Catalyst 6500 Series Command Reference, 8.6
set default portstatus to set logging timestamp

Table Of Contents

set crypto key rsa

set default portstatus

set dhcp-snooping

set diagnostic bootup level

set diagnostic diagfail-action

set diagnostic event-log size

set diagnostic monitor

set diagnostic ondemand

set diagnostic schedule

set dot1q-all-tagged

set dot1x

set enablepass

set eou

set eou allow clientless

set eou authorize

set eou initialize

set eou logging

set eou max-retry

set eou radius-accounting

set eou rate-limit

set eou revalidate

set eou timeout

set errdisable-timeout

set errordetection

set ethernet-cfm

set ethernet-cfm continuity-check

set ethernet-cfm continuity-check level

set ethernet-cfm domain

set ethernet-cfm vlan

set fan-tray-version

set feature agg-link-partner

set feature mdg

set firewall

set ftp

set garp timer

set gmrp

set gmrp fwdall

set gmrp registration

set gmrp timer

set gvrp

set gvrp applicant

set gvrp dynamic-vlan-creation

set gvrp registration

set gvrp timer

set igmp

set igmp fastblock

set igmp fastleave

set igmp flooding

set igmp leave-query-type

set igmp mode

set igmp querier

set igmp v3-processing

set image-verification

set inlinepower

set interface

set ip alias

set ip device-tracking

set ip dns

set ip dns domain

set ip dns server

set ip fragmentation

set ip http port

set ip http server

set ip permit

set ip redirect

set ip route

set ip telnet server

set ip unreachable

set kerberos clients mandatory

set kerberos credentials forward

set kerberos local-realm

set kerberos realm

set kerberos server

set kerberos srvtab entry

set kerberos srvtab remote

set key config-key

set l2protocol-tunnel cos

set l2protocol-tunnel trunk

set lacp-channel system-priority

set lcperroraction

set lda

set length

set localuser

set logging buffer

set logging callhome

set logging callhome destination

set logging callhome from

set logging callhome reply-to

set logging callhome severity

set logging callhome smtp-server

set logging console

set logging history

set logging level

set logging server

set logging session

set logging telnet

set logging timestamp

set logout

set mac-auth-bypass

set macro



set crypto key rsa

To generate and configure an RSA key pair, use the set crypto key rsa command.

set crypto key rsa nbits [force]

Syntax Description

nbits

Size of the key; valid values are 512 to 2048 bits.

force

(Optional) Regenerates the keys and suppresses the warning prompt about overwriting existing keys.


Defaults

The command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The crypto commands are supported on systems that run these image types only:

supk9 image—for example, cat6000-supk9.6-1-3.bin

supcvk9 image—for example, cat6000-supcvk9.6-1-3.bin

If you do not enter the force keyword, the set crypto key command is saved into the configuration file and you will have to use the clear config all command to clear the RSA keys.
The nbits value is required.
To support SSH login, you first must generate an RSA key pair.

Examples

This example shows how to create an RSA key:

Console> (enable) set crypto key rsa 1024
Generating RSA keys.... [OK]
Console> (enable)

Related Commands

clear crypto key rsa
show crypto key

set default portstatus

To set the default port status, use the set default portstatus command.

set default portstatus {enable | disable}

Syntax Description

enable

Activates default port status.

disable

Deactivates default port status.


Defaults

The default is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you enter the clear config all command, or if a configuration loss occurs, all ports collapse into VLAN 1. This situation might cause a security and network instability problem. During a configuration loss, when you enter the set default portstatus command, all ports are put into a disable state, and the traffic flowing through the ports is blocked. You can then manually configure the ports back to the enable state.

This command is not saved in the configuration file.

After you set the default port status, the default port status does not clear when you enter the clear config all command.

Examples

This example shows how to disable the default port status:

Console> (enable) set default portstatus disable
 port status set to disable.
Console> (enable) 

Related Commands

show default

set dhcp-snooping

To enable DHCP snooping information-option host tracking or the MAC address matching feature, use the set dhcp-snooping command.

set dhcp-snooping information-option host-tracking {enable | disable}

set dhcp-snooping match-mac {enable | disable}

set dhcp-snooping bindings-database auto-save interval

set dhcp-snooping bindings-database device:[filename]

Syntax Description

information-option

Specifies the DHCP information option feature.

host-tracking

Specifies host tracking.

enable

Enables the DHCP snooping feature.

disable

Disables the DHCP snooping feature.

match-mac

Specifies the DHCP snooping MAC address matching feature.

bindings-database

Configures storage of the DHCP snooping bindings database.

auto-save

Specifies the bindings database automatic save interval.

interval

Time interval in minutes; valid values are from 0 to 35000.

device:[filename]

Flash device where the bindings are saved and optionally, the file name that contains the bindings.


Defaults

Host tracking is disabled.

MAC address matching is enabled.

The interval is 0, which means that the auto-save feature is disabled.

The flash device is bootflash and the default filename is "dhcp-snooping-bindings-database."

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The set dhcp-snooping information-option host-tracking {enable | disable} command enables or disables host tracking. Enabling host tracking causes the DHCP snooping process to insert the relay information agent option (option 82) with remote ID and circuit ID suboptions in all client-to-server DHCP packets on VLANs for which DHCP snooping is enabled. Enabling host tracking also activates the processing of option 82 in received server-to-client packets.

The set dhcp-snooping match-mac {enable | disable} command enables or disables the MAC address matching feature. When this option is enabled, the source MAC address in the Ethernet header is matched with the "chaddr" field in the DHCP payload for DHCP packets that come from untrusted ports. If the MAC address and "chaddr" field do not match, packets are dropped, and the counter for dropped packets on untrusted ports is incremented.

If DHCP snooping is disabled on a VLAN, the bindings for that VLAN are deleted.

The DHCP-snooping binding entries can be stored to a flash device so that the bindings can be restored immediately after the switch is reset.

To configure the auto-save interval for DHCP-snooping bindings, use the auto-save interval option. Valid ranges for the interval are 1 through 35000 minutes. Specifying a 0 disables the periodic saving of bindings on the flash device and deletes the bindings file stored in flash. Specifying a 0 does not clear a user-specified filename. The user-specified filename is cleared and returned to the default filename after you enter the clear config all command.

To specify the flash device and filename for storing the bindings, use the device:filename option. By default, the flash device is bootflash and the default filename is "dhcp-snooping-bindings-database." If you have not configured a filename, the bindings are automatically saved with the default filename on the flash device.
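
The MAC address matching check described in the guidelines above, as an added example that is not part of the Cisco reference: it parses an untagged Ethernet/IPv4/UDP DHCP frame, compares the Ethernet source MAC with the "chaddr" field, and keeps a drop counter for untrusted ports. The frame builder, the `MatchMacFilter` class and the sample MAC addresses are constructed for illustration; how the switch treats frames this parser does not recognize is not modeled.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}
BOOTP_CHADDR_OFFSET = 28  # op/htype/hlen/hops, xid, secs/flags, then four 4-byte addresses


def build_dhcp_frame(eth_src, chaddr):
    """Constructed sample: untagged Ethernet/IPv4/UDP frame carrying a DHCPDISCOVER."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, b"", b"")
    bootp += bytes.fromhex("63825363") + bytes([53, 1, 1, 255])  # cookie, DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    # IP checksum is left at 0 because this example does not validate it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_IPV4) + ip


def extract_macs(frame):
    """Return (ethernet_source, chaddr) for a DHCP frame, or None if it is not one."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if sport not in DHCP_PORTS or dport not in DHCP_PORTS:
        return None
    bootp = ip[ihl + 8:]
    if len(bootp) < BOOTP_CHADDR_OFFSET + 16:
        return None
    if bootp[1] != 1 or bootp[2] != 6:  # htype Ethernet, hlen 6
        return None
    return eth_src, bootp[BOOTP_CHADDR_OFFSET:BOOTP_CHADDR_OFFSET + 6]


class MatchMacFilter:
    """Models only the match-mac decision; other DHCP snooping checks are out of scope."""

    def __init__(self, match_mac=True):
        self.match_mac = match_mac      # default is enabled, per the Defaults section
        self.dropped_untrusted = 0      # counter for drops on untrusted ports

    def check(self, frame, port_trusted):
        macs = extract_macs(frame)
        if macs is None:
            return "not-dhcp"
        if not self.match_mac or port_trusted:
            return "pass"               # check applies to untrusted ports only
        eth_src, chaddr = macs
        if eth_src != chaddr:
            self.dropped_untrusted += 1
            return "drop"
        return "pass"


if __name__ == "__main__":
    host = bytes.fromhex("020000000001")     # constructed, locally administered MAC
    claimed = bytes.fromhex("0200000000ff")  # constructed chaddr that differs from the sender
    flt = MatchMacFilter()
    print(flt.check(build_dhcp_frame(host, host), port_trusted=False))
    print(flt.check(build_dhcp_frame(host, claimed), port_trusted=False))
    print("dropped on untrusted ports:", flt.dropped_untrusted)
```
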

Examples

This example shows how to enable DHCP snooping information-option host tracking:

Console> (enable) set dhcp-snooping information-option host-tracking enable
DHCP Snooping Information Option Enabled.
Console> (enable)

This example shows how to disable DHCP snooping MAC address matching:

Console> (enable) set dhcp-snooping match-mac disable
DHCP Snooping MAC address matching disabled.
Console> (enable)

This example shows how to enable the auto-save option for DHCP-snooping binding entries and specify an interval of 600 minutes for the periodic saving of the bindings:

Console> (enable) set dhcp-snooping bindings-database auto-save 600
DHCP Snooping auto-save interval set to 600 minutes.
Console> (enable)

This example shows how to specify the flash device and filename for storing the bindings:

Console> (enable) set dhcp-snooping bindings-database disk1:dhcp-bindings
DHCP Snooping bindings storage file set to disk1:dhcp-bindings.
Console> (enable)

Related Commands

set diagnostic bootup level

To specify the bootup generic online diagnostics level, use the set diagnostic bootup level command.

set diagnostic bootup level {bypass | complete | minimal}

Syntax Description

bypass

Skips all online diagnostic tests.

complete

Runs all online diagnostic tests.

minimal

Runs only PFC tests for the supervisor engine and loopback tests for all ports.


Defaults

The bootup level is minimal.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Although the default bootup level for generic online diagnostics is minimal, we recommend that you set the level to complete. We strongly recommend that you do not bypass diagnostics.

The bootup diagnostics level applies to the entire switch. The bootup diagnostics level cannot be configured on a per-module basis.


Note GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.


Examples

This example shows how to specify complete as the bootup diagnostics level:

Console> (enable) set diagnostic bootup level complete
Diagnostic level set to complete
Console> (enable)

Related Commands

clear diagnostic
diagnostic start
diagnostic stop
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic

set diagnostic diagfail-action

To specify the generic online diagnostics failure response for the system, use the set diagnostic diagfail-action command.

set diagnostic diagfail-action {ignore | system}

Syntax Description

ignore

Specifies that test failures are ignored and the system still boots up.

system

Specifies that the test failures trigger error recovery.


Defaults

The system keyword is the default.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines


Note GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.


Examples

This example shows how to configure the system to ignore test failures and still boot up:

Console> (enable) set diagnostic diagfail-action ignore
Diagnostic failure action set to ignore.
Console> (enable)

This example shows how to trigger an error recovery in the event of test failures:

Console> (enable) set diagnostic diagfail-action system
Diagnostic failure action set to system.
Console> (enable)

Related Commands

clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic

set diagnostic event-log size

To specify the size of event log for generic online diagnostics, use the set diagnostic event-log size command.

set diagnostic event-log size number_of_entries

Syntax Description

number_of_entries

Number of online diagnostics events in the event log; valid values are 1 to 10000.


Defaults

500 entries.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines


Note GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.


Examples

This example shows how to specify 1000 entries for the online diagnostics event log size:

Console> (enable) set diagnostic event-log size 1000
Diagnostic event-log size set to 1000
Console> (enable)

Related Commands

clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic

set diagnostic monitor

To configure generic online diagnostic health monitoring, use the set diagnostic monitor command.

set diagnostic monitor interval module mod_num test {all | test_ID_num | test_list} hh:mm:ss

set diagnostic monitor module mod_num test {all | test_ID_num | test_list}

set diagnostic monitor syslog

Syntax Description

interval module

Configures online diagnostic monitoring test intervals.

mod_num

Number of the module.

test

Specifies particular online diagnostic tests.

all

Specifies all online diagnostic tests.

test_ID_num

Number of a specific online diagnostic test.

test_list

List of online diagnostic tests.

hh:mm:ss

Time in 24-hour format.

module

Enables health-monitoring diagnostic tests.

syslog

Enables syslog generation when a test fails.


Defaults

Disruptive tests are disabled by default. Some non-disruptive tests are enabled by default. Use the show diagnostic content module command to determine which tests are disruptive (D) and non-disruptive (N) by looking at the "Attributes" column of the command output. We recommend that only the non-disruptive tests be used for health monitoring.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You can configure health-monitoring diagnostic testing on specified modules while the switch is connected to a live network. You can specify the execution interval for each health-monitoring test, whether or not to generate a system message upon test failure, or whether an individual test should be enabled or disabled.


Note GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.


Examples

This example shows how to specify that the online diagnostic health-monitoring tests (test 18) be run on module 7 at 12:12:12 and 100 milliseconds every 10 days:

Console> (enable) set diagnostic monitor interval module 7 test 18 12:12:12 100 10 
Diagnostic monitor interval set at 12:12:12 100 10 for module 7 test 18
Console> (enable) 

This example shows how to enable test 18 on module 7:

Console> (enable) set diagnostic monitor module 7 test 18

Module 7 test 18 diagnostic monitor enable.

Console> (enable)

This example shows how to enable syslog generation when a test fails:

Console> (enable) set diagnostic monitor syslog 
Diagnostic monitor syslog enable.
Console> (enable)

Related Commands

clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic ondemand
set diagnostic schedule
show diagnostic

set diagnostic ondemand

To configure on-demand generic online diagnostics, use the set diagnostic ondemand command.

set diagnostic ondemand action-on-failure {continue failure_limit | stop}

set diagnostic ondemand iterations number_of_iterations

Syntax Description

action-on-failure

Sets the action that the switch should take in the event of online diagnostic test failures.

continue failure_limit

Continues on-demand tests until the test failure limit is reached; valid values are from 0 to 65534 failures.

stop

Specifies that online diagnostic tests stop when a single failure occurs.

iterations

Specifies the number of times to repeat online diagnostic tests.

number_of_iterations

Number of times to repeat online diagnostic tests; valid values are from 1 to 999.


Defaults

The failure_limit argument is 0.

The number_of_iterations argument is 1.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

For a complete list of on-demand generic online diagnostic tests for supervisor engines, fabric-enabled modules, and non-fabric-enabled modules, see the "Configuring GOLD" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.


Note GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.


Examples

This example shows how to specify that the online diagnostics stop running after experiencing 100 failures:

Console> (enable) set diagnostic ondemand action-on-failure continue 100
Diagnostic ondemand action-on-failure set to continue 100
Console> (enable) 

This example shows how to specify that the online diagnostics run 50 times:

Console> (enable) set diagnostic ondemand iterations 50
Diagnostic ondemand iterations set to 50
Console> (enable)

Related Commands

clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic schedule
show diagnostic

set diagnostic schedule

To schedule generic online diagnostics, use the set diagnostic schedule command.

set diagnostic schedule module mod_num test {all | test_ID_num | test_list} {port {port_num | port_range | all} | daily hh:mm | on month days_of_month range_of_years hh:mm | weekly day hh:mm}

Syntax Description

module mod_num

Specifies the module for which to schedule online diagnostics.

test

Specifies particular online diagnostic tests.

all

Specifies all online diagnostic tests.

test_ID_num

Number of a specific online diagnostic test.

test_list

List of online diagnostic tests.

port

Specifies the port on which the online diagnostic tests are run.

port_num

Number of the port.

port_range

Range of ports.

all

Specifies all ports on the module.

daily

Specifies a daily schedule.

hh:mm

Hour and minute.

on

Specifies an absolute schedule.

month

Specifies the month.

days_of_month

Days of the month; valid values are from 1 to 31.

range_of_years

Range of years; valid values are from 1993 to 2035.

weekly

Specifies a weekly schedule.

day

Specifies a day of the week.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a specific module. You can specify that all tests be run or that individual tests be run. The tests can be scheduled to run only once or be repeated at specified intervals.


Note GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.


Examples

This example shows how to schedule diagnostic testing (tests 1 and 2 specified) to occur on a specific date and time for a specific module:

Console> (enable) set diagnostic schedule module 7 test 1 daily 12:12
Diagnostic schedule set at daily 12:12 for module 7 test 1
Console> (enable)

This example shows how to schedule diagnostic testing (test 1 specified) to occur daily at a certain time for a specific port and module:

Console> (enable) set diagnostic schedule module 7 test 3 port 1 daily 16:16
Diagnostic schedule set at daily 16:16 for module 7 test 3
Console> (enable)

Related Commands

clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
show diagnostic

set dot1q-all-tagged

To change all existing and new dot1q trunks to the dot1q-only mode, use the set dot1q-all-tagged command.

set dot1q-all-tagged {enable | disable}

Syntax Description

enable

Enables dot1q-tagged-only mode.

disable

Disables dot1q-tagged-only mode.


Defaults

The 802.1Q tagging feature is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you enable dot1q-tagged-only, all data packets are sent out tagged and all received untagged data packets are dropped on all 802.1Q trunks.

You cannot enable the dot1q tunneling feature on a port until dot1q-tagged-only mode is enabled.

You cannot disable dot1q-tagged-only mode on the switch until dot1q tunneling is disabled on all the ports on the switch.

The optional all keyword is not supported.


Note Policy-based forwarding (PBF) does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic, but it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.


If you enable dot1q-tagged globally, the dot1q-tagged per-port setting controls whether or not frames are tagged. If you disable dot1q-tagged globally, the default group is never tagged and the per-port setting has no effect.

Examples

This example shows how to enable dot1q tagging:

Console> (enable) set dot1q-all-tagged enable
Dot1q tagging is enabled
Console> (enable)

Related Commands

set port dot1qtunnel
show dot1q-all-tagged

set dot1x

To configure 802.1X on a system, use the set dot1x command.

set dot1x system-auth-control {enable | disable}

set dot1x {quiet-period | tx-period | re-authperiod} seconds

set dot1x {supp-timeout | server-timeout} seconds

set dot1x max-req count

set dot1x shutdown-timeout seconds

set dot1x vlan-group vlan_group_name vlan

set dot1x radius-accounting {enable | disable}

set dot1x radius-vlan-assignment {enable | disable}

set dot1x radius-keepalive {enable | disable}

Syntax Description

system-auth-control

Specifies authentication for the system.

enable

Enables the specified 802.1X function.

disable

Disables the specified 802.1X function.

quiet-period seconds

Specifies the idle time between authentication attempts; valid values are from 0 to 65535 seconds.

tx-period seconds

Specifies the time for the retransmission of EAP-Request/Identity frame; valid values are from 0 to 65535 seconds. See the "Usage Guidelines" section for additional information.

re-authperiod seconds

Specifies the time constant for the retransmission reauthentication time; valid values are from 1 to 65535 seconds.

supp-timeout seconds

Specifies the time constant for the retransmission of EAP-Request packets; valid values are from 0 to 65535 seconds. See the "Usage Guidelines" section for additional information.

server-timeout seconds

Specifies the time constant for the retransmission of packets by the backend authenticator to the authentication server; valid values are from 1 to 65535 seconds. See the "Usage Guidelines" section for additional information.

max-req count

Specifies the maximum number of times that the state machine retransmits an EAP-Request frame to the supplicant before it times out the authentication session; valid values are from 1 to 10.

shutdown-timeout seconds

Specifies the amount of time that a port is shut down after a security violation; valid values are from 1 to 65535 seconds. See the "Usage Guidelines" section for additional information.

vlan-group

Specifies the VLAN group name.

vlan_group_name

Name of the VLAN group.

vlan

VLAN number; valid values are from 1 to 4094.

radius-accounting

Specifies 802.1X RADIUS accounting and tracking.

radius-vlan-assignment

Specifies 802.1X RADIUS VLAN assignment.

radius-keepalive

Specifies 802.1X RADIUS keepalive state.


Defaults

The default settings are as follows:

system-auth-control is enabled.

quiet-period is 60 seconds.

tx-period is 30 seconds.

re-authperiod is 3600 seconds.

supp-timeout is 30 seconds.

server-timeout is 30 seconds.

max-req count is 2.

shutdown-timeout is 300 seconds.

radius-accounting is disabled.

radius-vlan-assignment is disabled.

radius-keepalive is enabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

When you set the system-auth-control, the following applies:

The enable keyword allows you to control each port's authorization status per the port-control parameter set using the set port dot1x command.

The disable keyword allows you to make all ports behave as though the port-control parameter is set to force-authorized.

If you do not enable reauthentication, reauthentication does not automatically occur after authentication has occurred.

Private VLANs and 802.1X configurations are mutually exclusive of one another.

When the supplicant does not notify the authenticator that it received the EAP-request/identity packet, the authenticator waits a period of time (set by entering the tx-period seconds parameter), and then retransmits the packet.

When the supplicant does not notify the backend authenticator that it received the EAP-request packet, the backend authenticator waits a period of time (set by entering the supp-timeout seconds parameter), and then retransmits the packet.

When the authentication server does not notify the backend authenticator that it received specific packets, the backend authenticator waits a period of time (set by entering the server-timeout seconds parameter), and then retransmits the packets.

When you enter the set dot1x dhcp-relay-agent command, you can enter more than one VLAN.

To activate the shutdown-timeout timer on a port, enter the set port dot1x mod/port shutdown-timeout command.

To configure the 802.1X user distribution feature, follow these guidelines:

Ensure that at least one VLAN is mapped to the VLAN group.

You can map more than one VLAN to a VLAN group.

The VLAN group can be modified by adding or deleting a VLAN.

When an existing VLAN is cleared from the VLAN group name, none of the ports authenticated in the VLAN are cleared, but the mappings are removed from the existing VLAN group.

If you clear the last VLAN from the VLAN group name, the VLAN group is deleted.

You can clear a VLAN group, even when active VLANs are mapped to the group. When a VLAN group is cleared, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared.

If you enter the set dot1x radius-vlan-assignment disable command, the VLAN information that is sent from the RADIUS server is ignored, and the port stays in the NVRAM-configured VLAN. This command is used to enable or disable the VLAN assignment feature globally. When the command is enabled, the switch uses the tunnel attributes to extract the VLAN name in the RADIUS Access-Accept message. The command is enabled by default.

To check whether or not configured RADIUS servers are alive, the switch can send out a dummy username for authentication. In reply to the dummy username, the RADIUS servers send an access rejection. To turn off authentication attempts that test the RADIUS servers, enter the set dot1x radius-keepalive disable command. If you disable this feature, the switch does not check the status of the servers, and the RADIUS server logs do not fill with dummy attempts.


Note In software releases 7.5 through 8.2, the command to enable or disable the RADIUS keepalive feature is set feature dot1x-radius-keepalive. In software release 8.3 and later releases, the command is set dot1x radius-keepalive.
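
An added example, not part of the Cisco reference: a small audit that overlays the global set dot1x lines of a saved configuration on the defaults listed above, rejects values outside the documented ranges, and reports when system-auth-control is disabled. The sample configuration is constructed, and treating a saved configuration as one set command per line is an assumption.

```python
import re

# Defaults and valid ranges copied from the Defaults and Syntax Description lists above.
DEFAULTS = {
    "system-auth-control": "enable", "quiet-period": 60, "tx-period": 30,
    "re-authperiod": 3600, "supp-timeout": 30, "server-timeout": 30,
    "max-req": 2, "shutdown-timeout": 300, "radius-accounting": "disable",
    "radius-vlan-assignment": "disable", "radius-keepalive": "enable",
}
RANGES = {
    "quiet-period": (0, 65535), "tx-period": (0, 65535),
    "re-authperiod": (1, 65535), "supp-timeout": (0, 65535),
    "server-timeout": (1, 65535), "max-req": (1, 10),
    "shutdown-timeout": (1, 65535),
}
TOGGLES = {"system-auth-control", "radius-accounting",
           "radius-vlan-assignment", "radius-keepalive"}
LINE_RE = re.compile(r"^set dot1x (\S+) (\S+)$")

# Constructed sample input; line 1 is a comment, line 6 is a vlan-group mapping.
SAMPLE_CONFIG = """\
#dot1x
set dot1x system-auth-control disable
set dot1x quiet-period 45
set dot1x max-req 20
set dot1x re-authperiod 0
set dot1x vlan-group engg-dept 3
set dot1x radius-keepalive disable
"""


def audit_dot1x(config_text):
    """Return (effective_settings, findings); findings are (line_number, message)."""
    effective = dict(DEFAULTS)
    set_at = {}
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        match = LINE_RE.match(" ".join(raw.split()))
        if not match:
            continue  # comments, vlan-group mappings and non-dot1x lines are skipped
        key, value = match.groups()
        if key in TOGGLES:
            if value not in ("enable", "disable"):
                findings.append((lineno, f"{key} {value}: expects enable or disable"))
                continue
            effective[key] = value
        elif key in RANGES:
            low, high = RANGES[key]
            if not re.fullmatch(r"[0-9]+", value) or not low <= int(value) <= high:
                findings.append((lineno, f"{key} {value}: outside valid range {low}-{high}"))
                continue  # the audit keeps the previous value for a rejected line
            effective[key] = int(value)
        else:
            continue  # keyword not covered by this audit
        set_at[key] = lineno
    if effective["system-auth-control"] == "disable":
        findings.append((set_at["system-auth-control"],
                         "system-auth-control disable: all ports behave as though "
                         "port-control is force-authorized"))
    return effective, findings


if __name__ == "__main__":
    settings, problems = audit_dot1x(SAMPLE_CONFIG)
    for line_number, message in problems:
        print(f"line {line_number}: {message}")
    print(settings)
```
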


Examples

This example shows how to set the system authentication control:

Console> (enable) set dot1x system-auth-control enable
dot1x authorization enabled.
Console> (enable) 

This example shows how to set the idle time between authentication attempts:

Console> (enable) set dot1x quiet-period 45
dot1x quiet-period set to 45 seconds.
Console> (enable)

This example shows how to set the retransmission time:

Console> (enable) set dot1x tx-period 15
dot1x tx-period set to 15 seconds.
Console> (enable)

This example shows you how to specify the reauthentication time:

Console> (enable) set dot1x re-authperiod 7200
dot1x re-authperiod set to 7200 seconds
Console> (enable)

This example shows you how to specify the retransmission of EAP-Request packets by the authenticator to the supplicant:

Console> (enable) set dot1x supp-timeout 15
dot1x supp-timeout set to 15 seconds.
Console> (enable) 

This example shows how to specify the retransmission of packets by the backend authenticator to the authentication server:

Console> (enable) set dot1x server-timeout 15
dot1x server-timeout set to 15 seconds.
Console> (enable) 

This example shows how to specify the maximum number of packet retransmissions:

Console> (enable) set dot1x max-req 5
dot1x max-req set to 5.
Console> (enable)

This example shows how to enable authentication for the DHCP Relay Agent on VLANs 1 through 5 and 24:

Console> (enable) set dot1x dhcp-relay-agent enable 1-5,24
dot1x dhcp-relay-agent enabled for vlans 1-5, 24.
Console> (enable)

This example shows how to disable authentication for the DHCP Relay Agent on VLAN 1:

Console> (enable) set dot1x dhcp-relay-agent disable 1
dotx dhcp-relay-agent disable for vlan 1
Console> (enable)

This example shows how to create a new VLAN group in the system:

Console> (enable) set dot1x vlan-group engg-dept 3
Vlan group engg-dept is successfully configured and mapped to vlan 3.
Console> (enable)

This example shows how to map another VLAN to an existing VLAN group name:

Console> (enable) set dot1x vlan-group engg-dept 4
Vlan 4 is successfully mapped to vlan group engg-group.
Console> (enable)

This example shows how to globally enable RADIUS accounting and tracking:

Console> (enable) set dot1x radius-accounting enable
dot1x radius-accounting enabled.
Console> (enable)

This example shows how to globally enable the RADIUS VLAN assignment feature:

Console> (enable) set dot1x radius-vlan-assignment enable
dot1x radius-vlan-assignment enabled.
Console> (enable)

This example shows how to globally enable the RADIUS keepalive state feature:

Console> (enable) set dot1x radius-keepalive enable
dot1x radius-keepalive state enabled.
Console> (enable)

Related Commands

clear dot1x config
clear dot1x vlan-group
set port dot1x
set radius deadtime
show dot1x
show port dot1x

set enablepass

To change the password for the privileged level of the CLI, use the set enablepass command.

set enablepass

Syntax Description

This command has no arguments or keywords.

Defaults

The default configuration has no enable password configured.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Passwords are case sensitive and may be 0 to 19 characters in length, including spaces.

The command prompts you for the old password. If the password you enter is valid, you are prompted to enter a new password and to verify the new password.

Examples

This example shows how to establish a new password:

Console> (enable) set enablepass
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Password changed.
Console> (enable)

Related Commands

enable
set password

set eou

To globally enable or disable Extensible Authentication Protocol over User Datagram Protocol (EoU), use the set eou command.

set eou {enable | disable}

Syntax Description

enable

Enables EoU globally.

disable

Disables EoU globally.


Defaults

Global EoU is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.

Examples

This example shows how to enable LAN port IP (LPIP) on the switch:

Console> (enable) set eou enable
EoU LPIP Enabled globally
Console> (enable)

Related Commands

clear eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou

set eou allow clientless

To enable or disable bypassing of the LAN port IP (LPIP) posture validation for a clientless host, use the set eou allow clientless command.

set eou allow clientless {enable | disable}

Syntax Description

enable

Allows clientless hosts.

disable

Does not allow clientless hosts.


Defaults

The clientless mechanism is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.

Examples

This example shows how to enable bypassing of the LPIP posture validation for a clientless host:

Console> (enable) set eou allow clientless enable
EoU Clientless hosts will be allowed
Console> (enable)

Related Commands

clear eou
set eou
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou

set eou authorize

To statically authorize a device by IP address or by MAC address and to apply an associated policy to the device, use the set eou authorize command.

set eou authorize ip ip_addr [ip_mask] policy policy_name

set eou authorize mac-address mac_addr [mac_mask] policy policy_name

Syntax Description

ip ip_addr

Sets an IP address-based exception list.

ip_mask

(Optional) IP mask.

policy policy_name

Specifies a policy name.

mac-address mac_addr

Sets a MAC address-based exception list.

mac_mask

(Optional) MAC address mask.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The set eou authorize command allows a device with a specific IP address or MAC address to be treated as an exception host. When that host is detected, the specified policy is dynamically installed.

If the policy template does not exist when you enter this command, the policy template is created.

For other configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.

Examples

This example shows how to statically authorize a device with a specific IP address and to apply an associated policy to the device:

Console> (enable) set eou authorize ip 172.20.52.19 255.255.255.224 policy poll 
Mapped IP address 172.20.52.0 IP mask 255.255.255.224 to policy name poll
Console> (enable)

This example shows how to statically authorize a device using the device MAC address and apply an associated policy to the device:

Console> (enable) set eou authorize mac-address 03-56-B7-45-65-56 policy poll
Mapped MAC 03-56-b7-45-65-56 to policy name poll.
Console> (enable)
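
In the first example above, host 172.20.52.19 with mask 255.255.255.224 is mapped to 172.20.52.0, so the exception covers every address under that mask rather than one device. The following Python audit is an added example, not part of the Cisco reference: it assumes the configuration is available as text in the command syntax shown on this page and that an omitted ip_mask means a single host; the name audit_eou and the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample configuration lines (not captured from a real switch).
SAMPLE_CONFIG = """\
set eou enable
set eou allow clientless enable
set eou authorize ip 172.20.52.19 255.255.255.224 policy poll
set eou authorize ip 10.1.1.7 policy printers
set eou authorize mac-address 03-56-B7-45-65-56 policy poll
"""

AUTH_IP = re.compile(
    r"^set eou authorize ip (\S+)(?: (\d+\.\d+\.\d+\.\d+))? policy (\S+)$")
AUTH_MAC = re.compile(
    r"^set eou authorize mac-address (\S+)(?: ([0-9A-Fa-f-]+))? policy (\S+)$")


def audit_eou(config):
    """Return (severity, message) findings for EoU posture-validation gaps."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "set eou allow clientless enable" in lines:
        findings.append(("review", "clientless hosts bypass LPIP posture validation"))
    # Per the reference, EoU logging is disabled unless explicitly enabled.
    if "set eou logging enable" not in lines:
        findings.append(("review", "EoU logging for LPIP events is not enabled"))
    for line in lines:
        if m := AUTH_IP.match(line):
            addr, mask, policy = m.groups()
            # Assumption: an omitted ip_mask authorizes a single host.
            net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}",
                                       strict=False)
            sev = "review" if net.num_addresses > 1 else "info"
            findings.append((sev, f"ip exception {net.network_address} mask "
                                  f"{net.netmask} covers {net.num_addresses} "
                                  f"address(es), policy {policy}"))
        elif m := AUTH_MAC.match(line):
            mac, mask, policy = m.groups()
            # Assumption: MAC masks are reported as written, not expanded.
            sev = "review" if mask else "info"
            findings.append((sev, f"mac exception {mac.lower()} "
                                  f"mask {mask or 'none'}, policy {policy}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_eou(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```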

Related Commands

clear eou
set eou
set eou allow clientless
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou

set eou initialize

To restart the state machine for a host, use the set eou initialize command.

set eou initialize {all | ip ip_addr | mac mac_addr | posture-token posture_token}

set eou initialize authentication {clientless | eap | static}

Syntax Description

all

Initializes all EoU interfaces.

ip ip_addr

Initializes port with the specified IP address.

mac mac_addr

Initializes port with the specified MAC address.

posture-token posture_token

Initializes all EoU ports with the specified posture token.

authentication

Initializes all EoU ports of a specific authentication type.

clientless

Initializes all clientless ports.

eap

Initializes all ports with EAP authentication.

static

Initializes all hosts in an exception list.


Defaults

This command has no default settings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.

Examples

This example shows how to restart a host's state machine using the IP address:

Console> (enable) set eou initialize ip 172.20.52.19
Initializing Eou for ipAddress 172.20.52.19
Console> (enable) 

Related Commands

clear eou
set eou
set eou allow clientless
set eou authorize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou

set eou logging

To enable or disable EoU logging for LAN port IP events, use the set eou logging command.

set eou logging {enable | disable}

Syntax Description

enable

Enables logging.

disable

Disables logging.


Defaults

Logging is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Examples

This example shows how to enable logging:

Console> (enable) set eou logging enable
Logging enabled for LPIP events.

Console> (enable)

Related Commands

clear eou
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou

set eou max-retry

To specify the number of times a packet is retransmitted to the Cisco Trust Agent (CTA) before declaring the CTA nonresponsive, use the set eou max-retry command.

set eou max-retry max_retries

Syntax Description

max_retries

Maximum number of reattempts; valid values are from 1 to 10.


Defaults

Packets are retransmitted 3 times.

Command Types

Switch command.

Command Modes

Privileged.