Catalyst 4500 Series Switch Cisco IOS Command Reference, 12.1(19)EW
access-group mode through session module

Table Of Contents

Cisco IOS Commands for the Catalyst 4500 Series Switches

access-group mode

action

apply

arp access-list

attach module

auto qos voip

auto-sync

channel-group

channel-protocol

class-map

clear counters

clear interface gigabitethernet

clear interface vlan

clear ip access-template

clear ip arp inspection log

clear ip arp inspection statistics

clear ip dhcp snooping database

clear ip dhcp snooping database statistics

clear ip igmp group

clear ip mfib counters

clear ip mfib fastdrop

clear lacp counters

clear mac-address-table dynamic

clear pagp

clear qos

clear vlan counters

clear vmps statistics

debug adjacency

debug backup

debug condition interface

debug condition standby

debug condition vlan

debug dot1x

debug etherchnl

debug interface

debug ipc

debug ip dhcp snooping event

debug ip dhcp snooping packet

debug ip verify source packet

debug lacp

debug monitor

debug nvram

debug pagp

debug platform packet protocol lacp

debug platform packet protocol pagp

debug pm

debug psecure

debug redundancy

debug smf updates

debug spanning-tree

debug spanning-tree backbonefast

debug spanning-tree switch

debug spanning-tree uplinkfast

debug sw-vlan

debug sw-vlan ifs

debug sw-vlan notification

debug sw-vlan vtp

debug udld

debug vqpc

define interface-range

deny

dot1x guest-vlan

dot1x initialize

dot1x max-reauth-req

dot1x max-req

dot1x multiple-hosts

dot1x port-control

dot1x re-authenticate

dot1x re-authentication

dot1x system-auth-control

dot1x timeout

duplex

errdisable detect

errdisable recovery

flowcontrol

hw-module reset

instance

interface port-channel

interface range

interface vlan

ip arp inspection filter vlan

ip arp inspection limit (interface)

ip arp inspection log-buffer

ip arp inspection trust

ip arp inspection validate

ip arp inspection vlan

ip arp inspection vlan logging

ip cef load-sharing algorithm

ip dhcp snooping

ip dhcp snooping binding

ip dhcp snooping database

ip dhcp snooping information option

ip dhcp snooping limit rate

ip dhcp snooping trust

ip dhcp snooping vlan

ip igmp filter

ip igmp max-groups

ip igmp profile

ip igmp query-interval

ip igmp snooping

ip igmp snooping report-suppression

ip igmp snooping vlan

ip igmp snooping vlan immediate-leave

ip igmp snooping vlan mrouter

ip igmp snooping vlan static

ip local-proxy-arp

ip mfib fastdrop

ip route-cache flow

ip source binding

ip sticky-arp

ip verify source vlan dhcp-snooping

lacp port-priority

lacp system-priority

mac access-list extended

mac-address-table aging-time

mac-address-table static

main-cpu

match

monitor session

mtu

name

pagp learn-method

pagp port-priority

permit

policy-map

port-channel load-balance

power

power inline

power inline allocation default

power redundancy-mode

power supplies required

private-vlan

private-vlan mapping

private-vlan synchronize

qos (global configuration mode)

qos (interface configuration mode)

qos account layer2 encapsulation

qos aggregate-policer

qos cos

qos dbl

qos dscp

qos map cos

qos map dscp

qos map dscp policed

qos trust

qos vlan-based

redundancy

redundancy force-switchover

redundancy reload

remote login module

renew ip dhcp snooping database

reset

revision

service-policy

session module


Cisco IOS Commands for the Catalyst 4500 Series Switches


This chapter contains an alphabetical listing of Cisco IOS commands for the Catalyst 4500 series switches. For information about Cisco IOS commands that are not included in this publication, refer to Cisco IOS Release 12.1 Configuration Guides and Command References at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_product_indices_list.html

access-group mode

To specify override modes (for example, VACL overrides PACL) and non-override modes (for example, merge or strict mode), use the access-group mode command. Use the no form of this command to return to prefer port mode.

access-group mode {prefer {port | vlan} | merge}

no access-group mode {prefer {port | vlan} | merge}

Syntax Description

prefer port

Specifies that PACL mode takes precedence provided there are PACLs configured. If no PACL features are configured on the port, other features applicable to the interface are merged and applied on the interface.

prefer vlan

Specifies that VLAN-based ACL mode takes precedence. If there are no VLAN-based ACL features configured on the port's VLAN, the PACL features on the port are applied.

merge

Merges applicable ACL features before they are programmed into the hardware.


Defaults

PACL override mode

Command Modes

Interface configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

On the Layer 2 interface, three modes are supported: prefer port, prefer VLAN, and merge. A Layer 2 interface can have one IP ACL applied in either direction (one inbound and one outbound).

Examples

This example shows how to make the PACL mode on the switch take effect:

Switch(config-if)# access-group mode prefer port
Switch(config-if)# 

This example shows how to merge applicable ACL features:

Switch(config-if)# access-group mode merge
Switch(config-if)# 

Related Commands

show access-group mode interface
show ip interface (refer to Cisco IOS documentation)
show mac access-group interface

action

To specify an action to be taken when a match occurs in a VACL, use the action command. To remove an action clause, use the no form of this command.

action {drop | forward}

no action {drop | forward}

Syntax Description

drop

Sets the action to drop packets.

forward

Sets the action to forward packets to their destination.


Defaults

This command has no default settings.

Command Modes

VLAN access-map

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

In a VLAN access map, if at least one ACL is configured for a packet type (IP or MAC), the default action for the packet type is drop (deny).

If an ACL is not configured for a packet type, the default action for the packet type is forward (permit).

If an ACL for a packet type is configured and the ACL is empty or undefined, the configured action will be applied to the packet type.
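
The three default-action rules above can be checked mechanically. The following Python is an added example, not Cisco code: it parses a constructed configuration and reports, for each VLAN access map, the implicit action per packet type and every clause whose ACL is empty or undefined. The map and ACL names are made up, the `match ip address` / `match mac address` clause forms are assumed from standard IOS VACL syntax rather than taken from this section, and only named ACLs are handled.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not captured from a device).
SAMPLE_CONFIG = """\
ip access-list extended WEB-ONLY
 permit tcp any any eq 80
ip access-list extended EMPTY-ACL
!
vlan access-map EDGE-FILTER 10
 match ip address WEB-ONLY
 action forward
vlan access-map EDGE-FILTER 20
 match ip address EMPTY-ACL
 action forward
vlan access-map EDGE-FILTER 30
 match ip address MISSING-ACL
 action drop
vlan access-map MAC-ONLY 10
 match mac address PRINTERS
 action forward
mac access-list extended PRINTERS
 permit host 0000.0c12.3456 any
"""

ACL_RE = re.compile(r"^(ip|mac) access-list extended (\S+)$")
MAP_RE = re.compile(r"^vlan access-map (\S+) (\d+)$")
MATCH_RE = re.compile(r"^match (ip|mac) address (.+)$")
ACTION_RE = re.compile(r"^action (drop|forward)$")


def parse(config):
    """Return (acl_entries, maps).

    acl_entries: {(packet_type, acl_name): number of permit/deny lines}
    maps:        {map_name: [clause, ...]} in configuration order
    """
    acl_entries, maps = {}, defaultdict(list)
    acl = clause = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):           # top-level command: new context
            acl = clause = None
            m = ACL_RE.match(line)
            if m:
                acl = (m.group(1), m.group(2))
                acl_entries[acl] = 0
                continue
            m = MAP_RE.match(line)
            if m:
                clause = {"seq": int(m.group(2)), "matches": [], "action": None}
                maps[m.group(1)].append(clause)
            continue
        if acl is not None and line.split()[0] in ("permit", "deny"):
            acl_entries[acl] += 1
        elif clause is not None:
            m = MATCH_RE.match(line)
            if m:                             # one clause may list several ACLs
                clause["matches"] += [(m.group(1), n) for n in m.group(2).split()]
            m = ACTION_RE.match(line)
            if m:
                clause["action"] = m.group(1)
    return acl_entries, dict(maps)


def audit(config):
    """Apply the usage-guideline rules to every VLAN access map."""
    acl_entries, maps = parse(config)
    report = {}
    for name, clauses in maps.items():
        # Rules 1 and 2: a packet type with at least one ACL configured
        # defaults to drop; a packet type with none defaults to forward.
        configured = {ptype for c in clauses for ptype, _ in c["matches"]}
        default = {p: "drop" if p in configured else "forward" for p in ("ip", "mac")}
        # Rule 3, as read here: a clause whose ACL is empty or undefined
        # applies its action to every packet of that type.
        blanket = []
        for c in clauses:
            for ptype, acl_name in c["matches"]:
                if acl_entries.get((ptype, acl_name), 0) == 0:
                    state = "empty" if (ptype, acl_name) in acl_entries else "undefined"
                    blanket.append((c["seq"], ptype, acl_name, state, c["action"]))
        report[name] = {"default": default, "blanket": blanket}
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(name, "implicit action per packet type:", result["default"])
        for seq, ptype, acl_name, state, action in result["blanket"]:
            print(f"  clause {seq}: {ptype} ACL {acl_name} is {state}; "
                  f"'{action}' applies to all {ptype} packets")
```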

Examples

This example shows how to define a drop action:

Switch(config-access-map)# action drop 
Switch(config-access-map)# 

This example shows how to define a forward action:

Switch(config-access-map)# action forward 
Switch(config-access-map)# 

Related Commands

match
show vlan access-map
vlan access-map

apply

To implement a new VLAN database, increment the configuration number, save the configuration number in NVRAM, and propagate the configuration number throughout the administrative domain, use the apply command.

apply

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

VLAN configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The apply command implements the configuration changes you made after you entered VLAN database mode and uses them for the running configuration. This command keeps you in VLAN database mode.

You cannot use this command when the switch is in the VTP client mode.

You can verify that VLAN database changes occurred by entering the show vlan command from privileged EXEC mode.

Examples

This example shows how to implement the proposed new VLAN database and to recognize it as the current database:

Switch(config-vlan)# apply
Switch(config-vlan)# 

Related Commands

abort (refer to Cisco IOS documentation)
exit (refer to Cisco IOS documentation)
reset
show vlan
shutdown vlan (refer to Cisco IOS documentation)
vtp (global configuration mode)

arp access-list

To define an ARP access list or add clauses at the end of a predefined list, use the arp access-list command.

arp access-list name

Syntax Description

name

Specifies the access control list name.


Defaults

None

Command Modes

Configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

The following example shows how to define an ARP access list named static-hosts:

Switch(config)# arp access-list static-hosts
Switch(config)# 

Related Commands

deny
ip arp inspection filter vlan
permit

attach module

To remotely connect to a specific module, use the attach module configuration command.

attach module mod

Syntax Description

mod

Target module for the command.


Defaults

This command has no default settings.

Command Modes

Privileged

Command History

Release
Modification

12.1(19)EW

This command was first introduced.


Usage Guidelines

This command applies only to the Access Gateway Module on Catalyst 4500 series switches.

The valid values for mod depend on the chassis used. For example, if you have a Catalyst 4006 chassis, valid values for the module are from 2 to 6. If you have a 4507R chassis, valid values are from 3 to 7.

When you execute the attach module mod command, the prompt changes to Gateway#.

This command is identical to the session module mod and the remote login module mod commands.

Examples

This example shows how to remotely log in to an Access Gateway Module:

Switch# attach module 5
Attaching console to module 5
Type 'exit' at the remote prompt to end the session

Gateway> 

Related Commands

remote login module
session module

auto qos voip

To automatically configure quality of service (auto-QoS) for voice over IP (VoIP) within a QoS domain, use the auto qos voip interface configuration command. Use the no form of this command to change the auto-QoS configuration settings to the standard QoS defaults.

auto qos voip {cisco-phone | trust}

no auto qos voip {cisco-phone | trust}

Syntax Description

cisco-phone

Connects the interface to a Cisco IP phone and automatically configures QoS for VoIP. The CoS labels of incoming packets are trusted only when the telephone is detected.

trust

Connects the interface to a trusted switch or router and automatically configures QoS for VoIP. The CoS and DSCP labels of incoming packets are trusted.


Defaults

Auto-QoS is disabled on all interfaces.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Use this command to configure the QoS appropriate for VoIP traffic within the QoS domain. The QoS domain includes the switch, the interior of the network, and the edge devices that can classify incoming traffic for QoS.

Use the cisco-phone keyword on ports at the edge of the network that are connected to Cisco IP phones. The switch detects the telephone through the Cisco Discovery Protocol (CDP) and trusts the CoS labels in packets received from the telephone.

Use the trust keyword on ports connected to the interior of the network. Because it is assumed that traffic has already been classified by other edge devices, the CoS/DSCP labels in these packets are trusted.

When you enable the auto-QoS feature on the specified interface, these actions automatically occur:

QoS is globally enabled (qos global configuration command).

DBL is enabled globally (qos dbl global configuration command).

When you enter the auto qos voip cisco-phone interface configuration command, the trusted boundary feature is enabled. It uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP phone. When a Cisco IP phone is detected, the ingress classification on the specific interface is set to trust the CoS label received in the packet because some old phones do not mark DSCP. When a Cisco IP phone is absent, the ingress classification is set to not trust the CoS label in the packet.

When you enter the auto qos voip trust interface configuration command, the ingress classification on the specified interface is set to trust the CoS label received in the packet if the specified interface is configured as Layer 2 (and is set to trust DSCP if the interface is configured as Layer 3).

You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports.

To display the QoS configuration that is automatically generated when auto-QoS is enabled, enable debugging before you enable auto-QoS. Use the debug auto qos privileged EXEC command to enable auto-QoS debugging.

To disable auto-QoS on an interface, use the no auto qos voip interface configuration command. When you enter this command, the switch enables standard QoS and changes the auto-QoS settings to the standard QoS default settings for that interface. This action will not change any global configuration performed by auto-QoS; the global configuration remains the same.

Examples

This example shows how to enable auto-QoS and to trust the CoS and DSCP labels received in incoming packets when the switch or router connected to Gigabit Ethernet interface 1/1 is a trusted device:

Switch(config)# interface gigabitethernet1/1
Switch(config-if)# auto qos voip trust

This example shows how to enable auto-QoS and to trust the CoS labels received in incoming packets when the device connected to Fast Ethernet interface 2/1 is detected as a Cisco IP phone:

Switch(config)# interface fastethernet2/1
Switch(config-if)# auto qos voip cisco-phone

This example shows how to display the QoS configuration that is automatically generated when auto-QoS is enabled:

Switch# debug auto qos
AutoQoS debugging is on
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# auto qos voip trust
Switch(config-if)#
00:00:56:qos
00:00:57:qos map cos 3 to dscp 26
00:00:57:qos map cos 5 to dscp 46
00:00:58:qos map dscp 32 to tx-queue 1
00:00:58:qos dbl
00:01:00:policy-map autoqos-voip-policy
00:01:00:  class class-default
00:01:00:   dbl
00:01:00:interface GigabitEthernet1/1
00:01:00: qos trust cos
00:01:00: tx-queue 3
00:01:00:  priority high
00:01:00:  shape percent 33
00:01:00:  service-policy output autoqos-voip-policy
Switch(config-if)# interface gigabitethernet1/1
Switch(config-if)# auto qos voip cisco-phone
Switch(config-if)#
00:00:55:qos
00:00:56:qos map cos 3 to dscp 26
00:00:57:qos map cos 5 to dscp 46
00:00:58:qos map dscp 32 to tx-queue 1
00:00:58:qos dbl
00:00:59:policy-map autoqos-voip-policy
00:00:59:  class class-default
00:00:59:   dbl
00:00:59:interface GigabitEthernet1/1
00:00:59: qos trust device cisco-phone
00:00:59: qos trust cos
00:00:59: tx-queue 3
00:00:59:  priority high
00:00:59:  shape percent 33
00:00:59:  bandwidth percent 33
00:00:59:  service-policy output autoqos-voip-policy

You can verify your settings by entering the show auto qos interface command.
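
The usage guidelines place unconditional trust (the trust keyword) on interior ports and CDP-gated trust (the cisco-phone keyword) on edge ports. The following Python is an added example, not Cisco code: it scans a constructed running-config fragment and lists edge ports that trust CoS or DSCP labels without the `qos trust device cisco-phone` gate shown in the debug output above. Treating `switchport mode access` as the marker for an edge port is an assumption of this example, and the interface names are made up.

```python
import re

# Constructed running-config fragment (not captured from a device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode trunk
 auto qos voip trust
 qos trust cos
!
interface FastEthernet2/1
 switchport mode access
 auto qos voip cisco-phone
 qos trust device cisco-phone
 qos trust cos
!
interface FastEthernet2/2
 switchport mode access
 auto qos voip trust
 qos trust cos
!
interface FastEthernet2/3
 switchport mode access
 qos trust dscp
!
interface FastEthernet2/4
 switchport mode access
"""

# Lines that make the port accept the labels carried in incoming packets.
TRUST_RE = re.compile(r"^(auto qos voip trust|qos trust (?:cos|dscp))$")
# Line that makes that trust conditional on CDP detecting a Cisco IP phone.
PHONE_GATE = "qos trust device cisco-phone"


def interface_stanzas(config):
    """Map each interface name to the list of its stripped sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return stanzas


def unconditional_trust(config, edge_marker="switchport mode access"):
    """Return [(interface, [trusting lines])] for edge ports with ungated trust.

    edge_marker is this example's assumption about what identifies an edge
    port; adjust it to the site's own convention.
    """
    findings = []
    for name, lines in interface_stanzas(config).items():
        if edge_marker not in lines:
            continue  # interior port: unconditional trust is the documented use
        trusting = [line for line in lines if TRUST_RE.match(line)]
        if trusting and PHONE_GATE not in lines:
            findings.append((name, trusting))
    return findings


if __name__ == "__main__":
    for name, lines in unconditional_trust(SAMPLE_CONFIG):
        print(f"{name}: trusts incoming labels without phone detection: {lines}")
```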

Related Commands

debug auto qos (refer to Cisco IOS documentation)
qos map cos
qos trust
show auto qos
show qos
show qos interface
show qos maps

auto-sync

To enable automatic synchronization of the configuration files in NVRAM, use the auto-sync command. To disable automatic synchronization, use the no form of this command.

auto-sync {startup-config | config-register | bootvar | standard}

no auto-sync {startup-config | config-register | bootvar | standard}

Syntax Description

startup-config

Specifies automatic synchronization of the startup configuration.

config-register

Specifies automatic synchronization of the configuration register configuration.

bootvar

Specifies automatic synchronization of the BOOTVAR configuration.

standard

Specifies automatic synchronization of the startup configuration, BOOTVAR, and configuration registers.


Defaults

Standard automatic synchronization of all configuration files

Command Modes

Redundancy main-cpu

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch (Catalyst 4507R only).


Usage Guidelines

If you enter the no auto-sync standard command, no automatic synchronizations occur.

Examples

This example shows how (from the default configuration) to enable automatic synchronization of the configuration register in the main CPU:

Switch# configure terminal
Switch(config)# redundancy
Switch(config-r)# main-cpu
Switch(config-r-mc)# no auto-sync standard
Switch(config-r-mc)# auto-sync config-register
Switch(config-r-mc)# 

Related Commands

redundancy

channel-group

To assign and configure an EtherChannel interface to an EtherChannel group, use the channel-group command. To remove a channel group configuration from an interface, use the no form of this command.

channel-group number mode {active | on | auto [non-silent]} | {passive | desirable [non-silent]}

no channel-group

Syntax Description

number

Specifies the channel group number; valid values are from 1 to 64.

mode

Specifies the EtherChannel mode of the interface.

on

Forces the port to channel without PAgP.

active

Enables LACP unconditionally.

auto

Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not initiate PAgP packet negotiation.

non-silent

(Optional) Used with the auto or desirable mode when traffic is expected from the other device.

passive

Enables LACP only if an LACP device is detected.

desirable

Places a port into an active negotiating state, in which the port initiates negotiations with other ports by sending PAgP packets.


Defaults

No channel-groups are assigned.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(13)EW

Support for LACP was added.


Usage Guidelines

You do not have to create a port channel interface before assigning a physical interface to a channel group. If a port channel interface has not been created, it is automatically created when the first physical interface for the channel group is created.

If a specific channel number is used for the PAgP-enabled interfaces of a channel group, that same channel number cannot be used for configuring a channel that has LACP-enabled interfaces or vice versa.

You can also create port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.

You do not have to disable the IP address that is assigned to a physical interface that is part of a channel group, but we recommend that you do so.

Any configuration or attribute changes you make to the port-channel interface are propagated to all interfaces within the same channel group as the port channel (for example, configuration changes are also propagated to the physical interfaces that are not part of the port channel, but are part of the channel group).

You can create a usable EtherChannel by connecting two port groups, in on mode, together.


Caution: Do not enable Layer 3 addresses on the physical EtherChannel interfaces. Do not assign bridge groups on the physical EtherChannel interfaces because it creates loops.

Examples

This example shows how to add Gigabit Ethernet interface 1/1 to the EtherChannel group specified by port channel 45:

Switch(config-if)# channel-group 45 mode on 
Creating a port-channel interface Port-channel45
Switch(config-if)# 

Related Commands

interface port-channel
show interfaces port-channel (refer to Cisco IOS documentation)

channel-protocol

To enable LACP or PAgP on an interface, use the channel-protocol command. To disable the protocols, use the no form of this command.

channel-protocol {lacp | pagp}

no channel-protocol {lacp | pagp}

Syntax Description

lacp

Enables LACP to manage channeling.

pagp

Enables PAgP to manage channeling.


Defaults

PAgP

Command Modes

Interface configuration

Command History

Release
Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.


Usage Guidelines

This command is not supported on systems configured with a Supervisor Engine 1.

You can also select the protocol using the channel-group command.

If the interface belongs to a channel, the no form of this command is rejected.

All ports in an EtherChannel must use the same protocol; you cannot run two protocols on one module.

PAgP and LACP are not compatible; both ends of a channel must use the same protocol.

You can manually configure a switch with PAgP on one side and LACP on the other side in the on mode.

You can change the protocol at any time, but this change causes all existing EtherChannels to reset to the default channel mode for the new protocol. You can use the channel-protocol command to restrict anyone from selecting a mode that is not applicable to the selected protocol.

Configure all ports in an EtherChannel to operate at the same speed and duplex mode (full duplex only for LACP mode).

For a complete list of guidelines, refer to the "Configuring EtherChannel" section of the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.

Examples

This example shows how to select LACP to manage channeling on the interface:

Switch(config-if)# channel-protocol lacp
Switch(config-if)# 

Related Commands

channel-group
show etherchannel

class-map

To access the QoS class map configuration mode to configure QoS class maps, use the class-map command. To delete a class map, use the no form of this command.

class-map [match-all | match-any] name

no class-map [match-all | match-any] name

Syntax Description

match-all

(Optional) Specifies that all match criteria in the class map must be matched.

match-any

(Optional) Specifies that one or more match criteria must match.

name

Name of the class map.


Defaults

Match all criteria.

Command Modes

Global configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The variables name and acl_name are case sensitive.

Use the class-map command and its subcommands on individual interfaces to define packet classification, marking, aggregate, and flow policing as part of a globally named service policy.

These commands are available in QoS class map configuration mode:

exit—Exits you from QoS class map configuration mode.

no—Removes a match statement from a class map.

match—Configures classification criteria.

These optional subcommands are also available:

access-group {acl_index | name acl_name}

ip {dscp | precedence} value1 value2... value8

any

The following subcommands appear in the CLI help, but they are not supported on LAN interfaces:

input-interface {interface interface_number | null number | vlan vlan_id}

protocol linktype

destination-address mac mac_address

source-address mac mac_address

qos-group

mpls

no

After you have configured the class map name and are in class map configuration mode, you can enter the match subcommands. The syntax for these subcommands is as follows:

match {[access-group {acl_index | name acl_name}] | [ip {dscp | precedence} value1 value2... value8]}

See Table 2-1 for a syntax description of the match subcommands.

Table 2-1 Syntax Description for the match Command

Optional Subcommand
Description

access-group acl_index | acl_name

Specifies the access list index or access list names; valid access list index values are from 1 to 2699.

access-group acl_name

Specifies the named access list.

ip dscp value1 value2 ... value8

Specifies IP DSCP values to match; valid values are from 0 to 63. Enter up to eight DSCP values separated by white spaces.

ip precedence value1 value2 ... value8

Specifies IP precedence values to match; valid values are from 0 to 7. Enter up to eight precedence values separated by white spaces.


Examples

This example shows how to access the class-map commands and subcommands and to configure a class map named ipp5 and enter a match statement for ip precedence 5:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# class-map ipp5
Switch(config-cmap)# match ip precedence 5
Switch(config-cmap)# 

This example shows how to configure the class map to match an already configured access list:

Switch(config-cmap)# match access-group IPacl1
Switch(config-cmap)# 

Related Commands

policy-map
service-policy
show class-map
show policy-map
show policy-map interface

clear counters

To clear interface counters, use the clear counters command.

clear counters [{FastEthernet interface_number} | {GigabitEthernet interface_number} | {null interface_number} | {port-channel number} | {vlan vlan_id}]

Syntax Description

FastEthernet interface_number

(Optional) Specifies the Fast Ethernet interface; valid values are from 1 to 9.

GigabitEthernet interface_number

(Optional) Specifies the Gigabit Ethernet interface; valid values are from 1 to 9.

null interface_number

(Optional) Specifies the null interface; the valid value is 0.

port-channel number

(Optional) Specifies the channel interface; valid values are from 1 to 64.

vlan vlan_id

(Optional) Specifies the VLAN; valid values are from 1 to 4096.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses was added.


Usage Guidelines

This command clears all the current interface counters from all interfaces unless you specify an interface.


Note: This command does not clear counters retrieved using SNMP, but only those seen when you enter the show interface counters command.


Examples

This example shows how to clear all interface counters:

Switch# clear counters
Clear "show interface" counters on all interfaces [confirm] y
Switch# 

This example shows how to clear counters on a specific interface:

Switch# clear counters vlan 200
Clear "show interface" counters on this interface [confirm]y
Switch# 

Related Commands

show interface counters (refer to Cisco IOS documentation)

clear interface gigabitethernet

To clear the hardware logic from a Gigabit Ethernet IEEE 802.3z interface, use the clear interface gigabitethernet command.

clear interface gigabitethernet slot/port

Syntax Description

slot/port

Number of the slot and port.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to clear the hardware logic from a Gigabit Ethernet IEEE 802.3z interface:

Switch# clear interface gigabitethernet 1/1
Switch# 

Related Commands

show interfaces status

clear interface vlan

To clear the hardware logic from a VLAN, use the clear interface vlan command.

clear interface vlan number

Syntax Description

number

Number of the VLAN interface; valid values are from 1 to 4094.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses was added.


Examples

This example shows how to clear the hardware logic from a specific VLAN:

Switch# clear interface vlan 5
Switch# 

Related Commands

show interfaces status

clear ip access-template

To clear statistical information in access lists, use the clear ip access-template command.

clear ip access-template access-list

Syntax Description

access-list

Number of the access list; valid values are from 100 to 199 for an IP extended access list, and from 2000 to 2699 for an expanded range IP extended access list.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to clear statistical information for an access list:

Switch# clear ip access-template 201
Switch# 

clear ip arp inspection log

To clear the status of the log buffer, use the clear ip arp inspection log command.

clear ip arp inspection log

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to clear the contents of the log buffer:

Switch# clear ip arp inspection log
Switch# 

Related Commands

arp access-list
show ip arp inspection log

clear ip arp inspection statistics

To clear the dynamic ARP inspection statistics, use the clear ip arp inspection statistics command.

clear ip arp inspection statistics [vlan vlan-range]

Syntax Description

vlan vlan-range

(Optional) Specifies the VLAN range.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to clear the DAI statistics from VLAN 1:

Switch# clear ip arp inspection statistics vlan 1
Switch# show ip arp inspection statistics vlan 1

 Vlan      Forwarded        Dropped     DHCP Drops     ACL Drops 
 ----      ---------        -------     ----------     ----------
    1              0              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    1              0              0                    0

 Vlan   Dest MAC Failures   IP Validation Failures
 ----   -----------------   ----------------------
    1                  0                        0
Switch#

Related Commands

arp access-list
clear ip arp inspection log
show ip arp inspection

clear ip dhcp snooping database

To clear the DHCP binding database, use the clear ip dhcp snooping database command.

clear ip dhcp snooping database

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to clear the DHCP binding database:

Switch# clear ip dhcp snooping database
Switch# 

Related Commands

ip dhcp snooping
ip dhcp snooping binding interface (refer to Cisco IOS documentation)
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping binding

clear ip dhcp snooping database statistics

To clear DHCP binding database statistics, use the clear ip dhcp snooping database statistics command.

clear ip dhcp snooping database statistics

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to clear the DHCP binding database statistics:

Switch# clear ip dhcp snooping database statistics
Switch# 

Related Commands

ip dhcp snooping
ip dhcp snooping binding
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping binding

clear ip igmp group

To delete IGMP group cache entries, use the clear ip igmp group command.

clear ip igmp group [{fastethernet slot/port} | {GigabitEthernet slot/port} | {host_name | group_address} {Loopback interface_number} | {null interface_number} | {port-channel number} | {vlan vlan_id}]

Syntax Description

fastethernet

(Optional) Specifies the Fast Ethernet interface.

slot/port

(Optional) Number of the slot and port.

GigabitEthernet

(Optional) Specifies the Gigabit Ethernet interface.

host_name

(Optional) Hostname, as defined in the DNS hosts table or with the ip host command.

group_address

(Optional) Address of the multicast group in four-part, dotted notation.

Loopback interface_number

(Optional) Specifies the loopback interface; valid values are from 0 to 2,147,483,647.

null interface_number

(Optional) Specifies the null interface; the valid value is 0.

port-channel number

(Optional) Specifies the channel interface; valid values are from 1 to 64.

vlan vlan_id

(Optional) Specifies the VLAN; valid values are from 1 to 4094.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The IGMP cache contains a list of the multicast groups of which hosts on the directly connected LAN are members.

To delete all entries from the IGMP cache, enter the clear ip igmp group command with no arguments.

Examples

This example shows how to clear entries for a specific group from the IGMP cache:

Switch# clear ip igmp group 224.0.255.1
Switch# 

This example shows how to clear IGMP group cache entries from a specific interface:

Switch# clear ip igmp group gigabitethernet 2/2
Switch# 

Related Commands

ip host (refer to Cisco IOS documentation)
show ip igmp groups (refer to Cisco IOS documentation)
show ip igmp interface

clear ip mfib counters

To clear global MFIB counters and counters for all active MFIB routes, use the clear ip mfib counters command.

clear ip mfib counters

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to clear all the active MFIB routes and global counters:

Switch# clear ip mfib counters
Switch# 

Related Commands

show ip mfib

clear ip mfib fastdrop

To clear all MFIB fast drop entries, use the clear ip mfib fastdrop command.

clear ip mfib fastdrop

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

If new fast-dropped packets arrive, new fast drop entries are created.

Examples

This example shows how to clear all fast drop entries:

Switch# clear ip mfib fastdrop
Switch# 

Related Commands

ip mfib fastdrop
show ip mfib fastdrop

clear lacp counters

To clear statistics for all interfaces belonging to a specific channel group, use the clear lacp counters command.

clear lacp [channel-group] counters

Syntax Description

channel-group

(Optional) Channel group number; valid values are from 1 to 64.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC mode

Command History

Release
Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.


Usage Guidelines

This command is not supported on systems configured with a Supervisor Engine 1.

If you do not specify a channel-group, all channel groups are cleared.

If you enter this command for a channel group that contains members in PAgP mode, the command is ignored.

Examples

This example shows how to clear the statistics for a specific group:

Switch# clear lacp 1 counters
Switch# 

Related Commands

show lacp

clear mac-address-table dynamic

To clear dynamic address entries from the Layer 2 MAC address table, use the clear mac-address-table dynamic command.

clear mac-address-table dynamic [{address mac_addr} | {interface interface}] [vlan vlan_id]

Syntax Description

address mac_addr

(Optional) Specifies the MAC address.

interface interface

(Optional) Specifies the interface and clears the entries associated with it; valid values are FastEthernet and GigabitEthernet.

vlan vlan_id

(Optional) Specifies the VLANs; valid values are from 1 to 4094.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses added.


Usage Guidelines

Enter the clear mac-address-table dynamic command with no arguments to remove all dynamic entries from the table.

Examples

This example shows how to clear all dynamic Layer 2 entries for a specific interface (gi1/1):

Switch# clear mac-address-table dynamic interface gi1/1
Switch# 

Related Commands

mac-address-table aging-time
main-cpu
show mac-address-table address

clear pagp

To clear port channel information, use the clear pagp command.

clear pagp {group-number | counters}

Syntax Description

group-number

Channel group number; valid values are from 1 to 64.

counters

Clears traffic filters.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to clear port channel information for a specific group:

Switch# clear pagp 32
Switch# 

This example shows how to clear all port channel traffic filters:

Switch# clear pagp counters
Switch# 

Related Commands

show pagp

clear qos

To clear global and per-interface aggregate QoS counters, use the clear qos command.

clear qos [aggregate-policer [name] | interface {{fastethernet | GigabitEthernet} {slot/interface}} | vlan {vlan_num} | port-channel {number}]

Syntax Description

aggregate-policer name

(Optional) Specifies an aggregate policer.

interface

(Optional) Specifies an interface.

fastethernet

(Optional) Specifies the Fast Ethernet 802.3 interface.

GigabitEthernet

(Optional) Specifies the Gigabit Ethernet 802.3z interface.

slot/interface

(Optional) Number of the slot and interface.

vlan vlan_num

(Optional) Specifies a VLAN.

port-channel number

(Optional) Specifies the channel interface; valid values are from 1 to 64.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines


Note: Entering the clear qos command affects the way the counters work and could cause traffic that would normally be restricted to be forwarded for a short period of time.


The clear qos command resets the interface QoS policy counters. If no interface is specified, the clear qos command resets the QoS policy counters for all interfaces.

Examples

This example shows how to clear global and per-interface aggregate QoS counters for all protocols:

Switch# clear qos
Switch# 

This example shows how to clear specific protocol aggregate QoS counters for all interfaces:

Switch# clear qos aggregate-policer 
Switch# 

Related Commands

show qos

clear vlan counters

To reset the software-cached counter values to zero for a specified VLAN or for all existing VLANs, use the clear vlan counters command.

clear vlan [vlan-id] counters

Syntax Description

vlan-id

(Optional) VLAN number; see "Usage Guidelines" for valid values.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.


Usage Guidelines

If you do not specify a vlan-id, the software-cached counter values for all existing VLANs are cleared.

Examples

Switch# clear vlan 10 counters
Clear "show vlan" counters on this vlan [confirm]y
Switch# 

Related Commands

show vlan counters

clear vmps statistics

To clear VMPS statistics, use the clear vmps statistics command.

clear vmps statistics

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.


Examples

This example shows how to clear VMPS statistics:

Switch# clear vmps statistics
Switch# 

Related Commands

vmps reconfirm (privileged EXEC)
show vmps

debug adjacency

To display adjacency debugging information, use the debug adjacency command. To disable debugging output, use the no form of this command.

debug adjacency [ipc]

no debug adjacency

Syntax Description

ipc

(Optional) Displays IPC entries in the adjacency database.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to display information in the adjacency database:

Switch# debug adjacency
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
4d02h: ADJ: add 172.20.52.36 (GigabitEthernet1/1) via ARP will expire: 04:00:00
<... output truncated...>
Switch# 

Related Commands

undebug adjacency (same as no debug adjacency)

debug backup

To debug backup events, use the debug backup command. To disable debugging output, use the no form of this command.

debug backup

no debug backup

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to debug backup events:

Switch# debug backup
Backup events debugging is on
Switch# 

Related Commands

undebug backup (same as no debug backup)

debug condition interface

To limit debugging output of interface-related activities, use the debug condition interface command. To disable debugging output, use the no form of this command.

debug condition interface {fastethernet slot/port | GigabitEthernet slot/port | null interface_num | port-channel interface-num | vlan vlan_id}

no debug condition interface {fastethernet slot/port | GigabitEthernet slot/port | null interface_num | port-channel interface-num | vlan vlan_id}

Syntax Description

fastethernet

Limits debugging to Fast Ethernet interfaces.

slot/port

Number of the slot and port.

GigabitEthernet

Limits debugging to Gigabit Ethernet interfaces.

null interface-num

Limits debugging to null interfaces; the valid value is 0.

port-channel interface-num

Limits debugging to port-channel interfaces; valid values are from 1 to 64.

vlan vlan_id

Specifies the VLAN interface number; valid values are from 1 to 4094.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses added.


Examples

This example shows how to limit debugging output to VLAN interface 1:

Switch# debug condition interface vlan 1
Condition 2 set
Switch# 

Related Commands

debug interface
undebug condition interface (same as no debug condition interface)

debug condition standby

To limit debugging output for standby state changes, use the debug condition standby command. To disable debugging output, use the no form of this command.

debug condition standby {fastethernet slot/port | GigabitEthernet slot/port | port-channel interface-num | vlan vlan_id group-number}

no debug condition standby {fastethernet slot/port | GigabitEthernet slot/port | port-channel interface-num | vlan vlan_id group-number}

Syntax Description

fastethernet

Limits debugging to Fast Ethernet interfaces.

slot/port

Number of the slot and port.

GigabitEthernet

Limits debugging to Gigabit Ethernet interfaces.

port-channel interface_num

Limits debugging output to port-channel interfaces; valid values are from 1 to 64.

vlan vlan_id

Limits debugging of a condition on a VLAN interface; valid values are from 1 to 4094.

group-number

VLAN group number; valid values are from 0 to 255.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses added.


Usage Guidelines

If you attempt to remove the only condition set, you will be prompted with a message asking if you want to abort the removal operation. You can enter n to abort the removal or y to proceed with the removal. If you remove the only condition set, it could cause an excessive number of debugging messages.

Examples

This example shows how to limit the debugging output to group 0 in VLAN 1:

Switch# debug condition standby vlan 1 0
Condition 3 set
Switch# 

This example shows the display if you try to turn off the last standby debug condition:

Switch# no debug condition standby vlan 1 0
This condition is the last standby condition set.
Removing all conditions may cause a flood of debugging
messages to result, unless specific debugging flags
are first removed.

Proceed with removal? [yes/no]: n
% Operation aborted     
Switch#           

Related Commands

undebug condition standby (same as no debug condition standby)

debug condition vlan

To limit VLAN debugging output for a specific VLAN, use the debug condition vlan command. To disable debugging output, use the no form of this command.

debug condition vlan {vlan_id}

no debug condition vlan {vlan_id}

Syntax Description

vlan_id

Number of the VLAN; valid values are from 1 to 4096.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses added.


Usage Guidelines

If you attempt to remove the only VLAN condition set, you will be prompted with a message asking if you want to abort the removal operation. You can enter n to abort the removal or y to proceed with the removal. If you remove the only condition set, it could result in the display of an excessive number of messages.

Examples

This example shows how to limit debugging output to VLAN 1:

Switch# debug condition vlan 1
Condition 4 set
Switch# 

This example shows the message that is displayed when you attempt to disable the last VLAN debug condition:

Switch# no debug condition vlan 1
This condition is the last vlan condition set.
Removing all conditions may cause a flood of debugging
messages to result, unless specific debugging flags
are first removed.

Proceed with removal? [yes/no]: n
% Operation aborted     
Switch# 

Related Commands

undebug condition vlan (same as no debug condition vlan)
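
The usage guidelines for debug condition standby and debug condition vlan both warn that removing the last condition while debugging flags are still enabled can flood the console. The following Python check is an added example, not Cisco code: it walks a planned command sequence and reports the step where that would happen. The function names and the sample plan are constructed for illustration; it assumes conditions are matched by their exact argument text (no abbreviation expansion) and that undebug all clears debugging flags only.

```python
CONDITION_KINDS = ("interface", "standby", "vlan")


def _words(line):
    """Lower-case tokens of one command, minus a pasted 'Switch#' prompt."""
    words = line.strip().lower().split()
    if words and words[0].endswith("#"):
        words = words[1:]
    return words


def lint_debug_plan(commands):
    """Return [(step_number, message)] for risky steps in a debug runbook.

    Tracks conditions per kind (interface, standby, vlan) and the set of
    enabled debug flags, then reports any step that removes the last
    condition of a kind while at least one debug flag is still on.
    """
    conditions = {kind: set() for kind in CONDITION_KINDS}
    flags = set()  # enabled debug flags, e.g. ("dot1x", "events")
    findings = []

    for number, line in enumerate(commands, start=1):
        words = _words(line)
        negated = False
        if len(words) > 1 and words[0] == "no":
            negated, words = True, words[1:]
        elif words and words[0] == "undebug":
            # "undebug X" is documented as the same as "no debug X".
            negated, words = True, ["debug"] + words[1:]
        if len(words) < 2 or words[0] != "debug":
            continue
        args = words[1:]

        # "debug interface ..." abbreviates "debug condition interface ...".
        if args[0] == "interface":
            args = ["condition"] + args

        if args[0] == "condition":
            if len(args) < 3 or args[1] not in conditions:
                findings.append((number, "unrecognised condition: " + " ".join(args)))
                continue
            kind, target = args[1], " ".join(args[2:])
            active = conditions[kind]
            if not negated:
                active.add(target)
            elif target not in active:
                findings.append((number, f"{kind} condition '{target}' was never set"))
            else:
                if len(active) == 1 and flags:
                    names = ", ".join(sorted(" ".join(f) for f in flags))
                    findings.append((
                        number,
                        f"removes the last {kind} condition while debug flags "
                        f"are on ({names}); disable the flags first",
                    ))
                # Model the removal as confirmed so later steps are still checked.
                active.remove(target)
            continue

        flag = tuple(args)
        if not negated:
            flags.add(flag)
        elif flag == ("all",):
            flags.clear()  # assumption: clears flags, leaves conditions alone
        else:
            # "no debug etherchnl" also turns off "etherchnl idb", and so on.
            flags -= {f for f in flags if f[:len(flag)] == flag}
    return findings


# Constructed runbook for illustration; not taken from a real device.
PLAN = [
    "Switch# debug condition vlan 1",
    "Switch# debug dot1x events",
    "Switch# no debug condition vlan 1",            # step 3: flagged
    "Switch# debug interface vlan 1",
    "Switch# debug condition interface gigabitethernet 2/2",
    "Switch# no debug condition interface vlan 1",  # one condition remains
    "Switch# no debug dot1x events",
    "Switch# undebug condition interface gigabitethernet 2/2",  # no flags on
]

if __name__ == "__main__":
    for step, message in lint_debug_plan(PLAN):
        print(f"step {step}: {message}")
```

Reordering the plan so that no debug dot1x events comes before the condition is removed clears the finding, which is the order the switch's own prompt recommends.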

debug dot1x

To enable debugging for the 802.1x feature, use the debug dot1x command. Use the no form of this command to disable debugging output.

debug dot1x {all | errors | events | packets | registry | state-machine}

no debug dot1x {all | errors | events | packets | registry | state-machine}

Syntax Description

all

Enables debugging of all conditions.

errors

Enables debugging of print statements guarded by the dot1x error flag.

events

Enables debugging of print statements guarded by the dot1x events flag.

packets

All incoming dot1x packets are printed with packet and interface information.

registry

Enables debugging of print statements guarded by the dot1x registry flag.

state-machine

Enables debugging of print statements guarded by the dot1x registry flag.


Defaults

Debugging is disabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Related Commands

show dot1x
undebug dot1x (same as no debug dot1x)

debug etherchnl

To debug EtherChannel, use the debug etherchnl command. To disable debugging output, use the no form of this command.

debug etherchnl [all | detail | error | event | idb | linecard]

no debug etherchnl

Syntax Description

all

(Optional) Displays all EtherChannel debug messages.

detail

(Optional) Displays detailed EtherChannel debug messages.

error

(Optional) Displays EtherChannel error messages.

event

(Optional) Debugs major EtherChannel event messages.

idb

(Optional) Debugs PAgP IDB messages.

linecard

(Optional) Debugs SCP messages to the module.


Defaults

The default settings are as follows:

Debug disabled

All messages

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

If you do not specify a keyword, all debug messages are displayed.

Examples

This example shows how to display all EtherChannel debug messages:

Switch# debug etherchnl
PAgP Shim/FEC debugging is on
22:46:30:FEC:returning agport Po15 for port (Fa2/1)
22:46:31:FEC:returning agport Po15 for port (Fa4/14)
22:46:33:FEC:comparing GC values of Fa2/25 Fa2/15 flag = 1 1
22:46:33:FEC:port_attrib:Fa2/25 Fa2/15 same
22:46:33:FEC:EC - attrib incompatable for Fa2/25; duplex of Fa2/25 is half, Fa2/15 is full
22:46:33:FEC:pagp_switch_choose_unique:Fa2/25, port Fa2/15 in agport Po3 is incompatable
Switch# 

This example shows how to display EtherChannel IDB debug messages:

Switch# debug etherchnl idb
Agport idb related debugging is on
Switch# 

This example shows how to disable debugging:

Switch# no debug etherchnl
Switch# 

Related Commands

undebug etherchnl (same as no debug etherchnl)

debug interface

To abbreviate entry of the debug condition interface command, use the debug interface command. To disable debugging output, use the no form of this command.

debug interface {FastEthernet slot/port | GigabitEthernet slot/port | null | port-channel interface-num | vlan vlan_id}

no debug interface {FastEthernet slot/port | GigabitEthernet slot/port | null | port-channel interface-num | vlan vlan_id}

Syntax Description

FastEthernet

Limits debugging to Fast Ethernet interfaces.

slot/port

Number of the slot and port.

GigabitEthernet

Limits debugging to Gigabit Ethernet interfaces.

null

Limits debugging to null interfaces; the only valid value is 0.

port-channel interface-num

Limits debugging to port-channel interfaces; valid values are from 1 to 64.

vlan vlan_id

Specifies the VLAN interface number; valid values are from 1 to 4094.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses added.


Examples

This example shows how to limit debugging to interface VLAN 1:

Switch# debug interface vlan 1
Condition 1 set
Switch# 

Related Commands

debug condition interface
undebug interface (same as no debug interface)

debug ipc

To debug IPC activity, use the debug ipc command. To disable debugging output, use the no form of this command.

debug ipc {all | errors | events | headers | packets | ports | seats}

no debug ipc {all | errors | events | headers | packets | ports | seats}

Syntax Description

all

Enables all IPC debugging.

errors

Enables IPC error debugging.

events

Enables IPC event debugging.

headers

Enables IPC header debugging.

packets

Enables IPC packet debugging.

ports

Enables debugging of the creation and deletion of ports.

seats

Enables debugging of the creation and deletion of nodes.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable debugging of IPC events:

Switch# debug ipc events
Special Events debugging is on
Switch# 

Related Commands

undebug ipc (same as no debug ipc)

debug ip dhcp snooping event

To debug DHCP snooping events, use the debug ip dhcp snooping event command. To disable debugging output, use the no form of this command.

debug ip dhcp snooping event

no debug ip dhcp snooping event

Syntax Description

This command has no arguments or keywords.

Defaults

Debugging of snooping events is disabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable debugging for DHCP snooping events:

Switch# debug ip dhcp snooping event
Switch# 

This example shows how to disable debugging for DHCP snooping events:

Switch# no debug ip dhcp snooping event
Switch# 

Related Commands

debug ip dhcp snooping packet

debug ip dhcp snooping packet

To debug DHCP snooping messages, use the debug ip dhcp snooping packet command. To disable debugging output, use the no form of this command.

debug ip dhcp snooping packet

no debug ip dhcp snooping packet

Syntax Description

This command has no arguments or keywords.

Defaults

Debugging of snooping packets is disabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable debugging for DHCP snooping packets:

Switch# debug ip dhcp snooping packet
Switch# 

This example shows how to disable debugging for DHCP snooping packets:

Switch# no debug ip dhcp snooping packet
Switch# 

Related Commands

debug ip dhcp snooping event

debug ip verify source packet

To debug IP source guard messages, use the debug ip verify source packet command. To disable debugging output, use the no form of this command.

debug ip verify source packet

no debug ip verify source packet

Syntax Description

This command has no arguments or keywords.

Defaults

Debugging of snooping security packets is disabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable debugging for IP source guard:

Switch# debug ip verify source packet
Switch# 

This example shows how to disable debugging for IP source guard:

Switch# no debug ip verify source packet
Switch# 

Related Commands

ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping limit rate
ip dhcp snooping trust
ip verify source vlan dhcp-snooping (refer to Cisco IOS documentation)
show ip dhcp snooping
show ip dhcp snooping binding
show ip verify source (refer to Cisco IOS documentation)

debug lacp

To debug LACP activity, use the debug lacp command. To disable debugging output, use the no form of this command.

debug lacp [all | event | fsm | misc | packet]

no debug lacp

Syntax Description

all

(Optional) Enables all LACP debugging.

event

(Optional) Enables debugging of LACP events.

fsm

(Optional) Enables debugging of the LACP finite state machine.

misc

(Optional) Enables miscellaneous LACP debugging.

packet

(Optional) Enables LACP packet debugging.


Defaults

Debugging of LACP activity is disabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

This command is supported by the supervisor engine only and can be entered only from the switch console.

Examples

This example shows how to enable LACP miscellaneous debugging:

Switch# debug lacp 
Port Aggregation Protocol Miscellaneous debugging is on
Switch#                                                           

Related Commands

undebug pagp (same as no debug pagp)

debug monitor

To display monitoring activity, use the debug monitor command. To disable debugging output, use the no form of this command.

debug monitor {all | errors | idb-update | list | notifications | platform | requests}

no debug monitor {all | errors | idb-update | list | notifications | platform | requests}

Syntax Description

all

Displays all SPAN debugging messages.

errors

Displays SPAN error details.

idb-update

Displays SPAN IDB update traces.

list

Displays SPAN and VLAN list tracing.

notifications

Displays SPAN notifications.

platform

Displays SPAN platform tracing.

requests

Displays SPAN requests.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to debug monitoring errors:

Switch# debug monitor errors
SPAN error detail debugging is on
Switch# 

Related Commands

undebug monitor (same as no debug monitor)

debug nvram

To debug NVRAM activity, use the debug nvram command. To disable debugging output, use the no form of this command.

debug nvram

no debug nvram

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to debug NVRAM:

Switch# debug nvram
NVRAM behavior debugging is on
Switch# 

Related Commands

undebug nvram (same as no debug nvram)

debug pagp

To debug PAgP activity, use the debug pagp command. To disable debugging output, use the no form of this command.

debug pagp [all | event | fsm | misc | packet]

no debug pagp

Syntax Description

all

(Optional) Enables all PAgP debugging.

event

(Optional) Enables debugging of PAgP events.

fsm

(Optional) Enables debugging of the PAgP finite state machine.

misc

(Optional) Enables miscellaneous PAgP debugging.

packet

(Optional) Enables PAgP packet debugging.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

This command is supported by the supervisor engine only and can be entered only from the switch console.

Examples

This example shows how to enable PAgP miscellaneous debugging:

Switch# debug pagp misc
Port Aggregation Protocol Miscellaneous debugging is on
Switch# 
*Sep 30 10:13:03: SP: PAgP: pagp_h(Fa5/6) expired
*Sep 30 10:13:03: SP: PAgP: 135 bytes out Fa5/6
*Sep 30 10:13:03: SP: PAgP: Fa5/6 Transmitting information packet
*Sep 30 10:13:03: SP: PAgP: timer pagp_h(Fa5/6) started with interval 30000
<... output truncated...>
Switch# 

Related Commands

undebug pagp (same as no debug pagp)

debug platform packet protocol lacp

To debug LACP protocol packets, use the debug platform packet protocol lacp command. To disable debugging output, use the no form of this command.

debug platform packet protocol lacp [receive | transmit | vlan]

no debug platform packet protocol lacp [receive | transmit | vlan]

Syntax Description

receive

Enables platform packet reception debugging functions.

transmit

Enables platform packet transmission debugging functions.

vlan

Enables platform packet VLAN debugging functions.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable LACP protocol packet debugging:

Switch# debug platform packet protocol lacp
Switch# 

Related Commands

undebug platform packet protocol lacp (same as no debug platform packet protocol lacp)

debug platform packet protocol pagp

To debug PAgP protocol packets, use the debug platform packet protocol pagp command. To disable debugging output, use the no form of this command.

debug platform packet protocol pagp [receive | transmit | vlan]

no debug platform packet protocol pagp [receive | transmit | vlan]

Syntax Description

receive

Enables platform packet reception debugging functions.

transmit

Enables platform packet transmission debugging functions.

vlan

Enables platform packet VLAN debugging functions.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable PAgP protocol packet debugging:

Switch# debug platform packet protocol pagp
Switch# 

Related Commands

undebug platform packet protocol pagp (same as no debug platform packet protocol pagp)

debug pm

To debug port manager (PM) activity, use the debug pm command. To disable debugging output, use the no form of this command.

debug pm {all | card | cookies | etherchnl | messages | port | registry | scp | sm | span | split | vlan | vp}

no debug pm {all | card | cookies | etherchnl | messages | port | registry | scp | sm | span | split | vlan | vp}

Syntax Description

all

Displays all PM debugging messages.

card

Debugs module-related events.

cookies

Enables internal PM cookie validation.

etherchnl

Debugs EtherChannel-related events.

messages

Debugs PM messages.

port

Debugs port-related events.

registry

Debugs PM registry invocations.

scp

Debugs SCP module messaging.

sm

Debugs state machine-related events.

span

Debugs spanning tree-related events.

split

Debugs split-processor.

vlan

Debugs VLAN-related events.

vp

Debugs virtual port-related events.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable all PM debugging:

Switch# debug pm all
Switch# 

Related Commands

undebug pm (same as no debug pm)

debug psecure

To debug port security, use the debug psecure command. To disable debugging output, use the no form of this command.

debug psecure

no debug psecure

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable port security debugging:

Switch# debug psecure
Switch# 

Related Commands

switchport port-security

debug redundancy

To debug supervisor redundancy, use the debug redundancy command. To disable debugging output, use the no form of this command.

debug redundancy {errors | fsm | kpa | msg | progression | status | timer}

no debug redundancy

Syntax Description

errors

Enables redundancy facility for error debugging.

fsm

Enables redundancy facility for FSM event debugging.

kpa

Enables redundancy facility for keep alive debugging.

msg

Enables redundancy facility for messaging event debugging.

progression

Enables redundancy facility for progression event debugging.

status

Enables redundancy facility for status event debugging.

timer

Enables redundancy facility for timer event debugging.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch (Catalyst 4507R only).


Examples

This example shows how to enable redundancy facility timer event debugging:

Switch# debug redundancy timer
Redundancy timer debugging is on
Switch# 

debug smf updates

To debug software MAC filter (SMF) address insertions and deletions, use the debug smf updates command. To disable debugging output, use the no form of this command.

debug smf updates

no debug smf updates

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to debug SMF updates:

Switch# debug smf updates
Software MAC filter address insertions and deletions debugging is on
Switch# 

Related Commands

undebug smf (same as no debug smf)

debug spanning-tree

To debug spanning tree activities, use the debug spanning-tree command. To disable debugging output, use the no form of this command.

debug spanning-tree {all | bpdu | bpdu-opt | etherchannel | config | events | exceptions | general | mst | pvst+ | root | snmp}

no debug spanning-tree {all | bpdu | bpdu-opt | etherchannel | config | events | exceptions | general | mst | pvst+ | root | snmp}

Syntax Description

all

Displays all spanning tree debugging messages.

bpdu

Debugs spanning tree BPDU.

bpdu-opt

Debugs optimized BPDU handling.

etherchannel

Debugs spanning tree EtherChannel support.

config

Debugs spanning tree configuration changes.

events

Debugs TCAM events.

exceptions

Debugs spanning tree exceptions.

general

Debugs general spanning tree activity.

mst

Debugs multiple spanning tree events.

pvst+

Debugs PVST+ events.

root

Debugs spanning tree root events.

snmp

Debugs spanning tree SNMP events.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to debug spanning tree PVST+:

Switch# debug spanning-tree pvst+
Spanning Tree PVST+ debugging is on
Switch# 

Related Commands

undebug spanning-tree (same as no debug spanning-tree)

debug spanning-tree backbonefast

To enable debugging of spanning tree BackboneFast events, use the debug spanning-tree backbonefast command. To disable debugging output, use the no form of this command.

debug spanning-tree backbonefast [detail | exceptions]

no debug spanning-tree backbonefast

Syntax Description

detail

(Optional) Displays detailed BackboneFast debugging messages.

exceptions

(Optional) Enables debugging of spanning tree BackboneFast exceptions.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

This command is supported by the supervisor engine only and can be entered only from the switch console.

Examples

This example shows how to enable debugging and to display detailed spanning tree BackboneFast debugging information:

Switch# debug spanning-tree backbonefast detail
Spanning Tree backbonefast detail debugging is on
Switch# 

Related Commands

undebug spanning-tree backbonefast (same as no debug spanning-tree backbonefast)

debug spanning-tree switch

To enable switch shim debugging, use the debug spanning-tree switch command. To disable debugging output, use the no form of this command.

debug spanning-tree switch {all | errors | general | pm | rx {decode | errors | interrupt | process} | state | tx [decode]}

no debug spanning-tree switch {all | errors | general | pm | rx {decode | errors | interrupt | process} | state | tx [decode]}

Syntax Description

all

Displays all spanning tree switch shim debugging messages.

errors

Enables debugging of switch shim errors or exceptions.

general

Enables debugging of general events.

pm

Enables debugging of port manager events.

rx

Displays received BPDU-handling debugging messages.

decode

Enables debugging that decodes the packets received by the spanning tree switch shim.

errors

Enables debugging of the receive errors of the spanning tree switch shim.

interrupt

Enables shim ISR receive BPDU debugging on the spanning tree switch.

process

Enables process receive BPDU debugging on the spanning tree switch.

state

Enables debugging of the state changes on the spanning tree port.

tx

Enables transmit BPDU debugging on the spanning tree switch shim.

decode

(Optional) Enables debugging that decodes the packets transmitted by the spanning tree switch shim.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

This command is supported only by the supervisor engine and can be entered only from the switch console.

Examples

This example shows how to enable transmit BPDU debugging on the spanning tree switch shim:

Switch# debug spanning-tree switch tx
Spanning Tree Switch Shim transmit bpdu debugging is on
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 303
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 304
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 305
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 349
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 350
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 351
*Sep 30 08:47:33: SP: STP SW: TX: bpdu of type ieee-st size 92 on FastEthernet5/9 801
<... output truncated...>
Switch# 

Related Commands

undebug spanning-tree switch (same as no debug spanning-tree switch)

debug spanning-tree uplinkfast

To enable debugging of spanning tree UplinkFast events, use the debug spanning-tree uplinkfast command. To disable debugging output, use the no form of this command.

debug spanning-tree uplinkfast [exceptions]

no debug spanning-tree uplinkfast

Syntax Description

exceptions

(Optional) Enables debugging of spanning tree UplinkFast exceptions.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

This command is supported only by the supervisor engine and can be entered only from the switch console.

Examples

This example shows how to debug spanning tree UplinkFast exceptions:

Switch# debug spanning-tree uplinkfast exceptions
Spanning Tree uplinkfast exceptions debugging is on
Switch# 

Related Commands

undebug spanning-tree uplinkfast (same as no debug spanning-tree uplinkfast)

debug sw-vlan

To debug VLAN manager activities, use the debug sw-vlan command. To disable debugging output, use the no form of this command.

debug sw-vlan {badpmcookies | events | management | packets | registries}

no debug sw-vlan {badpmcookies | events | management | packets | registries}

Syntax Description

badpmcookies

Displays VLAN manager incidents of bad port-manager cookies.

events

Debugs VLAN manager events.

management

Debugs VLAN manager management of internal VLANs.

packets

Debugs packet handling and encapsulation processes.

registries

Debugs VLAN manager registries.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to debug software VLAN events:

Switch# debug sw-vlan events
vlan manager events debugging is on
Switch# 

Related Commands

undebug sw-vlan (same as no debug sw-vlan)

debug sw-vlan ifs

To enable VLAN manager IOS file system (IFS) error tests, use the debug sw-vlan ifs command. To disable debugging output, use the no form of this command.

debug sw-vlan ifs {open {read | write} | read {1 | 2 | 3 | 4} | write}

no debug sw-vlan ifs {open {read | write} | read {1 | 2 | 3 | 4} | write}

Syntax Description

open

Enables VLAN manager IFS debugging of errors in an IFS file-open operation.

read

Debugs errors that occurred when the IFS VLAN configuration file was open for reading.

write

Debugs errors that occurred when the IFS VLAN configuration file was open for writing.

{1 | 2 | 3 | 4}

Determines the file-read operation. See "Usage Guidelines" for information about operation levels.

write

Debugs errors that occurred during an IFS file-write operation.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The following are four types of file read operations:

Operation 1—Reads the file header, which contains the header verification word and the file version number.

Operation 2—Reads the main body of the file, which contains most of the domain and VLAN information.

Operation 3—Reads TLV descriptor structures.

Operation 4—Reads TLV data.

Examples

This example shows how to debug TLV data errors during a file-read operation:

Switch# debug sw-vlan ifs read 4
vlan manager ifs read # 4 errors debugging is on
Switch# 

Related Commands

undebug sw-vlan ifs (same as no debug sw-vlan ifs)

debug sw-vlan notification

To enable debugging messages that trace the activation and deactivation of ISL VLAN IDs, use the debug sw-vlan notification command. To disable debugging output, use the no form of this command.

debug sw-vlan notification {accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange}

no debug sw-vlan notification {accfwdchange | allowedvlancfgchange | fwdchange | linkchange | modechange | pruningcfgchange | statechange}

Syntax Description

accfwdchange

Enables VLAN manager notification of aggregated access interface STP forward changes.

allowedvlancfgchange

Enables VLAN manager notification of changes to allowed VLAN configuration.

fwdchange

Enables VLAN manager notification of STP forwarding changes.

linkchange

Enables VLAN manager notification of interface link state changes.

modechange

Enables VLAN manager notification of interface mode changes.

pruningcfgchange

Enables VLAN manager notification of changes to pruning configuration.

statechange

Enables VLAN manager notification of interface state changes.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to debug the software VLAN interface mode change notifications:

Switch# debug sw-vlan notification modechange
vlan manager port mode change notification debugging is on
Switch# 

Related Commands

undebug sw-vlan notification (same as no debug sw-vlan notification)

debug sw-vlan vtp

To enable debugging messages to be generated by the VTP protocol code, use the debug sw-vlan vtp command. To disable debugging output, use the no form of this command.

debug sw-vlan vtp {events | packets | pruning [packets | xmit] | xmit}

no debug sw-vlan vtp {events | packets | pruning [packets | xmit] | xmit}

Syntax Description

events

Displays general-purpose logic flow and detailed VTP debugging messages generated by the VTP_LOG_RUNTIME macro in the VTP code.

packets

Displays the contents of all incoming VTP packets that have been passed into the VTP code from the IOS VTP platform-dependent layer, except for pruning packets.

pruning

Enables debugging messages to be generated by the pruning segment of the VTP protocol code.

packets

(Optional) Displays the contents of all incoming VTP pruning packets that have been passed into the VTP code from the IOS VTP platform-dependent layer.

xmit

(Optional) Displays the contents of all outgoing VTP packets that the VTP code will request the IOS VTP platform-dependent layer to send.

xmit

Displays the contents of all outgoing VTP packets that the VTP code will request the IOS VTP platform-dependent layer to send; does not include pruning packets.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

If you do not enter any more parameters after entering pruning, the VTP pruning debugging messages are displayed.

Examples

This example shows how to debug software VLAN outgoing VTP packets:

Switch# debug sw-vlan vtp xmit
vtp xmit debugging is on
Switch# 

Related Commands

undebug sw-vlan vtp (same as no debug sw-vlan vtp)

debug udld

To enable debugging of UDLD activity, use the debug udld command. To disable debugging output, use the no form of this command.

debug udld {events | packets | registries}

no debug udld {events | packets | registries}

Syntax Description

events

Enables debugging of UDLD process events as they occur.

packets

Enables debugging of the UDLD process as it receives packets from the packet queue and attempts to transmit packets at the request of the UDLD protocol code.

registries

Enables debugging of the UDLD process as it processes registry upcalls from the UDLD process-dependent module and other feature modules.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

This command is supported by the supervisor engine only and can be entered only from the Catalyst 4500 series switch console.

Examples

This example shows how to enable debugging of UDLD events:

Switch# debug udld events
UDLD events debugging is on
Switch# 

This example shows how to enable debugging of UDLD packets:

Switch# debug udld packets
UDLD packets debugging is on
Switch# 

This example shows how to enable debugging of UDLD registry events:

Switch# debug udld registries
UDLD registries debugging is on
Switch# 

Related Commands

undebug udld (same as no debug udld)

debug vqpc

To debug VLAN Query Protocol (VQP), use the debug vqpc command. To disable debugging output, use the no form of this command.

debug vqpc [all | cli | events | learn | packet]

no debug vqpc [all | cli | events | learn | packet]

Syntax Description

all

(Optional) Debugs all VQP events.

cli

(Optional) Debugs VQP command line interface.

events

Debugs VQP events.

learn

Debugs VQP address learning.

packet

Debugs VQP packets.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to enable all VQP debugging:

Switch# debug vqpc all
Switch# 

Related Commands

vmps reconfirm (privileged EXEC)

define interface-range

To create a macro of interfaces, use the define interface-range command.

define interface-range macro-name interface-range

Syntax Description

macro-name

Name of the interface range macro; up to 32 characters.

interface-range

List of valid ranges when specifying interfaces; see "Usage Guidelines."


Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The macro name is a character string of up to 32 characters.

A macro can contain up to five ranges. An interface range cannot span modules.

When entering the interface-range, use this format:

interface-type {mod}/{first-interface} - {last-interface}

Valid values for interface-type are as follows:

FastEthernet

GigabitEthernet

Vlan vlan_id

Examples

This example shows how to create a multiple-interface macro:

Switch(config)# define interface-range macro1 gigabitethernet 4/1-6, fastethernet 2/1-5
Switch(config)# 

Related Commands

interface range

deny

To deny an ARP packet based on matches against the DHCP bindings, use the deny command. Use the no form of the command to remove specified ACEs from the access list.

deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

no deny {[request] ip {any | host sender-ip | sender-ip sender-ip-mask} mac {any | host sender-mac | sender-mac sender-mac-mask} | response ip {any | host sender-ip | sender-ip sender-ip-mask} [{any | host target-ip | target-ip target-ip-mask}] mac {any | host sender-mac | sender-mac sender-mac-mask} [{any | host target-mac | target-mac target-mac-mask}]} [log]

Syntax Description

request

(Optional) Requests a match for the ARP request. When request is not specified, matching is performed against all ARP packets.

ip

Specifies the sender IP address.

any

Specifies that any IP or MAC address will be accepted.

host sender-ip

Specifies that only a specific sender IP address will be accepted.

sender-ip sender-ip-mask

Specifies that a specific range of sender IP addresses will be accepted.

mac

Specifies the sender MAC address.

host sender-mac

Specifies that only a specific sender MAC address will be accepted.

sender-mac sender-mac-mask

Specifies that a specific range of sender MAC addresses will be accepted.

response

Specifies a match for the ARP responses.

ip

Specifies the IP address values for the ARP responses.

host target-ip

Specifies that only a specific target IP address will be accepted.

target-ip target-ip-mask

Specifies that a specific range of target IP addresses will be accepted.

mac

Specifies the MAC address values for the ARP responses.

host target-mac

Specifies that only a specific target MAC address will be accepted.

target-mac target-mac-mask

Specifies that a specific range of target MAC addresses will be accepted.

log

(Optional) Logs a packet when it matches the access control entry (ACE).


Defaults

At the end of the ARP access list, there is an implicit deny ip any mac any command.

Command Modes

arp-nacl configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Deny clauses can be added to forward or drop ARP packets based on some matching criteria.

Examples

A host with a MAC address of 0000.0000.abcd has an IP address of 1.1.1.1. To deny both requests and responses from this host, define an access list as follows:

Switch(config)# arp access-list static-hosts
Switch(config-arp-nacl)# deny ip host 1.1.1.1 mac host 0000.0000.abcd
Switch(config-arp-nacl)# end
Switch# show arp access-list

ARP access list static-hosts
    deny ip host 1.1.1.1 mac host 0000.0000.abcd 
Switch#

Related Commands

arp access-list
ip arp inspection filter vlan
permit

dot1x guest-vlan

To enable guest VLAN on a per-port basis, use the dot1x guest-vlan command. To return to the default setting, use the no form of this command.

dot1x guest-vlan vlan-id

no dot1x guest-vlan vlan-id

Syntax Description

vlan-id

Specifies a VLAN in the range of 1 to 4094.


Defaults

The default value for the guest VLAN is 0.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Guest VLAN can be configured only on switch ports that are statically configured as access ports. Guest VLAN is subject to the same restrictions as a dot1x port; that is, the port cannot be a trunk port, dynamic port, EtherChannel port, or SPAN destination port.

Examples

This example shows how to enable guest VLAN on Fast Ethernet interface 4/3:

Switch# configure terminal
Switch(config)# interface fastethernet4/3
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x guest-vlan 26
Switch(config-if)# end
Switch#

Related Commands

dot1x max-reauth-req
show dot1x

dot1x initialize

To unauthorize an interface before reinitializing 802.1x, use the dot1x initialize command.

dot1x initialize interface

Syntax Description

interface

The number of the interface.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Use this command to initialize state machines and to set up the environment for fresh authentication.

Examples

This example shows how to initialize the 802.1x state machines on an interface:

Switch# dot1x initialize
Switch# 

Related Commands

dot1x initialize
show dot1x

dot1x max-reauth-req

To set the maximum number of times the switch will retransmit an EAP-Request/Identity frame to the client before restarting the authentication process, use the dot1x max-reauth-req command. To return to the default setting, use the no form of this command.

dot1x max-reauth-req count

no dot1x max-reauth-req

Syntax Description

count

Number of times that the switch retransmits EAP-Request/Identity frames before restarting the authentication process; valid values are from 1 to 10.


Defaults

The switch sends a maximum of 2 retransmissions.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. This setting impacts the wait before a non-dot1x-capable client is admitted to the guest VLAN, if one is configured.

You can verify your settings by entering the show dot1x privileged EXEC command.

Examples

This example shows how to set 5 as the number of times that the switch retransmits an EAP-Request/Identity frame before restarting the authentication process:

Switch(config-if)# dot1x max-reauth-req 5
Switch(config-if)#

Related Commands

dot1x guest-vlan
dot1x initialize
show dot1x

dot1x max-req

To set the maximum number of times the switch retransmits an Extensible Authentication Protocol (EAP)-Request frame of types other than EAP-Request/Identity to the client before restarting the authentication process, use the dot1x max-req command. To return to the default setting, use the no form of this command.

dot1x max-req count

no dot1x max-req

Syntax Description

count

Number of times that the switch retransmits EAP-Request frames of types other than EAP-Request/Identity before restarting the authentication process; valid values are from 1 to 10.


Defaults

The switch sends a maximum of two retransmissions.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(19)EW

This command was modified to control on EAP-Request/Identity retransmission limits.


Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.

You can verify your settings by entering the show dot1x privileged EXEC command.

Examples

This example shows how to set 5 as the number of times that the switch retransmits an EAP-Request frame before restarting the authentication process:

Switch(config-if)# dot1x max-req 5
Switch(config-if)# 

Related Commands

dot1x initialize
dot1x max-reauth-req
show dot1x

dot1x multiple-hosts

To allow multiple hosts (clients) on an 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto, use the dot1x multiple-hosts command. To return to the default setting, use the no form of this command.

dot1x multiple-hosts

no dot1x multiple-hosts

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

This command enables you to attach multiple clients to a single 802.1x-enabled port. In this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (re-authentication fails, or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.

Examples

This example shows how to enable 802.1x on Gigabit Ethernet 1/1 and to allow multiple hosts:

Switch(config)# interface gigabitethernet1/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x multiple-hosts

You can verify your settings by entering the show dot1x [interface interface-id] privileged EXEC command.

Related Commands

show dot1x

dot1x port-control

To enable manual control of the authorization state on a port, use the dot1x port-control command. To return to the default setting, use the no form of this command.

dot1x port-control {auto | force-authorized | force-unauthorized}

no dot1x port-control {auto | force-authorized | force-unauthorized}

Syntax Description

auto

Enables 802.1x authentication on the interface and causes the port to transition to the authorized or unauthorized state based on the 802.1x authentication exchange between the switch and the client.

force-authorized

Disables 802.1x authentication on the interface and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client.

force-unauthorized

Denies all access through the specified interface by forcing the port to transition to the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.


Defaults

The port 802.1x authorization is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The 802.1x protocol is supported on both Layer 2 static-access ports and Layer 3-routed ports.

You can use the auto keyword only if the port is not configured as one of these:

Trunk port—If you try to enable 802.1x on a trunk port, an error message appears, and 802.1x is not enabled. If you try to change the mode of an 802.1x-enabled port to trunk, the port mode is not changed.

Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1x on a dynamic port, an error message appears, and 802.1x is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, the port mode is not changed.

EtherChannel port—Before enabling 802.1x on the port, you must first remove it from the EtherChannel. If you try to enable 802.1x on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1x is not enabled. If you enable 802.1x on an inactive port of an EtherChannel, the port does not join the EtherChannel.

Switch Port Analyzer (SPAN) destination port—You can enable 802.1x on a port that is a SPAN destination port; however, 802.1x is disabled until the port is removed as a SPAN destination. You can enable 802.1x on a SPAN source port.

To globally disable 802.1x on the switch, you must disable it on each port. There is no global configuration command for this task.

Examples

This example shows how to enable 802.1x on Gigabit Ethernet 1/1:

Switch(config)# interface gigabitethernet1/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# 

You can verify your settings by using the show dot1x all or show dot1x interface commands to show the port-control status. An enabled status indicates that the port-control value is set either to auto or to force-unauthorized.

Related Commands

show dot1x

dot1x re-authenticate

To manually initiate a reauthentication of all 802.1x-enabled ports or the specified 802.1x-enabled port, use the dot1x re-authenticate command.

dot1x re-authenticate [interface interface-id]

Syntax Description

interface interface-id

(Optional) Slot and port number of the interface.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

You can use this command to reauthenticate a client without waiting for the configured number of seconds between reauthentication attempts (re-authperiod) and automatic reauthentication.

Examples

This example shows how to manually reauthenticate the device connected to Gigabit Ethernet interface 1/1:

Switch# dot1x re-authenticate interface gigabitethernet1/1
Starting reauthentication on gigabitethernet1/1
Switch# 

dot1x re-authentication

To enable periodic reauthentication of the client, use the dot1x re-authentication command. To return to the default setting, use the no form of this command.

dot1x re-authentication

no dot1x re-authentication

Syntax Description

This command has no arguments or keywords.

Defaults

The periodic reauthentication is disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

You configure the amount of time between periodic reauthentication attempts by using the dot1x timeout re-authperiod global configuration command.

Examples

This example shows how to disable periodic reauthentication of the client:

Switch(config-if)# no dot1x re-authentication
Switch(config-if)# 

This example shows how to enable periodic reauthentication and set the number of seconds between reauthentication attempts to 4000 seconds:

Switch(config-if)# dot1x re-authentication
Switch(config-if)# dot1x timeout re-authperiod 4000
Switch(config-if)# 

You can verify your settings by entering the show dot1x privileged EXEC command.

Related Commands

dot1x timeout
show dot1x

dot1x system-auth-control

To enable 802.1x authentication on the switch, use the dot1x system-auth-control command. To disable 802.1x authentication on the system, use the no form of this command.

dot1x system-auth-control

no dot1x system-auth-control

Syntax Description

This command has no arguments or keywords.

Defaults

The 802.1x authentication is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

As the port-control value defaults to force-authorized, you can easily enable 802.1x on a port by setting the port-control value to auto.

When enabled, each port's authorization status is controlled according to the value of the port-control parameter on the port.

When disabled, all ports function as though the port-control parameter is set to force-authorized.

Examples

This example shows how to enable 802.1x authentication:

Switch(config)# dot1x system-auth-control
Switch(config)# 

Related Commands

dot1x initialize
show dot1x

dot1x timeout

To set the reauthentication timer, use the dot1x timeout command. To return to the default setting, use the no form of this command.

dot1x timeout {reauth-period seconds | quiet-period seconds | tx-period seconds |
supp-timeout seconds | server-timeout seconds}

no dot1x timeout {reauth-period | quiet-period | tx-period | supp-timeout | server-timeout}

Syntax Description

reauth-period seconds

Number of seconds between reauthentication attempts; valid values are from 1 to 65535. See "Usage Guidelines" for more information.

quiet-period seconds

Number of seconds the switch remains in the quiet state following a failed authentication exchange with the client; valid values are from 0 to 65535 seconds.

tx-period seconds

Number of seconds the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request; valid values are from 0 to 65535 seconds.

supp-timeout seconds

Number of seconds the switch waits for the retransmission of EAP-Request packets; valid values are from 0 to 65535 seconds.

server-timeout seconds

Number of seconds the switch waits for the retransmission of packets by the backend authenticator to the authentication server; valid values are from 1 to 65535 seconds.


Defaults

The default settings are as follows:

Reauthentication period is 3600 seconds.

Quiet period is 60 seconds.

Transmission period is 30 seconds.

Supplicant timeout is 30 seconds.

Server timeout is 30 seconds.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(12)EW

Support for this command was introduced on the Catalyst 4500 series switches.


Usage Guidelines

Periodic reauthentication must be enabled before entering the dot1x timeout re-authperiod command. Enter the dot1x re-authentication command to enable periodic reauthentication.

Examples

This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request:

Switch(config-if)# dot1x timeout tx-period 60
Switch(config-if)# 

You can verify your settings by entering the show dot1x privileged EXEC command.

Related Commands

dot1x initialize
show dot1x
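
The following Python sketch is an added example, not part of the Cisco command reference. It applies the defaults stated in the dot1x system-auth-control, dot1x re-authentication, and dot1x timeout entries to a configuration listing and reports each port's effective 802.1x state. The sample configuration and all function names are constructed for illustration.

```python
import re

DEFAULT_REAUTH_PERIOD = 3600  # default reauthentication period stated on this page (seconds)

# Constructed sample configuration (assumption: not taken from a real device).
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet1/1
 dot1x port-control auto
 dot1x re-authentication
 dot1x timeout re-authperiod 4000
!
interface GigabitEthernet1/2
 dot1x port-control auto
 dot1x timeout re-authperiod 600
!
interface GigabitEthernet1/3
 switchport mode access
!
"""


def parse_dot1x(config):
    """Return (system_auth_control, {interface: settings}) parsed from config text."""
    system_auth = False
    ports = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # a top-level line ends any interface block
            current = None
            if line == "dot1x system-auth-control":
                system_auth = True
            match = re.fullmatch(r"interface (\S+)", line)
            if match:
                current = ports.setdefault(match.group(1), {
                    "port_control": "force-authorized",  # page: default port-control value
                    "reauth": False,                     # page: periodic reauth is off by default
                    "period": DEFAULT_REAUTH_PERIOD,
                })
            continue
        if current is None:
            continue
        match = re.fullmatch(r"dot1x port-control (\S+)", line)
        if match:
            current["port_control"] = match.group(1)
        elif line == "dot1x re-authentication":
            current["reauth"] = True
        else:
            # The page spells this keyword both "re-authperiod" and "reauth-period".
            match = re.fullmatch(
                r"dot1x timeout (?:re-authperiod|reauth-period) (\d+)", line)
            if match:
                current["period"] = int(match.group(1))
    return system_auth, ports


def audit_dot1x(config):
    """Map each interface to (effective_mode, reauth_seconds_or_None, findings)."""
    system_auth, ports = parse_dot1x(config)
    report = {}
    for name, cfg in ports.items():
        findings = []
        mode = cfg["port_control"]
        if not system_auth:
            # Page: when disabled, all ports behave as if set to force-authorized.
            if mode != "force-authorized":
                findings.append(
                    "port-control %s has no effect: dot1x system-auth-control is off" % mode)
            mode = "force-authorized"
        if mode == "force-authorized":
            findings.append("port is authorized without an 802.1x exchange")
        # The reauthentication period only matters once periodic reauth is enabled.
        reauth = cfg["period"] if (mode == "auto" and cfg["reauth"]) else None
        if mode == "auto" and reauth is None:
            findings.append("periodic reauthentication is disabled")
        report[name] = (mode, reauth, findings)
    return report


if __name__ == "__main__":
    for name, (mode, reauth, findings) in audit_dot1x(SAMPLE_CONFIG).items():
        print(name, mode, reauth, "; ".join(findings) or "ok")
```
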

duplex

To configure the duplex operation on an interface, use the duplex command. To return to the default setting, use the no form of this command.

duplex {auto | full | half}

no duplex

Syntax Description

auto

Specifies autonegotiation operation.

full

Specifies full-duplex operation.

half

Specifies half-duplex operation.


Defaults

Half duplex operation

Command Modes

Interface configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Table 2-2 lists the supported command options by interface.

Table 2-2 Supported duplex Command Options

Interface Type              Supported Syntax      Default Setting  Guidelines
--------------------------  --------------------  ---------------  ----------
10/100-Mbps module          duplex [half | full]  half             If the speed is set to auto, you will not be able to set the duplex mode. If the speed is set to 10 or 100, and you do not configure the duplex setting, the duplex mode is set to half duplex.
100-Mbps fiber modules      duplex [half | full]  half
Gigabit Ethernet Interface  Not supported.        Not supported.   Gigabit Ethernet interfaces are set to full duplex.
10/100/1000                 duplex [half | full]                   If the speed is set to auto or 1000, you will not be able to set duplex. If the speed is set to 10 or 100, and you do not configure the duplex setting, the duplex mode is set to half duplex.


If the transmission speed on a 16-port RJ-45 Gigabit Ethernet port is set to 1000, duplex mode is set to full. If the transmission speed is changed to 10 or 100, the duplex mode stays at full. You must configure the correct duplex mode on the switch when the transmission speed changes to 10 or 100 from 1000 Mbps.


Note: Catalyst 4006 switches cannot automatically negotiate interface speed and duplex mode if either connecting interface is configured to a value other than auto.

Caution: Changing the interface speed and duplex mode configuration might shut down and reenable the interface during the reconfiguration.

Table 2-3 describes the system performance for different combinations of the duplex and speed modes. The specified duplex command configured with the specified speed command produces the resulting action shown in the table.

Table 2-3 Relationship Between duplex and speed Commands 

duplex Command              speed Command  Resulting System Action
--------------------------  -------------  ------------------------------------------
duplex half or duplex full  speed auto     Autonegotiates both speed and duplex modes
duplex half                 speed 10       Forces 10 Mbps and half duplex
duplex full                 speed 10       Forces 10 Mbps and full duplex
duplex half                 speed 100      Forces 100 Mbps and half duplex
duplex full                 speed 100      Forces 100 Mbps and full duplex
duplex full                 speed 1000     Forces 1000 Mbps and full duplex


Examples

This example shows how to configure the interface for full-duplex operation:

Switch(config-if)# duplex full
Switch(config-if)# 

Related Commands

speed
interface (refer to Cisco IOS documentation)
show controllers (refer to Cisco IOS documentation)
show interfaces (refer to Cisco IOS documentation)

errdisable detect

To enable error disable detection, use the errdisable detect command. To disable the error disable detection feature, use the no form of this command.

errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap}

no errdisable detect cause {all | arp-inspection | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap}

Syntax Description

cause

Specifies error disable detection to detect from a specific cause.

all

Specifies error disable detection for all error-disable causes.

arp-inspection

Specifies detection for the ARP inspection error-disable cause.

dhcp-rate-limit

Specifies detection for the DHCP rate limit error-disable cause.

dtp-flap

Specifies detection for the DTP flap error-disable cause.

gbic-invalid

Specifies detection for the GBIC invalid error-disable cause.

l2ptguard

Specifies detection for the Layer 2 protocol-tunnel error-disable cause.

link-flap

Specifies detection for the link flap error-disable cause.

pagp-flap

Specifies detection for the PAgP flap error-disable cause.


Defaults

All error disable causes are detected.

Command Modes

Global configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

A cause (dtp-flap, link-flap, pagp-flap) is defined as the reason the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state (an operational state similar to link down state).

You must enter the shutdown command and then the no shutdown command to recover an interface manually from error disable.

Examples

This example shows how to enable error disable detection for the link-flap error disable cause:

Switch(config)# errdisable detect cause link-flap
Switch(config)# 

To disable errdisable detection for DAI, perform the following:

Switch(config)# no errdisable detect cause arp-inspection 
Switch(config)# end
Switch# show errdisable detect
ErrDisable Reason    Detection status
-----------------    ----------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Disabled
psecure-violation    Enabled
vmps                 Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
unicast-flood        Enabled
storm-control        Enabled
ilpower              Enabled
arp-inspection       Disabled
Switch#

Related Commands

show errdisable detect
show interfaces status

errdisable recovery

To configure the recovery mechanism variables, use the errdisable recovery command. To return to the default setting, use the no form of this command.

errdisable recovery [cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | psecure-violation | security-violation | storm-control | udld | unicastflood | vmps} [arp-inspection] [interval {interval}]

no errdisable recovery [cause {all | arp-inspection | bpduguard | channel-misconfig | dhcp-rate-limit | dtp-flap | gbic-invalid | l2ptguard | link-flap | pagp-flap | psecure-violation | security-violation | storm-control | udld | unicastflood | vmps} [arp-inspection] [interval {interval}]

Syntax Description

cause

(Optional) Enables error disable recovery to recover from a specific cause.

all

(Optional) Enables the recovery timers for all error disable causes.

arp-inspection

(Optional) Enables the recovery timer for the ARP inspection cause.

bpduguard

(Optional) Enables the recovery timer for the BPDU guard error-disable cause.

channel-misconfig

(Optional) Enables the recovery timer for the channel-misconfig error-disable cause.

dhcp-rate-limit

(Optional) Enables the recovery timer for the DHCP rate limit error-disable cause.

dtp-flap

(Optional) Enables the recovery timer for the DTP flap error-disable cause.

gbic-invalid

(Optional) Enables the recovery timer for the GBIC invalid error-disable cause.

l2ptguard

(Optional) Enables the recovery timer for the Layer 2 protocol-tunnel error-disable cause.

link-flap

(Optional) Enables the recovery timer for the link flap error-disable cause.

pagp-flap

(Optional) Enables the recovery timer for the PAgP flap error-disable cause.

psecure-violation

(Optional) Enables the recovery timer for the psecure violation error-disable cause.

security-violation

(Optional) Enables automatic recovery of ports disabled due to 802.1x security violations.

storm-control

(Optional) Enables the timer to recover from the storm-control error-disable state.

udld

(Optional) Enables the recovery timer for the UDLD error-disable cause.

unicastflood

(Optional) Enables the recovery timer for the Unicast flood error-disable cause.

vmps

(Optional) Enables the recovery timer for the VMPS error-disable cause.

arp-inspection

(Optional) Enables ARP inspection cause and recovery timeout.

interval interval

(Optional) Specifies the time to recover from specified error-disable cause; valid values are from 30 to 86400 seconds.


Defaults

Error disable recovery is disabled.

The recovery interval is set to 300 seconds.

Command Modes

Configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(19)EW

Support for the storm-control feature was added.


Usage Guidelines

A cause (bpduguard, dtp-flap, link-flap, pagp-flap, udld) is defined as the reason the error-disabled state occurred. When a cause is detected on an interface, the interface is placed in error-disabled state (an operational state similar to link-down state). If you do not enable error-disable recovery for the cause, the interface stays in error-disabled state until a shutdown and no shutdown occurs. If you enable recovery for a cause, the interface is brought out of error-disabled state and allowed to retry operation again once all the causes have timed out.

You must enter the shutdown command and then the no shutdown command to recover an interface manually from error disable.

Examples

This example shows how to enable the recovery timer for the BPDU guard error disable cause:

Switch(config)# errdisable recovery cause bpduguard
Switch(config)# 

This example shows how to set the timer to 300 seconds:

Switch(config)# errdisable recovery interval 300
Switch(config)# 

To enable errdisable recovery for arp-inspection, do the following:

Switch(config)# errdisable recovery cause arp-inspection 
Switch(config)# end
Switch# show errdisable recovery 
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
l2ptguard            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
storm-control        Disabled
arp-inspection       Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Switch#

Related Commands

show errdisable recovery
show interfaces status
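
The following Python sketch is an added example, not part of the Cisco command reference. It parses show errdisable detect and show errdisable recovery output in the format shown in the examples above and combines the two into a per-cause posture. The rows are copied (trimmed) from the two separate examples on this page; the function names are constructed for illustration.

```python
import re

DEFAULT_RECOVERY_INTERVAL = 300  # default recovery interval stated on this page (seconds)

# Rows copied (trimmed) from the "show errdisable detect" example on this page.
DETECT_OUTPUT = """\
ErrDisable Reason    Detection status
-----------------    ----------------
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Disabled
psecure-violation    Enabled
dhcp-rate-limit      Enabled
arp-inspection       Disabled
"""

# Rows copied (trimmed) from the separate "show errdisable recovery" example.
RECOVERY_OUTPUT = """\
ErrDisable Reason    Timer Status
-----------------    --------------
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
psecure-violation    Disabled
dhcp-rate-limit      Disabled
arp-inspection       Enabled

Timer interval: 300 seconds
"""

ROW = re.compile(r"^(\S+)\s+(Enabled|Disabled)$")
INTERVAL = re.compile(r"^Timer interval:\s*(\d+)\s+seconds")


def parse_errdisable(output):
    """Return ({cause: enabled}, timer_interval_or_None) from either show command."""
    status, interval = {}, None
    for line in output.splitlines():
        line = line.strip()
        row = ROW.match(line)            # header and dashed lines do not match
        if row:
            status[row.group(1)] = row.group(2) == "Enabled"
            continue
        timer = INTERVAL.match(line)
        if timer:
            interval = int(timer.group(1))
    return status, interval


def errdisable_posture(detect_output, recovery_output):
    """Map each cause to (detected, recovery_seconds_or_None, note)."""
    detect, _ = parse_errdisable(detect_output)
    recovery, interval = parse_errdisable(recovery_output)
    posture = {}
    for cause, detected in detect.items():
        timer = None
        if recovery.get(cause, False):
            timer = interval or DEFAULT_RECOVERY_INTERVAL
        if not detected:
            note = "cause is not detected; ports are not error-disabled for it"
            if timer is not None:
                note += " (recovery timer has nothing to act on)"
        elif timer is None:
            note = "port stays error-disabled until shutdown / no shutdown"
        else:
            note = "port is re-enabled automatically after %d seconds" % timer
        posture[cause] = (detected, timer, note)
    return posture


if __name__ == "__main__":
    for cause, (detected, timer, note) in errdisable_posture(
            DETECT_OUTPUT, RECOVERY_OUTPUT).items():
        print("%-18s %s" % (cause, note))
```
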

flowcontrol

To configure a gigabit interface to send or receive pause frames, use the flowcontrol command. To disable the flow control setting, use the no form of this command.

flowcontrol {receive | send} {off | on | desired}

no flowcontrol {receive | send} {off | on | desired}

Syntax Description

receive

Specifies that the interface processes pause frames.

send

Specifies that the interface sends pause frames.

off

Prevents a local port from receiving and processing pause frames from remote ports or from sending pause frames to remote ports.

on

Enables a local port to receive and process pause frames from remote ports or send pause frames to remote ports.

desired

Obtains predictable results whether a remote port is set to on, off, or desired.


Defaults

The default settings for GigabitEthernet interfaces are as follows:

Sending pause frames is desired—Gigabit Ethernet interfaces.

Receiving pause frames is off—Gigabit Ethernet interfaces.

Sending pause frames is on—oversubscribed Gigabit Ethernet interfaces.

Receiving pause frames is desired—oversubscribed Gigabit Ethernet interfaces

Table 2-4 shows the default settings for modules:

Table 2-4 Default Module Settings

Module                                                                Ports                                                 Send
--------------------------------------------------------------------  ----------------------------------------------------  ----
All modules except WS-X4418-GB, WS-X4412-2GB-TX, and WS-X4416-2GB-TX  All ports except for the oversubscribed ports (1-18)  No
WS-X4418-GB                                                           Uplink ports (1-2)                                    No
WS-X4418-GB                                                           Oversubscribed ports (3-18)                           Yes
WS-X4412-2GB-TX                                                       Uplink ports (13-14)                                  No
WS-X4412-2GB-TX                                                       Oversubscribed ports (1-12)                           Yes
WS-X4416-2GB-TX                                                       Uplink ports (17-18)                                  No


Command Modes

Interface configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Pause frames are special packets that signal a source to stop sending frames for a specific period of time because the buffers are full.

Table 2-5 describes guidelines for using different configurations of the send and receive keywords with the flowcontrol command.

Table 2-5 Keyword Configurations for send and receive 

Configuration
Description

send on

Enables a local port to send pause frames to remote ports. To obtain predictable results, use send on only when remote ports are set to receive on or receive desired.

send off

Prevents a local port from sending pause frames to remote ports. To obtain predictable results, use send off only when remote ports are set to receive off or receive desired.

send desired

Obtains predictable results whether a remote port is set to receive on, receive off, or receive desired.

receive on

Enables a local port to process pause frames that a remote port sends. To obtain predictable results, use receive on only when remote ports are set to send on or send desired.

receive off

Prevents remote ports from sending pause frames to the local port. To obtain predictable results, use send off only when remote ports are set to receive off or receive desired.

receive desired

Obtains predictable results whether a remote port is set to send on, send off, or send desired.


Table 2-6 identifies how flow control will be forced or negotiated on gigabit interfaces based on their speed settings.


Note: Catalyst 4006 switches support flow control only on gigabit interfaces.


Table 2-6 Send Capability by Switch Type, Module, and Port 

Interface Type      Configured Speed            Advertised Flow Control
------------------  --------------------------  -----------------------------------------
10/100/1000BASE-TX  Speed 1000                  Configured flow control always
1000BASE-T          Negotiation always enabled  Configured flow control always negotiated
1000BASE-X          No speed nonegotiation      Configured flow control negotiated
1000BASE-X          Speed nonegotiation         Configured flow control forced


Examples

This example shows how to enable send flow control:

Switch(config-if)# flowcontrol receive on
Switch(config-if)# 

This example shows how to disable send flow control:

Switch(config-if)# flowcontrol send off
Switch(config-if)# 

This example shows how to set receive flow control to desired:

Switch(config-if)# flowcontrol receive desired
Switch(config-if)# 

Related Commands

interface port-channel
interface range
interface vlan
show flowcontrol
show running-config (refer to Cisco IOS Documentation)
speed

hw-module reset

To reset a module by turning the power off and then on, use the hw-module reset command.

hw-module {module num} reset

Syntax Description

module num

Applies the command to a specific module; valid values are from 2 to 6.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to reload a specific module:

Switch# hw-module module 3 reset
Switch# 

instance

To map a VLAN or a set of VLANs to an MST instance, use the instance command. To return the VLANs to the common instance default, use the no form of this command.

instance instance-id {vlans vlan-range}

no instance instance-id

Syntax Description

instance-id

MST instance to which the specified VLANs are mapped; valid values are from 0 to 15.

vlans vlan-range

Specifies the number of the VLANs to be mapped to the specified instance. The number is entered as a single value or a range; valid values are from 1 to 4094.


Defaults

Mapping is disabled.

Command Modes

MST configuration

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The mapping is incremental, not absolute. When you enter a range of VLANs, that range is added to or removed from the existing mapping.

Any unmapped VLAN is mapped to the CIST instance.

Examples

This example shows how to map a range of VLANs to instance 2:

Switch(config-mst)# instance 2 vlans 1-100
Switch(config-mst)# 

This example shows how to map a VLAN to instance 5:

Switch(config-mst)# instance 5 vlans 1100
Switch(config-mst)# 

This example shows how to move a range of VLANs from instance 2 to the CIST instance:

Switch(config-mst)# no instance 2 vlans 40-60
Switch(config-mst)# 

This example shows how to move all the VLANs mapped to instance 2 back to the CIST instance:

Switch(config-mst)# no instance 2
Switch(config-mst)# 

Related Commands

name
revision
show spanning-tree mst
spanning-tree mst configuration

interface port-channel

To access or create a port channel interface, use the interface port-channel command.

interface port-channel channel-group

Syntax Description

channel-group

Port channel group number; valid values are from 1 to 64.


Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

You do not have to create a port channel interface before assigning a physical interface to a channel group. A port channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.

You can also create port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.

Only one port channel in a channel group is allowed.


Caution: The Layer 3 port channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.

If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.

Examples

This example creates a port channel interface with a channel group number of 64:

Switch(config)# interface port-channel 64
Switch(config)# 

Related Commands

channel-group
show etherchannel

interface range

To run a command on multiple ports at the same time, use the interface range command.

interface range {vlan vlan_id - vlan_id} {port-range | macro name}

Syntax Description

vlan vlan_id - vlan_id

Specifies a VLAN range; valid values are from 1 to 4094.

port-range

Port range; for a list of valid values for port-range, see "Usage Guidelines."

macro name

Specifies the name of a macro.


Defaults

This command has no default settings.

Command Modes

Global configuration

Interface configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses added.


Usage Guidelines

You can use the interface range command on existing VLAN SVIs only. To display VLAN SVIs, enter the show running-config command. VLANs not displayed cannot be used in the interface range command.

The values entered with the interface range command are applied to all existing VLAN SVIs.

Before you can use a macro, you must define a range using the define interface-range command.

All configuration changes made to a port range are saved to NVRAM, but port ranges created with the interface range command do not get saved to NVRAM.

You can enter the port range in two ways:

Specifying up to five port ranges

Specifying a previously defined macro

You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span modules.

You can define up to five port ranges on a single command; separate each range with a comma.

When you define a range, you must enter a space between the first port and the hyphen (-):

interface range gigabitethernet 5/1 -20, gigabitethernet4/5 -20.

Use these formats when entering the port-range:

interface-type {mod}/{first-port} - {last-port}

interface-type {mod}/{first-port} - {last-port}

Valid values for interface-type are as follows:

FastEthernet

GigabitEthernet

Vlan vlan_id

You cannot specify both a macro and an interface range in the same command. After creating a macro, you can enter additional ranges. Likewise, if you have already entered an interface range, the CLI does not allow you to enter a macro.

You can specify a single interface in the port-range value. This makes the command similar to the interface interface-number command.

Examples

This example shows how to use the interface range command to select Fast Ethernet interfaces 5/18 through 5/20:

Switch(config)# interface range fastethernet 5/18 - 20
Switch(config-if)# 

This example shows how to run a port-range macro:

Switch(config)# interface range macro macro1
Switch(config-if)# 

Related Commands

define interface-range
show running-config (refer to Cisco IOS documentation)

interface vlan

To create or access a Layer 3 switch virtual interface (SVI), use the interface vlan command. To delete an SVI, use the no form of this command.

interface vlan vlan_id

no interface vlan vlan_id

Syntax Description

vlan_id

Number of the VLAN; valid values are from 1 to 4094.


Defaults

Fast EtherChannel is not specified.

Command Modes

Global configuration

Command History

Release
Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended addressing was added.


Usage Guidelines

SVIs are created the first time you enter the interface vlan vlan_id command for a particular VLAN. The vlan_id value corresponds to the VLAN tag associated with data frames on an ISL or 802.1Q encapsulated trunk, or the VLAN ID configured for an access port. A message is displayed whenever a VLAN interface is newly created, so you can check that you entered the correct VLAN number.

If you delete an SVI by entering the no interface vlan vlan_id command, the associated interface is forced into an administrative down state and marked as deleted. The deleted interface will no longer be visible in a show interface command.

You can reinstate a deleted SVI by entering the interface vlan vlan_id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.

Examples

This example shows the output when you enter the interface vlan vlan_id command for a new VLAN number:

Switch(config)# interface vlan 23
% Creating new VLAN interface.
Switch(config)# 

ip arp inspection filter vlan

To permit ARPs from hosts configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. Use the no form of this command to disable this application.

ip arp inspection filter arp-acl-name vlan vlan-range [static]

no ip arp inspection filter arp-acl-name vlan vlan-range [static]

Syntax Description

arp-acl-name

Access control list name.

vlan-range

VLAN number or range; valid values are from 1 to 4094.

static

(Optional) Specifies that the access control list should be applied statically.


Defaults

No defined ARP ACLs are applied to any VLAN.

Command Modes

Configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

When an ARP access control list is applied to a VLAN for dynamic ARP inspection, ARP packets containing only IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.

This command specifies that incoming ARP packets are compared against the ARP access control list, and packets are permitted only if the access control list permits them.

If access control lists deny packets because of explicit denies, the packets are dropped. If packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.

Examples

This example shows how to apply the ARP ACL "static-hosts" to VLAN 1 for DAI:

Switch# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip arp inspection filter static-hosts vlan 1
Switch(config)# end
Switch#
Switch# show ip arp inspection vlan 1
Source Mac Validation      : Enabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled



 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active      static-hosts      No 

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Acl-Match        Deny  
Switch#

Related Commands

arp access-list
show ip arp inspection
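
The following Python sketch is an added example, not part of the Cisco command reference. It models the decision order described in the usage guidelines above: ACL permit, explicit deny, then implicit deny with a fall-through to the DHCP bindings unless the ACL is applied statically. The addresses, the entry format, and first-match ordering are assumptions made for illustration; only the ACL name static-hosts comes from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpAclEntry:
    action: str   # "permit" or "deny"
    ip: str       # sender IP address, or "any"
    mac: str      # sender MAC address, or "any"


def norm_mac(mac):
    """Reduce aaaa.bbbb.cccc or aa:bb:cc:dd:ee:ff notation to 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def dai_verdict(sender_ip, sender_mac, acl, dhcp_bindings, static=False):
    """Return (verdict, reason) for one ARP packet's sender IP-to-MAC binding."""
    mac = norm_mac(sender_mac)
    for entry in acl:                       # assumption: the first matching entry wins
        ip_hit = entry.ip in ("any", sender_ip)
        mac_hit = entry.mac == "any" or norm_mac(entry.mac) == mac
        if ip_hit and mac_hit:
            if entry.action == "permit":
                return ("forward", "permitted by ARP ACL")
            # Page: packets denied by an explicit deny are dropped.
            return ("drop", "explicit deny in ARP ACL")
    # No entry matched: implicit deny.
    if static:
        # Page: the DHCP bindings are consulted only if the ACL is not static.
        return ("drop", "implicit deny, ACL applied statically")
    bound = dhcp_bindings.get(sender_ip)
    if bound is not None and norm_mac(bound) == mac:
        return ("forward", "matches DHCP binding")
    return ("drop", "implicit deny and no DHCP binding")


# Constructed sample data (assumption: not taken from a real network).
STATIC_HOSTS = [
    ArpAclEntry("permit", "10.0.0.10", "0000.aaaa.0010"),  # statically addressed host
    ArpAclEntry("deny", "10.0.0.10", "any"),               # any other MAC claiming that IP
]
DHCP_BINDINGS = {"10.0.0.50": "0000.bbbb.0050"}            # learned by DHCP snooping


if __name__ == "__main__":
    packets = [
        ("10.0.0.10", "0000.aaaa.0010"),   # the static host itself
        ("10.0.0.10", "0000.cccc.0099"),   # different MAC claiming the static host's IP
        ("10.0.0.50", "0000.bbbb.0050"),   # DHCP client with a binding
        ("10.0.0.77", "0000.dddd.0077"),   # neither in the ACL nor in the bindings
    ]
    for static in (False, True):
        print("static =", static)
        for ip, mac in packets:
            print("  %-10s %-15s %s" % (
                ip, mac, dai_verdict(ip, mac, STATIC_HOSTS, DHCP_BINDINGS, static)))
```

With the static keyword the DHCP client at 10.0.0.50 is dropped as well, because the ACL becomes the only source of permitted bindings for the VLAN.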

ip arp inspection limit (interface)

To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit command. Use the no form of this command to release the limit.

ip arp inspection limit {rate pps | none}

no ip arp inspection limit

Syntax Description

rate pps

Specifies an upper limit on the number of incoming packets processed per second. The rate can range from 1 to 10000.

none

Specifies no upper limit on the rate of incoming ARP packets that can be processed.


Defaults

Rate is set to 15 packets per second on untrusted interfaces, assuming a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

Command Modes

Interface

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Trunk ports should be configured with higher rates to reflect their aggregation. Once the rate of incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate applies to both trusted and non-trusted interfaces. Configure appropriate rates on trunks to handle packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.

The rate of incoming ARP packets on channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for channel ports only after examining the rate of incoming ARP packets on the channel members.

Examples

This example shows how to limit the rate of incoming ARP requests to 25 packets per second:

Switch# configure terminal
Switch(config)# interface fa6/3
Switch(config-if)# ip arp inspection limit rate 25
Switch(config-if)# end
Switch# show ip arp inspection interfaces fastEthernet 6/3
Interface        Trust State     Rate (pps)
 ---------------  -----------     ----------
 Fa6/3            Trusted                 25
Switch#

Related Commands

show ip arp inspection

ip arp inspection log-buffer

To configure parameters that are associated with the logging buffer, use the ip arp inspection log-buffer command. Use the no form of this command to disable the parameters.

ip arp inspection log-buffer {entries number | logs number interval seconds}

no ip arp inspection log-buffer {entries | logs}

Syntax Description

entries number

The number of entries from the logging buffer. The range is 0 to 1024.

logs number

The number of entries to be logged in an interval. The range is 0 to 1024. A 0 value indicates that entries should not be logged out of this buffer.

interval seconds

The logging rate. The range is 0 to 86400 (1 day). A 0 value represents an immediate log.


Defaults

When dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.

The number of entries is set to 32.

The number of logging entries is limited to 5 per second.

The interval is set to 1.

Command Modes

Configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The first dropped packet of a given flow is logged immediately. Subsequent packets for the same flow are registered but not logged immediately. Registering these packets is done in a log buffer that is shared by all VLANs. Entries from this buffer are logged on a rate-controlled basis.

Examples

This example shows how to configure the logging buffer to hold up to 45 entries:

Switch# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip arp inspection log-buffer entries 45
Switch(config)# end
Switch# show ip arp inspection log 
Total Log Buffer Size : 45
Syslog rate : 5 entries per 1 seconds.
No entries in log buffer.
Switch#

This example shows how to configure the logging rate to 10 logs per 3 seconds:

Switch(config)# ip arp inspection log-buffer logs 10 interval 3
Switch(config)# end
Switch# show ip arp inspection log
Total Log Buffer Size : 45
Syslog rate : 10 entries per 3 seconds.
No entries in log buffer.
Switch# 

Related Commands

arp access-list
show ip arp inspection

ip arp inspection trust

To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. Use the no form of this command to make interfaces untrusted.

ip arp inspection trust

no ip arp inspection trust

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Interface

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Examples

This example shows how to configure an interface to be trusted:

Switch# config terminal
Switch(config)# interface fastEthernet 6/3
Switch(config-if)# ip arp inspection trust 
Switch(config-if)# end

To verify the configuration, use the show form of the command:

Switch# show ip arp inspection interfaces fastEthernet 6/3

 Interface        Trust State     Rate (pps)
 ---------------  -----------     ----------
 Fa6/3            Trusted               None
Switch#

Related Commands

show ip arp inspection

ip arp inspection validate

To perform specific checks for ARP inspection, use the ip arp inspection validate command. Use the no form of this command to disable the checks.

ip arp inspection validate [src-mac] [dst-mac] [ip]

no ip arp inspection validate [src-mac] [dst-mac] [ip]

Syntax Description

src-mac

(Optional) Checks the source MAC address in the Ethernet header against the sender's MAC address in the ARP body. This checking is done against both ARP requests and responses.

Note When enabled, packets with different MAC addresses are classified as invalid and are dropped.

dst-mac

(Optional) Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This checking is done for ARP responses.

Note When enabled, packets with different MAC addresses are classified as invalid and are dropped.

ip

(Optional) Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

Sender IP addresses are checked in all ARP requests and responses and target IP addresses are checked only in ARP responses.


Defaults

Checks are disabled.

Command Modes

Configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

The no form of the command disables only the specified checks. If none of the check options are enabled, all checks are disabled.
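The three checks from the syntax description and the override behavior described above can be modeled in a few lines. This is an added example, not Cisco code: the function names (effective_checks, failed_checks, build) and the sample frames are constructed for illustration, and a no form given without keywords is not modeled.

```python
import ipaddress
import struct

def effective_checks(commands):
    """Replay 'ip arp inspection validate' lines and return the enabled checks."""
    enabled = set()
    for line in commands:
        words = line.split()
        skip = 1 if words[:1] == ["no"] else 0
        if words[skip:skip + 4] != ["ip", "arp", "inspection", "validate"]:
            continue
        named = set(words[skip + 4:]) & {"src-mac", "dst-mac", "ip"}
        # Positive form replaces the whole set; the no form removes only the named checks.
        enabled = enabled - named if skip else named
    return enabled

def _bad_ip(raw):
    # 0.0.0.0, 255.255.255.255 and all IP multicast addresses are treated as invalid.
    return raw in (b"\x00" * 4, b"\xff" * 4) or ipaddress.IPv4Address(raw).is_multicast

def failed_checks(frame, checks):
    """Return the enabled checks that an Ethernet+ARP frame fails (empty list = pass)."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    _, _, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (hlen, plen) != (6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    is_reply = oper == 2
    failed = []
    if "src-mac" in checks and eth_src != sha:                # requests and responses
        failed.append("src-mac")
    if "dst-mac" in checks and is_reply and eth_dst != tha:   # responses only
        failed.append("dst-mac")
    if "ip" in checks and (_bad_ip(spa) or (is_reply and _bad_ip(tpa))):
        failed.append("ip")                                   # target IP: responses only
    return failed

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a constructed sample frame from dotted MACs and dotted-quad IPs."""
    mac = lambda s: bytes.fromhex(s.replace(".", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
    return mac(eth_dst) + mac(eth_src) + header + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed samples: a reply with mismatched sender MAC, a request with multicast target IP.
MISMATCH_REPLY = build("0000.0000.00cc", "0000.0000.00aa", 2,
                       "0000.0000.00bb", "10.0.0.1", "0000.0000.00cc", "10.0.0.5")
MCAST_REQUEST = build("ffff.ffff.ffff", "0000.0000.00aa", 1,
                      "0000.0000.00aa", "10.0.0.1", "0000.0000.0000", "224.0.0.1")

if __name__ == "__main__":
    for cfg in (["ip arp inspection validate src-mac dst-mac"],
                ["ip arp inspection validate src-mac dst-mac", "ip arp inspection validate ip"]):
        checks = effective_checks(cfg)
        print(sorted(checks), failed_checks(MISMATCH_REPLY, checks))
```

The second configuration shows why the override rule matters in an audit: once a later command names only ip, the reply with the mismatched sender MAC is no longer flagged.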

Examples

This example shows how to enable source MAC validation:

Switch(config)# ip arp inspection validate src-mac 
Switch(config)# end
Switch# show ip arp inspection vlan 1
Source Mac Validation      : Enabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active                        

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny 
Switch#

Related Commands

arp access-list
show arp access-list

ip arp inspection vlan

To enable dynamic ARP inspection (DAI) on a per-VLAN basis, use the ip arp inspection vlan command. Use the no form of this command to disable DAI.

ip arp inspection vlan vlan-range

no ip arp inspection vlan vlan-range

Syntax Description

vlan-range

Specifies a VLAN number or range; valid values are from 1 to 4094.


Defaults

ARP inspection is disabled on all VLANs.

Command Modes

Configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

You must specify on which VLANs to enable DAI. DAI may not function on the configured VLANs if they have not been created or if they are private.

Examples

This example shows how to enable DAI on VLAN 1:

Switch(config)# ip arp inspection vlan 1
Switch(config)# end
Switch# show ip arp inspection vlan 1

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active                        

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny  
Switch# 

Related Commands

arp access-list
show ip arp inspection

ip arp inspection vlan logging

To control the type of packets that are logged, use the ip arp inspection vlan logging command. Use the no form of this command to disable this logging control.

ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {permit | all | none}}

no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}

Syntax Description

vlan-range

The number of the VLANs to be mapped to the specified instance. The number is entered as a single value or a range; valid values are from 1 to 4094.

acl-match

Specifies the logging criteria for packets that are dropped or permitted based on ACL matches.

matchlog

Specifies that logging of packets matched against ACLs is controlled by the matchlog keyword in the permit and deny access control entries of the ACL.

Note By default, the matchlog keyword is not available on the ACEs. When the keyword is used, denied packets are not logged. Packets are logged only when they match against an ACE that has the matchlog keyword.

none

Specifies that ACL-matched packets are not logged.

dhcp-bindings

Specifies the logging criteria for packets dropped or permitted based on matches against the DHCP bindings.

permit

Specifies logging when permitted by DHCP bindings.

all

Specifies logging when permitted or denied by DHCP bindings.

none

Prevents all logging of packets permitted or denied by DHCP bindings.


Defaults

All denied or dropped packets are logged.

Command Modes

Configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The acl-match and dhcp-bindings keywords merge with each other; that is, when you set an ACL match configuration, the DHCP bindings configuration is not disabled. The no form of the command can be used to reset some of the logging criteria to their defaults. If neither option is specified, all types of logging are reset to log on when ARP packets are denied. The two options available to you are:

acl-match—Logging on ACL matches is reset to log on deny

dhcp-bindings—Logging on DHCP binding comparisons is reset to log on deny

Examples

This example shows how to configure ARP inspection on VLAN 1 to log packets that match ACL entries with the logging keyword:

Switch# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip arp inspection vlan 1 logging acl-match matchlog 
Switch(config)# end
Switch# show ip arp inspection vlan 1

Source Mac Validation      : Enabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active                        

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Acl-Match        Deny  
Switch#

Related Commands

arp access-list
show ip arp inspection

ip cef load-sharing algorithm

To configure the load-sharing hash function so that the source TCP/UDP port, the destination TCP/UDP port, or both can be included in the hash in addition to the source and destination IP addresses, use the ip cef load-sharing algorithm command. To revert back to the default, which does not include the ports, use the no form of this command.

ip cef load-sharing algorithm {include-ports {source source | destination dest} | original | tunnel | universal}

no ip cef load-sharing algorithm {include-ports {source source | destination dest} | original | tunnel | universal}

Syntax Description

include-ports

Specifies algorithm that includes Layer 4 ports.

source source

Specifies source port in the load-balancing hash functions.

destination dest

Specifies destination port in the load-balancing hash. Uses source and destination in hash functions.

original

Original algorithm; not recommended.

tunnel

Specifies algorithm for use in tunnel-only environments.

universal

Specifies the default IOS load-sharing algorithm.


Defaults

Default load-sharing algorithm is disabled.


Note This option does not include the source or destination port in the load-balancing hash.


Command Modes

Global configuration

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

The original algorithm, tunnel algorithm, and universal algorithm are routed through hardware. For software-routed packets, they are treated differently. The include-ports option does not apply to software-switched traffic.

Examples

This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 ports:

Switch(config)# ip cef load-sharing algorithm include-ports
Switch(config)# 

Related Commands

show ip cef vlan

ip dhcp snooping

To enable DHCP snooping globally, use the ip dhcp snooping command. To disable DHCP snooping, use the no form of this command.

ip dhcp snooping

no ip dhcp snooping

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP snooping is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN.

Examples

This example shows how to enable DHCP snooping:

Switch(config)# ip dhcp snooping
Switch(config)# 

This example shows how to disable DHCP snooping:

Switch(config)# no ip dhcp snooping 
Switch(config)# 

Related Commands

ip dhcp snooping information option
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping binding

ip dhcp snooping binding

To set up and generate a DHCP binding configuration to restore bindings across reboots, use the ip dhcp snooping binding command. To disable the binding configuration, use the no form of this command.

ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface expiry seconds

no ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface

Syntax Description

mac-address

Specifies a MAC address.

vlan vlan-#

Specifies a valid VLAN number.

ip-address

Specifies an IP address.

interface interface

Specifies an interface type and number.

expiry seconds

Specifies the interval (in seconds) after which binding is no longer valid.


Defaults

This command has no default settings.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Whenever a binding is added or removed using this command, the binding database is marked as changed and a write is initiated.

Examples

This example shows how to generate DHCP binding configuration on interface gi1/1 in VLAN 1 with an expiration time of 1000 seconds:

Switch# ip dhcp snooping binding 0001.1234.1234 vlan 1 172.20.50.5 interface gi1/1 expiry 1000

Related Commands

ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping binding

ip dhcp snooping database

To store the bindings generated by DHCP snooping, use the ip dhcp snooping database command. Use the no form of this command to either reset the timeout, reset the write-delay, or delete the agent specified by the URL.

ip dhcp snooping database {url | timeout seconds | write-delay seconds}

no ip dhcp snooping database {timeout | write-delay}

Syntax Description

url

Specifies the URL in one of the following forms:

tftp://<host>/<filename>

ftp://<user>:<password>@<host>/<filename>

rcp://<user>@<host>/<filename>

nvram:/<filename>

bootflash:/<filename>

timeout seconds

Specifies when to abort the database transfer process after a change to the binding database.

The minimum value of the delay is 15 seconds. 0 is defined as infinite duration.

write-delay seconds

Specifies the duration for which the transfer should be delayed after a change to the binding database.


Defaults

The timeout value is set to 300 seconds (5 minutes).

The write-delay value is set to 300 seconds.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.


Usage Guidelines

Because both NVRAM and bootflash have limited storage capacity, we recommend that you store the file on a TFTP server. When a file is stored in a remote location that is accessible through TFTP, an RPR redundant supervisor engine can take over the binding list when a switchover occurs.

You need to create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write the set of bindings for the first time at the URL.

Examples

This example shows how to store a database file on the TFTP server at IP address 10.1.1.1, within a directory called directory. A file named file must be present on the TFTP server.

Switch# config terminal
Switch(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file
Switch(config)# end
Switch# show ip dhcp snooping database 
Agent URL : tftp://10.1.1.1/directory/file
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : Yes
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        1   Startup Failures :        0
Successful Transfers :        0   Failed Transfers :        0
Successful Reads     :        0   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0

Switch#

Related Commands

ip dhcp snooping
ip dhcp snooping binding
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping binding

ip dhcp snooping information option

To enable DHCP option 82 data insertion, use the ip dhcp snooping information option command. To disable DHCP option 82 data insertion, use the no form of this command.

ip dhcp snooping information option

no ip dhcp snooping information option

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP option 82 data insertion is enabled.

Command Modes

Global configuration

Command History