-
Catalyst 4500 Series Switch Cisco IOS Command Reference, 12.2(40)SG
-
Quick Links to Catalyst 4500 Series Switch Cisco IOS Commands
-
Preface
-
Command-Line Interface
-
aaa accounting dot1x default start-stop group radius through instance
-
interface port-channel through shape
-
show access-group mode interface through show vtp
-
snmp ifindex clear through vtp v2-mode
-
Acronyms and Abbreviations
-
Acknowledgements for Open-Source Software
-
Table Of Contents
ip arp inspection limit (interface)
ip arp inspection vlan logging
ip dhcp snooping information option
ip dhcp snooping information option allow-untrusted
ip dhcp snooping vlan number information option format-type
ip igmp snooping report-suppression
ip igmp snooping vlan explicit-tracking
ip igmp snooping vlan immediate-leave
ip verify unicast source reachable-via
ipv6 mld snooping last-listener-query-count
ipv6 mld snooping last-listener-query-interval
ipv6 mld snooping listener-message-suppression
ipv6 mld snooping robustness-variable
issu config-sync mismatched-commands
l2protocol-tunnel drop-threshold
l2protocol-tunnel shutdown-threshold
logging event link-status global (global configuration)
logging event link-status (interface configuration)
logging event trunk-status global (global configuration)
logging event trunk-status (interface configuration)
mac-address-table dynamic group protocols
mac-address-table notification
macro global apply cisco-global
match (class-map configuration)
port-security mac-address sticky
qos (global configuration mode)
qos (interface configuration mode)
qos account layer2 encapsulation
renew ip dhcp snooping database
service-policy (interface configuration)
service-policy (policy-map class)
service-policy input (control-plane)
shape (interface configuration)
interface
To select an interface to configure and to enter interface configuration mode, use the interface command.
interface type number
Syntax Description
type
Type of interface to be configured; see Table 2-6 for valid values.
number
Module and port number.
Defaults
No interface types are configured.
Command Modes
Global configuration mode
Command History
Usage Guidelines
Table 2-6 lists the valid values for type.
Table 2-6 Valid type Values
ethernet
Ethernet IEEE 802.3 interface.
fastethernet
100-Mbps Ethernet interface.
gigabitethernet
Gigabit Ethernet IEEE 802.3z interface.
tengigabitethernet
10-Gigabit Ethernet IEEE 802.3ae interface.
ge-wan
Gigabit Ethernet WAN IEEE 802.3z interface; supported on Catalyst 4500 series switches that are configured with a Supervisor Engine 2 only.
pos
Packet OC-3 interface on the Packet over SONET Interface Processor; supported on Catalyst 4500 series switches that are configured with a Supervisor Engine 2 only.
atm
ATM interface; supported on Catalyst 4500 series switches that are configured with a Supervisor Engine 2 only.
vlan
VLAN interface; see the interface vlan command.
port-channel
Port channel interface; see the interface port-channel command.
null
Null interface; the valid value is 0.
Examples
This example shows how to enter the interface configuration mode on the Fast Ethernet interface 2/4:
Switch(config)# interface fastethernet2/4Switch(config-if)#Related Commands
interface port-channel
To access or create a port-channel interface, use the interface port-channel command.
interface port-channel channel-group
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You do not have to create a port-channel interface before assigning a physical interface to a channel group. A port-channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.
You can also create the port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign the physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.
Only one port channel in a channel group is allowed.
CautionThe Layer 3 port-channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.
If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.
Examples
This example creates a port-channel interface with a channel-group number of 64:
Switch(config)# interface port-channel 64Switch(config)#Related Commands
channel-group
show etherchannelinterface range
To run a command on multiple ports at the same time, use the interface range command.
interface range {vlan vlan_id - vlan_id} {port-range | macro name}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Interface configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(12c)EW
Support for extended VLAN addresses added.
Usage Guidelines
You can use the interface range command on the existing VLAN SVIs only. To display the VLAN SVIs, enter the show running config command. The VLANs that are not displayed cannot be used in the interface range command.
The values that are entered with the interface range command are applied to all the existing VLAN SVIs.
Before you can use a macro, you must define a range using the define interface-range command.
All configuration changes that are made to a port range are saved to NVRAM, but the port ranges that are created with the interface range command do not get saved to NVRAM.
You can enter the port range in two ways:
•
•
You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span the modules.
You can define up to five port ranges on a single command; separate each range with a comma.
When you define a range, you must enter a space between the first port and the hyphen (-):
interface range gigabitethernet 5/1 -20, gigabitethernet4/5 -20.Use these formats when entering the port-range:
•
•
Valid values for interface-type are as follows:
•
•
•
You cannot specify both a macro and an interface range in the same command. After creating a macro, you can enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.
You can specify a single interface in the port-range value. This makes the command similar to the interface interface-number command.
Examples
This example shows how to use the interface range command to interface to FE 5/18 - 20:
Switch(config)# interface range fastethernet 5/18 - 20Switch(config-if)#This command shows how to run a port-range macro:
Switch(config)# interface range macro macro1Switch(config-if)#Related Commands
define interface-range
show running config (refer to Cisco IOS documentation)interface vlan
To create or access a Layer 3 switch virtual interface (SVI), use the interface vlan command. To delete an SVI, use the no form of this command.
interface vlan vlan_id
no interface vlan vlan_id
Syntax Description
Defaults
Fast EtherChannel is not specified.
Command Modes
Global configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(12c)EW
Support for extended addressing was added.
Usage Guidelines
The SVIs are created the first time that you enter the interface vlan vlan_id command for a particular VLAN. The vlan_id value corresponds to the VLAN tag that is associated with the data frames on an ISL or 802.1Q-encapsulated trunk or the VLAN ID that is configured for an access port. A message is displayed whenever a VLAN interface is newly created, so you can check that you entered the correct VLAN number.
If you delete an SVI by entering the no interface vlan vlan_id command, the associated interface is forced into an administrative down state and marked as deleted. The deleted interface will no longer be visible in a show interface command.
You can reinstate a deleted SVI by entering the interface vlan vlan_id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.
Examples
This example shows the output when you enter the interface vlan vlan_id command for a new VLAN number:
Switch(config)# interface vlan 23% Creating new VLAN interface.Switch(config)#ip arp inspection filter vlan
To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. To disable this application, use the no form of this command.
ip arp inspection filter arp-acl-name vlan vlan-range [static]
no ip arp inspection filter arp-acl-name vlan vlan-range [static]
Syntax Description
arp-acl-name
Access control list name.
vlan-range
VLAN number or range; valid values are from 1 to 4094.
static
(Optional) Specifies that the access control list should be applied statically.
Defaults
No defined ARP ACLs are applied to any VLAN.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
When an ARP access control list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only the IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.
This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.
If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.
Examples
This example shows how to apply the ARP ACL "static-hosts" to VLAN 1 for DAI:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip arp inspection filter static-hosts vlan 1Switch(config)# endSwitch#Switch# show ip arp inspection vlan 1Source Mac Validation : EnabledDestination Mac Validation : DisabledIP Address Validation : DisabledVlan Configuration Operation ACL Match Static ACL---- ------------- --------- --------- ----------1 Enabled Active static-hosts NoVlan ACL Logging DHCP Logging---- ----------- ------------1 Acl-Match DenySwitch#Related Commands
arp access-list
show ip arp inspectionip arp inspection limit (interface)
To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit command. To release the limit, use the no form of this command.
ip arp inspection limit {rate pps | none} [burst interval seconds]
no ip arp inspection limit
Syntax Description
Defaults
The rate is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
The rate is unlimited on all the trusted interfaces.
The burst interval is set to 1 second by default.
Command Modes
Interface
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(20)EW
Added support for interface monitoring.
Usage Guidelines
The trunk ports should be configured with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.
The rate of the incoming ARP packets onthe channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.
After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.
Examples
This example shows how to limit the rate of the incoming ARP requests to 25 packets per second:
Switch# config terminalSwitch(config)# interface fa6/3Switch(config-if)# ip arp inspection limit rate 25Switch(config-if)# endSwitch# show ip arp inspection interfaces fastEthernet 6/3Interface Trust State Rate (pps)--------------- ----------- ----------Fa6/3 Trusted 25Switch#This example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:
Switch# config terminalSwitch(config)# interface fa6/1Switch(config-if)# ip arp inspection limit rate 20 burst interval 5Switch(config-if)# endRelated Commands
ip arp inspection log-buffer
To configure the parameters that are associated with the logging buffer, use the ip arp inspection log-buffer command. To disable the parameters, use the no form of this command.
ip arp inspection log-buffer {entries number | logs number interval seconds}
no ip arp inspection log-buffer {entries | logs}
Syntax Description
Defaults
When dynamic ARP inspection is enabled, denied, or dropped, the ARP packets are logged.
The number of entries is set to 32.
The number of logging entries is limited to 5 per second.
The interval is set to 1.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registering these packets is done in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.
Examples
This example shows how to configure the logging buffer to hold up to 45 entries:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip arp inspection log-buffer entries 45Switch(config)# endSwitch# show ip arp inspection logTotal Log Buffer Size : 45Syslog rate : 5 entries per 1 seconds.No entries in log buffer.Switch#This example shows how to configure the logging rate to 10 logs per 3 seconds:
Switch(config)# ip arp inspection log-buffer logs 10 interval 3Switch(config)# endSwitch# show ip arp inspection logTotal Log Buffer Size : 45Syslog rate : 10 entries per 3 seconds.No entries in log buffer.Switch#Related Commands
arp access-list
show ip arp inspectionip arp inspection trust
To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. To make the interfaces untrusted, use the no form of this command.
ip arp inspection trust
no ip arp inspection trust
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Interface
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to configure an interface to be trusted:
Switch# config terminalSwitch(config)# interface fastEthernet 6/3Switch(config-if)# ip arp inspection trustSwitch(config-if)# endTo verify the configuration, use the show form of this command:
Switch# show ip arp inspection interfaces fastEthernet 6/3Interface Trust State Rate (pps) Burst Interval--------------- ----------- ---------- --------------Fa6/3 Trusted None 1Switch#Related Commands
ip arp inspection validate
To perform specific checks for ARP inspection, use the ip arp inspection validate command. To disable checks, use the no form of this command.
ip arp inspection validate [src-mac] [dst-mac] [ip]
no ip arp inspection validate [src-mac] [dst-mac] [ip]
Syntax Description
Defaults
Checks are disabled.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.
The no form of this command disables only the specified checks. If none of the check options are enabled, all the checks are disabled.
Examples
This example show how to enable the source MAC validation:
Switch(config)# ip arp inspection validate src-macSwitch(config)# endSwitch# show ip arp inspection vlan 1Source Mac Validation : EnabledDestination Mac Validation : DisabledIP Address Validation : DisabledVlan Configuration Operation ACL Match Static ACL---- ------------- --------- --------- ----------1 Enabled ActiveVlan ACL Logging DHCP Logging---- ----------- ------------1 Deny DenySwitch#Related Commands
arp access-list
show arp access-list
ip arp inspection vlan
To enable dynamic ARP inspection (DAI) on a per-VLAN basis, use the ip arp inspection vlan command. To disable DAI, use the no form of this command.
ip arp inspection vlan vlan-range
no ip arp inspection vlan vlan-range
Syntax Description
Defaults
ARP inspection is disabled on all VLANs.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You must specify on which VLANs to enable DAI. DAI may not function on the configured VLANs if they have not been created or if they are private.
Examples
This example shows how to enable DAI on VLAN 1:
Switch(config)# ip arp inspection vlan 1Switch(config)# endSwitch# show ip arp inspection vlan 1Source Mac Validation : DisabledDestination Mac Validation : DisabledIP Address Validation : DisabledVlan Configuration Operation ACL Match Static ACL---- ------------- --------- --------- ----------1 Enabled ActiveVlan ACL Logging DHCP Logging---- ----------- ------------1 Deny DenySwitch#Related Commands
arp access-list
show ip arp inspection
ip arp inspection vlan logging
To control the type of packets that are logged, use the ip arp inspection vlan logging command. To disable this logging control, use the no form of this command.
ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {permit | all | none}}
no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings}
Syntax Description
Defaults
All denied or dropped packets are logged.
Command Modes
Configuration
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the no form of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available to you are as follows:
•
•
Examples
This example shows how to configure an ARP inspection on VLAN 1 to add packets to a log on matching against the ACLs with the logging keyword:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip arp inspection vlan 1 logging acl-match matchlogSwitch(config)# endSwitch# show ip arp inspection vlan 1Source Mac Validation : EnabledDestination Mac Validation : DisabledIP Address Validation : DisabledVlan Configuration Operation ACL Match Static ACL---- ------------- --------- --------- ----------1 Enabled ActiveVlan ACL Logging DHCP Logging---- ----------- ------------1 Acl-Match DenySwitch#Related Commands
arp access-list
show ip arp inspection
ip cef load-sharing algorithm
To configure the load-sharing hash function so that the source TCP/UDP port, the destination TCP/UDP port, or both ports can be included in the hash in addition to the source and destination IP addresses, use the ip cef load-sharing algorithm command. To revert back to the default, which does not include the ports, use the no form of this command.
ip cef load-sharing algorithm {include-ports {source source | destination dest} | original | tunnel | universal}
no ip cef load-sharing algorithm {include-ports {source source | destination dest} | original | tunnel | universal}
Syntax Description
Defaults
Default load-sharing algorithm is disabled.
Note
Command Modes
Global configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The original algorithm, tunnel algorithm, and universal algorithm are routed through the hardware. For software-routed packets, the algorithms are handled by the software. The include-ports option does not apply to the software-switched traffic.
Examples
This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 ports:
Switch(config)# ip cef load-sharing algorithm include-portsSwitch(config)#This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 tunneling ports:
Switch(config)# ip cef load-sharing algorithm include-ports tunnelSwitch(config)#Related Commands
ip device tracking maximum
To enable IP port security binding tracking on a Layer 2 port, use the ip device tracking maximum command. To disable IP port security on untrusted Layer 2 interfaces, use the no form of this command.
ip device tracking maximum {number}
no ip device tracking maximum {number}
Syntax Description
number
Specifies the number of bindings created in the IP device tracking table for a port, valid values are from 0 to 2048.
Defaults
This command has no default settings.
Command Modes
Interface configuration mode
Command History
12.2(37)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to enable IP Port Security with IP-Mac filters on a Layer 2 access port:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip device trackingSwitch(config)# interface fastethernet 4/3Switch(config-if)# switchport mode accessSwitch(config-if)# switchport access vlan 1Switch(config-if)# ip device tracking maximum 5Switch(config-if)# switchport port-securitySwitch(config-if)# switchport port-security maximum 5Switch(config-if)# ip verify source tracking port-securitySwitch(config-if)# endYou can verify your settings by entering the show ip verify source privileged EXEC command.
Related Commands
ip verify source
show ip verify sourceip dhcp snooping
To enable DHCP snooping globally, use the ip dhcp snooping command. To disable DHCP snooping, use the no form of this command.
ip dhcp snooping
no ip dhcp snooping
Syntax Description
This command has no arguments or keywords.
Defaults
DHCP snooping is disabled.
Command Modes
Global configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN.
Examples
This example shows how to enable DHCP snooping:
Switch(config)# ip dhcp snoopingSwitch(config)#This example shows how to disable DHCP snooping:
Switch(config)# no ip dhcp snoopingSwitch(config)#Related Commands
ip dhcp snooping information option
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping binding
To set up and generate a DHCP binding configuration to restore bindings across reboots, use the ip dhcp snooping binding command. To disable the binding configuration, use the no form of this command.
ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface expiry seconds
no ip dhcp snooping binding mac-address vlan vlan-# ip-address interface interface
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC mode
Command History
Usage Guidelines
Whenever a binding is added or removed using this command, the binding database is marked as changed and a write is initiated.
Examples
This example shows how to generate a DHCP binding configuration on interface gigabitethernet1/1 in VLAN 1 with an expiration time of 1000 seconds:
Switch# ip dhcp snooping binding 0001.1234.1234 vlan 1 172.20.50.5 interface gi1/1 expiry 1000Switch#Related Commands
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping database
To store the bindings that are generated by DHCP snooping, use the ip dhcp snooping database command. To either reset the timeout, reset the write-delay, or delete the agent specified by the URL, use the no form of this command.
ip dhcp snooping database {url | timeout seconds | write-delay seconds}
no ip dhcp snooping database {timeout | write-delay}
Syntax Description
Defaults
The timeout value is set to 300 seconds (5 minutes).
The write-delay value is set to 300 seconds.
Command Modes
Interface configuration mode
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You need to create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write the set of bindings for the first time at the URL.
Note
Examples
This example shows how to store a database file with the IP address 10.1.1.1 within a directory called directory. A file named file must be present on the TFTP server.
Switch# config terminalSwitch(config)# ip dhcp snooping database tftp://10.1.1.1/directory/fileSwitch(config)# endSwitch# show ip dhcp snooping databaseAgent URL : tftp://10.1.1.1/directory/fileWrite delay Timer : 300 secondsAbort Timer : 300 secondsAgent Running : YesDelay Timer Expiry : Not RunningAbort Timer Expiry : Not RunningLast Succeded Time : NoneLast Failed Time : NoneLast Failed Reason : No failure recorded.Total Attempts : 1 Startup Failures : 0Successful Transfers : 0 Failed Transfers : 0Successful Reads : 0 Failed Reads : 0Successful Writes : 0 Failed Writes : 0Media Failures : 0Switch#Related Commands
ip dhcp snooping
ip dhcp snooping binding
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping binding
ip dhcp snooping information option
To enable DHCP option 82 data insertion, use the ip dhcp snooping information option command. To disable DHCP option 82 data insertion, use the no form of this command.
ip dhcp snooping information option format remote-id {hostname | string {word}}
no ip dhcp snooping information option format remote-id {hostname | string {word}}
Syntax Description
Defaults
DHCP option 82 data insertion is enabled.
Command Modes
Global configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.2(40)SG
Added remote-id keyword to support Option 82 enhancement.
Usage Guidelines
If the hostname is longer than 63 characters it is truncated to 63 characters in the Remote ID.
Examples
This example shows how to enable DHCP option 82 data insertion:
Switch(config)# ip dhcp snooping information optionSwitch(config)#This example shows how to disable DHCP option 82 data insertion:
Switch(config)# no ip dhcp snooping information optionSwitch(config)#This example shows how to configure the hostname as the Remote ID:
Switch(config)# ip dhcp snooping information option format remote-id hostnameSwitch(config)#The following example shows how to enable DHCP Snooping on Vlan 500 through 555 and Opton 82 remote-id.
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip dhcp snoopingSwitch(config)# ip dhcp snooping vlan 500 555Switch(config)# ip dhcp snooping information option format remote-id string switch123Switch(config)# interface GigabitEthernet 5/1Switch(config-if)# ip dhcp snooping trustSwitch(config-if)# ip dhcp snooping limit rate 100Switch(config-if)# ip dhcp snooping vlan 555 information option format-type circuit-id string customer-555Switch(config-if)# interface FastEthernet 2/1Switch(config-if)# ip dhcp snooping vlan 555 information option format-type circuit-id string customer-500Switch(config)# endRelated Commands
ip dhcp snooping
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan
ip dhcp snooping vlan number information option format-type
show ip dhcp snooping
show ip dhcp snooping binding
ip dhcp snooping information option allow-untrusted
To allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port, use the ip dhcp snooping information option allow-untrusted command. To disallow receipt of these DHCP packets, use the no form of this command.
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping information option allow-untrusted
Syntax Description
This command has no arguments or keywords.
Defaults
DHCP packets with option 82 are not allowed on snooping untrusted ports.
Command Modes
Global configuration mode
Command History
12.2(25)EWA
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip dhcp snooping information option allow-untrustedSwitch(config)# endSwitch#Related Commands
ip dhcp snooping
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan
ip dhcp snooping information option
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping limit rate
To configure the number of the DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate command. To disable the DHCP snooping rate limiting, use the no form of this command.
ip dhcp snooping limit rate rate
no ip dhcp snooping limit rate
Syntax Description
Defaults
DHCP snooping rate limiting is disabled.
Command Modes
Interface configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
Typically, the rate limit applies to the untrusted interfaces. If you want to set up rate limiting for the trusted interfaces, note that the trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit of the interfaces to a higher value.
Examples
This example shows how to enable the DHCP message rate limiting:
Switch(config-if)# ip dhcp snooping limit rate 150Switch(config)#This example shows how to disable the DHCP message rate limiting:
Switch(config-if)# no ip dhcp snooping limit rateSwitch(config)#Related Commands
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping trust
To configure an interface as trusted for DHCP snooping purposes, use the ip dhcp snooping trust command. To configure an interface as untrusted, use the no form of this command.
ip dhcp snooping trust
no ip dhcp snooping trust
Syntax Description
This command has no arguments or keywords.
Defaults
DHCP snooping trust is disabled.
Command Modes
Interface configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to enable DHCP snooping trust on an interface:
Switch(config-if)# ip dhcp snooping trustSwitch(config)#This example shows how to disable DHCP snooping trust on an interface:
Switch(config-if)# no ip dhcp snooping trustSwitch(config)#Related Commands
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping limit rate
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping vlan
Use the ip dhcp snooping vlan command to enable DHCP snooping on a VLAN. To disable DHCP snooping on a VLAN, use the no form of this command.
ip dhcp snooping [vlan number]
no ip dhcp snooping [vlan number]
Syntax Description
Defaults
DHCP snooping is disabled.
Command Modes
Global configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
DHCP snooping is enabled on a VLAN only if both global snooping and the VLAN snooping are enabled.
Examples
This example shows how to enable DHCP snooping on a VLAN:
Switch(config)# ip dhcp snooping vlan 10Switch(config)#This example shows how to disable DHCP snooping on a VLAN:
Switch(config)# no ip dhcp snooping vlan 10Switch(config)#This example shows how to enable DHCP snooping on a group of VLANs:
Switch(config)# ip dhcp snooping vlan 10 55Switch(config)#This example shows how to disable DHCP snooping on a group of VLANs:
Switch(config)# no ip dhcp snooping vlan 10 55Switch(config)#Related Commands
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan number information option format-type
show ip dhcp snooping
show ip dhcp snooping bindingip dhcp snooping vlan number information option format-type
Use the ip dhcp snooping vlan number information option format-type command to enable circuit-id (a sub-option of DHCP snooping option-82) on a VLAN. To disable circuit-id on a VLAN, use the no form of this command.
ip dhcp snooping vlan number information option format-type circuit-id string string
no ip dhcp snooping vlan number information option format-type circuit-id string string
Syntax Description
Defaults
VLAN-mod-port, if DHCP snooping option-82 is disabled.
Command Modes
Interface configuration mode
Command History
12.2(40)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The curcuit-id suboption of DHCP option-82 is supported only when DHCP snooping is globally enabled and on VLANs using DHCP option-82.
Examples
The following example shows how to enable DHCP Snooping on Vlan 500 through 555 and Opton 82 circuit-id.
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip dhcp snoopingSwitch(config)# ip dhcp snooping vlan 500 555Switch(config)# ip dhcp snooping information option format remote-id string switch123Switch(config)# interface GigabitEthernet 5/1Switch(config-if)# ip dhcp snooping trustSwitch(config-if)# ip dhcp snooping limit rate 100Switch(config-if)# ip dhcp snooping vlan 555 information option format-type circuit-id string customer-555Switch(config-if)# interface FastEthernet 2/1Switch(config-if)# ip dhcp snooping vlan 555 information option format-type circuit-id string customer-500Switch(config)# endRelated Commands
ip dhcp snooping
ip dhcp snooping information option
ip dhcp snooping limit rate
ip dhcp snooping trust
ip dhcp snooping vlan
show ip dhcp snooping
show ip dhcp snooping bindingip igmp filter
To control whether all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an IGMP profile to the interface, use the ip igmp filter command. To remove a profile from the interface, use the no form of this command.
ip igmp filter profile number
no ip igmp filter
Syntax Description
Defaults
Profiles are not applied.
Command Modes
Interface configuration mode
Command History
12.1(11b)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You can apply IGMP filters only to Layer 2 physical interfaces; you cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.
An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.
Examples
This example shows how to apply IGMP profile 22 to an interface.
Switch(config)# interface gigabitethernet1/1Switch(config-if)# ip igmp filter 22Switch(config-if)#Related Commands
ip igmp profile
show ip igmp profileip igmp max-groups
To set the maximum number of IGMP groups that a Layer 2 interface can join, use the ip igmp max-groups command. To set the maximum back to the default, use the no form of this command.
ip igmp max-groups number
no ip igmp max-groups
Syntax Description
number
Maximum number of IGMP groups that an interface can join; valid values are from 0 to 4294967294.
Defaults
No maximum limit.
Command Modes
Interface configuration mode
Command History
12.1(11b)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You can use the ip igmp max-groups command only on Layer 2 physical interfaces; you cannot set the IGMP maximum groups for the routed ports, the switch virtual interfaces (SVIs), or the ports that belong to an EtherChannel group.
Examples
This example shows how to limit the number of IGMP groups that an interface can join to 25:
Switch(config)# interface gigabitethernet1/1Switch(config-if)# ip igmp max-groups 25Switch(config-if)ip igmp profile
To create an IGMP profile, use the ip igmp profile command. To delete the IGMP profile, use the no form of this command.
ip igmp profile profile number
no ip igmp profile profile number
Syntax Description
Defaults
No profile created.
Command Modes
Global configuration mode
IGMP profile configuration
Command History
12.1(11b)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.
You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.
Examples
This example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses:
Switch # config terminalSwitch(config)# ip igmp profile 40Switch(config-igmp-profile)# permitSwitch(config-igmp-profile)# range 233.1.1.1 233.255.255.255Switch(config-igmp-profile)#Related Commands
ip igmp filter
show ip igmp profileip igmp query-interval
To configure the frequency that the switch sends the IGMP host-query messages, use the ip igmp query-interval command. To return to the default frequency, use the no form of this command.
ip igmp query-interval seconds
no ip igmp query-interval
Syntax Description
seconds
Frequency, in seconds, at which the IGMP host-query messages are transmitted; valid values depend on the IGMP snooping mode. See the "Usage Guidelines" section for more information.
Defaults
The query interval is set to 60 seconds.
Command Modes
Interface configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
If you use the default IGMP snooping configuration, the valid query interval values are from 1 to 65535 seconds. If you have changed the default configuration to support CGMP as the IGMP snooping learning method, the valid query interval values are from 1 to 300 seconds.
The designated switch for a LAN is the only switch that sends the IGMP host-query messages. For IGMP version 1, the designated switch is elected according to the multicast routing protocol that runs on the LAN. For IGMP version 2, the designated querier is the lowest IP-addressed multicast switch on the subnet.
If no queries are heard for the timeout period (controlled by the ip igmp query-timeout command), the switch becomes the querier.
Note
Examples
This example shows how to change the frequency at which the designated switch sends the IGMP host-query messages:
Switch(config-if)# ip igmp query-interval 120Switch(config-if)#Related Commands
ip igmp query-timeout (refer to Cisco IOS documentation)
ip pim query-interval (refer to Cisco IOS documentation)
show ip igmp groups (refer to Cisco IOS documentation)ip igmp snooping
To enable IGMP snooping, use the ip igmp snooping command. To disable IGMP snooping, use the no form of this command.
ip igmp snooping [tcn {flood query count count | query solicit}]
no ip igmp snooping [tcn {flood query count count | query solicit}]
Syntax Description
Defaults
IGMP snooping is enabled.
Command Modes
Global configuration mode
Interface configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(11)EW
Support for flooding the spanning-tree table was added.
Usage Guidelines
The tcn flood option applies only to Layer 2 switch ports and EtherChannels; it does not apply to routed ports, VLAN interfaces, or Layer 3 channels.
The ip igmp snooping command is disabled by default on multicast routers.
Note
Examples
This example shows how to enable IGMP snooping:
Switch(config)# ip igmp snoopingSwitch(config)#This example shows how to disable IGMP snooping:
Switch(config)# no ip igmp snoopingSwitch(config)#This example shows how to enable the flooding of the spanning-tree table to the network after nine topology changes have occurred:
Switch(config)# ip igmp snooping tcn flood query count 9Switch(config)#This example shows how to disable the flooding of the spanning-tree table to the network:
Switch(config)# no ip igmp snooping tcn floodSwitch(config)#This example shows how to enable an IGMP general query:
Switch(config)# ip igmp snooping tcn query solicitSwitch(config)#This example shows how to disable an IGMP general query:
Switch(config)# no ip igmp snooping tcn query solicitSwitch(config)#Related Commands
ip igmp snooping vlan immediate-leave
ip igmp snooping vlan mrouter
ip igmp snooping vlan staticip igmp snooping report-suppression
To enable report suppression, use the ip igmp snooping report-suppression command. To disable report suppression and forward the reports to the multicast devices, use the no form of this command.
ip igmp snooping report-suppression
no igmp snooping report-suppression
Syntax Description
This command has no arguments or keywords.
Defaults
IGMP snooping report-suppression is enabled.
Command Modes
Global configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
If the ip igmp snooping report-suppression command is disabled, all the IGMP reports are forwarded to the multicast devices.
If the command is enabled, report suppression is done by IGMP snooping.
Examples
This example shows how to enable report suppression:
Switch(config)# ip igmp snooping report-suppressionSwitch(config)#This example shows how to disable report suppression:
Switch(config)# no ip igmp snooping report-suppressionSwitch(config)#This example shows how to display the system status for report suppression:
Switch# show ip igmp snoopvlan 1----------IGMP snooping is globally enabledIGMP snooping TCN solicit query is globally disabledIGMP snooping global TCN flood query count is 2IGMP snooping is enabled on this VlanIGMP snooping immediate-leave is disabled on this VlanIGMP snooping mrouter learn mode is pim-dvmrp on this VlanIGMP snooping is running in IGMP_ONLY mode on this VlanIGMP snooping report suppression is enabled on this VlanSwitch#Related Commands
ip igmp snooping vlan immediate-leave
ip igmp snooping vlan mrouter
ip igmp snooping vlan staticip igmp snooping vlan
To enable IGMP snooping for a VLAN, use the ip igmp snooping vlan command. To disable IGMP snooping, use the no form of this command.
ip igmp snooping vlan vlan-id
no ip igmp snooping vlan vlan-id
Syntax Description
Defaults
IGMP snooping is disabled.
Command Modes
Global configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(12c)EW
Support for extended addressing was added.
Usage Guidelines
This command is entered in VLAN interface configuration mode only.
The ip igmp snooping vlan command is disabled by default on multicast routers.
Examples
This example shows how to enable IGMP snooping on a VLAN:
Switch(config)# ip igmp snooping vlan 200Switch(config)#This example shows how to disable IGMP snooping on a VLAN:
Switch(config)# no ip igmp snooping vlan 200Switch(config)#Related Commands
ip igmp snooping vlan immediate-leave
ip igmp snooping vlan mrouter
ip igmp snooping vlan staticip igmp snooping vlan explicit-tracking
To enable per-VLAN explicit host tracking, use the ip igmp snooping vlan explicit-tracking command. To disable explicit host tracking, use the no form of this command.
ip igmp snooping vlan vlan-id explicit-tracking
no ip igmp snooping vlan vlan-id explicit-tracking
Syntax Description
Defaults
Explicit host tracking is enabled.
Command Modes
Configuration
Command History
12.1(20)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to disable IGMP explicit host tracking on interface VLAN 200 and how to verify the configuration:
Switch(config)# no ip igmp snooping vlan 200 explicit-trackingSwitch(config)# endSwitch# show ip igmp snooping vlan 200 | include explicit trackingGlobal IGMP Snooping configuration:-----------------------------------IGMP snooping : EnabledIGMPv3 snooping : EnabledReport suppression : EnabledTCN solicit query : DisabledTCN flood query count : 2Vlan 2:--------IGMP snooping : EnabledIGMPv2 immediate leave : DisabledExplicit host tracking : DisabledMulticast router learning mode : pim-dvmrpCGMP interoperability mode : IGMP_ONLYExplicit host tracking : DisabledSwitch#Related Commands
show ip igmp snooping membership
clear ip igmp snooping statistics vlan (refer to Cisco IOS documentation)
show ip igmp snooping statistics vlan (refer to Cisco IOS documentation)ip igmp snooping vlan immediate-leave
To enable IGMP immediate-leave processing, use the ip igmp snooping vlan immediate-leave command. To disable immediate-leave processing, use the no form of this command.
ip igmp snooping vlan vlan_num immediate-leave
no ip igmp snooping vlan vlan_num immediate-leave
Syntax Description
vlan_num
Number of the VLAN; valid values are from 1 to 4094.
immediate-leave
Enables immediate leave processing.
Defaults
Immediate leave processing is disabled.
Command Modes
Global configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(12c)EW
Support for extended addressing was added.
Usage Guidelines
You enter this command in global configuration mode only.
Use the immediate-leave feature only when there is a single receiver for the MAC group for a specific VLAN.
The immediate-leave feature is supported only with IGMP version 2 hosts.
Examples
This example shows how to enable IGMP immediate-leave processing on VLAN 4:
Switch(config)# ip igmp snooping vlan 4 immediate-leaveSwitch(config)#This example shows how to disable IGMP immediate-leave processing on VLAN 4:
Switch(config)# no ip igmp snooping vlan 4 immediate-leaveSwitch(config)#Related Commands
ip igmp snooping
ip igmp snooping vlan mrouter
ip igmp snooping vlan static
show ip igmp interface (refer to Cisco IOS documentation)
show mac-address-table multicastip igmp snooping vlan mrouter
To statically configure an Layer 2 interface as a multicast router interface for a VLAN, use the
ip igmp snooping vlan mrouter command. To remove the configuration, use the no form of this command.ip igmp snooping vlan vlan-id mrouter {interface {{fastethernet slot/port} | {gigabitethernet slot/port} | {tengigabitethernet slot/port} | {port-channel number}} |
{learn {cgmp | pim-dvmrp}}noip igmp snooping vlan vlan-id mrouter {interface {{fastethernet slot/port} | {gigabitethernet slot/port} | {tengigabitethernet slot/port} | {port-channel number}} |
{learn {cgmp | pim-dvmrp}}Syntax Description
Defaults
Multicast switch snooping PIM-DVMRP packets are specified.
Command Modes
Interface configuration mode
Command History
Usage Guidelines
You enter this command in VLAN interface configuration mode only.
The interface to the switch must be in the VLAN where you are entering the command. It must be both administratively up and line protocol up.
The CGMP learning method can decrease control traffic.
The learning method that you configure is saved in NVRAM.
The static connections to multicast interfaces are supported only on switch interfaces.
Examples
This example shows how to specify the next-hop interface to a multicast switch:
Switch(config-if)# ip igmp snooping 400 mrouter interface fastethernet 5/6Switch(config-if)#This example shows how to specify the multicast switch learning method:
Switch(config-if)# ip igmp snooping 400 mrouter learn cgmpSwitch(config-if)#Related Commands
ip igmp snooping
ip igmp snooping vlan immediate-leave
ip igmp snooping vlan static
show ip igmp snooping
show ip igmp snooping mrouterip igmp snooping vlan static
To configure a Layer 2 interface as a member of a group, use the ip igmp snooping vlan static command. To remove the configuration, use the no form of this command.
ip igmp snooping vlan vlan_num static mac-address {interface {fastethernet slot/port} | {gigabitethernet slot/port} | {tengigabitethernet slot/port} | {port-channel number}}
no ip igmp snooping vlan vlan_num static mac-address {interface {fastethernet slot/port} | {gigabitethernet slot/port} | {tengigabitethernet mod/interface-number} | {port-channel number}}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
Examples
This example shows how to configure a host statically on an interface:
Switch(config)# ip igmp snooping vlan 4 static 0100.5e02.0203 interface fastethernet 5/11Configuring port FastEthernet5/11 on group 0100.5e02.0203 vlan 4Switch(config)#Related Commands
ip igmp snooping
ip igmp snooping vlan immediate-leave
ip igmp snooping vlan mrouter
show mac-address-table multicastip local-proxy-arp
To enable the local proxy ARP feature, use the ip local-proxy-arp command. To disable the local proxy ARP feature, use the no form of this command.
ip local-proxy-arp
no ip local-proxy-arp
Syntax Description
This command has no arguments or keywords.
Defaults
Local proxy ARP is disabled.
Command Modes
Interface configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
Use this feature only on subnets where hosts are intentionally prevented from communicating directly to the switch on which they are connected.
ICMP redirect is disabled on interfaces where the local proxy ARP feature is enabled.
Examples
This example shows how to enable the local proxy ARP feature:
Switch(config-if)# ip local-proxy-arpSwitch(config-if)#ip mfib fastdrop
To enable MFIB fast drop, use the ip mfib fastdrop command. To disable MFIB fast drop, use the no form of this command.
ip mfib fastdrop
no ip mfib fastdrop
Syntax Description
This command has no arguments or keywords.
Defaults
MFIB fast drop is enabled.
Command Modes
EXEC
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
This example shows how to enable MFIB fast drops:
Switch# ip mfib fastdropSwitch#Related Commands
clear ip mfib fastdrop
show ip mfib fastdropip route-cache flow
To enable NetFlow statistics for IP routing, use the ip route-cache flow command. To disable NetFlow statistics, use the no form of this command.
ip route-cache flow [infer-fields]
no ip route-cache flow [infer-fields]
Syntax Description
infer-fields
(Optional) Includes the NetFlow fields as inferred by the software: Input identifier, Output identifier, and Routing information.
Defaults
NetFlow statistics is disabled.
Inferred information is excluded.
Command Modes
Configuration
Command History
12.1(13)EW
Support for this command was introduced on the Catalyst 4500 series switches.
12.1(19)EW
Command enhanced to support infer fields.
Usage Guidelines
To use these commands, you need to install the Supervisor Engine IV and the NetFlow Service Card.
The NetFlow statistics feature captures a set of traffic statistics. These traffic statistics include the source IP address, destination IP address, Layer 4 port information, protocol, input and output identifiers, and other routing information that can be used for network analysis, planning, accounting, billing and identifying DoS attacks.
NetFlow switching is supported on IP and IP-encapsulated traffic over all interface types.
If you enter the ip route-cache flow infer-fields command after the ip route-cache flow command, you will purge the existing cache, and vice versa. This action is done to avoid having flows with and without inferred fields in the cache simultaneously.
For additional information on NetFlow switching, refer to the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide.
Note
Examples
This example shows how to enable NetFlow switching on the switch:
Switch# config terminalSwitch(config)# ip route-cache flowSwitch(config)# exitSwitch#
Note
ip source binding
To add or delete a static IP source binding entry, use the ip source binding command. To delete the corresponding IP source binding entry, use the no form of this command.
ip source binding ip-address mac-address vlan vlan-id interface interface-name
no ip source binding ip-address mac-address vlan vlan-id interface interface-name
Syntax Description
ip-address
Binding IP address.
mac-address
Binding MAC address.
vlan vlan-id
VLAN number.
interface interface-name
Binding interface.
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The ip source binding command is used to add a static IP source binding entry only.
The no form of this command deletes the corresponding IP source binding entry. For the deletion to succeed, all required parameters must match.
Each static IP binding entry is keyed by a MAC address and VLAN number. If the CLI contains an existing MAC and VLAN, the existing binding entry will be updated with the new parameters; a separate binding entry will not be created.
Examples
This example shows how to configure the static IP source binding:
Switch# config terminalSwitch(config)# ip source binding 11.0.0.1 0000.000A.000B vlan 10 interface fastethernet6/10Switch(config)#Related Commands
ip sticky-arp
To enable sticky ARP, use the ip sticky-arp command. Use the no form of this command to disable sticky ARP.
ip sticky-arp
no ip sticky-arp
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
This command is supported on PVLANs only.
ARP entries that are learned on Layer3 PVLAN interfaces are sticky ARP entries. (You should display and verify ARP entries on the PVLAN interface using the show arp command).
For security reasons, sticky ARP entries on the PVLAN interface do not age out. Connecting new equipment with the same IP address generates a message and the ARP entry is not created.
Because the ARP entries on the PVLAN interface do not age out, you must manually remove ARP entries on the PVLAN interface if a MAC address changes.
Unlike static entries, sticky-ARP entries are not stored and restored when you enter the reboot and restart commands.
Examples
This example shows how to enable sticky ARP:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config) ip sticky-arpSwitch(config)# endSwitch#This example shows how to disable sticky ARP:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config) no ip sticky-arpSwitch(config)# endSwitch#Related Commands
arp (refer to Cisco IOS documentation)
show arp (refer to Cisco IOS documentation)ip verify header vlan all
To enable IP header validation for Layer 2-switched IPv4 packets, use the ip verify header vlan all command. To disable the IP header validation, use the no form of this command.
ip verify header vlan all
no ip verify header vlan all
Syntax Description
This command has no default settings.
Defaults
The IP header is validated for bridged and routed IPv4 packets.
Command Modes
Configuration
Command History
12.1(20)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
This command does not apply to Layer 3-switched (routed) packets.
The Catalyst 4500 series switch checks the validity of the following fields in the IPv4 header for all switched IPv4 packets:
•
•
•
If an IPv4 packet fails the IP header validation, the packet is dropped. If you disable the header validation, the packets with the invalid IP headers are bridged but are not routed even if routing was intended. The IPv4 access lists also are not applied to the IP headers.
Examples
This example shows how to disable the IP header validation for the Layer 2-switched IPv4 packets:
Switch# config terminalSwitch(config)# no ip verify header vlan allSwitch(config)# endSwitch#ip verify source
To enable IP source guard on untrusted Layer 2 interfaces, use the ip verify source command. To disable IP source guard on untrusted Layer 2 interfaces, use the no form of this command.
ip verify source {vlan dhcp-snooping | tracking} [port-security]
no ip verify source {vlan dhcp-snooping | tracking} [port-security]
Syntax Description
Defaults
IP source guard is disabled.
Command Modes
Global configuration mode
Command History
12.1(19)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.2(37)SG
Added support for IP port security and tracking.
Examples
This example shows how to enable IP source guard on VLANs 10 through 20 on a per-port basis:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip dhcp snoopingSwitch(config)# ip dhcp snooping vlan 10 20Switch(config)# interface fastethernet6/1Switch(config-if)# switchport trunk encapsulation dot1qSwitch(config-if)# switchport mode trunkSwitch(config-if)# switchport trunk native vlan 10Switch(config-if)# switchport trunk allowed vlan 11-20Switch(config-if)# no ip dhcp snooping trustSwitch(config-if)# ip verify source vlan dhcp-snoopingSwitch(config)# endSwitch# show ip verify source interface f6/1Interface Filter-type Filter-mode IP-address Mac-address Vlan--------- ----------- ----------- --------------- ----------------- ----------Fa6/1 ip-mac active 10.0.0.1 10Fa6/1 ip-mac active deny-all 11-20Switch#This example shows how to enable IP Port Security with IP-Mac filters on a Layer 2 access port:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# ip device trackingSwitch(config)# interface fastEthernet 4/3Switch(config-if)# switchport mode accessSwitch(config-if)# switchport access vlan 1Switch(config-if)# ip device tracking maximum 5Switch(config-if)# switchport port-securitySwitch(config-if)# switchport port-security maximum 5Switch(config-if)# ip verify source tracking port-securitySwitch(config-if)# endYou can verify your settings by entering the show ip verify source privileged EXEC command.
Related Commands
debug ip verify source packet (refer to Cisco IOS documentation)
ip device tracking maximum
ip dhcp snooping
ip dhcp snooping limit rate
ip dhcp snooping information option
ip dhcp snooping trust
ip source binding (refer to Cisco IOS documentation)
show ip dhcp snooping
show ip dhcp snooping binding
show ip verify source (refer to Cisco IOS documentation)
show ip source binding (refer to Cisco IOS documentation)ip verify unicast source reachable-via
To enable and configure unicast RPF checks on a Supervisor Engine 6-E and Catalyst 4900M chassis IPv4 interface, use the ip verify unicast source reachable-via command. To disable unicast RPF, use the no form of this command.
ip verify unicast source reachable-via rx allow-default
no ip verify unicast source reachable-via
Syntax Description
rx
Verifies that the source address is reachable on the interface where the packet was received.
allow-default
Verifies that the default route matches the source address.
Defaults
Disabled
Command Modes
Interface configuration mode
Command History
12.2(40)SG
Support for this command was introduced on the Catalyst 4500 with a Supervisor Engine 6-E and Catalyst 4900M chassis.
Usage Guidelines
Note
Do not use unicast RPF on internal network interfaces. Internal interfaces might have routing asymmetry, which means that there are multiple routes to the source of a packet. Apply unicast RPF only where there is natural or configured symmetry.
Examples
This example shows how to enable unicast RPF exist-only checking mode:
Switch# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gigabitethernet1/1Switch(config-if)# ip verify unicast source reachable-via rx allow-defaultSwitch(config-if)# endSwitch#Related Commands
ip cef (refer to Cisco IOS documentation)
show running-configipv6 mld snooping
To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping globally or on the specified VLAN, use the ipv6 mld snooping command without keywords. To disable MLD snooping on a switch or the VLAN, use the no form of this command.
ipv6 mld snooping [vlan vlan-id]
no ipv6 mld snooping [vlan vlan-id]
Syntax Description
vlan vlan-id
(Optional) Enables or disables IPv6 MLD snooping on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
Defaults
MLD snooping is globally disabled on the switch.
MLD snooping is enabled on all VLANs. However, MLD snooping must be globally enabled before VLAN snooping can take place.
Command Modes
Global configuration mode
Command History
Usage Guidelines
When MLD snooping is globally disabled, it is disabled on all the existing VLAN interfaces. When you globally enable MLD snooping, it is enabled on all VLAN interfaces that are in the default state (enabled). VLAN configuration overrides global configuration on interfaces on which MLD snooping has been disabled.
If MLD snooping is globally disabled, you cannot enable it on a VLAN. If MLD snooping is globally enabled, you can disable it on individual VLANs.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
This example shows how to globally enable MLD snooping:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snoopingSwitch(config)#endSwitch#This example shows how to disable MLD snooping on a VLAN:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#no ipv6 mld snooping vlan 11Switch(config)#endSwitch#You can verify your settings by entering the show ipv6 mld snooping user EXEC command.
Related Commands
ipv6 mld snooping last-listener-query-count
To configure IP version 6 (IPv6) Multicast Listener Discovery Mulitcast Address Specific Queries (MASQs) that will be sent before aging out a client, use the ipv6 mld snooping last-listener-query-count command. To reset the query count to the default settings, use the no form of this command.
ipv6 mld snooping [vlan vlan-id] last-listener-query-count integer_value
no ipv6 mld snooping [vlan vlan-id] last-listener-query-count
Syntax Description
vlan vlan-id
(Optional) Configure last-listener query count on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
integer_value
The range is 1 to 7.
Command Default
The default global count is 2.
The default VLAN count is 0 (the global count is used).
Command Modes
Global configuration mode
Command History
Usage Guidelines
In MLD snooping, the IPv6 multicast switch periodically sends out queries to hosts belonging to the multicast group. If a host wants to leave a multicast group, it can silently leave or it can respond to the query with a Multicast Listener Done message (equivalent to an IGMP Leave message). When Immediate Leave is not configured (it should not be configured if multiple clients for a group exist on the same port), the configured last-listener query count determines the number of MASQs that are sent before an MLD client is aged out.
When the last-listener query count is set for a VLAN, this count overrides the value configured globally. When the VLAN count is not configured (set to the default of 0), the global count is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
This example shows how to globally set the last-listener query count:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping last-listener-query-count 1Switch(config)#endSwitch#This example shows how to set the last-listener query count for VLAN 10:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping vlan 10 last-listener-query-count 3Switch(config)#endSwitch#You can verify your settings by entering the show ipv6 mld snooping [vlan vlan-id] user EXEC command.
Related Commands
ipv6 mld snooping last-listener-query-interval
show ipv6 mld snooping querieripv6 mld snooping last-listener-query-interval
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping last-listener query interval on the switch or on a VLAN, use the ipv6 mld snooping last-listener-query-interval command. To reset the query time to the default settings, use the no form of this command.
ipv6 mld snooping [vlan vlan-id] last-listener-query-interval integer_value
no ipv6 mld snooping [vlan vlan-id] last-listener-query-interval
Syntax Description
Command Default
The default global query interval (maximum response time) is 1000 (1 second).
The default VLAN query interval (maximum response time) is 0 (the global count is used).
Command Modes
Global configuration mode
Command History
Usage Guidelines
The last-listener-query-interval time is the maximum time that a multicast switch waits after issuing a Mulitcast Address Specific Query (MASQ) before deleting a port from the multicast group.
In MLD snooping, when the IPv6 multicast switch receives an MLD leave message, it sends out queries to hosts belonging to the multicast group. If there are no responses from a port to a MASQ for a length of time, the switch deletes the port from the membership database of the multicast address. The last listener query interval is the maximum time that the switch waits before deleting a nonresponsive port from the multicast group.
When a VLAN query interval is set, the global query interval is overridden. When the VLAN interval is set at 0, the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
This example shows how to globally set the last-listener query interval to 2 seconds:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping last-listener-query-interval 2000Switch(config)#endSwitch#This example shows how to set the last-listener query interval for VLAN 1 to 5.5 seconds:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping vlan 1 last-listener-query-interval 5500Switch(config)#endSwitch#You can verify your settings by entering the show ipv6 MLD snooping [vlan vlan-id] user EXEC command.
Related Commands
ipv6 mld snooping last-listener-query-count
show ipv6 mld snooping querieripv6 mld snooping listener-message-suppression
To enable IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping listener message suppression, use the ipv6 mld snooping listener-message-suppression command. To disable MLD snooping listener message suppression, use the no form of this command.
ipv6 mld snooping listener-message-suppression
no ipv6 mld snooping listener-message-suppression
Command Default
The default is for MLD snooping listener message suppression to be disabled.
Command Modes
Global configuration mode
Command History
Usage Guidelines
MLD snooping listener message suppression is equivalent to IGMP snooping report suppression. When it is enabled, received MLDv1 reports to a group are forwarded to IPv6 multicast switchs only once in every report-forward time. This prevents the forwarding of duplicate reports.
Examples
This example shows how to enable MLD snooping listener message suppression:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping listener-message-suppressionSwitch(config)#endSwitch#This example shows how to disable MLD snooping listener message suppression:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#no ipv6 mld snooping listener-message-suppressionSwitch(config)#endSwitch#You can verify your settings by entering the show ipv6 mld snooping [vlan vlan-id] user EXEC command.
Related Commands
ipv6 mld snooping
show ipv6 mld snoopingipv6 mld snooping robustness-variable
To configure the number of IP version 6 (IPv6) Multicast Listener Discovery (MLD) queries that the switch sends before deleting a listener that does not respond, or to enter a VLAN ID to configure the number of queries per VLAN, use the ipv6 mld snooping robustness-variable command. To reset the variable to the default settings, use the no form of this command.
ipv6 mld snooping [vlan vlan-id] robustness-variable integer_value
no ipv6 mld snooping [vlan vlan-id] robustness-variable
Syntax Description
vlan vlan-id
(Optional) Configure the robustness variable on the specified VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
integer_value
The range is 1 to 3.
Command Default
The default global robustness variable (number of queries before deleting a listener) is 2.
The default VLAN robustness variable (number of queries before aging out a multicast address) is 0, which means that the system uses the global robustness variable for aging out the listener.
Command Modes
Global configuration mode
Command History
Usage Guidelines
Robustness is measured by the number of MLDv1 queries sent with no response before a port is removed from a multicast group. A port is deleted when there are no MLDv1 reports received for the configured number of MLDv1 queries. The global value determines the number of queries that the switch waits before deleting a listener that does not respond, and it applies to all VLANs that do not have a VLAN value set.
The robustness value configured for a VLAN overrides the global value. If the VLAN robustness value is 0 (the default), the global value is used.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
This example shows how to configure the global robustness variable so that the switch sends out three queries before it deletes a listener port that does not respond:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping robustness-variable 3Switch(config)#endSwitch#This example shows how to configure the robustness variable for VLAN 1. This value overrides the global configuration for the VLAN:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping vlan 1 robustness-variable 1Switch(config)#endSwitch#You can verify your settings by entering the show ipv6 MLD snooping [vlan vlan-id] user EXEC command.
Related Commands
ipv6 mld snooping last-listener-query-count
show ipv6 mld snoopingipv6 mld snooping tcn
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) Topology Change Notifications (TCNs), use the ipv6 mld snooping tcn commands. To reset the default settings, use the no form of the commands.
ipv6 mld snooping tcn {flood query count integer_value | query solicit}
no ipv6 mld snooping tcn {flood query count integer_value | query solicit}
Syntax Description
Command Default
TCN query soliciting is disabled.
When enabled, the default flood query count is 2.
Command Modes
Global configuration mode
Command History
Examples
This example shows how to enable TCN query soliciting:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping tcn query solicit.Switch(config)#endSwitch#This example shows how to set the flood query count to 5:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping tcn flood query count 5.Switch(config)#endSwitch#You can verify your settings by entering the show ipv6 MLD snooping [vlan vlan-id] user EXEC command.
Related Commands
ipv6 mld snooping vlan
To configure IP version 6 (IPv6) Multicast Listener Discovery (MLD) snooping parameters on the VLAN interface, use the ipv6 mld snooping vlan command. To reset the parameters to the default settings, use the no form of this command.
ipv6 mld snooping vlan vlan-id [immediate-leave | mrouter interface interface-id | static ipv6-multicast-address interface interface-id]
no ipv6 mld snooping vlan vlan-id [immediate-leave | mrouter interface interface-id | static ip-address interface interface-id]
Syntax Description
Command Default
MLD snooping Immediate-Leave processing is disabled.
By default, there are no static IPv6 multicast groups.
By default, there are no multicast switch ports.
Command Modes
Global configuration mode
Command History
Usage Guidelines
You should only configure the Immediate-Leave feature when there is only one receiver on every port in the VLAN. The configuration is saved in NVRAM.
The static keyword is used for configuring the MLD member ports statically.
The configuration and the static ports and groups are saved in NVRAM.
VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs and cannot be used in MLD snooping.
Examples
This example shows how to enable MLD Immediate-Leave processing on VLAN 1:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping vlan 1 immediate-leaveSwitch(config)#endSwitch#This example shows how to disable MLD Immediate-Leave processing on VLAN 1:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#no ipv6 mld snooping vlan 1 immediate-leaveSwitch(config)#endSwitch#This example shows how to configure a port as a multicast switch port:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping vlan 1 mrouter interface gigabitethernet1/0/2Switch(config)#endSwitch#This example shows how to configure a static multicast group:
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#ipv6 mld snooping vlan 2 static FF12::34 interface gigabitethernet1/0/2Switch(config)#endSwitch#You can verify your settings by entering the show ipv6 mld snooping vlan vlan-id user EXEC command.
Related Commands
ipv6 mld snooping
ipv6 mld snooping vlan
show ipv6 mld snoopingissu abortversion
To cancel the ISSU upgrade or the downgrade process in progress and to restore the Catalyst 4500 series switch to its state before the start of the process, use the issue abortversion command.
issu abortversion active-slot [active-image-new]
Syntax Description
active-slot
Specifies the slot number for the current standby supervisor engine.
active-image-new
(Optional) Name of the new image present in the current standby supervisor engine.
Defaults
There are no default settings.
Command Modes
Privileged EXEC mode
Command History
Usage Guidelines
You can use the issu abortversion command at any time to stop the ISSU process to complete the process by entering the issu commitversion command. Before any action is taken, a check ensures that both supervisor engines are either in the run version (RV) or load version (LV) state.
When the issu abortversion command is entered before the issu runversion command, the standby supervisor engine is reset and reloaded with the old image. When the issu abortversion command is entered after the issu runversion command, a change takes place and the new standby supervisor engine is reset and reloaded with the old image.
Examples
This example shows how you can reset and reload the standby supervisor engine:
Switch# issu abortversion 2Switch#Related Commands
issu acceptversion
issu commitversion
issu loadversion
issu runversion
show issu stateissu acceptversion
To halt the rollback timer and to ensure that the new Cisco IOS software image is not automatically stopped during the ISSU process, use the issu acceptversion command.
issu acceptversion active-slot [active-image-new]
Syntax Description
active-slot
Specifies the slot number for the currently active supervisor engine.
active-image-new
(Optional) Name of the new image on the current lyactive supervisor engine.
Defaults
Rollback timer resets automatically 45 minutes after you issue the issu runversion command.
Command Modes
Privileged EXEC mode
Command History
Usage Guidelines
After you are satisfied with the new image and have confirmed the new supervisor engine is reachable by both the console and the network, enter the issu acceptversion command to halt the rollback timer. If the issu acceptversion command is not entered within 45 minutes from the time the issu runversion command is entered, the entire ISSU process is automatically rolled back to the previous version of the software. The rollback timer starts immediately after you issue the issu runversion command.
If the rollback timer expires before the standby supervisor engine goes to a hot standby state, the timer is automatically extended by up to 15 minutes. If the standby state goes to a hot-standby state within this extension time or the 15 minute extension expires, the switch aborts the ISSU process. A warning message that requires your intervention is displayed every 1 minute of the timer extension.
If the rollback timer is set to a long period of time, such as the default of 45 minutes, and the standby supervisor engine goes into the hot standby state in 7 minutes, you have 38 minutes (45 minus 7) to roll back if necessary.
Use the issu set rollback-timer to configure the rollback timer.
Examples
This example shows how to halt the rollback timer and allow the ISSU process to continue:
Switch# issu acceptversion 2Switch#Related Commands
issu abortversion
issu commitversion
issu loadversion
issu runversion
issu set rollback-timer
show issu stateissu commitversion
To load the new Cisco IOS software image into the new standby supervisor engine, use the
issu commitversion command.issu commitversion standby-slot standby-image-new
Syntax Description
standby-slot
Specifies the slot number for the currently active supervisor engine.
active-image-new
(Optional) Name of the new image on the current lyactive supervisor engine.
Defaults
Enabled by default.
Command Modes
Privileged EXEC mode
Command History
Usage Guidelines
The issu commitversion command checks that the standby supervisor engine has the new Cisco IOS software image in its file system and that both supervisor engines are in the run version (RV) state. If these conditions are met, the following actions take place:
•
•
•
Entering the issu commitversion command completes the In Service Software Upgrade (ISSU) process. This process cannot be stopped or reverted to its original state without starting a new ISSU process.
Entering the issu commitversion command without entering the issu acceptversion command is equivalent to entering both the issu acceptversion and the issu commitversion commands. Use the
issu commitversion command if you do not intend to run in the current state for an extended period of time and are satisfied with the new software version.Examples
This example shows how you can configure the standby supervisor engine to be reset and reloaded with the new Cisco IOS software version:
Switch# issu commitversion 1Switch#Related Commands
issu acceptversion
issu commitversion
issu loadversion
issu runversion
show issu stateissu config-sync mismatched-commands
If the IOS version differs on your active and standby supervisors, some CLIs will not be compatible between them. If such commands are already present in the running configuration of the active supervisor engine and the syntax-check for the command fails at the standby supervisor engine while it is booting, the issu config-sync mismatched-commands command moves the active supervisor engine into the Mismatched Command List (MCL) and resets the standby supervisor engine.
issu config-sync {ignore | validate} mismatched-commands
Syntax Description
ignore
Ignore the mismatched command list.
validate
Revalidate the mismatched command list with the modified running-configuration.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC mode
Command History
Usage Guidelines
The following is an example log entry for Mismatched Commands:
00:06:31: Config Sync: Bulk-sync failure due to Servicing Incompatibility. Please check full list of mismatched commands via:show issu config-sync failures mcl00:06:31: Config Sync: Starting lines from MCL file:interface GigabitEthernet7/7! <submode> "interface"- ip address 11.0.0.1 255.0.0.0! </submode> "interface"To display all Mismatched Commands, use the show issu config-sync failures mcl command.
To clean the MCL, use the following steps:
Step 1
Step 2
issu config-sync validate mismatched-commands command.Step 3
You could also ignore the MCL by doing the following:
Step 1
Step 2
Note
Step 3
Examples
This example shows how you can validate removal of entries from the MCL:
Switch# issu config-sync validate mismatched-commandsSwitch#Related Commands
issu loadversion
To start the ISSU process, use the issu loadversion command.
issue loadversion active-slot active-image-new standby-slot standby-image-new [force]
Syntax Description
Defaults
This command has no default settings.
Command Modes
Privileged EXEC mode
Command History
Usage Guidelines
The issue loadversion command causes the standby supervisor engine to be reset and booted with the new Cisco IOS software image specified by the command. If both the old image and the new image are ISSU capable, ISSU compatible, and have no configuration mismatches, the standby supervisor engine moves into Stateful Switchover (SSO) mode, and both supervisor engines move into the load version (LV) state.
It will take several seconds after the issu loadversion command is entered for Cisco IOS software to load onto the standby supervisor engine and the standby supervisor engine to transition to SSO mode.
Examples
This example shows how to initiate the ISSU process:
Switch# issu loadversion 1 bootflash:new-image 2 slavebootflash:new-imageSwitch#Related Commands
issu abortversion
issu acceptversion
issu commitversion
issu runversion
show issu stateissu runversion
To force a change from the active supervisor engine to the standby supervisor engine and to cause the newly active supervisor engine to run the new image specified in the issu loadversion command, use the issu runversion command.
issu runversion standby-slot [standby-image-new]
Syntax Description
standby-slot
Specifies the standby slot on the networking device.
standby-image-new
Specifies the name of the new image on the standby supervisor engine.
Defaults
This command has no default settings.
Command Modes
Privileged EXEC mode
Command History
Usage Guidelines
The issu runversion command changes the currently active-supervisor engine to standby-supervisor engine and the real standby-supervisor engine is booted with the old image version following and resets the switch. As soon as the standby-supervisor engine moves into the standby state, the rollback timer is started.
Examples
This example shows how to force a change of the active-supervisor engine to standby-supervisor engine:
Switch# issu runversion 2Switch#Related Commands
issu abortversion
issu acceptversion
issu commitversion
issu loadversion
show issu stateissu set rollback-timer
To configure the In Service Software Upgrade (ISSU) rollback timer value, use the
issu set rollback-timer command.issu set rollback-timer seconds
Syntax Description
seconds
Specfies the rollback timer value, in seconds. The valid timer value range is from 0 to 7200 seconds (2 hours). A value of 0 seconds disables the rollback timer.
Defaults
Rollback timer value is 2700 seconds.
Command Modes
Global configuration mode
Command History
Usage Guidelines
Use the issue set rollback-timer command to configure the rollback timer value. You can only enable this command when the supervisor engines are in the init state.
Examples
This example shows how you can set the rollback timer value to 3600 seconds, or 1 hour:
Switch# configure terminalSwitch(config)# issu set rollback-timer 3600Switch(config)# endSwitch#Related Commands
issu acceptversion
issu set rollback-timerl2protocol-tunnel
To enable protocol tunneling on an interface, use the l2protocol-tunnel command. You can enable tunneling for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable tunneling on the interface, use the no form of this command.
l2protocol-tunnel [cdp | stp | vtp]
no l2protocol-tunnel [cdp | stp | vtp]
Syntax Description
cdp
(Optional) Enables tunneling of CDP.
stp
(Optional) Enables tunneling of STP.
vtp
(Optional) Enables tunneling of VTP.
Defaults
The default is that no Layer 2 protocol packets are tunneled.
Command Modes
Interface configuration mode
Command History
12.2(18)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
You must enter this command, with or without protocol types, to tunnel Layer 2 packets.
Layer 2 protocol tunneling across a service-provider network ensures that Layer 2 information is propagated across the network to all customer locations. When protocol tunneling is enabled, protocol packets are encapsulated with a well-known Cisco multicast address for transmission across the network. When the packets reach their destination, the well-known MAC address is replaced by the Layer 2 protocol MAC address.
You can enable Layer 2 protocol tunneling for CDP, STP, and VTP individually or for all three protocols.
Examples
This example shows how to enable protocol tunneling for the CDP packets:
Switch(config-if)# l2protocol-tunnel cdpSwitch(config-if)#Related Commands
l2protocol-tunnel cos
l2protocol-tunnel drop-threshold
l2protocol-tunnel shutdown-thresholdl2protocol-tunnel cos
To configure the class of service (CoS) value for all tunneled Layer 2 protocol packets, use the l2protocol-tunnel cos command. To return to the default value of zero, use the no form of this command.
l2protocol-tunnel cos value
no l2protocol-tunnel cos
Syntax Description
value
Specifies the CoS priority value for tunneled Layer 2 protocol packets. The range is 0 to 7, with 7 being the highest priority.
Defaults
The default is to use the CoS value that is configured for data on the interface. If no CoS value is configured, the default is 5 for all tunneled Layer 2 protocol packets.
Command Modes
Global configuration mode
Command History
12.2(18)EW
This command was first introduced on the Catalyst 4500 series switch.
Usage Guidelines
When enabled, the tunneled Layer 2 protocol packets use this CoS value.
The value is saved in NVRAM.
Examples
This example shows how to configure a Layer 2 protocol tunnel CoS value of 7:
Switch(config)# l2protocol-tunnel cos 7Switch(config)#Related Commands
l2protocol-tunnel
l2protocol-tunnel drop-threshold
l2protocol-tunnel shutdown-thresholdl2protocol-tunnel drop-threshold
To set a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets, use the I2protocol-tunnel drop-threshold command. You can set the drop threshold for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the drop threshold on the interface, use the no form of this command.
l2protocol-tunnel drop-threshold [cdp | stp | vtp] value
no l2protocol-tunnel drop-threshold [cdp | stp | vtp] value
Syntax Description
Defaults
The default is no drop threshold for the number of the Layer 2 protocol packets.
Command Modes
Interface configuration mode
Command History
12.2(18)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The l2protocol-tunnel drop-threshold command controls the number of protocol packets per second that are received on an interface before it drops packets. When no protocol option is specified with a keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a shutdown threshold on the interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.
When the drop threshold is reached, the interface drops the Layer 2 protocol packets until the rate at which they are received is below the drop threshold.
Examples
This example shows how to configure the drop threshold rate:
Switch(config-if)# l2protocol-tunnel drop-threshold cdp 50Switch(config-if)#Related Commands
l2protocol-tunnel
l2protocol-tunnel cos
l2protocol-tunnel shutdown-thresholdl2protocol-tunnel shutdown-threshold
To configure the protocol tunneling encapsulation rate, use the I2protocol-tunnel shutdown-threshold command. You can set the encapsulation rate for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the encapsulation rate on the interface, use the no form of this command.
l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value
no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value
Syntax Description
Defaults
The default is no shutdown threshold for the number of Layer 2 protocol packets.
Command Modes
Interface configuration mode
Command History
12.2(18)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The l2-protocol-tunnel shutdown-threshold command controls the number of protocol packets per second that are received on an interface before it shuts down. When no protocol option is specified with the keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a drop threshold on the interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.
When the shutdown threshold is reached, the interface is error disabled. If you enable error recovery by entering the errdisable recovery cause l2ptguard command, the interface is brought out of the error-disabled state and allowed to retry the operation again when all the causes have timed out. If the error recovery feature generation is not enabled for l2ptguard, the interface stays in the error-disabled state until you enter the shutdown and no shutdown commands.
Examples
This example shows how to configure the maximum rate:
Switch(config-if)# l2protocol-tunnel shutdown-threshold cdp 50Switch(config-if)#Related Commands
l2protocol-tunnel
l2protocol-tunnel cos
l2protocol-tunnel shutdown-thresholdlacp port-priority
To set the LACP priority for the physical interfaces, use the lacp port-priority command.
lacp port-priority priority
Syntax Description
Defaults
Priority is set to 32768.
Command Modes
Interface configuration mode
Command History
Usage Guidelines
This command is not supported on the systems that are configured with a Supervisor Engine I.
You must assign each port in the switch a port priority that can be specified automatically or by entering the lacp port-priority command. The port priority is used with the port number to form the port identifier. The port priority is used to decide which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.
Although this command is a global configuration command, the priority value is supported only on port channels with LACP-enabled physical interfaces.This command is supported on LACP-enabled interfaces.
When setting the priority, the higher numbers indicate lower priorities.
Examples
This example shows how to set the priority for the interface:
Switch(config-if)# lacp port-priority 23748Switch(config-if)#Related Commands
channel-group
channel-protocol
lacp system-priority
show lacplacp system-priority
To set the priority of the system for LACP, use the lacp system-priority command.
lacp system-priority priority
Syntax Description
Defaults
Priority is set to 32768.
Command Modes
Global configuration mode
Command History
Usage Guidelines
This command is not supported on systems that are configured with a Supervisor Engine I.
You must assign each switch that is running LACP a system priority that can be specified automatically or by entering the lacp system-priority command. The system priority is used with the switch MAC address to form the system ID and is also used during negotiation with other systems.
Although this command is a global configuration command, the priority value is supported on port channels with LACP-enabled physical interfaces.
When setting the priority, tthe higher numbers indicate lower priorities.
You can also enter the lacp system-priority command in interface configuration mode. After you enter the command, the system defaults to global configuration mode.
Examples
This example shows how to set the system priority:
Switch(config)# lacp system-priority 23748Switch(config)#Related Commands
channel-group
channel-protocol
lacp port-priority
show lacplogging event link-status global (global configuration)
To change the default switch-wide global link-status event messaging settings, use the
logging event link-status global command. Use the no form of this command to disable the link-status event messaging.logging event link-status global
no logging event link-status global
Syntax Description
This command has no arguments or keywords.
Defaults
The global link-status messaging is disabled.
Command Modes
Global configuration mode
Command History
12.2(25)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
If link-status logging event is not configured at the interface level, this global link-status setting takes effect for each interface.
Examples
This example shows how to globally enable link status message on each interface:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# logging event link-status globalSwitch(config)# endSwitch#Related Commands
logging event link-status global (global configuration)
logging event link-status (interface configuration)
To enable the link-status event messaging on an interface, use the logging event link-status command. Use the no form of this command to disable link-status event messaging. Use the
logging event link-status use-global command to apply the global link-status setting.logging event link-status
no logging event link-status
logging event link-status use-global
Defaults
Global link-status messaging is enabled.
Command Modes
Interface configuration mode
Command History
12.2(25)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
To enable system logging of interface state-change events on a specific interface, enter the
logging event link-status command in interface configuration mode.To enable system logging of interface state-change events on all interfaces in the system, enter the logging event link-status global command in global configuration mode. All interfaces without the state change event configuration use the global setting.
Examples
This example shows how to enable logging event state-change events on interface gi11/1:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gi11/1Switch(config-if)# logging event link-statusSwitch(config-if)# endSwitch#This example shows how to turn off logging event link status regardless of the global setting:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gi11/1Switch(config-if)# no logging event link-statusSwitch(config-if)# endSwitch#This example shows how to enable the global event link-status setting on interface gi11/1:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gi11/1Switch(config-if)# logging event link-status use-globalSwitch(config-if)# endSwitch#Related Commands
logging event link-status global (global configuration)
logging event trunk-status global (global configuration)
To enable the trunk-status event messaging globally, use the logging event trunk-status global command. Use the no form of this command to disable trunk-status event messaging.
logging event trunk-status global
no logging event trunk-status global
Syntax Description
This command has no arguments or keywords.
Defaults
Global trunk-status messaging is disabled.
Command Modes
Global configuration mode
Command History
12.2(25)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
If trunk-status logging event is not configured at the interface level, the global trunk-status setting takes effect for each interface.
Examples
This example shows how to globally enable link status messaging on each interface:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# logging event trunk-status globalSwitch(config)# endSwitch#Related Commands
logging event trunk-status global (global configuration)
logging event trunk-status (interface configuration)
To enable the trunk-status event messaging on an interface, use the logging event trunk-status command. Use the no form of this command to disable the trunk-status event messaging. Use the
logging event trunk-status use-global command to apply the global trunk-status setting.logging event trunk-status
no logging event trunk-status
logging event trunk-status use-global
Defaults
Global trunk-status messaging is enabled.
Command Modes
Interface configuration mode
Command History
12.2(25)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
To enable system logging of interface state-change events on a specific interface, enter the
logging event trunk-status command in interface configuration mode.To enable system logging of interface state-change events on all interfaces in the system, enter the logging event trunk-status use-global command in global configuration mode. All interfaces without the state change event configuration use the global setting.
Examples
This example shows how to enable logging event state-change events on interface gi11/1:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gi11/1Switch(config-if)# logging event trunk-statusSwitch(config-if)# endSwitch#This example shows how to turn off logging event trunk status regardless of the global setting:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gi11/1Switch(config-if)# no logging event trunk-statusSwitch(config-if)# endSwitch#This example shows how to enable the global event trunk-status setting on interface gi11/1:
Switch# config terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)# interface gi11/1Switch(config-if)# logging event trunk-status use-globalSwitch(config-if)# endSwitch#Related Commands
logging event trunk-status global (global configuration)
mac access-list extended
To define the extended MAC access lists, use the mac access-list extended command. To remove the MAC access lists, use the no form of this command.
mac access-list extended name
no mac access-list extended name
Syntax Description
Defaults
MAC access lists are not defined.
Command Modes
Global configuration mode
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
When you enter the ACL name, follow these naming conventions:
•
•
•
•
•
When you enter the mac access-list extended name command, you use the [no] {permit | deny} {{src-mac mask | any} [dest-mac mask]} [protocol-family {appletalk | arp-non-ipv4 | decnet | ipx | ipv6 | rarp-ipv4 | rarp-non-ipv4 | vines | xns}] subset to create or delete entries in a MAC layer access list.
Table 2-7 describes the syntax of the mac access-list extended subcommands.
Table 2-7 mac access-list extended Subcommands
deny
Prevents access if the conditions are matched.
no
(Optional) Deletes a statement from an access list.
permit
Allows access if the conditions are matched.
src-mac mask
Source MAC address in the form: source-mac-address source-mac-address-mask.
any
Specifies any protocol type.
dest-mac mask
(Optional) Destination MAC address in the form: dest-mac-address dest-mac-address-mask.
protocol-family
(Optional) Name of the protocol family. Table 2-8 lists which packets are mapped to a particular protocol family.
Table 2-8 describes mapping an Ethernet packet to a protocol family.
When you enter the src-mac mask or dest-mac mask value, follow these guidelines:
•
•
•
•
•
•
•
Examples
This example shows how to create a MAC layer access list named mac_layer that denies traffic from 0000.4700.0001, which is going to 0000.4700.0009, and permits all other traffic:
Switch(config)# mac access-list extended mac_layerSwitch(config-ext-macl)# deny 0000.4700.0001 0.0.0 0000.4700.0009 0.0.0 protocol-family appletalkSwitch(config-ext-macl)# permit any anySwitch(config-ext-macl)# endSwitch#Related Commands
mac-address-table aging-time
To configure the aging time for the entries in the Layer 2 table, use the mac-address-table aging-time command. To reset the seconds value to the default setting, use the no form of this command.
mac-address-table aging-time seconds [vlan vlan_id]
no mac-address-table aging-time seconds [vlan vlan_id]
Syntax Description
seconds
Aging time in seconds; valid values are 0 and from 10 to 1000000 seconds.
vlan vlan_id
(Optional) Single VLAN number or a range of VLANs; valid values are from 1 to 4094.
Defaults
Aging time is set to 300 seconds.
Command Modes
Global configuration mode
Command History
12.1(8a)EW
Support for this command was introduced on the Catalyst 4500 series switch.
12.1(12c)EW
Support for extended addressing was added.
Usage Guidelines
If you do not enter a VLAN, the change is applied to all routed-port VLANs.
Enter 0 seconds to disable aging.
Examples
This example shows how to configure the aging time to 400 seconds:
Switch(config)# mac-address-table aging-time 400Switch(config)#This example shows how to disable aging:
Switch(config)# mac-address-table aging-time 0Switch(config)Related Commands
show mac-address-table aging-time
mac-address-table dynamic group protocols
To enable the learning of MAC addresses in both the "ip" and "other" protocol buckets, even though the incoming packet may belong to only one of the protocol buckets, use the
mac-address-table dynamic group protocols command. To disable grouped learning, use the no form of this command.mac-address-table dynamic group protocols {ip | other} {ip | other}
[no] mac-address-table dynamic group protocols {ip | other} {ip | other}
Syntax Description
Defaults
The group learning feature is disabled.
Command Modes
Global configuration mode
Command History
12.2(18)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The entries within the "ip" and "other" protocol buckets are created according to the protocol of the incoming traffic.
When you use the mac-address-table dynamic group protocols command, an incoming MAC address that might belong to either the "ip" or the "other" protocol bucket, is learned on both protocol buckets. Therefore, any traffic destined to this MAC address and belonging to any of the protocol buckets is unicasted to that MAC address, rather than flooded. This reduces the unicast Layer 2 flooding that might be caused if the incoming traffic from a host belongs to a different protocol bucket than the traffic that is destined to the sending host.
Examples
This example shows that the MAC addresses are initially assigned to either the "ip" or the "other" protocol bucket:
Switch# show mac-address-table dynamicUnicast Entriesvlan mac address type protocols port-------+---------------+--------+---------------------+--------------------1 0000.0000.5000 dynamic other GigabitEthernet1/11 0001.0234.6616 dynamic ip GigabitEthernet3/11 0003.3178.ec0a dynamic assigned GigabitEthernet3/11 0003.4700.24c3 dynamic ip GigabitEthernet3/11 0003.4716.f475 dynamic ip GigabitEthernet3/11 0003.4748.75c5 dynamic ip GigabitEthernet3/11 0003.47f0.d6a3 dynamic ip GigabitEthernet3/11 0003.47f6.a91a dynamic ip GigabitEthernet3/11 0003.ba06.4538 dynamic ip GigabitEthernet3/11 0003.fd63.3eb4 dynamic ip GigabitEthernet3/11 0004.2326.18a1 dynamic ip GigabitEthernet3/11 0004.5a5d.de53 dynamic ip GigabitEthernet3/11 0004.5a5e.6ecc dynamic ip GigabitEthernet3/11 0004.5a5e.f60e dynamic ip GigabitEthernet3/11 0004.5a5f.06f7 dynamic ip GigabitEthernet3/11 0004.5a5f.072f dynamic ip GigabitEthernet3/11 0004.5a5f.08f6 dynamic ip GigabitEthernet3/11 0004.5a5f.090b dynamic ip GigabitEthernet3/11 0004.5a88.b075 dynamic ip GigabitEthernet3/11 0004.c1bd.1b40 dynamic ip GigabitEthernet3/11 0004.c1d8.b3c0 dynamic ip GigabitEthernet3/11 0004.c1d8.bd00 dynamic ip GigabitEthernet3/11 0007.e997.74dd dynamic ip GigabitEthernet3/11 0007.e997.7e8f dynamic ip GigabitEthernet3/11 0007.e9ad.5e24 dynamic ip GigabitEthernet3/11 000b.5f0a.f1d8 dynamic ip GigabitEthernet3/11 000b.fdf3.c498 dynamic ip GigabitEthernet3/11 0010.7be8.3794 dynamic assigned GigabitEthernet3/11 0012.436f.c07f dynamic ip GigabitEthernet3/11 0050.0407.5fe1 dynamic ip GigabitEthernet3/11 0050.6901.65af dynamic ip GigabitEthernet3/11 0050.da6c.81cb dynamic ip GigabitEthernet3/11 0050.dad0.af07 dynamic ip GigabitEthernet3/11 00a0.ccd7.20ac dynamic ip GigabitEthernet3/11 00b0.64fd.1c23 dynamic ip GigabitEthernet3/11 00b0.64fd.2d8f dynamic assigned GigabitEthernet3/11 00d0.b775.c8bc dynamic ip GigabitEthernet3/11 00d0.b79e.de1d dynamic ip GigabitEthernet3/11 00e0.4c79.1939 dynamic ip GigabitEthernet3/11 00e0.4c7b.d765 dynamic ip GigabitEthernet3/11 00e0.4c82.66b7 dynamic ip GigabitEthernet3/11 00e0.4c8b.f83e dynamic ip GigabitEthernet3/11 00e0.4cbc.a04f dynamic ip GigabitEthernet3/11 0800.20cf.8977 dynamic ip GigabitEthernet3/11 0800.20f2.82e5 dynamic ip GigabitEthernet3/1Switch#This example shows how to assign MAC addresses that belong to either the "ip" or the "other" bucket to both buckets:
Switch(config)# mac-address-table dynamic group protocols ip otherSwitch(config)# exitSwitch# show mac address-table dynamicUnicast Entriesvlan mac address type protocols port-------+---------------+--------+---------------------+--------------------1 0000.0000.5000 dynamic ip,other GigabitEthernet1/11 0001.0234.6616 dynamic ip,other GigabitEthernet3/11 0003.4700.24c3 dynamic ip,other GigabitEthernet3/11 0003.4716.f475 dynamic ip,other GigabitEthernet3/11 0003.4748.75c5 dynamic ip,other GigabitEthernet3/11 0003.47c4.06c1 dynamic ip,other GigabitEthernet3/11 0003.47f0.d6a3 dynamic ip,other GigabitEthernet3/11 0003.47f6.a91a dynamic ip,other GigabitEthernet3/11 0003.ba0e.24a1 dynamic ip,other GigabitEthernet3/11 0003.fd63.3eb4 dynamic ip,other GigabitEthernet3/11 0004.2326.18a1 dynamic ip,other GigabitEthernet3/11 0004.5a5d.de53 dynamic ip,other GigabitEthernet3/11 0004.5a5d.de55 dynamic ip,other GigabitEthernet3/11 0004.5a5e.6ecc dynamic ip,other GigabitEthernet3/11 0004.5a5e.f60e dynamic ip,other GigabitEthernet3/11 0004.5a5f.08f6 dynamic ip,other GigabitEthernet3/11 0004.5a5f.090b dynamic ip,other GigabitEthernet3/11 0004.5a64.f813 dynamic ip,other GigabitEthernet3/11 0004.5a66.1a77 dynamic ip,other GigabitEthernet3/11 0004.5a6b.56b2 dynamic ip,other GigabitEthernet3/11 0004.5a6c.6a07 dynamic ip,other GigabitEthernet3/11 0004.5a88.b075 dynamic ip,other GigabitEthernet3/11 0004.c1bd.1b40 dynamic ip,other GigabitEthernet3/11 0004.c1d8.b3c0 dynamic ip,other GigabitEthernet3/11 0004.c1d8.bd00 dynamic ip,other GigabitEthernet3/11 0005.dce0.7c0a dynamic assigned GigabitEthernet3/11 0007.e997.74dd dynamic ip,other GigabitEthernet3/11 0007.e997.7e8f dynamic ip,other GigabitEthernet3/11 0007.e9ad.5e24 dynamic ip,other GigabitEthernet3/11 0007.e9c9.0bc9 dynamic ip,other GigabitEthernet3/11 000b.5f0a.f1d8 dynamic ip,other GigabitEthernet3/11 000b.fdf3.c498 dynamic ip,other GigabitEthernet3/11 0012.436f.c07f dynamic ip,other GigabitEthernet3/11 0050.0407.5fe1 dynamic ip,other GigabitEthernet3/11 0050.6901.65af dynamic ip,other GigabitEthernet3/11 0050.da6c.81cb dynamic ip,other GigabitEthernet3/11 0050.dad0.af07 dynamic ip,other GigabitEthernet3/11 00a0.ccd7.20ac dynamic ip,other GigabitEthernet3/11 00b0.64fd.1b84 dynamic assigned GigabitEthernet3/11 00d0.b775.c8bc dynamic ip,other GigabitEthernet3/11 00d0.b775.c8ee dynamic ip,other GigabitEthernet3/11 00d0.b79e.de1d dynamic ip,other GigabitEthernet3/11 00e0.4c79.1939 dynamic ip,other GigabitEthernet3/11 00e0.4c7b.d765 dynamic ip,other GigabitEthernet3/11 00e0.4c82.66b7 dynamic ip,other GigabitEthernet3/11 00e0.4c8b.f83e dynamic ip,other GigabitEthernet3/11 00e0.4c8c.0861 dynamic ip,other GigabitEthernet3/11 0800.20d1.bf09 dynamic ip,other GigabitEthernet3/1Switch#Related Commands
mac-address-table dynamic (refer to Cisco IOS documentation)
mac-address-table notification
To enable MAC address notification on a switch, use the mac-address-table notification command. To return to the default setting, use the no form of this command
mac-address-table notification {change [history-size hs_value] | [interval intv_value]] | [mac-move] | [threshold [limit percentage] | [interval time]}
no mac-address-table notification {change [history-size hs_value] | [interval intv_value]] | [mac-move] | [threshold [limit percentage] | [interval time]}
Syntax Description
Defaults
MAC address notification feature is disabled.
The default MAC change trap interval value is 1 second.
The default number of entries in the history table is 1.
MAC move notification is disabled.
MAC threshold monitoring feature is disabled.
The default limit is 50 percent.
The default time is 120 seconds.
Command Modes
Global configuration mode
Command History
12.2(31)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
We can enable the MAC change notification feature by using the
mac address-table notification change command. We must also enable MAC notification traps on an interface by using the snmp trap mac-notification change interface configuration command and configure the switch to send MAC change traps to the NMS by using the snmp-server enable traps mac-notification global configuration command.When the history-size option is configured, the existing MAC change history table is deleted, and a new table is created.
Examples
This example shows how to set the MAC address notification history table size to 300 entries:
Switch(config)# mac-address-table notification change history-size 300Switch(config)#This example shows how to set the MAC address notification interval time to 1250 seconds:
Switch(config)# mac-address-table notification change interval 1250Switch(config)#Related Commands
clear mac-address-table
show mac-address-table notification
snmp-server enable traps
snmp trap mac-notification changemac-address-table static
To configure the static MAC addresses for a VLAN interface or drop unicast traffic for a MAC address for a VLAN interface, use the mac-address-table static command. To remove the static MAC address configurations, use the no form of this command.
mac-address-table static mac-addr {vlan vlan-id} {interface type | drop}
no mac-address-table static mac-addr {vlan vlan-id} {interface type} {drop}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
12.1(13)EW
Support for this command was introduced on the Catalyst 4500 series switches.
Usage Guidelines
When a static MAC address is installed, it is associated with a port.
The output interface specified must be a Layer 2 interface and not an SVI.
If you do not enter a protocol type, an entry is automatically created for each of the four protocol types.
Entering the no form of this command does not remove the system MAC addresses.
When removing a MAC address, entering interface int is optional. For unicast entries, the entry is removed automatically. For multicast entries, if you do not specify an interface, the entire entry is removed. You can specify the selected ports to be removed by specifying the interface.
Examples
This example shows how to add the static entries to the MAC address table:
Switch(config)# mac-address-table static 0050.3e8d.6400 vlan 100 interface fastethernet5/7Switch(config)#Related Commands
macro apply cisco-desktop
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop, use the macro apply cisco-desktop command.
macro apply cisco-desktop $AVID access_vlanid
Syntax Description
Defaults
This command has no default settings.
Command Modes
Interface configuration mode
Command History
12.2(18)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.
Examples
This example shows how to enable the Cisco-recommended features and settings on port fa2/1:
Switch(config)# interface FastEthernet2/1Switch(config-if)# macro apply cisco-desktop $AVID 50Switch(config-if)#The contents of this macro are as follows:
# Basic interface - Enable data VLAN only# Recommended value for access vlan (AVID) should not be 1switchport access vlan $AVID [access_vlanid]switchport mode access# Enable port security limiting port to a single# MAC address -- that of desktopswitchport port-security# Ensure port-security age is greater than one minute# and use inactivity timer# "Port-security maximum 1" is the default and will not# Show up in the configswitchport port-security violation restrictswitchport port-security aging time 2switchport port-security aging type inactivity# Configure port as an edge network portspanning-tree portfastspanning-tree bpduguard enableRelated Commands
macro apply cisco-phone
macro apply cisco-router
macro apply cisco-switchmacro apply cisco-phone
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop and a Cisco IP phone, use the macro apply cisco-phone command.
macro apply cisco-phone $AVID access_vlanid $VVID voice_vlanid
Syntax Description
Defaults
This command has no default settings.
Command Modes
Interface configuration mode
Command History
12.2(18)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.
Examples
This example shows how to enable the Cisco-recommended features and settings on port fa2/1:
Switch(config)# interface FastEthernet2/1Switch(config-if)# macro apply cisco-phone $AVID 10 $VVID 50Switch(config-if)#The contents of this macro are as follows:
# VoIP enabled interface - Enable data VLAN# and voice VLAN (VVID)# Recommended value for access vlan (AVID) should not be 1\switchport access vlan $AVID [access_vlan_id]switchport mode access# Update the Voice VLAN (VVID) value which should be# different from data VLAN# Recommended value for voice vlan (VVID) should not be 1switchport voice vlan $VVID [voice_vlan_id]# Enable port security limiting port to a 3 MAC# addressees -- One for desktop and two for phoneswitchport port-securityswitchport port-security maximum 3# Ensure port-security age is greater than one minute# and use inactivity timerswitchport port-security violation restrictswitchport port-security aging time 2switchport port-security aging type inactivity# Enable auto-qos to extend trust to attached Cisco phoneauto qos voip cisco-phone# Configure port as an edge network portspanning-tree portfastspanning-tree bpduguard enable@Related Commands
macro apply cisco-desktop
macro apply cisco-router
macro apply cisco-switchmacro apply cisco-router
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a router, use the macro apply cisco-router command.
macro apply cisco-router $NVID native_vlanid
Syntax Description
Defaults
This command has no default settings.
Command Modes
Interface configuration mode
Command History
12.2(18)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you applythe macro apply cisco-router command, clear the configuration on the interface with the default interface command.
Examples
This example shows how to enable the Cisco-recommended features and settings on port fa2/1:
Switch(config)# interface FastEthernet2/1Switch(config-if)# macro apply cisco-router $NVID 80Switch(config-if)#The contents of this macro are as follows:
# Access Uplink to Distributionswitchport trunk encapsulation dot1q# Define unique Native VLAN on trunk ports# Recommended value for native vlan (NVID) should not be 1switchport trunk native vlan $NVID [native_vlan_id]# Update the allowed VLAN range (VRANGE) such that it# includes data, voice and native VLANs# switchport trunk allowed vlan $VRANGE [vlan_range]# Hardcode trunk and disable negotiation to# speed up convergence# Hardcode speed and duplex to routerswitchport mode trunkswitchport nonegotiatespeed 100duplex full# Configure qos to trust this interfaceauto qos voip trustqos trust dscp# Ensure fast access to the network when enabling the interface.# Ensure that switch devices cannot become active on the interface.spanning-tree portfastspanning-tree bpduguard enableRelated Commands
macro apply cisco-desktop
macro apply cisco-phone
macro apply cisco-switchmacro apply cisco-switch
To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to another switch, use the macro apply cisco-switch command.
macro apply cisco-switch $NVID native_vlanid
Syntax Description
Defaults
This command has no default settings.
Command Modes
Interface configuration mode
Command History
12.2(18)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
This command can only be viewed and applied; it cannot be modified.
Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply this macro, clear the configuration on the interface with the default interface command.
Examples
This example shows how to enable the Cisco-recommended features and settings on port fa2/1:
Switch(config)# interface FastEthernet2/1Switch(config-if)# macro apply cisco-switch $NVID 45Switch(config-if)#The contents of this macro are as follows:
# Access Uplink to Distributionswitchport trunk encapsulation dot1q# Define unique Native VLAN on trunk ports# Recommended value for native vlan (NVID) should not be 1switchport trunk native vlan $NVID [native_vlan_id]# Update the allowed VLAN range (VRANGE) such that it# includes data, voice and native VLANs# switchport trunk allowed vlan $VRANGE# Hardcode trunk and disable negotiation to# speed up convergenceswitchport mode trunkswitchport nonegotiate# Configure qos to trust this interfaceauto qos voip trust# 802.1w defines the link as pt-pt for rapid convergencespanning-tree link-type point-to-pointRelated Commands
macro apply cisco-desktop
macro apply cisco-phone
macro apply cisco-routermacro global apply cisco-global
To apply the system-defined default template to the switch, use the macro global apply cisco-global global configuration command on the switch stack or on a standalone switch.
macro global apply cisco-global
Syntax Description
This command has no keywords or variables.
Defaults
This command has no default setting.
Command Modes
Global configuration mode
Command History
12.2(31)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Examples
These examples show how to apply the system-defined default to the switch:
Switch(config)#macro global apply cisco-globalChanging VTP domain name from gsg-vtp to [smartports] Device mode already VTP TRANSPARENT.Switch(config)#macro global apply system-cpp
To apply the control plane policing default template to the switch, use the macro global apply system-cpp global configuration command on the switch stack or on a standalone switch.
macro global apply system-cpp
Syntax Description
This command has no keywords or variables.
Defaults
This command has no default setting.
Command Modes
Global configuration mode
Command History
12.2(31)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
This command is not supported on the Supervisor Engine 6-E and Catalyst 4900M chassis.
Examples
These examples show how to apply the system-defined default to the switch:
Switch (config)# macro global apply system-cppSwitch (config)#Related Commands
macro global apply cisco-global
macro global descriptionmacro global description
To enter a description about the macros that are applied to the switch, use the macro global description global configuration command on the switch stack or on a standalone switch. Use the no form of this command to remove the description.
macro global description text
no macro global description text
Syntax Description
Defaults
This command has no default setting.
Command Modes
Global configuration mode
Command History
12.2(31)SG
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
Use the description keyword to associate comment text, or the macro name, with a switch. When multiple macros are applied on a switch, the description text will be from the last applied macro.
This example shows how to add a description to a switch:
Switch(config)# macro global description udld aggressive mode enabledYou can verify your settings by entering the show parser macro description privileged EXEC command.
Related Commands
macro global apply cisco-global
main-cpu
To enter the main CPU submode and manually synchronize the configurations on the two supervisor engines, use the main-cpu command.
main-cpu
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Redundancy
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch. (Catalyst 4507R only).
Usage Guidelines
The main CPU submode is used to manually synchronize the configurations on the two supervisor engines.
From the main CPU submode, use the auto-sync command to enable automatic synchronization of the configuration files in NVRAM.
Note
Examples
This example shows how to reenable the default automatic synchronization feature using the auto-sync standard command to synchronize the startup-config and config-register configuration of the active supervisor engine with the standby supervisor engine. The updates for the boot variables are automatic and cannot be disabled.
Switch(config)# redundancySwitch(config-red)# main-cpuSwitch(config-r-mc)# auto-sync standardSwitch(config-r-mc)# endSwitch# copy running-config startup-configSwitch#Related Commands
match
To specify a match clause by selecting one or more ACLs for a VLAN access-map sequence, use the match subcommand. To remove the match clause, use the no form of this command.
match {ip address {acl-number | acl-name}} | {mac address acl-name}
no match {ip address {acl-number | acl-name}} | {mac address acl-name}
Note
Syntax Description
Defaults
This command has no default settings.
Command Modes
VLAN access-map
Command History
12.1(12c)EW
Support for this command was introduced on the Catalyst 4500 series switch.
Usage Guidelines
The match clause specifies the IP or MAC ACL for traffic filtering.
The MAC sequence is not effective for IP packets. IP packets should be access controlled by IP match clauses.
Refer to the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide for additional configuration guidelines and restrictions.
Refer to the Cisco IOS Command Reference publication for additional match command information.
Examples
This example shows how to define a match clause for a VLAN access map:
Switch(config)# vlan access-map ganymede 10Switch(config-access-map)# match ip address 13Switch(config-access-map)#Related Commands
show vlan access-map
vlan access-mapmatch (class-map configuration)
To define the match criteria for a class map, use the match class-map configuration command. To remove the match criteria, use the no form of this command.
Non-Supervisor Engine 6-E
match {access-group acl-index-or-name | cos cos-list | [lp] dscp dscp-list | [lp] precedence ip-precedence-list
no match {access-group acl-index-or-name | cos cos-list | [lp] dscp dscp-list | [lp] precedence ip-precedence-list
Supervisor Engine 6-E and Catalyst 4900M chassis
match {access-group acl-index-or-name | cos cos-list | [lp] dscp dscp-list | [lp] precedence ip-precedence-list | qos-group value | protocol
no match {access-group acl-index-or-name | cos cos-list | [lp] dscp dscp-list | [lp] precedence ip-precedence-list | qos-group value | protocol
Syntax Description
