multicast multilayer switching (MLS) (hardware switching) on an external or internal router in conjunction with Layer 3 switching hardware for the Catalyst 5000, use the mls rp ip multicast command in interface configuration mode. To disable IP multicast MLS on the interface or virtual LAN (VLAN), use the no form of this command.
mls rp ip multicast
no mls rp ip multicast
Syntax Description
This command has no arguments or keywords.
Command Default
IP multicast MLS is enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
This command is available only on specific router platforms connected to a Catalyst 5000 switch. Use this command to reduce multicast load on the router. The switch performs the multicast packet replication and forwarding.
IP multicast MLS is enabled by default on an interface after IP multicast routing and Protocol Independent Multicast (PIM) are enabled.
Examples
The following example shows how to disable IP multicast MLS:
Router(config)# interface fastethernet1/0.1Router(config-if)# no mls rp ip multicastRelated Commands
mls rp ip multicast management-interface
To assign a different interface (other than the default) to act as the management interface for Multilayer Switching (MLS), use the mls rp ip multicast management-interface command in interface configuration mode. To restore the default interface as the management interface, use the no form of this command.
mls rp ip multicast management-interface
no mls rp ip multicast management-interface
Syntax Description
This command has no arguments or keywords.
Command Default
When IP multicast MLS is enabled, the subinterface (or virtual LAN [VLAN] interface) that has the lowest VLAN ID and is active (in the "up" state) is automatically selected as the management interface.
Command Modes
Interface configuration
Command History
Usage Guidelines
When you enable IP multicast MLS, the subinterface (or VLAN interface) that has the lowest VLAN ID and is active (in the "up" state) is automatically selected as the management interface. The one-hop protocol Multilayer Switching Protocol (MLSP) is used between a router and a switch to pass messages about hardware-switched flows. MLSP packets are sent and received on the management interface. Typically, the interface in VLAN 1 is chosen (if that interface exists). Only one management interface is allowed on a single trunk link.
In most cases, we recommend that the management interface be determined by default. However, you can optionally use this command to specify a different router interface or subinterface as the management interface. We recommend using a subinterface with minimal data traffic so that multicast MLSP packets can be sent and received more quickly.
If the user-configured management interface goes down, the router uses the default interface (the active interface with the lowest VLAN ID) until the user-configured interface comes up again.
Examples
The following example shows how to configure the Fast Ethernet interface as the management interface:
Router(config)# interface fastethernet1/0.1Router(config-if)# mls rp ip multicast management-interfaceRelated Commands
mls rp ip multicast
Enables IP multicast MLS (hardware switching) on an external or internal router in conjunction with Layer 3 switching hardware for the Catalyst 5000 switch.
mls rp ipx (global)
To enable the router as a multilayer switching (MLS) IPX Route Processor (RP), or to allow the external systems to enable MLS IPX to a Multilayer Switch Feature Card (MSFC), use the mls rp ipx command in global configuration mode. To disable MLS IPX on the router or MSFC, use the no form of this command.
mls rp ipx [input-acl]
no mls rp ipx [input-acl]
Syntax Description
Command Default
MLS IPX is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Multilayer Switching Protocol (MLSP) is the protocol that runs between the MLS switching engine and the MLS RP.
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720.
Examples
The following example enables MLS IPX on the MLS RP:
Router(config)# mls rp ipxThis example shows how to allow the external systems to enable MLS IPX to the MSFC and override ACLs:
Router(config)# mls rp ipx input-aclRouter(config)#Related Commands
mls rp ipx (interface)
To enable multilayer switching (MLS) Internetwork Packet Exchange (IPX) on a router interface, use the mls rp ipx command in interface configuration mode. To disable MLS IPX on a router interface, use the no form of this command.
mls rp ipx
no mls rp ipx
Syntax Description
This command has no arguments or keywords.
Command Default
MLS IPX is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
Multilayer Switching Protocol (MLSP) is the protocol that runs between the MLS Switching Engine and the MLS RP.
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 720.
Examples
The following example shows how to enable MLS IPX on a router interface:
Router(config-if)# mls rp ipxRelated Commands
mls rp locate ipx
To display information about all switches currently shortcutting for the specified Internetwork Packet Exchange (IPX) flows, use the mls rp locate ipx command in privileged EXEC mode.
mls rp locate ipx destination-network.destination-node [source-network]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to display the switch that is shortcutting routed flows to the specified IPX flow:
Router# mls rp locate ipx 30.0000.1111.2222locator response from switch id 0010.1400.601fRelated Commands
mls rp management-interface
To specify an interface as the management interface, use the mls rp management-interface command in interface configuration mode. To remove an interface as the management interface, use the no form of this command.
mls rp management-interface
no mls rp management-interface
Syntax Description
This command has no keywords or arguments.
Command Default
No interface is specified as the management interface.
Command Modes
Interface configuration
Command History
Usage Guidelines
Multilayer Switching Protocol (MLSP) packets are sent and received through the management interface.
Select only one IPX multilayer switching (MLS) interface connected to the switch. If you fail to select this interface, no connection between the MLS route processor (RP) and the MLS switching engine occurs, and any routing updates or changes to access lists are not reflected on the switch.
Examples
The following example shows how to select a management interface:
Router(config-if)# mls rp management-interfaceRelated Commands
mls rp nde-address
To specify a NetFlow Data Export (NDE) address, use the mls rp nde-address command in global configuration mode.
mls rp nde-address [ip-addr]
no mls rp nde-address [ip-addr]
Syntax Description
Command Default
No NDE address is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command on a route processor (RP) to specify the NDE address for a router. If you do not specify an NDE IP address for the multilayer switching (MLS) RP, the MLS RP automatically selects one of its interface's IP addresses and uses that IP address as its NDE IP address and its MLS IP address.
Use the following syntax to specify an IP subnet address:
•
•
•
Examples
The following example shows how to set the NDE address to 172.25.2.1:
Router(config)# mls rp nde-address 172.25.2.1Related Commands
mls rp vlan-id
To assign a virtual LAN (VLAN) identification number to an interface, use the mls rp vlan-id command in interface configuration mode. To remove a VLAN identification number, use the no form of this command.
mls rp vlan-id vlanid-number
no mls rp vlan-id vlanid-number
Syntax Description
Command Default
No VLAN identification number is assigned.
Command Modes
Interface configuration
Command History
Examples
The following example shows how to assign the VLAN identification number to an interface:
Router(config-if)# mls rp vlan-id 23Related Commands
mls rp vtp-domain
To assign a multilayer switching (MLS) interface to a specific Virtual Trunking Protocol (VTP) domain on the MLS route processor (RP), use the mls rp vtp-domain command in interface configuration mode. To remove a VTP domain, use the no form of this command.
mls rp vtp-domain domain-name
no mls rp vtp-domain domain-name
Syntax Description
Command Default
The interface is assigned to the null domain.
Command Modes
Interface configuration
Command History
Usage Guidelines
The assigned IPX MLS interface must be either an Ethernet interface or a Fast Ethernet interface—both without subinterfaces.
Examples
The following example shows how to assign the MLS interface to the VTP domain named engineering:
Router(config-if)# mls rp vtp-domain engineeringRelated Commands
mls switching
To enable the hardware switching, use the mls switching command in global configuration mode. To disable hardware switching, use the no form of this command.
mls switching
no mls switching
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Examples
This example shows how to enable the hardware switching:
Router(config)# mls switchingRouter(config)#This example shows how to disable the hardware switching:
Router(config)# no mls switchingRouter(config)#Related Commands
mls switching unicast
Enables the hardware switching of the unicast traffic for an interface.
mls switching unicast
To enable the hardware switching of the unicast traffic for an interface, use the mls switching unicast command in interface configuration mode. To disable the hardware switching of the unicast traffic for an interface, use the no form of this command.
mls switching unicast
no mls switching unicast
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Interface configuration
Command History
12.2(14)SX
Support for this command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Examples
This example shows how to enable the hardware switching for an interface:
Router(config-if)# mls switching unicastRouter(config-if)#This example shows how to disable the hardware switching for an interface:
Router(config-if)# no mls switching unicastRouter(config-if)#Related Commands
mode dot1q-in-dot1q access-gateway
To enable a Gigabit Ethernet WAN interface to act as a gateway for 802.1Q in 802.1Q (Q-in-Q) VLAN translation, use the mode dot1q-in-dot1q access-gateway command. To disable the Q-in-Q VLAN translation on the interface, use the no form of this command.
mode dot1q-in-dot1q access-gateway
no mode dot1q-in-dot1q access-gateway
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
This command is supported on the Gigabit Ethernet (GE) WAN interfaces on Cisco 7600 series routers that are configured with an Optical Services Module (OSM)-2+4GE-WAN+ OSM module only.
OSMs are not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 32.
802.1Q provides a trunking option that tags packets with two VLAN tags to allow multiple VLANs to be trunked together across an intermediate network. This use of a double-tagged tunnel is also referred to as Q-in-Q tunneling.
The mode dot1q-in-dot1q access-gateway command enhances Q-in-Q tunneling by tagging packets with two VLAN tags to allow multiple VLANs to be trunked together across an intermediate network. This use of double-tagged tunnels performs the following functions:
•
•
•
In Cisco IOS Release 12.2(18)SXE and later releases, you can also combine multiple GE-WAN interfaces into a virtual port-channel interface to enable Q-in-Q link bundling. Combining the interfaces not only simplifies the configuration, but allows the GE-WAN OSM to load balance the provider edge (PE) VLANs among the physical interfaces that are members of the bundle. Also, if one interface member of the link bundle goes down, its PE VLANs are automatically reallocated to the other members of the bundle.
Note
After configuring the mode dot1q-in-dot1q access-gateway command, use the bridge-domain (subinterface configuration) command to configure the VLAN mapping to be used on each subinterface.
Caution
Note
Tip
Examples
This example shows a typical configuration for the mode dot1q-in-dot1q access-gateway command:
Router# configure terminalRouter(config)# interface GE-WAN 4/1Router(config-if)# mode dot1q-in-dot1q access-gatewayRouter(config-if)#This example shows the system message that appears when you try to configure the mode dot1q-in-dot1q access-gateway command without first removing the IP address configuration:
Router# configure terminalRouter(config)# interface GE-WAN 3/0Router(config-if)# mode dot1q-in-dot1q access-gateway% interface GE-WAN3/0 has IP address 192.168.100.101configured. Please remove the IP address before configuring'mode dot1q-in-dot1q access-gateway' on this interface.Router(config-if)# no ip address 192.168.100.101 255.255.255Router(config-if)# mode dot1q-in-dot1q access-gatewayRouter(config-if)#This example shows how to disable QinQ mapping on an interface by using the no form of the mode dot1q-in-dot1q access-gateway command. In addition, this command automatically removes all subinterfaces on the interface and all of the subinterface QinQ mappings (configured with the bridge-domain (subinterface configuration) command) and service policies.
Router# configure terminalRouter(config)# interface GE-WAN 3/0Router(config-if)# no mode dot1q-in-dot1q access-gatewayRouter(config-if)#This example shows a virtual port-channel interface that was created and assigned with two GE-WAN interfaces. The mode dot1q-in-dot1q access-gateway command is then enabled on the port-channel interface to allow it to act as a QinQ link bundle:
Router(config)# interface port-channel 20Router(config-if)# interface GE-WAN 3/0Router(config-if)# port-channel 20 mode onRouter(config-if)# interface GE-WAN 3/1Router(config-if)# port-channel 20 mode onRouter(config-if)# interface port-channel 20Router(config-if)# no ip addressRouter(config-if)# mode dot1q-in-dot1q access-gatewayRouter(config-if)#This example shows the error message that appears if you attempt to enable QinQ translation on a port-channel interface that contains one or more invalid interfaces:
Router# configure terminalRouter(config)# interface port-channel 307600-2(config-if)# mode dot1q-in-dot1q access-gateway% 'mode dot1q-in-dot1q access-gateway' is not supported on Port-channel30% Port-channel30 contains 2 Layer 2 Gigabit Ethernet interface(s)Router(config-if)#Related Commands
monitor session
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
To start a new Switched Port Analyzer (SPAN) session, add or delete interfaces from an existing SPAN session, or delete a SPAN session, use the monitor session command in global configuration mode. To remove one or more source interfaces or destination interfaces from the SPAN session, use the no form of this command.
Source Interface
monitor session session source interface type/slot/port [, | - | rx | tx | both]
no monitor session session source interface type/slot/port [, | - | rx | tx | both]
Destination Interface
monitor session session destination interface type/slot/port [, | -]
no monitor session session destination interface type/slot/port [, | -]
Session
monitor session session
no monitor session session
Cisco 6500/6000 Catalyst Switches and Cisco 7600 Series Routers
To start a new ERSPAN, SPAN, or RSPAN session, add or delete interfaces or VLANs to or from an existing session, filter ERSPAN, SPAN, or RSPAN traffic to specific VLANs, or delete a session, use the monitor session command in global configuration mode. To remove one or more source or destination interfaces from the session, remove a source VLAN from the session, or delete a session, use the no form of this command.
Setting the Source Interface or VLAN
monitor session session source {interface type | vlan vlan-id [rx | tx | both] | remote vlan rspan-vlan-id}
no monitor session session source {interface type | vlan vlan-id [rx | tx | both] | remote vlan rspan-vlan-id}
Setting the Destination Interface or VLAN
monitor session session destination {interface type | vlan vlan-id | remote vlan vlan-id | analysis-module slot-number | {data-port port-number}
no monitor session session destination {interface type | vlan vlan-id | remote vlan vlan-id | analysis-module slot-number | data-port port-number}
Setting the Filter VLAN
monitor session session-number filter vlan vlan-range
no monitor session session-number filter vlan vlan-range
Setting the Session Type
monitor session session-number type {erspan-source | erspan-destination}
no monitor session {range session-range | local | remote | all | session}
Enabling a Service Module
monitor session servicemodule mod-list
no monitor session servicemodule mod-list
Syntax Description
Command Default
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
A trunking interface monitors all VLANs and all received and transmitted traffic.
Cisco 6500/6000 Catalyst Switches and 7600 Series Routers
The defaults are as follows:
•
•
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
The port-channel number supports six EtherChannels and eight ports in each channel.
Only one SPAN destination for a SPAN session is supported. If you attempt to add another destination interface to a session that already has a destination interface configured, you will get an error. You must first remove a SPAN destination interface before changing the SPAN destination to a different interface.
Ciso 6500/6000 Catalyst Switches
The number of valid values for port-channel number depends on the software release. For Cisco IOS releases prior to software Release 12.1(3a)E3, valid values are from 1 to 256; for Cisco IOS Release 12.1(3a)E3, 12.1(3a)E4, and 12.1(4)E1, valid values are from 1 to 64. Cisco IOS Release 12.1(5c)EX and later support a maximum of 64 values ranging from 1 to 256.
Only one destination per SPAN session is supported. If you attempt to add another destination interface to a session that already has a destination interface configured, you get an error. You must first remove a SPAN destination interface before changing the SPAN destination to a different interface.
You can configure up to 64 SPAN destination interfaces, but you can have one egress SPAN source interface and up to 64 ingress source interfaces only.
A SPAN session can either monitor VLANs or monitor individual interfaces, but it cannot monitor both specific interfaces and specific VLANs. Configuring a SPAN session with a source interface and then trying to add a source VLAN to the same SPAN session causes an error. Configuring a SPAN session with a source VLAN and then trying to add a source interface to that session also causes an error. You must first clear any sources for a SPAN session before switching to another type of source.
If you enter the filter keyword on a monitored trunk interface, only traffic on the set of specified VLANs is monitored.
Port channel interfaces display in the list of interface options if you have them configured. VLAN interfaces are not supported. However, you can span a particular VLAN by entering the monitor session session source vlan vlan-id command.
The following servicemodule mod-list values are valid for the Cisco 6500/6000 Catalyst switches:
•
•
•
Cisco 7600 Series Routers
Use these formatting guidelines when configuring monitor sessions:
•
•
single-interface , single-interface , single-interface
•
type slot/first-port , last-port
•
single-interface, - interface-range , ... in any order.
•
•
single-vlan , single-vlan , single-vlan ...
•
first-vlan-ID - last-vlan-ID
•
single-vlan , vlan-range , ... in any order
•
–
The analysis-module slot-number and the data-port port-number keywords and arguments are supported only on NAM.
The number of valid values for port-channel number are a maximum of 64 values ranging from 1 to 256.
You cannot share the destination interfaces among SPAN sessions. For example, a single destination interface can belong to one SPAN session only and cannot be configured as a destination interface in another SPAN session.
Note
The Supervisor Engine 720 local SPAN, RSPAN, and ERSPAN session limits are as follows:
66
2 (ingress or egress or both)
64
23
The Supervisor Engine 720 local SPAN, RSPAN, and ERSPAN source and destination limits are as follows:
Note
•
The Supervisor Engine 2 local SPAN and RSPAN session limits are as follows:
66
2 (ingress or egress or both)
0
64
1 ingress
1 (ingress or egress or both)
64
1 or 2 egress
0
64
The Supervisor Engine 2 local SPAN and RSPAN source and destination limits are as follows:
Note
Note
A particular SPAN session can either monitor the VLANs or monitor individual interfaces—you cannot have a SPAN session that monitors both specific interfaces and specific VLANs. If you first configure a SPAN session with a source interface, and then try to add a source VLAN to the same SPAN session, you get an error. You also get an error if you configure a SPAN session with a source VLAN and then try to add a source interface to that session. You must first clear any sources for a SPAN session before switching to another type of source.
If you enter the filter keyword on a monitored trunk interface, only traffic on the set of specified VLANs is monitored.
The port-channel interfaces display in the list of interface options if you have them configured. The VLAN interfaces are not supported. However, you can span a particular VLAN by entering the monitor session session source vlan vlan-id command.
The show monitor command displays the SPAN service module session only if it is allocated in the system. It also displays a list of allowed modules and a list of active modules that can use the service module session.
Only the no form of the monitor session servicemodule command is displayed when you enter the show running-config command.
If no module is allowed to use the service module session, the service module session is automatically deallocated. If at least one module is allowed to use the service module session and at least one module is online, the service module session is automatically allocated.
If you allow or disallow a list of modules that are not service modules from using the service module session, there will be no effect on the allocation or deallocation of the service module session. Only the list of modules is saved in the configuration.
If you disable the SPAN service module session with the no monitor session sericemodule command, allowing or disallowing a list of modules from using the service module session has no effect on the allocation or deallocation of the service module session. Only the list of modules is saved in the configuration.
The monitor session sericemodule command is accepted even if there are no modules physically inserted in any slot.
Examples
Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Routers
The following example shows how to add a destination VLAN to an existing SPAN session:
Router(config)# monitor session 1 destination interface fastEthernet 2/0Cisco 6500/600 Catalyst Switches
The following example shows how to add a destination VLAN to an existing SPAN session:
Router(config)# monitor session 1 destination vlan 100The following example shows how to delete a destination VLAN from an existing SPAN session:
Router(config)# no monitor session 1 destination vlan 100The following example shows how to limit SPAN traffic to specific VLANs:
Router(config)# monitor session 1 filter vlan 100 - 304Cisco 7600 Series Routers
This example shows how to configure multiple sources for a session:
Router(config)# monitor session 2 source interface fastethernet 5/15 , 7/3 rxRouter(config)# monitor session 2 source interface gigabitethernet 1/2 txRouter(config)# monitor session 2 source interface port-channel 102Router(config)# monitor session 2 source filter vlan 2 - 3Router(config)# monitor session 2 destination remote vlan 901This example shows how to configure an RSPAN destination in the final switch (RSPAN destination session):
Router(config)# monitor session 8 source remote vlan 901Router(config)# monitor session 8 destination interface fastethernet 1/2 , 2/3This example shows how to clear the configuration for sessions 1 and 2:
Router(config)# no monitor session 1 - 2Router(config)#This example shows how to clear the configuration for all sessions:
Router(config)# no monitor session allRouter(config)#This example shows how to clear the configuration for all remote sessions:
Router(config)# no monitor session remoteRouter(config)#This example shows how to allow a list of modules to use the SPAN service module session:
Router(config)# monitor session servicemodule module 1 - 2Router(config)#This example shows how to disallow a list of modules from using the SPAN service module session:
Router(config)# no monitor session servicemodule module 1 - 2Router(config)#Related Commands
mvrp global
To enable MVRP globally on a device and on a specified interface, use the mvrp global command in global configuration mode. To disable MRVP, use the no form of this command.
mvrp global
no mvrp
Syntax Description
This command has no arguments or keywords.
Command Default
MVRP is administratively disabled.
MRVP is administratively enabled on each interface.
Command Modes
Global configuration
Command History
Usage Guidelines
MVRP is operational on an interface only if MVRP is administratively enabled both globally at the device level and at the interface level.
When MVRP is operational on an interface MVRP PDUs are transmitted out the interface which must be a forwarding IEEE 802.1Q trunk. Other MVRP-related operations can then be effective on the interface.
Examples
The following example configures global mvrp on the device and interfaces:
Router(config)# mvrp global%MVRP is now globally enabled. MVRP is operational on 802.1q trunk ports only.Router(config)# interface fastethernet2/1Router(config-if)# no mvrpRouter(config)# interface fastehternet2/2Router(config-if)# mvrpRelated Commands
mvrp mac-learning
To enable automatic learning of dynamic MAC table entries, use the mvrp mac-learning auto command in global configuration mode. To disable automatic learning of dynamic MAC table entries, use the no form of this command.
mvrp mac-learning auto
no mvrp mac-learning auto
Syntax Description
Command Default
Automatic MAC learning is disabled.
Command Modes
Global configuration (Router(config)#)
Command History
Usage Guidelines
With this command you can allow or disallow MVRP to provision MAC learning on devices where MVRP is configured. Automatic MAC learning is disabled by default.
Examples
The following example enables automatic provisioning of MAC learning by MVRP:
Router(config)# mvrp mac-learning autoRelated Commands
mvrp registration
To set the registrars in a Multiple Registration Protocol (MRP) MRP Attribute Declaration (MAD) instance associated with an interface, use the mvrp registration command in global configuration mode. To disable the registrars, use the no form of this command.
mvrp registration {normal | fixed | forbidden}
no mvrp registration
Syntax Description
Command Default
Normal
Command Modes
Global configuration
Command History
Usage Guidelines
The mvrp registration command is only operational if MVRP is configured on an interface.
The no mvrp registration command sets the registrar state to the default.
This command can be used to set the Registrar in a MAD instance associated with an interface to one of the three states. This command is effective only if MVRP is operational on the interface.
Given that up to 4094 VLANs can be configured on a trunk port, there may be up to 4094 ASM and RSM pairs in a MAD instance associated with that interface. In other words, there can be up to 4094 Registrars. When this command is used, it sets the state of all the Registrars on the interface together.
Examples
The following example sets a fixed, forbidden and normal registrar on a MAD instance:
Router(config)# mvrp global%MVRP is now globally enabled. MVRP is operational on IEEE 802.1q trunk ports only.Router(config)# interface fastethernet2/1Router(config-if)# mvrp registration fixedRouter(config-if)# interface fastethernet2/2Router(config-if)# mvrp registration forbiddenRouter(config-if)# interface fastethernet2/3Router(config-if)# no mvrp registrationRelated Commands
mvrp timer
To set period timers that are used in MRP on a given interface, use the mvrp timer command in interface configuration mode. To remove the timer value, use the no form of this command.
mvrp timer {join | leave | leave-all | periodic} [timer-value]
no mvrp timer
Syntax Description
Command Default
Join timer-value: 20 centi-seconds
Leave timer-value: 60 centi-seconds
LeaveAll timer-value: 1000 centi-seconds
Command Modes
Interface configuration (Router(config-if)#)
Command History
Usage Guidelines
The no mvrp timer command resets the timer value to the default value.
Examples
The following example sets timer levels on an interface:
Router(config)# mvrp global%MVRP is now globally enabled. MVRP is operational on IEE 802.1q trunk ports.Router(config)# interface GigabitEthernet 6/1Router(config-if)# mvrp timer join 30Router(config-if)# mvrp timer leave 70Router(config-if)# mvrp timer leaveall 1500Related Commands
mvrp vlan creation
To enable dynamic VLAN creation on a device using Multiple VLAN Registration Protocol (MVRP), use the mvrp vlan creation command in global configuration mode. To dynamic VLAN creation for MVRP, use the no form of this command.
mvrp vlan creation
no mvrp vlan creation
Syntax Description
This command has no arguments or keywords.
Command Default
MVRP is disabled.
Command Modes
Global (Router(config) #)
Command History
Usage Guidelines
MVRP dynamic VLAN creation can be used only if Virtual Trunking Protocol (VTP) is in transparent mode.
Examples
The following example shows a command sequence enabling MVRP dynamic VLAN creation. Notice that the device recognizes that the VTP mode is incorrect and rejects the request for dynamic VLAN creation. Once the VTP mode is changed, MVRP dynamic VLAN creation is allowed.
Router(config)# mvrp vlan creation%Command Rejected: VTP is in non-transparent (server) mode.Router(config)# vtp mode transparentSetting device to VTP TRANSPARENT mode.Router(config)# mvrp vlan creation%VLAN now may be dynamically created via MVRP/Related Commands
mvrp global
Enables MVRP globally on a device.
vtp mode
Sets the mode for VTP mode on the device.
name (MST configuration submode)
To set the name of a Multiple Spanning Tree (MST) region, use the name command in MST configuration submode. To return to the default name, use the no form of this command.
name name
no name name
Syntax Description
Defaults
Empty string
Command Modes
MST configuration submode
Command History
Usage Guidelines
Two or more Cisco 7600 series routers with the same VLAN mapping and configuration version number are considered to be in different MST regions if the region names are different.
Caution
Examples
This example shows how to name a region:
Router(config-mst)# name CiscoRouter(config-mst)#Related Commands
pagp learn-method
To learn the input interface of the incoming packets, use the pagp learn-method command in interface configuration mode. To return to the default settings, use the no form of this command.
pagp learn-method {aggregation-port | physical-port}
no pagp learn-method
Syntax Description
aggregation-port
Specifies how to learn the address on the port channel.
physical-port
Specifies how to learn the address on the physical port within the bundle.
Defaults
If you do not specify a keyword for the command, the default is aggregation-port.
Command Modes
Interface configuration
Command History
Examples
This example shows how to set the learning method to learn the address on the physical port within the bundle:
Router(config-if)# pagp learn-method physical-portRouter(config-if)#This example shows how to set the learning method to learn the address on the port channel within the bundle:
Router(config-if)# pagp learn-method aggregation-portRouter(config-if)#Related Commands
pagp port-priority
To select a port in hot standby mode, use the pagp port-priority command in interface configuration mode. To return to the default settings, use the no form of this command.
pagp port-priority priority
no pagp port-priority
Syntax Description
Defaults
priority is 128.
Command Modes
Interface configuration
Command History
Usage Guidelines
The higher the priority means the better the chances are that the port will be selected in the hot standby mode.
Examples
This example shows how to set the port priority:
Router(config-if)# pagp port-priority 45Router(config-if)#Related Commands
pagp learn-method
Learns the input interface of the incoming packets.
show pagp
Displays port-channel information.
port-channel load-defer
To configure the port load share deferral interval for all port channels, use the port-channel load-defer command in global configuration mode. To reset the port defer interval to the default setting, use the no form of this command.
port-channel load-defer seconds
no port-channel load-defer
Syntax Description
seconds
Sets the time interval in seconds by which load sharing will be deferred on the switch. Valid range is from 1 to 1800 seconds. The default deferal interval is 120 seconds
Defaults
The port defer interval is 120 seconds.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
To reduce data loss following a stateful switchover (SSO), port load share deferral can be enabled by entering the port-channel port load-defer command on a port channel of a switch that is connected by a multichassis EtherChannel (MEC) to a virtual switching system (VSS). Port load share deferral temporarily prevents the switch from forwarding data traffic to MEC member ports on a failed chassis of the VSS while the VSS recovers from the SSO.
The load share deferral interval is determined by a single global timer configurable by the port-channel load-defer command. After an SSO switchover, a period of several seconds to several minutes can be required for the reinitialization of line cards and the reestablishment of forwarding tables, particularly multicast topologies.
The valid range of seconds is 1 to 1800 seconds; the default is 120 seconds.
Examples
This example shows how to set the global port deferral interval to 60 seconds:
Router(config)# port-channel load-defer 60Router(config)#This example shows how to verify the configuration of the port deferral interval on a port channel:
Router# show etherchannel 50 port-channelPort-channels in the group:----------------------Port-channel: Po50 (Primary Aggregator)------------Age of the Port-channel = 0d:00h:22m:20sLogical slot/port = 46/5 Number of ports = 3HotStandBy port = nullPort state = Port-channel Ag-InuseProtocol = LACPFast-switchover = disabledLoad share deferral = enabled defer period = 60 sec time left = 57 secRouter#Related Commands
port-channel port load-defer
To enable the temporary deferral of port load sharing during the connection or reconnection of a port channel, use the port-channel port load-defer command in interface configuration mode. To disable the deferral of port load sharing on a port channel, use the no form of this command.
port-channel port load-defer
no port-channel port load-defer
Syntax Description
This command has no keywords or arguments.
Defaults
The port load share deferral feature is not enabled on a port channel.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
To reduce data loss following a stateful switchover (SSO), a port load share deferral can be enabled on a port channel of a switch that is connected by a multichassis EtherChannel (MEC) to a virtual switching system (VSS). The load share deferral interval prevents the switch from forwarding data traffic to MEC member ports on a failed chassis of the VSS while the VSS recovers from the SSO.
When load share deferral is enabled on a port channel, the assignment of a member port's load share is delayed for a period that is configurable globally by the port-channel load-defer command. During the deferral period, the load share of a deferred member port is set to 0. In this state, the deferred port is capable of receiving data and control traffic, and of sending control traffic, but the port is prevented from sending data traffic over the MEC to the VSS. Upon expiration of the global deferral timer, the deferred member port exits the deferral state and the port assumes its normal configured load share.
Load share deferral is applied only if at least one other member port of the port channel is currently active with a nonzero load share. If a port enabled for load share deferral is the first member bringing up the EtherChannel, the deferral feature does not apply and the port will forward traffic immediately.
The load share deferral interval is determined by a single global timer configurable from 1 to 1800 seconds by the port-channel load-defer command. The default interval is 120 seconds. After an SSO switchover, a period of several seconds to several minutes can be required for the reinitialization of line cards and the reestablishment of forwarding tables, particularly multicast topologies.
Examples
This example shows how to enable the load share deferral feature on port channel 50 of a switch that is an MEC peer to a VSS:
Router(config)# interface port-channel 50Router(config-if)# port-channel port load-deferThis will enable the load share deferral feature on this port-channel.The port-channel should connect to a Virtual Switch (VSS).Do you wish to proceed? [yes/no]: yesRouter(config-if)#This example shows how to verify the state of the port deferral feature on a port channel:
Router# show etherchannel 50 port-channelPort-channels in the group:----------------------Port-channel: Po50 (Primary Aggregator)------------Age of the Port-channel = 0d:00h:22m:20sLogical slot/port = 46/5 Number of ports = 3HotStandBy port = nullPort state = Port-channel Ag-InuseProtocol = LACPFast-switchover = disabledLoad share deferral = enabled defer period = 120 sec time left = 57 secRouter#Related Commands
private-vlan
To configure private VLANs (PVLANs) and the association between a PVLAN and a secondary VLAN, use the private-vlan command in config-vlan submode. To return to the default settings, use the no form of this command.
private-vlan {isolated | community | primary}
private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
no private-vlan {isolated | community | primary}
no private-vlan association
Syntax Description
Defaults
No PVLANs are configured.
Command Modes
config-vlan submode
Command History
Usage Guidelines
You cannot configure PVLANs on a port-security port.
If you enter a pvlan command on a port-security port, this error message is displayed:
Command rejected: Gix/y is Port Security enabled port.Within groups of 12 ports (1-12, 13-24, 25-36, and 37-48), do not configure the ports as isolated or as community VLAN ports when one of the ports is a trunk, a Switch Port Analyzer (SPAN) destination, or a promiscuous private VLAN port. If one port is a trunk, a SPAN destination, or a promiscuous private VLAN port, any isolated or community VLAN configuration for the other ports within the 12 ports is inactive. To reactivate the ports, remove the isolated or community VLAN-port configuration and enter the shutdown and no shutdown commands.
Caution
Note
You cannot configure VLAN 1 or VLANs 1001 to 1005 as PVLANs.
VLAN Trunking Protocol (VTP) does not support PVLANs. You must configure PVLANs on each device where you want PVLAN ports.
The secondary-vlan-list argument cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single PVLAN ID or a hyphenated range of PVLAN IDs. The secondary-vlan-list argument can contain multiple community VLAN IDs.
The secondary-vlan-list argument can contain only one isolated VLAN ID. A PVLAN is a set of private ports that are characterized by using a common set of VLAN number pairs. Each pair is made up of at least two special unidirectional VLANs and is used by isolated ports and/or by a community of ports to communicate with routers.
An isolated VLAN is a VLAN that is used by isolated ports to communicate with promiscuous ports. An isolated VLAN's traffic is blocked on all other private ports in the same VLAN. Its traffic can only be received by standard trunking ports and promiscuous ports that are assigned to the corresponding primary VLAN.
A promiscuous port is defined as a private port that is assigned to a primary VLAN.
A primary VLAN is defined as the VLAN that is used to convey the traffic from the routers to customer end stations on private ports.
A community VLAN is defined as the VLAN that carries the traffic among community ports and from community ports to the promiscuous ports on the corresponding primary VLAN.
You can specify only one isolated vlan-id, while multiple community VLANs are allowed. Isolated and community VLANs can only be associated with one VLAN. The associated VLAN list may not contain primary VLANs. Similarly, you cannot configure a VLAN that is already associated to a primary VLAN as a primary VLAN.
The private-vlan commands do not take effect until you exit the config-VLAN submode.
If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive.
Refer to the Cisco 7600 Series Router Cisco IOS Software Configuration Guide for additional configuration guidelines.
Examples
This example shows how to create a PVLAN relationship between the primary VLAN 14, the isolated VLAN 19, and the community VLANs 20 and 21:
Router(config) # vlan 19Router(config-vlan) # private-vlan isolatedRouter(config) # vlan 20Router(config-vlan) # private-vlan communityRouter(config-vlan) # private-vlan communityRouter(config) # vlan 14Router(config-vlan) # private-vlan primaryRouter(config-vlan) # private-vlan association 19-21This example shows how to remove an isolated VLAN and community VLAN 20 from the PVLAN association:
Router(config) # vlan 14Router(config-vlan) # private-vlan association remove 18,20Router(config-vlan) #This example shows how to remove a PVLAN relationship and delete the primary VLAN. The associated secondary VLANs are not deleted.
Router(config-vlan) # no private-vlan 14Router(config-vlan) #Related Commands
show vlan
Displays VLAN information.
show vlan private-vlan
Displays PVLAN information.
private-vlan mapping
To create a mapping between the primary and the secondary VLANs so that both VLANs share the same primary VLAN switched virtual interface (SVI), use the private-vlan mapping command in interface configuration mode. To remove all private VLAN (PVLAN) mappings from the SVI, use the no form of this command.
private-vlan mapping [secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list]
no private-vlan mapping
Syntax Description
Defaults
No PVLAN SVI mapping is configured.
Command Modes
Interface configuration
Command History
Usage Guidelines
The private-vlan mapping command affects traffic that is switched in the software on the Multilayer Switching Feature Card (MSFC) or MSFC2. The private-vlan mapping command does not configure Layer 3 switching on the Policy Feature Card (PFC) or PFC2.
The secondary-vlan-list argument cannot contain spaces; it can contain multiple comma-separated items. Each item can be a single PVLAN ID or a hyphenated range of PVLAN IDs.
This command is valid in the interface configuration mode of the primary VLAN.
The SVI of the primary VLAN is created at Layer 3.
Traffic that is received on the secondary VLAN is routed by the SVI of the primary VLAN.
The SVIs of existing secondary VLANs do not function and are considered as down after you enter this command.
A secondary SVI can only be mapped to one primary SVI. If you configure the primary VLAN as a secondary VLAN, all the SVIs that are specified in this command are brought down.
If you configure a mapping between two VLANs that do not have a valid Layer 2 association, the mapping configuration does not take effect.
Examples
This example shows how to permit routing of secondary VLAN-ingress traffic from PVLANs 303 through 307, 309, and 440 and verify the configuration:
Router# configure terminalRouter(config)# interface vlan 202Router(config-if)# private-vlan mapping add 303-307,309,440Router(config-if)# endRouter# show interfaces private-vlan mappingInterface Secondary VLAN Type--------- -------------- -----------------vlan202 303 communityvlan202 304 communityvlan202 305 communityvlan202 306 communityvlan202 307 communityvlan202 309 communityvlan202 440 isolatedRouter#This example shows the displayed error message if the VLAN that you are adding is already mapped to the SVI of VLAN 19. You must delete the mapping from the SVI of VLAN 19 first.
Router(config)# interface vlan 19Router(config-if)# private-vlan mapping 19 add 21Command rejected: The interface for VLAN 21 is already mapped as s secondary.Router(config-if)#This example shows how to remove all PVLAN mappings from the SVI of VLAN 19:
Router(config)# interface vlan 19Router(config-if)# no private-vlan mappingRouter(config-if)#
Related Commands
private-vlan synchronize
To map the secondary VLANs to the same instance as the primary VLAN, use the private-vlan synchronize command in MST configuration submode.
private-vlan synchronize
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
MST configuration submode
Command History
Usage Guidelines
If you do not map VLANs to the same instance as the associated primary VLAN when you exit the Multiple Spanning Tree (802.1s) (MST) configuration submode, a warning message displays and lists the secondary VLANs that are not mapped to the same instance as the associated primary VLAN. The private-vlan synchronize command automatically maps all secondary VLANs to the same instance as the associated primary VLANs.
Examples
This example assumes that a primary VLAN 2 and a secondary VLAN 3 are associated to VLAN 2, and that all VLANs are mapped to the Common and Internal Spanning Tree (CIST) instance 1. This example also shows the output if you try to change the mapping for the primary VLAN 2 only:
Router(config)# spanning-tree mst configurationRouter(config-mst)# instance 1 vlan 2Router(config-mst)# exitThese secondary vlans are not mapped to the same instance as their primary:-> 3This example shows how to initialize private VLAN (PVLAN) synchronization:
Router(config-mst)# private-vlan synchronizeRouter(config-mst)#Related Commands
show
Verifies the MST configuration.
show spanning-tree mst
Displays information about the MST protocol.
rep admin vlan
Use the rep admin vlan global configuration command to configure a Resilient Ethernet Protocol (REP) administrative VLAN for REP to transmit hardware flood layer (HFL) messages. Use the no form of this command to return to the default configuration with VLAN 1 as the administrative VLAN.
rep admin vlan vlan-id
no rep admin vlan
Syntax Description
vlan-id
The VLAN ID range is from 1 to 4094. The default is VLAN 1; the range to configure is 2 to 4094.
Defaults
The administrative VLAN is VLAN 1.
Command Modes
Global configuration
Command History
Usage Guidelines
If the VLAN does not already exist, this command does not create the VLAN.
To avoid the delay introduced by relaying messages in software for link-failure or VLAN-blocking notification during load balancing, REP floods packets at the hardware flood layer (HFL) to a regular multicast address. These messages are flooded to the whole network, not just the REP segment. Switches that do not belong to the segment treat them as data traffic. Configuring an administrative VLAN for the whole domain can control flooding of these messages.
If no REP administrative VLAN is configured, the default is VLAN 1.
There can be only one administrative VLAN on a switch and on a segment.
The administrative VLAN cannot be the RSPAN VLAN.
Examples
This example shows how to configure VLAN 100 as the REP administrative VLAN:
Switch (config)# rep admin vlan 100You can verify your settings by entering the show interface rep detail privileged EXEC command.
Related Commands
show interfaces rep detail
Displays detailed REP configuration and status for all interfaces or the specified interface, including the administrative VLAN.
rep block port
Use the rep block port interface configuration command on the REP primary edge port to configure Resilient Ethernet Protocol (REP) VLAN load balancing. Use the no form of this command to return to the default configuration.
rep block port {id port-id | neighbor_offset | preferred} vlan {vlan-list | all}
no rep block port {id port-id | neighbor_offset | preferred}
Syntax Description
Defaults
The default behavior after you enter the rep preempt segment privileged EXEC command (for manual preemption) is to block all VLANs at the primary edge port. This behavior remains until you configure the rep block port command.
If the primary edge port cannot determine which port is to be the alternate port, the default action is no preemption and no VLAN load balancing.
Command Modes
Interface configuration
Command History
Usage Guidelines
You must enter this command on the REP primary edge port.
When you select an alternate port by entering an offset number, this number identifies the downstream neighbor port of an edge port. The primary edge port has an offset number of 1; positive numbers above 1 identify downstream neighbors of the primary edge port. Negative numbers identify the secondary edge port (offset number -1) and its downstream neighbors. See Neighbor Offset Numbers in a REP SegmentFigure 0-1.
Figure 0-1 Neighbor Offset Numbers in a REP Segment
Note
If you have configured a preempt delay time by entering the rep preempt delay seconds interface configuration command and a link failure and recovery occurs, VLAN load balancing begins after the configured preemption time period elapses without another link failure. The alternate port specified in the load-balancing configuration blocks the configured VLANs and unblocks all other segment ports. If the primary edge port cannot determine the alternate port for VLAN balancing, the default action is no preemption.
Each port in a segment has a unique port ID. The port ID format is similar to the one used by the spanning tree algorithm: a port number (unique on the bridge) associated to a MAC address (unique in the network). To determine the port ID of a port, enter the show interface interface-id rep detail privileged EXEC command.
Examples
This example shows how to configure REP VLAN load balancing on the Switch B primary edge port (Gigabit Ethernet port 1/0/1) and to configure Gigabit Ethernet port 1/0/2 of Switch A as the alternate port to block VLANs 1 to 100. The alternate port is identified by its port ID, shown in bold in the output of the show interface rep detail command for the Switch A port.
Switch A# show interface gigabitethernet0/2 rep detailGigabitEthernet0/2 REP enabledSegment-id: 2 (Segment)PortID: 0080001647FB1780Preferred flag: NoOperational Link Status: TWO_WAYCurrent Key: 007F001647FB17800EEEPort Role: OpenBlocked Vlan: <empty>Admin-vlan: 1Preempt Delay Timer: 35 secLoad-balancing block port: noneLoad-balancing block vlan: noneSTCN Propagate to:PDU/TLV statistics:LSL PDU rx: 107122, tx: 192493Switch B# config tSwitch (config)# interface gigabitethernet1/0/1Switch (config-if)# rep block port id 0080001647FB1780 vlan 1-100Switch (config-if)# exitThis example shows how to configure VLAN load balancing by using a neighbor offset number and how to verify the configuration by entering the show interfaces rep detail privileged EXEC command:
Switch# config tSwitch (config)# interface gigabitethernet1/0/2Switch (config-if)# rep block port 6 vlan 1-110Switch (config-if)# endSwitch# show interface gigabitethernet1/0/2 rep detailGigabitEthernet0/2 REP enabledSegment-id: 2 (Segment)PortID: 0080001647FB1780Preferred flag: NoOperational Link Status: TWO_WAYCurrent Key: 007F001647FB178009C3Port Role: OpenBlocked Vlan: <empty>Admin-vlan: 3Preempt Delay Timer: 35 secLoad-balancing block port: 6Load-balancing block vlan: 1-110STCN Propagate to: noneLSL PDU rx: 1466780, tx: 3056637HFL PDU rx: 2, tx: 0BPA TLV rx: 1, tx: 2119695BPA (STCN, LSL) TLV rx: 0, tx: 0BPA (STCN, HFL) TLV rx: 0, tx: 0EPA-ELECTION TLV rx: 757406, tx: 757400EPA-COMMAND TLV rx: 1, tx: 1EPA-INFO TLV rx: 178326, tx: 178323Related Commands
rep preempt delay
Use the rep preempt delay interface configuration command on the REP primary edge port to configure a waiting period after a segment port failure and recovery before Resilient Ethernet Protocol (REP) VLAN load balancing is triggered. Use the no form of this command to remove the configured delay.
rep preempt delay seconds
no rep preempt delay
Syntax Description
Defaults
No preemption delay is set. If you do not enter the rep preempt delay command, the default is manual preemption with no delay.
Command Modes
Interface configuration
Command History
Usage Guidelines
You must enter this command on the REP primary edge port.
You must enter this command and configure a preempt time delay if you want VLAN load balancing to automatically trigger after a link failure and recovery.
If VLAN load balancing is configured, after a segment port failure and recovery, the REP primary edge port starts a delay timer before VLAN load balancing occurs. Note that the timer restarts after each link failure. When the timer expires, the REP primary edge alerts the alternate port to perform VLAN load balancing (configured by using the rep block port interface configuration command) and prepares the segment for the new topology. The configured VLAN list is blocked at the alternate port, and all other VLANs are blocked at the primary edge port.
Examples
This example shows how to configure REP preemption time delay of 100 seconds on the primary edge port:
Switch (config)# interface gigabitethernet1/0/1Switch (config-if)# rep preempt delay 100Switch (config-if)# exitYou can verify your settings by entering the show interfaces rep privileged EXEC command.
Related Commands
Configures VLAN load balancing.
show interfaces rep [detail]
Displays REP configuration and status for all interfaces or the specified interface.
rep preempt segment
Use the rep preempt segment privileged EXEC command to manually start Resilient Ethernet Protocol (REP) VLAN load balancing on a segment.
rep preempt segment segment_id
Syntax Description
Defaults
Manual preemption is the default behavior.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When you enter the rep preempt segment segment-id command, a confirmation message appears before the command is executed because preemption can cause network disruption.
Enter this command on the switch on the segment that has the primary edge port.
If you do not configure VLAN load balancing, entering this command results in the default behavior—the primary edge port blocks all VLANs.
You configure VLAN load balancing by entering the rep block port {id port-id | neighbor_offset | preferred} vlan {vlan-list | all} interface configuration command on the REP primary edge port before you manually start preemption.
There is not a no version of this command.
Examples
This example shows how to manually trigger REP preemption on segment 100 with the confirmation message:
Switch)# rep preempt segment 100The command will cause a momentary traffic disruption.Do you still want to continue? [confirm]Related Commands
Configures VLAN load balancing.
show interfaces rep [detail]
Displays REP configuration and status for all interfaces or the specified interface.
rep segment
Use the rep segment interface configuration command to enable Resilient Ethernet Protocol (REP) on the interface and to assign a segment ID to it. Use the no form of this command to disable REP on the interface.
rep segment segment-id [edge [primary]] [preferred]
no rep segment
Syntax Description
Defaults
REP is disabled on the interface.
When REP is enabled on an interface, the default is for the port to be a regular segment port.
Command Modes
Interface configuration
Command History
