-
Catalyst 3550 Multilayer Switch Command Reference, Rel. 12.2(25)SEE
-
Catalyst 3550 Switch Command Reference (full book in PDF format)
-
Index
-
Preface
-
Using the Command-Line Interface
-
Cisco IOS Commands - aaa through rmon collection stats
-
Cisco IOS Commands - sdm prefer through system mtu
-
Cisco IOS Commands - traceroute mac through wrr-queue threshold
-
Catalyst 3550 Switch Boot Loader Commands
-
Catalyst 3550 Switch Debug Commands
-
Table Of Contents
Catalyst 3550 Switch Cisco IOS Commands
access-list hardware program nonblocking
clear ip arp inspection statistics
clear l2protocol-tunnel counters
clear spanning-tree detected-protocols
deny (ARP access-list configuration)
dot1x critical (global configuration)
dot1x critical (interface configuration)
ip arp inspection vlan logging
ip dhcp snooping information option
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option format remote-id
ip dhcp snooping information option format snmp-ifindex
ip dhcp snooping vlan information option format-type circuit-id string
ip igmp snooping last-member-query-interval
ip igmp snooping report-suppression
ip igmp snooping source-only-learning age-timer
ip igmp snooping vlan immediate-leave
ip vrf (interface configuration)
mac address-table notification
match (access-map configuration)
match (class-map configuration)
permit (ARP access-list configuration)
Catalyst 3550 Switch Cisco IOS Commands
aaa accounting dot1x
Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+} [group {name | radius | tacacs+} ... ] | group {name | radius | tacacs+} [group {name | radius | tacacs+} ...]}
no aaa accounting dot1x {name | default}
Syntax Description
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command requires access to a RADIUS server.
Note
We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.
Examples
This example shows how to configure IEEE 802.1x accounting:
Switch(config)# aaa accounting dot1x default start-stop group radiusSwitch(config)#
Note
Related Commands
Specifies one or more AAA methods for use on interfaces running IEEE 802.1x authentication.
Enables or disables periodic reauthentication.
dot1x timeout reauth-period
Sets the number of seconds between re-authentication attempts.
aaa authentication dot1x
Use the aaa authentication dot1x global configuration command to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with IEEE 802.1x authentication. Use the no form of this command to disable authentication.
aaa authentication dot1x {default} method1
no aaa authentication dot1x {default}
Syntax Description
Note
Defaults
No authentication is performed.
Command Modes
Global configuration
Command History
Usage Guidelines
The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
Examples
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
Switch(config)# aaa new-modelSwitch(config)# aaa authentication dot1x default group radiusYou can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
aaa authorization network
Use the aaa authorization network global configuration command to the configure the switch to use user-RADIUS authorization for all network-related service requests, such as IEEE 802.1x per-user access control lists (ACLs) or VLAN assignment. Use the no form of this command to disable the switch for RADIUS user authorization.
aaa authorization network default group radius
no aaa authorization network default
Syntax Description
default group radius
Use the list of all RADIUS hosts in the server group as the default authorization list.
Defaults
Authorization is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa authorization network default group radius global configuration command to allow the switch to download IEEE 802.1x authorization parameters from the RADIUS servers in the default authorization list. The authorization parameters are used by features such as per-user ACLs or VLAN assignment to get parameters from the RADIUS servers.
Use the show running-config privileged EXEC command to display the configured lists of authorization methods.
Examples
This example shows how to configure the switch for user RADIUS authorization for all network-related service requests:
Switch(config)# aaa authorization network default group radiusYou can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
access-list hardware program nonblocking
Use the access-list hardware program nonblocking global configuration command to cause the system to continue to forward frames even while a new security access-control list (ACL) configuration is being programmed into the hardware. Use the no form of this command to return to the default behavior, where traffic is blocked on affected interfaces when changes are made to the security ACL configuration while the hardware is updated with the new configuration.
access-list hardware program nonblocking
no access-list hardware program nonblocking
Syntax Description
This command has no arguments or keywords.
Defaults
Traffic is blocked on affected interfaces while a new ACL configuration is loaded into hardware.
Command Modes
Global configuration
Command History
Usage Guidelines
By default, when changes are made to the configuration of security ACLs, the system completely blocks traffic on the affected ports or VLANs while it is updating the hardware to the new configuration. This includes any changes that affect the ternary content addressable memory (TCAM), including applying an ACL to an interface or making changes to VLAN maps or ACLs that are used for security features. This prevents the possibility of forwarding frames that should have been dropped because a partially loaded configuration permitted a frame that the complete configuration would have blocked.
You can use the access-list hardware program nonblocking command to set the system to continue to forward frames while a new security ACL configuration is being programmed into the hardware. Enabling this setting might cause less disruption to traffic that should be allowed while the hardware is being updated, but might also temporarily allow some traffic that would be denied when the new configuration is completely loaded.
Examples
This example shows how to set the system to continue forwarding frames while a new security ACL configuration is being programmed into hardware:
Switch (config)# access-list hardware program nonblockingYou can verify your setting by entering the show running-config | include access-list hardware privileged EXEC command.
Related Commands
access-list {deny | permit}
Configures a standard numbered ACL. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
action (access map configuration)
Defines or modifies the action for the VLAN access map entry.
ip access-group
Applies an IP access list to a Layer 2 or Layer 3 interface.
ip access-list
Configures a named access list. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
Applies a MAC access list to a Layer 2 interface.
Defines the match conditions for a VLAN map.
show running-config | include access-list hardware
Displays the current operating configuration. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.
Creates a VLAN access map or enters access-map configuration mode.
Applies a VLAN map to one or more VLANs.
action
Use the action access map configuration command to set the action for the VLAN access map entry. Use the no form of this command to return to the default setting.
action {drop | forward}
no action
Syntax Description
drop
Drop the packet when the specified conditions are matched.
forward
Forward the packet when the specified conditions are matched.
Defaults
The default action is to forward packets.
Command Modes
Access-map configuration
Command History
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access map configuration mode, use the match access map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
Examples
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:
Switch(config)# vlan access-map vmap4Switch(config-access-map)# match ip address al2Switch(config-access-map)# action forwardSwitch(config-access-map)# exitSwitch(config)# vlan filter vmap4 vlan-list 5-6You can verify your settings by entering the show vlan access-map privileged EXEC command.
Related Commands
archive download-sw
Use the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch and overwrite or keep the existing image.
archive download-sw {/force-reload | /imageonly | /leave-old-sw | /no-set-boot | /overwrite | /reload | /safe} source-url
Syntax Description
Defaults
The current software image is not overwritten with the downloaded image.
Both the software image and HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Command Modes
Privileged EXEC
Command History
12.1(4)EA1
This command was introduced.
12.2(25)SE
The http and https keywords were added.
Usage Guidelines
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If the flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash space.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the "delete" section.
If you leave the existing software in place before downloading the new image, an error results if the existing software will prevent the new image from fitting onto flash memory.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
Examples
This example shows how to download a new image from a TFTP server at 172.20.129.10 and overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://172.20.129.10/test-image.tarThis example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
Switch# archive download-sw /image-only tftp://172.20.129.10/test-image.tarThis example shows how to keep the old software version after a successful download:
Switch# archive download-sw /leave-old-sw tftp://172.20.129.10/test-image.tarRelated Commands
archive tar
Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.
archive tar {/create destination-url flash:/file-url} | {/table source-url} | {/xtract source-url flash:/file-url [dir/file...]}
Syntax Description
Defaults
None
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
Image names are case sensitive.
Examples
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configsThis example shows how to display the contents of the c3550-ipservices-tar.122-25.tar file that is in flash memory. The contents of the tar file appear on the screen:
Switch# archive tar /table flash:c3550-ipservices-tar.122-25.tarinfo (219 bytes)c3550-ipservices-mz.122-25.SEB/ (directory)c3550-ipservices-mz.122-25/html/ (directory)c3550-ipservices-mz.122-25/c3550-mz.122-25.SEB.bin (6074880 bytes)c3550-ipservices-mz.122-25/info (219 bytes)info.ver (219 bytes)This example shows how to display only the c3550-ipservices-mz.122-25.SEB/html directory and its contents:
Switch# archive tar /table flash:c3550-ipservices-tar.122-25.SEB.tar c3550-ipservices-mz.122-25.SEB/htmlc3550-ipservices-mz.122-25.SEB/html/ (directory)c3550-ipservices-mz.122-25SEB/html/const.htm (556 bytes)c3550-ipservices-mz.122-25SEB/html/xhome.htm (9373 bytes)c3550-ipservices-mz.122-25SEB/html/menu.css (1654 bytes)<output truncated>This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Switch# archive tar /xtract tftp:/172.20.10.30/saved.tar flash:/ new-configsRelated Commands
Downloads a new image to the switch.
Uploads an existing image on the switch to a server.
archive upload-sw
Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.
archive upload-sw [/version version_string] destination-url
Syntax Description
Defaults
Uploads the currently running image from the flash: file system.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The upload feature is available only if the HTML files associated with the device manager have been installed with the existing image.
The files are uploaded in this sequence: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the software creates the tar file.
Image names are case sensitive.
Examples
This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:
Switch# archive upload-sw tftp://172.20.140.2/test-image.tarRelated Commands
Downloads a new image to the switch.
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.
arp access-list
Use the arp access-list global configuration command to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.
arp access-list acl-name
no arp access-list acl-name
This command is available only if your switch is running the IP services image, formerly known as the enhanced multilayer image (EMI).
Syntax Description
Defaults
No ARP access lists are defined.
Command Modes
Global configuration
Command History
Usage Guidelines
After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:
•
•
•
•
•
Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.
When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).
Examples
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hostsSwitch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 00001.0000.abcdSwitch(config-arp-nacl)# endYou can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
auto qos voip
Use the auto qos voip interface configuration command to automatically configure quality of service (auto-QoS) for voice over IP (VoIP) within a QoS domain. Use the no form of this command to change the auto-QoS configuration settings to the standard QoS defaults.
auto qos voip {cisco-phone | cisco-softphone | trust}
no auto qos voip
Syntax Description
Defaults
Auto-QoS is disabled on all interfaces.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic and class of service (CoS) packet labels and to configure the egress queues as summarized in Table 2-1.
Table 2-1 Traffic Types, Packet Labels, and Egress Queues
DSCP3
46
24, 26
48
56
34
—
—
CoS
5
3
6
7
4
CoS-to-Queue Map
5
3, 6, 7
4
2
0, 1
Egress Queue
Expedite (queue 4)
70% WRR4 (queue 3)
20% WRR (queue 2)
20% WRR (queue 2)
10% WRR (queue 1)
1 STP = Spanning Tree Protocol
2 BPDU = bridge protocol data unit
3 DSCP = Differentiated Services Code Point
4 WRR = weighted round robin
Table 2-2 lists the auto-QoS configuration for the egress queues.
Command Modes
Interface configuration
Command History
12.1(12c)EA1
This command was introduced.
12.1(20)EA2
The cisco-softphone keyword was added, and the generated auto-QoS configuration changed.
Usage Guidelines
Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and the edge devices that can classify incoming traffic for QoS.
In releases earlier than Cisco IOS Release 12.1(20)EA2, auto-QoS configures the switch only for VoIP with Cisco IP Phones on switch ports.
In Cisco IOS Release 12.1(20)EA2 or later, auto-QoS configures the switch for VoIP with Cisco IP Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application. These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use Cisco Call Manager Version 4 or later.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
Note
If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.
When you enable the auto-QoS feature on the first interface, these automatic actions occur:
•
•
•
•
You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
Note
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging.
To disable auto-QoS on an interface, use the no auto qos voip interface configuration command. When you enter this command, the switch enables standard QoS and changes the auto-QoS settings to the standard-QoS default settings for that interface.
To disable auto-QoS on the switch, use the no mls qos global configuration command. When you enter this command, the switch disables QoS on all interfaces and enables pass-through mode.
Examples
This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to an interface is a trusted device:
Switch(config)# interface gigabitethernet0/1Switch(config-if)# auto qos voip trustThis example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the device connected to an interface is detected as a Cisco IP Phone:
Switch(config)# interface fastethernet0/1Switch(config-if)# auto qos voip cisco-phoneThis example shows how to display the QoS configuration that is automatically generated when auto-QoS is enabled:
Switch# debug auto qosAutoQoS debugging is onSwitch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface fastethernet0/1Switch(config-if)# auto qos voip trustSwitch(config-if)#4d22h:mls qos map cos-dscp 0 8 16 26 32 46 48 564d22h:mls qos min-reserve 5 1704d22h:mls qos min-reserve 6 854d22h:mls qos min-reserve 7 514d22h:mls qos min-reserve 8 344d22h:mls qos4d22h:interface FastEthernet0/14d22h: mls qos trust cos4d22h: wrr-queue bandwidth 10 20 70 14d22h: wrr-queue min-reserve 1 54d22h: wrr-queue min-reserve 2 64d22h: wrr-queue min-reserve 3 74d22h: wrr-queue min-reserve 4 84d22h: no wrr-queue cos-map4d22h: wrr-queue cos-map 1 0 14d22h: wrr-queue cos-map 2 2 44d22h: wrr-queue cos-map 3 3 6 74d22h: wrr-queue cos-map 4 54d22h: priority-queue outSwitchconfig-if)# interface gigabitethernet0/1Switch(config-if)# auto qos voip cisco-phoneSwitch(config-if)#4d22h:interface GigabitEthernet0/14d22h: mls qos trust device cisco-phone4d22h: mls qos trust cos4d22h: wrr-queue bandwidth 10 20 70 14d22h: wrr-queue queue-limit 50 25 15 104d22h: no wrr-queue cos-map4d22h: wrr-queue cos-map 1 0 14d22h: wrr-queue cos-map 2 2 44d22h: wrr-queue cos-map 3 3 6 74d22h: wrr-queue cos-map 4 54d22h: priority-queue outSwitch(config-if)#You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.
Related Commands
Enables debugging of the auto-QoS feature.
mls qos map {cos-dscp dscp1 ... dscp8 | dscp-cos dscp-list to cos}
Defines the CoS-to-DSCP map or the DSCP-to-CoS map.
Configures the port trust state.
Displays auto-QoS information.
Displays global QoS configuration information.
Displays QoS information at the interface level.
Displays QoS mapping information.
boot boothlpr
Use the boot boothlpr global configuration command to load a special Cisco IOS image, which when loaded into memory, can load a second Cisco IOS image into memory and launch it. This variable is used only for internal development and testing. Use the no form of this command to return to the default setting.
boot boothlpr filesystem:/file-url
no boot boothlpr
Syntax Description
filesystem:
Alias for a flash file system. Use flash: for the system board flash device.
/file-url
The path (directory) and name of a bootable helper image.
Defaults
No helper image is loaded.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the BOOTHLPR environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot buffersize
Use the boot buffersize global configuration command to specify the size of the file system-simulated NVRAM in flash memory. The buffer holds a copy of the configuration file in memory. Use the no form of this command to return to the default setting.
boot buffersize size
no boot buffersize
Syntax Description
Defaults
The default is 32 KB.
Command Modes
Global configuration
Command History
Usage Guidelines
The configuration file cannot be larger than the buffer size allocation.
You must reload the switch by using the reload privileged EXEC command for this command to take effect.
This command changes the setting of the CONFIG_BUFSIZE environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot config-file
Use the boot config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.
boot config-file flash:/file-url
no boot config-file
Syntax Description
Defaults
The default configuration file is flash:config.text.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot enable-break
Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.
boot enable-break
no boot enable-break
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled. The automatic boot process cannot be interrupted by pressing the Break key on the console.
Command Modes
Global configuration
Command History
Usage Guidelines
When you enter this command, you can interrupt the automatic boot process by pressing the Break key on the console after the flash file system is initialized.
Note
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot helper
Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default setting.
boot helper filesystem:/file-url ...
no boot helper
Syntax Description
Defaults
No helper files are loaded.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot helper-config-file
Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. This variable is used only for internal development and testing. Use the no form of this command to return to the default setting.
boot helper-config-file filesystem:/file-url
no boot helper-config file
Syntax Description
filesystem:
Alias for a flash file system. Use flash: for the system board flash device.
/file-url
The path (directory) and helper configuration file to load.
Defaults
No helper configuration file is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot manual
Use the boot manual global configuration command to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.
boot manual
no boot manual
Syntax Description
This command has no arguments or keywords.
Defaults
Manual booting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot the system, use the boot boot loader command, and specify the name of the bootable image.
This command changes the setting of the MANUAL_BOOT environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
boot private-config-file
Use the boot private-config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.
boot private-config-file filename
no boot private-config-file
Syntax Description
Defaults
The default configuration file is private-config.text.
Command Modes
Global configuration
Command History
Usage Guidelines
Only the Cisco IOS software can read and write a copy of the private configuration file. You cannot read, write, delete, or display a copy of this file.
Filenames are case sensitive.
Examples
This example shows how to specify the name of the private configuration file to be pconfig:
Switch(config)# boot private-config-file pconfigRelated Commands
boot system
Use the boot system global configuration command to specify the Cisco IOS image to load during the next boot cycle. Use the no form of this command to return to the default setting.
boot system filesystem:/file-url ...
no boot system
Syntax Description
filesystem:
Alias for a flash file system. Use flash: for the system board flash device.
/file-url
The path (directory) and name of a bootable image. Separate image names with a semicolon.
Defaults
The switch attempts to automatically boot the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.
This command changes the setting of the BOOT environment variable. For more information, see "Catalyst 3550 Switch Boot Loader Commands."
Related Commands
channel-group
Use the channel-group interface configuration command to assign an Ethernet interface to an EtherChannel group, to enable an EtherChannel mode, or both. Use the no form of this command to remove an Ethernet interface from an EtherChannel group.
channel-group channel-group-number mode {active | {auto [non-silent]} | {desirable [non-silent]} | on | passive}
no channel-group
PAgP modes:
channel-group channel-group-number mode {{auto [non-silent]} | {desirable [non-silent}}LACP modes:
channel-group channel-group-number mode {active | passive}On mode:
channel-group channel-group-number mode onSyntax Description
Defaults
No channel groups are assigned.
No mode is configured.
Command Modes
Interface configuration
Command History
12.1(4)EA1
This command was introduced.
12.1(12c)EA1
The active and passive keywords were added.
Usage Guidelines
You do not have to create a port-channel interface before assigning a physical interface to a channel group. A port-channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.
You do not have to disable the IP address that is assigned to a physical interface that is part of a channel group, but we highly recommend that you do so.
For Layer 2 EtherChannels, you must configure the channel-group interface configuration command, which automatically creates the port-channel logical interface. You cannot put Layer 2 interfaces into a manually created port-channel interface.
You create Layer 3 port channels by using the interface port-channel command. You must manually configure the port-channel logical interface before putting the interface into the channel group.
Any configuration or attribute changes you make to the port-channel interface are propagated to all interfaces within the same channel group as the port channel (for example, configuration changes are also propagated to the physical interfaces that are not part of the port channel, but are part of the channel group).
If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational; however, it allows PAgP to operate, to attach the interface to a channel group, and to use the interface for transmission. Both ends of the link cannot be set to silent.
With the on mode, a PAgP EtherChannel exists only when a port group in on mode is connected to another port group in on mode.
Caution
Note
Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.
Note
Do not configure a secure port as part of an EtherChannel.
Caution
Examples
This example shows how to assign two interfaces as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable:
Switch# configure terminalSwitch(config)# interface range gigabitethernet0/4 -5Switch(config-if-range)# switchport mode accessSwitch(config-if-range)# switchport access vlan 10Switch(config-if-range)# channel-group 5 mode desirableSwitch(config-if-range)# endThis example shows how to set an EtherChannel into PAgP mode:
Switch(config-if)# channel-group 1 mode autoCreating a port-channel interface Port-channel 1This example shows how to set an EtherChannel into LACP mode:
Switch(config-if)# channel-group 1 mode passiveCreating a port-channel interface Port-channel 1You can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
channel-protocol
Use the channel-protocol interface configuration command to configure an EtherChannel for the Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP). Use the no form of this command to disable PAgP or LACP on the EtherChannel.
channel-protocol {lacp | pagp}
no channel-protocol
Syntax Description
lacp
Configure an EtherChannel with the LACP protocol.
pagp
Configure an EtherChannel with the PAgP protocol.
Defaults
No protocol is assigned to the EtherChannel.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the channel-protocol command only to restrict a channel to LACP or PAgP.
You must use the channel-group interface command to configure the EtherChannel parameters. The channel-group command can also set the EtherChannel for a channel.
Note
Caution
Examples
This example shows how to set an EtherChannel into PAgP mode:
Switch(config-if)# channel-protocol pagpThis example shows how to set an EtherChannel into LACP mode:
Switch(config-if)# channel-protocol lacpYou can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
class
Use the class policy-map configuration command to define a traffic classification for the policy to act on. Use the no form of this command to delete an existing class map.
class class-map-name
no class class-map-name
Syntax Description
Note
Defaults
No policy map class-maps are defined.
Command Modes
Policy-map configuration
Command History
Usage Guidelines
Use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode before you use the class command. After you specify a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map. You attach the policy map to an interface by using the service-policy interface configuration command.
The class name that you specify in the policy map ties the characteristics for that class to the class map and its match criteria as configured by using the class-map global configuration command.
The class command performs the same function as the class-map global configuration command. Use the class command when a new classification, which is not shared with any other ports, is needed. Use the class-map command when the map is shared among many ports.
After you enter the class command, the switch enters policy-map class configuration mode, and these configuration commands are available:
•
•
•
•
•
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
Examples
This example shows how to create a policy map called policy1. When attached to the ingress direction, it matches all the incoming traffic defined in class1, sets the IP DSCP to 10, and polices the traffic at an average rate of 1 Mbps and for 20 KB bursts. Traffic exceeding the profile is marked down to a DSCP value obtained from the policed-DSCP map and then sent.
Switch(config)# policy-map policy1Switch(config-pmap)# class class1Switch(config-pmap-c)# set dscp 10Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmitSwitch(config-pmap-c)# exitYou can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
class-map
Use the class-map global configuration command to create a class map to be used for matching packets to the class whose name you specify and to enter class-map configuration mode. Use the no form of this command to delete an existing class map and to return to global configuration mode.
class-map [match-all | match-any] class-map-name
no class-map [match-all | match-any] class-map-name
Syntax Description
Defaults
No class maps are defined.
When neither the match-all or match-any keyword is specified, the default is match-all.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode.
The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally named service policy applied on a per-interface basis.
After you are in quality of service (QoS) class-map configuration mode, these configuration commands are available:
•
•
•
•
•
A class-map with this name already existsTo define packet classification on a physical-port basis, only one match command per class map is supported. In this situation, the match-all and match-any keywords are equivalent.
To define packet classification on a per-port per-VLAN basis, you must use the match-all keyword with the class-map global configuration command. You also must enter the match vlan vlan-list and the match class-map class-map-name class-map configuration commands. For more information, see the "match (class-map configuration)" section.
Only one access control list (ACL) can be configured in a class map. The ACL can have multiple access control entries (ACEs).
Examples
This example shows how to configure the class map called class1. class1 has one match criterion, which is an access list called 103.
Switch(config)# access-list 103 permit any any dscp 10Switch(config)# class-map class1Switch(config-cmap)# match access-group 103Switch(config-cmap)# exitThis example shows how to delete the class map class1:
Switch(config)# no class-map class1This example shows how to configure a class map called dscp_class whose match criterion is to match IP DSCP 9. A second class map, called vlan_class, matches traffic on VLANs 10, 20 to 30, and 40 to class map dscp_class:
Switch(config)# class-map match-any dscp_classSwitch(config-cmap)# match ip dscp 9Switch(config-cmap)# exitSwitch(config)# class-map match-all vlan_classSwitch(config-cmap)# match vlan 10 20-30 40Switch(config-cmap)# match class-map dscp_classSwitch(config-cmap)# exitYou can verify your settings by entering the show class-map privileged EXEC command.
Related Commands
Defines the match criteria to classify traffic.
Creates or modifies a policy map that can be attached to multiple interfaces to specify a service policy.
Displays QoS class maps.
clear ip arp inspection log
Use the clear ip arp inspection log privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.
clear ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the contents of the log buffer:
Switch# clear ip arp inspection logYou can verify that the log was cleared by entering the show ip arp inspection log privileged command.
Related Commands
clear ip arp inspection statistics
Use the clear ip arp inspection statistics privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.
clear ip arp inspection statistics [vlan vlan-range]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the statistics for VLAN 1:
Switch# clear ip arp inspection statistics vlan 1You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.
Related Commands
clear l2protocol-tunnel counters
Use the clear l2protocol-tunnel counters privileged EXEC command to clear the protocol counters in protocol tunnel ports.
clear l2protocol-tunnel counters [interface-id]
Syntax Description
interface-id
(Optional) Specify interface (physical interface or port channel) on which to clear protocol counters.
Defaults
This command has no defaults.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to clear protocol tunnel counters on the switch or on the specified interface.
Examples
This example shows how to clear Layer 2 protocol tunnel counters on an interface:
Switch# clear l2protocol-tunnel counters gigabitethernet0/3Related Commands
Enable tunneling of Layer 2 protocols on an access or IEEE 802.1Q tunnel port.
Displays information about ports configured for Layer 2 protocol tunneling.
clear lacp
Use the clear lacp privileged EXEC command to clear Link Aggregation Control Protocol (LACP) channel-group counters.
clear lacp {channel-group-number [counters]}
Syntax Description
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear channel-group information for a specific group:
Switch# clear lacp 4This example shows how to clear channel-group traffic counters:
Switch# clear lacp countersYou can verify that the information was deleted by entering the show lacp privileged EXEC command.
Related Commands
clear mac address-table
Use the clear mac address-table privileged EXEC command to delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.
clear mac address-table {dynamic [address mac-addr | interface interface-id | vlan vlan-id] | notification}
Note
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to remove a specific MAC address from the dynamic address table:
Switch# clear mac address-table dynamic address 0008.0070.0007You can verify that information was deleted by entering the show mac address-table privileged EXEC command.
Related Commands
clear pagp
Use the clear pagp privileged EXEC command to clear Port Aggregation Protocol (PAgP) channel-group information.
clear pagp {channel-group-number [counters] | counters}
Syntax Description
Defaults
This command has no default setting.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear channel-group information for a specific group:
Switch# clear pagp 10This example shows how to clear channel-group traffic filters:
Switch# clear pagp countersYou can verify that information was deleted by entering the show pagp privileged EXEC command.
Related Commands
clear port-security
Use the clear port-security privileged EXEC command to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.
clear port-security {all | configured | dynamic | sticky} [[address mac-addr | interface interface-id] [vlan {vlan-id | {access | voice}}]]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
12.1(11)EA1
This command was introduced.
12.1(14)EA1
The all, configured, and vlan keywords were added.
12.2(25)SEB
The access and voice keywords were added.
Usage Guidelines
If you enter the clear port-security all privileged EXEC command, the switch removes all secure MAC addresses from the MAC address table.
If you enter the clear port-security configured address mac-addr vlan vlan-id command, the switch removes the specified secure MAC address from the specified VLAN.
If you enter the clear port-security configured address mac-address command, the switch removes the specified secure MAC address from the MAC address table.
If you enter the clear port-security dynamic interface interface-id command, the switch removes all dynamic secure MAC addresses on an interface from the MAC address table.
If you enter the clear port-security sticky command, the switch removes all sticky secure MAC addresses from the MAC address table.
Examples
This example shows how to remove all secure addresses from the MAC address table:
Switch# clear port-security allThis example shows how to remove a configured secure address from the MAC address table:
Switch# clear port-security configured address 0008.0070.0007This example shows how to remove all the dynamic secure addresses learned on an interface:
Switch# clear port-security dynamic interface gigabitethernet0/1This example shows how to remove all the sticky secure addresses from the address table:
Switch# clear port-security stickyYou can verify that the information was deleted by entering the show port-security privileged EXEC command.
Related Commands
Displays the port security settings for an interface or for the switch.
Enables port security on an interface.
clear spanning-tree counters
Use the clear spanning-tree counters privileged EXEC command to clear the spanning-tree counters.
clear spanning-tree counters [interface interface-id]
Syntax Description
interface interface-id
(Optional) Clear all spanning-tree counters on the specified interface. If interface-id is not specified, spanning-tree counters are cleared for all interfaces.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear spanning-tree counters for all interfaces:
Switch# clear spanning-tree countersRelated Commands
clear spanning-tree detected-protocols
Use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface.
clear spanning-tree detected-protocols [interface interface-id]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3) associated with a different region, or an RST BPDU (version 2).
However, the switch does not automatically revert to the rapid-PVST+ or MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.
Examples
This example shows how to restart the protocol migration process on an interface:
Switch# clear spanning-tree detected-protocols interface fastethernet0/1clear vmps statistics
Use the clear vmps statistics privileged EXEC command to clear the statistics maintained by the VLAN Query Protocol (VQP) client.
clear vmps statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
Switch# clear vmps statisticsYou can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
Related Commands
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers.
clear vtp counters
Use the clear vtp counters privileged EXEC command to clear the VLAN Trunking Protocol (VTP) and pruning counters.
clear vtp counters
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the VTP counters:
Switch# clear vtp countersYou can verify that information was deleted by entering the show vtp counters privileged EXEC command.
Related Commands
Displays general information about the VTP management domain, status, and counters.
cluster commander-address
You do not need to enter this command. The command switch automatically provides its MAC address to member switches when these switches join the cluster. The member switch adds this information and other cluster information to its running configuration file. Use the no form of this command from the member switch console port to remove it from a cluster only during debugging or recovery procedures.
cluster commander-address mac-address [member number name name]
no cluster commander-address
Syntax Description
Defaults
The switch is not a member of any cluster.
Command Modes
Global configuration
Command History
Usage Guidelines
A cluster member can have only one command switch.
The member switch retains the identity of the command switch during a system reload by using the mac-address parameter.
You can enter the no form on a member switch to remove it from the cluster during debugging or recovery procedures. You would normally use this command from the member switch console port only when the member has lost communication with the command switch. With normal switch configuration, we recommend that you remove member switches only by entering the no cluster member n global configuration command on the command switch.
When a standby command switch becomes active (becomes the command switch), it removes the cluster commander address line from its configuration.
Examples
This is partial sample output from the running configuration of a cluster member:
Switch(config)# show running-config<output truncated>cluster commander-address 00e0.9bc0.a500 member 4 name my_cluster<output truncated>This example shows how to remove a member from the cluster by using the cluster member console:
Switch # configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# no cluster commander-addressYou can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
cluster discovery hop-count
Use the cluster discovery hop-count global configuration command on the command switch to set the hop-count limit for extended discovery of candidate switches. Use the no form of this command to return to the default setting.
cluster discovery hop-count number
no cluster discovery hop-count
Syntax Description
number
Number of hops from the cluster edge that the command switch limits the discovery of candidates. The range is 1 to 7.
Defaults
The hop count is set to 3.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command only on the command switch. This command does not operate on member switches.
If the hop count is set to 1, it disables extended discovery. The command switch discovers only candidates that are one hop from the edge of the cluster. The edge of the cluster is the point between the last discovered member switch and the first discovered candidate switch.
Examples
This example shows how to set hop count limit to 4. This command is executed on the command switch.
Switch(config)# cluster discovery hop-count 4You can verify your setting by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
Displays a list of candidate switches.
cluster enable
Use the cluster enable global configuration command on a command-capable switch to enable it as the cluster command switch, assign a cluster name, and to optionally assign a member number to it. Use the no form of this command to remove all members and to make the command switch a candidate switch.
cluster enable name [command-switch-member-number]
no cluster enable
Syntax Description
Defaults
The switch is not a command switch.
No cluster name is defined.
The member number is 0 when the switch is the command switch.
Command Modes
Global configuration
Command History
Usage Guidelines
This command runs on any command-capable switch that is not part of any cluster. This command fails if a device is already configured as a member of the cluster.
You must name the cluster when you enable the command switch. If the switch is already configured as the command switch, this command changes the cluster name if it is different from the previous cluster name.
Examples
This example shows how to enable the command switch, name the cluster, and set the command switch member number to 4:
Switch(config)# cluster enable Engineering-IDF4 4You can verify your setting by entering the show cluster privileged EXEC command on the command switch.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
cluster holdtime
Use the cluster holdtime global configuration command on the command switch to set the duration in seconds before a switch (either the command or member switch) declares the other switch down after not receiving heartbeat messages. Use the no form of this command to return to the default setting.
cluster holdtime holdtime-in-secs
no cluster holdtime
Syntax Description
holdtime-in-secs
Duration in seconds before a switch (either a command or member switch) declares the other switch down. The range is 1 to 300 seconds.
Defaults
The default holdtime is 80 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command with the cluster timer global configuration command only on the command switch. The command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.
The holdtime is typically set as a multiple of the interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.
Examples
This example shows how to change the interval timer and the duration on the command switch:
Switch(config)# cluster timer 3Switch(config)# cluster holdtime 30You can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
cluster member
Use the cluster member global configuration command on the command switch to add candidates to a cluster. Use the no form of this command to remove members from the cluster.
cluster member [n] mac-address H.H.H [password enable-password] [vlan vlan-id]
no cluster member n
Syntax Description
Defaults
A newly enabled command switch has no associated cluster members.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command only on the command switch to add a candidate to or remove a member from the cluster. If you enter this command on a switch other than the command switch, the switch rejects the command and displays an error message.
You must enter a member number to remove a switch from the cluster. However, you do not need to enter a member number to add a switch to the cluster. The command switch selects the next available member number and assigns it to the switch that is joining the cluster.
You must enter the enable password of the candidate switch for authentication when it joins the cluster. The password is not saved in the running or startup configuration. After a candidate switch becomes a member of the cluster, its password becomes the same as the command-switch password.
If a switch does not have a configured host name, the command switch appends a member number to the command-switch host name and assigns it to the member switch.
If you do not specify a VLAN ID, the command switch automatically chooses a VLAN and adds the candidate to the cluster.
Examples
This example shows how to add a switch as member 2 with MAC address 00E0.1E00.2222 and the password key to a cluster. The command switch adds the candidate to the cluster through VLAN 3.
Switch(config)# cluster member 2 mac-address 00E0.1E00.2222 password key vlan 3This example shows how to add a switch with MAC address 00E0.1E00.3333 to the cluster. This switch does not have a password. The command switch selects the next available member number and assigns it to the switch that is joining the cluster.
Switch(config)# cluster member mac-address 00E0.1E00.3333You can verify your settings by entering the show cluster members privileged EXEC command on the command switch.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
Displays a list of candidate switches.
Displays information about the cluster members.
cluster outside-interface
Use the cluster outside-interface global configuration command to configure the outside interface for cluster Network Address Translation (NAT) so that a member without an IP address can communicate with devices outside the cluster. Use the no form of this command to return to the default setting.
cluster outside-interface interface-id
no cluster outside-interface
Syntax Description
interface-id
Interface to serve as the outside interface. Valid interfaces include physical interfaces, port-channels, or VLANs. The port-channel range is 1 to 64. The VLAN range is 1 to 4094.
Defaults
The default outside interface is automatically selected by the command switch.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command only on the command switch. If you enter this command on a member switch, an error message appears.
Examples
This example shows how to set the outside interface to VLAN 1:
Switch(config)# cluster outside-interface vlan 1You can verify your setting by entering the show running-config privileged EXEC command.
Related Commands
cluster run
Use the cluster run global configuration command to enable clustering on a switch. Use the no form of this command to disable clustering on a switch.
cluster run
no cluster run
Syntax Description
This command has no arguments or keywords.
Defaults
Clustering is enabled on all switches.
Command Modes
Global configuration
Command History
Usage Guidelines
When you enter the no cluster run command on a command switch, the command switch is disabled. Clustering is disabled, and the switch is incapable of becoming a candidate switch.
When you enter the no cluster run command on a member switch, it is removed from the cluster. Clustering is disabled, and the switch is incapable of becoming a candidate switch.
When you enter the no cluster run command on a switch that is not part of a cluster, clustering is disabled on this switch. This switch cannot then become a candidate switch.
Examples
This example shows how to disable clustering on the command switch:
Switch(config)# no cluster runYou can verify your setting by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
cluster standby-group
Use the cluster standby-group global configuration command to enable command-switch redundancy by binding the cluster to an existing Hot Standby Router Protocol (HSRP). Entering the routing-redundancy keyword enables the same HSRP group to be used for command-switch redundancy and routing redundancy. Use the no form of this command to return to the default setting.
cluster standby-group HSRP-group-name [routing-redundancy]
no cluster standby-group
Syntax Description
Defaults
The cluster is not bound to any HSRP group.
Command Modes
Global configuration
Command History
Usage Guidelines
You must enter this command only on the command switch. If you enter it on a member switch, an error message appears.
The command switch propagates the cluster-HSRP binding information to all cluster-HSRP capable members. Each member switch stores the binding information in its NVRAM.
The HSRP group name must be a valid standby group; otherwise, the command exits with an error.
The same group name should be used on all members of the HSRP standby group that is to be bound to the cluster. The same HSRP group name should also be used on all cluster-HSRP capable members for the HSRP group that is to be bound. (When not binding a cluster to an HSRP group, you can use different names for the cluster commander and the members.)
Examples
This example shows how to bind the HSRP group named my_hsrp to the cluster. This command is executed on the command switch.
Switch(config)# cluster standby-group my_hsrpThis example shows how to use the same HSRP group named my_hsrp for routing redundancy and cluster redundancy:
Switch(config)# cluster standby-group my_hsrp routing-redundancyThis example shows the error message when this command is executed on a command switch and the specified HSRP standby group does not exist:
Switch(config)# cluster standby-group my_hsrp%ERROR: Standby (my_hsrp) group does not existThis example shows the error message when this command is executed on a member switch:
Switch(config)# cluster standby-group my_hsrp routing-redundancy%ERROR: This command runs on a cluster command switchYou can verify your settings by entering the show cluster privileged EXEC command. The output shows whether redundancy is enabled in the cluster.
Related Commands
cluster timer
Use the cluster timer global configuration command on the command switch to set the interval in seconds between heartbeat messages. Use the no form of this command to return to the default setting.
cluster timer interval-in-secs
no cluster timer
Syntax Description
Defaults
The interval is 8 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command with the cluster holdtime global configuration command only on the command switch. The command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.
The holdtime is typically set as a multiple of the heartbeat interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.
Examples
This example shows how to change the heartbeat interval timer and the duration on the command switch:
Switch(config)# cluster timer 3Switch(config)# cluster holdtime 30You can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
define interface-range
Use the define interface-range global configuration command to create an interface-range macro. Use the no form of this command to delete the defined macro.
define interface-range macro-name interface-range
no define interface-range macro-name interface-range
Syntax Description
macro-name
Name of the interface-range macro; up to 32 characters.
interface-range
Interface range; for valid values for interface ranges, see "Usage Guidelines."
Defaults
This command has no default setting.
Command Modes
Global configuration
Command History
Usage Guidelines
The macro name is a 32-character maximum character string.
A macro can contain up to five ranges.
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
When entering the interface-range, use this format:
•
•
Valid values for type and interface:
•
•
•
•
VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.
For physical interfaces, the interface-id is defined as slot/number (where slot is always 0 for the switch), and the range can be entered as one of the following:
•
•
You can also enter multiple ranges.
When you define a range, you must enter a space before and after the hyphen (-), for example, gigabitethernet0/1 - 2
When you define multiple ranges, you must enter a space before and after the comma (,), for example, fastethernet0/3 - 7 , gigabitethernet0/1 - 2
Examples
This example shows how to create a multiple-interface macro:
Switch(config)# define interface-range macro1 gigabitethernet0/1 -2, gigabitethernet0/5Related Commands
delete
Use the delete privileged EXEC command to delete a file or directory on the flash memory device.
delete [/force] [/recursive] filesystem:/file-url
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If you use the /force keyword, you are prompted at the beginning of the deletion process to confirm the deletion.
If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.
The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Command Reference for Release 12.1.
Examples
This example shows how to remove the directory that contains the old software image after a successful download of a new image:
Switch# delete /force /recursive flash:/old-imageYou can verify that the directory was removed by entering the dir filesystem: privileged EXEC command.
Related Commands
deny
Use the deny MAC access list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched. Use the no form of this command to remove a deny condition from the named MAC access list.
{deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask |mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]
no {deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]
Note
Syntax Description
To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2-3.
Defaults
This command has no defaults. However; the default action for a MAC-named ACL is to deny.
Command Modes
MAC-access list configuration
Command History
Usage Guidelines
You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.
If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.
When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Note
Examples
This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.
Switch(config-ext-macl)# deny any host 00c0.00a0.03fa netbios.This example shows how to remove the deny condition from the named MAC extended access list:
Switch(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios.This example denies all packets with Ethertype 0x4321:
Switch(config-ext-macl)# deny any any 0x4321 0You can verify your settings by entering the show access-lists privileged EXEC command.
Related Commands
deny (ARP access-list configuration)
Use the deny Address Resolution Protocol (ARP) access-list configuration command to deny an ARP packet based on matches against the DHCP bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access list.
deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
no deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]
This command is available only if your switch is running the IP services image, formerly known as the enhanced multilayer image (EMI).
Syntax Description
Defaults
There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command.
Command Modes
ARP access-list configuration
Command History
Usage Guidelines
You can add deny clauses to drop ARP packets based on matching criteria.
Examples
This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hostsSwitch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcdSwitch(config-arp-nacl)# endYou can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
dot1x
Use the dot1x global configuration command to enable IEEE 802.1x authentication globally. Use the no form of this command to return to the default setting.
dot1x {critical {eapol | recovery delay milliseconds} | system-auth-control}
no dot1x {credentials | critical {eapol | recovery delay} | system-auth-control}
Note
Syntax Description
critical {eapol | recovery delay milliseconds}
Configure the inaccessible authentication bypass parameters. For more information, see the dot1x critical (global configuration) command.
system-auth-control
Enable IEEE 802.1x authentication globally on the switch.
Defaults
IEEE 802.1x authentication is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE 802.1x authentication. A method list describes the sequence and authentication methods to be queried to authenticate a user.
Before globally enabling IEEE 802.1x authentication on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.
If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and with EAP-MD5 and your switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS Version 3.2.1 or later.
Examples
This example shows how to enable IEEE 802.1x authentication globally on a switch:
Switch(config)# dot1x system-auth-controlYou can verify your settings by entering the show dot1x privileged EXEC command.
Related Commands
dot1x auth-fail max-attempts
Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. To return to the default setting, use the no form of this command.
dot1x auth-fail max-attempts max-attempts
no dot1x auth-fail max-attempts
Syntax Description
max-attempts
Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3, the default value is 3.
Defaults
The default is 3 attempts.
Command Modes
Interface configuration
Command History
Usage Guidelines
If you reconfigure the maximum number of authentication failures allowed by the VLAN, the change takes effect after the re-authentication timer expires.
Examples
This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on Gigabit Ethernet interface 3:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gigabitethernet0/3Switch(config-if)# dot1x auth-fail max-attempts 2Switch(config-if)# endSwitch(config)# endSwitch#You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
dot1x auth-fail vlan [vlan id]
Enables the optional restricted VLAN feature.
dot1x max-reauth-req [count]
Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state.
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified port.
dot1x auth-fail vlan
Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.
dot1x auth-fail vlan vlan-id
no dot1x auth-fail vlan vlan-id
Syntax Description
Defaults
No restricted VLAN is configured.
Command Modes
Interface configuration
Command History
Usage Guidelines
You can configure a restricted VLAN on ports configured as follows:
•
•
You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if re-authentication is disabled. To start the re-authentication process, the restricted VLAN must receive a link down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If the host is connected through a hub, the port might never receive a link down event and might not detect the new host until the next re-authentication attempt occurs. Therefore, re-authentication should be enabled.
If the user fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the user. Because the user is not notified of the authentication failure, there might be confusion as to why there is restricted access to the network. An EAP success message is sent for these reasons:
•
•
A user might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the user passes the correct username and password combination, the port remains in the restricted VLAN.
Internal VLANs that are used for Layer 3 ports cannot be configured as a restricted VLAN.
You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.
When a restricted VLAN port is moved to an unauthorized state, the authentication process is restarted. If the user fails the authentication process again, the authenticator waits in the held state. After the user has correctly re-authenticated, all IEEE 802.1x ports are reinitialized and treated as normal IEEE 802.1x ports.
When you reconfigure a restricted VLAN to a different VLAN, any ports in the restricted VLAN are also moved and the ports stay in their current authorized state.
When you shut down or remove a restricted VLAN from the VLAN database, any ports in the restricted VLAN are immediately moved to an unauthorized state and the authentication process is restarted. The authenticator does not wait in a held state because the restricted VLAN configuration still exists. While the restricted VLAN is inactive, all authentication attempts are counted. As soon as the restricted VLAN becomes active, the port is placed in the restricted VLAN.
The restricted VLAN is supported only in single-host mode (the default port mode).
When a port is placed in a restricted VLAN, the user's MAC address is added to the MAC address table. If a new MAC address appears on the port, it is treated as a security violation.
Examples
This example shows how to configure a restricted VLAN on Gigabit Ethernet interface 1:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gigabitethernet0/1Switch(config-if)# dot1x auth-fail vlan 40Switch(config-if)# endSwitch(config)# endSwitch#You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
dot1x auth-fail max-attempts [max-attempts]
Configures the number of authentication attempts allowed before assigning a user to the restricted VLAN.
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified port.
dot1x control-direction
Use the dot1x control-direction interface configuration command to configure the IEEE 802.1x authentication with the wake-on-LAN (WoL) feature to configure the port control as unidirectional or bidirectional. Use the no form of this command to return to the default setting.
dot1x control-direction {in | both}
no dot1x control-direction {in | both}
Syntax Description
Defaults
The port is in bidirectional.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the both keyword or the no form of this command to return to the default setting, bidirectional mode.
For more information about WoL, see the "Using IEEE 802.1x Authentication with Wake-on-LAN" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter in the software configuration guide.
Examples
This example shows how to enable unidirectional control:
Switch(config-if)# dot1x control-direction inThese examples show how to enable bidirectional control:
Switch(config-if)# dot1x control-direction bothYou can verify your settings by entering the show dot1x all privileged EXEC command.
The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears:
Supplicant MAC 0002.b39a.9275AuthSM State = CONNECTINGBendSM State = IDLEPortStatus = UNAUTHORIZEDIf you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output:
ControlDirection = InIf you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output:
ControlDirection = In (Disabled due to port settings)Related Commands
show dot1x all [interface interface-id]
Displays control-direction port setting status for the specified interface.
dot1x critical (global configuration)
Use the dot1x critical global configuration command to configure the parameters for the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. To return to default settings, use the no form of this command.
dot1x critical {eapol | recovery delay milliseconds}
no dot1x critical {eapol | recovery delay}
Syntax Description
Defaults
The switch does not send an EAPOL-Success message to the host when the switch successfully authenticates the critical port by putting the critical port in the critical-authentication state.
The recovery delay period is 1000 milliseconds (1 second).
Command Modes
Global configuration
Command History
Usage Guidelines
Use the eapol keyword to specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state.
Use the recovery delay milliseconds keyword to set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The default recovery delay period is 100 milliseconds. A port can be re-initialized every second.
To enable inaccessible authentication bypass on a port, use the dot1x critical interface configuration command. To configure the access VLAN to which the switch assigns a critical port, use the dot1x critical vlan vlan-id interface configuration command.
Examples
This example shows how to set 200 as the recovery delay period on the switch:
Switch# dot1x critical recovery delay 200You can verify your configuration by entering the show dot1x privileged EXEC command.
Related Commands
Enables the inaccessible authentication bypass feature, and configures the access VLAN for the feature.
Displays IEEE 802.1x status for the specified port.
dot1x critical (interface configuration)
Use the dot1x critical interface configuration command to enable the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. You can also configure the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. To disable the feature or return to default, use the no form of this command.
dot1x critical [recovery action reinitialize | vlan vlan-id]
no dot1x critical [recovery | vlan]
Syntax Description
Defaults
The inaccessible authentication bypass feature is disabled.
The recovery action is not configured.
The access VLAN is not configured.
Command Modes
Interface configuration
Command History
Usage Guidelines
To specify the access VLAN to which the switch assigns a critical port when the port is in the critical-authentication state, use the vlan vlan-id keywords. The specified type of VLAN must match the type of port, as follows:
•
•
•
If the client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.
You can configure the inaccessible authentication bypass feature and the restricted VLAN on an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical authentication state, and it remains in the restricted VLAN.
You can configure the inaccessible bypass feature and port security on the same switch port.
Examples
This example shows how to enable the inaccessible authentication bypass feature on port 1:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface fastethernet0/1Switch(config-if)# dot1x criticalSwitch(config-if)# endSwitch(config)# endSwitch#You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
Configures the parameters for the inaccessible authentication bypass feature on the switch.
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified port.
dot1x default
Use the dot1x default interface configuration command to reset the configurable IEEE 802.1x parameters to their default values.
dot1x default
Syntax Description
This command has no arguments or keywords.
Defaults
These are the default values:
•
•
•
•
•
•
•
•
•
Command Modes
Interface configuration
Command History
12.1(8)EA1
This command was introduced.
12.1(14)EA1
This command was changed to the interface configuration mode.
Examples
This example shows how to reset the configurable IEEE 802.1x parameters on an interface:
Switch(config-if)# dot1x defaultYou can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified interface.
dot1x guest-vlan
Use the dot1x guest-vlan interface configuration command to specify an active VLAN as an IEEE 802.1x guest VLAN. Use the no form of this command to return to the default setting.
dot1x guest-vlan vlan-id
no dot1x guest-vlan
Syntax Description
Defaults
No guest VLAN is configured.
Command Modes
Interface configuration
Command History
12.1(14)EA1
This command was introduced.
12.2(25)SE
The default behavior of this command changed.
Usage Guidelines
For each IEEE 802.1x port on the switch, you can configure a guest VLAN to provide limited services to clients (a device or workstation connected to the switch) not currently running IEEE 802.1x authentication. These users might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.
When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.
With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is reset upon loss of link.
Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. In Cisco IOS Release 12.2(25)SE, you can use the dot1x guest-vlan supplicant global configuration command to enable this optional behavior.
However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan supplicant global configuration command is no longer supported. You can use a restricted VLAN to allow clients that failed authentication access to the network by entering the dot1x auth-fail vlan vlan-id interface configuration command.
Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the RADIUS-configured or user-specified access VLAN, and authentication is restarted.
Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.
You can configure any active VLAN except an Remote Switched Port Analyzer (RSPAN) VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.
After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can also change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.
The switch supports MAC authentication bypass in Cisco IOS Release 12.2(25)SEE and later. When MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN, if one is specified. For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.
Examples
This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config-if)# dot1x guest-vlan 5This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an IEEE 802.1x guest VLAN:
Switch(config)# dot1x guest-vlan supplicantSwitch(config)# interface FastEthernet0/1Switch(config-if)# dot1x guest-vlan 5You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
Enables the optional guest VLAN supplicant feature.
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified interface.
dot1x host-mode
Use the dot1x host-mode interface configuration command to allow a single host (client) or multiple hosts on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the no form of this command to return to the default setting.
dot1x host-mode {multi-host | single-host}
no dot1x host-mode [multi-host | single-host]
Syntax Description
multi-host
Enable multiple-hosts mode on the switch.
single-host
Enable single-host mode on the switch.
Defaults
The default is single-host mode.
Command Modes
Interface configuration
Command History
12.1(14)EA1
This command was introduced. It replaces the dot1x multiple-hosts interface configuration command.
Usage Guidelines
You can use this command to limit an IEEE 802.1x-enabled port to a single client or to attach multiple clients to an IEEE 802.1x-enabled port. In multiple-hosts mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.
Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
Examples
This example shows how to enable IEEE 802.1x authentication globally, enable IEEE 802.1x authentication on an interface, and enable multiple-hosts mode:
Switch(config)# dot1x system-auth-controlSwitch(config)# interface fastethernet0/1Switch(config-if)# dot1x port-control autoSwitch(config-if)# dot1x host-mode multi-hostYou can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified interface.
dot1x initialize
Use the dot1x initialize privileged EXEC command to manually return an IEEE 802.1x-enabled port to an unauthorized state before initiating a new authentication session on the interface.
dot1x initialize interface interface-id
Syntax Description
This command has no arguments or keywords.
Defaults
There is no default setting.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to manually return a device connected to a switch interface to an unauthorized state before initiating a new authentication session on the interface.
Examples
This example shows how to manually return a device connected to an interface to an unauthorized state:
Switch# dot1x initialize interface fastethernet0/1You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified interface.
dot1x mac-auth-bypass
Use the dot1x mac-auth-bypass interface configuration command to enable the MAC authentication bypass feature. Use the no form of this command to disable MAC authentication bypass feature.
dot1x mac-auth-bypass [eap]
no dot1x mac-auth-bypass
Syntax Description
eap
(Optional) Configure the switch to use Extensible Authentication Protocol (EAP) for authentication.
Defaults
MAC authentication bypass is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
Unless otherwise stated, the MAC authentication bypass usage guidelines are the same as the IEEE 802.1x authentication guidelines.
If you disable MAC authentication bypass from a port after the port has been authenticated with its MAC address, the port state is not affected.
If the port is in the unauthorized state and the client MAC address is not the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port.
If the port is in the authorized state, the port remains in this state until re-authorization occurs.
If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x authentication (not MAC authentication bypass) to authorize the interface.
Clients that were authorized with MAC authentication bypass can be re-authenticated.
For more information about how MAC authentication bypass and IEEE 802.lx authentication interact, see the "Understanding IEEE 802.1x Authentication with MAC Authentication Bypass" section and the "IEEE 802.1x Authentication Configuration Guidelines" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.
Examples
This example shows how to enable MAC authentication bypass and to configure the switch to use EAP for authentication:
Switch(config-if)# dot1x mac-auth-bypass eapYou can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified port.
dot1x max-reauth-req
Use the dot1x max-reauth-req interface configuration command on the switch stack or on a standalone switch to set the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state. Use the no form of this command to return to the default setting.
dot1x max-reauth-req count
no dot1x max-reauth-req
Syntax Description
count
Number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10.
Defaults
The default is 2 times.
Command Modes
Interface configuration
Command History
Usage Guidelines
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Examples
This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state:
Switch(config-if)# dot1x max-reauth-req 4You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process.
dot1x timeout tx-period
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified port.
dot1x max-req
Use the dot1x max-req interface configuration command to set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process. Use the no form of this command to return to the default setting.
dot1x max-req count
no dot1x max-req
Syntax Description
count
Number of times that the switch sends an EAP frame from the authentication server before restarting the authentication process. The range is 1 to 10.
Defaults
The default is 2.
Command Modes
Interface configuration
Command History
12.1(8)EA1
This command was introduced.
12.1(14)EA1
This command was changed to the interface configuration mode.
Usage Guidelines
You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Examples
This example shows how to set 5 as the number of times that the switch sends an EAP frame from the authentication server before restarting the authentication process:
Switch(config-if)# dot1x max-req 5You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified interface.
dot1x multiple-hosts
This is an obsolete command.
In past releases, the dot1x multiple-hosts interface configuration command was used to allow multiple hosts (clients) on an IEEE 802.1x-authorized port.
Command History
12.1(8)EA1
This command was introduced.
12.1(14)EA1
The dot1x multiple-hosts interface configuration command was replaced by the dot1x host-mode interface configuration command.
Related Commands
Set the IEEE 802.1x host mode on an interface.
Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified interface.
dot1x pae
Use the dot1x pae interface configuration command to configure the port as an IEEE 802.1x port access entity (PAE) authenticator. Use the no form of this command to disable IEEE 802.1x authentication on the port.
dot1x pae authenticator
no dot1x pae
Syntax Description
This command has no arguments or keywords.
Defaults
The port is not an IEEE 802.1x PAE authenticator, and IEEE 802.1x authentication is disabled on the port.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the no dot1x pae interface configuration command to disable IEEE 802.1x authentication on the port.
When you configure IEEE 802.1x authentication on a port, such as entering the dot1x port-control interface configuration command, the switch automatically configures the port as an EEE 802.1x authenticator. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is enabled.
Examples
This example shows how to disable IEEE 802.1x authentication on the port:
Switch(config-if)# no dot1x paeYou can verify your settings by entering the show dot1x or show eap privileged EXEC command.
Related Commands
dot1x port-control
Use the dot1x port-control interface configuration command to enable manual control of the authorization state of the port. Use the no form of this command to return to the default setting.
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
Syntax Description
Defaults
The default is force-authorized.
Command Modes
Interface configuration
Command History
Usage Guidelines
You must enable IEEE 802.1x authentication globally on the switch by using the dot1x system-auth-control global configuration command before enabling IEEE 802.1x authentication on a specific interface.
The IEEE 802.1x protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports.
You can use the auto keyword only if the port is not configured as one of these:
•
•
•
•
Note
•
To disable IEEE 802.1x authentication globally on the switch, use the no dot1x system-auth-control global configuration command. To disable IEEE 802.1x authentication on a specific interface, use the no dot1x port-control interface configuration command.
Examples
This example shows how to enable IEEE 802.1x authentication on an interface:
Switch(config)# interface fastethernet0/1Switch(config-if)# dot1x port-control autoYou can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified interface.
dot1x re-authenticate
Use the dot1x re-authenticate privileged EXEC command to manually initiate a re-authentication of the IEEE 802.1x-enabled port.
dot1x re-authenticate {interface interface-id}
Syntax Description
Defaults
There is no default setting.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can use this command to re-authenticate a client without waiting for the configured number of seconds between re-authentication attempts (re-authperiod) and automatic re-authentication.
Examples
This example shows how to manually re-authenticate the device connected to an interface:
Switch# dot1x re-authenticate interface fastethernet0/1Related Commands
Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified interface.
dot1x re-authentication
This is an obsolete command.
In past releases, the dot1x re-authentication global configuration command was used to set the amount of time between periodic re-authentication attempts.
Command History
12.1(8)EA1
This command was introduced.
12.1(14)EA1
The dot1x reauthentication interface configuration command replaced the dot1x re-authentication global configuration command.
Related Commands
dot1x reauthentication
Use the dot1x reauthentication interface configuration command to enable periodic re-authentication of the client. Use the no form of this command to return to the default setting.
dot1x reauthentication
no dot1x reauthentication
Syntax Description
This command has no arguments or keywords.
Defaults
Periodic re-authentication is disabled.
Command Modes
Interface configuration
Command History
12.1(14)EA1
This command was introduced. It replaces the dot1x re-authentication global configuration command (with the hyphen).
Usage Guidelines
You configure the amount of time between periodic re-authentication attempts by using the dot1x timeout reauth-period interface configuration command.
Examples
This example shows how to disable periodic re-authentication of the client:
Switch(config-if)# no dot1x reauthenticationThis example shows how to enable periodic re-authentication and to set the number of seconds between re-authentication attempts to 4000 seconds:
Switch(config-if)# dot1x reauthenticationSwitch(config-if)# dot1x timeout reauth-period 4000You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
Sets the number of seconds between re-authentication attempts.
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified interface.
dot1x timeout
Use the dot1x timeout interface configuration command to set the IEEE 802.1x timers. Use the no form of this command to return to the default setting.
dot1x timeout {quiet-period seconds | ratelimit-period seconds | reauth-period {seconds | server} | server-timeout seconds | supp-timeout seconds | tx-period seconds}
no dot1x timeout {quiet-period | reauth-period | server-timeout | supp-timeout | tx-period}
Syntax Description
Defaults
These are the defaults:
quiet-period is 60 seconds.
rate-limit is 0 seconds.
reauth-period is 3600 seconds.
server-timeout is 30 seconds.
supp-timeout is 30 seconds.
tx-period is 5 seconds.
Command Modes
Interface configuration
Command History
Usage Guidelines
You should change the default values only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.
During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.
When the ratelimit-period is set to 0 (the default), the switch does not ignore EAPOL packets from clients that have been successfully authenticated and forwards them to the RADIUS server.
Examples
This example shows how to enable periodic re-authentication and to set 4000 as the number of seconds between re-authentication attempts:
Switch(config-if)# dot1x reauthenticationSwitch(config-if)# dot1x timeout reauth-period 4000This example shows how to enable periodic re-authentication and to specify the value of the Session-Timeout RADIUS attribute as the number of seconds between re-authentication attempts:
Switch(config-if)# dot1x reauthenticationSwitch(config-if)# dot1x timeout reauth-period serverThis example shows how to set 30 seconds as the quiet time on the switch:
Switch(config-if)# dot1x timeout quiet-period 30This example shows how to set 60 as the number of seconds to wait for a response to an EAP-request/identity frame from the client before re-transmitting the request:
Switch(config-if)# dot1x timeout tx-period 60This example shows how to set 45 seconds as the switch-to-client retransmission time for the EAP request frame:
Switch(config-if)# dot1x timeout supp-timeout 45This example shows how to set 45 seconds as the switch-to-authentication server retransmission time:
Switch(config)# dot1x timeout server-timeout 45This example shows how to return to the default re-authorization period:
Switch(config-if)# no dot1x timeout reauth-periodThis example shows how to set 30 as the number of seconds that the switch ignores EAPOL packets from successfully authenticated clients:
Switch(config-if)# dot1x timeout ratelimit-period 30You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.
Related Commands
Sets the maximum number of times that the switch sends an EAP-request/identity frame before restarting the authentication process.
Enables periodic re-authentication of the client.
show dot1x [interface interface-id]
Displays IEEE 802.1x status for the specified interface.
duplex
Use the duplex interface configuration command to specify the duplex mode of operation for Fast Ethernet and Gigabit Ethernet ports. Use the no form of this command to return to the default setting.
duplex {auto | full | half}
no duplex
Note
Syntax Description
auto
Port automatically detects whether it should run in full- or half-duplex mode.
full
Port is in full-duplex mode.
half
Port is in half-duplex mode.
Defaults
The default is auto.
Command Modes
Interface configuration
Command History
Usage Guidelines
Certain ports can be configured to be either full duplex or half duplex. Applicability of this command depends on the device to which the switch is attached.
For Fast Ethernet ports, setting the port to auto has the same effect as specifying half if the attached device does not autonegotiate the duplex parameter.
For Gigabit Ethernet ports, setting the port to auto has the same effect as specifying full if the attached device does not autonegotiate the duplex parameter.
You cannot configure duplex mode on GBIC interfaces.
If both ends of the line support autonegotiation, we highly recommend using the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do use the auto setting on the supported side.
If the speed is set to auto, the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.
Beginning with Cisco IOS Release 12.1(22)EA1, you can configure the duplex setting when the speed is set to auto.
If both the speed and duplex are set to specific values, autonegotiation is disabled.
Caution
Note
Examples
This example shows how to configure an interface for full duplex operation:
Switch(config)# interface gigabitethernet0/1Switch(config-if)# duplex fullYou can verify your setting by entering the show interfaces privileged EXEC command.
Related Commands
Displays the interface settings on the switch.
Sets the speed on a 10/100/1000 Mbps interface.
errdisable detect cause
Use the errdisable detect cause global configuration command to enable error disable detection for a specific cause or all causes. Use the no form of this command to disable the error disable detection feature.
errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}
no errdisable detect cause {all | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}
Syntax Description
Note
Defaults
Detection is enabled for all causes.
Command Modes
Global configuration
Command History
Usage Guidelines
A cause (dhcp-rate-limit, dtp-flap, and so forth) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state, an operational state similar to link-down state.
If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually recover an interface from the error-disabled state.
Examples
This example shows how to enable error disable detection for the link-flap error-disable cause:
Switch(config)# errdisable detect cause link-flapYou can verify your setting by entering the show errdisable detect privileged EXEC command.
Related Commands
Displays error-disabled detection information.
show interfaces status err-disabled
Displays interface status or a list of interfaces in the error-disabled state.
errdisable recovery
Use the errdisable recovery global configuration command to configure the recover mechanism variables. Use the no form of this command to return to the default setting.
errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps}} | {interval interval}
no errdisable recovery {cause {all | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps}} | {interval interval}
Syntax Description
Note
Defaults
Recovery is disabled for all causes.
The default recovery interval is 300 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
A cause (bpduguard, dhcp-rate-limit, and so forth) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state, an operational state similar to link-down state. If you do not enable the recovery for the cause, the interface stays in error-disabled state until you enter a shutdown and no shutdown interface configuration command. If you enable the recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out.
Otherwise, you must enter the shutdown then no shutdown commands to manually recover an interface from the error-disabled state.
Examples
This example shows how to enable the recovery timer for the BPDU guard error-disable cause:
Switch(config)# errdisable recovery cause bpduguardThis example shows how to set the timer to 500 seconds:
Switch(config)# errdisable recovery interval 500You can verify your settings by entering the show errdisable recovery privileged EXEC command.
Related Commands
Displays error-disabled recovery timer information.
show interfaces status err-disabled
Displays interface status or a list of interfaces in error-disabled state.
flowcontrol
Use the flowcontrol interface configuration command to set the receive or send flow-control value for an interface. When flow control send is on for a device and it detects any congestion at its end, it notifies the link partner or the remote device of the congestion by sending a pause frame. When flow control receive is on for the remote device and it receives a pause frame, it stops sending any data packets. This prevents any loss of data packets during the congestion period.
Use the receive off and send off keywords to disable flow control.
flowcontrol {receive | send} {desired | off | on}
Note
Syntax Description
