Table Of Contents

Catalyst 3550 Switch Cisco IOS Commands

aaa accounting dot1x

aaa authentication dot1x

aaa authorization network

access-list hardware program nonblocking

action

archive download-sw

archive tar

archive upload-sw

arp access-list

auto qos voip

boot buffersize

boot config-file

boot enable-break

boot helper

boot helper-config-file

boot manual

boot private-config-file

boot system

channel-group

channel-protocol

class

class-map

clear ip arp inspection log

clear ip arp inspection statistics

clear ip dhcp snooping

clear l2protocol-tunnel counters

clear lacp

clear mac address-table

clear pagp

clear port-security

clear spanning-tree counters

clear spanning-tree detected-protocols

clear vmps statistics

clear vtp counters

cluster commander-address

cluster discovery hop-count

cluster enable

cluster holdtime

cluster member

cluster outside-interface

cluster run

cluster standby-group

cluster timer

define interface-range

delete

deny

deny (ARP access-list configuration)

dot1x

dot1x auth-fail max-attempts

dot1x auth-fail vlan

dot1x control-direction

dot1x critical (global configuration)

dot1x critical (interface configuration)

dot1x default

dot1x fallback

dot1x guest-vlan

dot1x host-mode

dot1x initialize

dot1x mac-auth-bypass

dot1x max-reauth-req

dot1x max-req

dot1x multiple-hosts

dot1x pae

dot1x port-control

dot1x re-authenticate

dot1x re-authentication

dot1x reauthentication

dot1x timeout

duplex

errdisable detect cause

errdisable recovery

fallback profile

flowcontrol

interface port-channel

interface range

interface vlan

ip access-group

ip address

ip admission

ip admission name proxy http

ip arp inspection filter vlan

ip arp inspection limit

ip arp inspection log-buffer

ip arp inspection trust

ip arp inspection validate

ip arp inspection vlan

ip arp inspection vlan logging

ip dhcp snooping

ip dhcp snooping binding

ip dhcp snooping database

ip dhcp snooping information option

ip dhcp snooping information option allow-untrusted

ip dhcp snooping information option format remote-id

ip dhcp snooping information option format snmp-ifindex

ip dhcp snooping limit rate

ip dhcp snooping trust

ip dhcp snooping verify

ip dhcp snooping vlan

ip dhcp snooping vlan information option format-type circuit-id string

ip igmp filter

ip igmp max-groups

ip igmp profile

ip igmp snooping

ip igmp snooping last-member-query-interval

ip igmp snooping querier

ip igmp snooping report-suppression

ip igmp snooping source-only-learning age-timer

ip igmp snooping tcn

ip igmp snooping tcn flood

ip igmp snooping vlan immediate-leave

ip igmp snooping vlan mrouter

ip igmp snooping vlan static

ip source binding

ip ssh

ip verify source

ip vrf (global configuration)

ip vrf (interface configuration)

l2protocol-tunnel

l2protocol-tunnel cos

lacp port-priority

lacp system-priority

logging event

logging file

mac access-group

mac access-list extended

mac address-table aging-time

mac address-table notification

mac address-table static

mac address-table static drop

macro apply

macro description

macro global

macro global description

macro name

match (access-map configuration)

match (class-map configuration)

mls aclmerge delay

mls qos

mls qos aggregate-policer

mls qos cos

mls qos cos policy-map

mls qos dscp-mutation

mls qos map

mls qos min-reserve

mls qos monitor

mls qos trust

monitor session

mvr (global configuration)

mvr (interface configuration)

pagp learn-method

pagp port-priority

permit

permit (ARP access-list configuration)

police

police aggregate

policy-map

port-channel load-balance

power inline

priority-queue

radius-server dead-criteria

rcommand

remote-span

rmon collection stats

Catalyst 3550 Switch Cisco IOS Commands

---

aaa accounting dot1x

Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.

aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+} [group {name | radius | tacacs+} ... ] | group {name | radius | tacacs+} [group {name | radius | tacacs+} ...]}

no aaa accounting dot1x {name | default}

Syntax Description

name	Name of a server group. This is optional when you enter it after the broadcast group and group keywords.
default	Use the accounting methods that follow as the default list for accounting services.
start-stop	Send a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested-user process begins regardless of whether or not the start accounting notice was received by the accounting server.
broadcast	Enable accounting records to be sent to multiple AAA servers and send accounting records to the first server in each group. If the first server is unavailable, the switch uses the list of backup servers to identify the first server.
group	Specify the server group to be used for accounting services. These are valid server group names: •name—Name of a server group. •radius—List of all RADIUS hosts. •tacacs+—List of all TACACS+ hosts. The group keyword is optional when you enter it after the broadcast group and group keywords. You can enter more than optional group keyword.
radius	(Optional) Enable RADIUS authorization.
tacacs+	(Optional) Enable TACACS+ accounting.

Defaults

AAA accounting is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(20)SE	This command was introduced.

Usage Guidelines

This command requires access to a RADIUS server.

---

Note We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.

---

Examples

This example shows how to configure IEEE 802.1x accounting:

Switch(config)# aaa accounting dot1x default start-stop group radius

Switch(config)#

---

Note The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.

---

Related Commands

Command	Description
aaa authentication dot1x	Specifies one or more AAA methods for use on interfaces running IEEE 802.1x authentication.
dot1x re-authentication	Enables or disables periodic reauthentication.
dot1x timeout reauth-period	Sets the number of seconds between re-authentication attempts.

aaa authentication dot1x

Use the aaa authentication dot1x global configuration command to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with IEEE 802.1x authentication. Use the no form of this command to disable authentication.

aaa authentication dot1x {default} method1

no aaa authentication dot1x {default}

Syntax Description

default	Use the listed authentication method that follows this argument as the default method when a user logs in.
method1	Enter the group radius keywords to use the list of all RADIUS servers for authentication.

---

Note Though other commands are visible in the command-line help strings, only the default and group radius keywords are supported.

---

Defaults

No authentication is performed.

Command Modes

Global configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.

Usage Guidelines

The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.

If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

Examples

This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.

Switch(config)# aaa new-model

Switch(config)# aaa authentication dot1x default group radius

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
aaa new-model	Enables the AAA access control model. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands.
show running-config	Displays the current operating configuration. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

aaa authorization network

Use the aaa authorization network global configuration command to the configure the switch to use user-RADIUS authorization for all network-related service requests, such as IEEE 802.1x per-user access control lists (ACLs) or VLAN assignment. Use the no form of this command to disable the switch for RADIUS user authorization.

aaa authorization network default group radius

no aaa authorization network default

Syntax Description

default group radius

Use the list of all RADIUS hosts in the server group as the default authorization list.

Defaults

Authorization is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.

Usage Guidelines

Use the aaa authorization network default group radius global configuration command to allow the switch to download IEEE 802.1x authorization parameters from the RADIUS servers in the default authorization list. The authorization parameters are used by features such as per-user ACLs or VLAN assignment to get parameters from the RADIUS servers.

Use the show running-config privileged EXEC command to display the configured lists of authorization methods.

Examples

This example shows how to configure the switch for user RADIUS authorization for all network-related service requests:

Switch(config)# aaa authorization network default group radius

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
show running-config	Displays the current operating configuration. For syntax information, select Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

access-list hardware program nonblocking

Use the access-list hardware program nonblocking global configuration command to cause the system to continue to forward frames even while a new security access-control list (ACL) configuration is being programmed into the hardware. Use the no form of this command to return to the default behavior, where traffic is blocked on affected interfaces when changes are made to the security ACL configuration while the hardware is updated with the new configuration.

access-list hardware program nonblocking

no access-list hardware program nonblocking

Syntax Description

This command has no arguments or keywords.

Defaults

Traffic is blocked on affected interfaces while a new ACL configuration is loaded into hardware.

Command Modes

Global configuration

Command History

Release	Modification
12.1(11)EA1	This command was introduced.

Usage Guidelines

By default, when changes are made to the configuration of security ACLs, the system completely blocks traffic on the affected ports or VLANs while it is updating the hardware to the new configuration. This includes any changes that affect the ternary content addressable memory (TCAM), including applying an ACL to an interface or making changes to VLAN maps or ACLs that are used for security features. This prevents the possibility of forwarding frames that should have been dropped because a partially loaded configuration permitted a frame that the complete configuration would have blocked.

You can use the access-list hardware program nonblocking command to set the system to continue to forward frames while a new security ACL configuration is being programmed into the hardware. Enabling this setting might cause less disruption to traffic that should be allowed while the hardware is being updated, but might also temporarily allow some traffic that would be denied when the new configuration is completely loaded.

Examples

This example shows how to set the system to continue forwarding frames while a new security ACL configuration is being programmed into hardware:

Switch (config)# access-list hardware program nonblocking

You can verify your setting by entering the show running-config | include access-list hardware privileged EXEC command.

Related Commands

Command	Description
access-list {deny | permit}	Configures a standard numbered ACL. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
action (access map configuration)	Defines or modifies the action for the VLAN access map entry.
ip access-group	Applies an IP access list to a Layer 2 or Layer 3 interface.
ip access-list	Configures a named access list. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
mac access-group	Applies a MAC access list to a Layer 2 interface.
match (access-map configuration)	Defines the match conditions for a VLAN map.
show running-config | include access-list hardware	Displays the current operating configuration. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.
vlan access-map	Creates a VLAN access map or enters access-map configuration mode.
vlan filter	Applies a VLAN map to one or more VLANs.

action

Use the action access map configuration command to set the action for the VLAN access map entry. Use the no form of this command to return to the default setting.

action {drop | forward}

no action

Syntax Description

drop	Drop the packet when the specified conditions are matched.
forward	Forward the packet when the specified conditions are matched.

Defaults

The default action is to forward packets.

Command Modes

Access-map configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

You enter access-map configuration mode by using the vlan access-map global configuration command.

If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.

In access map configuration mode, use the match access map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.

The drop and forward parameters are not used in the no form of the command.

Examples

This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:

Switch(config)# vlan access-map vmap4

Switch(config-access-map)# match ip address al2

Switch(config-access-map)# action forward

Switch(config-access-map)# exit

Switch(config)# vlan filter vmap4 vlan-list 5-6

You can verify your settings by entering the show vlan access-map privileged EXEC command.

Related Commands

Command	Description
access-list {deny | permit}	Configures a standard numbered ACL. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
ip access-list	Creates a named access list. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
mac access-list extended	Creates a named MAC address access list.
match (access-map configuration)	Defines the match conditions for a VLAN map.
show vlan access-map	Displays the VLAN access maps created on the switch.
vlan access-map	Creates a VLAN access map.

archive download-sw

Use the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch and overwrite or keep the existing image.

archive download-sw {/force-reload | /imageonly | /leave-old-sw | /no-set-boot | /overwrite | /reload | /safe} source-url

Syntax Description

/force-reload	Unconditionally force a system reload after successfully downloading the software image.
/imageonly	Download only the software image but not the HTML files associated with the device manager. The HTML files for the existing version are deleted only if the existing version is being overwritten or removed.
/leave-old-sw	Keep the old software version after a successful download.
/no-set-boot	Do not alter the setting of the BOOT environment variable to point to the new software image after it is successfully downloaded.
/overwrite	Overwrite the software image in flash with the downloaded one.
/reload	Reload the system after successfully downloading the image unless the configuration has been changed and not been saved.
/safe	Keep the current software image; do not delete it to make room for the new software image before the new image is downloaded. The current image is deleted after the download.
source-url	The source URL alias for a local or network file system. These options are supported: •The syntax for the local flash file system: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/image-name.tar •The syntax for an HTTP server: http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar •The syntax for a secure HTTP server: https://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar •The syntax for the Remote Copy Protocol (RCP): rcp:[[//username@location]/directory]/image-name.tar •The syntax for the TFTP: tftp:[[//location]/directory]/image-name.tar The image-name.tar is the software image to download and install on the switch.

Defaults

The current software image is not overwritten with the downloaded image.

Both the software image and HTML files are downloaded.

The new image is downloaded to the flash: file system.

The BOOT environment variable is changed to point to the new software image on the flash: file system.

Image names are case sensitive; the image file is provided in tar format.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(4)EA1	This command was introduced.
12.2(25)SE	The http and https keywords were added.

Usage Guidelines

Use the /overwrite option to overwrite the image on the flash device with the downloaded one.

If the flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.

If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.

The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.

Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash space.

If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the "delete" section.

If you leave the existing software in place before downloading the new image, an error results if the existing software will prevent the new image from fitting onto flash memory.

After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.

Examples

This example shows how to download a new image from a TFTP server at 172.20.129.10 and overwrite the image on the switch:

Switch# archive download-sw /overwrite tftp://172.20.129.10/test-image.tar 

This example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:

Switch# archive download-sw /image-only tftp://172.20.129.10/test-image.tar 

This example shows how to keep the old software version after a successful download:

Switch# archive download-sw /leave-old-sw tftp://172.20.129.10/test-image.tar 

Related Commands

Command	Description
archive tar	Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.
archive upload-sw	Uploads an existing image on the switch to a server.
delete	Deletes a file or directory on the flash memory device.

archive tar

Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.

archive tar {/create destination-url flash:/file-url} | {/table source-url} | {/xtract source-url flash:/file-url [dir/file...]}

Syntax Description

/create destination-url flash:/file-url	Create a new tar file on the local or network file system. For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create. These options are supported: •The syntax for the local flash filesystem: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/tar-filename.tar •The syntax for the Remote Copy Protocol (RCP): rcp:[[//username@location]/directory]/tar-filename.tar •The syntax for the TFTP: tftp:[[//location]/directory]/tar-filename.tar The tar-filename.tar is the tar file to be created. For flash:/file-url, specify the location on the local flash file system from which the new tar file is created. An optional list of files or directories within the source directory can be specified to write to the new tar file. If none are specified, all files and directories at this level are written to the newly created tar file.
/table source-url	Display the contents of an existing tar file to the screen. For source-url, specify the source URL alias for the local or network file system. These options are supported: •The syntax for the local flash file system: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/tar-filename.tar •The syntax for the Remote Copy Protocol (RCP): rcp:[[//username@location]/directory]/tar-filename.tar •The syntax for the TFTP: tftp:[[//location]/directory]/tar-filename.tar The tar-filename.tar is the tar file to display.
/xtract source-url flash:/file-url [dir/file...]	Extract files from a tar file to the local file system. For source-url, specify the source URL alias for the local or network file system. These options are supported: •The syntax for the local flash file system: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/tar-filename.tar •The syntax for the Remote Copy Protocol (RCP): rcp:[[//username@location]/directory]/tar-filename.tar •The syntax for the TFTP: tftp:[[//location]/directory]/tar-filename.tar The tar-filename.tar is the tar file from which to extract. For flash:/file-url, specify the location on the local flash file system into which the tar file is extracted. For flash:/file-url [dir/file...], specify the location on the local flash file system into which the tar file is extracted. Use the dir/file... option to specify an optional list of files or directories within the tar file to be extracted. If none are specified, all files and directories are extracted.

Defaults

None

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Filenames and directory names are case sensitive.

Image names are case sensitive.

Examples

This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:

Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configs

This example shows how to display the contents of the c3550-ipservices-tar.122-25.tar file that is in flash memory. The contents of the tar file appear on the screen:

Switch# archive tar /table flash:c3550-ipservices-tar.122-25.tar

info (219 bytes)

c3550-ipservices-mz.122-25.SEB/ (directory)

c3550-ipservices-mz.122-25/html/ (directory)

c3550-ipservices-mz.122-25/c3550-mz.122-25.SEB.bin (6074880 bytes)

c3550-ipservices-mz.122-25/info (219 bytes)

info.ver (219 bytes)

This example shows how to display only the c3550-ipservices-mz.122-25.SEB/html directory and its contents:

Switch# archive tar /table flash:c3550-ipservices-tar.122-25.SEB.tar 
c3550-ipservices-mz.122-25.SEB/html

c3550-ipservices-mz.122-25.SEB/html/ (directory)

c3550-ipservices-mz.122-25SEB/html/const.htm (556 bytes)

c3550-ipservices-mz.122-25SEB/html/xhome.htm (9373 bytes)

c3550-ipservices-mz.122-25SEB/html/menu.css (1654 bytes)

<output truncated>

This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.

Switch# archive tar /xtract tftp:/172.20.10.30/saved.tar flash:/ new-configs

Related Commands

Command	Description
archive download-sw	Downloads a new image to the switch.
archive upload-sw	Uploads an existing image on the switch to a server.

archive upload-sw

Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.

archive upload-sw [/version version_string] destination-url

Syntax Description

/version version_string

(Optional) Specify the specify version string of the image to be uploaded.

destination-url

The destination URL alias for a local or network file system. These options are supported: •The syntax for the local flash file system: flash: •The syntax for the FTP: ftp:[[//username[:password]@location]/directory]/image-name.tar •The syntax for the Remote Copy Protocol (RCP): rcp:[[//username@location]/directory]/image-name.tar •The syntax for the TFTP: tftp:[[//location]/directory]/image-name.tar The image-name.tar is the name of the software image to be stored on the server.

Defaults

Uploads the currently running image from the flash: file system.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

The upload feature is available only if the HTML files associated with the device manager have been installed with the existing image.

The files are uploaded in this sequence: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the software creates the tar file.

Image names are case sensitive.

Examples

This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:

Switch# archive upload-sw tftp://172.20.140.2/test-image.tar 

Related Commands

Command	Description
archive download-sw	Downloads a new image to the switch.
archive tar	Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.

arp access-list

Use the arp access-list global configuration command to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.

arp access-list acl-name

no arp access-list acl-name

This command is available only if your switch is running the IP services image, formerly known as the enhanced multilayer image (EMI).

Syntax Description

acl-name

Name of the ACL.

Defaults

No ARP access lists are defined.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:

•default: returns a command to its default setting.

•deny: specifies packets to reject. For more information, see the "deny (ARP access-list configuration)" section.

•exit: exits ARP access-list configuration mode.

•no: negates a command or returns to default settings.

•permit: specifies packets to forward. For more information, see the "permit (ARP access-list configuration)" section.

Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.

When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).

Examples

This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:

Switch(config)# arp access-list static-hosts

Switch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 00001.0000.abcd

Switch(config-arp-nacl)# end

You can verify your settings by entering the show arp access-list privileged EXEC command.

Related Commands

Command	Description
deny (ARP access-list configuration)	Denies an ARP packet based on matches compared against the DHCP bindings.
ip arp inspection filter vlan	Permits ARP requests and responses from a host configured with a static IP address.
permit (ARP access-list configuration)	Permits an ARP packet based on matches compared against the DHCP bindings.
show arp access-list	Displays detailed information about ARP access lists.

auto qos voip

Use the auto qos voip interface configuration command to automatically configure quality of service (auto-QoS) for voice over IP (VoIP) within a QoS domain. Use the no form of this command to change the auto-QoS configuration settings to the standard QoS defaults.

auto qos voip {cisco-phone | cisco-softphone | trust}

no auto qos voip

Syntax Description

cisco-phone	Identify this interface as connected to a Cisco IP Phone, and automatically configure QoS for VoIP. The QoS labels of incoming packets are trusted only when the telephone is detected.
cisco-softphone	Identify this port as connected to a device running the Cisco SoftPhone, and automatically configure QoS for VoIP.
trust	Identify this interface as connected to a trusted switch or router, and automatically configure QoS for VoIP. The QoS labels of incoming packets are trusted.

Defaults

Auto-QoS is disabled on all interfaces.

When auto-QoS is enabled, it uses the ingress packet label to categorize traffic and class of service (CoS) packet labels and to configure the egress queues as summarized in Table 2-1.

Table 2-1 Traffic Types, Packet Labels, and Egress Queues

	VoIP Data Traffic	VoIP Control Traffic	Routing Protocol Traffic	STP1 BPDU2 Traffic	Real-Time Video Traffic	All Other Traffic
DSCP3	46	24, 26	48	56	34	— —
CoS	5	3	6	7	4
CoS-to-Queue Map	5	3, 6, 7			4	2	0, 1
Egress Queue	Expedite (queue 4)	70% WRR4 (queue 3)			20% WRR (queue 2)	20% WRR (queue 2)	10% WRR (queue 1)

1 STP = Spanning Tree Protocol 2 BPDU = bridge protocol data unit 3 DSCP = Differentiated Services Code Point 4 WRR = weighted round robin

Table 2-2 lists the auto-QoS configuration for the egress queues.

Table 2-2 Auto-QoS Configuration for the Egress Queues

Egress Queue	Queue Number	CoS-to-Queue Map	Queue Weight	Queue Size for Gigabit-Capable Ports	Queue Size (in packets) for 10/100 Ethernet Ports
Expedite	4	5	-	10 percent	34 (10 percent)
70% WRR	3	3, 6, 7	70 percent	15 percent	51 (15 percent)
20% WRR	2	2, 4	20 percent	25 percent	82 (25 percent)
10% WRR	1	0, 1	10 percent	50 percent	170 (50 percent)

Command Modes

Interface configuration

Command History

Release	Modification
12.1(12c)EA1	This command was introduced.
12.1(20)EA2	The cisco-softphone keyword was added, and the generated auto-QoS configuration changed.

Usage Guidelines

Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and the edge devices that can classify incoming traffic for QoS.

In releases earlier than Cisco IOS Release 12.1(20)EA2, auto-QoS configures the switch only for VoIP with Cisco IP Phones on switch ports.

In Cisco IOS Release 12.1(20)EA2 or later, auto-QoS configures the switch for VoIP with Cisco IP Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application. These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use Cisco Call Manager Version 4 or later.

To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.

---

Note The switch applies the auto-QoS-generated commands as if the commands were entered from the command-line interface (CLI). An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.

---

If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.

When you enable the auto-QoS feature on the first interface, these automatic actions occur:

•QoS is globally enabled (mls qos global configuration command).

•When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the interface is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The egress queues on the interface are also reconfigured (see Table 2-2).

•When you enter the auto qos voip cisco-softphone interface configuration command on a port at the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses policing to decide whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. The egress queues on the interface are also reconfigured (see Table 2-2).

•When you enter the auto qos voip trust interface configuration command on a port connected to the interior of the network, the ingress classification on the interface is set to trust the QoS label received in the packet, and the egress queues on the interface are reconfigured (see Table 2-2).

You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.

---

Note When a device running Cisco SoftPhone is connected to a switch or routed port, the switch supports only one Cisco SoftPhone application per port.

---

After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy from the interface, and apply the new policy map.

To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging.

To disable auto-QoS on an interface, use the no auto qos voip interface configuration command. When you enter this command, the switch enables standard QoS and changes the auto-QoS settings to the standard-QoS default settings for that interface.

To disable auto-QoS on the switch, use the no mls qos global configuration command. When you enter this command, the switch disables QoS on all interfaces and enables pass-through mode.

Examples

This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to an interface is a trusted device:

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# auto qos voip trust

This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the device connected to an interface is detected as a Cisco IP Phone:

Switch(config)# interface fastethernet0/1

Switch(config-if)# auto qos voip cisco-phone

This example shows how to display the QoS configuration that is automatically generated when auto-QoS is enabled:

Switch# debug auto qos

AutoQoS debugging is on

Switch# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)# interface fastethernet0/1

Switch(config-if)# auto qos voip trust

Switch(config-if)#

4d22h:mls qos map cos-dscp 0 8 16 26 32 46 48 56

4d22h:mls qos min-reserve 5 170

4d22h:mls qos min-reserve 6 85

4d22h:mls qos min-reserve 7 51

4d22h:mls qos min-reserve 8 34

4d22h:mls qos

4d22h:interface FastEthernet0/1

4d22h: mls qos trust cos

4d22h: wrr-queue bandwidth 10 20 70 1

4d22h: wrr-queue min-reserve 1 5

4d22h: wrr-queue min-reserve 2 6

4d22h: wrr-queue min-reserve 3 7

4d22h: wrr-queue min-reserve 4 8

4d22h: no wrr-queue cos-map

4d22h: wrr-queue cos-map 1 0 1 

4d22h: wrr-queue cos-map 2 2 4

4d22h: wrr-queue cos-map 3 3 6 7

4d22h: wrr-queue cos-map 4 5

4d22h: priority-queue out

Switchconfig-if)# interface gigabitethernet0/1

Switch(config-if)# auto qos voip cisco-phone

Switch(config-if)#

4d22h:interface GigabitEthernet0/1

4d22h: mls qos trust device cisco-phone

4d22h: mls qos trust cos

4d22h: wrr-queue bandwidth 10 20 70 1

4d22h: wrr-queue queue-limit 50 25 15 10

4d22h: no wrr-queue cos-map

4d22h: wrr-queue cos-map 1 0 1

4d22h: wrr-queue cos-map 2 2 4

4d22h: wrr-queue cos-map 3 3 6 7

4d22h: wrr-queue cos-map 4 5

4d22h: priority-queue out

Switch(config-if)#

You can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.

Related Commands

Command	Description
debug auto qos	Enables debugging of the auto-QoS feature.
mls qos map {cos-dscp dscp1 ... dscp8 | dscp-cos dscp-list to cos}	Defines the CoS-to-DSCP map or the DSCP-to-CoS map.
mls qos trust	Configures the port trust state.
show auto qos	Displays auto-QoS information.
show mls qos	Displays global QoS configuration information.
show mls qos interface	Displays QoS information at the interface level.
show mls qos maps	Displays QoS mapping information.

boot buffersize

Use the boot buffersize global configuration command to specify the size of the file system-simulated NVRAM in flash memory. The buffer holds a copy of the configuration file in memory. Use the no form of this command to return to the default setting.

boot buffersize size

no boot buffersize

Syntax Description

size	The buffer allocation size in bytes. The range is 4096 to 524288 bytes.

Defaults

The default is 32 KB.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

The configuration file cannot be larger than the buffer size allocation.

You must reload the switch by using the reload privileged EXEC command for this command to take effect.

This command changes the setting of the CONFIG_BUFSIZE environment variable. For more information, see Appendix A, "Catalyst 3550 Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot config-file

Use the boot config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.

boot config-file flash:/file-url

no boot config-file

Syntax Description

flash:/file-url

The path (directory) and name of the configuration file.

Defaults

The default configuration file is flash:config.text.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Filenames and directory names are case sensitive.

This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix A, "Catalyst 3550 Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot enable-break

Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.

boot enable-break

no boot enable-break

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled. The automatic boot process cannot be interrupted by pressing the Break key on the console.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

When you enter this command, you can interrupt the automatic boot process by pressing the Break key on the console after the flash file system is initialized.

---

Note Despite the setting of this command, you can interrupt the automatic boot process at any time by pressing the MODE button on the switch front panel.

---

This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix A, "Catalyst 3550 Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot helper

Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default setting.

boot helper filesystem:/file-url ...

no boot helper

Syntax Description

filesystem:	Alias for a flash file system. Use flash: for the system board flash device.
/file-url	The path (directory) and a list of loadable files to dynamically load during loader initialization. Separate each image name with a semicolon.

Defaults

No helper files are loaded.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Filenames and directory names are case sensitive.

This command changes the setting of the HELPER environment variable. For more information, see Appendix A, "Catalyst 3550 Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot helper-config-file

Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. This variable is used only for internal development and testing. Use the no form of this command to return to the default setting.

boot helper-config-file filesystem:/file-url

no boot helper-config file

Syntax Description

filesystem:	Alias for a flash file system. Use flash: for the system board flash device.
/file-url	The path (directory) and helper configuration file to load.

Defaults

No helper configuration file is specified.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Filenames and directory names are case sensitive.

This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix A, "Catalyst 3550 Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot manual

Use the boot manual global configuration command to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.

boot manual

no boot manual

Syntax Description

This command has no arguments or keywords.

Defaults

Manual booting is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot the system, use the boot boot loader command, and specify the name of the bootable image.

This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix A, "Catalyst 3550 Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot private-config-file

Use the boot private-config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.

boot private-config-file filename

no boot private-config-file

Syntax Description

filename

The name of the private configuration file.

Defaults

The default configuration file is private-config.text.

Command Modes

Global configuration

Command History

Release	Modification
12.1(11)EA1	This command was introduced.

Usage Guidelines

Only the Cisco IOS software can read and write a copy of the private configuration file. You cannot read, write, delete, or display a copy of this file.

Filenames are case sensitive.

Examples

This example shows how to specify the name of the private configuration file to be pconfig:

Switch(config)# boot private-config-file pconfig

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

boot system

Use the boot system global configuration command to specify the Cisco IOS image to load during the next boot cycle. Use the no form of this command to return to the default setting.

boot system filesystem:/file-url ...

no boot system

Syntax Description

filesystem:	Alias for a flash file system. Use flash: for the system board flash device.
/file-url	The path (directory) and name of a bootable image. Separate image names with a semicolon.

Defaults

The switch attempts to automatically boot the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Filenames and directory names are case sensitive.

If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.

This command changes the setting of the BOOT environment variable. For more information, see Appendix A, "Catalyst 3550 Switch Boot Loader Commands."

Related Commands

Command	Description
show boot	Displays the settings of the boot environment variables.

channel-group

Use the channel-group interface configuration command to assign an Ethernet interface to an EtherChannel group, to enable an EtherChannel mode, or both. Use the no form of this command to remove an Ethernet interface from an EtherChannel group.

channel-group channel-group-number mode {active | {auto [non-silent]} | {desirable [non-silent]} | on | passive}

no channel-group

PAgP modes:
channel-group channel-group-number mode {{auto [non-silent]} | {desirable [non-silent}}

LACP modes:
channel-group channel-group-number mode {active | passive}

On mode:
channel-group channel-group-number mode on

Syntax Description

channel-group-number	Specify the channel group number. The range is 1 to 64.
mode	Specify the EtherChannel Port Aggregation Protocol (PAgP) mode of the interface.
active	Unconditionally enable Link Aggregation Control Protocol (LACP). Active mode places a port into a negotiating state in which the port initiates negotiations with other ports by sending LACP packets. A channel is formed with another port group in either the active or passive mode.
auto	Enable PAgP only if a PAgP device is detected. Auto mode places an interface into a passive negotiating state, in which the interface responds to PAgP packets it receives but does not start PAgP packet negotiation. A channel is formed only with another port group in desirable mode. When auto is enabled, silent operation is the default.
desirable	Unconditionally enable PAgP. Desirable mode places an interface into an active negotiating state, in which the interface starts negotiations with other interfaces by sending PAgP packets. A channel is formed with another port group in either the desirable or auto mode. When desirable is enabled, silent operation is the default.
non-silent	(Optional) Use in PAgP mode with the auto or desirable keyword when traffic is expected from the other device.
on	Enable on mode. In on mode, a usable EtherChannel exists only when both connected port groups are in the on mode.
passive	Enable LACP only if a LACP device is detected. Passive mode places an interface into a negotiating state in which the interface responds to LACP packets it receives but does not initiate LACP packet negotiation. A channel is formed only with another port group in active mode.

Defaults

No channel groups are assigned.

No mode is configured.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.
12.1(12c)EA1	The active and passive keywords were added.

Usage Guidelines

You do not have to create a port-channel interface before assigning a physical interface to a channel group. A port-channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.

You do not have to disable the IP address that is assigned to a physical interface that is part of a channel group, but we highly recommend that you do so.

For Layer 2 EtherChannels, you must configure the channel-group interface configuration command, which automatically creates the port-channel logical interface. You cannot put Layer 2 interfaces into a manually created port-channel interface.

You create Layer 3 port channels by using the interface port-channel command. You must manually configure the port-channel logical interface before putting the interface into the channel group.

Any configuration or attribute changes you make to the port-channel interface are propagated to all interfaces within the same channel group as the port channel (for example, configuration changes are also propagated to the physical interfaces that are not part of the port channel, but are part of the channel group).

If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational; however, it allows PAgP to operate, to attach the interface to a channel group, and to use the interface for transmission. Both ends of the link cannot be set to silent.

With the on mode, a PAgP EtherChannel exists only when a port group in on mode is connected to another port group in on mode.

---

Caution You should use care when using the on mode. This is a manual configuration, and ports on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.

---

---

Note You cannot enable both PAgP and LACP modes on an EtherChannel group.

---

Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.

---

Note If IEEE 802.1x authentication is enabled on a not-yet active port of an EtherChannel in software releases earlier than Cisco IOS Release 12.2(25)SE, the port does not join the EtherChannel.

---

Do not configure a secure port as part of an EtherChannel.

---

Caution Do not enable Layer 3 addresses on the physical EtherChannel interfaces. Do not assign bridge groups on the physical EtherChannel interfaces because it creates loops.

---

Examples

This example shows how to assign two interfaces as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable:

Switch# configure terminal 

Switch(config)# interface range gigabitethernet0/4 -5 

Switch(config-if-range)# switchport mode access

Switch(config-if-range)# switchport access vlan 10

Switch(config-if-range)# channel-group 5 mode desirable 

Switch(config-if-range)# end 

This example shows how to set an EtherChannel into PAgP mode:

Switch(config-if)# channel-group 1 mode auto 

Creating a port-channel interface Port-channel 1

This example shows how to set an EtherChannel into LACP mode:

Switch(config-if)# channel-group 1 mode passive 

Creating a port-channel interface Port-channel 1

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
interface port-channel	Accesses or creates the port channel.
show lacp	Display LACP information.
show pagp	Display PAgP information.
show running-config	Displays the current operating configuration. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

channel-protocol

Use the channel-protocol interface configuration command to configure an EtherChannel for the Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP). Use the no form of this command to disable PAgP or LACP on the EtherChannel.

channel-protocol {lacp | pagp}

no channel-protocol

Syntax Description

lacp	Configure an EtherChannel with the LACP protocol.
pagp	Configure an EtherChannel with the PAgP protocol.

Defaults

No protocol is assigned to the EtherChannel.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(12c)EA1	This command was introduced.

Usage Guidelines

Use the channel-protocol command only to restrict a channel to LACP or PAgP.

You must use the channel-group interface command to configure the EtherChannel parameters. The channel-group command can also set the EtherChannel for a channel.

---

Note You cannot enable both PAgP and LACP modes on an EtherChannel group.

---

---

Caution Do not enable Layer 3 addresses on the physical EtherChannel interfaces. To prevent loops, do not assign bridge groups on the physical EtherChannel interfaces.

---

Examples

This example shows how to set an EtherChannel into PAgP mode:

Switch(config-if)# channel-protocol pagp

This example shows how to set an EtherChannel into LACP mode:

Switch(config-if)# channel-protocol lacp

You can verify your settings by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
show lacp	Display LACP information.
show pagp	Display PAgP information.
show running-config	Displays the current operating configuration. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

class

Use the class policy-map configuration command to define a traffic classification for the policy to act on. Use the no form of this command to delete an existing class map.

class class-map-name

no class class-map-name

Syntax Description

class-map-name

Name of the class map.

---

Note Though visible in the command-line help strings, the class class-default option is not supported.

---

Defaults

No policy map class-maps are defined.

Command Modes

Policy-map configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.
12.1(9)EA1	The access-group, any, dscp, destination-address, input-interface, precedence, protocol, and source-address keywords were removed.

Usage Guidelines

Use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode before you use the class command. After you specify a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map. You attach the policy map to an interface by using the service-policy interface configuration command.

The class name that you specify in the policy map ties the characteristics for that class to the class map and its match criteria as configured by using the class-map global configuration command.

The class command performs the same function as the class-map global configuration command. Use the class command when a new classification, which is not shared with any other ports, is needed. Use the class-map command when the map is shared among many ports.

After you enter the class command, the switch enters policy-map class configuration mode, and these configuration commands are available:

•exit: exits policy-map class configuration mode and returns to policy-map configuration mode.

•no: returns a command to its default setting.

•police: defines a policer or aggregate policer for the classified traffic. The policer specifies the bandwidth limitations and the action to take when the limits are exceeded. For more information, see the police and police aggregate policy-map class commands.

•set: specifies a value to be assigned to the classified traffic. For more information, see the set command.

•trust: defines a trust state for traffic classified with the class or the class-map command. For more information, see the trust command.

To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.

Examples

This example shows how to create a policy map called policy1. When attached to the ingress direction, it matches all the incoming traffic defined in class1, sets the IP DSCP to 10, and polices the traffic at an average rate of 1 Mbps and for 20 KB bursts. Traffic exceeding the profile is marked down to a DSCP value obtained from the policed-DSCP map and then sent.

Switch(config)# policy-map policy1

Switch(config-pmap)# class class1

Switch(config-pmap-c)# set dscp 10

Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmit

Switch(config-pmap-c)# exit

You can verify your settings by entering the show policy-map privileged EXEC command.

Related Commands

Command	Description
class-map	Creates a class map to be used for matching packets to the class whose name you specify.
policy-map	Creates or modifies a policy map that can be attached to multiple interfaces to specify a service policy.
show policy-map	Displays quality of service (QoS) policy maps.

class-map

Use the class-map global configuration command to create a class map to be used for matching packets to the class whose name you specify and to enter class-map configuration mode. Use the no form of this command to delete an existing class map and to return to global configuration mode.

class-map [match-all | match-any] class-map-name

no class-map [match-all | match-any] class-map-name

Syntax Description

match-all	(Optional) Perform a logical-AND of all matching statements under this class map. All criteria in the class map must be matched.
match-any	(Optional) Perform a logical-OR of the matching statements under this class map. One or more criteria must be matched.
class-map-name	Name of the class map.

Defaults

No class maps are defined.

When neither the match-all or match-any keyword is specified, the default is match-all.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode.

The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally named service policy applied on a per-interface basis.

After you are in quality of service (QoS) class-map configuration mode, these configuration commands are available:

•description: describes the class map (up to 200 characters). The show class-map privileged EXEC command displays the description and the name of the class-map.

•exit: exits from QoS class-map configuration mode.

•match: configures classification criteria. For more information, see the match (class-map configuration) command.

•no: removes a match statement from a class map.

•rename: renames the current class map. If you rename a class map with a name that is already in use, this message appears:

A class-map with this name already exists

To define packet classification on a physical-port basis, only one match command per class map is supported. In this situation, the match-all and match-any keywords are equivalent.

To define packet classification on a per-port per-VLAN basis, you must use the match-all keyword with the class-map global configuration command. You also must enter the match vlan vlan-list and the match class-map class-map-name class-map configuration commands. For more information, see the "match (class-map configuration)" section.

Only one access control list (ACL) can be configured in a class map. The ACL can have multiple access control entries (ACEs).

Examples

This example shows how to configure the class map called class1. class1 has one match criterion, which is an access list called 103.

Switch(config)# access-list 103 permit any any dscp 10

Switch(config)# class-map class1

Switch(config-cmap)# match access-group 103

Switch(config-cmap)# exit

This example shows how to delete the class map class1:

Switch(config)# no class-map class1

This example shows how to configure a class map called dscp_class whose match criterion is to match IP DSCP 9. A second class map, called vlan_class, matches traffic on VLANs 10, 20 to 30, and 40 to class map dscp_class:

Switch(config)# class-map match-any dscp_class

Switch(config-cmap)# match ip dscp 9

Switch(config-cmap)# exit

Switch(config)# class-map match-all vlan_class

Switch(config-cmap)# match vlan 10 20-30 40

Switch(config-cmap)# match class-map dscp_class

Switch(config-cmap)# exit

You can verify your settings by entering the show class-map privileged EXEC command.

Related Commands

Command	Description
match (class-map configuration)	Defines the match criteria to classify traffic.
policy-map	Creates or modifies a policy map that can be attached to multiple interfaces to specify a service policy.
show class-map	Displays QoS class maps.

clear ip arp inspection log

Use the clear ip arp inspection log privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.

clear ip arp inspection log

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Examples

This example shows how to clear the contents of the log buffer:

Switch# clear ip arp inspection log

You can verify that the log was cleared by entering the show ip arp inspection log privileged command.

Related Commands

Command	Description
arp access-list	Defines an ARP access control list (ACL).
ip arp inspection log-buffer	Configures the dynamic ARP inspection logging buffer.
ip arp inspection vlan	Controls the type of packets that are logged per VLAN.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.

clear ip arp inspection statistics

Use the clear ip arp inspection statistics privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.

clear ip arp inspection statistics [vlan vlan-range]

Syntax Description

vlan vlan-range

(Optional) Clear statistics for the specified VLAN or VLANs. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Examples

This example shows how to clear the statistics for VLAN 1:

Switch# clear ip arp inspection statistics vlan 1

You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.

Related Commands

Command	Description
archive upload-sw	Defines an ARP access control list (ACL).
ip arp inspection log-buffer	Configures the dynamic ARP inspection logging buffer.
ip arp inspection vlan logging	Controls the type of packets that are logged per VLAN.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.

clear ip dhcp snooping

Use the clear ip dhcp snooping privileged EXEC command on the switch stack or on a standalone switch to clear the DHCP snooping binding database, the DHCP snooping binding database agent statistics, or the DHCP snooping statistics counters.

clear ip dhcp snooping {binding | database statistics | statistics}

Syntax Description

binding	Clear the DHCP snooping binding database.
database statistics	Clear the DHCP snooping binding database agent statistics.
statistics	Clear the DHCP snooping statistics counter.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(37)SE	The statistics keyword was introduced.

Usage Guidelines

When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.

Examples

This example shows how to clear the DHCP snooping binding database agent statistics:

Switch# clear ip dhcp snooping database statistics 

You can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.

This example shows how to clear the DHCP snooping statistics counters:

Switch# clear ip dhcp snooping statistics 

You can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.

Related Commands

Command	Description
ip dhcp snooping	Enables DHCP snooping on a VLAN.
ip dhcp snooping database	Configures the DHCP snooping binding database agent or the binding file.
show ip dhcp snooping binding	Displays the status of DHCP snooping database agent.
show ip dhcp snooping database	Displays the DHCP snooping binding database agent statistics.
show ip dhcp snooping statistics statistics	Displays the DHCP snooping statistics.

clear l2protocol-tunnel counters

Use the clear l2protocol-tunnel counters privileged EXEC command to clear the protocol counters in protocol tunnel ports.

clear l2protocol-tunnel counters [interface-id]

Syntax Description

interface-id

(Optional) Specify interface (physical interface or port channel) on which to clear protocol counters.

Defaults

This command has no defaults.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(9)EA1	This command was introduced.

Usage Guidelines

Use this command to clear protocol tunnel counters on the switch or on the specified interface.

Examples

This example shows how to clear Layer 2 protocol tunnel counters on an interface:

Switch# clear l2protocol-tunnel counters gigabitethernet0/3

Related Commands

Command	Description
l2protocol-tunnel	Enable tunneling of Layer 2 protocols on an access or IEEE 802.1Q tunnel port.
show l2protocol-tunnel	Displays information about ports configured for Layer 2 protocol tunneling.

clear lacp

Use the clear lacp privileged EXEC command to clear Link Aggregation Control Protocol (LACP) channel-group counters.

clear lacp {channel-group-number [counters]}

Syntax Description

channel-group-number	Channel group number. The range is 1 to 64.
counters	Clear traffic counters.

Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(12c)EA1	This command was introduced.

Examples

This example shows how to clear channel-group information for a specific group:

Switch# clear lacp 4

This example shows how to clear channel-group traffic counters:

Switch# clear lacp counters

You can verify that the information was deleted by entering the show lacp privileged EXEC command.

Related Commands

Command	Description
show lacp	Displays LACP channel-group information.

clear mac address-table

Use the clear mac address-table privileged EXEC command to delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.

clear mac address-table {dynamic [address mac-addr | interface interface-id | vlan vlan-id] | notification}

---

Note Beginning with Cisco IOS Release 12.1(11)EA1, the clear mac address-table command replaces the clear mac- address-table command (with the hyphen).

---

Syntax Description

dynamic	Delete all dynamic MAC addresses.
dynamic address mac-addr	(Optional) Delete the specified dynamic MAC address.
dynamic interface interface-id	(Optional) Delete all dynamic MAC addresses on the specified physical port or port channel.
dynamic vlan vlan-id	(Optional) Delete all dynamic MAC addresses for the specified VLAN. The range is 1 to 4096.
notification	Clear the notifications in the history table and reset the counters.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(4)EA1	This command was introduced.
12.1(8)EA1	The notification keyword was added.
12.1(11)EA1	The clear mac-address-table command was replaced by the clear mac address-table command.

Examples

This example shows how to remove a specific MAC address from the dynamic address table:

Switch# clear mac address-table dynamic address 0008.0070.0007

You can verify that information was deleted by entering the show mac address-table privileged EXEC command.

Related Commands

Command	Description
mac address-table notification	Enables the MAC address notification feature.
show mac address-table	Displays the MAC address table static and dynamic entries.
show mac address-table notification	Displays the MAC address notification settings for all interfaces or the specified interface.
snmp trap mac-notification	Enables the Simple Network Management Protocol (SNMP) MAC address notification trap on a specific interface.

clear pagp

Use the clear pagp privileged EXEC command to clear Port Aggregation Protocol (PAgP) channel-group information.

clear pagp {channel-group-number [counters] | counters}

Syntax Description

channel-group-number	Channel group number. The range is 1 to 64.
counters	Clear traffic filters.

Defaults

This command has no default setting.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Examples

This example shows how to clear channel-group information for a specific group:

Switch# clear pagp 10

This example shows how to clear channel-group traffic filters:

Switch# clear pagp counters

You can verify that information was deleted by entering the show pagp privileged EXEC command.

Related Commands

Command	Description
show pagp	Displays PAgP channel-group information.

clear port-security

Use the clear port-security privileged EXEC command to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.

clear port-security {all | configured | dynamic | sticky} [[address mac-addr | interface interface-id] [vlan {vlan-id | {access | voice}}]]

Syntax Description

all	Delete all secure MAC addresses.
configured	Delete configured secure MAC addresses.
dynamic	Delete secure MAC addresses auto-learned by hardware.
sticky	Delete secure MAC addresses, either auto-learned or configured.
address mac-addr	(Optional) Delete the specified dynamic secure MAC address.
interface interface-id	(Optional) Delete all the dynamic secure MAC addresses on the specified physical port or VLAN.
vlan	(Optional) Enter one of these options after you enter the vlan keyword: •vlan-id—On a trunk port, specify the VLAN ID of the VLAN on which this address should be cleared. •access—On an access port, specify the VLAN as an access VLAN. •voice—On an access port, specify the VLAN as a voice VLAN. Note The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(11)EA1	This command was introduced.
12.1(14)EA1	The all, configured, and vlan keywords were added.
12.2(25)SEB	The access and voice keywords were added.

Usage Guidelines

If you enter the clear port-security all privileged EXEC command, the switch removes all secure MAC addresses from the MAC address table.

If you enter the clear port-security configured address mac-addr vlan vlan-id command, the switch removes the specified secure MAC address from the specified VLAN.

If you enter the clear port-security configured address mac-address command, the switch removes the specified secure MAC address from the MAC address table.

If you enter the clear port-security dynamic interface interface-id command, the switch removes all dynamic secure MAC addresses on an interface from the MAC address table.

If you enter the clear port-security sticky command, the switch removes all sticky secure MAC addresses from the MAC address table.

Examples

This example shows how to remove all secure addresses from the MAC address table:

Switch# clear port-security all

This example shows how to remove a configured secure address from the MAC address table:

Switch# clear port-security configured address 0008.0070.0007

This example shows how to remove all the dynamic secure addresses learned on an interface:

Switch# clear port-security dynamic interface gigabitethernet0/1

This example shows how to remove all the sticky secure addresses from the address table:

Switch# clear port-security sticky

You can verify that the information was deleted by entering the show port-security privileged EXEC command.

Related Commands

Command	Description
show port-security	Displays the port security settings for an interface or for the switch.
switchport port-security	Enables port security on an interface.

clear spanning-tree counters

Use the clear spanning-tree counters privileged EXEC command to clear the spanning-tree counters.

clear spanning-tree counters [interface interface-id]

Syntax Description

interface interface-id

(Optional) Clear all spanning-tree counters on the specified interface. If interface-id is not specified, spanning-tree counters are cleared for all interfaces.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(13)EA1	This command was introduced.

Examples

This example shows how to clear spanning-tree counters for all interfaces:

Switch# clear spanning-tree counters

Related Commands

Command	Description
show spanning-tree	Displays spanning-tree state information.

clear spanning-tree detected-protocols

Use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface.

clear spanning-tree detected-protocols [interface interface-id]

Syntax Description

interface interface-id

(Optional) Restart the protocol migration process on the specified interface. Valid interfaces include physical ports, VLANs, and port channels. The VLAN range is 1 to 4094. The port-channel range is 1 to 64.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(9)EA1	This command was introduced.

Usage Guidelines

A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3) associated with a different region, or an RST BPDU (version 2).

However, the switch does not automatically revert to the rapid-PVST+ or MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot determine whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.

Examples

This example shows how to restart the protocol migration process on an interface:

Switch# clear spanning-tree detected-protocols interface fastethernet0/1

clear vmps statistics

Use the clear vmps statistics privileged EXEC command to clear the statistics maintained by the VLAN Query Protocol (VQP) client.

clear vmps statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Examples

This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:

Switch# clear vmps statistics

You can verify that information was deleted by entering the show vmps statistics privileged EXEC command.

Related Commands

Command	Description
show vmps	Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers.

clear vtp counters

Use the clear vtp counters privileged EXEC command to clear the VLAN Trunking Protocol (VTP) and pruning counters.

clear vtp counters

Syntax Description

This command has no arguments or keywords.

Defaults

No default is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Examples

This example shows how to clear the VTP counters:

Switch# clear vtp counters

You can verify that information was deleted by entering the show vtp counters privileged EXEC command.

Related Commands

Command	Description
show vtp	Displays general information about the VTP management domain, status, and counters.

cluster commander-address

You do not need to enter this command. The command switch automatically provides its MAC address to member switches when these switches join the cluster. The member switch adds this information and other cluster information to its running configuration file. Use the no form of this command from the member switch console port to remove it from a cluster only during debugging or recovery procedures.

cluster commander-address mac-address [member number name name]

no cluster commander-address

Syntax Description

mac-address	MAC address of the cluster command switch.
member number	(Optional) Number of a configured member switch. The range is from 0 to 15.
name name	(Optional) Name of the configured cluster up to 31 characters.

Defaults

The switch is not a member of any cluster.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

A cluster member can have only one command switch.

The member switch retains the identity of the command switch during a system reload by using the mac-address parameter.

You can enter the no form on a member switch to remove it from the cluster during debugging or recovery procedures. You would normally use this command from the member switch console port only when the member has lost communication with the command switch. With normal switch configuration, we recommend that you remove member switches only by entering the no cluster member n global configuration command on the command switch.

When a standby command switch becomes active (becomes the command switch), it removes the cluster commander address line from its configuration.

Examples

This is partial sample output from the running configuration of a cluster member:

Switch(config)# show running-config

<output truncated>

cluster commander-address 00e0.9bc0.a500 member 4 name my_cluster

<output truncated>

This example shows how to remove a member from the cluster by using the cluster member console:

Switch # configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)# no cluster commander-address

You can verify your settings by entering the show cluster privileged EXEC command.

Related Commands

Command	Description
show cluster	Displays the cluster status and a summary of the cluster to which the switch belongs.

cluster discovery hop-count

Use the cluster discovery hop-count global configuration command on the command switch to set the hop-count limit for extended discovery of candidate switches. Use the no form of this command to return to the default setting.

cluster discovery hop-count number

no cluster discovery hop-count

Syntax Description

number

Number of hops from the cluster edge that the command switch limits the discovery of candidates. The range is 1 to 7.

Defaults

The hop count is set to 3.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Enter this command only on the command switch. This command does not operate on member switches.

If the hop count is set to 1, it disables extended discovery. The command switch discovers only candidates that are one hop from the edge of the cluster. The edge of the cluster is the point between the last discovered member switch and the first discovered candidate switch.

Examples

This example shows how to set hop count limit to 4. This command is executed on the command switch.

Switch(config)# cluster discovery hop-count 4

You can verify your setting by entering the show cluster privileged EXEC command.

Related Commands

Command	Description
show cluster	Displays the cluster status and a summary of the cluster to which the switch belongs.
show cluster candidates	Displays a list of candidate switches.

cluster enable

Use the cluster enable global configuration command on a command-capable switch to enable it as the cluster command switch, assign a cluster name, and to optionally assign a member number to it. Use the no form of this command to remove all members and to make the command switch a candidate switch.

cluster enable name [command-switch-member-number]

no cluster enable

Syntax Description

name	Name of the cluster up to 31 characters. Valid characters include only alphanumerics, dashes, and underscores.
command-switch-member-number	(Optional) Assign a member number to the command switch of the cluster. The range is 0 to 15.

Defaults

The switch is not a command switch.

No cluster name is defined.

The member number is 0 when the switch is the command switch.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

This command runs on any command-capable switch that is not part of any cluster. This command fails if a device is already configured as a member of the cluster.

You must name the cluster when you enable the command switch. If the switch is already configured as the command switch, this command changes the cluster name if it is different from the previous cluster name.

Examples

This example shows how to enable the command switch, name the cluster, and set the command switch member number to 4:

Switch(config)# cluster enable Engineering-IDF4 4

You can verify your setting by entering the show cluster privileged EXEC command on the command switch.

Related Commands

Command	Description
show cluster	Displays the cluster status and a summary of the cluster to which the switch belongs.

cluster holdtime

Use the cluster holdtime global configuration command on the command switch to set the duration in seconds before a switch (either the command or member switch) declares the other switch down after not receiving heartbeat messages. Use the no form of this command to return to the default setting.

cluster holdtime holdtime-in-secs

no cluster holdtime

Syntax Description

holdtime-in-secs

Duration in seconds before a switch (either a command or member switch) declares the other switch down. The range is 1 to 300 seconds.

Defaults

The default holdtime is 80 seconds.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Use this command with the cluster timer global configuration command only on the command switch. The command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.

The holdtime is typically set as a multiple of the interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.

Examples

This example shows how to change the interval timer and the duration on the command switch:

Switch(config)# cluster timer 3

Switch(config)# cluster holdtime 30

You can verify your settings by entering the show cluster privileged EXEC command.

Related Commands

Command	Description
show cluster	Displays the cluster status and a summary of the cluster to which the switch belongs.

cluster member

Use the cluster member global configuration command on the command switch to add candidates to a cluster. Use the no form of this command to remove members from the cluster.

cluster member [n] mac-address H.H.H [password enable-password] [vlan vlan-id]

no cluster member n

Syntax Description

n	The number that identifies a cluster member. The range is 0 to 15.
mac-address H.H.H	MAC address of the member switch in hexadecimal format.
password enable-password	Enable password of the candidate switch. The password is not required if there is no password on the candidate switch.
vlan vlan-id	(Optional) VLAN ID through which the candidate is added to the cluster by the command switch. The range is 1 to 4094.

Defaults

A newly enabled command switch has no associated cluster members.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Enter this command only on the command switch to add a candidate to or remove a member from the cluster. If you enter this command on a switch other than the command switch, the switch rejects the command and displays an error message.

You must enter a member number to remove a switch from the cluster. However, you do not need to enter a member number to add a switch to the cluster. The command switch selects the next available member number and assigns it to the switch that is joining the cluster.

You must enter the enable password of the candidate switch for authentication when it joins the cluster. The password is not saved in the running or startup configuration. After a candidate switch becomes a member of the cluster, its password becomes the same as the command-switch password.

If a switch does not have a configured host name, the command switch appends a member number to the command-switch host name and assigns it to the member switch.

If you do not specify a VLAN ID, the command switch automatically chooses a VLAN and adds the candidate to the cluster.

Examples

This example shows how to add a switch as member 2 with MAC address 00E0.1E00.2222 and the password key to a cluster. The command switch adds the candidate to the cluster through VLAN 3.

Switch(config)# cluster member 2 mac-address 00E0.1E00.2222 password key vlan 3

This example shows how to add a switch with MAC address 00E0.1E00.3333 to the cluster. This switch does not have a password. The command switch selects the next available member number and assigns it to the switch that is joining the cluster.

Switch(config)# cluster member mac-address 00E0.1E00.3333

You can verify your settings by entering the show cluster members privileged EXEC command on the command switch.

Related Commands

Command	Description
show cluster	Displays the cluster status and a summary of the cluster to which the switch belongs.
show cluster candidates	Displays a list of candidate switches.
show cluster members	Displays information about the cluster members.

cluster outside-interface

Use the cluster outside-interface global configuration command to configure the outside interface for cluster Network Address Translation (NAT) so that a member without an IP address can communicate with devices outside the cluster. Use the no form of this command to return to the default setting.

cluster outside-interface interface-id

no cluster outside-interface

Syntax Description

interface-id

Interface to serve as the outside interface. Valid interfaces include physical interfaces, port-channels, or VLANs. The port-channel range is 1 to 64. The VLAN range is 1 to 4094.

Defaults

The default outside interface is automatically selected by the command switch.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Enter this command only on the command switch. If you enter this command on a member switch, an error message appears.

Examples

This example shows how to set the outside interface to VLAN 1:

Switch(config)# cluster outside-interface vlan 1

You can verify your setting by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
show running-config	Displays the current operating configuration. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

cluster run

Use the cluster run global configuration command to enable clustering on a switch. Use the no form of this command to disable clustering on a switch.

cluster run

no cluster run

Syntax Description

This command has no arguments or keywords.

Defaults

Clustering is enabled on all switches.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

When you enter the no cluster run command on a command switch, the command switch is disabled. Clustering is disabled, and the switch is incapable of becoming a candidate switch.

When you enter the no cluster run command on a member switch, it is removed from the cluster. Clustering is disabled, and the switch is incapable of becoming a candidate switch.

When you enter the no cluster run command on a switch that is not part of a cluster, clustering is disabled on this switch. This switch cannot then become a candidate switch.

Examples

This example shows how to disable clustering on the command switch:

Switch(config)# no cluster run

You can verify your setting by entering the show cluster privileged EXEC command.

Related Commands

Command	Description
show cluster	Displays the cluster status and a summary of the cluster to which the switch belongs.

cluster standby-group

Use the cluster standby-group global configuration command to enable command-switch redundancy by binding the cluster to an existing Hot Standby Router Protocol (HSRP). Entering the routing-redundancy keyword enables the same HSRP group to be used for command-switch redundancy and routing redundancy. Use the no form of this command to return to the default setting.

cluster standby-group HSRP-group-name [routing-redundancy]

no cluster standby-group

Syntax Description

HSRP-group-name	Name of the HSRP group that is bound to the cluster. The group name is limited to 32 characters.
routing-redundancy	(Optional) Enable the same HSRP standby group to be used for command-switch redundancy and routing redundancy.

Defaults

The cluster is not bound to any HSRP group.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

You must enter this command only on the command switch. If you enter it on a member switch, an error message appears.

The command switch propagates the cluster-HSRP binding information to all cluster-HSRP capable members. Each member switch stores the binding information in its NVRAM.

The HSRP group name must be a valid standby group; otherwise, the command exits with an error.

The same group name should be used on all members of the HSRP standby group that is to be bound to the cluster. The same HSRP group name should also be used on all cluster-HSRP capable members for the HSRP group that is to be bound. (When not binding a cluster to an HSRP group, you can use different names for the cluster commander and the members.)

Examples

This example shows how to bind the HSRP group named my_hsrp to the cluster. This command is executed on the command switch.

Switch(config)# cluster standby-group my_hsrp 

This example shows how to use the same HSRP group named my_hsrp for routing redundancy and cluster redundancy:

Switch(config)# cluster standby-group my_hsrp routing-redundancy

This example shows the error message when this command is executed on a command switch and the specified HSRP standby group does not exist:

Switch(config)# cluster standby-group my_hsrp 

%ERROR: Standby (my_hsrp) group does not exist

This example shows the error message when this command is executed on a member switch:

Switch(config)# cluster standby-group my_hsrp routing-redundancy

%ERROR: This command runs on a cluster command switch

You can verify your settings by entering the show cluster privileged EXEC command. The output shows whether redundancy is enabled in the cluster.

Related Commands

Command	Description
standby ip	Enables HSRP on the interface. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
show cluster	Displays the cluster status and a summary of the cluster to which the switch belongs.
show standby	Displays standby group information. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.

cluster timer

Use the cluster timer global configuration command on the command switch to set the interval in seconds between heartbeat messages. Use the no form of this command to return to the default setting.

cluster timer interval-in-secs

no cluster timer

Syntax Description

interval-in-secs

Interval in seconds between heartbeat messages. The range is 1 to 300 seconds.

Defaults

The interval is 8 seconds.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Use this command with the cluster holdtime global configuration command only on the command switch. The command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.

The holdtime is typically set as a multiple of the heartbeat interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.

Examples

This example shows how to change the heartbeat interval timer and the duration on the command switch:

Switch(config)# cluster timer 3

Switch(config)# cluster holdtime 30

You can verify your settings by entering the show cluster privileged EXEC command.

Related Commands

Command	Description
show cluster	Displays the cluster status and a summary of the cluster to which the switch belongs.

define interface-range

Use the define interface-range global configuration command to create an interface-range macro. Use the no form of this command to delete the defined macro.

define interface-range macro-name interface-range

no define interface-range macro-name interface-range

Syntax Description

macro-name	Name of the interface-range macro; up to 32 characters.
interface-range	Interface range; for valid values for interface ranges, see "Usage Guidelines."

Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

The macro name is a 32-character maximum character string.

A macro can contain up to five ranges.

All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.

When entering the interface-range, use this format:

•type {first-interface} - {last-interface}

•You must add a space between the first interface number and the hyphen when entering an interface-range. For example, gigabitethernet 0/1 -5 is a valid range; gigabitethernet 0/1-5 is not a valid range.

Valid values for type and interface:

•vlan vlan-id, where vlan-id is from 1 to 4094; do not enter leading zeros

•port-channel port-channel-number, where port-channel-number is 1 to 64

•fastethernet interface-id

•gigabitethernet interface-id

VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.

For physical interfaces, the interface-id is defined as slot/number (where slot is always 0 for the switch), and the range can be entered as one of the following:

•type 0/number - number (for example, gigabitethernet0/1 -2)

•type 0/number - 0/number (for example, gigabitethernet 0/1 - 0/2)

You can also enter multiple ranges.

When you define a range, you must enter a space before and after the hyphen (-), for example, gigabitethernet0/1 - 2

When you define multiple ranges, you must enter a space before and after the comma (,), for example, fastethernet0/3 - 7 , gigabitethernet0/1 - 2

Examples

This example shows how to create a multiple-interface macro:

Switch(config)# define interface-range macro1 gigabitethernet0/1 -2, gigabitethernet0/5 

Related Commands

Command	Description
interface range	Executes a command on multiple ports at the same time.
show running-config	Displays the current operating configuration, including defined macros. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

delete

Use the delete privileged EXEC command to delete a file or directory on the flash memory device.

delete [/force] [/recursive] filesystem:/file-url

Syntax Description

/force	(Optional) Suppress the prompt that confirms the deletion.
/recursive	(Optional) Delete the named directory and all subdirectories and the files contained in it.
filesystem:	Alias for a flash file system. Use flash: for the system board flash device.
/file-url	The path (directory) and filename to delete.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

If you use the /force keyword, you are prompted at the beginning of the deletion process to confirm the deletion.

If you use the /recursive keyword without the /force keyword, you are prompted to confirm the deletion of every file.

The prompting behavior depends on the setting of the file prompt global configuration command. By default, the switch prompts for confirmation on destructive file operations. For more information about this command, see the Cisco IOS Command Reference for Release 12.1.

Examples

This example shows how to remove the directory that contains the old software image after a successful download of a new image:

Switch# delete /force /recursive flash:/old-image

You can verify that the directory was removed by entering the dir filesystem: privileged EXEC command.

Related Commands

Command	Description
archive download-sw	Downloads a new image to the switch and overwrites or keeps the existing image.

deny

Use the deny MAC access list configuration command to prevent non-IP traffic from being forwarded if the conditions are matched. Use the no form of this command to remove a deny condition from the named MAC access list.

{deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask |mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]

no {deny | permit} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask | aarp | amber | cos cos | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | lsap lsap mask | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp]

---

Note Though visible in the command-line help strings, appletalk is not supported as a matching condition, nor is matching on any SNAP-encapsulated packet with a non-zero Organizational Unique Identifier (OUI).

---

Syntax Description

any	Keyword to specify to deny any source or destination MAC address.
host src MAC-addr | src-MAC-addr mask	Define a host MAC address and optional subnet mask. If the source address for a packet matches the defined address, non-IP traffic from that address is denied.
host dst-MAC-addr | dst-MAC-addr mask	Define a destination MAC address and optional subnet mask. If the destination address for a packet matches the defined address, non-IP traffic to that address is denied.
type mask	(Optional) Use the Ethertype number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet. The type is 0 to 65535, typically specified in hexadecimal. The mask is a mask of don't care bits applied to the Ethertype before testing for a match.
aarp	(Optional) Select Ethertype AppleTalk Address Resolution Protocol that maps a data-link address to a network address.
amber	(Optional) Select EtherType DEC-Amber.
cos cos	(Optional) Select a class of service (CoS) number from 0 to 7 to set priority. Filtering on CoS can be performed only in hardware. A warning message reminds the user if the cos option is configured.
dec-spanning	(Optional) Select EtherType Digital Equipment Corporation (DEC) spanning tree.
decnet-iv	(Optional) Select EtherType DECnet Phase IV protocol.
diagnostic	(Optional) Select EtherType DEC-Diagnostic.
dsm	(Optional) Select EtherType DEC-DSM.
etype-6000	(Optional) Select EtherType 0x6000.
etype-8042	(Optional) Select EtherType 0x8042.
lat	(Optional) Select EtherType DEC-LAT.
lavc-sca	(Optional) Select EtherType DEC-LAVC-SCA.
lsap lsap-number mask	(Optional) Use the LSAP number (0 to 65535) of a packet with IEEE 802.2 encapsulation to identify the protocol of the packet. mask is a mask of don't care bits applied to the LSAP number before testing for a match.
mop-console	(Optional) Select EtherType DEC-MOP Remote Console.
mop-dump	(Optional) Select EtherType DEC-MOP Dump.
msdos	(Optional) Select EtherType DEC-MSDOS.
mumps	(Optional) Select EtherType DEC-MUMPS.
netbios	(Optional) Select EtherType DEC- Network Basic Input/Output System (NETBIOS).
vines-echo	(Optional) Select EtherType Virtual Integrated Network Service (VINES) Echo from Banyan Systems.
vines-ip	(Optional) Select EtherType VINES IP.
xns-idp	(Optional) Select EtherType Xerox Network Systems (XNS) protocol suite (0 to 65535), an arbitrary Ethertype in decimal, hexadecimal, or octal.

To filter IPX traffic, you use the type mask or lsap lsap mask keywords, depending on the type of IPX encapsulation being used. Filter criteria for IPX encapsulation types as specified in Novell terminology and Cisco IOS terminology are listed in Table 2-3.

Table 2-3 IPX Filtering Criteria

IPX Encapsulation Type		Filter Criterion
Cisco IOS Name	Novel Name
arpa	Ethernet II	Ethertype 0x8137
snap	Ethernet-snap	Ethertype 0x8137
sap	Ethernet IEEE 802.2	LSAP 0xE0E0
novell-ether	Ethernet IEEE 802.3	LSAP 0xFFFF

Defaults

This command has no defaults. However; the default action for a MAC-named ACL is to deny.

Command Modes

MAC-access list configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

You enter MAC-access list configuration mode by using the mac access-list extended global configuration command.

If you use the host keyword, you cannot enter an address mask; if you do not use the host keyword, you must enter an address mask.

When an access control entry (ACE) is added to an access control list, an implied deny-any-any condition exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.

---

Note For more information about named MAC extended access lists, see the software configuration guide for this release.

---

Examples

This example shows how to define the named MAC extended access list to deny NETBIOS traffic from any source to MAC address 00c0.00a0.03fa. Traffic matching this list is denied.

Switch(config-ext-macl)# deny any host 00c0.00a0.03fa netbios.

This example shows how to remove the deny condition from the named MAC extended access list:

Switch(config-ext-macl)# no deny any 00c0.00a0.03fa 0000.0000.0000 netbios.

This example denies all packets with Ethertype 0x4321:

Switch(config-ext-macl)# deny any any 0x4321 0

You can verify your settings by entering the show access-lists privileged EXEC command.

Related Commands

Command	Description
mac access-list extended	Creates an access list based on MAC addresses for non-IP traffic.
permit	Permits non-IP traffic to be forwarded if conditions are matched.
show access-lists	Displays access control lists configured on a switch.

deny (ARP access-list configuration)

Use the deny Address Resolution Protocol (ARP) access-list configuration command to deny an ARP packet based on matches against the DHCP bindings. Use the no form of this command to remove the specified access control entry (ACE) from the access list.

deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

no deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

This command is available only if your switch is running the IP services image, formerly known as the enhanced multilayer image (EMI).

Syntax Description

request	(Optional) Define a match for the ARP request. When request is not specified, matching is performed against all ARP packets.
ip	Specify the sender IP address.
any	Deny any IP or MAC address.
host sender-ip	Deny the specified sender IP address.
sender-ip sender-ip-mask	Deny the specified range of sender IP addresses.
mac	Deny the sender MAC address.
host sender-mac	Deny a specific sender MAC address.
sender-mac sender-mac-mask	Deny the specified range of sender MAC addresses.
response ip	Define the IP address values for the ARP responses.
host target-ip	Deny the specified target IP address.
target-ip target-ip-mask	Deny the specified range of target IP addresses.
mac	Deny the MAC address values for the ARP responses.
host target-mac	Deny the specified target MAC address.
target-mac target-mac-mask	Deny the specified range of target MAC addresses.
log	(Optional) Log a packet when it matches the ACE.

Defaults

There are no default settings. However, at the end of the ARP access list, there is an implicit deny ip any mac any command.

Command Modes

ARP access-list configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

You can add deny clauses to drop ARP packets based on matching criteria.

Examples

This example shows how to define an ARP access list and to deny both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:

Switch(config)# arp access-list static-hosts

Switch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcd

Switch(config-arp-nacl)# end

You can verify your settings by entering the show arp access-list privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP access control list (ACL).
ip arp inspection filter vlan	Permits ARP requests and responses from a host configured with a static IP address.
permit (ARP access-list configuration)	Permits an ARP packet based on matches against the DHCP bindings.
show arp access-list	Displays detailed information about ARP access lists.

dot1x

Use the dot1x global configuration command to enable IEEE 802.1x authentication globally. Use the no form of this command to return to the default setting.

dot1x {critical {eapol | recovery delay milliseconds} | system-auth-control}

no dot1x {credentials | critical {eapol | recovery delay} | system-auth-control}

---

Note Though visible in the command-line help strings, the credentials name keywords are not supported.

---

Syntax Description

critical {eapol | recovery delay milliseconds}	Configure the inaccessible authentication bypass parameters. For more information, see the dot1x critical (global configuration) command.
system-auth-control	Enable IEEE 802.1x authentication globally on the switch.

Defaults

IEEE 802.1x authentication is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)EA1	This command was introduced.
12.2(25)SE	The guest-vlan supplicant keywords were added.
12.2(25)SEE	The critical {eapol | recovery delay milliseconds} keywords were added. The guest-vlan supplicant keyword was removed.

Usage Guidelines

You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list before globally enabling IEEE 802.1x authentication. A method list describes the sequence and authentication methods to be queried to authenticate a user.

Before globally enabling IEEE 802.1x authentication on a switch, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.

If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and with EAP-MD5 and your switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS Version 3.2.1 or later.

Examples

This example shows how to enable IEEE 802.1x authentication globally on a switch:

Switch(config)# dot1x system-auth-control

You can verify your settings by entering the show dot1x privileged EXEC command.

Related Commands

Command	Description
dot1x guest-vlan	Enables and specifies an active VLAN as an IEEE 802.1x guest VLAN.
dot1x port-control	Enables manual control of the authorization state of the port.
show dot1x	Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified interface.

dot1x auth-fail max-attempts

Use the dot1x auth-fail max-attempts interface configuration command to configure the maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. To return to the default setting, use the no form of this command.

dot1x auth-fail max-attempts max-attempts

no dot1x auth-fail max-attempts

Syntax Description

max-attempts

Specify a maximum number of authentication attempts allowed before a port is moved to the restricted VLAN. The range is 1 to 3, the default value is 3.

Defaults

The default is 3 attempts.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SED	This command was introduced.

Usage Guidelines

If you reconfigure the maximum number of authentication failures allowed by the VLAN, the change takes effect after the re-authentication timer expires.

Examples

This example shows how to set 2 as the maximum number of authentication attempts allowed before the port is moved to the restricted VLAN on Gigabit Ethernet interface 3:

Switch# configure terminal 

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gigabitethernet0/3

Switch(config-if)# dot1x auth-fail max-attempts 2

Switch(config-if)# end

Switch(config)# end

Switch#

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x auth-fail vlan [vlan id]	Enables the optional restricted VLAN feature.
dot1x max-reauth-req [count]	Sets the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.

dot1x auth-fail vlan

Use the dot1x auth-fail vlan interface configuration command to enable the restricted VLAN on a port. To return to the default setting, use the no form of this command.

dot1x auth-fail vlan vlan-id

no dot1x auth-fail vlan vlan-id

Syntax Description

vlan-id

Specify a VLAN in the range of 1 to 4094.

Defaults

No restricted VLAN is configured.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SED	This command was introduced.

Usage Guidelines

You can configure a restricted VLAN on ports configured as follows:

• single-host (default) mode only

• auto mode for authorization

You should enable re-authentication. The ports in restricted VLANs do not receive re-authentication requests if re-authentication is disabled. To start the re-authentication process, the restricted VLAN must receive a link down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If the host is connected through a hub, the port might never receive a link down event and might not detect the new host until the next re-authentication attempt occurs. Therefore, re-authentication should be enabled.

If the user fails authentication, the port is moved to a restricted VLAN, and an EAP success message is sent to the user. Because the user is not notified of the authentication failure, there might be confusion as to why there is restricted access to the network. An EAP success message is sent for these reasons:

•If the EAP success message is not sent, the user tries to authenticate every 60 seconds (the default) by sending an EAP-start message.

•Some hosts (for example, devices running Windows XP) cannot implement DHCP until they receive an EAP success message.

A user might cache an incorrect username and password combination after receiving an EAP success message from the authenticator and re-use that information in every re-authentication. Until the user passes the correct username and password combination, the port remains in the restricted VLAN.

Internal VLANs that are used for Layer 3 ports cannot be configured as a restricted VLAN.

You cannot configure a VLAN to be both a restricted VLAN and a voice VLAN. If you do this, a syslog message is generated.

When a restricted VLAN port is moved to an unauthorized state, the authentication process is restarted. If the user fails the authentication process again, the authenticator waits in the held state. After the user has correctly re-authenticated, all IEEE 802.1x ports are reinitialized and treated as normal IEEE 802.1x ports.

When you reconfigure a restricted VLAN to a different VLAN, any ports in the restricted VLAN are also moved and the ports stay in their current authorized state.

When you shut down or remove a restricted VLAN from the VLAN database, any ports in the restricted VLAN are immediately moved to an unauthorized state and the authentication process is restarted. The authenticator does not wait in a held state because the restricted VLAN configuration still exists. While the restricted VLAN is inactive, all authentication attempts are counted. As soon as the restricted VLAN becomes active, the port is placed in the restricted VLAN.

The restricted VLAN is supported only in single-host mode (the default port mode).

When a port is placed in a restricted VLAN, the user's MAC address is added to the MAC address table. If a new MAC address appears on the port, it is treated as a security violation.

Examples

This example shows how to configure a restricted VLAN on Gigabit Ethernet interface 1:

Switch# configure terminal 

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# dot1x auth-fail vlan 40

Switch(config-if)# end

Switch(config)# end

Switch#

You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x auth-fail max-attempts [max-attempts]	Configures the number of authentication attempts allowed before assigning a user to the restricted VLAN.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.

dot1x control-direction

Use the dot1x control-direction interface configuration command to configure the IEEE 802.1x authentication with the wake-on-LAN (WoL) feature to configure the port control as unidirectional or bidirectional. Use the no form of this command to return to the default setting.

dot1x control-direction {in | both}

no dot1x control-direction {in | both}

Syntax Description

in	Enable bidirectional control on port. The port cannot receive packets from or send packets to the host.
both	Enable unidirectional control on port. The port can send packets to the host but cannot receive packets from the host.

Defaults

The port is in bidirectional.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEC	This command was introduced.

Usage Guidelines

Use the both keyword or the no form of this command to return to the default setting, bidirectional mode.

For more information about WoL, see the "Using IEEE 802.1x Authentication with Wake-on-LAN" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter in the software configuration guide.

Examples

This example shows how to enable unidirectional control:

Switch(config-if)# dot1x control-direction in

These examples show how to enable bidirectional control:

Switch(config-if)# dot1x control-direction both

You can verify your settings by entering the show dot1x all privileged EXEC command.

The show dot1x all privileged EXEC command output is the same for all switches except for the port names and the state of the port. If a host is attached to the port but is not yet authenticated, a display similar to this appears:

Supplicant MAC 0002.b39a.9275

AuthSM State = CONNECTING

BendSM State = IDLE

PortStatus = UNAUTHORIZED

If you enter the dot1x control-direction in interface configuration command to enable unidirectional control, this appears in the show dot1x all command output:

ControlDirection  = In

If you enter the dot1x control-direction in interface configuration command and the port cannot support this mode due to a configuration conflict, this appears in the show dot1x all command output:

ControlDirection  = In (Disabled due to port settings)

Related Commands

Command	Description
show dot1x all [interface interface-id]	Displays control-direction port setting status for the specified interface.

dot1x critical (global configuration)

Use the dot1x critical global configuration command to configure the parameters for the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. To return to default settings, use the no form of this command.

dot1x critical {eapol | recovery delay milliseconds}

no dot1x critical {eapol | recovery delay}

Syntax Description

eapol	Specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state.
recovery delay milliseconds	Set the recovery delay period in milliseconds. The range is from 1 to 10000 milliseconds.

Defaults

The switch does not send an EAPOL-Success message to the host when the switch successfully authenticates the critical port by putting the critical port in the critical-authentication state.

The recovery delay period is 1000 milliseconds (1 second).

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.

Usage Guidelines

Use the eapol keyword to specify that the switch sends an EAPOL-Success message when the switch puts the critical port in the critical-authentication state.

Use the recovery delay milliseconds keyword to set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The default recovery delay period is 100 milliseconds. A port can be re-initialized every second.

To enable inaccessible authentication bypass on a port, use the dot1x critical interface configuration command. To configure the access VLAN to which the switch assigns a critical port, use the dot1x critical vlan vlan-id interface configuration command.

Examples

This example shows how to set 200 as the recovery delay period on the switch:

Switch# dot1x critical recovery delay 200

You can verify your configuration by entering the show dot1x privileged EXEC command.

Related Commands

Command	Description
dot1x critical (interface configuration)	Enables the inaccessible authentication bypass feature, and configures the access VLAN for the feature.
show dot1x	Displays IEEE 802.1x status for the specified port.

dot1x critical (interface configuration)

Use the dot1x critical interface configuration command to enable the inaccessible authentication bypass feature, also referred to as critical authentication or the authentication, authorization, and accounting (AAA) fail policy. You can also configure the access VLAN to which the switch assigns the critical port when the port is in the critical-authentication state. To disable the feature or return to default, use the no form of this command.

dot1x critical [recovery action reinitialize | vlan vlan-id]

no dot1x critical [recovery | vlan]

Syntax Description

recovery action reinitialize	Enable the inaccessible-authentication-bypass recovery feature, and specify that the recovery action is to authenticate the port when an authentication server is available.
vlan vlan-id	Specify the access VLAN to which the switch can assign a critical port. The range is from 1 to 4094.

Defaults

The inaccessible authentication bypass feature is disabled.

The recovery action is not configured.

The access VLAN is not configured.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.

Usage Guidelines

To specify the access VLAN to which the switch assigns a critical port when the port is in the critical-authentication state, use the vlan vlan-id keywords. The specified type of VLAN must match the type of port, as follows:

•If the critical port is an access port, the VLAN must be an access VLAN.

•If the criticalport is a private VLAN host port, the VLAN must be a secondary private VLAN.

•If the critical port is a routed port, you can specify a VLAN but this is optional.

If the client is running Windows XP and the critical port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.

If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.

You can configure the inaccessible authentication bypass feature and the restricted VLAN on an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical authentication state, and it remains in the restricted VLAN.

You can configure the inaccessible bypass feature and port security on the same switch port.

Examples

This example shows how to enable the inaccessible authentication bypass feature on port 1:

Switch# configure terminal 

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface fastethernet0/1

Switch(config-if)# dot1x critical

Switch(config-if)# end

Switch(config)# end

Switch#

You can verify your configuration by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x critical (global configuration)	Configures the parameters for the inaccessible authentication bypass feature on the switch.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.

dot1x default

Use the dot1x default interface configuration command to reset the configurable IEEE 802.1x parameters to their default values.

dot1x default

Syntax Description

This command has no arguments or keywords.

Defaults

These are the default values:

•The per-interface IEEE 802.1x protocol enable state is disabled (force-authorized).

•The number of seconds between re-authentication attempts is 3600 seconds.

•The periodic re-authentication is disabled.

•The quiet period is 60 seconds.

•The retransmission time is 30 seconds.

•The maximum retransmission number is 2 times.

•The host mode is single host.

•The client timeout period is 30 seconds.

•The authentication server timeout period is 30 seconds.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.
12.1(14)EA1	This command was changed to the interface configuration mode.

Examples

This example shows how to reset the configurable IEEE 802.1x parameters on an interface:

Switch(config-if)# dot1x default

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified interface.

dot1x fallback

Use the dot1xfallback interface configuration command on the switch stack or on a standalone switch to configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. To return to the default setting, use the no form of this command.

dot1x fallback fallback-profile

no dot1x fallback

Syntax Description

fallback-profile

Specify a fallback profile for clients that do not support IEEE 802.1x authentication.

Defaults

No fallback is enabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(35)SE	This command was introduced.

Usage Guidelines

You must enter the dot1x port-control auto interface configuration command on a switch port before entering this command.

Examples

This example shows how to specify a fallback profile to a switch port that has been configured for IEEE 802.1x authentication:

Switch# configure terminal 

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface gigabitethernet1/0/3

Switch(config-if)# dot1x fallback profile1

Switch(config-fallback-profile)# exit

Switch(config)# end

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.
fallback profile	Create a web authentication fallback profile.
ip admission	Enable web authentication on a port
ip admission name proxy http	Enable web authentication globally on a switch

dot1x guest-vlan

Use the dot1x guest-vlan interface configuration command to specify an active VLAN as an IEEE 802.1x guest VLAN. Use the no form of this command to return to the default setting.

dot1x guest-vlan vlan-id

no dot1x guest-vlan

Syntax Description

vlan-id

Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.

Defaults

No guest VLAN is configured.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)EA1	This command was introduced.
12.2(25)SE	The default behavior of this command changed.

Usage Guidelines

For each IEEE 802.1x port on the switch, you can configure a guest VLAN to provide limited services to clients (a device or workstation connected to the switch) not currently running IEEE 802.1x authentication. These users might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.

When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when it does not receive a response to its Extensible Authentication Protocol over LAN (EAPOL) request/identity frame or when EAPOL packets are not sent by the client.

With Cisco IOS Release 12.2(25)SE and later, the switch maintains the EAPOL packet history. If another EAPOL packet is detected on the interface during the lifetime of the link, the guest VLAN feature is disabled. If the port is already in the guest VLAN state, the port returns to the unauthorized state, and authentication restarts. The EAPOL history is reset upon loss of link.

Before Cisco IOS Release 12.2(25)SE, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. In Cisco IOS Release 12.2(25)SE, you can use the dot1x guest-vlan supplicant global configuration command to enable this behavior.

However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan supplicant global configuration command is no longer supported. You can use a restricted VLAN to allow clients that failed authentication access to the network by entering the dot1x auth-fail vlan vlan-id interface configuration command.

Any number of non-IEEE 802.1x-capable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the RADIUS-configured or user-specified access VLAN, and authentication is restarted.

Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.

You can configure any active VLAN except an Remote Switched Port Analyzer (RSPAN) VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, you might need to get a host IP address from a DHCP server. You can also change the settings for restarting the IEEE 802.1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.

The switch supports MAC authentication bypass in Cisco IOS Release 12.2(25)SEE and later. When MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN, if one is specified. For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.

Examples

This example shows how to specify VLAN 5 as an IEEE 802.1x guest VLAN:

Switch(config-if)# dot1x guest-vlan 5

This example shows how to enable the optional guest VLAN behavior and to specify VLAN 5 as an IEEE 802.1x guest VLAN:

Switch(config)# dot1x guest-vlan supplicant

Switch(config)# interface FastEthernet0/1

Switch(config-if)# dot1x guest-vlan 5

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x	Enables the optional guest VLAN supplicant feature.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified interface.

dot1x host-mode

Use the dot1x host-mode interface configuration command to allow a single host (client) or multiple hosts on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the no form of this command to return to the default setting.

dot1x host-mode {multi-host | single-host}

no dot1x host-mode [multi-host | single-host]

Syntax Description

multi-host	Enable multiple-hosts mode on the switch.
single-host	Enable single-host mode on the switch.

Defaults

The default is single-host mode.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)EA1	This command was introduced. It replaces the dot1x multiple-hosts interface configuration command.

Usage Guidelines

You can use this command to limit an IEEE 802.1x-enabled port to a single client or to attach multiple clients to an IEEE 802.1x-enabled port. In multiple-hosts mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.

Before entering this command, make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.

Examples

This example shows how to enable IEEE 802.1x authentication globally, enable IEEE 802.1x authentication on an interface, and enable multiple-hosts mode:

Switch(config)# dot1x system-auth-control

Switch(config)# interface fastethernet0/1

Switch(config-if)# dot1x port-control auto

Switch(config-if)# dot1x host-mode multi-host

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified interface.

dot1x initialize

Use the dot1x initialize privileged EXEC command to manually return an IEEE 802.1x-enabled port to an unauthorized state before initiating a new authentication session on the interface.

dot1x initialize interface interface-id

Syntax Description

This command has no arguments or keywords.

Defaults

There is no default setting.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(14)EA1	This command was introduced.

Usage Guidelines

Use this command to manually return a device connected to a switch interface to an unauthorized state before initiating a new authentication session on the interface.

Examples

This example shows how to manually return a device connected to an interface to an unauthorized state:

Switch# dot1x initialize interface fastethernet0/1

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified interface.

dot1x mac-auth-bypass

Use the dot1x mac-auth-bypass interface configuration command to enable the MAC authentication bypass feature. Use the no form of this command to disable MAC authentication bypass feature.

dot1x mac-auth-bypass [eap]

no dot1x mac-auth-bypass

Syntax Description

eap	(Optional) Configure the switch to use Extensible Authentication Protocol (EAP) for authentication.

Defaults

MAC authentication bypass is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.

Usage Guidelines

Unless otherwise stated, the MAC authentication bypass usage guidelines are the same as the IEEE 802.1x authentication guidelines.

If you disable MAC authentication bypass from a port after the port has been authenticated with its MAC address, the port state is not affected.

If the port is in the unauthorized state and the client MAC address is not the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the switch can use MAC authentication bypass to re-authorize the port.

If the port is in the authorized state, the port remains in this state until re-authorization occurs.

If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x authentication (not MAC authentication bypass) to authorize the interface.

Clients that were authorized with MAC authentication bypass can be re-authenticated.

For more information about how MAC authentication bypass and IEEE 802.lx authentication interact, see the "Understanding IEEE 802.1x Authentication with MAC Authentication Bypass" section and the "IEEE 802.1x Authentication Configuration Guidelines" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.

Examples

This example shows how to enable MAC authentication bypass and to configure the switch to use EAP for authentication:

Switch(config-if)# dot1x mac-auth-bypass eap

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.

dot1x max-reauth-req

Use the dot1x max-reauth-req interface configuration command on the switch stack or on a standalone switch to set the maximum number of times that the switch restarts the authentication process before a port changes to the unauthorized state. Use the no form of this command to return to the default setting.

dot1x max-reauth-req count

no dot1x max-reauth-req

Syntax Description

count

Number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10.

Defaults

The default is 2 times.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SE	This command was introduced.
12.2(25)SEC	The count range changed.

Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Examples

This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state:

Switch(config-if)# dot1x max-reauth-req 4

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x max-req	Sets the maximum number of times that the switch forwards an EAP frame (assuming that no response is received) to the authentication server before restarting the authentication process.
dot1x timeout tx-period	Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.

dot1x max-req

Use the dot1x max-req interface configuration command to set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) frame from the authentication server (assuming that no response is received) to the client before restarting the authentication process. Use the no form of this command to return to the default setting.

dot1x max-req count

no dot1x max-req

Syntax Description

count

Number of times that the switch sends an EAP frame from the authentication server before restarting the authentication process. The range is 1 to 10.

Defaults

The default is 2.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.
12.1(14)EA1	This command was changed to the interface configuration mode.

Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Examples

This example shows how to set 5 as the number of times that the switch sends an EAP frame from the authentication server before restarting the authentication process:

Switch(config-if)# dot1x max-req 5

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x timeout	Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified interface.

dot1x multiple-hosts

This is an obsolete command.

In past releases, the dot1x multiple-hosts interface configuration command was used to allow multiple hosts (clients) on an IEEE 802.1x-authorized port.

Command History

Release	Modification
12.1(8)EA1	This command was introduced.
12.1(14)EA1	The dot1x multiple-hosts interface configuration command was replaced by the dot1x host-mode interface configuration command.

Related Commands

Command	Description
dot1x host-mode	Set the IEEE 802.1x host mode on an interface.
show dot1x	Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified interface.

dot1x pae

Use the dot1x pae interface configuration command to configure the port as an IEEE 802.1x port access entity (PAE) authenticator. Use the no form of this command to disable IEEE 802.1x authentication on the port.

dot1x pae authenticator

no dot1x pae

Syntax Description

This command has no arguments or keywords.

Defaults

The port is not an IEEE 802.1x PAE authenticator, and IEEE 802.1x authentication is disabled on the port.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.

Usage Guidelines

Use the no dot1x pae interface configuration command to disable IEEE 802.1x authentication on the port.

When you configure IEEE 802.1x authentication on a port, such as entering the dot1x port-control interface configuration command, the switch automatically configures the port as an IEEE 802.1x authenticator. After the no dot1x pae interface configuration command is entered, the Authenticator PAE operation is enabled.

Examples

This example shows how to disable IEEE 802.1x authentication on the port:

Switch(config-if)# no dot1x pae

You can verify your settings by entering the show dot1x or show eap privileged EXEC command.

Related Commands

Command	Description
show dot1x	Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified port.
show eap	Displays EAP registration and session information for the switch or for the specified port.

dot1x port-control

Use the dot1x port-control interface configuration command to enable manual control of the authorization state of the port. Use the no form of this command to return to the default setting.

dot1x port-control {auto | force-authorized | force-unauthorized}

no dot1x port-control

Syntax Description

auto	Enable IEEE 802.1x authentication on the interface and cause the port to transition to the authorized or unauthorized state based on the IEEE 802.1x authentication exchange between the switch and the client.
force-authorized	Disable IEEE 802.1x authentication on the interface and cause the port to transition to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1x-based authentication of the client.
force-unauthorized	Deny all access through this interface by forcing the port to transition to the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.

Defaults

The default is force-authorized.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.

Usage Guidelines

You must enable IEEE 802.1x authentication globally on the switch by using the dot1x system-auth-control global configuration command before enabling IEEE 802.1x authentication on a specific interface.

The IEEE 802.1x protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports.

You can use the auto keyword only if the port is not configured as one of these:

•Trunk port—If you try to enable IEEE 802.1x authentication on a trunk port, an error message appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.

•Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable IEEE 802.1x authentication on a dynamic port, an error message appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic, the port mode is not changed.

•Dynamic-access ports—If you try to enable IEEE 802.1x authentication on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and IEEE 802.1x authentication is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

•EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.

---

Note In software releases earlier than Cisco IOS Release 12.2(25)SE, if IEEE 802.1x authentication is enabled on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.

---

•Switched Port Analyzer (SPAN) destination port—You can enable IEEE 802.1x authentication on a port that is a SPAN destination port; however, IEEE 802.1x authentication is disabled until the port is removed as a SPAN destination. You can enable IEEE 802.1x authentication on a SPAN source port.

To disable IEEE 802.1x authentication globally on the switch, use the no dot1x system-auth-control global configuration command. To disable IEEE 802.1x authentication on a specific interface, use the no dot1x port-control interface configuration command.

Examples

This example shows how to enable IEEE 802.1x authentication on an interface:

Switch(config)# interface fastethernet0/1

Switch(config-if)# dot1x port-control auto

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified interface.

dot1x re-authenticate

Use the dot1x re-authenticate privileged EXEC command to manually initiate a re-authentication of the IEEE 802.1x-enabled port.

dot1x re-authenticate {interface interface-id}

Syntax Description

interface interface-id

Slot and port number of the interface to re-authenticate.

Defaults

There is no default setting.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(8)EA1	This command was introduced.

Usage Guidelines

You can use this command to re-authenticate a client without waiting for the configured number of seconds between re-authentication attempts (re-authperiod) and automatic re-authentication.

Examples

This example shows how to manually re-authenticate the device connected to an interface:

Switch# dot1x re-authenticate interface fastethernet0/1

Related Commands

Command	Description
show dot1x	Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified interface.

dot1x re-authentication

This is an obsolete command.

In past releases, the dot1x re-authentication global configuration command was used to set the amount of time between periodic re-authentication attempts.

Command History

Release	Modification
12.1(8)EA1	This command was introduced.
12.1(14)EA1	The dot1x reauthentication interface configuration command replaced the dot1x re-authentication global configuration command.

Related Commands

Command	Description
dot1x reauthentication	Sets the number of seconds between re-authentication attempts.
show dot1x	Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified interface.

dot1x reauthentication

Use the dot1x reauthentication interface configuration command to enable periodic re-authentication of the client. Use the no form of this command to return to the default setting.

dot1x reauthentication

no dot1x reauthentication

Syntax Description

This command has no arguments or keywords.

Defaults

Periodic re-authentication is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(14)EA1	This command was introduced. It replaces the dot1x re-authentication global configuration command (with the hyphen).

Usage Guidelines

You configure the amount of time between periodic re-authentication attempts by using the dot1x timeout reauth-period interface configuration command.

Examples

This example shows how to disable periodic re-authentication of the client:

Switch(config-if)# no dot1x reauthentication

This example shows how to enable periodic re-authentication and to set the number of seconds between re-authentication attempts to 4000 seconds:

Switch(config-if)# dot1x reauthentication

Switch(config-if)# dot1x timeout reauth-period 4000

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x timeout	Sets the number of seconds between re-authentication attempts.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified interface.

dot1x timeout

Use the dot1x timeout interface configuration command to set the IEEE 802.1x timers. Use the no form of this command to return to the default setting.

dot1x timeout {quiet-period seconds | ratelimit-period seconds | reauth-period {seconds | server} | server-timeout seconds | supp-timeout seconds | tx-period seconds}

no dot1x timeout {quiet-period | reauth-period | server-timeout | supp-timeout | tx-period}

Syntax Description

quiet-period seconds	Number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 1 to 65535.
ratelimit-period seconds	Number of seconds that the switch ignores Extensible Authentication Protocol over LAN (EAPOL) packets from clients that have been successfully authenticated during this duration. The range is 1 to 65535.
reauth-period seconds	Set the number of seconds between re-authentication attempts. The keywords have these meanings: •seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds. •server—Sets the number of seconds as the value of the Session-Timeout RADIUS attribute (Attribute[27]).
server-timeout seconds	Number of seconds that the switch waits for the retransmission of packets by the switch to the authentication server. The range is 30 to 65535.
supp-timeout seconds	Number of seconds that the switch waits for the retransmission of packets by the switch to the client. The range is 30 to 65535.
tx-period seconds	Number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request. The range is 1 to 65535.

Defaults

These are the defaults:

quiet-period is 60 seconds.

rate-limit is 0 seconds.

reauth-period is 3600 seconds.

server-timeout is 30 seconds.

supp-timeout is 30 seconds.

tx-period is 5 seconds.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.
12.1(14)EA1	The supp-timeout and server-timeout keywords were added, and the command was changed to the interface configuration mode.
12.1(22)EA5	The reauth-period server keywords were added
12.2(25)SE	The ranges for the server-timeout, supp-timeout, and tx-period keywords were changed.
12.2(25)SEC	The range for the tx-period keyword was changed, and the reauth-period server keywords were added.
12.2(25)SEE	The ratelimit-period keyword was introduced.
12.2(40)SE	The range for tx-period seconds is incorrect. The correct range is from 1 to 65535.

Usage Guidelines

You should change the default values only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

The dot1x timeout reauth-period interface configuration command affects the behavior of the switch only if you have enabled periodic re-authentication by using the dot1x reauthentication interface configuration command.

During the quiet period, the switch does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a number smaller than the default.

When the ratelimit-period is set to 0 (the default), the switch does not ignore EAPOL packets from clients that have been successfully authenticated and forwards them to the RADIUS server.

Examples

This example shows how to enable periodic re-authentication and to set 4000 as the number of seconds between re-authentication attempts:

Switch(config-if)# dot1x reauthentication

Switch(config-if)# dot1x timeout reauth-period 4000

This example shows how to enable periodic re-authentication and to specify the value of the Session-Timeout RADIUS attribute as the number of seconds between re-authentication attempts:

Switch(config-if)# dot1x reauthentication

Switch(config-if)# dot1x timeout reauth-period server

This example shows how to set 30 seconds as the quiet time on the switch:

Switch(config-if)# dot1x timeout quiet-period 30

This example shows how to set 60 as the number of seconds to wait for a response to an EAP-request/identity frame from the client before re-transmitting the request:

Switch(config-if)# dot1x timeout tx-period 60

This example shows how to set 45 seconds as the switch-to-client retransmission time for the EAP request frame:

Switch(config-if)# dot1x timeout supp-timeout 45

This example shows how to set 45 seconds as the switch-to-authentication server retransmission time:

Switch(config)# dot1x timeout server-timeout 45

This example shows how to return to the default re-authorization period:

Switch(config-if)# no dot1x timeout reauth-period

This example shows how to set 30 as the number of seconds that the switch ignores EAPOL packets from successfully authenticated clients:

Switch(config-if)# dot1x timeout ratelimit-period 30

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
dot1x max-req	Sets the maximum number of times that the switch sends an EAP-request/identity frame before restarting the authentication process.
dot1x reauthentication	Enables periodic re-authentication of the client.
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified interface.

duplex

Use the duplex interface configuration command to specify the duplex mode of operation for Fast Ethernet and Gigabit Ethernet ports. Use the no form of this command to return to the default setting.

duplex {auto | full | half}

no duplex

---

Note This command is not available on Gigabit Interface Converter (GBIC) ports. The default duplex on GBIC ports is autonegotiation.

---

Syntax Description

auto	Port automatically detects whether it should run in full- or half-duplex mode.
full	Port is in full-duplex mode.
half	Port is in half-duplex mode.

Defaults

The default is auto.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

Certain ports can be configured to be either full duplex or half duplex. Applicability of this command depends on the device to which the switch is attached.

For Fast Ethernet ports, setting the port to auto has the same effect as specifying half if the attached device does not autonegotiate the duplex parameter.

For Gigabit Ethernet ports, setting the port to auto has the same effect as specifying full if the attached device does not autonegotiate the duplex parameter.

You cannot configure duplex mode on GBIC interfaces.

If both ends of the line support autonegotiation, we highly recommend using the default autonegotiation settings. If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do use the auto setting on the supported side.

If the speed is set to auto, the switch negotiates with the device at the other end of the link for the speed setting and then forces the speed setting to the negotiated value. The duplex setting remains as configured on each end of the link, which could result in a duplex setting mismatch.

Beginning with Cisco IOS Release 12.1(22)EA1, you can configure the duplex setting when the speed is set to auto.

If both the speed and duplex are set to specific values, autonegotiation is disabled.

---

Caution Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.

---

---

Note For guidelines on setting the switch speed and duplex parameters, see the software configuration guide for this release.

---

Examples

This example shows how to configure an interface for full duplex operation:

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# duplex full

You can verify your setting by entering the show interfaces privileged EXEC command.

Related Commands

Command	Description
show interfaces	Displays the interface settings on the switch.
speed	Sets the speed on a 10/100/1000 Mbps interface.

errdisable detect cause

Use the errdisable detect cause global configuration command to enable error disable detection for a specific cause or all causes. Use the no form of this command to disable the error disable detection feature.

errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}

no errdisable detect cause {all | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap}

Syntax Description

all	Enable error detection for all error-disable states.
arp-inspection	Enable error detection for dynamic Address Resolution Protocol (ARP) inspection.
dhcp-rate-limit	Enable error detection for the DHCP rate limit cause.
dtp-flap	Enable error detection for the Dynamic Trunking Protocol (DTP) flap error-disable cause.
gbic-invalid	Enable error detection for an invalid GBIC error-disable cause.
l2ptguard	Enable error detection for a Layer 2 protocol-tunnel error-disable cause.
link-flap	Enable error detection for the link flap error-disable cause.
loopback	Enable error detection for detected loopbacks.
pagp-flap	Enable error detection for the Port Aggregation Protocol (PAgP) flap-error disable cause.

---

Note Though visible in the command-line help strings, the arp-inspection keyword is not supported.

---

Defaults

Detection is enabled for all causes.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.
12.1(8)EA1	The bpduguard, rootguard, and udld keywords were removed.
12.1(9)EA1	The l2ptguard and gbic-invalid keywords were added.
12.1(13)EA1	The loopback keyword was added.
12.1(19)EA1	The dhcp-rate-limit and loopback keywords were added.
12.2(25)SEA	The arp-inspection keyword was added.

Usage Guidelines

A cause (dhcp-rate-limit, dtp-flap, and so forth) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state, an operational state similar to link-down state.

If you set a recovery mechanism for the cause by entering the errdisable recovery global configuration command for the cause, the interface is brought out of the error-disabled state and allowed to retry the operation when all causes have timed out. If you do not set a recovery mechanism, you must enter the shutdown and then the no shutdown commands to manually recover an interface from the error-disabled state.

Examples

This example shows how to enable error disable detection for the link-flap error-disable cause:

Switch(config)# errdisable detect cause link-flap

You can verify your setting by entering the show errdisable detect privileged EXEC command.

Related Commands

Command	Description
show errdisable detect	Displays error-disabled detection information.
show interfaces status err-disabled	Displays interface status or a list of interfaces in the error-disabled state.

errdisable recovery

Use the errdisable recovery global configuration command to configure the recover mechanism variables. Use the no form of this command to return to the default setting.

errdisable recovery {cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps}} | {interval interval}

no errdisable recovery {cause {all | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | loopback | pagp-flap | psecure-violation | security-violation | udld | vmps}} | {interval interval}

Syntax Description

cause	Enable error disable to recover from a specific cause.
all	Enable the timer to recover from all error-disable causes.
arp-inspection	Enable the timer to recover from the Address Resolution Protocol (ARP) inspection error-disable state.
bpduguard	Enable the timer to recover from the bridge protocol data unit (BPDU) guard error-disable state.
channel-misconfig	Enable the timer to recover from the EtherChannel misconfiguration error-disable state.
dhcp-rate-limit	Enable the timer to recover from the DHCP error-disable state.
dtp-flap	Enable the timer to recover from the Dynamic Trunking Protocol (DTP) flap error-disable state.
gbic-invalid	Enable the timer to recover from an invalid GBIC error-disable state.
l2ptguard	Enable the timer to recover from a Layer 2 protocol tunnel error-disable state.
link-flap	Enable the timer to recover from the link-flap error-disable state.
loopback	Enable the timer to recover from a loopback error-disable state.
pagp-flap	Enable the timer to recover from the Port Aggregation Protocol (PAgP)-flap error-disable state.
psecure-violation	Enable the timer to recover from a port security violation disable state.
security-violation	Enable the timer to recover from an IEEE 802.1x violation disable state
udld	Enable the timer to recover from the UniDirectional Link Detection (UDLD) error-disable state.
vmps	Enable the timer to recover from the VLAN Membership Policy Server (VMPS) error-disable state.
interval interval	Specify the time to recover from the specified error-disable state. The range is 30 to 86400 seconds. The same interval is applied to all causes. The default interval is 300 seconds. Note The error-disabled recovery timer is initialized at a random differential from the configured interval value. The difference between the actual timeout value and the configured value can be up to 15 percent of the configured interval.

---

Note Though visible in the command-line help strings, the arp-inspection, storm-control, and unicast-flood keywords are not supported.

---

Defaults

Recovery is disabled for all causes.

The default recovery interval is 300 seconds.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.
12.1(8)EA1	The rootguard keyword was deleted.
12.1(9)EA1	The gbic-invalid, l2ptguard, and psecure-violation keywords were added.
12.1(13)EA1	The channel-misconfig keyword was added.
12.1(19)EA1	The dhcp-rate-limit, loopback, security-violation, and vmps keywords were added.
12.2(25)SEA	The arp-inspection keyword was added.

Usage Guidelines

A cause (bpduguard, dhcp-rate-limit, and so forth) is defined as the reason why the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state, an operational state similar to link-down state. If you do not enable the recovery for the cause, the interface stays in error-disabled state until you enter a shutdown and no shutdown interface configuration command. If you enable the recovery for a cause, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out.

Otherwise, you must enter the shutdown then no shutdown commands to manually recover an interface from the error-disabled state.

Examples

This example shows how to enable the recovery timer for the BPDU guard error-disable cause:

Switch(config)# errdisable recovery cause bpduguard

This example shows how to set the timer to 500 seconds:

Switch(config)# errdisable recovery interval 500

You can verify your settings by entering the show errdisable recovery privileged EXEC command.

Related Commands

Command	Description
show errdisable recovery	Displays error-disabled recovery timer information.
show interfaces status err-disabled	Displays interface status or a list of interfaces in error-disabled state.

fallback profile

Use the fallback profile global configuration command on the switch stack or on a standalone switch to create a fallback profile for web authentication. To return to the default setting, use the no form of this command.

fallback profile fallback-profile

no fallback profile

Syntax Description

fallback-profile	Configure a fallback profile for clients that do not support IEEE 802.1x authentication. The clients connect to the port by using web authentication.
ip	Create an IP configuration.
access-group	Specify access control for packets.
admission	Apply an IP admission rule.

Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release	Modification
12.2(35)SE	This command was introduced.

Usage Guidelines

The fallback profile is used to define the IEEE 802.1x fallback behavior for IEEE 802.1x ports that do not have supplicants. The only supported behavior is to fall back to web authentication.

Examples

This example shows how to create a fallback profile to be used with web authentication:

Switch# configure terminal

Switch(config)# ip admission name rule1 proxy http  
Switch(config)# fallback profile profile1 

Switch(config)# end

Switch#

You can verify your settings by entering the show running-configuration [interface interface-id] privileged EXEC command.

Related Commands

Command	Description
show dot1x [interface interface-id]	Displays IEEE 802.1x status for the specified port.
dot1x fallback	Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
ip admission	Enable web authentication on a switch port
ip admission name proxy http	Enable web authentication globally on a switch

flowcontrol

Use the flowcontrol interface configuration command to set the receive or send flow-control value for an interface. When flow control send is on for a device and it detects any congestion at its end, it notifies the link partner or the remote device of the congestion by sending a pause frame. When flow control receive is on for the remote device and it receives a pause frame, it stops sending any data packets. This prevents any loss of data packets during the congestion period.

Use the receive off and send off keywords to disable flow control.

flowcontrol {receive | send} {desired | off | on}

---

Note On the Catalyst 3550 switch, Gigabit Ethernet ports can receive and send pause frames; Fast Ethernet ports can receive only pause frames. Therefore, for 10/100 ports, the send keyword is not available.

---

Syntax Description

receive	Set whether the interface can receive flow-control packets from a remote device.
send	Set whether the interface can send flow-control packets to a remote device. This keyword is not available for 10/100 Mbps interfaces.
desired	When used with receive, allows an interface to operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets. When used with send, the interface sends flow-control packets to a remote device if the remote device supports it.
off	When used with receive, turns off an attached device's ability to send flow-control packets to an interface. When used with send, turns off the local port's ability to send flow-control packets to a remote device.
on	When used with receive, allows an interface to operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets. When used with send, the interface sends flow-control packets to a remote device if the remote device supports it.

Defaults

The defaults for Gigabit Ethernet interfaces are flowcontrol receive off and flowcontrol send desired. The defaults for Fast Ethernet interfaces are flowcontrol receive off and flowcontrol send off.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

You must not configure both IEEE 802.3z flow control and quality of service (QoS) on a switch. Before configuring flow control on an interface, use the no mls qos global configuration command to disable QoS on the switch.

Note that when used with receive, the on and desired keywords have the same result.

---

Note On the switch, 10/100/1000 Mbps and GBIC ports can receive and send pause frames; 10/100 Mbps ports can receive only pause frames. Therefore, for 10/100 ports, the conditions described in the next paragraphs are always send off.

---

When you use the flowcontrol command to set a port to control traffic rates during congestion, you are setting flow control on a port to one of these conditions:

•receive on and send on: Flow control operates in both directions; pause frames can be sent by both the local device and the remote device to show link congestion.

•receive on and send desired: The port can receive pause frames and is able to send pause frames if the attached device supports it.

•receive on and send off: The port cannot send out pause frames, but can operate with an attached device that is required to or is able to send pause frames; the port is able to receive pause frames.

•receive off and send on: The port sends pause frames if the remote device supports it, but cannot receive pause frames from the remote device.

•receive off and send desired: The port cannot receive pause frames, but can send pause frames if the attached device supports it.

•receive off and send off: Flow control does not operate in either direction. In case of congestion, no indication is given to the link partner and no pause frames are sent or received by either device.

Table 2-4 shows the flow control results on local and remote ports for a combination of settings. The table assumes that receive desired has the same results as using the receive on keywords. Because 10/100 Mbps ports cannot send pause frames, only the last two rows (send off) apply to these ports.

Table 2-4 Flow Control Settings and Local and Remote Port Flow Control Resolution 

Flow Control Settings		Flow Control Resolution
Local Device	Remote Device	Local Device	Remote Device
send on/receive on	send on/receive on send on/receive off send desired/receive on send desired/receive off send off/receive on send off/receive off	Sends and receives Does not send or receive Sends and receives Does not send or receive Sends and receives Does not send or receive	Sends and receives Does not send or receive Sends and receives Does not send or receive Receives only Does not send or receive
send on/receive off	send on/receive on send on/receive off send desired/receive on send desired/receive off send off/receive on send off/receive off	Does not send or receive Does not send or receive Sends only Does not send or receive Sends only Does not send or receive	Does not send or receive Does not send or receive Receives only Does not send or receive Receives only Does not send or receive
send desired/receive on	send on/receive on send on/receive off send desired/receive on send desired/receive off send off/receive on send off/receive off	Sends and receives Receives only Sends and receives Receives only Sends and receives Does not send or receive	Sends and receives Sends only Sends and receives Sends only Receives only Does not send or receive
send desired/receive off	send on/receive on send on/receive off send desired/receive on send desired/receive off send off/receive on send off/receive off	Does not send or receive Does not send or receive Sends only Does not send or receive Sends only Does not send or receive	Does not send or receive Does not send or receive Receives only Does not send or receive Receives only Does not send or receive
send off/receive on	send on/receive on send on/receive off send desired/receive on send desired/receive off send off/receive on send off/receive off	Receives only Receives only Receives only Receives only Receives only Does not send or receive	Sends and receives Sends only Sends and receives Sends only Receives only Does not send or receive
send off/receive off	send on/receive on send on/receive off send desired/receive on send desired/receive off send off/receive on send off/receive off	Does not send or receive Does not send or receive Does not send or receive Does not send or receive Does not send or receive Does not send or receive	Does not send or receive Does not send or receive Does not send or receive Does not send or receive Does not send or receive Does not send or receive

Examples

This example shows how to configure the local port to not support any level of flow control by the remote port:

Switch(config-if)# flowcontrol receive off

Switch(config-if)# flowcontrol send off

You can verify your settings by entering the show interfaces privileged EXEC command.

Related Commands

Command	Description
show interfaces flowcontrol	Displays interface input and output flow control settings and status.
show flowcontrol	Displays flow control settings and status for specified interfaces or all interfaces on the switch.

interface port-channel

Use the interface port-channel global configuration command to access or create the port-channel logical interface for Layer 3 routed interfaces. Use the no form of this command to remove the port-channel.

interface port-channel port-channel-number

no interface port-channel port-channel-number

Syntax Description

port-channel-number

Port-channel number. The range is 1 to 64.

Defaults

No port-channel logical interfaces are defined.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

For Layer 2 EtherChannels, you must configure the channel-group interface configuration command, which automatically creates the port-channel logical interface. You cannot put Layer 2 interfaces into a manually created port-channel interface.

You create Layer 3 port channels by using the interface port-channel command. You must manually configure the port-channel logical interface before putting the interface into the channel group.

Only one port channel in a channel group is allowed.

---

Caution When using a port-channel interface as a routed interface, do not assign Layer 3 addresses on the physical interfaces that are assigned to the channel group.

---

---

Caution Do not assign bridge groups on the physical interfaces in a channel group used as a Layer 3 port-channel interface because it creates loops. You must also disable spanning tree.

---

Follow these guidelines when you use the interface port-channel command:

•If you configure Inter-Switch Link (ISL), you must assign the IP address to the switch virtual interface (SVI).

•If you want to use the CDP, you must configure it only on the physical interface and not on the port-channel interface.

•If you do not assign a static MAC address on the port-channel interface, a MAC address is automatically assigned. If you assign a static MAC address and then later remove it, the MAC address is automatically assigned.

•Before enabling IEEE 802.1x authentication on a port, you must first remove it from the EtherChannel. If you try to enable IEEE 802.1x authentication on an EtherChannel or on an active port in an EtherChannel, an error message appears, and IEEE 802.1x authentication is not enabled.

Examples

This example shows how to create a port-channel interface with a port channel number of 5:

Switch(config)# interface port-channel 5

You can verify your setting by entering the show running-config privileged EXEC or show etherchannel channel-group-number detail privileged EXEC command.

Related Commands

Command	Description
channel-group	Assigns an Ethernet interface to an EtherChannel group.
show etherchannel	Displays EtherChannel information for a channel.
show running-config	Displays the current operating configuration. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

interface range

Use the interface range global configuration command to enter interface range configuration mode and to execute a command on multiple ports at the same time. Use the no form of this command to remove an interface range.

interface range {port-range | macro name}

no interface range {port-range | macro name}

Syntax Description

port-range	Port range. For a list of valid values for port-range, see the "Usage Guidelines" section.
macro name	Specify the name of a macro.

Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

When you enter interface range configuration mode, all interface parameters you enter are attributed to all interfaces within the range.

For VLANs, you can use the interface range command only on existing VLAN switch virtual interfaces (SVIs). To display VLAN SVIs, enter the show running-config privileged EXEC command. VLANs not displayed cannot be used in the interface range command. The commands entered under interface range command are applied to all existing VLAN SVIs in the range.

All configuration changes made to an interface range are saved to NVRAM, but the interface range itself is not saved to NVRAM.

You can enter the interface range in two ways:

•Specifying up to five interface ranges

•Specifying a previously defined interface-range macro

You can define up to five interface ranges with a single command, with each range separated by a comma.

All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs.

Valid values for port-range type and interface:

•vlan vlan-id, where vlan-id is 1 to 4094; do not enter leading zeros

•port-channel port-channel-number, where port-channel-number is from 1 to 64

•fastethernet interface-id

•gigabitethernet interface-id

For physical interfaces, the interface-id is defined as a slot/number (where slot is always 0 for the switch), and you can enter the range in one of these ways:

•type 0/number - number (for example, gigabitethernet0/1 -2)

•type 0/number - 0/number (for example, gigabitethernet0/1 - 0/2)

When you define a range, you must enter a space between the first entry and the hyphen (-):

interface range gigabitethernet0/1 -2, gigabitethernet0/4 -5

When you define multiple ranges, you must enter a space before and after the comma (,):

interface range fastethernet0/3 - 7, gigabitethernet0/1 - 2

You cannot specify both a macro and an interface range in the same command.

A single interface can also be specified in port-range (this would make the command similar to the interface interface-id global configuration command).

---

Note For more information about configuring interface ranges, see the software configuration guide for this release.

---

Examples

This example shows how to use the interface range command to enter interface range configuration mode to apply commands to two ports:

Switch(config)# interface range gigabitethernet0/1 - 2

Switch(config-if-range)#

This example shows how to use a port-range macro macro1 for the same function. The advantage is that you can reuse macro1 until you delete it.

Switch(config)# define interface-range macro1 gigabitethernet0/1 - 2

Switch(config)# interface range macro macro1

Switch(config-if-range)#

Related Commands

Command	Description
define interface-range	Creates an interface range macro.
show running-config	Displays the configuration information currently running on the switch. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

interface vlan

Use the interface vlan global configuration command to create or access a dynamic switch virtual interface (SVI) and to enter interface configuration mode. Use the no form of this command to delete an SVI.

interface vlan vlan-id

no interface vlan vlan-id

Syntax Description

vlan-id

VLAN number from 1 to 4094; do not enter leading zeros.

Defaults

The default VLAN interface is VLAN 1.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

SVIs are created the first time you enter the interface vlan vlan-id command for a particular vlan. The vlan-id corresponds to the VLAN-tag associated with data frames on an ISL or IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access port.

---

Note When you create an SVI, it does not become active until it is associated with a physical port.

---

If you delete an SVI by entering the no interface vlan vlan-id command, the deleted interface is no longer visible in the output from the show interfaces privileged EXEC command.

---

Note You cannot delete the VLAN 1 interface.

---

You can reinstate a deleted SVI by entering the interface vlan vlan-id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.

The number of routed ports and SVIs that you can configure is not limited by software; however, the interrelationship between this number and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For the Catalyst 3550 Gigabit Ethernet switches, the tables are based on 16 routed interfaces (SVIs and routed ports. For switches with mainly Fast Ethernet ports, the tables are based on 8 routed interfaces. For more information, see the sdm prefer command.

Examples

This example shows how to create a new SVI with VLAN ID 23 and enter interface configuration mode:

Switch(config)# interface vlan 23

Switch(config-if)#

You can verify your setting by entering the show interfaces and show interfaces vlan vlan-id privileged EXEC commands.

Related Commands

Command	Description
show interfaces vlan vlan-id	Displays the administrative and operational status of all interfaces or the specified VLAN.

ip access-group

Use the ip access-group interface configuration command to control access to a Layer 2 or Layer 3 interface. Use the no form of this command to remove all access groups or the specified access group from the interface.

ip access-group {access-list-number | name} {in | out}

no ip access-group [access-list-number | name] {in | out}

Syntax Description

access-list-number	The number of the IP access control list (ACL). The range is 1 to 199 and 1300 to 2699.
name	The name of an IP ACL, specified in the ip access-list global configuration command.
in	Specify filtering on inbound packets.
out	Specify filtering on outbound packets. This keyword is valid only on Layer 3 interfaces.

Defaults

No access list is applied to the interface.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

You can apply named or numbered standard or extended access lists to an interface. To define an access list by name, use the ip access-list global configuration command. To define a numbered access list, use the access list global configuration command. You can used numbered standard access lists ranging from 1 to 99 and 1300 to 1999 or extended access lists ranging from 100 to 199 and 2000 to 2699.

You can use this command to apply an access list to a Layer 2 or Layer 3 interface. However, note these limitations for Layer 2 interfaces (port ACLs):

•You can only apply ACLs in the inbound direction; the out keyword is not supported for Layer 2 interfaces.

•You can only apply one IP ACL and one MAC ACL per interface.

•Layer 2 interfaces do not support logging; if the log keyword is specified in the IP ACL, it is ignored.

•An IP ACL applied to a Layer 2 interface only filters IP packets. To filter non-IP packets, use the mac access-group interface configuration command with MAC extended ACLs.

You can apply IP ACLs to both outbound or inbound Layer 3 interfaces.

A Layer 2 interface can have only one IP ACL applied (in the inbound direction). A Layer 3 interface can have one IP ACL applied in each direction.

You cannot apply an IP ACL to a Layer 3 interface on a switch that has a Layer 2 interface with an applied IP ACL or MAC ACL, and you cannot apply a VLAN map to any of the switch VLANs.

You cannot apply an IP ACL or MAC ACL to a Layer 2 interface on a switch that has an input Layer 3 ACL or a VLAN map applied to it.

For standard inbound access lists, after the switch receives a packet, it checks the source address of the packet against the access list. IP extended access lists can optionally check other fields in the packet, such as the destination IP address, protocol type, or port numbers. If the access list permits the packet, the switch continues to process the packet. If the access list denies the packet, the switch discards the packet. If the access list has been applied to a Layer 3 interface, discarding a packet (by default) causes the generation of an Internet Control Message Protocol (ICMP) Host Unreachable message. ICMP Host Unreachable messages are not generated for packets discarded on a Layer 2 interface.

For standard outbound access lists, after receiving a packet and sending it to a controlled interface, the switch checks the packet against the access list. If the access list permits the packet, the switch sends the packet. If the access list denies the packet, the switch discards the packet and, by default, generates an ICMP Host Unreachable message.

If the specified access list does not exist, all packets are passed.

Examples

This example shows how to apply IP access list 101 to inbound packets on an interface:

Switch(config)# interface fastethernet0/1

Switch(config-if)# ip access-group 101 in

You can verify your settings by entering the show ip interface, show access-lists, or show ip access-lists privileged EXEC command.

Related Commands

Command	Description
access list	Configures a numbered ACL. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
ip access-list	Configures a named ACL. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
show access-lists	Displays ACLs configured on the switch.
show ip access-lists	Displays IP ACLs configured on the switch. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.
show ip interface	Displays information about interface status and configuration. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 > IP Services Commands.

ip address

Use the ip address interface configuration command to set an IP address for the Layer 2 switch or an IP address for each switch virtual interface (SVI) or routed port on the Layer 3 switch. Use the no form of this command to remove an IP address or to disable IP processing.

ip address ip-address subnet-mask [secondary]

no ip address [ip-address subnet-mask] [secondary]

Syntax Description

ip-address	IP address.
subnet-mask	Mask for the associated IP subnet.
secondary	(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

Defaults

No IP address is defined.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

If you remove the switch IP address through a Telnet session, your connection to the switch is lost.

Hosts can find subnet masks by sending an Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the switch detects another host using one of its IP addresses, it sends an error message to the console.

You can use the optional keyword secondary to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.

---

Note If any router on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.

---

When you are routing Open Shortest Path First (OSPF), ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.

If your switch receives its IP address from a Bootstrap Protocol (BOOTP) or DHCP server and you remove the switch IP address by using the no ip address command, IP processing is disabled, and the BOOTP or DHCP server cannot reassign the address.

A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed ports and SVIs that you can configure is not limited by software; however, the interrelationship between this number and the number of other features being configured might have an impact on CPU utilization due to hardware limitations. You can use the sdm prefer global configuration command to reallocate system hardware resources based on templates and feature tables. For the Catalyst 3550 Gigabit Ethernet switches, the tables are based on 16 routed interfaces (SVIs and routed ports. For switches with mainly Fast Ethernet ports, the tables are based on 8 routed interfaces. For more information, see the sdm prefer command.

Examples

This example shows how to configure the IP address for the Layer 2 switch on a subnetted network:

Switch(config)# interface vlan 1

Switch(config-if)# ip address 172.20.128.2 255.255.255.0 

This example shows how to configure the IP address for a port on the Layer 3 switch:

Switch(config)# ip multicast-routing

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# no switchport

Switch(config-if)# ip address 172.20.128.2 255.255.255.0

You can verify your settings by entering the show running-config privileged EXEC command.

Command	Description
show running-config	Displays the running configuration on the switch. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

ip admission

Use the ip admission interface configuration command to enable web authentication. You can also use this command in fallback-profile mode. Use the no form of this command to disable web authentication.

ip admission rule

no ip admission

Syntax Description

rule	Apply an IP admission rule to the interface.

Command Modes

Global configuration

Command History

Release	Modification
12.2(35)SE	This command was introduced.

Usage Guidelines

The ip admission command applies a web authentication rule to a switch port.

Examples

This example shows how to apply a web authentication rule to a switchport:

Switch# configure terminal

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# ip admission rule1

This example shows how to apply a web authentication rule to a fallback profile for use on an IEEE 802.1x enabled switch port.

Switch# configure terminal

Switch(config)# fallback profile profile1

Switch(config)# ip admission name rule1

Switch(config)# end

Related Commands

Command	Description
dot1x fallback	Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
fallback profile	Enable web authentication on a port
ip admission name proxy http	Enable web authentication globally on a switch
show ip admission	Displays information about NAC cached entries or the NAC configuration. For more information, see the Network Admission Control Software Configuration Guide on Cisco.com.

ip admission name proxy http

Use the ip admission name proxy http global configuration command to enable web authentication. Use the no form of this command to disable web authentication.

ip admission name proxy http

no ip admission name proxy http

Syntax Description

This command has no arguments or keywords.

Defaults

Web authentication is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(35)SE	This command was introduced.

Usage Guidelines

The ip admission name proxy http command globally enables web authentication on a switch.

After you enable web authentication on a switch, use the ip access-group in and ip admission web-rule interface configuration commands to enable web authentication on a specific interface.

Examples

This example shows how to configure only web authentication on a switchport:

Switch# configure terminal

Switch(config) ip admission name http-rule proxy http 

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# ip access-group 101 in

Switch(config-if)# ip admission rule

Switch(config-if)# end

This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback mechanism on a switchport.

Switch# configure terminal

Switch(config)# ip admission name rule2 proxy http 

Switch(config)# fallback profile profile1

Switch(config)# ip access group 101 in

Switch(config)# ip admission name rule2

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)# dot1x port-control auto

Switch(config-if)# dot1x fallback profile1

Switch(config-if)# end

Related Commands

Command	Description
dot1x fallback	Configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication.
fallback profile	Create a web authentication fallback profile.
ip admission	Enable web authentication on a port
show ip admission	Displays information about NAC cached entries or the NAC configuration. For more information, see the Network Admission Control Software Configuration Guide on Cisco.com.

ip arp inspection filter vlan

Use the ip arp inspection filter vlan global configuration command to permit or deny Address Resolution Protocol (ARP) requests and responses from a host configured with a static IP address when dynamic ARP inspection is enabled. Use the no form of this command to return to the default settings.

ip arp inspection filter arp-acl-name vlan vlan-range [static]

no ip arp inspection filter arp-acl-name vlan vlan-range [static]

Syntax Description

arp-acl-name	ARP access control list (ACL) name.
vlan-range	VLAN number or range. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
static	(Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used. If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.

Defaults

No defined ARP ACLs are applied to any VLAN.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

When an ARP ACL is applied to a VLAN for dynamic ARP inspection, only the ARP packets with IP-to-MAC address bindings are compared against the ACL. If the ACL permits a packet, the switch forwards it. All other packet types are bridged in the ingress VLAN without validation.

If the switch denies a packet because of an explicit deny statement in the ACL, the packet is dropped. If the switch denies a packet because of an implicit deny statement, the packet is then compared against the list of DHCP bindings (unless the ACL is static, which means that packets are not compared against the bindings).

Use the arp access-list acl-name global configuration command to define the ARP ACL or to add clauses to the end of a predefined list.

Examples

This example shows how to apply the ARP ACL static-hosts to VLAN 1 for dynamic ARP inspection:

Switch(config)# ip arp inspection filter static-hosts vlan 1

You can verify your settings by entering the show ip arp inspection vlan 1 privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP ACL.
deny (ARP access-list configuration)	Denies an ARP packet based on matches against the DHCP bindings.
permit (ARP access-list configuration)	Permits an ARP packet based on matches against the DHCP bindings.
show arp access-list	Displays detailed information about ARP access lists.
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.

ip arp inspection limit

Use the ip arp inspection limit interface configuration command to limit the rate of incoming Address Resolution Protocol (ARP) requests and responses on an interface. It prevents dynamic ARP inspection from using all of the switch resources if a denial-of-service occurs. Use the no form of this command to return to the default settings.

ip arp inspection limit {rate pps [burst interval seconds] | none}

no ip arp inspection limit

Syntax Description

rate pps	Specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 packets per second (pps).
burst interval seconds	(Optional) Specify the consecutive interval in seconds, over which the interface is monitored for a high rate of ARP packets.The range is 1 to 15 seconds.
none	Specify no upper limit for the rate of incoming ARP packets that can be processed.

Defaults

The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

The burst interval is 1 second.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

The rate applies to both trusted and untrusted interfaces. Configure appropriate rates on trunks to process packets across multiple dynamic ARP inspection-enabled VLANs, or use the none keyword to make the rate unlimited.

After a switch receives more than the configured rate of packets every second consecutively over a number of burst seconds, the interface is placed into an error-disabled state.

Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.

You should configure trunk ports with higher rates to reflect their aggregation. When the rate of incoming packets exceeds the user-configured rate, the switch places the interface into an error-disabled state. The error-disable recovery feature automatically removes the port from the error-disabled state according to the recovery setting.

The rate of incoming ARP packets on EtherChannel ports equals to the sum of the incoming rate of ARP packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on all the channel members.

Examples

This example shows how to limit the rate of incoming ARP requests on a port to 25 pps and to set the interface monitoring interval to 5 consecutive seconds:

Switch(config)# interface gigabitethernet 0/1

Switch(config-if)# ip arp inspection limit rate 25 burst interval 5

You can verify your settings by entering the show ip arp inspection interfaces interface-id privileged EXEC command.

Related Commands

Command	Description
show ip arp inspection interfaces	Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.

ip arp inspection log-buffer

Use the ip arp inspection log-buffer global configuration command to configure the dynamic Address Resolution Protocol (ARP) inspection logging buffer. Use the no form of this command to return to the default settings.

ip arp inspection log-buffer {entries number | logs number interval seconds}

no ip arp inspection log-buffer {entries | logs}

Syntax Description

entries number	Number of entries to be logged in the buffer. The range is 0 to 1024.
logs number interval seconds	Number of entries needed in the specified interval to generate system messages. For logs number, the range is 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated. For interval seconds, the range is 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty).

Defaults

When dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.

The number of log entries is 32.

The number of system messages is limited to 5 per second.

The logging-rate interval is 1 second.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

A value of 0 is not allowed for both the logs and the interval keywords.

The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds. For example, if the logs number is 20 and the interval seconds is 4, the switch generates system messages for five entries every second while there are entries in the log buffer.

A log buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a system message as a single entry.

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the output display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer, or increase the logging rate.

Examples

This example shows how to configure the logging buffer to hold up to 45 entries:

Switch(config)# ip arp inspection log-buffer entries 45

This example shows how to configure the logging rate to 20 log entries per 4 seconds. With this configuration, the switch generates system messages for five entries every second while there are entries in the log buffer.

Switch(config)# ip arp inspection log-buffer logs 20 interval 4

You can verify your settings by entering the show ip arp inspection log privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP access control list (ACL).
clear ip arp inspection log	Clears the dynamic ARP inspection log buffer.
ip arp inspection vlan logging	Controls the type of packets that are logged per VLAN.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.

ip arp inspection trust

Use the ip arp inspection trust interface configuration command to configure an interface trust state that determines which incoming Address Resolution Protocol (ARP) packets are inspected. Use the no form of this command to return to the default setting.

ip arp inspection trust

no ip arp inspection trust

This command is available only if your switch is running the IP services image, formerly known as the enhanced multilayer image (EMI).

Syntax Description

This command has no arguments or keywords.

Defaults

The interface is untrusted.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

The switch does not check ARP packets that it receives on the trusted interface; it simply forwards the packets.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.

Examples

This example shows how to configure a port to be trusted:

Switch(config)# interface gigabitethernet 0/1

Switch(config-if)# ip arp inspection trust 

You can verify your setting by entering the show ip arp inspection interfaces interface-id privileged EXEC command.

Related Commands

Command	Description
ip arp inspection log-buffer	Configures the dynamic ARP inspection logging buffer.
show ip arp inspection interfaces	Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.

ip arp inspection validate

Use the ip arp inspection validate global configuration command to perform specific checks for dynamic Address Resolution Protocol (ARP) inspection. Use the no form of this command to return to the default settings.

ip arp inspection validate {[src-mac] [dst-mac] [ip]}

no ip arp inspection validate [src-mac] [dst-mac] [ip]

Syntax Description

src-mac	Compare the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
dst-mac	Compare the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
ip	Compare the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are compared in all ARP requests and responses. Target IP addresses are compared only in ARP responses.

Defaults

No checks are performed.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src-mac and dst-mac validations, and a second command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.

If you first specify the src-mac keyword, you also can specify the dst-mac and ip keywords. If you first specify the ip keyword, no other keywords can be specified.

The no form of the command disables only the specified checks. If none of the options are enabled, all checks are disabled.

Examples

This example show how to enable source MAC validation:

Switch(config)# ip arp inspection validate src-mac 

You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.

Related Commands

Command	Description
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.

ip arp inspection vlan

Use the ip arp inspection vlan global configuration command to enable dynamic Address Resolution Protocol (ARP) inspection on a per-VLAN basis. Use the no form of this command to return to the default setting.

ip arp inspection vlan vlan-range

no ip arp inspection vlan vlan-range

Syntax Description

vlan-range

VLAN number or range. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

Defaults

ARP inspection is disabled on all VLANs.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

You must specify the VLANs on which to enable dynamic ARP inspection.

Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

Examples

This example shows how to enable dynamic ARP inspection on VLAN 1:

Switch(config)# ip arp inspection vlan 1

You can verify your setting by entering the show ip arp inspection vlan vlan-range privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP access control list (ACL).
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.

ip arp inspection vlan logging

Use the ip arp inspection vlan logging global configuration command to control the type of packets that are logged per VLAN. Use the no form of this command to disable this logging control.

ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}

no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}

Syntax Description

vlan-range	Specify the VLANs configured for logging. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
acl-match {matchlog | none}	Specify that the logging of packets is based on access control list (ACL) matches. The keywords have these meanings: •matchlog—Log packets based on the logging configuration specified in the access control entries (ACE). If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, Address Resolution Protocol (ARP) packets permitted or denied by the ACL are logged. •none—Do not log packets that match ACLs.
dhcp-bindings {permit | all | none}	Specify the logging of packets is based on Dynamic Host Configuration Protocol (DHCP) binding matches. The keywords have these meanings: •all—Log all packets that match DHCP bindings. •none—Do not log packets that match DHCP bindings. •permit—Log DHCP-binding permitted packets.

Defaults

All denied or all dropped packets are logged.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

The term logged means that the entry is placed into the log buffer and that a system message is generated.

The acl-match and dhcp-bindings keywords merge with each other; that is, when you configure an ACL match, the DHCP bindings configuration is not disabled. Use the no form of the command to reset the logging criteria to their defaults. If neither option is specified, all types of logging are reset to log when Address Resolution Protocol (ARP) packets are denied. These are the options:

•acl-match—Logging on ACL matches is reset to log on deny.

•dhcp-bindings—Logging on DHCP binding matches is reset to log on deny.

If neither the acl-match or the dhcp-bindings keywords are specified, all denied packets are logged.

The implicit deny at the end of an ACL does not include the log keyword. This means that when you use the static keyword in the ip arp inspection filter vlan global configuration command, the ACL overrides the DHCP bindings. Some denied packets might not be logged unless you explicitly specify the deny ip any mac any log ACE at the end of the ARP ACL.

Examples

This example shows how to configure ARP inspection on VLAN 1 to log packets that match the permit commands in the ACL:

Switch(config)# arp access-list test1

Switch(config-arp-nacl)# permit request ip any mac any log

Switch(config-arp-nacl)# permit response ip any any mac any any log

Switch(config-arp-nacl)# exit

Switch(config)# ip arp inspection vlan 1 logging acl-match matchlog 

You can verify your settings by entering the show ip arp inspection vlan vlan-range privileged EXEC command.

Related Commands

Command	Description
arp access-list	Defines an ARP ACL.
clear ip arp inspection log	Clears the dynamic ARP inspection log buffer.
ip arp inspection log-buffer	Configures the dynamic ARP inspection logging buffer.
show ip arp inspection log	Displays the configuration and contents of the dynamic ARP inspection log buffer.
show ip arp inspection vlan vlan-range	Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN.

ip dhcp snooping

Use the ip dhcp snooping global configuration command to enable DHCP snooping globally. Use the no form of this command to return to the default setting.

ip dhcp snooping

no ip dhcp snooping

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP snooping is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

You must globally enable DHCP snooping for any DHCP snooping configuration to take effect.

DHCP snooping is not active until snooping is enabled on a VLAN by using the ip dhcp snooping VLAN vlan-id global configuration command.

In Cisco IOS Release 12.1(19)EA1, the implementation for the option-82 subscriber identification changed from the previous release. The new option-82 format uses a different circuit ID and remote ID suboption, vlan-mod-port. The previous version uses the snmp-ifindex circuit ID and remote ID suboption.

If you have option 82 configured on the switch and you upgrade to Cisco IOS Release 12.1(19)EA1 or later, the option-82 configuration is not affected. However, when you enable DHCP snooping globally on the switch by using the ip dhcp snooping global configuration command, the previous option-82 configuration is suspended, and the new option-82 format is applied. When you disable DHCP snooping on the switch, the previous option-82 configuration is re-enabled.

To provide for backward compatibility, you can select the previous option-82 format by using the ip dhcp snooping information option format snmp-ifindex global configuration command when you enable DHCP snooping. When DHCP snooping is enabled globally, option-82 information (in the selected format) is inserted only on snooped VLANs.

To use the previous version of option 82 without enabling DHCP snooping, see the software configuration guide for more information.

Examples

This example shows how to enable DHCP snooping:

Switch(config)# ip dhcp snooping

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
ip dhcp snooping vlan	Enables DHCP snooping on a VLAN.
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics in summary or detail form.

ip dhcp snooping binding

Use the ip dhcp snooping binding privileged EXEC command to configure the DHCP snooping binding database and to add binding entries to the database. Use the no form of this command to delete entries from the binding database.

ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds

no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id

This command is available only if your switch is running the IP services image, formerly known as the enhanced multilayer image (EMI).

Syntax Description

mac-address	Specify a MAC address.
vlan vlan-id	Specify a VLAN number. The range is from 1 to 4904.
ip-address	Specify an IP address.
interface interface-id	Specify an interface on which to add or delete a binding entry.
expiry seconds	Specify the interval (in seconds) after which the binding entry is no longer valid. The range is from 1 to 4294967295.

Defaults

No default database is defined.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(25)SE	This command was introduced.

Usage Guidelines

In the DHCP snooping binding database, each database entry, also referred to a binding, has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database can have up to 512 bindings.

When a switch learns new bindings or it loses bindings, the switch updates the entries in the database and in the binding file at a configured location. The frequency at which the database and the file are updated is based on a configurable delay, and the updates are batched. You can configure this delay by using the ip dhcp snooping database write-delay seconds global configuration command.

Use the show ip dhcp snooping binding privileged EXEC command to display only the dynamically configured bindings. Use the show ip source binding privileged EXEC command to display the dynamically and statically configured bindings.

Examples

This example shows how to generate a DHCP binding configuration with an expiration time of 1000 seconds on a port in VLAN 1:

Switch# ip dhcp snooping binding 0001.1234.1234 vlan 1 172.20.50.5 interface 
gigabitethernet0/1 expiry 1000

You can verify your settings by entering the show ip dhcp snooping binding or the show ip dhcp source binding privileged EXEC command.

Related Commands

Command	Description
ip dhcp snooping	Enables DHCP snooping on a VLAN.
show ip dhcp snooping binding	Displays the dynamically configured bindings in the DHCP snooping binding database and the configuration information.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics in summary or detail form.

ip dhcp snooping database

Use the ip dhcp snooping database global configuration command to configure the DHCP snooping binding database agent. Use the no form of this command to disable the agent, to reset the timeout value, or to reset the write-delay value.

ip dhcp snooping database {{flash:/filename | ftp://user:password@host/filename | http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar | rcp://user@host/filename | tftp://host/filename} | timeout seconds | write-delay seconds}

no ip dhcp snooping database [timeout | write-delay]

This command is available only if your switch is running the IP services image, formerly known as the enhanced multilayer image (EMI).

Syntax Description

flash:/filename	Specify that the database agent or the binding file is in the flash memory.
ftp://user:password@host/filename	Specify that the database agent or the binding file is on an FTP server.
http://[[username:password]@] {hostname | host-ip}[/directory] /image-name.tar	Specify that the database agent or the binding file is on an FTP server.
rcp://user@host/filename	Specify that the database agent or the binding file is on a Remote Control Protocol (RCP) server.
tftp://host/filename	Specify that the database agent or the binding file is on a TFTP server.
timeout seconds	Specify (in seconds) when to stop the database transfer process after the DHCP snooping binding database changes. The default is 300 seconds. The range is from 0 to 86400. Use 0 to define an infinite duration.
write-delay seconds	Specify (in seconds) the duration for which the transfer should be delayed after the binding database changes. The default is 300 seconds. The range is from 15 to 86400.

Defaults

The URL for the database agent or binding file is not defined.

The timeout value is 300 seconds (5 minutes).

The write-delay value is 300 seconds (5 minutes).

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

The DHCP snooping binding database can have up to 8192 bindings.

To ensure that the lease time in the database is accurate, we recommend that Network Time Protocol (NTP) is enabled and configured for these features:

•NTP authentication

•NTP peer and server associations

•NTP broadcast service

•NTP access restrictions

•NTP packet source IP address

If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.

Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store a binding file on a TFTP server. You must create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write bindings to the binding file at that URL for the first time.

Use the ip dhcp snooping database flash:/filename command to save the DHCP snooping binding database in the stack master NVRAM. The database is not saved in a stack member NVRAM.

Use the no ip dhcp snooping database command to disable the agent.

Use the no ip dhcp snooping database timeout command to reset the timeout value.

Use the no ip dhcp snooping database write-delay command to reset the write-delay value.

Examples

This example shows how to store a binding file at an IP address of 10.1.1.1 that is in a directory called directory. A file named file must be present on the TFTP server.

Switch(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file

This example shows how to store a binding file called file01.txt in the stack master NVRAM.

Switch(config)# ip dhcp snooping database flash:file01.txt

You can verify your settings by entering the show ip dhcp snooping database privileged EXEC command.

Related Commands

Command	Description
ip dhcp snooping	Enables DHCP snooping on a VLAN.
ip dhcp snooping binding	Configures the DHCP snooping binding database.
show ip dhcp snooping database	Displays the status of DHCP snooping database agent.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics in summary or detail form.

ip dhcp snooping information option

Use the ip dhcp snooping information option global configuration command to enable DHCP option-82 data insertion. Use the no form of this command to disable DHCP option-82 data insertion.

ip dhcp snooping information option

no ip dhcp snooping information option

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP option-82 data insertion is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.

When the option-82 feature is enabled and a switch receives a DHCP request from a host, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port or snmp-ifindex, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server.

When the DHCP server receives the packet, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or a circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.

The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch inspects the remote ID and possibly the circuit ID fields to verify that it originally inserted the option-82 data. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP host that sent the DHCP request.

In Cisco IOS Release 12.1(19)EA1, the implementation for the option-82 subscriber identification changed from the previous release. The new option-82 format uses a different circuit ID and remote ID suboption, vlan-mod-port. The previous version uses the snmp-ifindex circuit ID and remote ID suboption.

You can select the previous option-82 format by using the ip dhcp snooping information option format snmp-ifindex global configuration command. When DHCP snooping is enabled globally, option-82 information (in the selected format) is only inserted on snooped VLANs.

Examples

This example shows how to enable DHCP option-82 data insertion:

Switch(config)# ip dhcp snooping information option

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics in summary or detail form.

ip dhcp snooping information option allow-untrusted

Use the ip dhcp snooping information option allow-untrusted global configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch. Use the no form of this command to configure the switch to drop these packets from the edge switch.

ip dhcp snooping information option allow-untrusted

no ip dhcp snooping information option allow-untrusted

Syntax Description

This command has no arguments or keywords.

Defaults

The switch drops DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch.

Command Modes

Global configuration

Command History

Release	Modification
12.1(22)EA3	This command was introduced.

Usage Guidelines

In Cisco IOS Release 12.1(22)EA3 and in Cisco IOS Release 12.2(25)SEA or later, you might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted port and does not learn DHCP snooping bindings for connected devices on a trusted interface.

If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allow-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted port. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted port.

---

Note Do not enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.

---

Examples

This example shows how to configure an access switch to not check the option-82 information in untrusted packets from an edge switch and to accept the packets:

Switch(config)# ip dhcp snooping information option allow-untrusted

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics in summary or detail form.

ip dhcp snooping information option format remote-id

Use the ip dhcp snooping information option format remote-id global configuration command on the switch to configure the option-82 remote-ID suboption. Use the no form of this command to configure the default remote-ID suboption.

ip dhcp snooping information option format remote-id [string ASCII-string | hostname]

no ip dhcp snooping information option format remote-id

Syntax Description

string ASCII-string	Specify a remote ID, using up to 63 ASCII characters (no spaces).
hostname	Specify the switch hostname as the remote ID.

Defaults

The switch MAC address is the remote ID.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.

Usage Guidelines

You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.

When the option-82 feature is enabled, by default, the remote-ID suboption is the switch MAC address. You can use this command to configure either the switch hostname or a string of ASCII characters (but no spaces) to be the remote ID.

---

Note If the hostname exceeds 63 characters, it is truncated to 63 characters in the remote-ID configuration.

---

Examples

This example shows how to configure the option-82 remote-ID suboption:

Switch(config)# ip dhcp snooping information option format remote-id hostname

You can verify your settings by entering the show ip dhcp snooping user EXEC command.

Related Commands

Command	Description
ip dhcp snooping vlan information option format-type circuit-id string	Configures the option-82 circuit-ID suboption.
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics in summary or detail form.

ip dhcp snooping information option format snmp-ifindex

Use the ip dhcp snooping information option format snmp-ifindex global configuration command to select the snmp-ifindex alternative option-82 data format. Use the no form of this command to use the vlan-mod-port option-82 data format.

ip dhcp snooping information option format snmp-ifindex

no ip dhcp snooping information option format snmp-ifindex

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP option-82 data insertion uses the vlan-mod-port format.

Command Modes

Global configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

If you have option 82 configured on the switch and you upgrade to Cisco IOS Release 12.1(19)EA1 or later, the option 82 configuration is not affected. However, when you enable DHCP snooping globally on the switch by using the ip dhcp snooping global configuration command, the relay agent information option configuration is disabled. This happens regardless of whether snooping is enabled on any VLANs. To provide for backward compatibility when using option 82 with DHCP snooping, you can select the previous option-82 format by using the ip dhcp snooping information option format snmp-ifindex global configuration command.

You can configure some switches in the network to continue using the previous option 82 format, and configure DHCP snooping on other switches in the network.

Option-82 information is only inserted on snooped VLANs.

Examples

This example shows how to enable DHCP option 82 data insertion in the snmp-ifindex format:

Switch(config)# ip dhcp snooping information option format snmp-ifindex

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics in summary or detail form.

ip dhcp snooping limit rate

Use the ip dhcp snooping limit rate interface configuration command to configure the number of DHCP messages an interface can receive per second. Use the no form of this command to return to the default setting.

ip dhcp snooping limit rate rate

no ip dhcp snooping limit rate

Syntax Description

rate	Number of DHCP messages an interface can receive per second. The range is 1 to 2048.

Defaults

DHCP snooping rate limiting is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.
12.2(25)SE	The range was changed to 1 to 2048.

Usage Guidelines

Normally, the rate limit applies to untrusted interfaces. If you want to configure rate limiting for trusted interfaces, keep in mind that trusted interfaces might aggregate DHCP traffic on multiple VLANs (some of which might not be snooped) in the switch, and you will need to adjust the interface rate limits to a higher value.

If the rate limit is exceeded, the interface is error-disabled. If you enabled error recovery by entering the errdisable recovery dhcp-rate-limit global configuration command, the interface retries the operation again when all the causes have timed out. If the error-recovery mechanism is not enabled, the interface stays in the error-disabled state until you enter the shutdown and no shutdown interface configuration commands.

Examples

This example shows how to set a message rate limit of 150 messages per second on an interface:

Switch(config-if)# ip dhcp snooping limit rate 150

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
errdisable recovery	Configures the recover mechanism.
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.
show ip dhcp snooping statistics	Displays the DHCP snooping statistics in summary or detail form.

ip dhcp snooping trust

Use the ip dhcp snooping trust interface configuration command to configure a port as trusted for DHCP snooping purposes. Use the no form of this command to return to the default setting.

ip dhcp snooping trust

no ip dhcp snooping trust

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP snooping trust is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

Configure as trusted ports that are connected to a DHCP server or to other switches or routers. Configure as untrusted ports that are connected to DHCP clients.

Examples

This example shows how to enable DHCP snooping trust on a port:

Switch(config-if)# ip dhcp snooping trust

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.

ip dhcp snooping verify

Use the ip dhcp snooping verify global configuration command to configure the switch to verify on an untrusted port that the source MAC address in a DHCP packet matches the client hardware address. Use the no form of this command to configure the switch to not verify the MAC addresses.

ip dhcp snooping verify mac-address

no ip dhcp snooping verify mac-address

Syntax Description

This command has no arguments or keywords.

Defaults

The switch verifies the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SE	This command was introduced.

Usage Guidelines

In a service-provider network, when a switch receives a packet from a DHCP client on an untrusted port, it automatically verifies that the source MAC address and the DHCP client hardware address match. If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.

Examples

This example shows how to disable the MAC address verification:

Switch(config)# no ip dhcp snooping verify mac-address

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.

ip dhcp snooping vlan

Use the ip dhcp snooping vlan global configuration command to enable DHCP snooping on a VLAN. Use the no form of this command to disable DHCP snooping on a VLAN.

ip dhcp snooping vlan vlan-range

no ip dhcp snooping vlan vlan-range

Syntax Description

vlan vlan-range

Specify a VLAN ID or range of VLANs on which to enable DHCP snooping. The range is 1 to 4094. You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.

Defaults

DHCP snooping is disabled on all VLANs.

Command Modes

Global configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

You must first globally enable DHCP snooping before enabling DHCP snooping on a VLAN.

Examples

This example shows how to enable DHCP snooping on VLAN 10:

Switch(config)# ip dhcp snooping vlan 10

You can verify your settings by entering the show ip dhcp snooping privileged EXEC command.

Related Commands

Command	Description
show ip dhcp snooping	Displays the DHCP snooping configuration.
show ip dhcp snooping binding	Displays the DHCP snooping binding information.

ip dhcp snooping vlan information option format-type circuit-id string

Use the ip dhcp snooping information option format-type circuit-id interface configuration command on the switch to configure the option-82 circuit-ID suboption. Use the no form of this command to configure the default circuit-ID suboption.

ip dhcp snooping vlan vlan information option format-type circuit-id string ASCII-string

no ip dhcp snooping vlan vlan information option format-type circuit-id string

Syntax Description

vlan vlan	Specify the VLAN ID. The range is 1 to 4094.
string ASCII-string	Specify a circuit ID, using from 3 to 63 ASCII characters (no spaces).

Defaults

The switch VLAN and the port identifier, in the format vlan-mod-port, is the default circuit ID.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEE	This command was introduced.

Usage Guidelines

You must globally enable DHCP snooping by using the ip dhcp snooping global configuration command for any DHCP snooping configuration to take effect.

When the option-82 feature is enabled, the default circuit-ID suboption is the switch VLAN and the port identifier, in the format vlan-mod-port. You can use this command to configure a string of ASCII characters to be the remote ID.

---

Note When configuring a large number of circuit IDs on a switch, consider the impact of lengthy character strings on the NVRAM or the flash memory. If the circuit-ID configurations, combined with other data, exceed the capacity of the NVRAM or the flash memory, an error message appears.

---

Examples

This example shows how to configure the option-82 circuit-ID suboption:

Switch(config-if)# ip dhcp snooping vlan 250 information option format-type circuit-id 
customerABC-250-0-0

You can verify your settings by entering the show ip dhcp snooping user EXEC command.

---

Note The show command only displays the global command output, including a remote-ID configuration. It does not display any per-interface, per-VLAN string that you have configured for the circuit ID.

---

Related Commands

Command	Description
ip dhcp snooping information option format remote-id	Configures the option-82 remote-ID suboption.
show ip dhcp snooping	Displays the DHCP snooping configuration.

ip igmp filter

Use the ip igmp filter interface configuration command to control whether or not all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an Internet Group Management Protocol (IGMP) profile to the interface. Use the no form of this command to remove the specified profile from the interface.

ip igmp filter profile number

no ip igmp filter

Syntax Description

profile number

The IGMP profile number to be applied. The range is 1 to 4294967295.

Defaults

No IGMP filters are applied.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.

Usage Guidelines

You can apply IGMP filters only to Layer 2 physical interfaces; you cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.

An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.

Examples

This example shows how to apply IGMP profile 22 to an interface.

Switch(config)# interface fastethernet0/1

Switch(config-if)# ip igmp filter 22

You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.

Switch# show running-config interface fastethernet0/1

Building configuration...

Current configuration : 124 bytes

!

interface FastEthernet0/1

 no ip address

 shutdown

 snmp trap link-status

 ip igmp filter 22

end

Related Commands

Command	Description
ip igmp profile	Configures the specified IGMP profile number.
show ip igmp profile	Displays the characteristics of the specified IGMP profile.
show running-config interface interface-id	Displays the running configuration on the switch interface, the IGMP profile (if any) that is applied to an interface. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

ip igmp max-groups

Use the ip igmp max-groups interface configuration command to set the maximum number of Internet Group Management Protocol (IGMP) groups that a Layer 2 interface can join or to configure the IGMP throttling action when the maximum number of entries is in the forwarding table. Use the no form of this command to return to the default settings.

ip igmp max-groups {number | action {deny | replace}}

no ip igmp max-groups {number | action}

Syntax Description

number	The maximum number of IGMP groups that an interface can join. The range is 0 to 4294967294. The default is no limit.
action deny	When the maximum number of entries is in the IGMP snooping forwarding table, drop the next IGMP join report. This is the default action.
action replace	When the maximum number of entries is in the IGMP snooping forwarding table, replace the existing group with the new group for which the IGMP report was received.

Defaults

The default maximum number of groups is no limit.

After the switch learns the maximum number of IGMP group entries on an interface, the default throttling action is to drop the next IGMP report that the interface receives and to not add an entry for the IGMP group to the interface.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.
12.1(19)EA1	The action {deny | replace} keywords were added.

Usage Guidelines

You can use this command only on Layer 2 physical interfaces and on logical EtherChannel interfaces. You cannot set IGMP maximum groups or configure the IGMP throttling action for routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.

Follow these guidelines when configuring the IGMP throttling action:

•If you configure the throttling action as deny and set the maximum group limitation, the entries that were previously in the forwarding table are not removed but are aged out. After these entries are aged out and the maximum number of entries is in the forwarding table, the switch drops the next IGMP report received on the interface.

•If you configure the throttling action as replace and set the maximum group limitation, the entries that were previously in the forwarding table are removed. When the maximum number of entries is in the forwarding table, the switch replaces a randomly-selected multicast entry with the received IGMP report.

•When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups {deny | replace} command has no effect.

Examples

This example shows how to limit to 25 the number of IGMP groups that an interface can join.

Switch(config)# interface fastethernet0/1

Switch(config-if)# ip igmp max-groups 25

This example shows how to configure the switch to replace the existing group with the new group for which the IGMP report was received when the maximum number of entries is in the forwarding table:

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# ip igmp max-groups action replace

You can verify your setting by using the show running-config privileged EXEC command and by specifying an interface.

Related Commands

Command	Description
show running-config interface interface-id	Displays the running configuration on the switch interface, including the maximum number of IGMP groups that an interface can join and the throttling action. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

ip igmp profile

Use the ip igmp profile global configuration command to create an Internet Group Management Protocol (IGMP) profile and enter igmp profile configuration mode. From this mode, you can specify the configuration of the IGMP profile to be used for filtering IGMP membership reports from a switchport. Use the no form of this command to delete the IGMP profile.

ip igmp profile profile number

no ip igmp profile profile number

Syntax Description

profile number

The IGMP profile number being configured. The range is 1 to 4294967295.

Defaults

No IGMP profiles are defined. When configured, the default action for matching an IGMP profile is to deny matching addresses.

Command Modes

Global configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.

Usage Guidelines

When you are in IGMP profile configuration mode, you can create the profile by using these commands:

•deny: specifies that matching addresses are denied; this is the default condition.

•exit: exits from igmp-profile configuration mode.

•no: negates a command or resets to its defaults.

•permit: specifies that matching addresses are permitted.

•range: specifies a range of IP addresses for the profile. This can be a single IP address or a range with a start and an end address.

When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.

You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.

Examples

This example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses:

Switch # config terminal

Switch(config)# ip igmp profile 40

Switch(config-igmp-profile)# permit

Switch(config-igmp-profile)# range 233.1.1.1 233.255.255.255

You can verify your settings by using the show ip igmp profile privileged EXEC command.

Related Commands

Command	Description
ip igmp filter	Applies the IGMP profile to the specified interface.
show ip igmp profile	Displays the characteristics of all IGMP profiles or the specified IGMP profile number.

ip igmp snooping

Use the ip igmp snooping global configuration command to globally enable Internet Group Management Protocol (IGMP) snooping on the switch or to enable it on a per-VLAN basis. Use the no form of this command to return to the default setting.

ip igmp snooping [vlan vlan-id]

no ip igmp snooping [vlan vlan-id]

Syntax Description

vlan vlan-id

(Optional) Enable IGMP snooping on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.

Defaults

IGMP snooping is globally enabled on the switch.

IGMP snooping is enabled on VLAN interfaces.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

When IGMP snooping is enabled globally, it is enabled in all the existing VLAN interfaces. When IGMP snooping is globally disabled, it is disabled on all the existing VLAN interfaces.

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

Examples

This example shows how to globally enable IGMP snooping:

Switch(config)# ip igmp snooping

This example shows how to enable IGMP snooping on VLAN 1:

Switch(config)# ip igmp snooping vlan 1

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping mrouter	Displays the IGMP snooping router ports.
show ip igmp snooping querier	Displays the configuration and operation information for the IGMP querier configured on a switch.

ip igmp snooping last-member-query-interval

Use the ip igmp snooping last-member-query-interval global configuration command to enable the Internet Group Management Protocol (IGMP) configurable-leave timer globally or on a per-VLAN basis. Use the no form of this command to return to the default setting.

ip igmp snooping [vlan vlan-id] last-member-query-interval time

no ip igmp snooping [vlan vlan-id] last-member-query-interval

Syntax Description

vlan vlan-id	(Optional) Enable IGMP snooping and the leave timer on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.
time	Interval time out in seconds. The range is 100 to 5000 milliseconds.

t

Defaults

The default timeout setting is 1000 milliseconds.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEB	This command was introduced.

Usage Guidelines

When IGMP snooping is globally enabled, IGMP snooping is enabled on all the existing VLAN interfaces. When IGMP snooping is globally disabled, IGMP snooping is disabled on all the existing VLAN interfaces.

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

Configuring the leave timer on a VLAN overrides the global setting.

The IGMP configurable leave time is only supported on devices running IGMP Version 2.

The configuration is saved in NVRAM.

Examples

This example shows how to globally enable the IGMP leave timer for 2000 milliseconds:

Switch(config)# ip igmp snooping last-member-query-interval 2000

This example shows how to configure the IGMP leave timer for 3000 milliseconds on VLAN 1:

Switch(config)# ip igmp snooping vlan 1 last-member-query-interval 3000

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping	Enables IGMP snooping on the switch or on a VLAN.
ip igmp snooping vlan immediate-leave	Enables IGMP Immediate-Leave processing.
ip igmp snooping vlan mrouter	Configures a Layer 2 port as a multicast router port.
ip igmp snooping vlan static	Configures a Layer 2 port as a member of a group.
show ip igmp snooping	Displays the IGMP snooping configuration.

ip igmp snooping querier

Use the ip igmp snooping querier global configuration command to globally enable the Internet Group Management Protocol (IGMP) querier function in Layer 2 networks. Use the command with keywords to enable and configure the IGMP querier feature on a VLAN interface. Use the no form of this command to return to the default settings.

ip igmp snooping querier [vlan vlan-id] [address ip-address | max-response-time response-time | query-interval interval-count | tcn query [count count | interval interval] | timer expiry | version version]

no ip igmp snooping querier [vlan vlan-id] [address | max-response-time | query-interval | tcn query { count count | interval interval} | timer expiry | version]

Syntax Description

vlan vlan-id	(Optional) Enable IGMP snooping and the IGMP querier function on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.
address ip-address	(Optional) Specify a source IP address. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.
max-response-time response-time	(Optional) Set the maximum time to wait for an IGMP querier report. The range is 1 to 25 seconds.
query-interval interval-count	(Optional) Set the interval between IGMP queriers. The range is 1 to 18000 seconds.
tcn query [count count | interval interval]	(Optional) Set parameters related to Topology Change Notifications (TCNs). The keywords have these meanings: •count count—Set the number of TCN queries to be executed during the TCN interval time. The range is 1 to 10. •interval interval—Set the TCN query interval time. The range is 1 to 255.
timer expiry	(Optional) Set the length of time until the IGMP querier expires. The range is 60 to 300 seconds.
version version	(Optional) Select the IGMP version number that the querier feature uses. Select 1 or 2.

Defaults

The IGMP snooping querier feature is globally disabled on the switch.

When enabled, the IGMP snooping querier disables itself if it detects IGMP traffic from a multicast-enabled device.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

Use this command to enable IGMP snooping to detect the IGMP version and IP address of a device that sends IGMP query messages, which is also called a querier.

By default, the IGMP snooping querier is configured to detect devices that use IGMP Version 2 (IGMPv2) but does not detect clients that are using IGMP Version 1 (IGMPv1). You can manually configure the max-response-time value when devices use IGMPv2. You cannot configure the max-response-time when devices use IGMPv1. (The value cannot be configured and is set to zero).

Non-RFC compliant devices running IGMPv1 might reject IGMP general query messages that have a non-zero value as the max-response-time value. If you want the devices to accept the IGMP general query messages, configure the IGMP snooping querier to run IGMPv1.

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

Examples

This example shows how to globally enable the IGMP snooping querier feature:

Switch(config)# ip igmp snooping querier

This example shows how to set the IGMP snooping querier maximum response time to 25 seconds:

Switch(config)# ip igmp snooping querier max-response-time 25

This example shows how to set the IGMP snooping querier interval time to 60 seconds:

Switch(config)# ip igmp snooping querier query-interval 60

This example shows how to set the IGMP snooping querier TCN query count to 25:

Switch(config)# ip igmp snooping querier tcn count 25

This example shows how to set the IGMP snooping querier timeout to 60 seconds:

Switch(config)# ip igmp snooping querier timeout expiry 60

This example shows how to set the IGMP snooping querier feature to version 2:

Switch(config)# ip igmp snooping querier version 2

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the IGMP snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping mrouter	Displays the IGMP snooping router ports.

ip igmp snooping report-suppression

Use the ip igmp snooping report-suppression global configuration command to enable Internet Group Management Protocol (IGMP) report suppression. Use the no form of this command to disable IGMP report suppression and to forward all IGMP reports to multicast routers.

ip igmp snooping report-suppression

no ip igmp snooping report-suppression

Syntax Description

This command has no arguments or keywords.

Defaults

IGMP report suppression is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.

The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices. When IGMP router suppression is enabled (the default), the switch sends the first IGMP report from all hosts for a group to all the multicast routers. The switch does not send the remaining IGMP reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the multicast devices.

If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports, the switch forwards only the first IGMPv1 or IGMPv2 report from all hosts for a group to all the multicast routers. If the multicast router query also includes requests for IGMPv3 reports, the switch forwards all IGMPv1, IGMPv2, and IGMPv3 reports for a group to the multicast devices.

If you disable IGMP report suppression by entering the no ip igmp snooping report-suppression command, all IGMP reports are forwarded to all the multicast routers.

Examples

This example shows how to disable report suppression:

Switch(config)# no ip igmp snooping report-suppression

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping	Enables IGMP snooping on the switch or on a VLAN.
show ip igmp snooping	Displays the IGMP snooping configuration of the switch or the VLAN.

ip igmp snooping source-only-learning age-timer

Use the ip igmp snooping source-only-learning age-timer global configuration command to enable and configure the aging time of the forward-table entries that the switch learns by using the source-only learning method. Use the no form of this command to return to the default setting.

ip igmp snooping source-only-learning age-timer time

no ip igmp snooping source-only-learning age-timer

Syntax Description

time	Aging time is seconds. The range is 0 to 2880 seconds. If you set time to 0, aging of the forward-table entries is disabled.

Defaults

The aging feature is enabled. The default is 600 seconds (10 minutes).

Command Modes

Global configuration

Command History

Release	Modification
12.1(14)EA1	This command was introduced.

Usage Guidelines

In a source-only network, switch ports are connected to multicast source ports and multicast router ports. The switch ports are not connected to hosts that send IGMP join or leave messages.

The switch learns about IP multicast groups that alias with the reserved, destination, IP multicast addresses (in the range 224.0.0.xxx) from the IP multicast data stream by using the source-only learning method. The switch forwards traffic that aliases with these multicast addresses only to the multicast router ports. You cannot disable IP multicast-source-only learning for traffic that aliases with these multicast addresses.

The aging time only affects the forwarding-table entries that the switch learns by using the source-only learning method. If the aging time is too long or is disabled, the forwarding table is filled with unused multicast addresses that the switch learned by using source-only learning or by using the IGMP join messages. When the switch receives traffic for new IP multicast groups, it floods the packet to all ports in the same VLAN. This unnecessary flooding can impact switch performance.

To disable the aging of the forwarding-table entries, enter the ip igmp snooping source-only-learning age-timer 0 global configuration command. If aging is disabled and you want to delete multicast addresses that the switch learned by using source-only-learning, re-enable aging of the forwarding-table entries. The switch can now age out the multicast addresses that were learned by the source-only learning method and that are not in use.

Examples

This example shows how to set the aging time as 1200 seconds (20 minutes):

Switch(config)# ip igmp snooping source-only-learning age-timer 1200

This example shows how to disable aging of the forward-table entries:

Switch(config)# ip igmp snooping source-only-learning age-timer 0

You can verify your settings by entering the show running-config | include source-only-learning privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping	Enables IGMP snooping on the switch or on a VLAN.
show running-config | include source-only-learning	Displays the configuration information running on the switch. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

ip igmp snooping tcn

Use the ip igmp snooping tcn global configuration command to configure the Internet Group Management Protocol (IGMP) Topology Change Notification (TCN) behavior. Use the no form of this command to return to the default settings.

ip igmp snooping tcn {flood query count count | query solicit}

no ip igmp snooping tcn {flood query count | query solicit}

Syntax Description

flood query count count	Specify the number of IGMP general queries for which the multicast traffic is flooded. The range is 1 to 10.
query solicit	Send an IGMP leave message (global leave) to speed the process of recovering from the flood mode caused during a TCN event.

Defaults

The TCN flood query count is 2.

The TCN query solicitation is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEB	This command was introduced.

Usage Guidelines

Use ip igmp snooping tcn flood query count global configuration command to control the time that multicast traffic is flooded after a TCN event. If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command, the flooding stops after receiving one general query. If you set the count to 7, the flooding of multicast traffic due to the TCN event lasts until 7 general queries are received. Groups are relearned based on the general queries received during the TCN event.

Use the ip igmp snooping tcn query solicit global configuration command to enable the switch to send the global leave message whether or not it is the spanning-tree root and to speed the process of recovering from the flood mode caused during a TCN event.

Examples

This example shows how to specify 7 as the number of IGMP general queries for which the multicast traffic is flooded:

Switch(config)# no ip igmp snooping tcn flood query count 7

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping	Enables IGMP snooping on the switch or on a VLAN.
ip igmp snooping tcn flood	Specifies flooding on an interface as the IGMP snooping spanning-tree TCN behavior.
show ip igmp snooping	Displays the IGMP snooping configuration of the switch or the VLAN.

ip igmp snooping tcn flood

Use the ip igmp snooping tcn flood interface configuration command to specify multicast flooding as the Internet Group Management Protocol (IGMP) snooping spanning-tree Topology Change Notification (TCN) behavior. Use the no form of this command to disable the multicast flooding.

ip igmp snooping tcn flood

no ip igmp snooping tcn flood

Syntax Description

This command has no arguments or keywords.

Defaults

Multicast flooding is enabled on an interface during a spanning-tree TCN event.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEB	This command was introduced.

Usage Guidelines

When the switch receives a TCN, multicast traffic is flooded to all the ports until two general queries are received. If the switch has many ports with attached hosts that are subscribed to different multicast groups, the flooding might exceed the capacity of the link and cause packet loss.

You can change the flooding query count by using the ip igmp snooping tcn flood query count count global configuration command.

Examples

This example shows how to disable the multicast flooding on an interface:

Switch(config)# interface gigabitethernet0/2

Switch(config-if)# no ip igmp snooping tcn flood

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping	Enables IGMP snooping on the switch or on a VLAN.
ip igmp snooping tcn	Configures the IGMP TCN behavior on the switch.
show ip igmp snooping	Displays the IGMP snooping configuration of the switch or the VLAN.

ip igmp snooping vlan immediate-leave

Use the ip igmp snooping immediate-leave global configuration command to enable Internet Group Management Protocol (IGMP) snooping immediate-leave processing on a per-VLAN basis. Use the no form of this command to return to the default setting.

ip igmp snooping vlan vlan-id immediate-leave

no ip igmp snooping vlan vlan-id immediate-leave

Syntax Description

vlan-id

Enable IGMP snooping and the Immediate-Leave feature on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.

Defaults

IGMP immediate-leave processing is disabled.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

You should configure the Immediate- Leave feature only when there is a maximum of one receiver on every port in the VLAN. The configuration is saved in NVRAM.

The Immediate-Leave feature is supported only with IGMP Version 2 hosts.

Examples

This example shows how to enable IGMP immediate-leave processing on VLAN 1:

Switch(config)# ip igmp snooping vlan 1 immediate-leave

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping mrouter	Displays the IGMP snooping router ports.
show ip igmp snooping querier	Displays the configuration and operation information for the IGMP querier configured on a switch.

ip igmp snooping vlan mrouter

Use the ip igmp snooping mrouter global configuration command to add a multicast router port or to configure the multicast learning method. Use the no form of this command to return to the default settings.

ip igmp snooping vlan vlan-id mrouter {interface interface-id | learn {cgmp | pim-dvmrp}}

no ip igmp snooping vlan vlan-id mrouter {interface interface-id | learn {cgmp | pim-dvmrp}}

Syntax Description

vlan-id	Enable IGMP snooping, and add the port in the specified VLAN as the multicast router port. The range is 1 to 1001 and 1006 to 4094.
interface interface-id	Specify the next-hop interface to the multicast router. The keywords have these meanings: •fastethernet interface number—a Fast Ethernet IEEE 802.3 interface. •gigabitethernet interface number—a Gigabit Ethernet IEEE 802.a interface. •port-channel interface number—a channel interface. The range is 0 to 64.
learn {cgmp | pim-dvmrp}	Specify the multicast router learning method. The keywords have these meanings: •cgmp—Set the switch to learn multicast router ports by snooping on Cisco Group Management Protocol (CGMP) packets. •pim-dvmrp—Set the switch to learn multicast router ports by snooping on IGMP queries and Protocol-Independent Multicast-Distance Vector Multicast Routing Protocol (PIM-DVMRP) packets.

Defaults

By default, there are no multicast router ports.

The default learning method is pim-dvmrp—to snoop IGMP queries and PIM-DVMRP packets.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

The CGMP learn method is useful for reducing control traffic.

The configuration is saved in NVRAM.

Examples

This example shows how to configure an interface as a multicast router port:

Switch(config)# ip igmp snooping vlan 1 mrouter interface gigabitethernet0/2

This example shows how to specify the multicast router learning method as CGMP:

Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping mrouter	Displays the IGMP snooping router ports.
show ip igmp snooping querier	Displays the configuration and operation information for the IGMP querier configured on a switch.

ip igmp snooping vlan static

Use the ip igmp snooping static global configuration command to enable Internet Group Management Protocol (IGMP) snooping and to statically add a Layer 2 port as a member of a multicast group. Use the no form of this command to remove ports specified as members of a static multicast group.

ip igmp snooping vlan vlan-id static ip-address interface interface-id

no ip igmp snooping vlan vlan-id static ip-address interface interface-id

Syntax Description

vlan-id	Enable IGMP snooping on the specified VLAN. The range is 1 to 1001 and 1006 to 4094.
ip-address	Add a Layer 2 port as a member of a multicast group with the specified group IP address.
interface interface-id	Specify the interface of the member port. The keywords have these meanings: •fastethernet interface number—a Fast Ethernet IEEE 802.3 interface. •gigabitethernet interface number—a Gigabit Ethernet IEEE 802.a interface. •port-channel interface number—a channel interface. The range is 0 to 64.

Defaults

By default, there are no ports statically configured as members of a multicast group.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in IGMP snooping.

The configuration is saved in NVRAM.

Examples

This example shows how to statically configure a host on an interface:

Switch(config)# ip igmp snooping vlan 1 static 0100.5e02.0203 interface gigabitethernet0/1

Configuring port gigabitethernet0/1 on group 0100.5e02.0203

You can verify your settings by entering the show ip igmp snooping privileged EXEC command.

Related Commands

Command	Description
ip igmp snooping report-suppression	Enables IGMP report suppression.
show ip igmp snooping	Displays the snooping configuration.
show ip igmp snooping groups	Displays IGMP snooping multicast information.
show ip igmp snooping mrouter	Displays the IGMP snooping router ports.
show ip igmp snooping querier	Displays the configuration and operation information for the IGMP querier configured on a switch.

ip source binding

Use the ip source binding global configuration command to configure static IP source bindings on the switch. Use the no form of this command to delete static bindings.

ip source binding mac-address vlan vlan-id ip-address interface interface-id

no source binding mac-address vlan vlan-id ip-address interface interface-id

Syntax Description

mac-address	Specify a MAC address.
vlan vlan-id	Specify a VLAN number. The range is from 1 to 4094.
ip-address	Specify an IP address.
interface interface-id	Specify an interface on which to add or delete an IP source binding.

Defaults

No IP source bindings are configured.

Command Modes

Global configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

A static IP source binding entry has an IP address, its associated MAC address, and its associated VLAN number. The entry is based on the MAC address and the VLAN number. If you modify an entry by changing only the IP address, the switch updates the entry instead creating a new one.

Examples

This example shows how to add a static IP source binding:

Switch(config)# ip source binding 0001.1234.1234 vlan 1 172.20.50.5 interface 
gigabitethernet0/1 

This example shows how to add a static binding and then modify the IP address for it:

Switch(config)# ip source binding 0001.1357.0007 vlan 1 172.20.50.25 interface 
gigabitethernet0/1 

Switch(config)# ip source binding 0001.1357.0007 vlan 1 172.20.50.30 interface 
gigabitethernet0/1 

You can verify your settings by entering the show ip source binding privileged EXEC command.

Related Commands

Command	Description
ip verify source	Enables IP source guard on an interface.
show ip source binding	Displays the IP source bindings on the switch.
show ip verify source	Displays the IP source guard configuration on the switch or on a specific interface.

ip ssh

Use the ip ssh global configuration command to configure the switch to run Secure Shell (SSH) version 1 or SSH version 2. Use the no form of this command to return to the default setting.

ip ssh version [1 | 2]

no ip ssh version [1 | 2]

This command is available only when your switch is running the cryptographic (encrypted) software image.

Syntax Description

1	(Optional) Configure the switch to run SSH version 1 (SSHv1).
2	(Optional) Configure the switch to run SSH version 2 (SSHv1).

Defaults

The default version is the latest SSH version supported by the SSH client.

Command Modes

Global configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

If you do not enter this command or if you do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.

The switch supports an SSHv1 or an SSHv2 server. It also supports an SSHv1 client. For more information about the SSH server and the SSH client, see the software configuration guide for this release.

A Rivest, Shamir, and Adelman (RSA) key pair generated by an SSHv1 server can be used by an SSHv2 server and the reverse.

Examples

This example shows how to configure the switch to run SSH version 2:

Switch(config)# ip ssh version 2

You can verify your settings by entering the show ip ssh or show ssh privileged EXEC command.

Related Commands

Command	Description
show ip ssh	Displays if the SSH server is enabled and displays the version and configuration information for the SSH server. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Security Command Reference, Release 12.2 > Other Security Features > Secure Shell Commands.
show ssh	Displays the status of the SSH server. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Security Command Reference, Release 12.2 > Other Security Features > Secure Shell Commands.

ip verify source

Use the ip verify source interface configuration command to enable IP source guard on an interface. Use the no form of this command to disable IP source guard.

ip verify source [port-security]

no ip verify source

Syntax Description

port-security

(Optional) Enable IP source guard with IP and MAC address filtering. If you do not enter the port-security keyword, IP source guard with IP address filtering is enabled.

Defaults

IP source guard is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(25)SEA	This command was introduced.

Usage Guidelines

To enable IP source guard with source IP address filtering, use the ip verify source interface configuration command.

To enable IP source guard with source IP and MAC address filtering, use the ip verify source port-security interface configuration command.

Examples

This example shows how to enable IP source guard with source IP address filtering:

Switch(config-if)# ip verify source 

This example shows how to enable IP source guard with source IP and MAC address filtering:

Switch(config-if)# ip verify source port-security 

You can verify your settings by entering the show ip source binding privileged EXEC command.

Related Commands

Command	Description
ip source binding	Configures static bindings on the switch.
show ip verify source	Displays the IP source guard configuration on the switch or on a specific interface.

ip vrf (global configuration)

Use the ip-vrf global configuration command to configure a Virtual Private Network (VPN) routing/forwarding (VRF) routing table and to enter VRF configuration mode. Use the no form of this command to remove a VRF routing table and to return to global configuration mode.

ip vrf vrf-name

no ip vrf vrf-name

---

Note The switch supports multi-VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices. You must have the IP services image, formerly known as the enhanced multilayer image (EMI), installed on your switch to configure multi-VRF CE.

---

Syntax Description

vrf-name

Name assigned to a VRF.

Defaults

No VRFs are defined.

No import or export lists are associated with a VRF.

No route maps are associated with a VRF.

The maximum number of routes in a VRF is 8000 for Fast Ethernet switches and 12000 for Gigabit Ethernet switches.

Command Modes

Global configuration or router configuration

Command History

Release	Modification
12.1(11)EA1	This command was introduced.

Usage Guidelines

Entering the ip vrf command enables the VRF configuration mode. These configuration commands are available:

•default: set a command (description, export, import, maximum routes, route-target) to its default setting.

•description: describes the VRF (up to 80 characters).

•exit: exits VRF configuration mode and returns to global configuration mode.

•export map route-map: set a route-map to be used as an export route map for the VRF.

•import map route-map: set a route-map to be used as an import route map for the VRF.

•maximum routes limit {warn threshold | warn-only}: limit the maximum number of routes in a VRF to prevent a PE router from importing too many routes. The limits are from 1 to 4294967295; the threshold is a percentage of the limit, from 1 to 100.

•no: negate a command or return to its default setting.

•rd: specify Route Distinguisher as either an autonomous system-relative composed of an autonomous system (AS) number and an arbitrary number, or as an IP-address-relative composed of an IP address and an arbitrary number.

–16-bit AS number: 32-bit number (for example, 101:3)

–32-bit IP address: 16-bit number (for example, 192.168.122.15:1.)

•route-target {import | export | both} route-target-ext-community: specify Target VPN Extended Communities. You can specify the Target for export, import, or both.

To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.

Use an import route map when an application requires finer control over the routes imported into a VRF than that provided by the import and export extended communities configured for the importing and exporting VRF. The import map command associates a route map with the specified VRF. You can filter routes that are eligible for import into a VRF, based on the route target extended community attributes of the route, by using a route map. The route map might deny access to selected routes from a community that is on the import list.

If you set a maximum routes threshold, the switch rejects routes when the threshold limit is reached. If you enter warn-only, the switch creates a syslog error message when the maximum number of VRF routes exceeds the allowed limit, but additional routes are still allowed

A route distinguisher (RD) creates routing and forwarding tables and specifies the default route distinguisher for a VPN. A route distinguisher must be configured for a VRF to be functional. The RD is added to the beginning of the customer's IPv4 prefixes to change them into globally unique VPN-IPv4 prefixes.

The route target specifies a target VPN extended community. Like a route-distinguisher, an extended community is composed of either an autonomous system number and an arbitrary number or an IP address and an arbitrary number.

The ip vrf vrf-name command creates a VRF routing table and a Cisco Express Forwarding (CEF) forwarding table, both named vrf-name. Associated with these tables is the default route distinguisher value route-distinguisher.

Examples

This example shows how to create the VRF named vpn1, enter VRF configuration mode, and import a route map to the VRF:

Switch(config)# ip vrf vpn1

Switch(config-vrf)# rd 100:2

Switch(config-vrf)# route-target both 100:2

Switch(config-vrf)# route-target import 100:1

Related Commands

Command	Description
ip vrf (interface configuration)	Associate a VRF routing table or a route map with an interface.
show ip route vrf	Displays the IP routing table associated with a VRF. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.
show ip vrf	Displays display the set of defined VRFs and associated interfaces. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.

ip vrf (interface configuration)

Use the ip-vrf interface configuration command to associate a Virtual Private Network (VPN) routing/forwarding (VRF) routing table or a route map with an interface. Use the no form of this command to disassociate the VRF routing table or route map.

ip vrf {forwarding table-name | sitemap route-map-name}

no ip vrf {forwarding table-name | sitemap route-map-name}

---

Note The switch supports multi-VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices. You must have the IP services image, formerly known as the enhanced multilayer image (EMI), installed on your switch to configure multi-VRF CE.

---

Syntax Description

forwarding table-name	Specify a VRF forwarding table name for the interface.
sitemap route-map-name	Specify a VRF route-map for routes received from this site.

Defaults

The default for an interface is the global routing table.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(11)EA1	This command was introduced.

Usage Guidelines

Use the ip vrf forwarding command to associate an interface with a VRF. Executing this command on an interface removes the IP address. You must reconfigure the IP address.

Examples

This example shows how to link the VRF named vpn1 to an interface:

Switch(config)# interface fastethernet 0/1

Switch(config-if)# ip vrf forwarding vpn1

Related Commands

Command	Description
ip vrf (global configuration)	Configures a VRF routing table.
ip route vrf	Establishes static routes for a VRF. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.
show ip route vrf	Displays the IP routing table associated with a VRF. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.
show ip vrf	Displays display the set of defined VRFs and associated interfaces. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Switching Services Command Reference, Release 12.2.

l2protocol-tunnel

Use the l2protocol-tunnel interface configuration command to enable tunneling of Layer 2 protocols on an access or IEEE 802.1Q tunnel port or on a port channel. You can enable tunneling for Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. You can also enable point-to-point tunneling for Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), or UniDirectional Link Detection (UDLD) packets. Use the no form of this command to disable tunneling on the interface.

l2protocol-tunnel [cdp | stp | vtp] [point-to-point [pagp | lacp | udld]] | [shutdown-threshold
[cdp | stp | vtp] [point-to-point [pagp | lacp | udld]] value] | [drop-threshold [cdp | stp | vtp] [point-to-point [pagp | lacp | udld]]] value]

no l2protocol-tunnel [cdp | stp | vtp] [point-to-point [pagp | lacp | udld]] | [shutdown-threshold
[cdp | stp | vtp] [point-to-point [pagp | lacp | udld]]] | [drop-threshold [cdp | stp | vtp] [point-to-point [pagp | lacp | udld]]]

Syntax Description

l2protocol-tunnel	Enable point-to-multipoint tunneling of CDP, STP, and VTP packets.
cdp	(Optional) Enable tunneling of CDP, specify a shutdown threshold for CDP, or specify a drop threshold for CDP.
stp	(Optional) Enable tunneling of STP, specify a shutdown threshold for STP, or specify a drop threshold for STP.
vtp	(Optional) Enable tunneling or VTP, specify a shutdown threshold for VTP, or specify a drop threshold for VTP.
point-to-point	(Optional) Enable point-to point tunneling of PAgP, LACP, and UDLD packets.
pagp	(Optional) Enable point-to-point tunneling of PAgP, specify a shutdown threshold for PAgP, or specify a drop threshold for PAgP.
lacp	(Optional) Enable point-to-point tunneling of LACP, specify a shutdown threshold for LACP, or specify a drop threshold for LACP.
udld	(Optional) Enable point-to-point tunneling of UDLD, specify a shutdown threshold for UDLD, or specify a drop threshold for UDLD.
shutdown-threshold	(Optional) Set a shutdown threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface is shut down.
drop-threshold	(Optional) Set a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets.
value	Specify a threshold in packets per second to be received for encapsulation before the interface shuts down, or specify the threshold before the interface drops packets. The range is 1 to 4096. The default is no threshold.

Defaults

The default is that no Layer 2 protocol packets are tunneled.

The default is no shutdown threshold for the maximum number of Layer 2 protocol packets.

The default is no drop threshold for the maximum number of Layer 2 protocol packets.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(9)EA1	This command was introduced.
12.1(13)EA1	The drop-threshold keywords was added.
12.1(19)EA1	The point-to-point, pagp, lacp, and udld keywords were added.

Usage Guidelines

You must enter this command, with or without protocol types, to tunnel Layer 2 packets.

Layer 2 protocol tunneling across a service-provider network ensures that Layer 2 information is propagated across the network to all customer locations. When protocol tunneling is enabled, protocol packets are encapsulated with a well-known Cisco multicast address for transmission across the network. When the packets reach their destination, the well-known MAC address is replaced by the Layer 2 protocol MAC address.

You can enable Layer 2 protocol tunneling for CDP, STP, and VTP individually or for all three protocols.

In a service-provider network, you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by emulating a point-to-point network topology. When protocol tunneling is enabled on the service-provider switch for PAgP or LACP, remote customer switches receive the protocol data units (PDUs) and can negotiate automatic creation of EtherChannels.

To enable tunneling of PAgP, LACP, and UDLD packets, you must have a point-to-point network topology. To decrease the link-down detection time, you should also enable UDLD on the interface when you enable tunneling of PAgP or LACP packets.

You can enable point-to-point protocol tunneling for PAgP, LACP, and UDLD individually or for all three protocols.

---

Caution PAgP, LACP, and UDLD tunneling is only intended to emulate a point-to-point topology. An erroneous configuration that sends tunneled packets to many ports could lead to a network failure.

---

Enter the shutdown-threshold keyword to control the number of protocol packets per second that are received on an interface before it shuts down. When no protocol option is specified with the keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a drop threshold, the shutdown-threshold value must be greater than or equal to the drop-threshold value.

When the shutdown threshold is reached, the interface is error-disabled. If you enable error recovery by entering the errdisable recovery cause l2ptguard global configuration command, the interface retries the operation again when all the causes have timed out. If the error recovery mechanism is not enabled for l2ptguard, the interface stays in the error-disabled state until you enter the shutdown and no shutdown interface configuration commands.

Enter the drop-threshold keyword to control the number of protocol packets per second that are received on an interface before it drops packets. When no protocol option is specified with a keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a shutdown threshold, the drop-threshold value must be less than or equal to the shutdown-threshold value.

When the drop threshold is reached, the interface drops Layer 2 protocol packets until the rate at which they are received is below the drop threshold.

The configuration is saved in NVRAM.

---

Note For more information about Layer 2 protocol tunneling, see the software configuration guide for this release.

---

Examples

This example shows how to enable protocol tunneling for CDP packets and to set the shutdown threshold to 50 packets per second:

Switch(config-if)# l2protocol-tunnel cdp

Switch(config-if)# l2protocol-tunnel shutdown-threshold cdp 50

This example shows how to enable protocol tunneling for STP packets and to set the drop threshold to 400 packets per second:

Switch(config-if)# l2protocol-tunnel stp

Switch(config-if)# l2protocol-tunnel drop-threshold stp 400

This example shows how to enable point-to-point protocol tunneling for PAgP and UDLD packets and to set the PAgP drop threshold to 1000 packets per second:

Switch(config-if)# l2protocol-tunnel point-to-point pagp

Switch(config-if)# l2protocol-tunnel point-to-point udld

Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000

Related Commands

Command	Description
l2protocol-tunnel cos	Configures a class of service (CoS) value for all tunneled Layer 2 protocol packets.
show errdisable recovery	Displays error-disabled recovery timer information.
show l2protocol-tunnel	Displays information about ports configured for Layer 2 protocol tunneling, including port, protocol, class of service (CoS), and thresholds.

l2protocol-tunnel cos

Use the l2protocol-tunnel cos global configuration command to configure class of service (CoS) value for all tunneled Layer 2 protocol packets. Use the no form of this command to return to the default setting.

l2protocol-tunnel cos value

no l2protocol-tunnel cos

Syntax Description

value

Specify CoS priority value for tunneled Layer 2 protocol packets. The range is 0 to 7, with 7 being the highest priority.

Defaults

If a CoS value is configured for data packets for the interface, the default is to use this CoS value for tunneled Layer 2 protocol packets. If no CoS value is configured for the interface, the default is 5.

Command Modes

Global configuration

Command History

Release	Modification
12.1(9)EA1	This command was introduced.

Usage Guidelines

When enabled, the tunneled Layer 2 protocol packets use this CoS value.

The value is saved in NVRAM.

Examples

This example shows how to configure a Layer-2 protocol-tunnel CoS value of 7:

Switch(config)# l2protocol-tunnel cos 7

Related Commands

Command	Description
show l2protocol-tunnel	Displays information about ports configured for Layer 2 protocol tunneling, including CoS.

lacp port-priority

Use the lacp port-priority interface configuration command to set the port priority for the Link Aggregation Control Protocol (LACP). Use the no form of this command to return to the default setting.

lacp port-priority priority-value

no lacp port-priority

Syntax Description

priority-value

Port priority for LACP. The range is 1 to 65535.

Defaults

The default priority value is 32768.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(12c)EA1	This command was introduced.

Usage Guidelines

This command only takes effect on EtherChannel interfaces that are already configured for LACP.

The lacp port-priority interface configuration command determines which ports are bundled and which ports are put in hot-standby mode when there are more than eight ports in an LACP channel group.

An LACP channel group can have up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode.

In port-priority comparisons, a numerically lower value has a higher priority: When there are more than eight ports in an LACP channel-group, the eight ports with the numerically lowest values (highest priority values) for LACP port priority are bundled into the channel group, and the lower-priority ports are put in hot-standby mode. If two or more ports have the same LACP port priority (for example, they are configured with the default setting of 65535) an internal value for the port number determines the priority.

---

Note The LACP port priorities are only effective if the ports are on the switch that controls the LACP link. See the lacp system-priority global configuration command for determining which switch controls the link.

---

Use the show lacp internal privileged EXEC command to display LACP port priorities and internal port number values.

For more information about configuring LACP on physical interfaces, see the "Configuring EtherChannels" chapter in the software configuration guide for this release.

Examples

This example shows set the port priority for LACP:

Switch(config)# lacp port-priority 32764

You can verify your settings by entering the show etherchannel privileged EXEC command.

Related Commands

Command	Description
lacp system-priority	Globally sets the LACP priority.

lacp system-priority

Use the lacp system-priority global configuration command to set the system priority for Link Aggregation Control Protocol (LACP). Use the no form of this command to return to the default setting.

lacp system-priority priority-value

no lacp system-priority

Syntax Description

priority-value

System priority for LACP. The range is 1 to 65535.

Defaults

The default priority value is 32768.

Command Modes

Global configuration

Command History

Release	Modification
12.1(12c)EA1	This command was introduced.

Usage Guidelines

The lacp system-priority command determines which switch in an LACP link controls port priorities.

An LACP channel group can have up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode. When there are more than eight ports in an LACP channel-group, the switch on the controlling end of the link uses port priorities to determine which ports are bundled into the channel and which ports are put in hot-standby mode. Port priorities on the other switch (the noncontrolling end of the link) are ignored.

In priority comparisons, numerically lower values have higher priority. Therefore, the system with the numerically lower value (higher priority value) for LACP system priority becomes the controlling system. If both switches have the same LACP system priority (for example, they are both configured with the default setting of 32768), the LACP system ID (the switch MAC address) determines which switch is in control.

The lacp system-priority command applies to all LACP EtherChannels on the switch.

Use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag in the output display).

For more information about configuring LACP on physical interfaces, see the "Configuring EtherChannels" chapter in the software configuration guide for this release.

Examples

This example shows how to set the system priority for LACP:

Switch(config)# lacp system-priority 32764

You can verify your settings by entering the show lacp internal privileged EXEC command.

Related Commands

Command	Description
lacp port-priority	Sets the LACP priority for a specific port.

logging event

Use the logging event interface configuration command to enable notification of interface link status changes. Use the no form of this command to disable notification.

logging event {bundle-status | link-status | spanning-tree | status | trunk status}

no logging event {bundle-status | link-status | spanning-tree | status | trunk status}

Syntax Description

bundle-status	Enable notification of BUNDLE and UNBUNDLE messages.
link-status	Enable notification of interface data link status changes.
spanning-tree	Enable notification of spanning-tree events.
status	Enable notification of spanning-tree state change messages.
trunk-status	Enable notification of trunk-status messages.

Defaults

Event logging is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
12.2(20)SE	This command was introduced.

logging file

Use the logging file global configuration command to set logging file parameters. Use the no form of this command to return to the default setting.

logging file flash:filename [max-file-size] [min-file-size] [severity-level-number | type]

no logging file flash:filename [severity-level-number | type]

Syntax Description

flash:filename	The path and name of the file that contains the log messages.
max-file-size	(Optional) Specify the maximum logging file size. The range is 4096 to 2147483647.
min-file-size	(Optional) Specify the minimum logging file size. The range is 1024 to 2147483647.
severity-level-number	(Optional) Specify the logging severity level. The range is 0 to 7. See the type option for the meaning of each level.
type	(Optional) Specify the logging type. These keywords are valid: •emergencies—System is unusable (severity 0). •alerts—Immediate action needed (severity 1). •critical—Critical conditions (severity 2). •errors—Error conditions (severity 3). •warnings—Warning conditions (severity 4). •notifications—Normal but significant messages (severity 5). •information—Information messages (severity 6). •debugging—Debugging messages (severity 7).

Defaults

The minimum file size is 2048 bytes; the maximum file size is 4096 bytes.

The default severity level is 7 (debugging messages and numerically lower levels).

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

The log file is stored in ASCII text format. You can use the more privileged EXEC command to display its contents.

The command rejects the minimum file size if it is greater than the maximum file size minus 1024; the minimum file size then becomes the maximum file size minus 1024.

Specifying a level causes messages at that level and numerically lower levels to be displayed.

Examples

This example shows how to save informational log messages to a file in flash memory:

Switch(config)# logging file flash:logfile informational

You can verify your setting by entering the show running-config privileged EXEC command.

Related Commands

Command	Description
show running-config	Displays the running configuration on the switch. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

mac access-group

Use the mac access-group interface configuration command to apply a MAC access control list (ACL) to a Layer 2 interface. Use the no form of this command to remove all MAC ACLs or the specified ACL from the interface. You create the MAC ACL by using the mac access-list extended global configuration command.

mac access-group {name} in

no mac access-group [name]

Syntax Description

name	Specify a named MAC access list.
in	Specify that the ACL is applied in the ingress direction. Outbound ACLs are not supported on Layer 2 interfaces.

Defaults

No MAC ACL is applied to the interface.

Command Modes

Interface configuration (Layer 2 interfaces only)

Command History

Release	Modification
12.1(9)EA1	This command was introduced.

Usage Guidelines

You can apply MAC ACLs only to ingress Layer 2 interfaces. You cannot apply MAC ACLs to Layer 3 interfaces.

On Layer 2 interfaces, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC access lists. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP ACL and a MAC ACL to the interface.

You cannot apply more than one MAC ACL to a Layer 2 interface. If a MAC ACL is already configured on a Layer 2 interface and you apply a new MAC ACL to the interface, the new ACL replaces the previously configured one.

You cannot apply a MAC ACL (or IP ACL) to a Layer 2 interface on a switch that has an input Layer 3 ACL or a VLAN map applied to it. If a switch has a MAC ACL or IP ACL applied to a Layer 2 interface, you cannot apply an IP ACL to an input Layer 3 interface on that switch, and you cannot apply a VLAN map to any of the switch VLANs.

When an inbound packet is received on an interface with a MAC ACL applied, the switch checks the match conditions in the ACL. If the conditions are matched, the switch forwards or drops the packet, according to the ACL action.

If the specified ACL does not exist, the switch forwards all packets.

---

Note For more information about configuring MAC extended ACLs, see the "Configuring Network Security with ACLs" chapter in the software configuration guide for this release.

---

Examples

This example shows how to apply a MAC extended ACL named macacl2 to an interface:

Switch(config)# interface fastethernet0/1

Switch(config-if)# mac access-group macacl2 in

You can verify your settings by entering the show mac access-group privileged EXEC command. You can view configured ACLs on the switch by entering the show access-lists privileged EXEC command.

Related Commands

Command	Description
show access-lists	Displays the ACLs configured on the switch.
show mac access-group	Displays the MAC ACLs configured on the switch.
show running-config	Displays the running configuration on the switch. For syntax information, select Cisco IOS Release 12.2 Configuration Guides and Command References > Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 > File Management Commands > Configuration File Management Commands.

mac access-list extended

Use the mac access-list extended global configuration command to create an access list based on MAC addresses for non-IP traffic. Using this command puts you in the extended MAC access list configuration mode. Use the no form of this command to return to the default setting.

mac access-list extended name

no mac access-list extended name

Syntax Description

name	Assign a name to the MAC extended access list.

Defaults

By default, there are no MAC access lists created.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.

Usage Guidelines

MAC named extended lists are used with VLAN maps and class maps.

You should use this command (and not the access-list global configuration command) for defining Layer 2 access lists.

Entering the mac access-list extended command enables the MAC-access list configuration mode. These configuration commands are available:

•default: sets a command to its default.

•deny: specifies packets to reject. For more information, see the deny MAC-access list configuration command.

•exit: exits from MAC-access list configuration mode.

•no: negates a command or sets its defaults.

•permit: specifies packets to forward. For more information, see the permit command.

---

Note For more information about MAC extended access lists, see the software configuration guide for this release.

---

Examples

This example shows how to create a MAC named extended access list named mac1 and to enter extended MAC access list configuration mode:

Switch(config)# mac access-list extended mac1

Switch(config-ext-macl)#

This example shows how to delete MAC named extended access list mac1:

Switch(config)# no mac access-list extended mac1

You can verify your settings by entering the show access-lists privileged EXEC command.

Related Commands

Command	Description
deny permit	Configures the MAC ACL (in extended MAC-access list configuration mode).
show access-lists	Displays the access lists configured on the switch.
vlan access-map	Defines a VLAN map and enters access-map configuration mode where you can specify a MAC ACL to match and the action to be taken.

mac address-table aging-time

Use the mac address-table aging-time global configuration command to set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. Use the no form of this command to return to the default setting. The aging time applies to all VLANs or a specified VLAN.

mac address-table aging-time {0 | 10-1000000} [vlan vlan-id]

no mac address-table aging-time {0 | 10-1000000} [vlan vlan-id]

---

Note Beginning with Cisco IOS Release 12.1(11)EA1, the mac address-table aging-time command replaces the mac-address-table aging-time command (with the hyphen).

---

Syntax Description

0	Aging is disabled. Static address entries are never aged or removed from the table.
10-100000	Aging time in seconds. The range is 10 to 1000000 seconds.
vlan vlan-id	(Optional) Specify the VLAN ID to which to apply the aging time. The range is 1 to 4094.

Defaults

The default is 300 seconds.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.
12.1(11)EA1	The mac-address-table aging-time command was replaced by the mac address-table aging-time command.

Usage Guidelines

If hosts do not send continuously, increase the aging time to record the dynamic entries for a longer time. Increasing the time can reduce the possibility of flooding when the hosts send again.

Examples

This example shows how to set the aging time to 200 seconds for all VLANs:

Switch(config)# mac address-table aging-time 200

You can verify your setting by entering the show mac address-table aging-time privileged EXEC command.

Related Commands

Command	Description
show mac address-table aging-time	Displays the MAC address table aging time for all VLANs or the specified VLAN.

mac address-table notification

Use the mac address-table notification global configuration command to enable the MAC address notification feature on the switch. Use the no form of this command to return to the default setting.

mac address-table notification [history-size value] | [interval value]

no mac address-table notification [history-size | interval]

---

Note Beginning with Cisco IOS Release 12.1(11)EA1, the mac address-table notification command replaces the mac-address-table notification command (with the hyphen).

---

Syntax Description

history-size value	(Optional) Configure the maximum number of entries in the MAC notification history table. The range is 1 to 500 entries.
interval value	(Optional) Set the notification trap interval. The switch sends the notification traps when this amount of time has elapsed. The range is 0 to 2147483647 seconds.

Defaults

By default, the MAC address notification feature is disabled.

The default trap interval value is 1 second.

The default number of entries in the history table is 1.

Command Modes

Global configuration

Command History

Release	Modification
12.1(8)EA1	This command was introduced.
12.1(11)EA1	The mac-address-table notification command was replaced by the mac address-table notification command.

Usage Guidelines

The MAC address notification feature sends Simple Network Management Protocol (SNMP) traps to the network management system (NMS) whenever a new MAC address is added or an old address is deleted from the forwarding tables. MAC notifications are generated only for dynamic and secure MAC addresses. Events are not generated for self addresses, multicast addresses, or other static addresses.

When you configure the history-size option, the existing MAC address history table is deleted, and a new table is created.

You enable the MAC address notification feature by using the mac address-table notification command. You must also enable MAC address notification traps on an interface by using the snmp trap mac-notification interface configuration command and configure the switch to send MAC address traps to the NMS by using the snmp-server enable traps mac-notification global configuration command.

Examples

This example shows how to enable the MAC address-table notification feature, set the interval time to 60 seconds, and set the history-size to 100 entries:

Switch(config)# mac address-table notification

Switch(config)# mac address-table notification interval 60 

Switch(config)# mac address-table notification history-size 100

You can verify your settings by entering the show mac address-table notification privileged EXEC command.

Related Commands

Command	Description
clear mac address-table notification	Clears the MAC address notification global counters.
show mac address-table notification	Displays the MAC address notification settings on all interfaces or on the specified interface.
snmp-server enable traps	Sends the SNMP MAC notification traps when the mac-notification keyword is appended.
snmp trap mac-notification	Enables the SNMP MAC notification trap on a specific interface.

mac address-table static

Use the mac address-table static global configuration command to add static addresses to the MAC address table. Use the no form of this command to remove static entries from the table.

mac address-table static mac-addr vlan vlan-id interface interface-id

no mac address-table static mac-addr vlan vlan-id [interface interface-id]

---

Note Beginning with Cisco IOS Release 12.1(11)EA1, the mac address-table static command replaces the mac-address-table static command (with the hyphen).

---

Syntax Description

mac-addr	Destination MAC address (unicast or multicast) to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
vlan vlan-id	Specify the VLAN for which the packet with the specified MAC address is received. The range is 1 to 4094.
interface interface-id	Interface to which the received packet is forwarded. Valid interfaces include physical ports and port channels.

Defaults

No static addresses are configured.

Command Modes

Global configuration

Command History

Release	Modification
12.1(4)EA1	This command was introduced.
12.1(11)EA1	The mac-address-table static command was replaced by the mac address-table static command.

Examples

This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination, the packet is forwarded to the specified interface:

Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface 
gigabitethernet0/1

You can verify your setting by entering the show mac address-table privileged EXEC command.

Related Commands

Command	Description
show mac address-table static	Displays static MAC address table entries only.

mac address-table static drop

Use the mac address-table static drop global configuration command to enable unicast MAC address filtering and to configure the switch to drop traffic with a specific source or destination MAC address. Use the no form of this command to return to the default setting.

mac address-table static mac-addr vlan vlan-id drop

no mac address-table static mac-addr vlan vlan-id

Syntax Description

mac-addr	Unicast source or destination MAC address. Packets with this MAC address are dropped.
vlan vlan-id	Specify the VLAN for which the packet with the specified MAC address is received. The range is 1 to 4094.

Defaults

Unicast MAC address filtering is disabled. The switch does not drop traffic for specific source or destination MAC addresses.

Command Modes

Global configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

Follow these guidelines when using this feature:

•Multicast MAC addresses, broadcast MAC addresses, and router MAC addresses are not supported. Packets that are forwarded to the CPU are also not supported.

•If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command.

For example, if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command, the switch drops packets with the specified MAC address as a source or destination.

If you enter the mac address-table static mac-addr vlan vlan-id drop global configuration command followed by the mac address-table static mac-addr vlan vlan-id interface interface-id command, the switch adds the MAC address as a static address.

Examples

This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:

Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop

This example shows how to disable unicast MAC address filtering:

Switch(config)# no mac address-table static c2f3.220a.12f4 vlan 4 

You can verify your setting by entering the show mac address-table static privileged EXEC command.

Related Commands

Command	Description
show mac address-table static	Displays only static MAC address table entries.

macro apply

Use the macro apply interface configuration command to apply a macro to an interface or to apply and trace a macro configuration on an interface.

macro {apply | trace} macro-name [parameter {value}] [parameter {value}]
[parameter {value}]

Syntax Description

apply	Apply a macro to the specified interface.
trace	Use the trace keyword to apply a macro to an interface and to debug the macro.
macro-name	Specify the name of the macro.
parameter value	(Optional) Specify unique parameter values that are specific to the interface. You can enter up to three keyword-value pairs. Parameter keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value.

Defaults

This command has no default setting.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.
12.1(20)EA1	The parameter value keywords were added.

Usage Guidelines

You can use the macro trace macro-name interface configuration command to apply and show the macros running on an interface or to debug the macro to find any syntax or configuration errors.

If a command fails because of a syntax error or a configuration error when you apply a macro, the macro continues to apply the remaining commands to the interface.

When creating a macro that requires the assignment of unique values, use the parameter value keywords to designate values specific to the interface.

Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.

Some macros might contain keywords that require a parameter value. You can use the macro apply macro-name ? command to view a list of any required values in the macro. If you apply a macro without entering the keyword values, the commands are invalid and are not applied.

There are Cisco-default Smartports macros embedded in the switch software. You can display these macros and the commands they contain by using the show parser macro user EXEC command.

Follow these guidelines when you apply a Cisco-default Smartports macro on an interface:

•Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro name macro-name user EXEC command.

•Keywords that begin with $ mean that a unique parameter value is required. Append the Cisco-default macro with the required values by using the parameter value keywords.

The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.

When you apply a macro to an interface, the macro name is automatically added to the interface. You can display the applied commands and macro names by using the show running-configuration interface interface-id user EXEC command.

A macro applied to an interface range behaves the same way as a macro applied to a single interface. When you use an interface range, the macro is applied sequentially to each interface within the range. If a macro command fails on one interface, it is still applied to the remaining interfaces.

You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.

Examples

After you have created a macro by using the macro name global configuration command, you can apply it to an interface. This example shows how to apply a user-created macro called duplex to an interface:

Switch(config-if)# macro apply duplex

To debug a macro, use the macro trace interface configuration command to find any syntax or configuration errors in the macro as it is applied to an interface. This example shows how troubleshoot the user-created macro called duplex on an interface:

Switch(config-if)# macro trace duplex

Applying command...`duplex auto'

%Error Unknown error.

Applying command...`speed nonegotiate'

This example shows how to display the Cisco-default cisco-desktop macro and how to apply the macro and set the access VLAN ID to 25 on an interface:

Switch# show parser macro cisco-desktop

--------------------------------------------------------------

Macro name : cisco-desktop

Macro type : default

# Basic interface - Enable data VLAN only

# Recommended value for access vlan (AVID) should not be 1

switchport access vlan $AVID

switchport mode access

# Enable port security limiting port to a single

# MAC address -- that of desktop

switchport port-security

switchport port-security maximum 1

# Ensure port-security age is greater than one minute

# and use inactivity timer

switchport port-security violation restrict

switchport port-security aging time 2

switchport port-security aging type inactivity

# Configure port as an edge network port

spanning-tree portfast

spanning-tree bpduguard enable

--------------------------------------------------------------

Switch#

Switch# configure terminal

Switch(config)# interface fastethernet0/4

Switch(config-if)# macro apply cisco-desktop $AVID 25

Related Commands

Command	Description
macro description	Adds a description about the macros that are applied to an interface.
macro global	Applies a macro on a switch or applies and traces a macro on a switch.
macro global description	Adds a description about the macros that are applied to the switch.
macro name	Creates a macro.
show parser macro	Displays the macro definition for all macros or for the specified macro.

macro description

Use the macro description interface configuration command to enter a description about which macros are applied to an interface. Use the no form of this command to remove the description.

macro description text

no macro description text

Syntax Description

description text

Enter a description about the macros that are applied to the specified interface.

Defaults

This command has no default setting.

Command Modes

Interface configuration

Command History

Release	Modification
12.1(19)EA1	This command was introduced.

Usage Guidelines

Use the description keyword to associate comment text, or the macro name, with an interface. When multiple macros are applied on a single interface, the description text will be from the last applied macro.

This example shows how to add a description to an interface:

Switch(config-if)# macro description duplex settings

You can verify your settings by entering the show parser macro description privileged EXEC command.

Related Commands

Command	Description
macro apply	Applies a macro on an interface or applies and traces a macro on an interface.
macro global	Applies a macro on a switch or applies and traces a macro on a switch
macro global description	Adds a description about the macros that are applied to the switch.
macro name	Creates a macro.
show parser macro	Displays the macro definition for all macros or for the specified macro.

macro global

Use the macro global global configuration command to apply a macro to a switch or to apply and trace a macro configuration on a switch.

macro global {apply | trace} macro-name [parameter {value}] [parameter {value}]
[parameter {value}]

Syntax Description

apply	Apply a macro to the switch.
trace	Use the trace keyword to apply a macro to a switch and to debug the macro.
macro-name	Specify the name of the macro.
parameter value	(Optional) Specify unique parameter values that are specific to the switch. You can enter up to three keyword-value pairs. Parameter keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value.

Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release	Modification
12.1(20)EA2	This command was introduced.

Usage Guidelines