Table Of Contents
set crypto key rsa
set default portstatus
set dhcp-snooping
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
set dot1q-all-tagged
set dot1x
set enablepass
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set errdisable-timeout
set errordetection
set ethernet-cfm
set ethernet-cfm continuity-check
set ethernet-cfm continuity-check level
set ethernet-cfm domain
set ethernet-cfm vlan
set fan-tray-version
set feature agg-link-partner
set feature mdg
set firewall
set ftp
set garp timer
set gmrp
set gmrp fwdall
set gmrp registration
set gmrp timer
set gvrp
set gvrp applicant
set gvrp dynamic-vlan-creation
set gvrp registration
set gvrp timer
set igmp
set igmp fastblock
set igmp fastleave
set igmp flooding
set igmp leave-query-type
set igmp mode
set igmp querier
set igmp v3-processing
set image-verification
set inlinepower
set interface
set ip alias
set ip device-tracking
set ip dns
set ip dns domain
set ip dns server
set ip fragmentation
set ip http port
set ip http server
set ip permit
set ip redirect
set ip route
set ip telnet server
set ip unreachable
set kerberos clients mandatory
set kerberos credentials forward
set kerberos local-realm
set kerberos realm
set kerberos server
set kerberos srvtab entry
set kerberos srvtab remote
set key config-key
set l2protocol-tunnel cos
set l2protocol-tunnel trunk
set lacp-channel system-priority
set lcperroraction
set lda
set length
set localuser
set logging buffer
set logging callhome
set logging callhome destination
set logging callhome from
set logging callhome reply-to
set logging callhome severity
set logging callhome smtp-server
set logging console
set logging history
set logging level
set logging server
set logging session
set logging telnet
set logging timestamp
set logout
set mac-auth-bypass
set macro
set crypto key rsa
To generate and configure an RSA key pair, use the set crypto key rsa command.
set crypto key rsa nbits [force]
Syntax Description
nbits | Size of the key; valid values are 512 to 2048 bits.
force | (Optional) Regenerates the keys and suppresses the warning prompt about overwriting existing keys.
Defaults
The command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The crypto commands are supported on systems that run these image types only:
• supk9 image—for example, cat6000-supk9.6-1-3.bin
• supcvk9 image—for example, cat6000-supcvk9.6-1-3.bin
If you do not enter the force keyword, the set crypto key command is saved into the configuration file and you will have to use the clear config all command to clear the RSA keys.
The nbits value is required.
To support SSH login, you first must generate an RSA key pair.
Examples
This example shows how to create an RSA key:
Console> (enable) set crypto key rsa 1024
Generating RSA keys.... [OK]
Related Commands
clear crypto key rsa
show crypto key
set default portstatus
To set the default port status, use the set default portstatus command.
set default portstatus {enable | disable}
Syntax Description
enable | Activates default port status.
disable | Deactivates default port status.
Defaults
The default is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enter the clear config all command, or if a configuration loss occurs, all ports collapse into VLAN 1. This situation can cause a security exposure and network instability. If you have set the default port status to disable, all ports are put into the disabled state after a configuration loss and the traffic flowing through the ports is blocked. You can then manually configure the ports back to the enabled state.
This command is not saved in the configuration file.
After you set the default port status, the default port status does not clear when you enter the clear config all command.
Examples
This example shows how to disable the default port status:
Console> (enable) set default portstatus disable
port status set to disable.
Related Commands
show default
set dhcp-snooping
To enable or disable DHCP snooping information-option host tracking or MAC address matching, or to configure storage of the DHCP snooping bindings database, use the set dhcp-snooping command.
set dhcp-snooping information-option host-tracking {enable | disable}
set dhcp-snooping match-mac {enable | disable}
set dhcp-snooping bindings-database auto-save interval
set dhcp-snooping bindings-database device:[filename]
Syntax Description
information-option | Specifies the DHCP information option feature.
host-tracking | Specifies host tracking.
enable | Enables the specified DHCP snooping feature.
disable | Disables the specified DHCP snooping feature.
match-mac | Specifies the DHCP snooping MAC address matching feature.
bindings-database | Configures storage of the DHCP snooping bindings database.
auto-save | Specifies the bindings database automatic save interval.
interval | Time interval in minutes; valid values are from 0 to 35000.
device:[filename] | Flash device where the bindings are saved and, optionally, the name of the file that contains the bindings.
Defaults
Host tracking is disabled.
MAC address matching is enabled.
The interval is 0, which means that the auto-save feature is disabled.
The flash device is bootflash and the default filename is "dhcp-snooping-bindings-database."
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set dhcp-snooping information-option host-tracking {enable | disable} command enables or disables host tracking. Enabling host tracking causes the DHCP snooping process to insert the relay information agent option (option 82) with remote ID and circuit ID suboptions in all client-to-server DHCP packets on VLANs for which DHCP snooping is enabled. Enabling host tracking also activates the processing of option 82 in received server-to-client packets.
The set dhcp-snooping match-mac {enable | disable} command enables or disables the MAC address matching feature. When this option is enabled, the source MAC address in the Ethernet header is matched with the "chaddr" field in the DHCP payload for DHCP packets that come from untrusted ports. If the MAC address and "chaddr" field do not match, packets are dropped, and the counter for dropped packets on untrusted ports is incremented.
If DHCP snooping is disabled on a VLAN, the bindings for that VLAN are deleted.
The DHCP-snooping binding entries can be stored to a flash device so that the bindings can be restored immediately after the switch is reset.
To configure the auto-save interval for DHCP-snooping bindings, use the auto-save interval option. Valid ranges for the interval are 1 through 35000 minutes. Specifying a 0 disables the periodic saving of bindings on the flash device and deletes the bindings file stored in flash. Specifying a 0 does not clear a user-specified filename. The user-specified filename is cleared and returned to the default filename after you enter the clear config all command.
To specify the flash device and filename for storing the bindings, use the device:filename option. By default, the flash device is bootflash and the default filename is "dhcp-snooping-bindings-database." If you have not configured a filename, the bindings are automatically saved with the default filename on the flash device.
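The two checks described above (option 82 insertion on client-to-server packets, and the chaddr-versus-source-MAC comparison on untrusted ports) are shown below as an added worked example. This is illustrative Python written for this page, not CatOS code; the frames are constructed inline, checksums are left at zero, and the DhcpSnooper class, its method names and the "pass/forward/drop" verdicts are this example's own conventions. Only the packet layouts (RFC 2131 BOOTP header, RFC 3046 option 82 suboptions 1 and 2) are standard.

```python
import struct

# Constants from RFC 2131 / RFC 3046; everything else below is constructed for this example.
ETHERTYPE_IPV4 = 0x0800
BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_frame(frame):
    """Return (ethernet_source_mac, dhcp_payload) for an Ethernet/IPv4/UDP DHCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    eth_src, ip = frame[6:12], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:  # IP protocol must be UDP
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) not in ((68, 67), (67, 68)):
        return None
    return eth_src, udp[8:]


def chaddr(dhcp):
    """Client hardware address: the first hlen bytes of the 16-byte chaddr field at offset 28."""
    return dhcp[28:28 + dhcp[2]]


def parse_options(dhcp):
    """Return ({code: value}, offset_of_END). PAD bytes are skipped; the walk stops at END."""
    opts, i = {}, 240  # 236-byte BOOTP header + 4-byte magic cookie
    while i < len(dhcp) and dhcp[i] != OPT_END:
        if dhcp[i] == OPT_PAD:
            i += 1
            continue
        n = dhcp[i + 1]
        opts[dhcp[i]] = dhcp[i + 2:i + 2 + n]
        i += 2 + n
    return opts, i


def insert_option82(dhcp, circuit_id, remote_id):
    """Append a relay agent information option (82) with circuit-ID and remote-ID suboptions before END."""
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    end = parse_options(dhcp)[1]
    return dhcp[:end] + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + dhcp[end:]


class DhcpSnooper:
    """Per-switch state for the two features the set dhcp-snooping command controls (example model)."""

    def __init__(self, match_mac=True, host_tracking=False):
        self.match_mac = match_mac          # set dhcp-snooping match-mac {enable | disable}
        self.host_tracking = host_tracking  # set dhcp-snooping information-option host-tracking {enable | disable}
        self.untrusted_drops = 0            # the "dropped packets on untrusted ports" counter

    def process(self, frame, trusted, circuit_id=b"", remote_id=b""):
        """Return ("forward", dhcp_bytes), ("drop", reason), or ("pass", None) for a non-DHCP frame."""
        parsed = parse_frame(frame)
        if parsed is None:
            return "pass", None
        eth_src, dhcp = parsed
        client_to_server = dhcp[0] == BOOTREQUEST
        if client_to_server and not trusted and self.match_mac and chaddr(dhcp) != eth_src:
            self.untrusted_drops += 1
            return "drop", "chaddr does not match Ethernet source MAC on untrusted port"
        if client_to_server and self.host_tracking:
            dhcp = insert_option82(dhcp, circuit_id, remote_id)
        return "forward", dhcp


def build_discover(eth_src, client_hw):
    """Constructed DHCPDISCOVER frame (Ethernet + IPv4 + UDP + BOOTP) for testing; checksums are left zero."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        client_hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dhcp = bootp + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_IPV4) + ip
```

A frame whose Ethernet source differs from the chaddr it carries is what a client sends when it tries to exhaust the pool or impersonate another host from an untrusted port; the example drops it and bumps the counter, but forwards the same frame unchanged when it arrives on a trusted port or when match-mac is disabled, which is the behaviour to keep in mind when deciding which ports to trust.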
Examples
This example shows how to enable DHCP snooping information-option host tracking:
Console> (enable) set dhcp-snooping information-option host-tracking enable
DHCP Snooping Information Option Enabled.
This example shows how to disable DHCP snooping MAC address matching:
Console> (enable) set dhcp-snooping match-mac disable
DHCP Snooping MAC address matching disabled.
This example shows how to enable the auto-save option for DHCP-snooping binding entries and specify an interval of 600 minutes for the periodic saving of the bindings:
Console> (enable) set dhcp-snooping bindings-database auto-save 600
DHCP Snooping auto-save interval set to 600 minutes.
This example shows how to specify the flash device and filename for storing the bindings:
Console> (enable) set dhcp-snooping bindings-database disk1:dhcp-bindings
DHCP Snooping bindings storage file set to disk1:dhcp-bindings.
Related Commands
set diagnostic bootup level
To specify the bootup generic online diagnostics level, use the set diagnostic bootup level command.
set diagnostic bootup level {bypass | complete | minimal}
Syntax Description
bypass | Skips all online diagnostic tests.
complete | Runs all online diagnostic tests.
minimal | Runs only PFC tests for the supervisor engine and loopback tests for all ports.
Defaults
The bootup level is minimal.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Although the default bootup level for generic online diagnostics is minimal, we recommend that you set the level to complete. We strongly recommend that you do not bypass diagnostics.
The bootup diagnostics level applies to the entire switch. The bootup diagnostics level cannot be configured on a per-module basis.
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to specify complete as the bootup diagnostics level:
Console> (enable) set diagnostic bootup level complete
Diagnostic level set to complete
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic
set diagnostic diagfail-action
To specify the generic online diagnostics failure response for the system, use the set diagnostic diagfail-action command.
set diagnostic diagfail-action {ignore | system}
Syntax Description
ignore | Specifies that test failures are ignored and the system still boots up.
system | Specifies that test failures trigger error recovery.
Defaults
The system keyword is the default.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to configure the system to ignore test failures and still boot up:
Console> (enable) set diagnostic diagfail-action ignore
Diagnostic failure action set to ignore.
This example shows how to trigger an error recovery in the event of test failures:
Console> (enable) set diagnostic diagfail-action system
Diagnostic failure action set to system.
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic
set diagnostic event-log size
To specify the size of event log for generic online diagnostics, use the set diagnostic event-log size command.
set diagnostic event-log size number_of_entries
Syntax Description
number_of_entries | Number of online diagnostics events in the event log; valid values are 1 to 10000.
Defaults
500 entries.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to specify 1000 entries for the online diagnostics event log size:
Console> (enable) set diagnostic event-log size 1000
Diagnostic event-log size set to 1000
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic
set diagnostic monitor
To configure generic online diagnostic health monitoring, use the set diagnostic monitor command.
set diagnostic monitor interval module mod_num test {all | test_ID_num | test_list} hh:mm:ss
set diagnostic monitor module mod_num test {all | test_ID_num | test_list}
set diagnostic monitor syslog
Syntax Description
interval module | Configures online diagnostic monitoring test intervals.
mod_num | Number of the module.
test | Specifies particular online diagnostic tests.
all | Specifies all online diagnostic tests.
test_ID_num | Number of a specific online diagnostic test.
test_list | List of online diagnostic tests.
hh:mm:ss | Time in 24-hour format.
module | Enables health-monitoring diagnostic tests.
syslog | Enables syslog generation when a test fails.
Defaults
Disruptive tests are disabled by default. Some non-disruptive tests are enabled by default. Use the show diagnostic content module command to determine which tests are disruptive (D) and non-disruptive (N) by looking at the "Attributes" column of the command output. We recommend that only the non-disruptive tests be used for health monitoring.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure health-monitoring diagnostic testing on specified modules while the switch is connected to a live network. You can specify the execution interval for each health-monitoring test, whether or not to generate a system message upon test failure, or whether an individual test should be enabled or disabled.
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to specify that the online diagnostic health-monitoring tests (test 18) be run on module 7 at 12:12:12 and 100 milliseconds every 10 days:
Console> (enable) set diagnostic monitor interval module 7 test 18 12:12:12 100 10
Diagnostic monitor interval set at 12:12:12 100 10 for module 7 test 18
This example shows how to enable test 18 on module 7:
Console> (enable) set diagnostic monitor module 7 test 18
Module 7 test 18 diagnostic monitor enable.
This example shows how to enable syslog generation when a test fails:
Console> (enable) set diagnostic monitor syslog
Diagnostic monitor syslog enable.
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic ondemand
set diagnostic schedule
show diagnostic
set diagnostic ondemand
To configure on-demand generic online diagnostics, use the set diagnostic ondemand command.
set diagnostic ondemand action-on-failure {continue failure_limit | stop}
set diagnostic ondemand iterations number_of_iterations
Syntax Description
action-on-failure | Sets the action that the switch takes in the event of online diagnostic test failures.
continue failure_limit | Continues on-demand tests until the test failure limit is reached; valid values are from 0 to 65534 failures.
stop | Specifies that online diagnostic tests stop when a single failure occurs.
iterations | Specifies the number of times to repeat online diagnostic tests.
number_of_iterations | Number of times to repeat online diagnostic tests; valid values are from 1 to 999.
Defaults
The failure_limit argument is 0.
The number_of_iterations argument is 1.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For a complete list of on-demand generic online diagnostic tests for supervisor engines, fabric-enabled modules, and non-fabric-enabled modules, see the "Configuring GOLD" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to specify that the online diagnostics continue running until 100 failures have occurred and then stop:
Console> (enable) set diagnostic ondemand action-on-failure continue 100
Diagnostic ondemand action-on-failure set to continue 100
This example shows how to specify that the online diagnostics run 50 times:
Console> (enable) set diagnostic ondemand iterations 50
Diagnostic ondemand iterations set to 50
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic schedule
show diagnostic
set diagnostic schedule
To schedule generic online diagnostics, use the set diagnostic schedule command.
set diagnostic schedule module mod_num test {all | test_ID_num | test_list} {port {port_num | port_range | all} | daily hh:mm | on month days_of_month range_of_years hh:mm | weekly day hh:mm}
Syntax Description
module mod_num | Specifies the module for which to schedule online diagnostics.
test | Specifies particular online diagnostic tests.
all | Specifies all online diagnostic tests.
test_ID_num | Number of a specific online diagnostic test.
test_list | List of online diagnostic tests.
port | Specifies the port on which the online diagnostic tests are run.
port_num | Number of the port.
port_range | Range of ports.
all | Specifies all ports on the module.
daily | Specifies a daily schedule.
hh:mm | Hour and minute.
on | Specifies an absolute schedule.
month | Specifies the month.
days_of_month | Days of the month; valid values are from 1 to 31.
range_of_years | Range of years; valid values are from 1993 to 2035.
weekly | Specifies a weekly schedule.
day | Specifies a day of the week.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a specific module. You can specify that all tests be run or that individual tests be run. The tests can be scheduled to run only once or be repeated at specified intervals.
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to schedule diagnostic testing (test 1 specified) to occur daily at a certain time for a specific module:
Console> (enable) set diagnostic schedule module 7 test 1 daily 12:12
Diagnostic schedule set at daily 12:12 for module 7 test 1
This example shows how to schedule diagnostic testing (test 3 specified) to occur daily at a certain time for a specific port and module:
Console> (enable) set diagnostic schedule module 7 test 3 port 1 daily 16:16
Diagnostic schedule set at daily 16:16 for module 7 test 3
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
show diagnostic
set dot1q-all-tagged
To change all existing and new dot1q trunks to the dot1q-only mode, use the set dot1q-all-tagged command.
set dot1q-all-tagged {enable | disable}
Syntax Description
enable | Enables dot1q-tagged-only mode.
disable | Disables dot1q-tagged-only mode.
Defaults
dot1q-tagged-only mode is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable dot1q-tagged-only, all data packets are sent out tagged and all received untagged data packets are dropped on all 802.1Q trunks.
You cannot enable the dot1q tunneling feature on a port until dot1q-tagged-only mode is enabled.
You cannot disable dot1q-tagged-only mode on the switch until dot1q tunneling is disabled on all the ports on the switch.
The optional all keyword is not supported.
Note
Policy-based forwarding (PBF) does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic, but it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.
If you enable dot1q-all-tagged globally, the dot1q-tagged per-port setting controls whether or not frames are tagged. If you disable dot1q-all-tagged globally, the default group is never tagged and the per-port setting has no effect.
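The ingress rule the guidelines describe (untagged frames are dropped on an 802.1Q trunk in tagged-only mode instead of landing in the native VLAN) is modelled below as an added example. It is illustrative Python written for this page, not switch code: the MAC addresses, the native VLAN number and the function names are this example's own, and the frames are constructed inline. The 0x8100 and 0x88A8 tag EtherTypes and the treatment of VID 0 as "priority-tagged, no VLAN" come from IEEE 802.1Q.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # customer (C-) tag
ETHERTYPE_8021AD = 0x88A8  # provider (S-) tag used by some 802.1Q tunnel implementations
VLAN_MASK = 0x0FFF


def peel_tags(frame):
    """Return (vlan_ids, inner_ethertype, payload), removing every stacked tag after the MAC addresses."""
    vids, off = [], 12
    while True:
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        if etype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            return vids, etype, frame[off + 2:]
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & VLAN_MASK)
        off += 4


def trunk_ingress(frame, native_vlan, tagged_only):
    """Classify a frame arriving on an 802.1Q trunk.

    Returns (vlan, remaining_inner_vids, payload) or None when the frame is dropped.
    tagged_only models set dot1q-all-tagged enable: untagged data frames are dropped instead of
    being placed in the native VLAN. A priority-tagged frame (VID 0) carries no VLAN and is
    treated as untagged, per 802.1Q.
    """
    vids, _etype, payload = peel_tags(frame)
    if not vids or vids[0] == 0:
        if tagged_only:
            return None
        return native_vlan, vids[1:], payload
    return vids[0], vids[1:], payload


def trunk_egress_tagged(vlan, native_vlan, tagged_only):
    """Return True when a frame sent out in `vlan` must carry a tag on this trunk."""
    return tagged_only or vlan != native_vlan


def build_frame(vids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed test frame: two made-up MAC addresses, the given tag stack (PCP/DEI 0), then payload."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid) for vid in vids)
    return macs + tags + struct.pack("!H", ethertype) + payload
```

With tagged-only disabled, an untagged frame is silently assigned to the native VLAN and a frame in the native VLAN leaves untagged; with it enabled both paths close, which is why the tunneling feature requires it and why disabling it is refused while any tunnel port exists.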
Examples
This example shows how to enable dot1q tagging:
Console> (enable) set dot1q-all-tagged enable
Related Commands
set port dot1qtunnel
show dot1q-all-tagged
set dot1x
To configure 802.1X on a system, use the set dot1x command.
set dot1x system-auth-control {enable | disable}
set dot1x {quiet-period | tx-period | re-authperiod} seconds
set dot1x {supp-timeout | server-timeout} seconds
set dot1x max-req count
set dot1x shutdown-timeout seconds
set dot1x vlan-group vlan_group_name vlan
set dot1x radius-accounting {enable | disable}
set dot1x radius-vlan-assignment {enable | disable}
set dot1x radius-keepalive {enable | disable}
Syntax Description
system-auth-control | Specifies authentication for the system.
enable | Enables the specified 802.1X function.
disable | Disables the specified 802.1X function.
quiet-period seconds | Specifies the idle time between authentication attempts; valid values are from 0 to 65535 seconds.
tx-period seconds | Specifies the time for the retransmission of the EAP-Request/Identity frame; valid values are from 0 to 65535 seconds. See the "Usage Guidelines" section for additional information.
re-authperiod seconds | Specifies the reauthentication period (the time between periodic reauthentications); valid values are from 1 to 65535 seconds.
supp-timeout seconds | Specifies the time constant for the retransmission of EAP-Request packets; valid values are from 0 to 65535 seconds. See the "Usage Guidelines" section for additional information.
server-timeout seconds | Specifies the time constant for the retransmission of packets by the backend authenticator to the authentication server; valid values are from 1 to 65535 seconds. See the "Usage Guidelines" section for additional information.
max-req count | Specifies the maximum number of times that the state machine retransmits an EAP-Request frame to the supplicant before it times out the authentication session; valid values are from 1 to 10.
shutdown-timeout seconds | Specifies the amount of time that a port is shut down after a security violation; valid values are from 1 to 65535 seconds. See the "Usage Guidelines" section for additional information.
vlan-group | Specifies the VLAN group name.
vlan_group_name | Name of the VLAN group.
vlan | VLAN number; valid values are from 1 to 4094.
radius-accounting | Specifies 802.1X RADIUS accounting and tracking.
radius-vlan-assignment | Specifies 802.1X RADIUS VLAN assignment.
radius-keepalive | Specifies 802.1X RADIUS keepalive state.
Defaults
The default settings are as follows:
• system-auth-control is enabled.
• quiet-period is 60 seconds.
• tx-period is 30 seconds.
• re-authperiod is 3600 seconds.
• supp-timeout is 30 seconds.
• server-timeout is 30 seconds.
• max-req count is 2.
• shutdown-timeout is 300 seconds.
• radius-accounting is disabled.
• radius-vlan-assignment is disabled.
• radius-keepalive is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you set system-auth-control, the following applies:
• The enable keyword allows you to control each port's authorization status per the port-control parameter set using the set port dot1x command.
• The disable keyword makes all ports behave as though the port-control parameter is set to force-authorized.
If you do not enable reauthentication, reauthentication does not automatically occur after authentication has occurred.
Private VLANs and 802.1X configurations are mutually exclusive of one another.
When the supplicant does not notify the authenticator that it received the EAP-request/identity packet, the authenticator waits a period of time (set by entering the tx-period seconds parameter), and then retransmits the packet.
When the supplicant does not notify the backend authenticator that it received the EAP-request packet, the backend authenticator waits a period of time (set by entering the supp-timeout seconds parameter), and then retransmits the packet.
When the authentication server does not notify the backend authenticator that it received specific packets, the backend authenticator waits a period of time (set by entering the server-timeout seconds parameter), and then retransmits the packets.
When you enter the set dot1x dhcp-relay-agent command, you can enter more than one VLAN.
To activate the shutdown-timeout timer on a port, enter the set port dot1x mod/port shutdown-timeout command.
To configure the 802.1X user distribution feature, follow these guidelines:
• Ensure that at least one VLAN is mapped to the VLAN group.
• You can map more than one VLAN to a VLAN group.
• The VLAN group can be modified by adding or deleting a VLAN.
• When an existing VLAN is cleared from the VLAN group name, none of the ports authenticated in the VLAN are cleared, but the mappings are removed from the existing VLAN group.
• If you clear the last VLAN from the VLAN group name, the VLAN group is deleted.
• You can clear a VLAN group even when active VLANs are mapped to the group. When a VLAN group is cleared, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared.
The set dot1x radius-vlan-assignment command enables or disables the RADIUS VLAN assignment feature globally. When the feature is enabled, the switch uses the tunnel attributes in the RADIUS Access-Accept message to extract the VLAN name. If you enter the set dot1x radius-vlan-assignment disable command, the VLAN information that is sent from the RADIUS server is ignored, and the port stays in the NVRAM-configured VLAN.
To check whether or not configured RADIUS servers are alive, the switch can send out a dummy username for authentication. In reply to the dummy username, the RADIUS servers send an access rejection. To turn off authentication attempts that test the RADIUS servers, enter the set dot1x radius-keepalive disable command. If you disable this feature, the switch does not check the status of the servers, and the RADIUS server logs do not fill with dummy attempts.
Note
In software releases 7.5 through 8.2, the command to enable or disable the RADIUS keepalive feature is set feature dot1x-radius-keepalive. In software release 8.3 and later releases, the command is set dot1x radius-keepalive.
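The keepalive exchange described above, as an added example with both sides' messages: the switch sends an Access-Request for a dummy user, the server answers Access-Reject, and the switch accepts that reject as proof of life only because the Response Authenticator is bound to its request and to the shared secret. This is illustrative Python written for this page, not CatOS code or a RADIUS library; the dummy username, the secret, the fixed Request Authenticator and the function names are this example's own, while the packet layout, the User-Password hiding and the authenticator formulas follow RFC 2865.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def attribute(code, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_access_request(ident, secret, username, password, request_auth, nas_id=b"switch"):
    """Client side: the probe the switch sends. request_auth is the 16-byte Request Authenticator,
    which a real client draws fresh and unpredictably for every request."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), request_auth) + attrs


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()


def build_reply(code, request, secret, attrs=b""):
    """Server side: any reply (here an Access-Reject for the unknown dummy user) is bound to the
    request's ID and Request Authenticator and to the shared secret."""
    ident, request_auth = request[1], request[4:20]
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH16s", code, ident, length, auth) + attrs


def server_alive(request, reply, secret):
    """Keepalive verdict. An Access-Reject is the expected answer to the dummy user, so the reply
    code is irrelevant; what proves the server is up is a reply whose ID matches our request and
    whose Response Authenticator verifies under the shared secret. Anything else is treated as silence."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, length, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

The constant-time comparison and the ID check matter even for a liveness probe: without them a host that can reach UDP/1812 could answer with an arbitrary reject and keep a dead server marked alive, which is the opposite of what the keepalive is for.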
Examples
This example shows how to set the system authentication control:
Console> (enable) set dot1x system-auth-control enable
dot1x authorization enabled.
This example shows how to set the idle time between authentication attempts:
Console> (enable) set dot1x quiet-period 45
dot1x quiet-period set to 45 seconds.
This example shows how to set the retransmission time:
Console> (enable) set dot1x tx-period 15
dot1x tx-period set to 15 seconds.
This example shows you how to specify the reauthentication time:
Console> (enable) set dot1x re-authperiod 7200
dot1x re-authperiod set to 7200 seconds
This example shows you how to specify the retransmission of EAP-Request packets by the authenticator to the supplicant:
Console> (enable) set dot1x supp-timeout 15
dot1x supp-timeout set to 15 seconds.
This example shows how to specify the retransmission of packets by the backend authenticator to the authentication server:
Console> (enable) set dot1x server-timeout 15
dot1x server-timeout set to 15 seconds.
This example shows how to specify the maximum number of packet retransmissions:
Console> (enable) set dot1x max-req 5
This example shows how to enable authentication for the DHCP Relay Agent on VLANs 1 through 5 and 24:
Console> (enable) set dot1x dhcp-relay-agent enable 1-5,24
dot1x dhcp-relay-agent enabled for vlans 1-5, 24.
This example shows how to disable authentication for the DHCP Relay Agent on VLAN 1:
Console> (enable) set dot1x dhcp-relay-agent disable 1
dotx dhcp-relay-agent disable for vlan 1
This example shows how to create a new VLAN group in the system:
Console> (enable) set dot1x vlan-group engg-dept 3
Vlan group engg-dept is successfully configured and mapped to vlan 3.
This example shows how to map another VLAN to an existing VLAN group name:
Console> (enable) set dot1x vlan-group engg-dept 4
Vlan 4 is successfully mapped to vlan group engg-dept.
This example shows how to globally enable RADIUS accounting and tracking:
Console> (enable) set dot1x radius-accounting enable
dot1x radius-accounting enabled.
This example shows how to globally enable the RADIUS VLAN assignment feature:
Console> (enable) set dot1x radius-vlan-assignment enable
dot1x radius-vlan-assignment enabled.
This example shows how to globally enable the RADIUS keepalive state feature:
Console> (enable) set dot1x radius-keepalive enable
dot1x radius-keepalive state enabled.
Related Commands
clear dot1x config
clear dot1x vlan-group
set port dot1x
set radius deadtime
show dot1x
show port dot1x
set enablepass
To change the password for the privileged level of the CLI, use the set enablepass command.
set enablepass
Syntax Description
This command has no arguments or keywords.
Defaults
The default configuration has no enable password configured.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Passwords are case sensitive and may be 0 to 19 characters in length, including spaces.
The command prompts you for the old password. If the password you enter is valid, you are prompted to enter a new password and to verify the new password.
Examples
This example shows how to establish a new password:
Console> (enable) set enablepass
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Related Commands
enable
set password
set eou
To globally enable or disable Extensible Authentication Protocol over User Datagram Protocol (EoU), use the set eou command.
set eou {enable | disable}
Syntax Description
enable | Enables EoU globally.
disable | Disables EoU globally.
Defaults
Global EoU is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to enable LAN port IP (LPIP) on the switch:
Console> (enable) set eou enable
EoU LPIP Enabled globally
Related Commands
clear eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou allow clientless
To enable or disable bypassing of the LAN port IP (LPIP) posture validation for a clientless host, use the set eou allow clientless command.
set eou allow clientless {enable | disable}
Syntax Description
enable | Allows clientless hosts.
disable | Does not allow clientless hosts.
Defaults
The clientless mechanism is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to enable bypassing of the LPIP posture validation for a clientless host:
Console> (enable) set eou allow clientless enable
EoU Clientless hosts will be allowed
Related Commands
clear eou
set eou
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou authorize
To statically authorize a device by IP address or by MAC address and to apply an associated policy to the device, use the set eou authorize command.
set eou authorize ip ip_addr [ip_mask] policy policy_name
set eou authorize mac-address mac_addr [mac_mask] policy policy_name
Syntax Description
ip ip_addr | Sets an IP address-based exception list.
ip_mask | (Optional) IP mask.
policy policy_name | Specifies a policy name.
mac-address mac_addr | Sets a MAC address-based exception list.
mac_mask | (Optional) MAC address mask.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set eou authorize command allows a device with a specific IP address or MAC address to be treated as an exception host. When that host is detected, the switch dynamically installs the specified policy.
If the policy template does not exist when you enter this command, it is created.
For other configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to statically authorize a device with a specific IP address and to apply an associated policy to the device:
Console> (enable) set eou authorize ip 172.20.52.19 255.255.255.224 policy poll
Mapped IP address 172.20.52.0 IP mask 255.255.255.224 to policy name poll
This example shows how to statically authorize a device using the device MAC address and apply an associated policy to the device:
Console> (enable) set eou authorize mac-address 03-56-B7-45-65-56 policy poll
Mapped MAC 03-56-b7-45-65-56 to policy name poll.
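The two example outputs above show the switch storing the masked address rather than the address typed (172.20.52.19 with mask 255.255.255.224 becomes 172.20.52.0). The following is an added example, not code from the Cisco documentation or from CatOS, that models the exception list those commands build: each entry is a masked IP or MAC prefix tied to a policy name, and a host is matched by masking its address the same way. The hosts, the "quarantine" and "printers" policy names, the default all-ones MAC mask and the most-specific-match rule for overlapping entries are assumptions made for the illustration; the command reference does not state how the switch orders overlapping entries. The overlap check is the kind of audit a defender wants before adding a broad exception, since a wide mask silently bypasses posture validation for every host it covers.

```python
"""Exception-list matching for static EoU authorization (constructed example).

Models what `set eou authorize ip ... policy ...` and
`set eou authorize mac-address ... policy ...` store: a masked IP or MAC
prefix mapped to a policy name. Hosts and extra policy names below are
constructed sample values, not taken from a real switch.
"""
import ipaddress
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExceptionEntry:
    kind: str      # "ip" or "mac"
    value: int     # address as an integer (32 bits for IP, 48 for MAC)
    mask: int      # 1 bits select the address bits that must match
    policy: str    # policy template applied when a host matches

    @property
    def prefix(self) -> int:
        # Keep only the masked bits, so 172.20.52.19/255.255.255.224 and
        # 172.20.52.0/255.255.255.224 describe the same entry.
        return self.value & self.mask

    def matches(self, kind: str, addr: int) -> bool:
        return kind == self.kind and (addr & self.mask) == self.prefix

    def display(self) -> str:
        """Render the entry the way the switch echoes it back."""
        if self.kind == "ip":
            return (f"Mapped IP address {ipaddress.IPv4Address(self.prefix)} "
                    f"IP mask {ipaddress.IPv4Address(self.mask)} "
                    f"to policy name {self.policy}")
        mac = f"{self.prefix:012x}"
        dashed = "-".join(mac[i:i + 2] for i in range(0, 12, 2))
        return f"Mapped MAC {dashed} to policy name {self.policy}."


def parse_ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_mac(text: str) -> int:
    # Accept 03-56-B7-45-65-56 (CatOS style), 03:56:b7:45:65:56 and 0356.b745.6556.
    hexdigits = "".join(c for c in text if c in string.hexdigits)
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(hexdigits, 16)


def ip_entry(ip_addr: str, policy: str, ip_mask: str = "255.255.255.255") -> ExceptionEntry:
    # Omitting ip_mask is taken to mean a single host (assumption).
    return ExceptionEntry("ip", parse_ip(ip_addr), parse_ip(ip_mask), policy)


def mac_entry(mac_addr: str, policy: str, mac_mask: str = "ff-ff-ff-ff-ff-ff") -> ExceptionEntry:
    # Omitting mac_mask is taken to mean a single station (assumption).
    return ExceptionEntry("mac", parse_mac(mac_addr), parse_mac(mac_mask), policy)


def lookup(entries: List[ExceptionEntry], kind: str, addr_text: str) -> Optional[str]:
    """Policy applied to a detected host, or None if it is not an exception host."""
    addr = parse_ip(addr_text) if kind == "ip" else parse_mac(addr_text)
    hits = [e for e in entries if e.matches(kind, addr)]
    if not hits:
        return None
    # Assumption: the most specific entry (most mask bits set) wins.
    return max(hits, key=lambda e: bin(e.mask).count("1")).policy


def overlapping(entries: List[ExceptionEntry]) -> List[Tuple[ExceptionEntry, ExceptionEntry]]:
    """Pairs of same-kind entries with different policies whose ranges intersect.

    Two masked ranges intersect exactly when they agree on every bit that
    both masks care about, so only the common mask bits are compared."""
    out = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.kind != b.kind or a.policy == b.policy:
                continue
            common = a.mask & b.mask
            if (a.value & common) == (b.value & common):
                out.append((a, b))
    return out


if __name__ == "__main__":
    table = [
        ip_entry("172.20.52.19", "poll", "255.255.255.224"),   # values from the page
        mac_entry("03-56-B7-45-65-56", "poll"),                 # value from the page
        ip_entry("172.20.52.0", "quarantine", "255.255.255.0"),  # constructed, broader
    ]
    for entry in table:
        print(entry.display())
    print(lookup(table, "ip", "172.20.52.30"))   # inside the /27 -> poll
    print(lookup(table, "ip", "172.20.52.40"))   # only the /24 -> quarantine
    for a, b in overlapping(table):
        print("overlap:", a.display(), "<->", b.display())
```

Running the script prints the two "Mapped ..." lines in the same form as the console output above, then reports that the constructed /24 "quarantine" entry overlaps the /27 "poll" entry, which is the situation an operator should notice before committing a broad exception.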
Related Commands
clear eou
set eou
set eou allow clientless
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou initialize
To restart the state machine for a host, use the set eou initialize command.
set eou initialize {all | ip ip_addr | mac mac_addr | posture-token posture_token}
set eou initialize authentication {clientless | eap | static}
Syntax Description
all | Initializes all EoU interfaces.
ip ip_addr | Initializes the port with the specified IP address.
mac mac_addr | Initializes the port with the specified MAC address.
posture-token posture_token | Initializes all EoU ports with the specified posture token.
authentication | Initializes all EoU ports of a specific authentication type.
clientless | Initializes all clientless ports.
eap | Initializes all ports with EAP authentication.
static | Initializes all hosts in an exception list.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to restart a host's state machine using the IP address:
Console> (enable) set eou initialize ip 172.20.52.19
Initializing Eou for ipAddress 172.20.52.19
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou logging
To enable or disable EoU logging for LAN port IP events, use the set eou logging command.
set eou logging {enable | disable}
Syntax Description
enable | Enables logging.
disable | Disables logging.
Defaults
Logging is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable logging:
Console> (enable) set eou logging enable
Logging enabled for LPIP events.
Console> (enable)
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou max-retry
To specify the number of times a packet is retransmitted to the Cisco Trust Agent (CTA) before declaring the CTA nonresponsive, use the set eou max-retry command.
set eou max-retry max_retries
Syntax Description
max_retries | Maximum number of reattempts; valid values are from 1 to 10.
Defaults
Packets are retransmitted 3 times.
Command Types
Switch command.
Command Modes
Privileged.