-
Catalyst 6500 Series Command Reference, 7.6
-
Quick Links to Catalyst 6500 Series Switch and ROM Monitor Commands
-
Index
-
Preface
-
Command-Line Interfaces
-
alias to boot
-
cd to clear mls exclude protocol
-
clear mls multicast statistics to clear vtp pruneeligible
-
clear vtp statistics to disable
-
disconnect to enable
-
Format to Ping
-
pwd to reset-switch
-
restore counters to set crypto key rsa
-
set default portstatus to set logging timestamp
-
set logout to set port arp-inspection
-
set port auxiliaryvlan to set rcp username
-
set rgmp to set spantree portvlanpri
-
set spantree priority to set trunk
-
set udld to set vtp pruneeligible
-
show accounting to show dot1q-all-tagged
-
show dot1x to show ip alias
-
show ip dns to show ip permit
-
show ip route to show pbf-map
-
show port to show snmp
-
show snmp access to show tech-support
-
show test to show users
-
show version to squeeze
-
stack to write tech-support
-
Acronyms
-
Table Of Contents
set feature dot1x-radius-keepalive
set gvrp dynamic-vlan-creation
set inlinepower defaultallocation
set kerberos clients mandatory
set kerberos credentials forward
set lacp-channel system-priority
222set default portstatus
To set the default port status, use the set default portstatus command.
set default portstatus {enable | disable}
Syntax Description
Defaults
The default is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enter the clear config all command, or if a configuration loss occurs, all ports collapse into VLAN 1. This situation might cause a security and network instability problem. During a configuration loss, when you enter the set default portstatus command, all ports are put into a disable state, and the traffic flowing through the ports is blocked. You can then manually configure the ports back to the enable state.
This command is not saved in the configuration file.
After you set the default port status, the default port status does not clear when you enter the clear config all command.
Examples
This example shows how to disable the default port status:
Console> (enable) set default portstatus disableport status set to disable.Console> (enable)Related Commands
set dot1q-all-tagged
To change all existing and new dot1q trunks to the dot1q-only mode, use the set dot1q-all-tagged command.
set dot1q-all-tagged {enable | disable}
Syntax Description
Defaults
The 802.1Q tagging feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable dot1q-tagged-only, all data packets are sent out tagged and all received untagged data packets are dropped on all 802.1Q trunks.
You cannot enable the dot1q tunneling feature on a port until dot1q-tagged-only mode is enabled.
You cannot disable dot1q-tagged-only mode on the switch until dot1q tunneling is disabled on all the ports on the switch.
The optional all keyword is not supported.
Note
Policy-based forwarding (PBF) does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic, but it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.
If you enable dot1q-tagged globally, the dot1q-tagged per-port setting controls whether or not frames are tagged. If you disable dot-1q-tagged globally, the default group is never tagged and the per-port setting has no effect.
Examples
This example shows how to enable dot1q tagging:
Console> (enable) set dot1q-all-tagged enableDot1q tagging is enabledConsole> (enable)Related Commands
set port dot1qtunnel
show dot1q-all-taggedset dot1x
To configure dot1x on a system, use the set dot1x command.
set dot1x system-auth-control {enable | disable}
set dot1x {quiet-period | tx-period | re-authperiod} seconds
set dot1x {supp-timeout | server-timeout} seconds
set dot1x max-req count
set dot1x guest-vlan vlan
set dot1x shutdown-timeout seconds
Syntax Description
Defaults
The default settings are as follows:
•
•
•
•
•
•
•
•
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you set the system-auth-control, the following applies:
•
•
If you do not enable reauthentication, reauthentication does not automatically occur after authentication has occurred.
When the supplicant does not notify the authenticator that it received the EAP-request/identity packet, the authenticator waits a period of time (set by entering the tx-period seconds parameter), and then retransmits the packet.
When the supplicant does not notify the backend authenticator that it received the EAP-request packet, the backend authenticator waits a period of time (set by entering the supp-timeout seconds parameter), and then retransmits the packet.
When the authentication server does not notify the backend authenticator that it received specific packets, the backend authenticator waits a period of time (set by entering the server-timeout seconds parameter), and then retransmits the packets.
When you enter the set dot1x dhcp-relay-agent command, you can enter more than one VLAN.
Examples
This example shows how to set the system authentication control:
Console> (enable) set dot1x system-auth-control enabledot1x authorization enabled.Console> (enable)This example shows how to set the idle time between authentication attempts:
Console> (enable) set dot1x quiet-period 45dot1x quiet-period set to 45 seconds.Console> (enable)This example shows how to set the retransmission time:
Console> (enable) set dot1x tx-period 15dot1x tx-period set to 15 seconds.Console> (enable)This example shows you how to specify the reauthentication time:
Console> (enable) set dot1x re-authperiod 7200dot1x re-authperiod set to 7200 secondsConsole> (enable)This example shows you how to specify the retransmission of EAP-Request packets by the authenticator to the supplicant:
Console> (enable) set dot1x supp-timeout 15dot1x supp-timeout set to 15 seconds.Console> (enable)This example shows how to specify the retransmission of packets by the backend authenticator to the authentication server:
Console> (enable) set dot1x server-timeout 15dot1x server-timeout set to 15 seconds.Console> (enable)This example shows how to specify the maximum number of packet retransmissions:
Console> (enable) set dot1x max-req 5dot1x max-req set to 5.Console> (enable)This example shows how to enable authentication for the DHCP Relay Agent on VLANs 1 through 5 and 24:
Console> (enable) set dot1x dhcp-relay-agent enable 1-5,24dot1x dhcp-relay-agent enabled for vlans 1-5, 24.Console> (enable)This example shows how to disable authentication for the DHCP Relay Agent on VLAN 1:
Console> (enable) set dot1x dhcp-relay-agent disable 1dotx dhcp-relay-agent disable for vlan 1Console> (enable)This example shows how to set the guest VLAN:
Console> (enable) set dot1x guest-vlan 69dot1x guest-vlan set to 69.Console> (enable)Related Commands
clear dot1x config
clear dot1x guest-vlan
set port dot1x
show dot1x
show port dot1xset enablepass
To change the password for the privileged level of the CLI, use the set enablepass command.
set enablepass
Syntax Description
This command has no arguments or keywords.
Defaults
The default configuration has no enable password configured.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Passwords are case sensitive and may be 0 to 19 characters in length, including spaces.
The command prompts you for the old password. If the password you enter is valid, you are prompted to enter a new password and to verify the new password.
Examples
This example shows how to establish a new password:
Console> (enable) set enablepassEnter old password: <old_password>Enter new password: <new_password>Retype new password: <new_password>Password changed.Console> (enable)Related Commands
set errdisable-timeout
To configure a timeout to automatically reenable ports that are in the errdisable state, use the set errdisable-timeout command.
set errdisable-timeout {enable | disable} {reason}
set errdisable-timeout interval {interval}
Syntax Description
Defaults
By default, all the errdisable state reasons are disabled globally; whenever there are no reasons enabled, the timer is stopped.
By default, the timeout is set to disable, and the interval value is set at 300 seconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
A port enters errdisable state for the following reasons (these reasons appear as configuration options within the set errdisable-timeout enable command):
•
•
•
•
•
•
•
•
•
•
•
You can enable or disable errdisable timeout for each of the reasons that are listed. If you specify "other," all ports errdisabled by causes other than the reasons listed are enabled for errdisable timeout. If you specify "all," all ports errdisabled for any reason are enabled for errdisable timeout.
You can manually prevent a port from being reenabled by setting the errdisable timeout for that port to disable using the set port errdisable-timeout mod/port disable command.
Examples
This example shows how to enable an errdisable timeout due to a BPDU port-guard event:
Console> (enable) set errdisable-timeout enable bpdu-guardSuccessfully enabled errdisable-timeout for bpdu-guard.Console> (enable)This example shows how to set an errdisable timeout interval to 450 seconds:
Console> (enable) set errdisable-timeout interval 450Successfully set errdisable timeout to 450 seconds.Console> (enable)This example shows how to set an errdisable timeout for broadcast suppression events:
Console> (enable) set errdisable-timeout enable bcast-suppressionSuccessfully enabled errdisable timeout for bcast-suppression.Console> (enable)This example shows how to set an errdisable timeout for ARP inspection events:
Console> (enable) set errdisable-timeout enable arp-inspectionSuccessfully enabled errdisable-timeout for arp-inspection.Console> (enable)Related Commands
set errordetection
To enable or disable various error detections, use the set errordetection command.
set errordetection inband enable | disable
set errordetection memory enable | disable
set errordetection portcounters enable | disable
Syntax Description
Defaults
The defaults are as follows:
•
•
•
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set errordetection command is useful for monitoring the switch. If an error is detected, a syslog message informs you that a problem exists before noticeable performance degradation occurs. For example:
•
•
•
Inband, memory, and portcounter error detection is enabled by default in release 7.6(12) and later releases.
Examples
This example shows how to enable memory error detection:
Console> (enable) set errordetection memory enableMemory error detection enabled.Console> (enable)Related Commands
set feature agg-link-partner
To enable or disable the aggressive link partner feature, use the set feature agg-link-partner command.
set feature agg-link-partner {enable | disable}
Syntax Description
enable
Enables the aggressive link partner feature.
disable
Disables the aggressive link partner feature.
Defaults
The aggressive link partner feature is disabled globally.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable this feature, you reduce the possibility of aggressive link partners causing excessive collisions. Excessive collisions can lead to excessive alignment errors and runts.
The aggressive link partner feature works only on half duplex 10/100 ports.
The set feature agg-link-partner command is a global command so when you enable or disable this feature, all related modules in the chassis are enabled or disabled.
Examples
This example shows how to enable the aggressive link partner feature:
Console> (enable) set feature agg-link-partner enableAggressive link partner feature enabled.Console> (enable)This example shows how to disable the aggressive link partner feature:
Console> (enable) set feature agg-link-partner disableAggressive link partner feature disabled.Console> (enable)set feature dot1x-radius-keepalive
To enable or disable the 802.1X RADIUS keepalive state, use the set feature dot1x-radius-keepalive command.
set feature dot1x-radius-keepalive {enable | disable}
Syntax Description
Defaults
RADIUS keepalive state is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To check whether or not configured RADIUS servers are alive, the switch can send out a dummy username for authentication. In reply to the dummy username, the RADIUS servers send an access rejection.
To turn off attempts to authenticate that test the RADIUS servers, enter the set feature dot1x-radius-keepalive disable command. If you disable this feature, the switch does not check the status of the servers, and the RADIUS server logs do not fill with dummy attempts.
Examples
This example shows how to disable the 802.1X RADIUS keepalive state feature:
Console> (enable) set feature dot1x-radius-keepalive enabledot1x radius-keepalive state enabled.Console> (enable)Related Commands
set feature mdg
To enable or disable the multiple default gateway feature, use the set feature mdg command.
set feature mdg {enable | disable}
Syntax Description
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you enable the multiple default gateway feature, the Catalyst 6500 series switch pings the default gateways every 10 seconds to verify that the gateways are still available.
Examples
This example shows how to enable the multiple default gateway feature:
Console> (enable) set feature mdg enableMultiple Gateway feature enabled.Console> (enable)This example shows how to disable the multiple default gateway feature:
Console> (enable) set feature mdg disableMultiple Gateway feature disabled.Console> (enable)set garp timer
To adjust the values of the join, leave, and leaveall timers, use the set garp timer command.
set garp timer {timer_type} {timer_value}
Syntax Description
timer_type
Type of timer; valid values are join, leave, and leaveall.
timer_value
Timer values in milliseconds; valid values are from 1 to 2147483647 milliseconds.
Defaults
The defaults are the join timer is 200 milliseconds, the leave timer is 600 milliseconds, and the leaveall timer is 10000 milliseconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The modified timer values are applied to all General Attribute Registration Protocol (GARP) applications (for example, GMRP and GVRP) timer values.
You must maintain the following relationship for the various timer values:
•
•
Caution
Examples
This example shows how to set the join timer value for all the ports on all the VLANs:
Console> (enable) set garp timer join 100GMRP/GARP Join timer value is set to 100 milliseconds.Console> (enable)This example shows how to set the leave timer value for all the ports on all the VLANs:
Console> (enable) set garp timer leave 300GMRP/GARP Leave timer value is set to 300 milliseconds.Console> (enable)set gmrp timer
set gvrp timer
show garp timerset gmrp
To enable or disable GARP Multicast Registration Protocol (GMRP) on the switch in all VLANs on all ports, use the set gmrp command.
set gmrp {enable | disable}
Syntax Description
Defaults
The default is GMRP is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You cannot enable GMRP if IGMP snooping is already enabled.
Examples
This example shows how to enable GMRP on the switch:
Console> (enable) set gmrp enableGMRP is enabled.Console> (enable)This example shows how to disable GMRP on the switch:
Console> (enable) set gmrp disableGMRP is disabled.Console> (enable)This example shows the display if you try to enable GMRP on the switch with IGMP enabled:
Console> (enable) set gmrp enableDisable IGMP to enable GMRP snooping feature.Console> (enable)Related Commands
set gmrp fwdall
To enable or disable the Forward All feature on a specified port or module and port list, use the set gmrp fwdall command.
set gmrp fwdall {enable | disable} mod/port...
Syntax Description
enable
Enables GMRP Forward All on a specified port.
disable
Disables GMRP Forward All on a specified port.
mod/port...
Number of the module and the ports on the module.
Defaults
The default is the Forward All feature is disabled for all ports.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Forward All indicates that a port is interested in receiving all the traffic for all the multicast groups.
If the port is trunking, then this feature is applied to all the VLANs on that port.
Examples
This example shows how to enable GMRP Forward All on module 5, port 5:
Console> (enable) set gmrp fwdall enable 5/5GMRP Forward All groups option enabled on port(s) 5/5.Console> (enable)This example shows how to disable the GMRP Forward All on module 3, port 2:
Console> (enable) set gmrp service fwdall disable 3/2GMRP Forward All groups option disabled on port(s) 3/2.Console> (enable)Related Commands
set gmrp registration
To specify the GMRP registration type, use the set gmrp registration command.
set gmrp registration {normal | fixed | forbidden} mod/port...
Syntax Description
Defaults
The default is administrative control is normal.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must return the port to normal registration mode to deregister multicast groups on the port.
GMRP supports a total of 3072 multicast addresses for the whole switch.
Examples
This example shows how to set the registration type to fixed on module 3, port 3:
Console> (enable) set gmrp registration fixed 3/3GMRP Registration is set to Fixed for port(s) 3/3.Console> (enable)This example shows how to set the registration type to forbidden on module 1, port 1:
Console> (enable) set gmrp registration forbidden 1/1GMRP Registration is set to Forbidden for port(s) 1/1.Console> (enable)Related Commands
set gmrp timer
To adjust the values of the join, leave, and leaveall timers, use the set gmrp timer command.
set gmrp timer {timer_type} {timer_value}
Syntax Description
timer_type
Type of timer; valid values are join, leave, and leaveall.
timer_value
Timer values in milliseconds; valid values are from 1 to 2147483647 milliseconds.
Defaults
The default is the join timer is 200 milliseconds, the leave timer is 600 milliseconds, and the leaveall timer is 10000 milliseconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must maintain the following relationship for the various timer values:
•
•
Caution
Note
Examples
This example shows how to set the join timer value to 100 milliseconds for all the ports on all the VLANs:
Console> (enable) set gmrp timer join 100GARP Join timer value is set to 100 milliseconds.Console> (enable)This example shows how to set the leave timer value to 300 milliseconds for all the ports on all the VLANs:
Console> (enable) set gmrp timer leave 300GARP Leave timer value is set to 300 milliseconds.Console> (enable)This example shows how to set the leaveall timer value to 20000 milliseconds for all the ports on all the VLANs:
Console> (enable) set gmrp timer leaveall 20000GARP LeaveAll timer value is set to 20000 milliseconds.Console> (enable)Related Commands
set garp timer
set gvrp timer
show gmrp timerset gvrp
To enable or disable GARP VLAN Registration Protocol (GVRP) globally in the switch or on a per-port basis, use the set gvrp command.
set gvrp {enable | disable} [mod/port]
Syntax Description
enable
Enables GVRP on the switch.
disable
Disables GVRP on the switch.
mod/port
(Optional) Number of the module and port on the module.
Defaults
The default is GVRP is globally set to disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable VTP pruning, VTP pruning runs on all the GVRP-disabled trunks.
To run GVRP on a trunk, you need to enable GVRP both globally on the switch and individually on the trunk.
Examples
This example shows how to enable GVRP globally on the switch:
Console> (enable) set gvrp enableGVRP enabled.Console> (enable)This example shows how to disable GVRP:
Console> (enable) set gvrp disableGVRP disabled.Console> (enable)This example shows how to enable GVRP on module 2, port 1:
Console> (enable) set gvrp enable 2/1GVRP enabled on port 2/1.Console> (enable)Related Commands
set garp timer
set gvrp timer
show gmrp timer
show gvrp configurationset gvrp applicant
To specify whether or not a VLAN is declared out of blocking ports, use the set gvrp applicant command.
set gvrp applicant {normal | active} {mod/port...}
Syntax Description
Defaults
The default is GVRP applicant set to normal.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To run GVRP on a trunk, you need to enable GVRP both globally on the switch and individually on the trunk.
On a port connected to a device that does not support the per-VLAN mode of STP, the port state may continuously cycle from blocking to listening to learning, and back to blocking. To prevent this, you must enter the set gvrp applicant active mod/port... command on the port to send GVRP VLAN declarations when the port is in the STP blocking state.
Examples
This example shows how to enforce the declaration of all active VLANs out of specified blocking ports:
Console> (enable) set gvrp applicant active 4/2-3,4/9-10,4/12-24Applicant was set to active on port(s) 4/2-3,4/9-10,4/12-24.Console> (enable)This example shows how to disallow the declaration of any VLAN out of specified blocking ports:
Console> (enable) set gvrp applicant normal 4/2-3,4/9-10,4/12-24Applicant was set to normal on port(s) 4/2-3,4/9-10,4/12-24.Console> (enable)Related Commands
set gvrp dynamic-vlan-creation
To enable or disable dynamic VLAN creation, use the set gvrp dynamic-vlan-creation command.
set gvrp dynamic-vlan-creation {enable | disable}
Syntax Description
Defaults
The default is dynamic VLAN creation is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can enable dynamic VLAN creation only when VTP is in transparent mode and no ISL trunks exist in the switch.
This feature is not allowed when there are 802.1Q trunks that are not configured with GVRP.
Examples
This example shows how to enable dynamic VLAN creation:
Console> (enable) set gvrp dynamic-vlan-creation enableDynamic VLAN creation enabled.Console> (enable)This example shows what happens if you try to enable dynamic VLAN creation and VTP is not in transparent mode:
Console> (enable) set gvrp dynamic-vlan-creation enableVTP has to be in TRANSPARENT mode to enable this feature.Console> (enable)This example shows how to disable dynamic VLAN creation:
Console> (enable) set gvrp dynamic-vlan-creation disableDynamic VLAN creation disabled.Console> (enable)Related Commands
set vtp
show gvrp configurationset gvrp registration
To set the administrative control of an outbound port and apply to all VLANs on the trunk, use the set gvrp registration command. GVRP registration commands are entered on a per-port basis.
set gvrp registration {normal | fixed | forbidden} mod/port...
Syntax Description
Defaults
The default administrative control is normal.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you set VLAN registration, you are communicating to the switch that the VLAN is interested in the users that are connecting to this port and that the VLAN's broadcast and multicast traffic is allowed to be sent to the port.
For static VLAN configuration, you should set the mod/port... control to fixed or forbidden if the mod/port... will not receive or process any GVRP message.
For each dynamically configured VLAN on a port, you should set the mod/port... control to normal (default), except for VLAN 1; GVRP registration mode for VLAN 1 is always fixed and is not configurable. VLAN 1 is always carried by 802.1Q trunks on which GVRP is enabled.
When GVRP is running, you can create a VLAN through a GVRP trunk port only if you enter the set gvrp dynamic-vlan-creation enable and the set gvrp registration normal commands.
Examples
This example shows how to set the administrative control to normal on module 3, port 7:
Console> (enable) set gvrp registration normal 3/7Registrar Administrative Control set to normal on port 3/7.Console> (enable)This example shows how to set the administrative control to fixed on module 5, port 10:
Console> (enable) set gvrp registration fixed 5/10Registrar Administrative Control set to fixed on Port 5/10.Console> (enable)This example shows how to set the administrative control to forbidden on module 5, port 2:
Console> (enable) set gvrp registration forbidden 5/2Registrar Administrative Control set to forbidden on port 5/2.Console> (enable)Related Commands
set gvrp timer
To adjust the values of the join, leave, and leaveall timers, use the set gvrp timer command.
set gvrp timer {timer_type} {timer_value}
Syntax Description
timer_type
Type of timer; valid values are join, leave, and leaveall.
timer_value
Timer values in milliseconds; valid values are from 1 to 2147483647 milliseconds.
Defaults
The default is the join timer is 200 milliseconds, the leave timer is 600 milliseconds, and the leaveall timer is 10000 milliseconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must maintain the following relationship for the various timer values:
•
•
Caution
Note
Examples
This example shows how to set the join timer value to 100 milliseconds for all the ports on all the VLANs:
Console> (enable) set gvrp timer join 100GVRP/GARP Join timer value is set to 100 milliseconds.Console> (enable)This example shows how to set the leave timer value to 300 milliseconds for all the ports on all the VLANs:
Console> (enable) set gvrp timer leave 300GVRP/GARP Leave timer value is set to 300 milliseconds.Console> (enable)This example shows how to set the leaveall timer value to 20000 milliseconds for all the ports on all the VLANs:
Console> (enable) set gvrp timer leaveall 20000GVRP/GARP LeaveAll timer value is set to 20000 milliseconds.Console> (enable)Related Commands
set garp timer
show gvrp configurationset igmp
To enable or disable Internet Group Management Protocol (IGMP) snooping on the switch, use the set igmp command.
set igmp {enable | disable}
Syntax Description
Defaults
The default is IGMP snooping is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
IGMP must be disabled to run GMRP.
If your system is configured with a Supervisor Engine 1, you must enable one of the multicast services (IGMP snooping or GMRP) on the switch in order to use IP MMLS.
Examples
This example shows how to enable IGMP snooping on the switch:
Console> (enable) set igmp enableIGMP feature for IP multicast enabledConsole> (enable)This example shows how to disable IGMP snooping on the switch:
Console> (enable) set igmp disableIGMP Snooping is disabled.Console> (enable)This example shows the display if you try to enable GMRP on the switch with IGMP enabled:
Console> (enable) set igmp enableDisable GMRP to enable IGMP snooping feature.Console> (enable)Related Commands
clear igmp statistics
set rgmp
show igmp statisticsset igmp fastblock
To enable or disable the IGMP version 3 fast-block mechanism on the switch, use the set igmp fastblock command.
set igmp fastblock {enable | disable}
Syntax Description
enable
Enables the IGMP version 3 fast-block mechanism.
disable
Disables the IGMP version 3 fast-block mechanism.
Defaults
By default, the IGMP version 3 fast-block mechanism is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable the fast-block mechanism on the switch:
Console> (enable) set igmp fastblock enableIGMP V3 fastblock enabledConsole> (enable)This example shows how to disable the fast-block mechanism on the switch:
Console> (enable) set igmp fastblock disableIGMP V3 fastblock disabledConsole> (enable)
Related Commands
set igmp v3-processing
show multicast v3-groupset igmp fastleave
To enable or disable Internet Group Management Protocol (IGMP) fastleave processing, use the set igmp fastleave command.
set igmp fastleave {enable | disable}
Syntax Description
Defaults
The default is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This command shows how to enable IGMP fastleave processing:
Console> (enable) set igmp fastleave enableIGMP fastleave set to enable.Warning: Can cause disconnectivity if there are more than one host joining the same group per access port.Console> (enable)This command shows how to disable IGMP fastleave processing:
Console> (enable) set igmp fastleave disableIGMP fastleave set to disable.Console> (enable)Related Commands
clear igmp statistics
set igmp
show igmp statistics
set igmp flooding
To activate or to prevent flooding of multicast traffic after the last host leaves a multicast group, enter the set igmp flooding command.
set igmp flooding {enable | disable}
Syntax Description
Defaults
IGMP flooding is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For more information about IGMP flooding, refer to the "Understanding How IGMP Snooping Works" section of the "Configuring Multicast Services" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Examples
This example shows how to prevent the flooding of multicast traffic after the last host leaves a multicast group:
Console> (enable) set igmp flooding disableIGMP Flooding disabledConsole> (enable)This example shows how to enable the flooding of multicast traffic after the last host leaves a multicast group:
Console> (enable) set igmp flooding enableIGMP Flooding enabled (default)Console> (enable)Related Commands
set igmp leave-query-type
To set the type of query to be sent when a port receives a leave message, use the set igmp leave-query-type command.
set igmp leave-query-type {mac-gen-query | general-query}
Syntax Description
Defaults
By default, a MAC-based general query is sent when a port receives a leave message.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to send a MAC-based general query:
Console> (enable) set igmp leave-query-type mac-gen-queryConsole> (enable)This example shows how to send a general query:
Console> (enable) set igmp leave-query-type general-queryConsole> (enable)Related Commands
set igmp mode
To set the IGMP snooping mode, use the set igmp mode command.
set igmp mode {igmp-only | igmp-cgmp | auto}
Syntax Description
igmp-only
Specifies IGMP snooping only.
igmp-cgmp
Specifies IGMP and CGMP modes.
auto
Overrides the dynamic switching of IGMP snooping modes.
Defaults
The default is IGMP mode is auto.
Command Types
Switch.
Command Modes
Privileged.
Usage Guidelines
The switch dynamically chooses either IGMP-only or IGMP-CGMP mode, depending on the traffic present on the network. IGMP-only mode is used in networks with no CGMP devices. IGMP-CGMP mode is used in networks with both IGMP and CGMP devices. Auto mode overrides the dynamic switching of the modes.
Examples
This example shows how to set the IGMP mode to IGMP-only:
Console> (enable) set igmp mode igmp-onlyIGMP mode set to igmp-onlyConsole> (enable)This example shows how to set the IGMP mode to auto:
Console> (enable) set igmp mode autoIGMP mode set to autoConsole> (enable)Related Commands
set igmp ratelimit
To enable or disable IGMP rate limiting or to set the rate limit for IGMP snooping packets, use the set igmp ratelimit command.
set igmp ratelimit {enable | disable}
set igmp ratelimit {dvmrp | general-query | mospf1 | mospf2 | pimv2} rate
Syntax Description
Defaults
IGMP rate limiting is disabled.
The default rate limits are as follows:
•
•
•
•
•
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set igmp ratelimit {enable | disable} command is supported in both text and binary configuration modes.
If IGMP rate limiting and multicast are enabled, multicast router ports might age out sporadically because the rate of the multicast control packets (such as PIMv2 hellos or IGMP general queries) exceeds the IGMP rate limit watermarks that were configured. The default value for these watermarks is 100. We recommend that you increase the PIMv2 hello ratelimit to 3000 by entering set igmp ratelimit pimv2 3000. You can also increase the IGMP general queries rate limit; we recommend that you set the value to 500 by entering set igmp ratelimit general-query 500.
Examples
This example shows how to enable IGMP rate limiting:
Console> (enable) set igmp ratelimit enableIGMP Ratelimiting enabledConsole> (enable)This example shows how to set the IGMP rate limit for MOSPF2 to 550 packets per every 30 seconds:
Console> (enable) set igmp ratelimit mospf2 550MOSPF2 Watermark set to allow 550 messages in 30 secondsConsole> (enable)This example shows how to set the IGMP ratel limit for PIMv2 1000 packets per every 30 seconds:
Console> (enable) set igmp ratelimit pimv2 1000PIMV2 Watermark set to allow 1000 messages in 30 secondsConsole> (enable)Related Commands
set igmp querier
To configure the IGMP querier for a specific VLAN, use the set igmp querier command.
set igmp querier {enable | disable} vlan
set igmp querier vlan {qi | oqi} seconds
Syntax Description
Defaults
IGMP querier is disabled.
The default value for qi is 125 seconds.
The default value for oqi is 300 seconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must enable IGMP querier on every VLAN for which switch querier functionality is required.
In the absence of general queries, the oqi value is the amount of time a switch waits before electing itself as the querier.
Examples
This example shows how to enable the IGMP querier for VLAN 4001:
Console> (enable) set igmp querier enable 4001IGMP switch querier enabled for VLAN 4001Console> (enable)This example shows how to set the querier interval to 130 seconds for VLAN 4001:
Console> (enable) set igmp querier 4001 qi 130QI for VLAN 4001 set to 130 second(s)Console> (enable)Related Commands
set igmp v3-processing
To explicitly enable or disable IGMP version 3 snooping, use the set igmp v3-processing command.
set igmp v3-processing {enable | disable}
Syntax Description
Defaults
By default, IGMP version 3 snooping is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
IGMP version 3 is supported only on Supervisor Engine 2. Supervisor Engine 1 and Supervisor Engine 1A do not support this feature.
If IGMP version 3 processing is disabled, any previous IGMP version 3 snooping entries are cleared. These IGMP version 3 entries are relearned as IGMP version 2 (GDA-based) entries after the switch receives an IGMP version 3 report. Any subsequent IGMP version 3 reports for other multicast sources or groups are also processed as version 2 reports.
Note
Examples
This example shows how to enable IGMP version 3 processing:
Console> (enable) set igmp v3-processing enableIGMP V3 processing enabledConsole> (enable)This example shows how to disable IGMP version 3 processing:
Console> (enable) set igmp v3-processing disableIGMP V3 processing disabledConsole> (enable)
Related Commands
set igmp fastblock
show multicast v3-groupset inlinepower defaultallocation
To set the default power allocation for a port, use the set inlinepower defaultallocation command.
set inlinepower defaultallocation value
Syntax Description
Defaults
The default is 10000 milliwatts.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
7000 milliwatts is the maximum power supported for these modules: WS-X6148-RJ21V, WS-X6148-RJ45V, WS-X6348-RJ21V, and WS-X6348-RJ45V.
Examples
This example shows how to set the default power allocation to 2000 milliwatts:
Console> (enable) set inlinepower defaultallocation 2000Default inline power allocation set to 9500 mWatt per applicable port.Console> (enable)Related Commands
set port inlinepower
show environment
show port inlinepowerset interface
To configure the in-band and Serial Line Internet Protocol (SLIP) interfaces on the switch, use the set interface command.
set interface {sc0 | sl0 | sc1} {up | down}
set interface sl0 slip_addr dest_addr
set interface sc0 [vlan] [ip_addr[netmask [broadcast]]]
set interface sc0 [vlan] [ip_addr/netmask [broadcast]]
set interface sc0 dhcp {renew | release}
set interface sc1 [vlan] [ip_addr[netmask [broadcast]]]
set interface sc1 [vlan] [ip_addr/netmask [broadcast]]
Syntax Description
Defaults
The default configuration is the in-band interface (sc0) in VLAN 1 with the IP address, subnet mask, and broadcast address set to 0.0.0.0. The default configuration for the SLIP interface (sl0) is that the IP address and broadcast address are set to 0.0.0.0.0.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set interface sc0 dchp command is valid only when the address is learned from the DHCP server and available in privileged mode only.
Two configurable network interfaces are on a Catalyst 6500 series switch: in-band (sc0) and SLIP (sl0). Configuring the sc0 interface with an IP address and subnet mask allows you to access the switch CLI via Telnet from a remote host. You should assign the sc0 interface to an active VLAN configured on the switch (the default is VLAN 1). Make sure the IP address you assign is in the same subnet as other stations in that VLAN.
Configuring the sl0 interface with an IP address and destination address allows you to make a point-to-point connection to a host through the console port. Use the slip attach command to activate SLIP on the console port (you will not be able to access the CLI via a terminal connected to the console port until you use the slip detach command to deactivate SLIP on the console port).
When you specify the netmask value, this indicates the number of bits allocated to subnetting in the hostid section of the given Class A, B, or C address. For example, if you enter an IP address for the sc0 interface as 172.22.20.7, the hostid bits for this Class B address is 16.
If you enter the netmask value in length of bits, for example, 204.20.22.7/24, the range for length is from
0 to 31 bits. If you do not enter the netmask value, the number of bits is assumed to be the natural netmask.Examples
This example shows how to use set interface sc0 and set interface sl0 from the console port. It also shows how to bring down interface sc0 using a terminal connected to the console port:
Console> (enable) set interface sc0 192.20.11.44/255.255.255.0Interface sc0 IP address and netmask set.Console> (enable) set interface sl0 192.200.10.45 192.200.10.103Interface sl0 SLIP and destination address set.Console> (enable) set interface sc0 downInterface sc0 administratively down.Console> (enable)This example shows how to set the IP address for sc0 through a Telnet session. Note that the default netmask for that IP address class is used (for example, a Class C address uses 255.255.255.0, and a Class B uses 255.255.0.0):
Console> (enable) set interface sc0 192.200.11.40This command may disconnect active telnet sessions.Do you want to continue (y/n) [n]? yInterface sc0 IP address set.This example shows how to take the interface out of operation through a Telnet session:
Console> (enable) set interface sc0 downThis command will inactivate telnet sessions.Do you want to continue (y/n) [n]? yInterface sc0 administratively down.This example shows how to assign the sc0 interface to a particular VLAN:
Console> (enable) set interface sc0 5Interface sc0 vlan set.Console> (enable)This example shows what happens when you assign the sc0 interface to a nonactive VLAN:
Console> (enable) set interface sc0 200Vlan is not active, user needs to set vlan 200 activeInterface sc0 vlan set.Console> (enable)This example shows how to release a DHCP-learned IP address back to the DHCP IP address pool:
Console> (enable) set interface sc0 dhcp releaseReleasing IP address...DoneConsole> (enable)This example shows how to renew a lease on a DHCP-learned IP address:
Console> (enable) set interface sc0 dhcp renewRenewing IP address...DoneConsole> (enable)This example shows how to set the IP address for sc1 from the console port:
Console> (enable) set interface sc1 10.6.33.15 255.255.255.0set interface sc1 10.6.33.15 255.255.255.0Interface sc1 IP address and netmask set.Console> (enable)Related Commands
set ip alias
To add aliases of IP addresses, use the set ip alias command.
set ip alias name ip_addr
Syntax Description
Defaults
The default configuration is one IP alias (0.0.0.0) configured as the default.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to define an IP alias of mercury for IP address 192.122.174.234:
Console> (enable) set ip alias mercury 192.122.174.234IP alias added.Console> (enable)Related Commands
set ip dns
To enable or disable DNS, use the set ip dns command.
set ip dns {enable | disable}
Syntax Description
Defaults
The default is DNS is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable DNS:
Console> (enable) set ip dns enableDNS is enabled.Console> (enable)This example shows how to disable DNS:
Console> (enable) set ip dns disableDNS is disabled.Console> (enable)Related Commands
set ip dns domain
To set the default DNS domain name, use the set ip dns domain command.
set ip dns domain name
Syntax Description
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you specify a domain name on the command line, the system attempts to resolve the host name as entered. If the system cannot resolve the host name as entered, it appends the default DNS domain name as defined with the set ip dns domain command. If you specify a domain name with a trailing dot, the program considers this to be an absolute domain name.
Examples
This example shows how to set the default DNS domain name:
Console> (enable) set ip dns domain yow.comDNS domain name set to yow.com.Console> (enable)Related Commands
clear ip dns domain
show ip dnsset ip dns server
To set the IP address of a Domain Name System (DNS) server, use the set ip dns server command.
set ip dns server ip_addr [primary]
Syntax Description
ip_addr
IP address of the DNS server.
primary
(Optional) Configures a DNS server as the primary server.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure up to three DNS name servers as backup. You can also configure any DNS server as the primary server. The primary server is queried first. If the primary server fails, the backup servers are queried.
If DNS is disabled, you must use the IP address with all commands that require explicit IP addresses or manually define an alias for that address. The alias has priority over DNS.
Examples
These examples show how to set the IP address of a DNS server:
Console> (enable) set ip dns server 198.92.30.32198.92.30.32 added to DNS server table as primary server.Console> (enable) set ip dns server 171.69.2.132 primary171.69.2.132 added to DNS server table as primary server.Console> (enable) set ip dns server 171.69.2.143 primary171.69.2.143 added to DNS server table as primary server.This example shows what happens if you enter more than three DNS name servers as backup:
Console> (enable) set ip dns server 161.44.128.70DNS server table is full. 161.44.128.70 not added to DNS server table.Related Commands
clear ip dns server
show ip dnsset ip fragmentation
To enable or disable the fragmentation of IP packets bridged between FDDI and Ethernet networks, use the set ip fragmentation command.
set ip fragmentation {enable | disable}
Syntax Description
enable
Permits fragmentation for IP packets bridged between FDDI and Ethernet networks.
disable
Disables fragmentation for IP packets bridged between FDDI and Ethernet networks.
Defaults
The default value is IP fragmentation is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If IP fragmentation is disabled, packets are dropped.
Note that FDDI and Ethernet networks have different maximum transmission units (MTUs).
Examples
This example shows how to disable IP fragmentation:
Console> (enable) set ip fragmentation disableBridge IP fragmentation disabled.Console> (enable)Related Commands
set ip http port
To configure the TCP port number for the HyperText Transfer Protocol (HTTP) server, use the set ip http port command.
set ip http port {default | port-number}
Syntax Description
default
Specifies the default HTTP server port number (80).
port-number
Number of the TCP port for the HTTP server; valid values are from 1 to 65535.
Defaults
The default TCP port number is 80.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to set the IP HTTP port default:
Console> (enable) set ip http port defaultHTTP TCP port number is set to 80.Console> (enable)This example shows how to set the IP HTTP port number:
Console> (enable) set ip http port 2398HTTP TCP port number is set to 2398.Console> (enable)Related Commands
set ip http server
show ip httpset ip http server
To enable or disable the HTTP server, use the set ip http server command.
set ip http server {enable | disable}
Syntax Description
Defaults
The default is the HTTP server is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable the HTTP server:
Console> (enable) set ip http server enableHTTP server is enabled.Console> (enable)This example shows the system response when the HTTP server-enabled command is not supported:
Console> (enable) set ip http server enableFeature not supported.Console> (enable)This example shows how to disable the HTTP server:
Console> (enable) set ip http server disableHTTP server disabled.Console> (enable)Related Commands
set ip permit
To enable or disable the IP permit list and to specify IP addresses to be added to the IP permit list, use the set ip permit command.
set ip permit {enable | disable}
set ip permit {enable | disable} [telnet | ssh | snmp]
set ip permit addr [mask] [telnet | ssh | snmp | all]
Syntax Description
Defaults
The default is IP permit list is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can achieve the same functionality of the IP permit list by using VLAN access control lists (VACLs). VACLs are handled by hardware (PFC), and the processing is considerably faster. For VACL configuration information, refer to the Catalyst 6000 Family Software Configuration Guide.
You can configure up to 100 entries in the permit list. If you enable the IP permit list, but the permit list has no entries configured, a caution displays on the screen.
Make sure you enter the entire disable keyword when entering the set ip permit disable command. If you abbreviate the keyword, the abbreviation is interpreted as a host name to add to the IP permit list.
If you do not specify the snmp, ssh, telnet, or all keyword, the IP address is added to both the SNMP and Telnet permit lists.
You enter the mask in dotted decimal format, for example, 255.255.0.0.
Examples
This example shows how to add an IP address to the IP permit list:
Console> (enable) set ip permit 192.168.255.255192.168.255.255 added to IP permit list.Console> (enable)This example shows how to add an IP address using an IP alias or host name to both the SNMP and Telnet permit lists:
Console> (enable) set ip permit batboybatboy added to IP permit list.Console> (enable)This example shows how to add a subnet mask of the IP address to both the SNMP and Telnet permit lists:
Console> (enable) set ip permit 192.168.255.255 255.255.192.0192.168.255.255 with mask 255.255.192.0 added to IP permit list.Console> (enable)This example shows how to add an IP address to the Telnet IP permit list:
Console> (enable) set ip permit 172.16.0.0 255.255.0.0 telnet172.16.0.0 with mask 255.255.0.0 added to telnet permit list.Console> (enable)This example shows how to add an IP address to the SNMP IP permit list:
Console> (enable) set ip permit 172.20.52.32 255.255.255.224 snmp172.20.52.32 with mask 255.255.255.224 added to snmp permit list.Console> (enable)This example shows how to add an IP address to all IP permit lists:
Console> (enable) set ip permit 172.20.52.3 all172.20.52.3 added to IP permit list.Console> (enable)This example shows how to enable the IP permit list:
Console> (enable) set ip permit enableTelnet, Snmp and Ssh permit list enabledConsole> (enable)This example shows how to disable the IP permit list:
Console> (enable) set ip permit disableTelnet, Snmp and Ssh permit list disabled.Console> (enable)This example shows how to enable a specific IP permit list type:
Console> (enable) set ip permit enable sshSSH permit list enabled.Console> (enable)Related Commands
set ip redirect
To enable or disable ICMP redirect messages on the Catalyst 6500 series switches, use the set ip redirect command.
set ip redirect {enable | disable}
Syntax Description
enable
Permits ICMP redirect messages to be returned to the source host.
disable
Prevents ICMP redirect messages from being returned to the source host.
Defaults
The default configuration is ICMP redirect is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to deactivate ICMP redirect messages:
Console> (enable) set ip redirect disableICMP redirect messages disabled.Console> (enable)Related Commands
set ip route
To add IP addresses or aliases to the IP routing table, use the set ip route command.
set ip route {destination}[/netmask] {gateway} [metric] [primary]
Syntax Description
Defaults
The default configuration routes the local network through the sc0 interface with metric 0 as soon as sc0 is configured.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure up to three default gateways. The primary is the highest priority. If you do not designate a primary gateway, priority is based on the order of input. If you enter two primary definitions, the second definition becomes the primary and the first definition becomes the secondary default IP gateway.
You can only specify the primary keyword for a default route.
When you enter the destination value or gateway value, enter it in dot notation, for example, a.b.c.d.
When you specify the netmask value, this indicates the number of bits allocated to subnetting in the hostid section of the given Class A, B, or C address. For example, if you enter an IP address for the sc0 interface as 172.22.20.7, the hostid bits for this Class B address is 16. Any number of bits in the hostid bits can be allocated to the netmask field. If you do not enter the netmask value, the number of bits is assumed to be the natural netmask.
When you enter the netmask, enter it as the number of bits or dot format, for example, destination/24 or destination/255.255.255.0. If you enter the netmask in dot format, you must have contiguous 1s.
Examples
These examples show how to add three default routes to the IP routing table, checking after each addition using the show ip route command:
Console> (enable) set ip route default 192.122.173.42 1 primaryRoute added.Console> (enable)Console> (enable) show ip routeFragmentation Redirect Unreachable------------- -------- -----------enabled enabled enabledDestination Gateway Flags Use Interface--------------- --------------- ------ ---------- ---------default 192.122.173.42 UG 59444 sc0192.22.74.0 192.22.74.223 U 5 sc0Console> (enable)Console> (enable) set ip route default 192.122.173.43 1Route added.Console> (enable)Console> (enable) show ip routeFragmentation Redirect Unreachable------------- -------- -----------enabled enabled enabledDestination Gateway Flags Use Interface--------------- --------------- ------ ---------- ---------default 192.122.173.43 UG 59444 sc0default 192.122.173.42 UG 59444 sc0192.22.74.0 192.22.74.223 U 5 sc0Console> (enable)Console> (enable) set ip route default 192.122.173.44 1Route added.Console> (enable)Console> (enable) show ip routeFragmentation Redirect Unreachable------------- -------- -----------enabled enabled enabledDestination Gateway Flags Use Interface--------------- --------------- ------ ---------- ---------default 192.122.173.44 UG 59444 sc0default 192.122.173.43 UG 59444 sc0default 192.122.173.42 UG 59444 sc0192.22.74.0 192.22.74.223 U 5 sc0Console> (enable)Related Commands
set ip unreachable
To enable or disable ICMP unreachable messages on the Catalyst 6500 series switch, use the set ip unreachable command.
set ip unreachable {enable | disable}
Syntax Description
enable
Allows IP unreachable messages to be returned to the source host.
disable
Prevents IP unreachable messages from being returned to the source host.
Defaults
The default is ICMP unreachable messages is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable ICMP unreachable messages, the switch returns an ICMP unreachable message to the source host whenever it receives an IP datagram that it cannot deliver. When you disable ICMP unreachable messages, the switch does not notify the source host when it receives an IP datagram that it cannot deliver.
For example, a switch has the ICMP unreachable message function enabled and IP fragmentation disabled. If a FDDI frame is received and needs to transmit to an Ethernet port, the switch cannot fragment the packet. The switch drops the packet and returns an IP unreachable message to the Internet source host.
Examples
This example shows how to disable ICMP unreachable messages:
Console> (enable) set ip unreachable disableICMP Unreachable message disabled.Console> (enable)Related Commands
set kerberos clients mandatory
To make Kerberos authentication mandatory for authenticating to services on the network, use the set kerberos clients mandatory command.
set kerberos clients mandatory
Syntax Description
This command has no arguments or keywords.
Defaults
The default is Kerberos clients are not set to mandatory.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
As an added layer of security, you can optionally configure the switch so that after users authenticate to it, they can authenticate to other services on the network only with Kerberos clients. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to authenticate users using the default method of authentication for that network service. For example, Telnet prompts for a password.
Examples
This example shows how to make Kerberos authentication mandatory:
Console> (enable) set kerberos clients mandatoryKerberos clients set to mandatoryConsole> (enable)Related Commands
clear kerberos clients mandatory
set kerberos credentials forward
show kerberosset kerberos credentials forward
To configure clients to forward users' credentials as they connect to other hosts in the Kerberos realm, use the set kerberos credentials forward command.
set kerberos credentials forward
Syntax Description
This command has no arguments or keywords.
Defaults
The default is forwarding is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
A user authenticated to a Kerberized switch has a ticket granting ticket (TGT) and can use it to authenticate to a host on the network. However, if forwarding is not enabled and a user tries to list credentials after authenticating to a host, the output will show no Kerberos credentials present.
You can optionally configure the switch to forward user TGTs as they authenticate from the switch to Kerberized remote hosts on the network by using Kerberized Telnet.
Examples
This example shows how to enable Kerberos credentials forwarding:
Console> (enable) set kerberos credentials forwardKerberos credentials forwarding enabledConsole> (enable)Related Commands
set kerberos clients mandatory
set kerberos local-realm
show kerberosset kerberos local-realm
To configure a switch to authenticate users defined in the Kerberos database, use the set kerberos local-realm command.
set kerberos local-realm kerberos_realm
Syntax Description
Defaults
The default value is a NULL string.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To authenticate a user defined in the Kerberos database, you must configure the switch to know the host name or IP address of the host running the KDC and the name of the Kerberos realm.
You must enter the Kerberos realm name in all uppercase characters.
Examples
This example shows how to set a default Kerberos local realm for the switch:
Console> (enable) set kerberos local-realm CISCO.COMKerberos local realm for this switch set to CISCO.COM.Console> (enable)Related Commands
clear kerberos realm
set kerberos realm
show kerberosset kerberos realm
To map the name of a Kerberos realm to a DNS domain name or a host name, use the set kerberos realm command.
set kerberos realm {dns_domain | host} kerberos_realm
Syntax Description
dns_domain
DNS domain name to map to Kerberos realm.
host
IP address or name to map to Kerberos host realm.
kerberos_realm
IP address or name of Kerberos realm.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can map the name of the Kerberos realm to a DNS domain name or a host name by entering the set kerberos realm command. The information entered with this command is stored in a table with one entry for each Kerberos realm. The maximum number of entries in the table is 100.
You must enter Kerberos realms in uppercase characters.
Examples
This example shows how to map the Kerberos realm to a domain name:
Console> (enable) set kerberos realm CISCO CISCO.COMKerberos DnsDomain-Realm entry set to CISCO - CISCO.COMConsole> (enable)Related Commands
clear kerberos realm
set kerberos local-realm
show kerberosset kerberos server
To specify which Key Distribution Center (KDC) to use on the switch, use the set kerberos server command.
set kerberos server kerberos_realm {hostname | ip_address} [port]
Syntax Description
kerberos_realm
Name of the Kerberos realm.
hostname
Name of host running the KDC.
ip_address
IP address of host running the KDC.
port
(Optional) Number of the port.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can specify to the switch which KDC to use in a Kerberos realm. Optionally, you can also specify the port number which the KDC is monitoring. The Kerberos server information you enter is maintained in a table with one entry for each Kerberos realm. The maximum number of entries in the table is 100.
The KDC is a Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.
Examples
This example shows how to specify the Kerberos server:
Console> (enable) set kerberos server CISCO.COM 187.0.2.1 750Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750Console> (enable)Related Commands
clear kerberos server
show kerberosset kerberos srvtab entry
To enter the SRVTAB file directly into the switch from the command line, use the set kerberos srvtab entry command.
set kerberos srvtab entry kerberos_principal principal_type timestamp key_version_number key_type key_length encrypted_keytab
Syntax Description
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To make it possible for remote users to authenticate to the switch using Kerberos credentials, the switch must share a secret key with the KDC. To do this, you must give the switch a copy of the file that is stored in the KDC, which contains the secret key. These files are called SRVTAB files.
When you enter the SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch. The entries are maintained in the SRVTAB table. The maximum table size is 20 entries.
The KDC is a Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.
The key is encrypted with the private 3DES key when you copy the configuration to a file or enter the show config command.
Examples
This example shows how to enter a SRVTAB file directly into the switch:
Console> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0Kerberos SRVTAB entry set toPrincipal:host/niners.cisco.com@CISCO.COMPrincipal Type:0Timestamp:932423923Key version number:1Key type:1Key length:8Encrypted key tab:03;;5>00>50;0=0=0Related Commands
clear kerberos clients mandatory
show kerberosset kerberos srvtab remote
To provide the switch with a copy of the SRVTAB file from the KDC that contains the secret key, use the set kerberos srvtab remote command.
set kerberos srvtab remote {hostname | ip_address} filename
Syntax Description
hostname
Name of host running the KDC.
ip_address
IP address of host running the KDC.
filename
Name of the SRVTAB file.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To make it possible for remote users to authenticate to the switch using Kerberos credentials, the switch must share a secret key with the KDC. To do this, you must give the switch a copy of the file that is stored in the KDC, which contains the secret key. These files are called SRVTAB files.
The KDC is a Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.
The most secure method to copy SRVTAB files to the hosts in your Kerberos realm is to copy them onto physical media and go to each host in turn and manually copy the files onto the system. To copy SRVTAB files to the switch, which does not have a physical media drive, you must transfer them through the network using TFTP.
Examples
This example shows how to copy SRVTAB files to the switch remotely from the KDC:
Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab Console> (enable)Related Commands
clear kerberos creds
set kerberos srvtab entry
show kerberosset key config-key
To define a private 3DES key, use the set key config-key command.
set key config-key string
Syntax Description
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can define a private 3DES key for the switch. You can use the private 3DES key to encrypt the secret key that the switch shares with the KDC. If you set the 3DES key, the secret key is not displayed in clear text when you execute the show kerberos command. The key length should be eight characters or less.
Examples
This example shows how to define a 3DES key:
Console> (enable) set key config-key abcdKerberos config key set to abcdConsole> (enable)Related Commands
set l2protocol-tunnel cos
To apply a CoS value to all ingress tunneling ports, use the set l2protocol-tunnel cos command.
set l2protocol-tunnel cos cos-value
Syntax Description
Defaults
The default value for CoS is 5.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Because the CoS value applies to all ingress tunneling ports, all encapsulated PDUs sent out by the switch have the same CoS value.
Examples
This example shows how to set the CoS value to 6:
Console> (enable) set l2protocol-tunnel cos 6New CoS value is 6.Console> (enable)Related Commands
clear l2protocol-tunnel cos
clear l2protocol-tunnel statistics
set port l2protocol-tunnel
show l2protocol-tunnel statistics
show port l2protocol-tunnelset l2protocol-tunnel trunk
To set Layer 2 protocol tunneling on trunks, use the set l2protocol-tunnel trunk command.
set l2protocol-tunnel trunk {enable | disable}
Syntax Description
enable
Enables Layer 2 protocol tunneling on trunks.
disable
Disables Layer 2 protocol tunneling on trunks.
Defaults
Layer 2 protocol tunneling on trunks is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Do not enable or disable Layer 2 protocol tunneling on trunks when active layer 2 protocol tunnels are already configured. If you plan to configure Layer 2 protocol tunneling on trunks, do so before performing any other Layer 2 protocol tunneling tasks.
Examples
This example shows how to enable Layer 2 protocol tunneling on trunks:
Console> (enable) set l2protocol-tunnel trunk enableWarning!! Clear any layer 2 protocol tunnel configuration on trunksbefore using this command.Layer 2 Protocol Tunnel on trunks is allowed.Console> (enable)This example shows how to disable Layer 2 protocol tunneling on trunks:
Console> (enable) set l2protocol-tunnel trunk disableWarning!! Clear any layer 2 protocol tunnel configuration on trunksbefore using this command.Layer 2 Protocol Tunnel on trunks is not allowed.Console> (enable)Related Commands
show l2protocol-tunnel statistics
show port l2protocol-tunnelset lacp-channel system-priority
To set the priority of the system, use the set lacp-channel system-priority command.
set lacp-channel system-priority value
Syntax Description
Defaults
The default system priority value is 32768.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
LACP is supported on all Ethernet interfaces.
The set lacp-channel system-priority command is a global command; however, the priority value is used only for the modules that are running LACP. The priority value is ignored on the modules that are running PAgP.
Higher value numbers correspond to lower priority levels.
For differences between PAgP and LACP, refer to the "Guidelines for Port Configuration" section of the "Configuring EtherChannel" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Related Commands
clear lacp-channel statistics
set channelprotocol
set port lacp-channel
set spantree channelcost
set spantree channelvlancost
show lacp-channel
show port lacp-channelset lcperroraction
To configure how your system handles Link Control Protocol (LCP) errors when a module reports an ASIC problem to the NMP, use the set lcperroraction command.
set lcperroraction action
Syntax Description
action
Action for handling LCP errors. See the "Usage Guidelines" section for more information about valid values for action levels.
Defaults
The default is that the action level is set to ignore.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Valid values for action levels are as follows:
•
•
•
Note
Examples
This example shows how to set the action that handles an LCP error:
Console> (enable) set lcperroraction ignoreConsole> (enable)Related Commands
set lda
To configure the ASLB information on the Catalyst 6500 series switch, use the set lda command.
set lda enable | disable
set lda vip {server_virtual_ip} {destination_tcp_port} [{server_virtual_ip} {destination_tcp_port}] ...
set lda mac ld {ld_mac_address}
set lda mac router {mac_address}...
set lda router {router_vlan} {ld_mod/port} [backup_ld_mod/port]
set lda server {server_vlan} {ld_mod/port} [backup_ld_mod/port]
set lda udpage {udpagetime}
Syntax Description
Defaults
The default is the ASLB is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command is supported only on switches configured with the Supervisor Engine 1 with Layer 3 Switching Engine WS-F6K-PFC (Policy Feature Card).
You can enter a zero (0) as a wildcard (don't care) digit for the destination_tcp_port value.
You can enter up to 1024 server_virtual_ip destination_tcp_port entries separated by a space.
To cancel a previously entered VIP, use the clear lda vip command.
To cancel a previously entered MAC LD or router, use the clear lda mac command.
You need to enter the set lda commands to provide all the necessary information before using the commit lda command to program the setup into hardware.
The information you enter through the set lda commands are immediately saved into NVRAM, but you must enter the commit lda command for the setting to take effect.
When you disable the ASLB feature, you can enter the set lda commands, but the commit lda command will fail.
When you enter the set lda mac router command, you can enter up to 32 MAC addresses.
You can enter the value zero (0) to disable the udpage option. The udpagingtime value is specified in milliseconds; values are from 0 milliseconds to 2024000 milliseconds.
Examples
This example shows how to enable the ASLB feature:
Console> (enable) set lda enableSuccessfully enabled Local Director Acceleration.Console> (enable)This example shows how to disable the ASLB feature:
Console> (enable) set lda disableDisabling Local Director Acceleration.....Successfully disabled Local Director Acceleration.Console> (enable)This example shows how to specify the virtual IP address:
Console> (enable) set lda vip 10.0.0.8 8Successfully set server virtual ip and port information.Use commit lda command to save settings to hardware.Console> (enable)This example shows how to specify the MAC address for the LocalDirector:
Console> (enable) set lda mac ld 1-2-3-4-5-6Successfully set mac address.Use commit lda command to save settings to hardware.Console> (enable)This example shows how to specify multiple router MAC addresses:
Console> (enable) set lda mac router 1-2-3-4-5-6 3-4-56-67-4-5Successfully set mac address.Use commit lda command to save settings to hardware.Console> (enable)This example shows how to specify the router VLAN:
Console> (enable) set lda router 110 4/26Successfully set router vlan and ld port.Use commit lda command to save settings to hardware.Console> (enable)This example shows how to specify the udpage aging time:
Console> (enable) set lda udpage 20Successfully set LDA UDP aging time to 20ms.Console> (enable)This example shows how to specify the server VLAN:
Console> (enable) set lda server 105 4/40Successfully set server vlan and LD port.Use commit lda command to save settings to hardware.Console> (enable)Related Commands
set length
To configure the number of lines in the terminal display screen, use the set length command.
set length number [default]
Syntax Description
Defaults
The default value is 24 lines upon starting a session.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Output from a single command that overflows a single display screen is followed by the --More-- prompt. At the --More-- prompt, you can press Ctrl-C, q, or Q to interrupt the output and return to the prompt, press the Spacebar to display an additional screen of output, or press Return to display one more line of output.
Setting the screen length to 0 turns off the scrolling feature and causes the entire output to display at once. Unless you use the default keyword, a change to the terminal length value applies only to the current session.
When you change the value in a session, the value applies only to that session. When you use the clear config command, the number of lines in the terminal display screen is reset to the default of 100.
The default keyword is available in privileged mode only.
Examples
This example shows how to set the screen length to 60 lines:
Console> (enable) set length 60Screen length for this session set to 60.Console> (enable)This example shows how to set the default screen length to 40 lines:
Console> (enable) set length 40 defaultScreen length set to 40.Console> (enable)set localuser
To configure the switch to use local user authentication to authenticate access on the switch, use the set localuser command.
set localuser authentication {enable | disable}
set localuser user username [password pwd] [privilege privilege_level]
set localuser password [user username]
Syntax Description
Defaults
Local user authentication is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure a maximum of twenty-five local user accounts on each switch.
Before you can enable local user authentication you must define at least one local user account.
A username must be fewer than sixty-five characters in length and can consist of alphabetic and numeric characters only. At least one of the characters in the username must be alphabetic.
The privilege level assigned to a username and password combination designates whether a user will be logged in to normal or privileged mode after successful authentication. A user with a privilege level of 0 is automatically logged in to normal mode, and a user with a privilege level of 15 is logged in to privileged mode. A user with a privilege level of 0 can still access privileged mode by entering the enable command and password combination.
Note
Examples
This example shows how to use the create a local user account, including password and privilege level:
Console> (enable) set localuser user picard password captain privilege 15Added local user picard.Console> (enable)This example shows how to enable local user authentication:
Console> (enable) set localuser authentication enableLocalUser authentication enabledConsole> (enable)This example shows how to disable local user authentication:
Console> (enable) set localuser authentication disableLocalUser authentication disabledConsole> (enable)This example shows you how to reset your own password:
Console> (enable) set localuser passwordEnter old password:*****Enter new password:*******Retype new password:*******Password changed.Console> (enable)This example shows you, as an administrator, how to reset the password for a user:
Console> (enable) set localuser password picardEnter new password:*******Retype new password:*******Password changed.Console> (enable)Related Commands
set logging buffer
To limit the number of system logging messages buffered, use the set logging buffer command.
set logging buffer buffer_size
Syntax Description
Defaults
The default value is 500.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to limit the syslog message buffer to 400 messages:
Console> (enable) set logging buffer 400System logging buffer size set to <400>.Console> (enable)Related Commands
clear logging buffer
set logging timestamp
show logging bufferset logging console
To enable and disable the sending of system logging messages to the console, use the set logging console command.
set logging console {enable | disable}
Syntax Description
enable
Enables system message logging to the console.
disable
Disables system message logging to the console.
Defaults
The default is system message logging to the console is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable system message logging to the console:
Console> (enable) set logging console enableSystem logging messages will be sent to the console.Console> (enable)This example shows how to disable system message logging to the console:
Console> (enable) set logging console disableSystem logging messages will not be sent to the console.Console> (enable)Related Commands
set logging level
set logging session
show logging
show logging bufferset logging history
To set the number and severity level of syslog messages sent to the syslog history table, use the set logging history command.
set logging history history_table_size
set logging history severity history_severity_level
Syntax Description
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The Catalyst 6500 series switch holds syslog messages until the number of messages equals the defined size of the history log, after which the N messages are sent.
Examples
This example shows how to set the size of the syslog history table to 400:
Console> (enable) set logging history 400System logging history table size set to <400>.Console> (enable)This example shows how to limit syslog messages that are sent to the history log based on severity level:
Console> (enable) set logging history severity 5System logging history set to severity <5>Console> (enable)Related Commands
clear logging buffer
show loggingset logging level
To set the facility and severity level used when logging system messages, use the set logging level command.
set logging level facility severity [default]
Syntax Description
facility
Value to specify the type of system messages to capture; facility types are listed in Table 2-12.
severity
Value to specify the severity level of system messages to capture; severity level definitions are listed in Table 2-13.
default
(Optional) Causes the specified logging level to apply to all sessions.
Defaults
The default is facility is set to all, and level is set to 0.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can also set the logging level by using the set logging server command.
If you do not use the default keyword, the specified logging level applies only to the current session.
Examples
This example shows how to set the default facility and severity level for system message logging:
Console> (enable) set logging level snmp 2 defaultSystem logging facility <snmp> set to severity 2(critical).Console> (enable)Related Commands
clear logging level
show logging
show logging bufferset logging server
To enable and disable system message logging to configured syslog servers and to add a syslog server to the system logging server table, use the set logging server command.
set logging server {enable | disable}
set logging server ip_addr
set logging server facility severity
set logging server severity severity
set logging server facility
Syntax Description
enable
Enables system message logging to configured syslog servers.
disable
Disables system message logging to configured syslog servers.
ip_addr
IP address of the syslog server to be added to the configuration.
facility
Type of system messages to capture; server facility types are listed in Table 2-14.
severity
Severity level; severity level definitions are listed in Table 2-13.
severity severity
Sets the syslog maximum severity control globally for all message types; severity level definitions are listed in Table 2-13.
Defaults
The default is no syslog servers are configured to receive system messages.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can also set the logging level by using the set logging level command. If you do not enter the facility or server keywords, the parameter is applied to all levels.
Severity logging to a configured syslog server depends on the configuration set by the set logging level command. The server severity level must be greater than or equal to the default severity level of the message facility that you expect to receive in syslog messages on the syslog server.
Examples
This example shows how to enable system message logging to the server:
Console> (enable) set logging server enableSystem logging messages will be sent to the configured syslog servers.Console> (enable)This example shows how to disable system message logging to the server:
Console> (enable) set logging server disableSystem logging messages will not be sent to the configured syslog servers.Console> (enable)This example shows how to add a server to the system logging server table using its IP address:
Console> (enable) set logging server 171.69.192.205171.69.192.205 added to the System logging server table.Console> (enable)This example shows how to globally set the syslog maximum severity control for all message types:
Console> (enable) set logging server severity 4System logging server severity set to 4(warnings).Console> (enable)Related Commands
clear logging server
show loggingset logging session
To enable or disable the sending of system logging messages to the current login session, use the set logging session command.
set logging session {enable | disable}
Syntax Description
enable
Enables the sending of system logging messages to the current login session.
disable
Disables the sending of system logging messages to the current login session.
Defaults
The default is system message logging to the current login session is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to prevent system logging messages from being sent to the current login session:
Console> (enable) set logging session disableSystem logging messages will not be sent to the current login session.Console> (enable)This example shows how to cause system logging messages to be sent to the current login session:
Console> (enable) set logging session enableSystem logging messages will be sent to the current login session.Console> (enable)Related Commands
set logging console
set logging level
show logging
show logging bufferset logging telnet
To enable or disable logging on Telnet sessions, use the set logging telnet command.
set logging telnet {enable | disable}
Syntax Description
Defaults
The default is system message logging to the Telnet session is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to allow system logging messages to be sent to new Telnet sessions:
Console> (enable) set logging telnet enableSystem logging messages will be sent to the new telnet sessions.Console> (enable)This example shows how to prevent system logging messages from being sent to new Telnet sessions:
Console> (enable) set logging telnet disableSystem logging messages will not be sent to the new telnet sessions.Console> (enable)Related Commands
set logging console
set logging level
show logging
show logging bufferset logging timestamp
To enable or disable the time-stamp display on system logging messages, use the set logging timestamp command.
set logging timestamp {enable | disable}
Syntax Description
Defaults
By default, system message logging time-stamp is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable the time-stamp display:
Console> (enable) set logging timestamp enableSystem logging messages timestamp will be enabled.Console> (enable)This example shows how to disable the time-stamp display:
Console> (enable) set logging timestamp disableSystem logging messages timestamp will be disabled.Console> (enable)Related Commands
