-
Catalyst 3560 Switch Command Reference, Rel. 12.2(50)SE
-
Index
-
Preface
-
Using the Command Line Interface
-
Catalyst 3560 Switch Cisco IOS Commands - aaa accounting through reserved-only
-
Catalyst 3560 Switch Cisco IOS Commands - rmon collection through show vtp
-
Catalyst 3560 Switch Cisco IOS Commands - shutdown through vtp
-
Catalyst 3560 Switch Bootloader Commands
-
Catalyst 3560 Switch Debug Commands
-
Acknowledgments for Open-Source Software
-
Catalyst 3560 Switch Show Platform Commands
-
Table Of Contents
Catalyst 3560 Switch Cisco IOS Commands
authentication control-direction
clear ip arp inspection statistics
clear l2protocol-tunnel counters
clear mac address-table move update
clear spanning-tree detected-protocols
deny (ARP access-list configuration)
deny (IPv6 access-list configuration)
deny (MAC access-list configuration)
dot1x credentials (global configuration)
dot1x critical (global configuration)
dot1x critical (interface configuration)
energywise (global configuration)
energywise (interface configuration)
errdisable detect cause small-frame
errdisable recovery cause small-frame
ip arp inspection vlan logging
ip dhcp snooping information option
ip dhcp snooping information option allow-untrusted
ip dhcp snooping information option format remote-id
ip dhcp snooping vlan information option format-type circuit-id string
ip igmp snooping last-member-query-interval
ip igmp snooping report-suppression
ip igmp snooping vlan immediate-leave
ip sticky-arp (global configuration)
ip sticky-arp (interface configuration)
ipv6 dhcp client request vendor
ipv6 mld snooping last-listener-query-count
ipv6 mld snooping last-listener-query-interval
ipv6 mld snooping listener-message-suppression
ipv6 mld snooping robustness-variable
location (global configuration)
location (interface configuration)
logging event power-inline-status
mac address-table learning vlan
mac address-table notification
match (access-map configuration)
match (class-map configuration)
mls qos queue-set output buffers
mls qos queue-set output threshold
mls qos srr-queue input bandwidth
mls qos srr-queue input buffers
mls qos srr-queue input cos-map
mls qos srr-queue input dscp-map
mls qos srr-queue input priority-queue
mls qos srr-queue input threshold
mls qos srr-queue output cos-map
mls qos srr-queue output dscp-map
network-policy profile (global configuration)
network-policy profile (network-policy configuration)
permit (ARP access-list configuration)
permit (IPv6 access-list configuration)
permit (MAC access-list configuration)
renew ip dhcp snooping database
Catalyst 3560 Switch Cisco IOS Commands
aaa accounting dot1x
Use the aaa accounting dot1x global configuration command to enable authentication, authorization, and accounting (AAA) accounting and to create method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions. Use the no form of this command to disable IEEE 802.1x accounting.
aaa accounting dot1x {name | default} start-stop {broadcast group {name | radius | tacacs+} [group {name | radius | tacacs+}...] | group {name | radius | tacacs+} [group {name | radius | tacacs+}...]}
no aaa accounting dot1x {name | default}
Syntax Description
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command requires access to a RADIUS server.
We recommend that you enter the dot1x reauthentication interface configuration command before configuring IEEE 802.1x RADIUS accounting on an interface.
Examples
This example shows how to configure IEEE 802.1x accounting:
Switch(config)# aaa new-modelSwitch(config)# aaa accounting dot1x default start-stop group radius
Note
The RADIUS authentication server must be properly configured to accept and log update or watchdog packets from the AAA client.
Related Commands
Specifies one or more AAA methods for use on interfaces running IEEE 802.1x.
aaa new-model
Enables the AAA access control model. For syntax information, see the Cisco IOS Security Command Reference, Release 12.2 > Authentication, Authorization, and Accounting > Authentication Commands.
Enables or disables periodic reauthentication.
dot1x timeout reauth-period
Sets the number of seconds between re-authentication attempts.
aaa authentication dot1x
Use the aaa authentication dot1x global configuration command to specify the authentication, authorization, and accounting (AAA) method to use on ports complying with the IEEE 802.1x authentication. Use the no form of this command to disable authentication.
aaa authentication dot1x {default} method1
no aaa authentication dot1x {default}
Syntax Description
Note
Defaults
No authentication is performed.
Command Modes
Global configuration
Command History
Usage Guidelines
The method argument identifies the method that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly IEEE 802.1x-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server.
If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command.
Use the show running-config privileged EXEC command to display the configured lists of authentication methods.
Examples
This example shows how to enable AAA and how to create an IEEE 802.1x-compliant authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is not allowed access to the network.
Switch(config)# aaa new-modelSwitch(config)# aaa authentication dot1x default group radiusYou can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
aaa authorization network
Use the aaa authorization network global configuration command to the configure the switch to use user-RADIUS authorization for all network-related service requests, such as IEEE 802.1x per-user access control lists (ACLs) or VLAN assignment. Use the no form of this command to disable RADIUS user authorization.
aaa authorization network default group radius
no aaa authorization network default
Syntax Description
default group radius
Use the list of all RADIUS hosts in the server group as the default authorization list.
Defaults
Authorization is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa authorization network default group radius global configuration command to allow the switch to download IEEE 802.1x authorization parameters from the RADIUS servers in the default authorization list. The authorization parameters are used by features such as per-user ACLs or VLAN assignment to get parameters from the RADIUS servers.
Use the show running-config privileged EXEC command to display the configured lists of authorization methods.
Examples
This example shows how to configure the switch for user RADIUS authorization for all network-related service requests:
Switch(config)# aaa authorization network default group radiusYou can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
action
Use the action access-map configuration commandto set the action for the VLAN access map entry. Use the no form of this command to return to the default setting.
action {drop | forward}
no action
Syntax Description
drop
Drop the packet when the specified conditions are matched.
forward
Forward the packet when the specified conditions are matched.
Defaults
The default action is to forward packets.
Command Modes
Access-map configuration
Command History
Usage Guidelines
You enter access-map configuration mode by using the vlan access-map global configuration command.
If the action is drop, you should define the access map, including configuring any access control list (ACL) names in match clauses, before applying the map to a VLAN, or all packets could be dropped.
In access-map configuration mode, use the match access-map configuration command to define the match conditions for a VLAN map. Use the action command to set the action that occurs when a packet matches the conditions.
The drop and forward parameters are not used in the no form of the command.
Examples
This example shows how to identify and apply a VLAN access map vmap4 to VLANs 5 and 6 that causes the VLAN to forward an IP packet if the packet matches the conditions defined in access list al2:
Switch(config)# vlan access-map vmap4Switch(config-access-map)# match ip address al2Switch(config-access-map)# action forwardSwitch(config-access-map)# exitSwitch(config)# vlan filter vmap4 vlan-list 5-6You can verify your settings by entering the show vlan access-map privileged EXEC command.
Related Commands
archive download-sw
Use the archive download-sw privileged EXEC command to download a new image from a TFTP server to the switch and to overwrite or keep the existing image.
archive download-sw {/allow-feature-upgrade | /directory | /force-reload | /imageonly | /leave-old-sw | /no-set-boot | no-version-check | /overwrite | /reload | /safe} source-url
Syntax Description
Defaults
The current software image is not overwritten with the downloaded image.
Both the software image and HTML files are downloaded.
The new image is downloaded to the flash: file system.
The BOOT environment variable is changed to point to the new software image on the flash: file system.
Image names are case sensitive; the image file is provided in tar format.
Command Modes
Privileged EXEC
Command History
12.1(19)EA1
This command was introduced.
12.2(20)SE
The http and https keywords were added.
12.2(35)SE
The allow-feature-upgrade and directory keywords were added.
Usage Guidelines
Use the /allow-feature-upgrade option to allow installation of an image with a different feature set, for example, upgrading from the IP base image to the IP services image.
Beginning with Cisco IOS release 12.2(35)SE, you can use the archive download-sw /directory command to specify a directory one time The /imageonly option removes the HTML files for the existing image if the existing image is being removed or replaced. Only the Cisco IOS image (without the HTML files) is downloaded.
Using the /safe or /leave-old-sw option can cause the new image download to fail if there is insufficient flash memory. If leaving the software in place prevents the new image from fitting in flash memory due to space constraints, an error results.
If you used the /leave-old-sw option and did not overwrite the old image when you downloaded the new one, you can remove the old image by using the delete privileged EXEC command. For more information, see the "delete" section.
Use the /overwrite option to overwrite the image on the flash device with the downloaded one.
If you specify the command without the /overwrite option, the download algorithm verifies that the new image is not the same as the one on the switch flash device. If the images are the same, the download does not occur. If the images are different, the old image is deleted, and the new one is downloaded.
After downloading a new image, enter the reload privileged EXEC command to begin using the new image, or specify the /reload or /force-reload option in the archive download-sw command.
Use the /directory option to specify a directory for images.
Examples
This example shows how to download a new image from a TFTP server at 172.20.129.10 and to overwrite the image on the switch:
Switch# archive download-sw /overwrite tftp://172.20.129.10/test-image.tarThis example shows how to download only the software image from a TFTP server at 172.20.129.10 to the switch:
Switch# archive download-sw /imageonly tftp://172.20.129.10/test-image.tarThis example shows how to keep the old software version after a successful download:
Switch# archive download-sw /leave-old-sw tftp://172.20.129.10/test-image.tarRelated Commands
archive tar
Use the archive tar privileged EXEC command to create a tar file, list files in a tar file, or extract the files from a tar file.
archive tar {/create destination-url flash:/file-url} | {/table source-url} | {/xtract source-url flash:/file-url [dir/file...]}
Syntax Description
Defaults
There is no default setting.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
Image names are case sensitive.
Examples
This example shows how to create a tar file. The command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:
Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new_configsThis example shows how to display the contents of the file that is in flash memory. The contents of the tar file appear on the screen:
Switch# archive tar /table flash:c3560-ipservices-12-25.SEB.tarinfo (219 bytes)c3560-ipservices-mz.12-25.SEB/ (directory)c3560-ipservices-mz.12-25.SEB (610856 bytes)c3560-ipservices-mz.12-25.SEB/info (219 bytes)info.ver (219 bytes)This example shows how to display only the /html directory and its contents:
Switch# archive tar /table flash:c3560-ipservices-12-25.SEB.tar c3560-ipservices-12-25/htmlc3560-ipservices-mz.12-25.SEB/html/ (directory)c3560-ipservices-mz.12-25.SEB/html/const.htm (556 bytes)c3560-ipservices-mz.12-25.SEB/html/xhome.htm (9373 bytes)c3560-ipservices-mz.12-25.SEB/html/menu.css (1654 bytes)<output truncated>This example shows how to extract the contents of a tar file on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local flash file system. The remaining files in the saved.tar file are ignored.
Switch# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/new-configsRelated Commands
Downloads a new image from a TFTP server to the switch.
Uploads an existing image on the switch to a server.
archive upload-sw
Use the archive upload-sw privileged EXEC command to upload an existing switch image to a server.
archive upload-sw [/version version_string] destination-url
Syntax Description
Defaults
Uploads the currently running image from the flash file system.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the upload feature only if the HTML files associated with the embedded device manager have been installed with the existing image.
The files are uploaded in this sequence: the Cisco IOS image, the HTML files, and info. After these files are uploaded, the software creates the tar file.
Image names are case sensitive.
Examples
This example shows how to upload the currently running image to a TFTP server at 172.20.140.2:
Switch# archive upload-sw tftp://172.20.140.2/test-image.tarRelated Commands
Downloads a new image to the switch.
Creates a tar file, lists the files in a tar file, or extracts the files from a tar file.
arp access-list
Use the arp access-list global configuration command to define an Address Resolution Protocol (ARP) access control list (ACL) or to add clauses to the end of a previously defined list. Use the no form of this command to delete the specified ARP access list.
arp access-list acl-name
no arp access-list acl-name
Syntax Description
Defaults
No ARP access lists are defined.
Command Modes
Global configuration
Command History
Usage Guidelines
After entering the arp access-list command, you enter ARP access-list configuration mode, and these configuration commands are available:
•
•
•
•
•
Use the permit and deny access-list configuration commands to forward and to drop ARP packets based on the specified matching criteria.
When the ARP ACL is defined, you can apply it to a VLAN by using the ip arp inspection filter vlan global configuration command. ARP packets containing only IP-to-MAC address bindings are compared to the ACL. All other types of packets are bridged in the ingress VLAN without validation. If the ACL permits a packet, the switch forwards it. If the ACL denies a packet because of an explicit deny statement, the switch drops the packet. If the ACL denies a packet because of an implicit deny statement, the switch compares the packet to the list of DHCP bindings (unless the ACL is static, which means that packets are not compared to the bindings).
Examples
This example shows how to define an ARP access list and to permit both ARP requests and ARP responses from a host with an IP address of 1.1.1.1 and a MAC address of 0000.0000.abcd:
Switch(config)# arp access-list static-hostsSwitch(config-arp-nacl)# permit ip host 1.1.1.1 mac host 00001.0000.abcdSwitch(config-arp-nacl)# endYou can verify your settings by entering the show arp access-list privileged EXEC command.
Related Commands
authentication control-direction
Use the authentication control-direction interface configuration command to configure the port mode as unidirectional or bidirectional. Use the no form of this command to return to the default setting.
authentication control-direction {both | in}
no authentication control-direction
Syntax Description
Defaults
The port is in bidirectional mode.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the both keyword or the no form of this command to return to the default setting (bidirectional mode).
Examples
This example shows how to enable bidirectional mode:
Switch(config)# authentication control-direction bothThis example shows how to enable unidirectional mode:
Switch(config)# authentication control-direction inYou can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication event
Use the authentication event interface configuration command to set the actions for specific authentication events on the port.
authentication event fail {[action [authorize vlan vlan-id | next-method] {| retry {retry count}]} { no-response action authorize vlan vlan-id} {server {alive action reinitialize} | {dead action authorize}}
no authentication event fail {[action[authorize vlan vlan-id | next-method] {| retry {retry count}]} {no-response action authorize vlan vlan-id} {server {alive action reinitialize} | {dead action authorize}}
Syntax Description
Defaults
No event responses are configured on the port.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command with the fail, no-response, or event keywords to configure the switch response for a specific action.
For server-dead events:
•
•
If the Windows XP client is configured for DHCP and has an IP address from the DHCP server and a critical port receives an EAP-Success message, the DHCP configuration process might not re-initiate.
For no-response events:
•
•
•
You can configure any active VLAN except a Remote Switched Port Analyzer (RSPAN) VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is supported only on access ports. It is not supported on internal VLANs (routed ports) or trunk ports.
•
–
–
For more information, see the "Using IEEE 802.1x Authentication with MAC Authentication Bypass" section in the "Configuring IEEE 802.1x Port-Based Authentication" chapter of the software configuration guide.
For authentication-fail events:
•
–
–
The restricted VLAN is supported only in single host mode (the default port mode). When a port is placed in a restricted VLAN, the supplicant's MAC address is added to the MAC address table. Any other MAC address on the port is treated as a security violation.
•
Enable re-authentication with restricted VLANs. If re-authentication is disabled, the ports in the restricted VLANs do not receive re-authentication requests if it is disabled.
To start the re-authentication process, the restricted VLAN must receive a link-down event or an Extensible Authentication Protocol (EAP) logoff event from the port. If a host is connected through a hub:
–
–
When you reconfigure a restricted VLAN as a different type of VLAN, ports in the restricted VLAN are also moved and stay in their currently authorized state.
Examples
This example shows how to configure the authentication event fail command:
Switch(config)# authentication event fail action authorize vlan 20This example shows how to configure a no-response action:
Switch(config)# authentication event no-response action authorize vlan 10This example shows how to configure a server-response action:
Switch(config)# authentication event server alive action reinitializeYou can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication fallback
Use the authentication fallback interface configuration command to configure a port to use web authentication as a fallback method for clients that do not support IEEE 802.1x authentication. To return to the default setting, use the no form of this command.
authentication fallback name
no authentication fallback name
Syntax Description
Defaults
No fallback is enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
You must enter the authentication port-control auto interface configuration command before configuring a fallback method.
You can only configure web authentication as a fallback method to 802.1x or MAB, so one or both of these authentication methods should be configured for the fallback to enable.
Examples
This example shows how to specify a fallback profile on a port:
Switch(config)# authentication fallback profile1You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication host-mode
Use the authentication host-mode interface configuration command to set the authorization manager mode on a port.
authentication host-mode [multi-auth | multi-domain | multi-host | single-host]
no authentication host-mode [multi-auth | multi-domain | multi-host | single-host]]
Syntax Description
Defaults
Single host mode is enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
Single-host mode should be configured if only one data host is connected. Do not connect a voice device to authenticate on a single-host port. Voice device authorization fails if no voice VLAN is configured on the port.
Multi-domain mode should be configured if data host is connected through an IP Phone to the port. Multi-domain mode should be configured if the voice device needs to be authenticated.
Multi-auth mode should be configured to allow up to eight devices behind a hub to obtain secured port access through individual authentication. Only one voice device can be authenticated in this mode if a voice VLAN is configured.
Multi-host mode also offers port access for multiple hosts behind a hub, but multi-host mode gives unrestricted port access to the devices after the first user gets authenticated.
Examples
This example shows how to enable multiauth mode on a port:
Switch(config)# authentication host-mode multi-authThis example shows how to enable multi-domain mode on a port:
Switch(config)# authentication host-mode multi-domain
This example shows how to enable multi-host mode on a port:
Switch(config)# authentication host-mode multi-host
This example shows how to enable single-host mode on a port:
Switch(config)# authentication host-mode single-host
You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication open
Use the authentication open interface configuration command to enable or disable open access on a port. Use the no form of this command to disable open access.
authentication open
no authentication open
Defaults
Open access is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
Open authentication must be enabled if a device requires network access before it is authenticated.
A port ACL should be used to restrict host access when open authentication is enabled.
Examples
This example shows how to enable open access on a port:
Switch(config)# authentication openThis example shows how to set the port to disable open access on a port:
Switch(config)# no authentication openRelated Commands
authentication order
Use the authentication order interface configuration command to set the order of authentication methods used on a port.
authentication order [dot1x | mab] {webauth}
no authentication order
Syntax Description
Command Default
The default authentication order is dot1x followed by mab and webauth.
Command Modes
Interface configuration
Command History
Usage Guidelines
Ordering sets the order of methods that the switch attempts when trying to authenticate a new device connected to a port. If one method in the list is unsuccessful, the next method is attempted.
Each method can only be entered once. Flexible ordering is only possible between 802.1x and MAB.
Web authentication can be configured as either a standalone method or as the last method in the order after either 802.1x or MAB. Web authentication should be configured only as fallback to dot1x or mab.
Examples
This example shows how to add 802.1x as the first authentication method, MAB as the second method, and web authentication as the third method:
Switch(config)# authentication order dotx mab webauthThis example shows how to add MAC authentication Bypass (MAB) as the first authentication method and web authentication as the second authentication method:
Switch(config)# authentication order mab webauthYou can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication periodic
Use the authentication periodic interface configuration command to enable or disable reauthentication on a port. Enter the no form of this command to disable reauthentication.
authentication periodic
no authentication periodic
Command Default
Reauthentication is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
You configure the amount of time between periodic re-authentication attempts by using the authentication timer reauthentication interface configuration command.
Examples
This example shows how to enable periodic reauthentication on a port:
Switch(config)# authentication periodicThis example shows how to disable periodic reauthentication on a port:
Switch(config)# no authentication periodicYou can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication port-control
Use the authentication port-control interface configuration command to enable manual control of the port authorization state. Use the no form of this command to return to the default setting.
authentication port-control {auto | force-authorized | force-un authorized}
no authentication port-control {auto | force-authorized | force-un authorized}
Syntax Description
Defaults
The default setting is force-authorized.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the auto keyword only on one of these port types:
•
•
•
•
•
To globally disable IEEE 802.1x authentication on the switch, use the no dot1x system-auth-control global configuration command. To disable IEEE 802.1x authentication on a specific port or to return to the default setting, use the no authentication port-control interface configuration command.
Examples
This example shows how to set the port state to automatic:
Switch(config)# authentication port-control autoThis example shows how to set the port state to the force- authorized state:
Switch(config)# authentication port-control force-authorizedThis example shows how to set the port state to the force-unauthorized state:
Switch(config)# authentication port-control force-unauthorizedYou can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication priority
Use the authentication priority interface configuration command to add an authentication method to the port-priority list.
auth priority [dot1x | mab] {webauth}
no auth priority [dot1x | mab] {webauth}
Syntax Description
Command Default
The default priority is 802.1x authentication, followed by MAC authentication bypass and web authentication.
Command Modes
Interface configuration
Command History
Usage Guidelines
Ordering sets the order of methods that the switch attempts when trying to authenticate a new device is connected to a port.
When configuring multiple fallback methods on a port, set web authentication (webauth) last.
Assigning priorities to different authentication methods allows a higher-priority method to interrupt an in-progress authentation method with a lower priority.
Note
The default priority of an authentication method is equivalent to its position in execution-list order: 802.1x authentication, MAC authentication bypass, and web authentication. Use the dot1x, mab, and webauth keywords to change this default order.
Examples
This example shows how to set 802.1x as the first authentication method and web authentication as the second authentication method:
Switch(config)# authentication priority dotx webauthThis example shows how to set MAC authentication Bypass (MAB) as the first authentication method and web authentication as the second authentication method:
Switch(config)# authentication priority mab webauthYou can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication timer
Use the authentication timer interface configuration command to configure the timeout and reauthentication parameters for an 802.1x-enabled port.
authentication timer {{[inactivity | reauthenticate] [server | am]} {restart value}}
no authentication timer {{[inactivity | reauthenticate] [server | am]} {restart value}}
Syntax Description
Defaults
The inactivity, server, and restart keywords are set to off. The reauthenticate keyword is set to one hour.
Command Modes
Interface configuration
Command History
Usage Guidelines
If a timeout value is not configured, an 802.1x session stays authorized indefinitely. No other host can use the port, and the connected host cannot move to another port on the same switch.
Examples
This example shows how to set the authentication inactivity timer to 60 seconds:
Switch(config)# authentication timer inactivity 60This example shows how to set the reauthentication timer to 120 seconds:
Switch(config)# authentication timer restart 120You can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
authentication violation
Use the authentication violation interface configuration command to configure the violation modes that occur when a new device connects to a port or when a new device connects to a port after the maximum number of devices are connected to that port.
authentication violation {protect | restrict | shutdown}
no authentication violation {protect | restrict | shutdown}
Syntax Description
Defaults
By default authentication violation shutdown mode is enabled.
Command Modes
Interface configuration
Command History
Examples
This example shows how to configure an IEEE 802.1x-enabled port as error disabled and to shut down when a new device connects it:
Switch(config-if)# authentication violation shutdownThis example shows how to configure an IEEE 802.1x-enabled port to generate a system error message and to change the port to restricted mode when a new device connects to it:
Switch(config-if)# authentication violation restrictThis example shows how to configure an IEEE 802.1x-enabled port to ignore a new device when it connects to the port:
Switch(config-if)# authentication violation protectYou can verify your settings by entering the show authentication privileged EXEC command.
Related Commands
auto qos voip
Use the auto qos voip interface configuration command to automatically configure quality of service (QoS) for voice over IP (VoIP) within a QoS domain. Use the no form of this command to return to the default setting.
auto qos voip {cisco-phone | cisco-softphone | trust}
no auto qos voip [cisco-phone | cisco-softphone | trust]
Syntax Description
Defaults
Auto-QoS is disabled on the port.
When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 2-1.
Table 2-1 Traffic Types, Packet Labels, and Queues
TrafficDSCP3
46
24, 26
48
56
34
-
CoS4
5
3
6
7
3
-
CoS-to-ingress queue map
2, 3, 4, 5, 6, 7 (queue 2)
0, 1 (queue 1)
CoS-to-egress queue map
5 (queue 1)
3, 6, 7 (queue 2)
4 (queue 3)
2
(queue 3)0, 1 (queue 4)
1 STP = Spanning Tree Protocol
2 BPDU = bridge protocol data unit
3 DSCP = Differentiated Services Code Point
4 CoS = class of service
Table 2-2 shows the generated auto-QoS configuration for the ingress queues.
Table 2-2 Auto-QoS Configuration for the Ingress Queues
SRR1 shared
1
0, 1
81 percent
67 percent
Priority
2
2, 3, 4, 5, 6, 7
19 percent
33 percent
1 SRR = shaped round robin. Ingress queues support shared mode only.
Table 2-3 shows the generated auto-QoS configuration for the egress queues.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and edge devices that can classify incoming traffic for QoS.
Auto-QoS configures the switch for VoIP with Cisco IP Phones on switch and routed ports and for VoIP with devices running the Cisco SoftPhone application. These releases support only Cisco IP SoftPhone Version 1.3(3) or later. Connected devices must use Cisco Call Manager Version 4 or later.
The show auto qos command output shows the service policy information for the Cisco IP phone.
To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. You can fine-tune the auto-QoS configuration after you enable auto-QoS.
Note
If this is the first port on which you have enabled auto-QoS, the auto-QoS-generated global configuration commands are executed followed by the interface configuration commands. If you enable auto-QoS on another port, only the auto-QoS-generated interface configuration commands for that port are executed.
When you enable the auto-QoS feature on the first port, these automatic actions occur:
•
If the switch port was configured by using the auto qos voip cisco-phone interface configuration command in Cisco IOS Release 12.2(37)SE or earlier, the auto-QoS generated commands new to Cisco IOS Release 12.2(40)SE are not applied to the port. To have these commands automatically applied, you must remove and then reapply the configuration to the port.
•
•
You can enable auto-QoS on static, dynamic-access, and voice VLAN access, and trunk ports. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
Note
After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use the new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map.
To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging. For more information, see the debug auto qos command.
To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration). You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Examples
This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to the port is a trusted device:
Switch(config)# interface gigabitethernet0/1Switch(config-if)# auto qos voip trustYou can verify your settings by entering the show auto qos interface interface-id privileged EXEC command.
Related Commands
Enables debugging of the auto-QoS feature.
Defines the default CoS value of a port or assigns the default CoS to all incoming packets on the port.
mls qos map {cos-dscp dscp1 ... dscp8 | dscp-cos dscp-list to cos}
Defines the CoS-to-DSCP map or the DSCP-to-CoS map.
Allocates buffers to a queue-set.
Assigns shaped round robin (SRR) weights to an ingress queue.
Allocates the buffers between the ingress queues.
Maps CoS values to an ingress queue or maps CoS values to a queue and to a threshold ID.
Maps DSCP values to an ingress queue or maps DSCP values to a queue and to a threshold ID.
Configures the ingress priority queue and guarantees bandwidth.
Maps CoS values to an egress queue or maps CoS values to a queue and to a threshold ID.
Maps DSCP values to an egress queue or maps DSCP values to a queue and to a threshold ID.
Configures the port trust state.
Maps a port to a queue-set.
Displays auto-QoS information.
Displays QoS information at the port level.
Assigns the shaped weights and enables bandwidth shaping on the four egress queues mapped to a port.
Assigns the shared weights and enables bandwidth sharing on the four egress queues mapped to a port.
boot auto-download-sw
Use the boot auto-download-sw global configuration command to specify a URL pathname to use for automatic software upgrades. Use the no form of this command to return to the default setting.
boot auto-download-sw source-url
no boot auto-download-sw
Syntax Description
Defaults
Disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command specifies a path URL to use for automatic software upgrades.
You can use this command to configure the URL for the master switch to access in case of a version-mismatch.
Related Commands
boot config-file
Use the boot config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. Use the no form of this command to return to the default setting.
boot config-file flash:/file-url
no boot config-file
Syntax Description
Defaults
The default configuration file is flash:config.text.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
This command changes the setting of the CONFIG_FILE environment variable. For more information, see Appendix A, "Catalyst 3560 Switch Bootloader Commands."
Related Commands
boot enable-break
Use the boot enable-break global configuration command to enable interrupting the automatic boot process. Use the no form of this command to return to the default setting.
boot enable-break
no boot enable-break
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled. The automatic boot process cannot be interrupted by pressing the Break key on the console.
Command Modes
Global configuration
Command History
Usage Guidelines
When you enter this command, you can interrupt the automatic boot process by pressing the Break key on the console after the flash file system is initialized.
Note
This command changes the setting of the ENABLE_BREAK environment variable. For more information, see Appendix A, "Catalyst 3560 Switch Bootloader Commands."
Related Commands
boot helper
Use the boot helper global configuration command to dynamically load files during boot loader initialization to extend or patch the functionality of the boot loader. Use the no form of this command to return to the default.
boot helper filesystem:/file-url ...
no boot helper
Syntax Description
Defaults
No helper files are loaded.
Command Modes
Global configuration
Command History
Usage Guidelines
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER environment variable. For more information, see Appendix A, "Catalyst 3560 Switch Bootloader Commands."
Related Commands
boot helper-config-file
Use the boot helper-config-file global configuration command to specify the name of the configuration file to be used by the Cisco IOS helper image. If this is not set, the file specified by the CONFIG_FILE environment variable is used by all versions of Cisco IOS that are loaded. Use the no form of this command to return to the default setting.
boot helper-config-file filesystem:/file-url
no boot helper-config file
Syntax Description
filesystem:
Alias for a flash file system. Use flash: for the system board flash device.
/file-url
The path (directory) and helper configuration file to load.
Defaults
No helper configuration file is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
This variable is used only for internal development and testing.
Filenames and directory names are case sensitive.
This command changes the setting of the HELPER_CONFIG_FILE environment variable. For more information, see Appendix A, "Catalyst 3560 Switch Bootloader Commands."
Related Commands
boot manual
Use the boot manual global configuration command to enable manually booting the switch during the next boot cycle. Use the no form of this command to return to the default setting.
boot manual
no boot manual
Syntax Description
This command has no arguments or keywords.
Defaults
Manual booting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The next time you reboot the system, the switch is in boot loader mode, which is shown by the switch: prompt. To boot up the system, use the boot boot loader command, and specify the name of the bootable image.
This command changes the setting of the MANUAL_BOOT environment variable. For more information, see Appendix A, "Catalyst 3560 Switch Bootloader Commands."
Related Commands
boot private-config-file
Use the boot private-config-file global configuration command to specify the filename that Cisco IOS uses to read and write a nonvolatile copy of the private configuration. Use the no form of this command to return to the default setting.
boot private-config-file filename
no boot private-config-file
Syntax Description
Defaults
The default configuration file is private-config.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames are case sensitive.
Examples
This example shows how to specify the name of the private configuration file to be pconfig:
Switch(config)# boot private-config-file pconfigRelated Commands
boot system
Use the boot system global configuration command to specify the Cisco IOS image to load during the next boot cycle. Use the no form of this command to return to the default setting.
boot system filesystem:/file-url ...
no boot system
Syntax Description
filesystem:
Alias for a flash file system. Use flash: for the system board flash device.
/file-url
The path (directory) and name of a bootable image. Separate image names with a semicolon.
Defaults
The switch attempts to automatically boot up the system by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
Command Modes
Global configuration
Command History
Usage Guidelines
Filenames and directory names are case sensitive.
If you are using the archive download-sw privileged EXEC command to maintain system images, you never need to use the boot system command. The boot system command is automatically manipulated to load the downloaded image.
This command changes the setting of the BOOT environment variable. For more information, see Appendix A, "Catalyst 3560 Switch Bootloader Commands."
Related Commands
channel-group
Use the channel-group interface configuration command to assign an Ethernet port to an EtherChannel group, to enable an EtherChannel mode, or both. Use the no form of this command to remove an Ethernet port from an EtherChannel group.
channel-group channel-group-number mode {active | {auto [non-silent]} | {desirable [non-silent]} | on | passive}
no channel-group
PAgP modes:
channel-group channel-group-number mode {{auto [non-silent]} | {desirable [non-silent}}LACP modes:
channel-group channel-group-number mode {active | passive}On mode:
channel-group channel-group-number mode onSyntax Description
Defaults
No channel groups are assigned.
No mode is configured.
Command Modes
Interface configuration
Command History
12.1(19)EA1
This command was introduced.
12.2(25)SE
The channel-group-number range was changed from 1 to 12 to 1 to 48.
Usage Guidelines
For Layer 2 EtherChannels, you do not have to create a port-channel interface first by using the interface port-channel global configuration command before assigning a physical port to a channel group. Instead, you can use the channel-group interface configuration command. It automatically creates the port-channel interface when the channel group gets its first physical port if the logical interface is not already created. If you create the port-channel interface first, the channel-group-number can be the same as the port-channel-number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel.
You do not have to disable the IP address that is assigned to a physical port that is part of a channel group, but we strongly recommend that you do so.
You create Layer 3 port channels by using the interface port-channel command followed by the no switchport interface configuration command. You should manually configure the port-channel logical interface before putting the interface into the channel group.
After you configure an EtherChannel, configuration changes that you make on the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
If you do not specify non-silent with the auto or desirable mode, silent is assumed. The silent mode is used when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. A example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port prevents that port from ever becoming operational. However, it allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. Both ends of the link cannot be set to silent.
In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode.
Caution
Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
If you set the protocol by using the channel-protocol interface configuration command, the setting is not overridden by the channel-group interface configuration command.
Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.
Do not configure a secure port as part of an EtherChannel or an EtherChannel port as a secure port.
For a complete list of configuration guidelines, see the "Configuring EtherChannels" chapter in the software configuration guide for this release.
Caution
Examples
This example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable:
Switch# configure terminalSwitch(config)# interface range gigabitethernet0/1 -2Switch(config-if-range)# switchport mode accessSwitch(config-if-range)# switchport access vlan 10Switch(config-if-range)# channel-group 5 mode desirableSwitch(config-if-range)# endThis example shows how to configure an EtherChannel. It assigns two static-access ports in VLAN 10 to channel 5 with the LACP mode active:
Switch# configure terminalSwitch(config)# interface range gigabitethernet0/1 -2Switch(config-if-range)# switchport mode accessSwitch(config-if-range)# switchport access vlan 10Switch(config-if-range)# channel-group 5 mode activeSwitch(config-if-range)# endYou can verify your settings by entering the show running-config privileged EXEC command.
Related Commands
channel-protocol
Use the channel-protocol interface configuration command to restrict the protocol used on a port to manage channeling. Use the no form of this command to return to the default setting.
channel-protocol {lacp | pagp}
no channel-protocol
Syntax Description
lacp
Configure an EtherChannel with the Link Aggregation Control Protocol (LACP).
pagp
Configure an EtherChannel with the Port Aggregation Protocol (PAgP).
Defaults
No protocol is assigned to the EtherChannel.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the channel-protocol command only to restrict a channel to LACP or PAgP. If you set the protocol by using the channel-protocol command, the setting is not overridden by the channel-group interface configuration command.
You must use the channel-group interface configuration command to configure the EtherChannel parameters. The channel-group command also can set the mode for the EtherChannel.
You cannot enable both the PAgP and LACP modes on an EtherChannel group.
PAgP and LACP are not compatible; both ends of a channel must use the same protocol.
Examples
This example shows how to specify LACP as the protocol that manages the EtherChannel:
Switch(config-if)# channel-protocol lacpYou can verify your settings by entering the show etherchannel [channel-group-number] protocol privileged EXEC command.
Related Commands
Assigns an Ethernet port to an EtherChannel group.
show etherchannel protocol
Displays protocol information the EtherChannel.
cisp enable
Use the cisp enable global configuration command to enable Client Information Signalling Protocol (CISP) on a switch so that it acts as an authenticator to a supplicant switch.
cisp enable
no cisp enable
Syntax Description
Defaults
There is no default setting.
Command Modes
Global configuration
Command History
Usage Guidelines
The link between the authenticator and supplicant switch is a trunk. When you enable VTP on both switches, the VTP domain name must be the same, and the VTP mode must be server.
When you configure VTP mode, to avoid the MD5 checksum mismatch error, verify that:
•
•
Examples
This example shows how to enable CISP:
switch(config)# cisp enableRelated Commands
Configures a profile on a supplicant switch.
Displays CISP information for a specified interface.
class
Use the class policy-map configuration command to define a traffic classification match criteria (through the police, set, and trust policy-map class configuration commands) for the specified class-map name. Use the no form of this command to delete an existing class map.
class class-map-name
no class class-map-name
Syntax Description
Defaults
No policy map class-maps are defined.
Command Modes
Policy-map configuration
Command History
Usage Guidelines
Before using the class command, you must use the policy-map global configuration command to identify the policy map and to enter policy-map configuration mode. After specifying a policy map, you can configure a policy for new classes or modify a policy for any existing classes in that policy map. You attach the policy map to a port by using the service-policy interface configuration command.
After entering the class command, you enter policy-map class configuration mode, and these configuration commands are available:
•
•
•
•
•
To return to policy-map configuration mode, use the exit command. To return to privileged EXEC mode, use the end command.
The class command performs the same function as the class-map global configuration command. Use the class command when a new classification, which is not shared with any other ports, is needed. Use the class-map command when the map is shared among many ports.
Examples
This example shows how to create a policy map called policy1. When attached to the ingress direction, it matches all the incoming traffic defined in class1, sets the IP Differentiated Services Code Point (DSCP) to 10, and polices the traffic at an average rate of 1 Mb/s and bursts at 20 KB. Traffic exceeding the profile is marked down to a DSCP value gotten from the policed-DSCP map and then sent.
Switch(config)# policy-map policy1Switch(config-pmap)# class class1Switch(config-pmap-c)# set dscp 10Switch(config-pmap-c)# police 1000000 20000 exceed-action policed-dscp-transmitSwitch(config-pmap-c)# exitYou can verify your settings by entering the show policy-map privileged EXEC command.
Related Commands
class-map
Use the class-map global configuration command to create a class map to be used for matching packets to the class name you specify and to enter class-map configuration mode. Use the no form of this command to delete an existing class map and to return to global configuration mode.
class-map [match-all | match-any] class-map-name
no class-map [match-all | match-any] class-map-name
Syntax Description
Defaults
No class maps are defined.
If neither the match-all or match-any keyword is specified, the default is match-all.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the name of the class for which you want to create or modify class-map match criteria and to enter class-map configuration mode.
The class-map command and its subcommands are used to define packet classification, marking, and aggregate policing as part of a globally named service policy applied on a per-port basis.
After you are in quality of service (QoS) class-map configuration mode, these configuration commands are available:
•
•
•
•
•
To define packet classification on a physical-port basis, only one match command per class map is supported. In this situation, the match-all and match-any keywords are equivalent.
Only one access control list (ACL) can be configured in a class map. The ACL can have multiple access control entries (ACEs).
Examples
This example shows how to configure the class map called class1 with one match criterion, which is an access list called 103:
Switch(config)# access-list 103 permit ip any any dscp 10Switch(config)# class-map class1Switch(config-cmap)# match access-group 103Switch(config-cmap)# exitThis example shows how to delete the class map class1:
Switch(config)# no class-map class1You can verify your settings by entering the show class-map privileged EXEC command.
Related Commands
clear dot1x
Use the clear dot1x privileged EXEC command to clear IEEE 802.1x information for the switch or for the specified port.
clear dot1x {all | interface interface-id}
Syntax Description
all
Clear all IEEE 802.1x information for the switch.
interface interface-id
Clear IEEE 802.1x information for the specified interface.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can clear all the information by using the clear dot1x all command, or you can clear only the information for the specified interface by using the clear dot1x interface interface-id command.
Examples
This example shows how to clear all IEEE 8021.x information:
Switch# clear dot1x allThis example shows how to clear IEEE 8021.x information for the specified interface:
Switch# clear dot1x interface gigabithethernet0/1You can verify that the information was deleted by entering the show dot1x privileged EXEC command.
Related Commands
Displays IEEE 802.1x statistics, administrative status, and operational status for the switch or for the specified port.
clear eap sessions
Use the clear eap sessions privileged EXEC command to clear Extensible Authentication Protocol (EAP) session information for the switch or for the specified port.
clear eap sessions [credentials name [interface interface-id] | interface interface-id | method name | transport name] [credentials name | interface interface-id | transport name] ...
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can clear all counters by using the clear eap sessions command, or you can clear only the specific information by using the keywords.
Examples
This example shows how to clear all EAP information:
Switch# clear eapThis example shows how to clear EAP-session credential information for the specified profile:
Switch# clear eap sessions credential type1
You can verify that the information was deleted by entering the show dot1x privileged EXEC command.
Related Commands
Displays EAP registration and session information for the switch or for the specified port
clear energywise neighbors
Use the clear energywise neighbors privileged EXEC command to delete the EnergyWise neighbor tables.
clear energywise neighbors
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to delete the neighbor tables:
Switch# clear energywise neighborsCleared all non static energywise neighborsYou can verify that the tables were deleted by entering the show energywise neighbors privileged EXEC command.
Related Commands
show energywise neighbors
Displays the EnergyWise neighbor tables.
clear errdisable interface
Use the clear errdisable interface privileged EXEC command to re-enable a VLAN that was error disabled.
clear errdisable interface interface-id vlan [vlan-list]
Syntax Description
vlan list
(Optional) Specify a list of VLANs to be re-enabled. If a vlan-list is not specified, then all VLANs are re-enabled.
Command Default
No default is defined
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can re-enable a port by using the shutdown and no shutdown interface configuration commands, or you can clear error disable for VLANs by using the clear errdisable interface command.
Examples
This example shows how to re-enable all VLANs that were error-disabled on port Gi0/2.
Switch# clear errdisable interface GigabitEthernet0/2 vlan
Related Commands
Enables error-disabled detection for a specific cause or all causes.
Configures the recovery mechanism variables.
Displays error-disabled detection status.
Display error-disabled recovery timer information.
show interfaces status err-disabled
Displays interface status of a list of interfaces in error-disabled state.
clear arp inspection log
Use the clear ip arp inspection log privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection log buffer.
clear ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the contents of the log buffer:
Switch# clear ip arp inspection logYou can verify that the log was cleared by entering the show ip arp inspection log privileged command.
Related Commands
Defines an ARP access control list (ACL).
Configures the dynamic ARP inspection logging buffer.
Controls the type of packets that are logged per VLAN.
show inventory log
Displays the configuration and contents of the dynamic ARP inspection log buffer.
clear ip arp inspection statistics
Use the clear ip arp inspection statistics privileged EXEC command to clear the dynamic Address Resolution Protocol (ARP) inspection statistics.
clear ip arp inspection statistics [vlan vlan-range]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the statistics for VLAN 1:
Switch# clear ip arp inspection statistics vlan 1You can verify that the statistics were deleted by entering the show ip arp inspection statistics vlan 1 privileged EXEC command.
Related Commands
show inventory statistics
Displays statistics for forwarded, dropped, MAC validation failure, and IP validation failure packets for all VLANs or the specified VLAN.
clear ip dhcp snooping
Use the clear ip dhcp snooping privileged EXEC command to clear the DHCP snooping binding database, the DHCP snooping binding database agent statistics, or the DHCP snooping statistics counters.
clear ip dhcp snooping {binding {* | ip-address | interface interface-id | vlan vlan-id} | database statistics | statistics}
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When you enter the clear ip dhcp snooping database statistics command, the switch does not update the entries in the binding database and in the binding file before clearing the statistics.
Examples
This example shows how to clear the DHCP snooping binding database agent statistics:
Switch# clear ip dhcp snooping database statisticsYou can verify that the statistics were cleared by entering the show ip dhcp snooping database privileged EXEC command.
This example shows how to clear the DHCP snooping statistics counters:
Switch# clear ip dhcp snooping statisticsYou can verify that the statistics were cleared by entering the show ip dhcp snooping statistics user EXEC command.
Related Commands
Enables DHCP snooping on a VLAN.
Configures the DHCP snooping binding database agent or the binding file.
Displays the status of DHCP snooping database agent.
show ip dhcp snooping database
Displays the DHCP snooping binding database agent statistics.
show ip dhcp snooping statistics
Displays the DHCP snooping statistics.
clear ipc
Use the clear ipc privileged EXEC command to clear Interprocess Communications Protocol (IPC) statistics.
clear ipc {queue-statistics | statistics}
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can clear all statistics by using the clear ipc statistics command, or you can clear only the queue statistics by using the clear ipc queue-statistics command.
Examples
This example shows how to clear all statistics:
Switch# clear ipc statisticsThis example shows how to clear only the queue statistics:
Switch# clear ipc queue-statisticsYou can verify that the statistics were deleted by entering the show ipc rpc or the show ipc session privileged EXEC command.
Related Commands
show ipc {rpc | session}
Displays the IPC multicast routing statistics.
clear ipv6 dhcp conflict
Use the clear ipv6 dhcp conflict privileged EXEC command to clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database.
clear ipv6 dhcp conflict {* | IPv6-address}
Note
Syntax Description
*
Clear all address conflicts.
IPv6-address
Clear the host IPv6 address that contains the conflicting address.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
To configure the dual IPv4 and IPv6 template, enter the sdm prefer dual-ipv4-and-ipv6 {default | vlan} global configuration command, and reload the switch.
When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool, and the address is not assigned until the administrator removes the address from the conflict list.
If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.
Examples
This example shows how to clear all address conflicts from the DHCPv6 server database:
Switch# clear ipv6 dhcp conflict *Related Commands
Displays address conflicts found by a DHCPv6 server, or reported through a DECLINE message from a client.
clear l2protocol-tunnel counters
Use the clear l2protocol-tunnel counters privileged EXEC command to clear the protocol counters in protocol tunnel ports.
clear l2protocol-tunnel counters [interface-id]
Syntax Description
interface-id
(Optional) Specify interface (physical interface or port channel) for which protocol counters are to be cleared.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to clear protocol tunnel counters on the switch or on the specified interface.
Examples
This example shows how to clear Layer 2 protocol tunnel counters on an interface:
Switch# clear l2protocol-tunnel counters gigabitethernet0/3Related Commands
clear lacp
Use the clear lacp privileged EXEC command to clear Link Aggregation Control Protocol (LACP) channel-group counters.
clear lacp {channel-group-number counters | counters}
Syntax Description
channel-group-number
(Optional) Channel group number. The range is 1 to 48.
counters
Clear traffic counters.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
12.1(19)EA1
This command was introduced.
12.2(25)SE
The channel-group-number range was changed from 1 to 12 to 1 to 48.
Usage Guidelines
You can clear all counters by using the clear lacp counters command, or you can clear only the counters for the specified channel group by using the clear lacp channel-group-number counters command.
Examples
This example shows how to clear all channel-group information:
Switch# clear lacp countersThis example shows how to clear LACP traffic counters for group 4:
Switch# clear lacp 4 countersYou can verify that the information was deleted by entering the show lacp counters or the show lacp 4 counters privileged EXEC command.
Related Commands
clear mac address-table
Use the clear mac address-table privileged EXEC command to delete from the MAC address table a specific dynamic address, all dynamic addresses on a particular interface, or all dynamic addresses on a particular VLAN. This command also clears the MAC address notification global counters.
clear mac address-table {dynamic [address mac-addr | interface interface-id | vlan vlan-id] | notification}
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to remove a specific MAC address from the dynamic address table:
Switch# clear mac address-table dynamic address 0008.0070.0007You can verify that the information was deleted by entering the show mac address-table privileged EXEC command.
Related Commands
clear mac address-table move update
Use the clear mac address-table move update privileged EXEC command to clear the mac address-table-move update-related counters.
clear mac address-table move update
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the mac address-table move update related counters.
Switch# clear mac address-table move updateYou can verify that the information was cleared by entering the show mac address-table move update privileged EXEC command.
Related Commands
clear nmsp statistics
Use the clear nmsp statistics privileged EXEC command to clear the Network Mobility Services Protocol (NMSP) statistics. This command is available only when your switch is running the cryptographic (encrypted) software image.
clear nmsp statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear NMSP statistics:
Switch# clear nmsp statisticsYou can verify that information was deleted by entering the show nmsp statistics privileged EXEC command.
Related Commands
clear pagp
Use the clear pagp privileged EXEC command to clear Port Aggregation Protocol (PAgP) channel-group information.
clear pagp {channel-group-number counters | counters}
Syntax Description
channel-group-number
(Optional) Channel group number. The range is 1 to 48.
counters
Clear traffic counters.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
12.1(19)EA1
This command was introduced.
12.2(25)SE
The channel-group-number range was changed from 1 to 12 to 1 to 48.
Usage Guidelines
You can clear all counters by using the clear pagp counters command, or you can clear only the counters for the specified channel group by using the clear pagp channel-group-number counters command.
Examples
This example shows how to clear all channel-group information:
Switch# clear pagp countersThis example shows how to clear PAgP traffic counters for group 10:
Switch# clear pagp 10 countersYou can verify that information was deleted by entering the show pagp privileged EXEC command.
Related Commands
clear port-security
Use the clear port-security privileged EXEC command to delete from the MAC address table all secure addresses or all secure addresses of a specific type (configured, dynamic, or sticky) on the switch or on an interface.
clear port-security {all | configured | dynamic | sticky} [[address mac-addr | interface interface-id] [vlan {vlan-id | {access | voice}}]]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
12.2(25)SEA
This command was introduced.
12.2(25)SEB
The access and voice keywords were added.
Examples
This example shows how to clear all secure addresses from the MAC address table:
Switch# clear port-security allThis example shows how to remove a specific configured secure address from the MAC address table:
Switch# clear port-security configured address 0008.0070.0007This example shows how to remove all the dynamic secure addresses learned on a specific interface:
Switch# clear port-security dynamic interface gigabitethernet0/1This example shows how to remove all the dynamic secure addresses from the address table:
Switch# clear port-security dynamicYou can verify that the information was deleted by entering the show port-security privileged EXEC command.
Related Commands
Enables port security on an interface.
switchport port-security mac-address mac-address
Configures secure MAC addresses.
switchport port-security maximum value
Configures a maximum number of secure MAC addresses on a secure interface.
Displays the port security settings defined for an interface or for the switch.
clear spanning-tree counters
Use the clear spanning-tree counters privileged EXEC command to clear the spanning-tree counters.
clear spanning-tree counters [interface interface-id]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If the interface-id is not specified, spanning-tree counters are cleared for all interfaces.
Examples
This example shows how to clear spanning-tree counters for all interfaces:
Switch# clear spanning-tree countersRelated Commands
clear spanning-tree detected-protocols
Use the clear spanning-tree detected-protocols privileged EXEC command to restart the protocol migration process (force the renegotiation with neighboring switches) on all interfaces or on the specified interface.
clear spanning-tree detected-protocols [interface interface-id]
Syntax Description
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
A switch running the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol or the Multiple Spanning Tree Protocol (MSTP) supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If a rapid-PVST+ switch or an MSTP switch receives a legacy IEEE 802.1D configuration bridge protocol data unit (BPDU) with the protocol version set to 0, it sends only IEEE 802.1D BPDUs on that port. A multiple spanning-tree (MST) switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or a rapid spanning-tree (RST) BPDU (Version 2).
However, the switch does not automatically revert to the rapid-PVST+ or the MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot learn whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Use the clear spanning-tree detected-protocols command in this situation.
Examples
This example shows how to restart the protocol migration process on a port:
Switch# clear spanning-tree detected-protocols interface gigabitethernet0/1Related Commands
Displays spanning-tree state information.
Overrides the default link-type setting and enables rapid spanning-tree changes to the forwarding state.
clear vmps statistics
Use the clear vmps statistics privileged EXEC command to clear the statistics maintained by the VLAN Query Protocol (VQP) client.
clear vmps statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear VLAN Membership Policy Server (VMPS) statistics:
Switch# clear vmps statisticsYou can verify that information was deleted by entering the show vmps statistics privileged EXEC command.
Related Commands
Displays the VQP version, reconfirmation interval, retry count, VMPS IP addresses, and the current and primary servers.
clear vtp counters
Use the clear vtp counters privileged EXEC command to clear the VLAN Trunking Protocol (VTP) and pruning counters.
clear vtp counters
Syntax Description
This command has no arguments or keywords.
Defaults
No default is defined.
Command Modes
Privileged EXEC
Command History
Examples
This example shows how to clear the VTP counters:
Switch# clear vtp countersYou can verify that information was deleted by entering the show vtp counters privileged EXEC command.
Related Commands
Displays general information about the VTP management domain, status, and counters.
cluster commander-address
You do not need to enter this command from a standalone cluster member switch. The cluster command switch automatically provides its MAC address to cluster member switches when these switches join the cluster. The cluster member switch adds this information and other cluster information to its running configuration file. Use the no form of this global configuration command from the cluster member switch console port to remove the switch from a cluster only during debugging or recovery procedures.
cluster commander-address mac-address [member number name name]
no cluster commander-address
Syntax Description
Defaults
The switch is not a member of any cluster.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is available only on the cluster command switch.
A cluster member can have only one cluster command switch.
The cluster member switch retains the identity of the cluster command switch during a system reload by using the mac-address parameter.
You can enter the no form on a cluster member switch to remove it from the cluster during debugging or recovery procedures. You would normally use this command from the cluster member switch console port only when the member has lost communication with the cluster command switch. With normal switch configuration, we recommend that you remove cluster member switches only by entering the no cluster member n global configuration command on the cluster command switch.
When a standby cluster command switch becomes active (becomes the cluster command switch), it removes the cluster commander address line from its configuration.
Examples
This is partial sample output from the running configuration of a cluster member.
Switch(config)# show running-configuration<output truncated>cluster commander-address 00e0.9bc0.a500 member 4 name my_cluster<output truncated>This example shows how to remove a member from the cluster by using the cluster member console.
Switch # configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# no cluster commander-addressYou can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
cluster discovery hop-count
Use the cluster discovery hop-count global configuration command on the cluster command switch to set the hop-count limit for extended discovery of candidate switches. Use the no form of this command to return to the default setting.
cluster discovery hop-count number
no cluster discovery hop-count
Syntax Description
number
Number of hops from the cluster edge that the cluster command switch limits the discovery of candidates. The range is 1 to 7.
Defaults
The hop count is set to 3.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is available only on the cluster command switch. This command does not operate on cluster member switches.
If the hop count is set to 1, it disables extended discovery. The cluster command switch discovers only candidates that are one hop from the edge of the cluster. The edge of the cluster is the point between the last discovered cluster member switch and the first discovered candidate switch.
Examples
This example shows how to set hop count limit to 4. This command is executed on the cluster command switch.
Switch(config)# cluster discovery hop-count 4You can verify your setting by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
Displays a list of candidate switches.
cluster enable
Use the cluster enable global configuration command on a command-capable switch to enable it as the cluster command switch, assign a cluster name, and to optionally assign a member number to it. Use the no form of the command to remove all members and to make the cluster command switch a candidate switch.
cluster enable name [command-switch-member-number]
no cluster enable
Syntax Description
Defaults
The switch is not a cluster command switch.
No cluster name is defined.
The member number is 0 when the switch is the cluster command switch.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command on any command-capable switch that is not part of any cluster. This command fails if a device is already configured as a member of the cluster.
You must name the cluster when you enable the cluster command switch. If the switch is already configured as the cluster command switch, this command changes the cluster name if it is different from the previous cluster name.
Examples
This example shows how to enable the cluster command switch, name the cluster, and set the cluster command switch member number to 4.
Switch(config)# cluster enable Engineering-IDF4 4You can verify your setting by entering the show cluster privileged EXEC command on the cluster command switch.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
cluster holdtime
Use the cluster holdtime global configuration command to set the duration in seconds before a switch (either the command or cluster member switch) declares the other switch down after not receiving heartbeat messages. Use the no form of this command to set the duration to the default value.
cluster holdtime holdtime-in-secs
no cluster holdtime
Syntax Description
holdtime-in-secs
Duration in seconds before a switch (either a command or cluster member switch) declares the other switch down. The range is 1 to 300 seconds.
Defaults
The default holdtime is 80 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command with the cluster timer global configuration command only on the cluster command switch. The cluster command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.
The holdtime is typically set as a multiple of the interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.
Examples
This example shows how to change the interval timer and the duration on the cluster command switch.
Switch(config)# cluster timer 3Switch(config)# cluster holdtime 30You can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
cluster member
Use the cluster member global configuration command on the cluster command switch to add candidates to a cluster. Use the no form of the command to remove members from the cluster.
cluster member [n] mac-address H.H.H [password enable-password] [vlan vlan-id]
no cluster member n
Syntax Description
Defaults
A newly enabled cluster command switch has no associated cluster members.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command only on the cluster command switch to add a candidate to or remove a member from the cluster. If you enter this command on a switch other than the cluster command switch, the switch rejects the command and displays an error message.
You must enter a member number to remove a switch from the cluster. However, you do not need to enter a member number to add a switch to the cluster. The cluster command switch selects the next available member number and assigns it to the switch that is joining the cluster.
You must enter the enable password of the candidate switch for authentication when it joins the cluster. The password is not saved in the running or startup configuration. After a candidate switch becomes a member of the cluster, its password becomes the same as the cluster command-switch password.
If a switch does not have a configured hostname, the cluster command switch appends a member number to the cluster command-switch hostname and assigns it to the cluster member switch.
If you do not specify a VLAN ID, the cluster command switch automatically chooses a VLAN and adds the candidate to the cluster.
Examples
This example shows how to add a switch as member 2 with MAC address 00E0.1E00.2222 and the password key to a cluster. The cluster command switch adds the candidate to the cluster through VLAN 3.
Switch(config)# cluster member 2 mac-address 00E0.1E00.2222 password key vlan 3This example shows how to add a switch with MAC address 00E0.1E00.3333 to the cluster. This switch does not have a password. The cluster command switch selects the next available member number and assigns it to the switch that is joining the cluster.
Switch(config)# cluster member mac-address 00E0.1E00.3333You can verify your settings by entering the show cluster members privileged EXEC command on the cluster command switch.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
Displays a list of candidate switches.
Displays information about the cluster members.
cluster outside-interface
Use the cluster outside-interface global configuration command to configure the outside interface for cluster Network Address Translation (NAT) so that a member without an IP address can communicate with devices outside the cluster. Use the no form of this command to return to the default setting.
cluster outside-interface interface-id
no cluster outside-interface
Syntax Description
interface-id
Interface to serve as the outside interface. Valid interfaces include physical interfaces, port-channels, or VLANs. The port-channel range is 1 to 48. The VLAN range is 1 to 4094.
Defaults
The default outside interface is automatically selected by the cluster command switch.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command only on the cluster command switch. If you enter this command on a cluster member switch, an error message appears.
Examples
This example shows how to set the outside interface to VLAN 1:
Switch(config)# cluster outside-interface vlan 1You can verify your setting by entering the show running-config privileged EXEC command.
Related Commands
cluster run
Use the cluster run global configuration command to enable clustering on a switch. Use the no form of this command to disable clustering on a switch.
cluster run
no cluster run
Syntax Description
This command has no arguments or keywords.
Defaults
Clustering is enabled on all switches.
Command Modes
Global configuration
Command History
Usage Guidelines
When you enter the no cluster run command on a cluster command switch, the cluster command switch is disabled. Clustering is disabled, and the switch cannot become a candidate switch.
When you enter the no cluster run command on a cluster member switch, it is removed from the cluster. Clustering is disabled, and the switch cannot become a candidate switch.
When you enter the no cluster run command on a switch that is not part of a cluster, clustering is disabled on this switch. This switch cannot then become a candidate switch.
Examples
This example shows how to disable clustering on the cluster command switch:
Switch(config)# no cluster runYou can verify your setting by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
cluster standby-group
Use the cluster standby-group global configuration command to enable cluster command-switch redundancy by binding the cluster to an existing Hot Standby Router Protocol (HSRP). Entering the routing-redundancy keyword enables the same HSRP group to be used for cluster command-switch redundancy and routing redundancy. Use the no form of this command to return to the default setting.
cluster standby-group HSRP-group-name [routing-redundancy]
no cluster standby-group
Syntax Description
Defaults
The cluster is not bound to any HSRP group.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command only on the cluster command switch. If you enter it on a cluster member switch, an error message appears.
The cluster command switch propagates the cluster-HSRP binding information to all cluster-HSRP capable members. Each cluster member switch stores the binding information in its NVRAM. The HSRP group name must be a valid standby group; otherwise, the command exits with an error.
The same group name should be used on all members of the HSRP standby group that is to be bound to the cluster. The same HSRP group name should also be used on all cluster-HSRP capable members for the HSRP group that is to be bound. (When not binding a cluster to an HSRP group, you can use different names on the cluster commander and the members.)
Examples
This example shows how to bind the HSRP group named my_hsrp to the cluster. This command is executed on the cluster command switch.
Switch(config)# cluster standby-group my_hsrpThis example shows how to use the same HSRP group named my_hsrp for routing redundancy and cluster redundancy.
Switch(config)# cluster standby-group my_hsrp routing-redundancyThis example shows the error message when this command is executed on a cluster command switch and the specified HSRP standby group does not exist:
Switch(config)# cluster standby-group my_hsrp%ERROR: Standby (my_hsrp) group does not existThis example shows the error message when this command is executed on a cluster member switch:
Switch(config)# cluster standby-group my_hsrp routing-redundancy%ERROR: This command runs on a cluster command switchYou can verify your settings by entering the show cluster privileged EXEC command. The output shows whether redundancy is enabled in the cluster.
Related Commands
cluster timer
Use the cluster timer global configuration command to set the interval in seconds between heartbeat messages. Use the no form of this command to set the interval to the default value.
cluster timer interval-in-secs
no cluster timer
Syntax Description
Defaults
The interval is 8 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter this command with the cluster holdtime global configuration command only on the cluster command switch. The cluster command switch propagates the values to all its cluster members so that the setting is consistent among all switches in the cluster.
The holdtime is typically set as a multiple of the heartbeat interval timer (cluster timer). For example, it takes (holdtime-in-secs divided by the interval-in-secs) number of heartbeat messages to be missed in a row to declare a switch down.
Examples
This example shows how to change the heartbeat interval timer and the duration on the cluster command switch:
Switch(config)# cluster timer 3Switch(config)# cluster holdtime 30You can verify your settings by entering the show cluster privileged EXEC command.
Related Commands
Displays the cluster status and a summary of the cluster to which the switch belongs.
define interface-range
Use the define interface-range global configuration command to create an interface-range macro. Use the no form of this command to delete the defined macro.
define interface-range macro-name interface-range
no define interface-range macro-name interface-range
Syntax Description
macro-name
Name of the interface-range macro; up to 32 characters.
interface-range
Interface range; for valid values for interface ranges, see "Usage Guidelines."
Defaults
This command has no default setting.
Command Modes
Global configuration
Command History
Usage Guidelines
The macro name is a 32-character maximum character string.
A macro can contain up to five ranges.
All interfaces in a range must be the same type; that is, all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs, but you can combine multiple interface types in a macro.
When entering the interface-range, use this format:
•
•
Valid values for type and interface:
•
VLAN interfaces must have been configured with the interface vlan command (the show running-config privileged EXEC command displays the configured VLAN interfaces). VLAN interfaces not displayed by the show running-config command cannot be used in interface-ranges.
•
•
•
For physical interfaces:
•
•
When you define a range, you must enter a space before the hyphen (-), for example:
gigabitethernet0/1 - 2
You can also enter multiple ranges. When you define multiple ranges, you must enter a space after the first entry before the comma (,). The space after the comma is optional, for example:
fastethernet0/3, gigabitethernet0/1 - 2
fastethernet0/3 -4, gigabitethernet0/1 - 2
Examples
This example shows how to create a multiple-interface macro:
Switch(config)# define interface-range macro1 fastethernet0/1 - 2, gigabitethernet0/1 - 2Related Commands
delete
Use the delete privileged EXEC command to delete a file or directory on the flash memory device.
delete [/force] [/recursive] filesystem:/
