Table Of Contents
set crypto key rsa
set default portstatus
set dhcp-snooping
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
set dot1q-all-tagged
set dot1x
set enablepass
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set errdisable-timeout
set errordetection
set ethernet-cfm
set ethernet-cfm ais
set ethernet-cfm ais level
set ethernet-cfm ais tx-count
set ethernet-cfm continuity-check
set ethernet-cfm continuity-check level
set ethernet-cfm continuity-check level ais
set ethernet-cfm domain
set ethernet-cfm earl-match-reg
set ethernet-cfm maintenance-association
set ethernet-cfm port-mac-enable
set ethernet-cfm traceroute-database
set ethernet-evc
set ethernet-lmi
set fan-tray-version
set feature agg-link-partner
set feature mdg
set firewall
set ftp
set garp timer
set gmrp
set gmrp fwdall
set gmrp registration
set gmrp timer
set gvrp
set gvrp applicant
set gvrp dynamic-vlan-creation
set gvrp registration
set gvrp timer
set igmp
set igmp fastblock
set igmp fastleave
set igmp flooding
set igmp leave-query-type
set igmp mode
set igmp querier
set igmp v3-processing
set image-verification
set inlinepower
set interface
set ip alias
set ip device-tracking
set ip dns
set ip dns domain
set ip dns server
set ip fragmentation
set ip http port
set ip http server
set ip permit
set ip redirect
set ip route
set ip telnet server
set ip unreachable
set kerberos clients mandatory
set kerberos credentials forward
set kerberos local-realm
set kerberos realm
set kerberos server
set kerberos srvtab entry
set kerberos srvtab remote
set key config-key
set l2protocol-tunnel cos
set l2protocol-tunnel trunk
set lacp-channel system-priority
set lcperroraction
set lda
set length
set localuser
set logging buffer
set logging callhome
set logging callhome destination
set logging callhome from
set logging callhome reply-to
set logging callhome severity
set logging callhome smtp-server
set logging console
set logging history
set logging level
set logging server
set logging session
set logging telnet
set logging timestamp
set logout
set mac-auth-bypass
set macro
set crypto key rsa
To generate and configure an RSA key pair, use the set crypto key rsa command.
set crypto key rsa nbits [force]
Syntax Description
nbits | Size of the key; valid values are 512 to 2048 bits.
force | (Optional) Regenerates the keys and suppresses the warning prompt about overwriting existing keys.
Defaults
The command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The crypto commands are supported on systems that run these image types only:
• supk9 image—for example, cat6000-supk9.6-1-3.bin
• supcvk9 image—for example, cat6000-supcvk9.6-1-3.bin
If you do not enter the force keyword, the set crypto key command is saved into the configuration file and you will have to use the clear config all command to clear the RSA keys.
The nbits value is required.
To support SSH login, you first must generate an RSA key pair.
Examples
This example shows how to create an RSA key:
Console> (enable) set crypto key rsa 1024
Generating RSA keys.... [OK]
Related Commands
clear crypto key rsa
show crypto key
set default portstatus
To set the default port status, use the set default portstatus command.
set default portstatus {enable | disable}
Syntax Description
enable | Activates default port status.
disable | Deactivates default port status.
Defaults
The default is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enter the clear config all command, or if a configuration loss occurs, all ports collapse into VLAN 1. This situation might cause a security and network instability problem. During a configuration loss, when you enter the set default portstatus command, all ports are put into a disable state, and the traffic flowing through the ports is blocked. You can then manually configure the ports back to the enable state.
This command is not saved in the configuration file.
After you set the default port status, the default port status does not clear when you enter the clear config all command.
Examples
This example shows how to disable the default port status:
Console> (enable) set default portstatus disable
port status set to disable.
Related Commands
show default
set dhcp-snooping
To enable DHCP snooping information-option host tracking or the MAC address matching feature, use the set dhcp-snooping command.
set dhcp-snooping information-option host-tracking {enable | disable}
set dhcp-snooping match-mac {enable | disable}
set dhcp-snooping bindings-database auto-save interval
set dhcp-snooping bindings-database device:[filename]
Syntax Description
information-option | Specifies the DHCP information option feature.
host-tracking | Specifies host tracking.
enable | Enables the DHCP snooping feature.
disable | Disables the DHCP snooping feature.
match-mac | Specifies the DHCP snooping MAC address matching feature.
bindings-database | Configures storage of the DHCP snooping bindings database.
auto-save | Specifies the bindings database automatic save interval.
interval | Time interval in minutes; valid values are from 0 to 35000.
device:[filename] | Flash device where the bindings are saved and, optionally, the file name that contains the bindings.
Defaults
Host tracking is disabled.
MAC address matching is enabled.
The interval is 0, which means that the auto-save feature is disabled.
The flash device is bootflash and the default filename is "dhcp-snooping-bindings-database."
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set dhcp-snooping information-option host-tracking {enable | disable} command enables or disables host tracking. Enabling host tracking causes the DHCP snooping process to insert the relay information agent option (option 82) with remote ID and circuit ID suboptions in all client-to-server DHCP packets on VLANs for which DHCP snooping is enabled. Enabling host tracking also activates the processing of option 82 in received server-to-client packets.
The set dhcp-snooping match-mac {enable | disable} command enables or disables the MAC address matching feature. When this option is enabled, the source MAC address in the Ethernet header is matched with the "chaddr" field in the DHCP payload for DHCP packets that come from untrusted ports. If the MAC address and "chaddr" field do not match, packets are dropped, and the counter for dropped packets on untrusted ports is incremented.
If DHCP snooping is disabled on a VLAN, the bindings for that VLAN are deleted.
The DHCP-snooping binding entries can be stored to a flash device so that the bindings can be restored immediately after the switch is reset.
To configure the auto-save interval for DHCP-snooping bindings, use the auto-save interval option. Valid ranges for the interval are 1 through 35000 minutes. Specifying a 0 disables the periodic saving of bindings on the flash device and deletes the bindings file stored in flash. Specifying a 0 does not clear a user-specified filename. The user-specified filename is cleared and returned to the default filename after you enter the clear config all command.
To specify the flash device and filename for storing the bindings, use the device:filename option. By default, the flash device is bootflash and the default filename is "dhcp-snooping-bindings-database." If you have not configured a filename, the bindings are automatically saved with the default filename on the flash device.
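The MAC address matching rule described above, as an added illustration (not Catalyst software): on an untrusted port the Ethernet source MAC must equal the chaddr field of the DHCP payload, otherwise the packet is dropped and the untrusted-port drop counter is incremented. The sample DHCP payload and MAC addresses are constructed here; the handling of an unparsable header is an assumption.

```python
"""Model of the DHCP snooping MAC-address matching check (match-mac)."""
import struct
from dataclasses import dataclass

BOOTREQUEST = 1                      # op: client-to-server message
DHCP_MAGIC = b"\x63\x82\x53\x63"     # magic cookie that starts the options


def build_dhcp_request(chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPREQUEST payload (constructed sample input).

    Fixed BOOTP layout (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr, then the 16-byte chaddr, 64-byte sname,
    128-byte file, magic cookie and options.
    """
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         BOOTREQUEST, 1, len(chaddr), 0, xid, 0, 0,
                         bytes(4), bytes(4), bytes(4), bytes(4))
    options = b"\x35\x01\x03" + b"\xff"   # option 53 = DHCPREQUEST, then end
    return (header + chaddr.ljust(16, b"\0") + bytes(64) + bytes(128)
            + DHCP_MAGIC + options)


def dhcp_chaddr(payload: bytes) -> bytes:
    """Return the client hardware address: hlen bytes of chaddr at offset 28."""
    hlen = payload[2]
    if hlen > 16 or len(payload) < 28 + hlen:
        raise ValueError("malformed DHCP header")
    return payload[28:28 + hlen]


@dataclass
class DhcpSnooper:
    """Per-switch state for the match-mac check."""
    match_mac: bool = True        # set dhcp-snooping match-mac {enable | disable}
    untrusted_drops: int = 0      # counter of packets dropped on untrusted ports

    def inspect(self, eth_src: bytes, payload: bytes, trusted_port: bool) -> str:
        """Return 'forward' or 'drop' for one DHCP packet seen by snooping."""
        if trusted_port or not self.match_mac:
            return "forward"      # the check applies only to untrusted ports
        try:
            client_mac = dhcp_chaddr(payload)
        except ValueError:
            # Assumption: an unparsable header from an untrusted port is dropped.
            self.untrusted_drops += 1
            return "drop"
        if client_mac != eth_src:
            self.untrusted_drops += 1
            return "drop"
        return "forward"


# Constructed sample addresses: the real client and a different Ethernet source.
CLIENT_MAC = bytes.fromhex("00a0c9112233")
OTHER_MAC = bytes.fromhex("00a0c9445566")


def demo() -> dict:
    """Run the check on three packets and report the outcomes and drop counter."""
    snooper = DhcpSnooper()
    request = build_dhcp_request(CLIENT_MAC)
    return {
        # Ethernet source equals chaddr: normal client on an untrusted access port.
        "genuine_untrusted": snooper.inspect(CLIENT_MAC, request, trusted_port=False),
        # Ethernet source differs from chaddr: dropped and counted.
        "mismatch_untrusted": snooper.inspect(OTHER_MAC, request, trusted_port=False),
        # The same mismatch on a trusted (server-facing) port is not checked.
        "mismatch_trusted": snooper.inspect(OTHER_MAC, request, trusted_port=True),
        "untrusted_drops": snooper.untrusted_drops,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```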
Examples
This example shows how to enable DHCP snooping information-option host tracking:
Console> (enable) set dhcp-snooping information-option host-tracking enable
DHCP Snooping Information Option Enabled.
This example shows how to disable DHCP snooping MAC address matching:
Console> (enable) set dhcp-snooping match-mac disable
DHCP Snooping MAC address matching disabled.
This example shows how to enable the auto-save option for DHCP-snooping binding entries and specify an interval of 600 minutes for the periodic saving of the bindings:
Console> (enable) set dhcp-snooping bindings-database auto-save 600
DHCP Snooping auto-save interval set to 600 minutes.
This example shows how to specify the flash device and filename for storing the bindings:
Console> (enable) set dhcp-snooping bindings-database disk1:dhcp-bindings
DHCP Snooping bindings storage file set to disk1:dhcp-bindings.
Related Commands
set diagnostic bootup level
To specify the bootup generic online diagnostics level, use the set diagnostic bootup level command.
set diagnostic bootup level {bypass | complete | minimal}
Syntax Description
bypass | Skips all online diagnostic tests.
complete | Runs all online diagnostic tests.
minimal | Runs only PFC tests for the supervisor engine and loopback tests for all ports.
Defaults
The bootup level is minimal.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Although the default bootup level for generic online diagnostics is minimal, we recommend that you set the level to complete. We strongly recommend that you do not bypass diagnostics.
The bootup diagnostics level applies to the entire switch. The bootup diagnostics level cannot be configured on a per-module basis.
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to specify complete as the bootup diagnostics level:
Console> (enable) set diagnostic bootup level complete
Diagnostic level set to complete
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic
set diagnostic diagfail-action
To specify the generic online diagnostics failure response for the system, use the set diagnostic diagfail-action command.
set diagnostic diagfail-action {ignore | system}
Syntax Description
ignore | Specifies that test failures are ignored and the system still boots up.
system | Specifies that the test failures trigger error recovery.
Defaults
The system keyword is the default.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to configure the system to ignore test failures and still boot up:
Console> (enable) set diagnostic diagfail-action ignore
Diagnostic failure action set to ignore.
This example shows how to trigger an error recovery in the event of test failures:
Console> (enable) set diagnostic diagfail-action system
Diagnostic failure action set to system.
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic
set diagnostic event-log size
To specify the size of event log for generic online diagnostics, use the set diagnostic event-log size command.
set diagnostic event-log size number_of_entries
Syntax Description
number_of_entries | Number of online diagnostics events in the event log; valid values are 1 to 10000.
Defaults
500 entries.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to specify 1000 entries for the online diagnostics event log size:
Console> (enable) set diagnostic event-log size 1000
Diagnostic event-log size set to 1000
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic monitor
set diagnostic ondemand
set diagnostic schedule
show diagnostic
set diagnostic monitor
To configure generic online diagnostic health monitoring, use the set diagnostic monitor command.
set diagnostic monitor interval module mod_num test {all | test_ID_num | test_list} hh:mm:ss
set diagnostic monitor module mod_num test {all | test_ID_num | test_list}
set diagnostic monitor syslog
Syntax Description
interval module | Configures online diagnostic monitoring test intervals.
mod_num | Number of the module.
test | Specifies particular online diagnostic tests.
all | Specifies all online diagnostic tests.
test_ID_num | Number of a specific online diagnostic test.
test_list | List of online diagnostic tests.
hh:mm:ss | Time in 24-hour format.
module | Enables health-monitoring diagnostic tests.
syslog | Enables syslog generation when a test fails.
Defaults
Disruptive tests are disabled by default. Some non-disruptive tests are enabled by default. Use the show diagnostic content module command to determine which tests are disruptive (D) and non-disruptive (N) by looking at the "Attributes" column of the command output. We recommend that only the non-disruptive tests be used for health monitoring.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure health-monitoring diagnostic testing on specified modules while the switch is connected to a live network. You can specify the execution interval for each health-monitoring test, whether or not to generate a system message upon test failure, or whether an individual test should be enabled or disabled.
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to specify that the online diagnostic health-monitoring tests (test 18) be run on module 7 at 12:12:12 and 100 milliseconds every 10 days:
Console> (enable) set diagnostic monitor interval module 7 test 18 12:12:12 100 10
Diagnostic monitor interval set at 12:12:12 100 10 for module 7 test 18
This example shows how to enable test 18 on module 7:
Console> (enable) set diagnostic monitor module 7 test 18
Module 7 test 18 diagnostic monitor enable.
This example shows how to enable syslog generation when a test fails:
Console> (enable) set diagnostic monitor syslog
Diagnostic monitor syslog enable.
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic ondemand
set diagnostic schedule
show diagnostic
set diagnostic ondemand
To configure on-demand generic online diagnostics, use the set diagnostic ondemand command.
set diagnostic ondemand action-on-failure {continue failure_limit | stop}
set diagnostic ondemand iterations number_of_iterations
Syntax Description
action-on-failure | Sets the action that the switch takes in the event of online diagnostic test failures.
continue failure_limit | Continues on-demand tests until the test failure limit is reached; valid values are from 0 to 65534 failures.
stop | Specifies that online diagnostic tests stop when a single failure occurs.
iterations | Specifies the number of times to repeat online diagnostic tests.
number_of_iterations | Number of times to repeat online diagnostic tests; valid values are from 1 to 999.
Defaults
The failure_limit argument is 0.
The number_of_iterations argument is 1.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For a complete list of on-demand generic online diagnostic tests for supervisor engines, fabric-enabled modules, and non-fabric-enabled modules, see the "Configuring GOLD" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to specify that the online diagnostics stop running after experiencing 100 failures:
Console> (enable) set diagnostic ondemand action-on-failure continue 100
Diagnostic ondemand action-on-failure set to continue 100
This example shows how to specify that the online diagnostics run 50 times:
Console> (enable) set diagnostic ondemand iterations 50
Diagnostic ondemand iterations set to 50
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic schedule
show diagnostic
set diagnostic schedule
To schedule generic online diagnostics, use the set diagnostic schedule command.
set diagnostic schedule module mod_num test {all | test_ID_num | test_list} {port {port_num | port_range | all} | daily hh:mm | on month days_of_month range_of_years hh:mm | weekly day hh:mm}
Syntax Description
module mod_num | Specifies the module for which to schedule online diagnostics.
test | Specifies particular online diagnostic tests.
all | Specifies all online diagnostic tests.
test_ID_num | Number of a specific online diagnostic test.
test_list | List of online diagnostic tests.
port | Specifies the port on which the online diagnostic tests are run.
port_num | Number of the port.
port_range | Range of ports.
all | Specifies all ports on the module.
daily | Specifies a daily schedule.
hh:mm | Hour and minute.
on | Specifies an absolute schedule.
month | Specifies the month.
days_of_month | Days of the month; valid values are from 1 to 31.
range_of_years | Range of years; valid values are from 1993 to 2035.
weekly | Specifies a weekly schedule.
day | Specifies a day of the week.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a specific module. You can specify that all tests be run or that individual tests be run. The tests can be scheduled to run only once or be repeated at specified intervals.
Note
GOLD is supported on the Supervisor Engine 720 and the Supervisor Engine 32 only. Earlier diagnostic commands are still supported on the Supervisor Engine 1 and the Supervisor Engine 2.
Examples
This example shows how to schedule diagnostic testing (tests 1 and 2 specified) to occur on a specific date and time for a specific module:
Console> (enable) set diagnostic schedule module 7 test 1 daily 12:12
Diagnostic schedule set at daily 12:12 for module 7 test 1
This example shows how to schedule diagnostic testing (test 1 specified) to occur daily at a certain time for a specific port and module:
Console> (enable) set diagnostic schedule module 7 test 3 port 1 daily 16:16
Diagnostic schedule set at daily 16:16 for module 7 test 3
Related Commands
clear diagnostic
diagnostic start
diagnostic stop
set diagnostic bootup level
set diagnostic diagfail-action
set diagnostic event-log size
set diagnostic monitor
set diagnostic ondemand
show diagnostic
set dot1q-all-tagged
To change all existing and new dot1q trunks to the dot1q-only mode, use the set dot1q-all-tagged command.
set dot1q-all-tagged {enable | disable}
Syntax Description
enable | Enables dot1q-tagged-only mode.
disable | Disables dot1q-tagged-only mode.
Defaults
The 802.1Q tagging feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable dot1q-tagged-only, all data packets are sent out tagged and all received untagged data packets are dropped on all 802.1Q trunks.
You cannot enable the dot1q tunneling feature on a port until dot1q-tagged-only mode is enabled.
You cannot disable dot1q-tagged-only mode on the switch until dot1q tunneling is disabled on all the ports on the switch.
The optional all keyword is not supported.
Note
Policy-based forwarding (PBF) does not work with 802.1Q tunnel traffic. PBF is supported on Layer 3 IP unicast traffic, but it is not applicable to Layer 2 traffic. At the intermediate (PBF) switch, all 802.1Q tunnel traffic appears as Layer 2 traffic.
If you enable dot1q-tagged globally, the dot1q-tagged per-port setting controls whether or not frames are tagged. If you disable dot1q-tagged globally, the default group is never tagged and the per-port setting has no effect.
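The trunk behaviour described in these guidelines, as an added illustration (not Catalyst software): with dot1q-all-tagged enabled, every data frame leaves the trunk tagged and every untagged data frame received on the trunk is dropped; with it disabled, untagged frames are placed in the trunk's native VLAN. The sample frames are constructed here and the native VLAN number is an assumed parameter.

```python
"""Ingress and egress handling on an 802.1Q trunk, with and without
dot1q-tagged-only mode."""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame with an optional single 802.1Q tag (constructed sample)."""
    header = dst + src
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # priority + VLAN ID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan_tag(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vlan_id, ethertype); vlan_id is None when the frame has no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner_type


def trunk_ingress(frame: bytes, tagged_only: bool,
                  native_vlan: int = 1) -> Tuple[str, Optional[int]]:
    """Classify a frame received on a trunk: ('forward', vlan) or ('drop', None)."""
    vlan_id, _ = parse_vlan_tag(frame)
    if vlan_id is None:
        # Untagged data frame: dropped in tagged-only mode, else native VLAN.
        return ("drop", None) if tagged_only else ("forward", native_vlan)
    return "forward", vlan_id


def trunk_egress_tagged(vlan: int, tagged_only: bool, native_vlan: int = 1) -> bool:
    """Whether a frame for `vlan` leaves the trunk with an 802.1Q tag.

    In tagged-only mode all data frames, the native VLAN included, are tagged;
    otherwise only frames for non-native VLANs carry a tag.
    """
    return tagged_only or vlan != native_vlan


# Constructed sample frames: one untagged, one tagged for VLAN 20.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("00a0c9112233")
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, b"\x45" + bytes(19))
TAGGED_V20 = build_frame(DST, SRC, ETHERTYPE_IPV4, b"\x45" + bytes(19), vlan_id=20)


def demo(native_vlan: int = 1) -> dict:
    """Compare both trunk modes on the same two frames."""
    out = {}
    for tagged_only in (False, True):
        label = "tagged_only" if tagged_only else "default"
        out[label] = {
            "untagged_in": trunk_ingress(UNTAGGED, tagged_only, native_vlan),
            "tagged_in": trunk_ingress(TAGGED_V20, tagged_only, native_vlan),
            "native_out_tagged": trunk_egress_tagged(native_vlan, tagged_only, native_vlan),
        }
    return out


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```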
Examples
This example shows how to enable dot1q tagging:
Console> (enable) set dot1q-all-tagged enable
Related Commands
set port dot1qtunnel
show dot1q-all-tagged
set dot1x
To configure 802.1X on a system, use the set dot1x command.
set dot1x system-auth-control {enable | disable}
set dot1x {quiet-period | tx-period | re-authperiod} seconds
set dot1x {supp-timeout | server-timeout} seconds
set dot1x max-req count
set dot1x shutdown-timeout seconds
set dot1x vlan-group vlan_group_name vlan
set dot1x radius-accounting {enable | disable}
set dot1x radius-vlan-assignment {enable | disable}
set dot1x guest-vlan supplicant {enable | disable}
Syntax Description
system-auth-control | Specifies authentication for the system.
enable | Enables the specified 802.1X function.
disable | Disables the specified 802.1X function.
quiet-period seconds | Specifies the idle time between authentication attempts; valid values are from 0 to 65535 seconds.
tx-period seconds | Specifies the time for the retransmission of the EAP-Request/Identity frame; valid values are from 0 to 65535 seconds. See the "Usage Guidelines" section for additional information.
re-authperiod seconds | Specifies the time constant for the retransmission reauthentication time; valid values are from 1 to 65535 seconds.
supp-timeout seconds | Specifies the time constant for the retransmission of EAP-Request packets; valid values are from 0 to 65535 seconds. See the "Usage Guidelines" section for additional information.
server-timeout seconds | Specifies the time constant for the retransmission of packets by the backend authenticator to the authentication server; valid values are from 1 to 65535 seconds. See the "Usage Guidelines" section for additional information.
max-req count | Specifies the maximum number of times that the state machine retransmits an EAP-Request frame to the supplicant before it times out the authentication session; valid values are from 1 to 10.
shutdown-timeout seconds | Specifies the amount of time that a port is shut down after a security violation; valid values are from 1 to 65535 seconds. See the "Usage Guidelines" section for additional information.
vlan-group | Specifies the VLAN group name.
vlan_group_name | Name of the VLAN group.
vlan | VLAN number; valid values are from 1 to 4094.
radius-accounting | Specifies 802.1X RADIUS accounting and tracking.
radius-vlan-assignment | Specifies 802.1X RADIUS VLAN assignment.
radius-keepalive | Specifies 802.1X RADIUS keepalive state.
Defaults
The default settings are as follows:
• system-auth-control is enabled.
• quiet-period is 60 seconds.
• tx-period is 30 seconds.
• re-authperiod is 3600 seconds.
• supp-timeout is 30 seconds.
• server-timeout is 30 seconds.
• max-req count is 2.
• shutdown-timeout is 300 seconds.
• radius-accounting is disabled.
• radius-vlan-assignment is disabled.
• radius-keepalive is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you set the system-auth-control, the following applies:
• The enable keyword allows you to control each port's authorization status per the port-control parameter set using the set port dot1x command.
• The disable keyword allows you to make all ports behave as though the port-control parameter is set to force-authorized.
If you do not enable reauthentication, reauthentication does not automatically occur after authentication has occurred.
Private VLANs and 802.1X configurations are mutually exclusive of one another.
When the supplicant does not notify the authenticator that it received the EAP-request/identity packet, the authenticator waits a period of time (set by entering the tx-period seconds parameter), and then retransmits the packet.
When the supplicant does not notify the backend authenticator that it received the EAP-request packet, the backend authenticator waits a period of time (set by entering the supp-timeout seconds parameter), and then retransmits the packet.
When the authentication server does not notify the backend authenticator that it received specific packets, the backend authenticator waits a period of time (set by entering the server-timeout seconds parameter), and then retransmits the packets.
When you enter the set dot1x dhcp-relay-agent command, you can enter more than one VLAN.
To activate the shutdown-timeout timer on a port, enter the set port dot1x mod/port shutdown-timeout command.
To configure the 802.1X user distribution feature, follow these guidelines:
• Ensure that at least one VLAN is mapped to the VLAN group.
• You can map more than one VLAN to a VLAN group.
• The VLAN group can be modified by adding or deleting a VLAN.
• When an existing VLAN is cleared from the VLAN group name, none of the ports authenticated in the VLAN are cleared, but the mappings are removed from the existing VLAN group.
• If you clear the last VLAN from the VLAN group name, the VLAN group is deleted.
• You can clear a VLAN group, even when active VLANs are mapped to the group. When a VLAN group is cleared, none of the ports or users that are in the authenticated state in any VLAN within the group are cleared, but the VLAN mappings to the VLAN group are cleared.
• If you enter the set dot1x radius-vlan-assignment disable command, the VLAN information that is sent from the RADIUS server is ignored, and the port stays in the NVRAM-configured VLAN. This command is used to enable or disable the VLAN assignment feature globally. When the command is enabled, the switch uses the tunnel attributes to extract the VLAN name in the RADIUS Access-Accept message. The command is enabled by default.
To check whether or not configured RADIUS servers are alive, the switch can send out a dummy username for authentication. In reply to the dummy username, the RADIUS servers send an access rejection. To turn off authentication attempts that test the RADIUS servers, enter the set dot1x radius-keepalive disable command. If you disable this feature, the switch does not check the status of the servers, and the RADIUS server logs do not fill with dummy attempts.
Note
In software releases 7.5 through 8.2, the command to enable or disable the RADIUS keepalive feature is set feature dot1x-radius-keepalive. In software release 8.3 and later releases, the command is set dot1x radius-keepalive.
Examples
This example shows how to set the system authentication control:
Console> (enable) set dot1x system-auth-control enable
dot1x authorization enabled.
This example shows how to set the idle time between authentication attempts:
Console> (enable) set dot1x quiet-period 45
dot1x quiet-period set to 45 seconds.
This example shows how to set the retransmission time:
Console> (enable) set dot1x tx-period 15
dot1x tx-period set to 15 seconds.
This example shows you how to specify the reauthentication time:
Console> (enable) set dot1x re-authperiod 7200
dot1x re-authperiod set to 7200 seconds
This example shows you how to specify the retransmission of EAP-Request packets by the authenticator to the supplicant:
Console> (enable) set dot1x supp-timeout 15
dot1x supp-timeout set to 15 seconds.
This example shows how to specify the retransmission of packets by the backend authenticator to the authentication server:
Console> (enable) set dot1x server-timeout 15
dot1x server-timeout set to 15 seconds.
This example shows how to specify the maximum number of packet retransmissions:
Console> (enable) set dot1x max-req 5
This example shows how to enable authentication for the DHCP Relay Agent on VLANs 1 through 5 and 24:
Console> (enable) set dot1x dhcp-relay-agent enable 1-5,24
dot1x dhcp-relay-agent enabled for vlans 1-5, 24.
This example shows how to disable authentication for the DHCP Relay Agent on VLAN 1:
Console> (enable) set dot1x dhcp-relay-agent disable 1
dotx dhcp-relay-agent disable for vlan 1
This example shows how to create a new VLAN group in the system:
Console> (enable) set dot1x vlan-group engg-dept 3
Vlan group engg-dept is successfully configured and mapped to vlan 3.
This example shows how to map another VLAN to an existing VLAN group name:
Console> (enable) set dot1x vlan-group engg-dept 4
Vlan 4 is successfully mapped to vlan group engg-group.
This example shows how to globally enable RADIUS accounting and tracking:
Console> (enable) set dot1x radius-accounting enable
dot1x radius-accounting enabled.
This example shows how to globally enable the RADIUS VLAN assignment feature:
Console> (enable) set dot1x radius-vlan-assignment enable
dot1x radius-vlan-assignment enabled.
This example shows how to globally enable the RADIUS keepalive state feature:
Console> (enable) set dot1x radius-keepalive enable
dot1x radius-keepalive state enabled.
Console> (enable)
This example shows how to enable the guest VLAN supplicant feature:
Console> (enable) set dot1x guest-vlan supplicant enable
Dot1x guest-vlan-supplicant feature enabled.
Related Commands
clear dot1x config
clear dot1x vlan-group
set port dot1x
set radius deadtime
show dot1x
show port dot1x
set enablepass
To change the password for the privileged level of the CLI, use the set enablepass command.
set enablepass
Syntax Description
This command has no arguments or keywords.
Defaults
The default configuration has no enable password configured.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Passwords are case sensitive and may be 0 to 19 characters in length, including spaces.
The command prompts you for the old password. If the password you enter is valid, you are prompted to enter a new password and to verify the new password.
Examples
This example shows how to establish a new password:
Console> (enable) set enablepass
Enter old password: <old_password>
Enter new password: <new_password>
Retype new password: <new_password>
Related Commands
enable
set password
set eou
To globally enable or disable Extensible Authentication Protocol over User Datagram Protocol (EoU), use the set eou command.
set eou {enable | disable}
Syntax Description
enable | Enables EoU globally.
disable | Disables EoU globally.
Defaults
Global EoU is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to enable LAN port IP (LPIP) on the switch:
Console> (enable) set eou enable
EoU LPIP Enabled globally
Related Commands
clear eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou allow clientless
To enable or disable bypassing of the LAN port IP (LPIP) posture validation for a clientless host, use the set eou allow clientless command.
set eou allow clientless {enable | disable}
Syntax Description
enable | Allows clientless hosts.
disable | Does not allow clientless hosts.
Defaults
The clientless mechanism is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to enable bypassing of the LPIP posture validation for a clientless host:
Console> (enable) set eou allow clientless enable
EoU Clientless hosts will be allowed
Related Commands
clear eou
set eou
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou authorize
To statically authorize a device by IP address or by MAC address and to apply an associated policy to the device, use the set eou authorize command.
set eou authorize ip ip_addr [ip_mask] policy policy_name
set eou authorize mac-address mac_addr [mac_mask] policy policy_name
Syntax Description
ip ip_addr | Sets an IP address-based exception list.
ip_mask | (Optional) IP mask.
policy policy_name | Specifies a policy name.
mac-address mac_addr | Sets a MAC address-based exception list.
mac_mask | (Optional) MAC address mask.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set eou authorize command allows a device with specific IP address or MAC address to be treated as an exception host. When that host is detected, it dynamically installs the specified policy.
If the policy template does not exist, when you enter this command, the policy template is created.
For other configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to statically authorize a device with a specific IP address and to apply an associated policy to the device:
Console> (enable) set eou authorize ip 172.20.52.19 255.255.255.224 policy poll
Mapped IP address 172.20.52.0 IP mask 255.255.255.224 to policy name poll
This example shows how to statically authorize a device using the device MAC address and apply an associated policy to the device:
Console> (enable) set eou authorize mac-address 03-56-B7-45-65-56 policy poll
Mapped MAC 03-56-b7-45-65-56 to policy name poll.
Related Commands
clear eou
set eou
set eou allow clientless
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou initialize
To restart the state machine for a host, use the set eou initialize command.
set eou initialize {all | ip ip_addr | mac mac_addr | posture-token posture_token}
set eou initialize authentication {clientless | eap | static}
Syntax Description
all | Initializes all EoU interfaces.
ip ip_addr | Initializes the port with the specified IP address.
mac mac_addr | Initializes the port with the specified MAC address.
posture-token posture_token | Initializes all EoU ports with the specified posture token.
authentication | Initializes all EoU ports of a specific authentication type.
clientless | Initializes all clientless ports.
eap | Initializes all ports with EAP authentication.
static | Initializes all hosts in an exception list.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to restart a host's state machine using the IP address:
Console> (enable) set eou initialize ip 172.20.52.19
Initializing Eou for ipAddress 172.20.52.19
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou logging
To enable or disable EoU logging for LAN port IP events, use the set eou logging command.
set eou logging {enable | disable}
Syntax Description
enable | Enables logging.
disable | Disables logging.
Defaults
Logging is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable logging:
Console> (enable) set eou logging enable
Logging enabled for LPIP events.
Console> (enable)
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou max-retry
To specify the number of times a packet is retransmitted to the Cisco Trust Agent (CTA) before declaring the CTA nonresponsive, use the set eou max-retry command.
set eou max-retry max_retries
Syntax Description
max_retries | Maximum number of reattempts; valid values are from 1 to 10.
Defaults
Packets are retransmitted 3 times.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For configuration guidelines and restrictions, see the "Configuring Network Access Control" chapter of the Catalyst 6500 Series Software Configuration Guide.
Examples
This example shows how to set the number of times that a packet is retransmitted to the CTA before declaring the CTA nonresponsive:
Console> (enable) set eou max-retry 6
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou radius-accounting
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou radius-accounting
To globally enable or disable EoU RADIUS accounting, use the set eou radius-accounting command.
set eou radius-accounting {enable | disable}
Syntax Description
enable | Enables EoU RADIUS accounting.
disable | Disables EoU RADIUS accounting.
Defaults
EoU RADIUS accounting is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable EOU RADIUS accounting:
Console> (enable) set eou radius-accounting enable
Radius Accounting for Eou Enabled.
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou rate-limit
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou rate-limit
To set the maximum number of simultaneous EoU sessions that are allowed on the switch, use the set eou rate-limit command.
set eou rate-limit rate
Syntax Description
rate | Number of simultaneous sessions; valid values are 0 and from 10 to 200.
Defaults
The number of simultaneous sessions is 0.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to set the number of simultaneous EoU sessions to 100:
Console> (enable) set eou rate-limit 100
eou ratelimit set to 100.
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou revalidate
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou revalidate
To revalidate a host, use the set eou revalidate command.
set eou revalidate {all | ip ip_addr | mac mac_addr | posture-token posture_token}
set eou revalidate authentication {clientless | eap | static}
Syntax Description
all | Revalidates all EoU ports.
ip ip_addr | Revalidates the port with the specified IP address.
mac mac_addr | Revalidates the port with the specified MAC address.
posture-token posture_token | Revalidates all ports with the specified posture token.
authentication | Revalidates all ports of a specific authentication type.
clientless | Revalidates all clientless ports.
eap | Revalidates all ports with EAP authentication.
static | Revalidates all hosts in an exception list.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to revalidate all hosts:
Console> (enable) set eou revalidate all
EoU LPIP revalidation started for all hosts
This example shows how to revalidate all clientless hosts:
Console> (enable) set eou revalidate authentication clientless
Revalidate all clientless hosts
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou timeout
set port eou
set security acl ip
show eou
show port eou
set eou timeout
To set EoU-related timers, use the set eou timeout command.
set eou timeout {aaa | hold-period | retransmit | revalidation | status-query} seconds
Syntax Description
aaa | Sets the EoU AAA timeout.
hold-period | Sets the EoU hold timeout.
retransmit | Sets the EoU retransmit timeout.
revalidation | Sets the EoU revalidation timeout.
status-query | Sets the EoU status-query timeout.
seconds | Timeout in seconds; see the "Usage Guidelines" section for valid values.
Defaults
The following are the EoU timer defaults:
• aaa—60 seconds.
• hold-period—180 seconds.
• retransmit—3 seconds.
• revalidation—3600 seconds.
• status-query—300 seconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The following are ranges for EoU timeout periods:
• The aaa value is from 1 to 60 seconds.
• The hold-period value is from 60 to 86400 seconds.
• The retransmit value is from 1 to 60 seconds.
• The revalidation value is from 5 to 86400 seconds.
• The status-query value is from 30 to 1800 seconds.
Examples
This example shows how to set the status-query timeout to 30 seconds:
Console> (enable) set eou timeout status-query 30
LPIP Status Query timeout set to 30 seconds.
Console> (enable)
Related Commands
clear eou
set eou
set eou allow clientless
set eou authorize
set eou initialize
set eou logging
set eou max-retry
set eou radius-accounting
set eou rate-limit
set eou revalidate
set port eou
set security acl ip
show eou
show port eou
set errdisable-timeout
To configure a timeout to automatically reenable ports that are in the errdisable state, use the set errdisable-timeout command.
set errdisable-timeout {enable | disable} {reason}
set errdisable-timeout interval {interval}
Syntax Description
enable | Enables errdisable timeout.
disable | Disables errdisable timeout.
reason | Reason for the port being in errdisable state; valid values are arp-inspection, bcast-suppression, bpdu-guard, channel-misconfig, cross-fallback, duplex-mismatch, gl2pt-ingress-loop, gl2pt-threshold-exceed, gl2pt-cdp-threshold-exceed, gl2pt-stp-threshold-exceed, gl2pt-vtp-threshold-exceed, link-rxcrc, link-txcrc, udld, other, all.
interval interval | Specifies the timeout interval; valid values are from 30 to 86400 seconds (30 seconds to 24 hours).
Defaults
By default, all the errdisable state reasons are disabled globally; whenever there are no reasons enabled, the timer is stopped.
By default, the timeout is set to disable, and the interval value is set at 300 seconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
A port enters errdisable state for the following reasons (these reasons appear as configuration options within the set errdisable-timeout enable command):
• arp-inspection—ARP inspection
• bcast-suppression—Broadcast suppression
• bpdu-guard—BPDU port-guard
• cam-monitor—CAM monitoring
• channel-misconfig—Channel misconfiguration
• crossbar-fallback—Crossbar failure
• duplex-mismatch—Duplex mismatch
• gl2pt-ingress-loop—Layer 2 protocol tunnel misconfiguration
• gl2pt-threshold-exceed—When the Layer 2 protocol tunnel threshold is exceeded
• gl2pt-cdp-threshold-exceed—When the Layer 2 protocol tunnel CDP threshold is exceeded
• gl2pt-stp-threshold-exceed—When the Layer 2 protocol tunnel STP threshold is exceeded
• gl2pt-vtp-threshold-exceed—When the Layer 2 protocol tunnel VTP threshold is exceeded
• link-rxcrc—When the link-errors RX threshold is exceeded
• link-txcrc—When the link-errors TX threshold is exceeded
• udld—UDLD
• other—Reasons other than the above
• all—Applies errdisable timeout for all of the above reasons
You can enable or disable errdisable timeout for each of the reasons that are listed. If you specify "other," all ports errdisabled by causes other than the reasons listed are enabled for errdisable timeout. If you specify "all," all ports errdisabled for any reason are enabled for errdisable timeout.
You can manually prevent a port from being reenabled by setting the errdisable timeout for that port to disable using the set port errdisable-timeout mod/port disable command.
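The following is an added illustration, not CatOS code, of how the errdisable-timeout settings described above combine when deciding whether an errdisabled port comes back automatically: a reason must be enabled globally, "other" covers causes that are not in the reason list, "all" covers every cause, and a per-port disable entered with set port errdisable-timeout mod/port disable overrides the global setting. The class and method names, the port-naming form and the cause name "some-unlisted-cause" are assumptions for the illustration; the reason names and the default interval of 300 seconds are the ones the command reference gives.

```python
"""Model of errdisable-timeout recovery decisions (added example; assumptions noted inline)."""

# Reasons the set errdisable-timeout command lists in its Syntax Description.
LISTED_REASONS = {
    "arp-inspection", "bcast-suppression", "bpdu-guard", "channel-misconfig",
    "cross-fallback", "duplex-mismatch", "gl2pt-ingress-loop",
    "gl2pt-threshold-exceed", "gl2pt-cdp-threshold-exceed",
    "gl2pt-stp-threshold-exceed", "gl2pt-vtp-threshold-exceed",
    "link-rxcrc", "link-txcrc", "udld",
}
SPECIAL_REASONS = {"other", "all"}


class ErrdisableTimeout:
    def __init__(self) -> None:
        self.interval = 300          # page default, seconds
        self.enabled = set()         # reasons with timeout enabled; page default: none
        self.port_overrides = set()  # ports whose per-port timeout was set to disable

    def set_interval(self, seconds: int) -> str:
        """set errdisable-timeout interval {interval}"""
        if not 30 <= seconds <= 86400:
            raise ValueError("interval must be 30-86400 seconds")
        self.interval = seconds
        return f"Successfully set errdisable timeout to {seconds} seconds."

    def set_reason(self, reason: str, enable: bool) -> str:
        """set errdisable-timeout {enable | disable} {reason}"""
        if reason not in LISTED_REASONS | SPECIAL_REASONS:
            raise ValueError(f"unknown errdisable reason: {reason}")
        if enable:
            self.enabled.add(reason)
        else:
            self.enabled.discard(reason)
        state = "enabled" if enable else "disabled"
        return f"Successfully {state} errdisable-timeout for {reason}."

    def set_port(self, port: str, enable: bool) -> None:
        """set port errdisable-timeout mod/port {enable | disable} (assumed form)."""
        if enable:
            self.port_overrides.discard(port)
        else:
            self.port_overrides.add(port)

    def recovers(self, port: str, reason: str) -> bool:
        """Will a port errdisabled for `reason` be re-enabled by the timer?"""
        if port in self.port_overrides:
            return False                    # the per-port disable always wins
        if "all" in self.enabled:
            return True                     # "all" covers every cause
        if reason in LISTED_REASONS:
            return reason in self.enabled   # listed causes need their own enable
        return "other" in self.enabled      # unlisted causes fall under "other"

    def recovery_time(self, port: str, reason: str, errdisabled_at: int):
        """Time (seconds, same clock as errdisabled_at) at which the port returns, or None."""
        if not self.recovers(port, reason):
            return None
        return errdisabled_at + self.interval


if __name__ == "__main__":
    t = ErrdisableTimeout()
    print(t.set_reason("bpdu-guard", True))
    print(t.set_interval(450))
    # Constructed scenario: port 3/1 errdisabled by BPDU guard, 3/2 by UDLD.
    print("3/1 bpdu-guard recovers:", t.recovers("3/1", "bpdu-guard"))
    print("3/2 udld recovers:", t.recovers("3/2", "udld"))
```

When no reason is enabled the model never returns a recovery time, which matches the note in the Defaults section that the timer is stopped whenever there are no reasons enabled.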
Examples
This example shows how to enable an errdisable timeout due to a BPDU port-guard event:
Console> (enable) set errdisable-timeout enable bpdu-guard
Successfully enabled errdisable-timeout for bpdu-guard.
This example shows how to set an errdisable timeout interval to 450 seconds:
Console> (enable) set errdisable-timeout interval 450
Successfully set errdisable timeout to 450 seconds.
This example shows how to set an errdisable timeout for broadcast suppression events:
Console> (enable) set errdisable-timeout enable bcast-suppression
Successfully enabled errdisable timeout for bcast-suppression.
This example shows how to set an errdisable timeout for ARP inspection events:
Console> (enable) set errdisable-timeout enable arp-inspection
Successfully enabled errdisable-timeout for arp-inspection.
Related Commands
set port errdisable-timeout
show errdisable-timeout
set errordetection
To enable or disable various error detections, use the set errordetection command.
set errordetection inband {enable | disable}
set errordetection memory {enable | disable}
set errordetection portcounters {enable | disable}
set errordetection packet-buffer {errdisable | powercycle | supervisor {errdisable | shutdown}}
set errordetection link-errors {enable | disable}
set errordetection link-errors action {errordisable | port-failover}
set errordetection link-errors interval value
set errordetection link-errors threshold {inerrors | rxcrc | txcrc} [high value] [low value]
set errordetection link-errors sampling value
Syntax Description
inband | Detects errors in the inband (sc0) interface.
enable | Enables the specified error detection.
disable | Disables the specified error detection.
memory | Detects memory corruption.
portcounters | Monitors and polls port counters.
packet-buffer | Specifies how to handle packet-buffer errors.
errdisable | Errdisables ports with packet-buffer errors.
powercycle | Power cycles modules with packet-buffer errors.
supervisor | Specifies how to handle packet-buffer errors on the supervisor engine.
errdisable | Errdisables supervisor engine ports with packet-buffer errors.
shutdown | Shuts down supervisor engine ports with packet-buffer errors.
link-errors | Detects link errors.
action | Specifies how link errors are handled.
errordisable | Errdisables the port when the high threshold is reached.
port-failover | Errdisables the port if the port is in a channel but is not the last operational port in the channel. The port also goes into errdisable state if it is a single port.
interval value | Specifies a timer constraint for reading the error counters on ports; valid values are 30 to 1800 seconds.
threshold | Specifies the threshold for link errors.
inerrors | Specifies the inerrors threshold.
rxcrc | Specifies the RXCRC (CRCAlignErrors) error counter threshold.
txcrc | Specifies the TXCRC error counter threshold.
high value | (Optional) Sets the high threshold value; valid values are 2 to 65535 packets.
low value | (Optional) Sets the low threshold value; valid values are 1 to 65534 packets.
sampling value | Specifies the number of consecutive times that a port must reach the high or low threshold value before the port is placed in the errdisable state; valid values are 1 to 255 times.
Defaults
The following are the default settings for set errordetection:
• Inband error detection is enabled.
• Memory error detection is enabled.
• Portcounters error detection is enabled.
• Packet-buffer error detection is errdisable.
• Packet-buffer error detection for the supervisor engine is shutdown.
• Link-error error detection is port-failover.
• The link-error interval is 30 seconds.
• The high value for the inerrors threshold is 1001 packets.
• The low value for the inerrors threshold is 1000 packets.
• The high value for the rxcrc threshold is 1001 packets.
• The low value for the rxcrc threshold is 1000 packets.
• The high value for the txcrc threshold is 1001 packets.
• The low value for the txcrc threshold is 1000 packets.
• The link-error sampling is 3 times.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set errordetection command is useful for monitoring the switch. If an error is detected, a syslog message informs you that a problem exists before noticeable performance degradation occurs. For example, entering these commands displays the following information:
• set errordetection inband—Displays the type of inband failure occurrence, such as inband stuck, resource errors, and inband fail when you start the switch.
• set errordetection memory—Displays the address where the memory corruption occurred.
• set errordetection portcounters—Displays the module and port number and the counter that had the problem between two consecutive polls.
The rapid boot feature minimizes the amount of downtime a module experiences if the module encounters a packet-buffer error. You can enter one of the following commands to handle the error condition:
• set errordetection packet-buffer errdisable—If you enter the errdisable keyword, only the ports that experience the packet-buffer error are put in the errdisable state.
• set errordetection packet-buffer powercycle—If you enter the powercycle keyword, the module is power cycled. When you choose this option, a ROMMON image is downloaded on the module, and the normal bootup sequence is bypassed to reduce module downtime.
• set errordetection packet-buffer supervisor {errdisable | shutdown}—If you enter the supervisor errdisable keywords, the supervisor engine ports that experience the packet-buffer errors are put in the errdisable state. If you enter the supervisor shutdown keywords, the supervisor engine ports that experience the packet-buffer errors are shut down.
Caution: Do not power cycle the module while the ROMMON image is downloading. Doing so might damage the module.
The rapid boot feature is available on the following modules:
• WS-X6248-RJ45
• WS-X6248-TELCO
• WS-X6348-RJ45
• WS-X6348-RJ21
• WS-X6148-RJ45
• WS-X6148-RJ21
The set errordetection link-errors global commands allow you to configure link error handling. When entering the set errordetection link-errors commands, follow these guidelines:
• set errordetection link-errors action {errordisable | port-failover}
If the error count for a port reaches the high value of the configurable threshold (within the sampling count period specified), the action is either errordisable or port-failover. If you select errordisable, the port goes into the errdisable state when the high threshold is reached. If you select port-failover, the channel status of the port is considered: the port goes into the errdisable state if it is in a channel and is not the last operational port in the channel, and it also goes into the errdisable state if it is a single port.
• set errordetection link-errors interval value
The interval value that you specify determines how often the error counter for a port is read.
• set errordetection link-errors threshold {inerrors | rxcrc | txcrc} [high value] [low value]
The threshold values that you specify determine how many link errors are allowed during the interval that you specify with the set errordetection link-errors interval value command. If the low threshold is reached (within the sampling count period specified), a syslog message is displayed. If the high threshold is reached (within the sampling count period specified), a syslog message is displayed and, in addition, the port is either errdisabled or the port failover mechanism takes effect.
When you enter the inerrors keyword, the ifInErrors counter is checked. For packet-oriented interfaces, the ifInErrors counter includes the number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol. For character-oriented or fixed-length interfaces, the ifInErrors counter includes the number of inbound transmission units that contained errors that prevented them from being delivered to a higher-layer protocol.
After the inerrors keyword, the rx-threshold keyword, or the tx-threshold keyword, enter one of the following options:
– The low keyword and a value
– The high keyword and a value
– Both keywords and a value for each
• set errordetection link-errors sampling value
To minimize the possibility of accidentally putting a port into the errdisable state because of a one-time event that is not a true system error condition, you can specify a sampling value. This value determines the number of consecutive times a port must reach the high or low threshold value before the port is placed in the errdisable state. For example, if the high threshold value for a port is 1000 and the sampling count is 3, the port is errdisabled only after it has reached the 1000 threshold 3 consecutive times.
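The following is an added illustration, not CatOS code, of the link-error handling just described, carried through as detection logic over constructed counter readings: an error counter is read once per interval, the increase since the previous read is compared with the low and high thresholds, a syslog message is raised once the low threshold has been reached for the configured number of consecutive samples, and on the high threshold the configured action is applied, with port-failover sparing only the last operational port of a channel. The policy defaults are the ones the page gives (port-failover, 30 seconds, low 1000, high 1001, sampling 3); the class and function names, the port fields used to model channel membership, and the message wording are assumptions for the illustration.

```python
"""Model of set errordetection link-errors thresholds and sampling (added example)."""
from dataclasses import dataclass


@dataclass
class LinkErrorPolicy:
    """Global link-error settings; field defaults are the page's defaults."""
    action: str = "port-failover"   # errordisable | port-failover
    interval: int = 30              # seconds between counter reads, 30-1800
    low: int = 1000                 # low threshold, packets per interval, 1-65534
    high: int = 1001                # high threshold, packets per interval, 2-65535
    sampling: int = 3               # consecutive hits required before acting, 1-255

    def __post_init__(self) -> None:
        # Reject values outside the ranges the command reference lists.
        if self.action not in ("errordisable", "port-failover"):
            raise ValueError("action must be errordisable or port-failover")
        if not 30 <= self.interval <= 1800:
            raise ValueError("interval must be 30-1800 seconds")
        if not 1 <= self.low < self.high <= 65535:
            raise ValueError("need 1 <= low < high <= 65535")
        if not 1 <= self.sampling <= 255:
            raise ValueError("sampling must be 1-255")


@dataclass
class Port:
    """Per-port state. in_channel and channel_ports_up are assumed fields used only
    to model the port-failover rule; they are not CatOS data structures."""
    name: str
    in_channel: bool = False
    channel_ports_up: int = 1       # operational ports in the channel, this one included
    last_counter: int = 0           # counter value at the previous read
    low_hits: int = 0               # consecutive intervals at or above the low threshold
    high_hits: int = 0              # consecutive intervals at or above the high threshold
    errdisabled: bool = False


def poll(port: Port, counter: int, policy: LinkErrorPolicy) -> list:
    """Process one read of a port's error counter (for example ifInErrors)
    and return the messages and actions this interval produced."""
    delta = counter - port.last_counter     # errors accumulated since the last read
    port.last_counter = counter
    if delta < policy.low:
        port.low_hits = port.high_hits = 0  # a clean interval breaks the consecutive run
        return []
    port.low_hits += 1
    port.high_hits = port.high_hits + 1 if delta >= policy.high else 0
    events = []
    if port.low_hits >= policy.sampling:
        events.append(f"syslog {port.name}: {delta} errors in {policy.interval}s, "
                      f"low threshold {policy.low} reached")
    if port.high_hits >= policy.sampling and not port.errdisabled:
        events.append(f"syslog {port.name}: high threshold {policy.high} reached")
        # port-failover leaves only the last operational port of a channel up.
        last_in_channel = port.in_channel and port.channel_ports_up == 1
        if policy.action == "errordisable" or not last_in_channel:
            port.errdisabled = True
            events.append(f"{port.name} errdisabled")
        else:
            events.append(f"{port.name} left up (last operational port in channel)")
    return events


def run(port: Port, readings: list, policy: LinkErrorPolicy) -> list:
    """Feed successive counter readings, one per interval, and collect all events."""
    events = []
    for value in readings:
        events.extend(poll(port, value, policy))
    return events


if __name__ == "__main__":
    policy = LinkErrorPolicy()
    # Constructed readings: 1500 new errors in each of three consecutive intervals.
    single = Port("5/1")
    for event in run(single, [1500, 3000, 4500], policy):
        print(event)
```

Running the same readings against a port that is the last operational member of a channel shows the difference between the two actions: with port-failover the port stays up and only the syslog messages are produced, with errordisable it is errdisabled like a single port. A clean interval in the middle of a run resets the count, which is the protection against one-off events that the sampling value provides.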
Examples
This example shows how to enable memory error detection:
Console> (enable) set errordetection memory enable
Memory error detection enabled.
This example shows how to enable power cycling for a module that encounters packet-buffer errors:
Console> (enable) set errordetection packet-buffer powercycle
Warning: Boot ROM upgrade is required on module(s) 8 for rapid boot.
This will require a reset of the module(s). Do you want to continue (y/n) [n]? y
2004 May 11 16:24:01 EST +00:00 %SYS-6-CFG_CHG:Global block changed by Console//
Failed to download boot code on module 8.
Packet buffer error detection set to powercycle.
This example shows how to put ports that encounter packet-buffer errors into errdisable state:
Console> (enable) set errordetection packet-buffer errdisable
Packet buffer error detection set to errdisable.
This example shows how to specify how link errors are handled:
Console> (enable) set errordetection link-errors action errordisable
This example shows how to set the timer constraint for reading error counters on ports to 60 seconds:
Console> (enable) set errordetection link-errors interval 60
This example shows how to set the rx-threshold for ports to 2000 packets:
Console> (enable) set errordetection link-errors rx-threshold high 2000
This example shows how to set the link-error sampling value to 10 times:
Console> (enable) set errordetection link-errors sampling 10
Related Commands
set errdisable-timeout
set port errordetection
show errdisable-timeout
show errordetection
show port errordetection
set ethernet-cfm
To enable or disable Connectivity Fault Management (CFM) globally on a switch, use the set ethernet-cfm command.
set ethernet-cfm {disable | enable}
Syntax Description
disable | Disables CFM globally on a switch.
enable | Enables CFM globally on a switch.
Defaults
CFM is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command stores the enable or disable setting in NVRAM.
Examples
This example shows how to enable CFM globally on a switch:
Console> (enable) set ethernet-cfm enable
Console> (enable)
Related Commands
clear ethernet-cfm
set ethernet-cfm ais
To enable or disable a Connectivity Fault Management (CFM) Alarm Indication Signal (AIS) globally on a switch, use the set ethernet-cfm ais command.
set ethernet-cfm ais {disable | enable}
Syntax Description
disable | Disables the CFM link status AIS globally on a switch.
enable | Enables the CFM link status AIS globally on a switch.
Defaults
CFM AIS is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Use this command to enable or disable the AIS feature on a switch. The CFM AIS functionality is dependent on CFM being enabled globally. AIS will not be functional when CFM is disabled globally, although the show running-config all command will display that the AIS global status is enabled.
Examples
This example shows how to enable CFM AIS globally on a switch:
Console> (enable) set ethernet-cfm ais enable
Link-Status AIS feature is already enabled on the switch.
This example shows how to disable CFM AIS globally on a switch:
Console> (enable) set ethernet-cfm ais disable
Link-Status AIS feature is disabled on the switch.
Console> (enable)
Related Commands
set ethernet-cfm ais level
show ethernet-cfm errors
show ethernet-cfm status
set ethernet-cfm ais level
To configure the Connectivity Fault Management (CFM) Alarm Indication Signal (AIS) transmission level globally on a switch, which will be inherited by all the server Maintenance End Points (MEPs) to transmit AIS protocol data units (PDUs) when a fault is detected, use the set ethernet-cfm ais level command.
set ethernet-cfm ais level {level | default}
Syntax Description
level | AIS transmission level configured on a switch; valid values are from 0 to 7.
default | Sets the AIS transmission level on the switch back to its default.
Defaults
The default is no configured level (none), which is represented by a transmission level of 8.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The global AIS level will be given priority over the Maintenance Intermediate Point (MIP) level to transmit the AIS under a defect condition. If the global level is set to the default, the AIS will be sent at the highest MIP level configured in the affected VLAN.
Examples
This example shows how to configure the CFM AIS level globally on a switch:
Console> (enable) set ethernet-cfm ais level 0
Link-Status AIS transmission level configured to 0 on the switch.
This example shows how to set the CFM AIS level to the default globally on a switch:
Console> (enable) set ethernet-cfm ais level default
Link-Status AIS transmission level set to default on the switch.
Console> (enable)
Related Commands
set ethernet-cfm continuity-check level
set ethernet-cfm ais tx-count
To configure the transmission count for CFM Alarm Indication Signal (AIS) PDUs on a switch, use the set ethernet-cfm ais tx-count command.
set ethernet-cfm ais tx-count count
Syntax Description
count | AIS transmission count configured on a switch; valid values are from 3 to 10.
Defaults
The default is 5.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to configure AIS PDUs transmission count globally on a switch:
Console> (enable) set ethernet-cfm ais tx-count 10
AIS PDU transmission count set to 10 on the switch.
Related Commands
set ethernet-cfm continuity-check
To start or stop the transmission of continuity-check messages for a specific level, use the set ethernet-cfm continuity-check command.
set ethernet-cfm continuity-check {disable | enable} level level [vlan vlans]
Syntax Description
disable | Disables the continuity check.
enable | Enables the continuity check.
level level | Specifies the maintenance level of the local Maintenance End Points (MEPs); valid values are from 0 to 7.
vlan vlans | (Optional) Specifies the VLAN or range of VLANs on which to do the check; valid values are from 1 to 4094.
Defaults
Continuity check messages are disabled for all levels.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you do not specify a VLAN, this command starts or stops continuity-check messages for all VLANs at the maintenance level that you specify.
Examples
This example shows how to initialize the transmission of continuity-check messages for level 7 and applies to all VLANs in that level:
Console> (enable) set ethernet-cfm continuity-check enable level 7
Continuity Check for ME level 7 is enabled.
Console> (enable)
This example shows how to initialize the transmission of continuity-check messages for level 4 and applies to the VLAN range of 11-20:
Console> (enable) set ethernet-cfm continuity-check enable level 4 vlan 11-20
Continuity Check for ME level 4 in vlans 11-20 is enabled.
Console> (enable)
Related Commands
clear ethernet-cfm
set ethernet-cfm continuity-check level
To configure continuity-check message attributes for a specific level of the local Maintenance End Points (MEPs), use the set ethernet-cfm continuity-check level command.
set ethernet-cfm continuity-check level level vlan vlans interval interval-value [loss-threshold threshold]
Syntax Description
level | Maintenance level of the local MEPs; valid values are from 0 to 7.
vlan vlans | Specifies the VLAN or a range of VLANs on which to do the check; valid values are from 1 to 4094.
interval interval-value | Specifies the interval between continuity-check messages; valid values are 1, 2, and 3, where 1 is 10 seconds, 2 is 1 minute, and 3 is 10 minutes.
loss-threshold threshold | (Optional) Specifies the number of continuity-check messages that can be lost before the corresponding entry in the continuity-check database is cleaned up; valid values are from 0 to 10.
Defaults
The default settings are as follows:
interval-value: 1
threshold: 2 messages
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set ethernet-cfm continuity-check level command sets the broadcast attribute of the local MEPs.
To configure how often continuity-check messages are sent, use the interval-value argument.
You can enter the threshold argument to specify the message loss threshold. Whenever a continuity-check entry is aged out, a syslog message is generated indicating that the connection to the MPID may have issues.
Examples
This example shows how to configure continuity-check message attributes for a level of 5, a VLAN ID 11, an interval of 1 minute, and a loss threshold of three messages:
Console> (enable) set ethernet-cfm continuity-check level 5 vlan 11 interval 2 loss-threshold 3
CC Attributes set for level(s)5
Console> (enable)
Related Commands
clear ethernet-cfm
set ethernet-cfm continuity-check level ais
To configure the Alarm Indication Signal (AIS) attributes for all Maintenance End Points (MEPs) that belong to a specific Maintenance Association (MA) or service, use the set ethernet-cfm continuity-check level ais command.
set ethernet-cfm continuity-check level levels vlan vlans ais {enable | disable}
set ethernet-cfm continuity-check level levels vlan vlans ais level level
set ethernet-cfm continuity-check level levels vlan vlans ais alarm-suppress {enable | disable}
Syntax Description
levels | Maintenance level of the MEPs of an MA that transmit an AIS when an AIS message is received; valid values are from 0 to 7.
vlan vlans | Specifies the VLAN or a range of VLANs on which to do the check; valid values are from 1 to 4094.
enable | Enables AIS generation for all the MEPs of an MA.
disable | Disables AIS generation for all the MEPs of an MA.
level | AIS transmission level for all the MEPs of an MA; valid values are from 0 to 7.
ais alarm-suppress | Enables or disables alarm suppression for all MEPs of an MA when the MA's lifetime expires.
Defaults
The default settings are as follows:
The AIS is enabled.
The AIS level is 8.
The AIS alarm suppress is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set ethernet-cfm continuity-check level ais command sets the alarm indication signal attributes for all the MEPs of an MA. These attributes are configured per MA, in the same way as the continuity-check interval and loss-threshold attributes, to verify the integrity of transmitted data.
Examples
This example shows how to enable AIS generation for a level of 0 and VLAN ID 1000:
Console> (enable) set ethernet-cfm continuity-check level 0 vlan 1000 ais enable
CC Attributes set for level(s) 0.
This example shows how to disable AIS generation for a level of 0 and VLAN ID 1000:
Console> (enable) set ethernet-cfm continuity-check level 0 vlan 1000 ais disable
CC Attributes set for level(s) 0.
This example shows how to enable alarm suppression for a level of 0 and VLAN ID 1000:
Console> (enable) set ethernet-cfm continuity-check level 0 vlan 1000 ais alarm-suppress enable
CC Attributes set for level(s) 0.
This example shows how to configure the AIS level for the MEPs:
Console> (enable) set ethernet-cfm continuity-check level 5 vlan 5 ais level 6
CC Attributes set for vlan(s) 5 on level 5.
Related Commands
set ethernet-cfm continuity-check level
set ethernet-cfm domain
To create a maintenance domain and configure the maintenance level, use the set ethernet-cfm domain command.
set ethernet-cfm domain domain-name level level
Syntax Description
domain-name | Maintenance domain name.
level | Maintenance level; valid values are from 0 to 7.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to configure a maintenance domain named customerXYDomain with level 6:
Console> (enable) set ethernet-cfm domain customerXYDomain level 6
Created a Domain customerXYDomain at level 6.
Console> (enable)
Related Commands
clear ethernet-cfm
set ethernet-cfm earl-match-reg
To set the Enhanced Address Recognition Logic (EARL) redirection for Connectivity Fault Management (CFM) packets using EARL match registers, use the set ethernet-cfm earl-match-reg command.
set ethernet-cfm earl-match-reg {disable | enable}
Syntax Description
enable | Enables the EARL redirection for CFM packets on the switch.
disable | Disables the EARL redirection for CFM packets on the switch.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set ethernet-cfm earl-match-reg command is used to support the CFM functionality on the forwarding ports of the two match register modules. Since the CFM functionality is not supported on modules that have two match registers, MVRP and CFM cannot be configured together.
Before using this command, you should enable the CFM functionality globally on the switch. If you disable the CFM or disable this command, the EARL configuration for CFM MAC addresses will not change.
Examples
This example shows how to enable the EARL redirection of the CFM packets on the switch:
Console> (enable) set ethernet-cfm earl-match-reg enable
Earl redirection for CFM packets is enabled on the switch.
This example shows how to disable the EARL redirection of the CFM packets on the switch:
Console> (enable) set ethernet-cfm earl-match-reg disable
Earl redirection for CFM packets is disabled on the switch.
Console> (enable)
Related Commands
show ethernet-cfm earl-match-status
set ethernet-cfm maintenance-association
To configure the maintenance association within the maintenance domain, use the set ethernet-cfm maintenance-association command.
set ethernet-cfm maintenance-association ma-name-fmt fmt name | value domain domain-name vlan vlan_id [direction up | down]
Syntax Description
ma-name-fmt fmt name | value | Specifies the maintenance association format, name, and value used to construct the Maintenance Association Identifier (MAID).
domain domain-name | Specifies the name of the maintenance association domain.
vlan vlan_id | Specifies the VLAN identifier number. Range: 1 to 4094.
direction | (Optional) Specifies the direction of the service. The following are the attributes for this keyword:
    up: Specifies the direction of the service from the top.
    down: Specifies the direction of the service from the bottom.
Defaults
The direction is down (outward).
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Specifying a service direction as down (outward) allows you to create multiple outward services at the same level that contains an overlapping set of VLANs. The set of VLANs in an outward service can also overlap with inward services.
Examples
This example shows how to configure the maintenance association in a domain with a VLAN ID:
Console> (enable) set ethernet-cfm maintenance-association ma-name-fmt text customerXMA domain customerXYDomain vlan 1 direction up
Maintenance Association created successfully for vlan 1 in domain customerXYDomain
Console> (enable)
Related Commands
clear ethernet-cfm maintenance-association
show ethernet-cfm maintenance-association
set ethernet-cfm port-mac-enable
To configure a system CAM entry for a specified module and port number and a specific VLAN or VLANs, use the set ethernet-cfm port-mac-enable command.
set ethernet-cfm port-mac-enable mNo/pNo vlan vlans
Syntax Description
mNo/pNo | Module number and port number.
vlan vlans | Specifies the VLAN identifier. Range: 1 to 4094.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to configure a system CAM entry for module 2, port 14 and VLAN 10:
Console> (enable) set ethernet-cfm port-mac-enable 2/14 vlan 10
CAM table updated with entries for port(s) 2/14 vlan(s) 10
Related Commands
clear ethernet-cfm port-mac-enable
show ethernet-cfm port-mac-enable
set ethernet-cfm traceroute-database
To enable or disable caching of Ethernet Connectivity Fault Management (CFM) data entered using traceroute messages, use the set ethernet-cfm traceroute-database command.
set ethernet-cfm traceroute-database {enable | disable}
set ethernet-cfm traceroute-database hold-time hold_time
set ethernet-cfm traceroute-database size size
Syntax Description
disable | Disables caching of Ethernet CFM data.
enable | Enables caching of Ethernet CFM data.
hold-time hold_time | Specifies the time for retaining the entry in the traceroute database. The time varies from 1 to 2880 minutes.
size size | Specifies the size of the traceroute database. The size varies from 1 to 4095 entries.
Defaults
Caching is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable the caching of Ethernet CFM data:
Console> (enable) set ethernet-cfm traceroute-database enable
Ethernet TRDB Cache enabled
This example shows how to set the hold time of the traceroute database to 300:
Console> (enable) set ethernet-cfm traceroute-database hold-time 300
Ethernet TRDB hold-time is set to 300
This example shows how to set the size of the traceroute database to 300:
Console> (enable) set ethernet-cfm traceroute-database size 300
Ethernet TRDB size is set to 300
Console> (enable)
Related Commands
clear ethernet-cfm traceroute-database
show ethernet-cfm traceroute-database
set ethernet-evc
To create an Ethernet Virtual Connection (EVC) in the global configuration mode and configure various parameters associated with the EVC on a switch, use the set ethernet-evc command.
set ethernet-evc evc-id uni-count count [multipoint] domain name ma-name-fmt fmt ma-name ce-vlan any | vlan
Syntax Description
evc-id | EVC identifier.
uni-count count | (Optional) Specifies the number of endpoints (UNIs) associated with an EVC. Range: 2 to 1024. Default value: 2.
multipoint | (Optional) Specifies a multipoint service.
domain name | (Optional) Specifies the Connectivity Fault Management (CFM) maintenance association domain name.
ma-name-fmt fmt | Specifies the format in which the ma-name is entered. Valid values for the format are text, number, vlan, and vpn-id.
ma-name | Name of the maintenance association.
ce-vlan | Associates a CE-Vlan to an EVC. The following are the arguments for this keyword:
    any: Maps all the VLANs to an EVC.
    vlan: Used by untagged frames.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If the number of UNIs entered is 2, you should use the optional multipoint keyword to indicate a multipoint service.
If a port is associated to an EVC with any vlan mapping, no other EVC can be configured on that port. The CE-Vlan is matched against the S-Vlan from the CFM configuration for a multiplexed EVC. If there is a mismatch, the command is rejected and an error message is displayed.
An EVC with uni-count 2 is by default a point-to-point EVC.
Examples
These examples show how to configure various EVC parameters:
Console> (enable) set ethernet-evc EVC1 uni-count 3
Successfully created Multipoint-to-Multipoint EVC with id EVC1 and uni_count 3.
Console> (enable) set ethernet-evc EVC1 domain ELMI ma-name-fmt text CFM1
Successfully create EVC EVC1 and CFM service name CFM1.
Console> (enable) set ethernet-evc EVC1 ce-vlan 10
CE-Vlan 10 is successfully mapped to EVC1.
Related Commands
clear ethernet-evc
show ethernet-evc
set ethernet-lmi
To enable or disable the Ethernet Local Management Interface (ELMI) globally on a switch, use the set ethernet-lmi command.
set ethernet-lmi {enable | disable}
Syntax Description
enable | Enables ELMI globally on a switch.
disable | Disables ELMI globally on a switch.
Defaults
ELMI is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command stores the enable or disable setting in NVRAM.
Examples
This example shows how to enable ELMI globally on a switch:
Console> (enable) set ethernet-lmi enable
set fan-tray-version
To set the version for the fan tray in the chassis, use the set fan-tray-version command.
set fan-tray-version {1 | 2}
Syntax Description
1 | Specifies version 1 for a lower-powered fan tray.
2 | Specifies version 2 for a higher-powered fan tray.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set fan-tray-version command informs the software of the fan tray type so that the software can make the right cooling and power consumption adjustments for the chassis. The fan tray version is stored in the backplane IDPROM.
You must enter set fan-tray-version 2 before installing a higher-powered fan tray. You must enter set fan-tray-version 1 before downgrading to a lower-powered fan tray.
Use a higher-powered fan tray with a Supervisor Engine 720 with the 2500 W or 4000 W power supply.
Enter the show environment cooling command to display the fan tray version for the chassis.
Examples
This example shows how to set the fan tray version:
Console> (enable) set fan-tray-version 2
Programming successful for Chassis Serial EEPROM.
Fan tray version set to 2
Related Commands
show environment
set feature agg-link-partner
To enable or disable the aggressive link partner feature, use the set feature agg-link-partner command.
set feature agg-link-partner {enable | disable}
Syntax Description
enable | Enables the aggressive link partner feature.
disable | Disables the aggressive link partner feature.
Defaults
The aggressive link partner feature is disabled globally.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable this feature, you reduce the possibility of aggressive link partners causing excessive collisions. Excessive collisions can lead to excessive alignment errors and runts.
The aggressive link partner feature works only on half duplex 10/100 ports.
The set feature agg-link-partner command is a global command, so when you enable or disable this feature, it is enabled or disabled on all related modules in the chassis.
Examples
This example shows how to enable the aggressive link partner feature:
Console> (enable) set feature agg-link-partner enable
Aggressive link partner feature enabled.
This example shows how to disable the aggressive link partner feature:
Console> (enable) set feature agg-link-partner disable
Aggressive link partner feature disabled.
set feature mdg
To enable or disable the multiple default gateway feature, use the set feature mdg command.
set feature mdg {enable | disable}
Syntax Description
enable | Enables the multiple default gateway.
disable | Disables the multiple default gateway.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you enable the multiple default gateway feature, the Catalyst 6500 series switch pings the default gateways every 10 seconds to verify that the gateways are still available.
Examples
This example shows how to enable the multiple default gateway feature:
Console> (enable) set feature mdg enable
Multiple Gateway feature enabled.
This example shows how to disable the multiple default gateway feature:
Console> (enable) set feature mdg disable
Multiple Gateway feature disabled.
set firewall
To configure the parameters for a Firewall Services Module (FWSM), use the set firewall command.
set firewall multiple-vlan-interfaces {enable | disable}
Syntax Description
multiple-vlan-interfaces | Sets the multiple VLAN interface feature for an FWSM.
enable | Enables multiple VLAN interfaces for an FWSM.
disable | Disables multiple VLAN interfaces for an FWSM.
Defaults
The multiple VLAN interface feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Disabling the multiple VLAN interface feature sets the FWSM to single VLAN interface mode.
Examples
This example shows how to enable the multiple VLAN feature on a firewall module:
Console> (enable) set firewall multiple-vlan-interfaces enable
This command will enable multiple vlan feature for all firewall modules in the
chassis .Can result in traffic bypassing the firewall module
Do you want to continue (y/n) [n]?y
Multiple vlan feature enabled for firewall
This example shows how to disable the multiple VLAN feature on a firewall module:
Console> (enable) set firewall multiple-vlan-interfaces disable
This command will disable multiple vlan feature for all firewall modules in the chassis.
Do you want to continue (y/n) [n]?y
Multiple vlan feature disabled for firewalls. All layer 3 firewall vlan interfaces have
been brought down on MSFC
Please remove all the layer 3 firewall vlan interfaces from MSFC using no interface
command on MSFC.
Related Commands
show firewall
set ftp
To configure File Transfer Protocol (FTP) parameters, use the set ftp command.
set ftp username new_ftp_username
set ftp password new_ftp_password
set ftp mode passive {enable | disable}
Syntax Description
username | Specifies a username for FTP connections.
new_ftp_username | Username for FTP.
password | Specifies a password for FTP connections.
new_ftp_password | Password for FTP.
mode | Specifies the FTP mode.
passive | Specifies passive mode for FTP connections.
enable | Enables passive mode.
disable | Disables passive mode.
Defaults
The FTP mode is set to passive.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For security reasons, the new_ftp_password argument is not stored in NVRAM. The password is encrypted by using a proprietary encryption algorithm.
The FTP mode is passive. To clear the FTP passive mode, use the clear ftp passive command.
Examples
This example shows how to specify a username for FTP connections:
Console> (enable) set ftp username abc
This example shows how to specify a password for FTP connections:
Console> (enable) set ftp password mypassword
Enter password for User 'abc':
Retype password for User 'abc':
If the password is valid, then you can change and verify the new password.
This example shows how to disable FTP passive mode:
Console> (enable) set ftp mode passive disable
FTP Passive mode disabled.
Related Commands
clear ftp
show ftp
set garp timer
To adjust the values of the join, leave, and leaveall timers, use the set garp timer command.
set garp timer {timer_type} {timer_value}
Syntax Description
timer_type | Type of timer; valid values are join, leave, and leaveall.
timer_value | Timer values in milliseconds; valid values are from 1 to 2147483647 milliseconds.
Defaults
The defaults are as follows: the join timer is 200 milliseconds, the leave timer is 600 milliseconds, and the leaveall timer is 10000 milliseconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The modified timer values are applied to all General Attribute Registration Protocol (GARP) applications (for example, GMRP and GVRP) timer values.
You must maintain the following relationship for the various timer values:
• Leave time must be greater than or equal to three times the join time.
• Leaveall time must be greater than the leave time.
Caution
Set the same GARP application (for example, GMRP and GVRP) timer values on all Layer 2-connected devices. If the GARP timers are set differently on the Layer 2-connected devices, GARP applications will not operate successfully.
Examples
This example shows how to set the join timer value for all the ports on all the VLANs:
Console> (enable) set garp timer join 100
GMRP/GARP Join timer value is set to 100 milliseconds.
This example shows how to set the leave timer value for all the ports on all the VLANs:
Console> (enable) set garp timer leave 300
GMRP/GARP Leave timer value is set to 300 milliseconds.
Related Commands
set gmrp timer
set gvrp timer
show garp timer
set gmrp
To enable or disable GARP Multicast Registration Protocol (GMRP) on the switch in all VLANs on all ports, use the set gmrp command.
set gmrp {enable | disable}
Syntax Description
enable | Enables GMRP on the switch.
disable | Disables GMRP on the switch.
Defaults
The default is GMRP is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You cannot enable GMRP if IGMP snooping is already enabled.
Examples
This example shows how to enable GMRP on the switch:
Console> (enable) set gmrp enable
This example shows how to disable GMRP on the switch:
Console> (enable) set gmrp disable
This example shows the display if you try to enable GMRP on the switch with IGMP enabled:
Console> (enable) set gmrp enable
Disable IGMP to enable GMRP snooping feature.
Related Commands
show gmrp configuration
set gmrp fwdall
To enable or disable the Forward All feature on a specified port or module and port list, use the set gmrp fwdall command.
set gmrp fwdall {enable | disable} mod/port...
Syntax Description
enable | Enables GMRP Forward All on a specified port.
disable | Disables GMRP Forward All on a specified port.
mod/port... | Number of the module and the ports on the module.
Defaults
The default is the Forward All feature is disabled for all ports.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Forward All indicates that a port is interested in receiving all the traffic for all the multicast groups.
If the port is trunking, then this feature is applied to all the VLANs on that port.
Examples
This example shows how to enable GMRP Forward All on module 5, port 5:
Console> (enable) set gmrp fwdall enable 5/5
GMRP Forward All groups option enabled on port(s) 5/5.
This example shows how to disable the GMRP Forward All on module 3, port 2:
Console> (enable) set gmrp fwdall disable 3/2
GMRP Forward All groups option disabled on port(s) 3/2.
Related Commands
show gmrp configuration
set gmrp registration
To specify the GMRP registration type, use the set gmrp registration command.
set gmrp registration {normal | fixed | forbidden} mod/port...
Syntax Description
normal | Specifies dynamic GMRP multicast registration and deregistration on the port.
fixed | Specifies that the multicast groups currently registered on the switch are applied to the port, but any subsequent registrations or deregistrations do not affect the port. Any registered multicast groups on the port are not deregistered based on the GARP timers.
forbidden | Specifies that all GMRP multicasts are deregistered and prevents any further GMRP multicast registration on the port.
mod/port... | Number of the module and the ports on the module.
Defaults
The default is administrative control is normal.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must return the port to normal registration mode to deregister multicast groups on the port.
GMRP supports a total of 3072 multicast addresses for the whole switch.
Examples
This example shows how to set the registration type to fixed on module 3, port 3:
Console> (enable) set gmrp registration fixed 3/3
GMRP Registration is set to Fixed for port(s) 3/3.
This example shows how to set the registration type to forbidden on module 1, port 1:
Console> (enable) set gmrp registration forbidden 1/1
GMRP Registration is set to Forbidden for port(s) 1/1.
Related Commands
show gmrp configuration
set gmrp timer
To adjust the values of the join, leave, and leaveall timers, use the set gmrp timer command.
set gmrp timer {timer_type} {timer_value}
Syntax Description
timer_type | Type of timer; valid values are join, leave, and leaveall.
timer_value | Timer values in milliseconds; valid values are from 1 to 2147483647 milliseconds.
Defaults
The defaults are as follows: the join timer is 200 milliseconds, the leave timer is 600 milliseconds, and the leaveall timer is 10000 milliseconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must maintain the following relationship for the various timer values:
• Leave time must be greater than or equal to three times the join time.
• Leaveall time must be greater than the leave time.
Caution
Set the same GARP application (for example, GMRP and GVRP) timer values on all Layer 2-connected devices. If the GARP timers are set differently on the Layer 2-connected devices, GARP applications will not operate successfully.
Note
The modified timer values are applied to all GARP application (for example, GMRP and GVRP) timer values.
Examples
This example shows how to set the join timer value to 100 milliseconds for all the ports on all the VLANs:
Console> (enable) set gmrp timer join 100
GARP Join timer value is set to 100 milliseconds.
This example shows how to set the leave timer value to 300 milliseconds for all the ports on all the VLANs:
Console> (enable) set gmrp timer leave 300
GARP Leave timer value is set to 300 milliseconds.
This example shows how to set the leaveall timer value to 20000 milliseconds for all the ports on all the VLANs:
Console> (enable) set gmrp timer leaveall 20000
GARP LeaveAll timer value is set to 20000 milliseconds.
Related Commands
set garp timer
set gvrp timer
show gmrp timer
set gvrp
To enable or disable GARP VLAN Registration Protocol (GVRP) globally in the switch or on a per-port basis, use the set gvrp command.
set gvrp {enable | disable} [mod/port]
Syntax Description
enable | Enables GVRP on the switch.
disable | Disables GVRP on the switch.
mod/port | (Optional) Number of the module and port on the module.
Defaults
The default is GVRP is globally set to disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable VTP pruning, VTP pruning runs on all the GVRP-disabled trunks.
To run GVRP on a trunk, you need to enable GVRP both globally on the switch and individually on the trunk.
Examples
This example shows how to enable GVRP globally on the switch:
Console> (enable) set gvrp enable
This example shows how to disable GVRP:
Console> (enable) set gvrp disable
This example shows how to enable GVRP on module 2, port 1:
Console> (enable) set gvrp enable 2/1
GVRP enabled on port 2/1.
Related Commands
set garp timer
set gvrp timer
show gmrp timer
show gvrp configuration
set gvrp applicant
To specify whether or not a VLAN is declared out of blocking ports, use the set gvrp applicant command.
set gvrp applicant {normal | active} {mod/port...}
Syntax Description
normal | Disallows the declaration of any VLAN out of blocking ports.
active | Enforces the declaration of all active VLANs out of blocking ports.
mod/port... | Number of the module and the ports on the module.
Defaults
The default is GVRP applicant set to normal.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To run GVRP on a trunk, you need to enable GVRP both globally on the switch and individually on the trunk.
On a port connected to a device that does not support the per-VLAN mode of STP, the port state may continuously cycle from blocking to listening to learning, and back to blocking. To prevent this, you must enter the set gvrp applicant active mod/port... command on the port to send GVRP VLAN declarations when the port is in the STP blocking state.
Examples
This example shows how to enforce the declaration of all active VLANs out of specified blocking ports:
Console> (enable) set gvrp applicant active 4/2-3,4/9-10,4/12-24
Applicant was set to active on port(s) 4/2-3,4/9-10,4/12-24.
This example shows how to disallow the declaration of any VLAN out of specified blocking ports:
Console> (enable) set gvrp applicant normal 4/2-3,4/9-10,4/12-24
Applicant was set to normal on port(s) 4/2-3,4/9-10,4/12-24.
Related Commands
show gvrp configuration
set gvrp dynamic-vlan-creation
To enable or disable dynamic VLAN creation, use the set gvrp dynamic-vlan-creation command.
set gvrp dynamic-vlan-creation {enable | disable}
Syntax Description
enable | Enables dynamic VLAN creation.
disable | Disables dynamic VLAN creation.
Defaults
The default is dynamic VLAN creation is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can enable dynamic VLAN creation only when VTP is in transparent mode and no ISL trunks exist in the switch.
This feature is not allowed when there are 802.1Q trunks that are not configured with GVRP.
Examples
This example shows how to enable dynamic VLAN creation:
Console> (enable) set gvrp dynamic-vlan-creation enable
Dynamic VLAN creation enabled.
This example shows what happens if you try to enable dynamic VLAN creation and VTP is not in transparent mode:
Console> (enable) set gvrp dynamic-vlan-creation enable
VTP has to be in TRANSPARENT mode to enable this feature.
This example shows how to disable dynamic VLAN creation:
Console> (enable) set gvrp dynamic-vlan-creation disable
Dynamic VLAN creation disabled.
Related Commands
set vtp
show gvrp configuration
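Two of the entries above describe settings a defender would want to spot in a saved configuration: set firewall multiple-vlan-interfaces enable, which the switch itself warns can let traffic bypass the firewall module, and set gvrp dynamic-vlan-creation enable, which together with normal registration lets a GVRP trunk port create VLANs. The following audit script is an added example, not Cisco code and not part of this reference; it assumes a CatOS-style configuration snapshot with one set command per line and "#" section comments, and the sample snapshot, the rule names and the Finding type are constructed here.

```python
# Added example (not Cisco's code): audit a CatOS configuration snapshot for the
# settings this reference describes as risky. The snapshot format (one "set ..."
# line per command, "#" section comments) and the sample lines are constructed.

from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Finding:
    severity: str   # "high" or "medium" (labels chosen for this example)
    rule: str
    detail: str


def expand_ports(spec: str) -> List[str]:
    """Expand a CatOS mod/port list such as '4/2-3,4/9-10' into ['4/2','4/3','4/9','4/10']."""
    ports = []
    for item in spec.split(","):
        mod, rng = item.split("/")
        lo, _, hi = rng.partition("-")
        for p in range(int(lo), int(hi or lo) + 1):
            ports.append(f"{mod}/{p}")
    return ports


def audit_catos_config(config_text: str) -> List[Finding]:
    """Walk the snapshot once, track the relevant state, and report findings."""
    findings: List[Finding] = []
    gvrp_global = False
    dyn_vlan = False
    gvrp_ports: Set[str] = set()
    registration: Dict[str, str] = {}   # port -> normal|fixed|forbidden (default normal)
    igmp = gmrp = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue                      # section comments and non-commands
        words = line.split()
        if len(words) < 3:
            continue
        if words[1:4] == ["firewall", "multiple-vlan-interfaces", "enable"]:
            findings.append(Finding("high", "firewall-multiple-vlan-interfaces",
                "multiple VLAN interfaces enabled for all FWSMs; the switch warns this "
                "can result in traffic bypassing the firewall module"))
        elif words[1] == "gvrp":
            if words[2] in ("enable", "disable") and len(words) == 3:
                gvrp_global = words[2] == "enable"
            elif words[2] in ("enable", "disable") and len(words) == 4:
                for p in expand_ports(words[3]):
                    gvrp_ports.add(p) if words[2] == "enable" else gvrp_ports.discard(p)
            elif words[2] == "dynamic-vlan-creation" and len(words) == 4:
                dyn_vlan = words[3] == "enable"
            elif words[2] == "registration" and len(words) == 5:
                for p in expand_ports(words[4]):
                    registration[p] = words[3]
        elif words[1] == "igmp" and len(words) == 3 and words[2] in ("enable", "disable"):
            igmp = words[2] == "enable"
        elif words[1] == "gmrp" and len(words) == 3 and words[2] in ("enable", "disable"):
            gmrp = words[2] == "enable"

    if dyn_vlan:
        # Per the reference, a VLAN can be created through a GVRP trunk port only when
        # GVRP is enabled globally and on the port and the port's registration is normal.
        creators = ([p for p in sorted(gvrp_ports) if registration.get(p, "normal") == "normal"]
                    if gvrp_global else [])
        findings.append(Finding("medium", "gvrp-dynamic-vlan-creation",
            "dynamic VLAN creation enabled; GVRP trunk ports with normal registration "
            "can create VLANs: " + (", ".join(creators) or "none currently")))
    if igmp and gmrp:
        findings.append(Finding("medium", "igmp-gmrp-both-enabled",
            "IGMP snooping and GMRP both enabled; the reference states they are mutually exclusive"))
    return findings


# Constructed sample snapshot (not captured from a real switch).
SAMPLE_CONFIG = """\
#firewall
set firewall multiple-vlan-interfaces enable
#gvrp
set gvrp enable
set gvrp dynamic-vlan-creation enable
set gvrp enable 2/1,5/10
set gvrp registration normal 3/7
set gvrp registration fixed 5/10
set gvrp registration forbidden 5/2
#igmp
set igmp enable
set gmrp disable
"""

if __name__ == "__main__":
    for f in audit_catos_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On the sample snapshot the script reports the firewall setting and, for dynamic VLAN creation, names only port 2/1: port 5/10 is a GVRP port but has fixed registration, and port 3/7 has normal registration but GVRP was never enabled on it.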
set gvrp registration
To set the administrative control of an outbound port and apply it to all VLANs on the trunk, use the set gvrp registration command. GVRP registration commands are entered on a per-port basis.
set gvrp registration {normal | fixed | forbidden} mod/port...
Syntax Description
normal | Allows dynamic registering and deregistering of each VLAN (except VLAN 1) on the port.
fixed | Supports manual VLAN creation and registration, prevents VLAN deregistration, and registers all VLANs known to other ports.
forbidden | Specifies that all the VLANs (except VLAN 1) are statically deregistered from the port.
mod/port... | Number of the module and the ports on the module.
Defaults
The default administrative control is normal.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you set VLAN registration, you are communicating to the switch that the VLAN is interested in the users that are connecting to this port and that the VLAN's broadcast and multicast traffic is allowed to be sent to the port.
For static VLAN configuration, you should set the mod/port... control to fixed or forbidden if the mod/port... will not receive or process any GVRP message.
For each dynamically configured VLAN on a port, you should set the mod/port... control to normal (default), except for VLAN 1; GVRP registration mode for VLAN 1 is always fixed and is not configurable. VLAN 1 is always carried by 802.1Q trunks on which GVRP is enabled.
When GVRP is running, you can create a VLAN through a GVRP trunk port only if you enter the set gvrp dynamic-vlan-creation enable and the set gvrp registration normal commands.
Examples
This example shows how to set the administrative control to normal on module 3, port 7:
Console> (enable) set gvrp registration normal 3/7
Registrar Administrative Control set to normal on port 3/7.
This example shows how to set the administrative control to fixed on module 5, port 10:
Console> (enable) set gvrp registration fixed 5/10
Registrar Administrative Control set to fixed on Port 5/10.
This example shows how to set the administrative control to forbidden on module 5, port 2:
Console> (enable) set gvrp registration forbidden 5/2
Registrar Administrative Control set to forbidden on port 5/2.
Related Commands
show gvrp configuration
set gvrp timer
To adjust the values of the join, leave, and leaveall timers, use the set gvrp timer command.
set gvrp timer {timer_type} {timer_value}
Syntax Description
timer_type | Type of timer; valid values are join, leave, and leaveall.
timer_value | Timer values in milliseconds; valid values are from 1 to 2147483647 milliseconds.
Defaults
The defaults are as follows: the join timer is 200 milliseconds, the leave timer is 600 milliseconds, and the leaveall timer is 10000 milliseconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must maintain the following relationship for the various timer values:
• Leave time must be greater than or equal to three times the join time.
• Leaveall time must be greater than the leave time.
Caution
Set the same GARP application (for example, GMRP and GVRP) timer values on all Layer 2-connected devices. If the GARP timers are set differently on the Layer 2-connected devices, GARP applications will not operate successfully.
Note
The modified timer values are applied to all GARP application (for example, GMRP and GVRP) timer values.
Examples
This example shows how to set the join timer value to 100 milliseconds for all the ports on all the VLANs:
Console> (enable) set gvrp timer join 100
GVRP/GARP Join timer value is set to 100 milliseconds.
This example shows how to set the leave timer value to 300 milliseconds for all the ports on all the VLANs:
Console> (enable) set gvrp timer leave 300
GVRP/GARP Leave timer value is set to 300 milliseconds.
This example shows how to set the leaveall timer value to 20000 milliseconds for all the ports on all the VLANs:
Console> (enable) set gvrp timer leaveall 20000
GVRP/GARP LeaveAll timer value is set to 20000 milliseconds.
Related Commands
set garp timer
show gvrp configuration
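The set garp timer, set gmrp timer and set gvrp timer entries all impose the same two relationships (leave at least three times join, leaveall greater than leave) and the same caution that every Layer 2-connected device must carry identical values. The checker below is an added example, not Cisco code and not part of this reference: it applies a planned sequence of timer commands to the documented defaults, reports which relationship a resulting timer set would break, and compares the timer sets of several devices. The GarpTimers type, the function names and the device names are constructed for this example.

```python
# Added example (not Cisco's code): validate the GARP timer relationships documented
# for set garp timer / set gmrp timer / set gvrp timer before pushing them to switches.

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Defaults and range as stated in the command reference (milliseconds).
DEFAULT_TIMERS = {"join": 200, "leave": 600, "leaveall": 10000}
TIMER_MIN, TIMER_MAX = 1, 2147483647


@dataclass
class GarpTimers:
    join: int = DEFAULT_TIMERS["join"]
    leave: int = DEFAULT_TIMERS["leave"]
    leaveall: int = DEFAULT_TIMERS["leaveall"]


def apply_timer_command(timers: GarpTimers, command: str) -> GarpTimers:
    """Apply one 'set garp|gmrp|gvrp timer <type> <value>' line and return a new timer set.

    Raises ValueError for lines the reference would not accept: a different command,
    an unknown timer type, or a value outside 1..2147483647.
    """
    words = command.split()
    if (len(words) != 5 or words[0] != "set" or words[1] not in ("garp", "gmrp", "gvrp")
            or words[2] != "timer"):
        raise ValueError(f"not a GARP timer command: {command!r}")
    timer_type, raw_value = words[3], words[4]
    if timer_type not in DEFAULT_TIMERS:
        raise ValueError(f"unknown timer type {timer_type!r}")
    value = int(raw_value)
    if not TIMER_MIN <= value <= TIMER_MAX:
        raise ValueError(f"{timer_type} value {value} outside {TIMER_MIN}..{TIMER_MAX}")
    updated = GarpTimers(timers.join, timers.leave, timers.leaveall)
    setattr(updated, timer_type, value)
    return updated


def check_timer_relationship(timers: GarpTimers) -> List[str]:
    """Return the documented relationship rules that this timer set violates."""
    problems = []
    if timers.leave < 3 * timers.join:
        problems.append(f"leave ({timers.leave} ms) must be >= 3 x join ({3 * timers.join} ms)")
    if timers.leaveall <= timers.leave:
        problems.append(f"leaveall ({timers.leaveall} ms) must be > leave ({timers.leave} ms)")
    return problems


def evaluate(commands: List[str]) -> Tuple[GarpTimers, List[str]]:
    """Apply a command sequence to the defaults and check the resulting timer set."""
    timers = GarpTimers()
    for command in commands:
        timers = apply_timer_command(timers, command)
    return timers, check_timer_relationship(timers)


def check_peer_consistency(per_device: Dict[str, GarpTimers]) -> List[str]:
    """Name the devices whose timers differ from the first one listed (the Caution above)."""
    names = list(per_device)
    if not names:
        return []
    reference = per_device[names[0]]
    return [n for n in names[1:] if per_device[n] != reference]


if __name__ == "__main__":
    # The join/leave values used in the reference's own examples pass the check.
    timers, problems = evaluate(["set garp timer join 100", "set garp timer leave 300"])
    print(timers, problems or "ok")
    # Lowering leave without lowering join breaks the 3 x join rule.
    print(evaluate(["set gmrp timer leave 500"])[1])
```

The checker evaluates the final timer set of a whole sequence, so a planned change can be reviewed as one unit before any of its commands is typed on a switch.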
set igmp
To enable or disable Internet Group Management Protocol (IGMP) snooping on the switch, use the set igmp command.
set igmp {enable | disable}
Syntax Description
enable | Enables IGMP snooping on the switch.
disable | Disables IGMP snooping on the switch.
Defaults
The default is IGMP snooping is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
IGMP must be disabled to run GMRP.
If your system is configured with a Supervisor Engine 1, you must enable one of the multicast services (IGMP snooping or GMRP) on the switch in order to use IP MMLS.
Examples
This example shows how to enable IGMP snooping on the switch:
Console> (enable) set igmp enable
IGMP feature for IP multicast enabled
This example shows how to disable IGMP snooping on the switch:
Console> (enable) set igmp disable
IGMP Snooping is disabled.
This example shows the display if you try to enable IGMP snooping on the switch with GMRP enabled:
Console> (enable) set igmp enable
Disable GMRP to enable IGMP snooping feature.
Related Commands
clear igmp statistics
set rgmp
show igmp statistics
set igmp fastblock
To enable or disable the IGMP version 3 fast-block mechanism on the switch, use the set igmp fastblock command.
set igmp fastblock {enable | disable}
Syntax Description
enable | Enables the IGMP version 3 fast-block mechanism.
disable | Disables the IGMP version 3 fast-block mechanism.
Defaults
By default, the IGMP version 3 fast-block mechanism is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable the fast-block mechanism on the switch:
Console> (enable) set igmp fastblock enable
IGMP V3 fastblock enabled
This example shows how to disable the fast-block mechanism on the switch:
Console> (enable) set igmp fastblock disable
IGMP V3 fastblock disabled
Console> (enable)
Related Commands
set igmp v3-processing
show multicast v3-group
set igmp fastleave
To enable or disable Internet Group Management Protocol (IGMP) fastleave processing, use the set igmp fastleave command.
set igmp fastleave {enable | disable}
Syntax Description
enable | Enables IGMP fastleave processing.
disable | Disables IGMP fastleave processing.
Defaults
The default is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This command shows how to enable IGMP fastleave processing:
Console> (enable) set igmp fastleave enable
IGMP fastleave set to enable.
Warning: Can cause disconnectivity if there are more than one host joining the same group per access port.
This command shows how to disable IGMP fastleave processing:
Console> (enable) set igmp fastleave disable
IGMP fastleave set to disable.
Related Commands
clear igmp statistics
set igmp
show multicast protocols status
set igmp flooding
To activate or to prevent flooding of multicast traffic after the last host leaves a multicast group, enter the set igmp flooding command.
set igmp flooding {enable | disable}
Syntax Description
enable | Activates multicast flooding.
disable | Prevents multicast flooding.
Defaults
IGMP flooding is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
For more information about IGMP flooding, refer to the "Understanding How IGMP Snooping Works" section of the "Configuring Multicast Services" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
Examples
This example shows how to prevent the flooding of multicast traffic after the last host leaves a multicast group:
Console> (enable) set igmp flooding disable
This example shows how to enable the flooding of multicast traffic after the last host leaves a multicast group:
Console> (enable) set igmp flooding enable
IGMP Flooding enabled (default)
set igmp leave-query-type
To set the type of query to be sent when a port receives a leave message, use the set igmp leave-query-type command.
set igmp leave-query-type {mac-gen-query | general-query | auto-mode}
Syntax Description
mac-gen-query | Specifies sending a MAC-based general query on receiving a leave message.
general-query | Specifies sending a general query on receiving a leave message.
auto-mode | Specifies sending a group-specific query if no version 1 hosts are detected.
Defaults
By default, a MAC-based general query is sent when a port receives a leave message.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to send a MAC-based general query:
Console> (enable) set igmp leave-query-type mac-gen-query
This example shows how to send a general query:
Console> (enable) set igmp leave-query-type general-query
This example shows how to send a group-specific query if no version 1 hosts are detected:
Console> (enable) set igmp leave-query-type auto-mode
IGMP Leave Query Type set to Auto-Type
Related Commands
show igmp leave-query-type
set igmp mode
To set the IGMP snooping mode, use the set igmp mode command.
set igmp mode {igmp-only | igmp-cgmp | auto}
Syntax Description
igmp-only | Specifies IGMP snooping only.
igmp-cgmp | Specifies IGMP and CGMP modes.
auto | Overrides the dynamic switching of IGMP snooping modes.
Defaults
The default IGMP mode is auto.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The switch dynamically chooses either IGMP-only or IGMP-CGMP mode, depending on the traffic present on the network. IGMP-only mode is used in networks with no CGMP devices. IGMP-CGMP mode is used in networks with both IGMP and CGMP devices. Auto mode overrides the dynamic switching of the modes.
Examples
This example shows how to set the IGMP mode to IGMP-only:
Console> (enable) set igmp mode igmp-only
IGMP mode set to igmp-only
This example shows how to set the IGMP mode to auto:
Console> (enable) set igmp mode auto
Related Commands
show igmp mode
set igmp querier
To configure the IGMP querier for a specific VLAN, use the set igmp querier command.
set igmp querier {enable | disable} vlan
set igmp querier vlan {qi | oqi} seconds
set igmp querier address vlan ip_addr
Syntax Description
enable | Enables the IGMP querier for a VLAN.
disable | Disables the IGMP querier for a VLAN.
vlan | Number of the VLAN.
qi | Sets the querier interval for the VLAN.
oqi | Sets the other querier interval for the VLAN.
seconds | Range of the querier interval or the other querier interval in seconds; valid values are from 1 to 65535 seconds.
address | Sets the querier IP address for the VLAN.
ip_addr | IP address for the VLAN.
Defaults
IGMP querier is disabled.
The default value for qi is 125 seconds.
The default value for oqi is 300 seconds.
The default value for ip_addr is 0.0.0.0.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must enable IGMP querier on every VLAN for which switch querier functionality is required. In the absence of general queries, the oqi value is the amount of time a switch waits before electing itself as the querier.
Examples
This example shows how to enable the IGMP querier for VLAN 4001:
Console> (enable) set igmp querier enable 4001
IGMP switch querier enabled for VLAN 4001
This example shows how to set the querier interval to 130 seconds for VLAN 4001:
Console> (enable) set igmp querier 4001 qi 130
QI for VLAN 4001 set to 130 second(s)
Related Commands
show igmp querier information
set igmp v3-processing
To explicitly enable or disable IGMP version 3 snooping, use the set igmp v3-processing command.
set igmp v3-processing {enable | disable}
Syntax Description
enable | Enables IGMP version 3 snooping.
disable | Disables IGMP version 3 snooping.
Defaults
By default, IGMP version 3 snooping is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
IGMP version 3 is supported on Supervisor Engine 2 and Supervisor Engine 720. Supervisor Engine 1 and Supervisor Engine 1A do not support this feature.
If IGMP version 3 processing is disabled, any previous IGMP version 3 snooping entries are cleared. These IGMP version 3 entries are relearned as IGMP version 2 (GDA-based) entries after the switch receives an IGMP version 3 report. Any subsequent IGMP version 3 reports for other multicast sources or groups are also processed as IGMP version 2 reports.
When MMLS is enabled, IGMP version 3 processing works only in PIM SSM mode. If MMLS is disabled, IGMP version 3 reports are processed as IGMP version 2 reports. IGMP version 3 processing works independent of PIM mode when MMLS is enabled.
Examples
This example shows how to enable IGMP version 3 processing:
Console> (enable) set igmp v3-processing enable
IGMP V3 processing enabled
This example shows how to disable IGMP version 3 processing:
Console> (enable) set igmp v3-processing disable
IGMP V3 processing disabled
Console> (enable)
Related Commands
set igmp fastblock
show multicast v3-group
set image-verification
To ensure the integrity of a downloaded image, use the set image-verification command.
set image-verification [boot | copy | reset] {enable | disable}
Syntax Description
boot | (Optional) Specifies image verification at boot time.
copy | (Optional) Specifies image verification at copy time.
reset | (Optional) Specifies image verification at reset time.
enable | Enables image verification.
disable | Disables image verification.
Defaults
The image verification feature is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure the image verification feature to work when the system is booting, after the image has been copied, or before a system resets. If you enable or disable the image verification feature without specifying the boot keyword, the copy keyword, or the reset keyword, all three are enabled or disabled.
Examples
This example shows how to enable the image verification feature at reset time:
Console> (enable) set image-verification reset enable
This example shows how to disable the image verification feature at copy time:
Console> (enable) set image-verification copy disable
Related Commands
show image-verification
set inlinepower
To set inline power parameters, use the set inlinepower command.
set inlinepower defaultallocation value
set inlinepower notify-threshold value module mod
Syntax Description
defaultallocation | Sets the default power allocation per port.
value | Default power allocation; valid values are from 4000 to 15400 milliwatts.
notify-threshold | Sets the inline power usage notification threshold.
value | Percentage of power usage that sets off the threshold notification; valid values are from 1 to 99 percent.
module mod | Specifies the module.
Defaults
The default allocation value is 15400 milliwatts.
The notification threshold is 99 percent.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set inlinepower defaultallocation command is global and only affects Cisco IP phones.
Caution: The set inlinepower defaultallocation command can be harmful when there is not enough power in the system to bring up all connected inline power devices. If you set a small value for the power allocation, all connected inline power devices initially will be powered up. However, after receiving CDP messages, the system will learn that devices are consuming more power and deny power to some of the ports. Setting a small value might also result in the overdrawing of power for some time, with unanticipated results such as hardware failures and unexpected resets.
7000 milliwatts is the maximum power supported for these modules: WS-X6148-RJ21V, WS-X6148-RJ45V, WS-X6348-RJ21V, and WS-X6348-RJ45V.
The inline power threshold notification generates a syslog message when inline power usage exceeds the specified threshold.
Examples
This example shows how to set the default power allocation to 9500 milliwatts:
Console> (enable) set inlinepower defaultallocation 9500
Default inline power allocation set to 9500 mWatt per applicable port.
This example shows how to set the threshold for the inline power usage notification:
Console> (enable) set inlinepower notify-threshold 40 module 4
Module 4 inlinepower notify-threshold is set to 40%.
Related Commands
set port inlinepower
show environment
show inlinepower
show port inlinepower
set interface
To configure the in-band and Serial Line Internet Protocol (SLIP) interfaces on the switch, use the set interface command.
set interface {sc0 | sl0 | sc1} {up | down}
set interface sl0 slip_addr dest_addr
set interface sc0 [vlan] [ip_addr[netmask [broadcast]]]
set interface sc0 [vlan] [ip_addr/netmask [broadcast]]
set interface sc0 dhcp {renew | release}
set interface sc1 [vlan] [ip_addr[netmask [broadcast]]]
set interface sc1 [vlan] [ip_addr/netmask [broadcast]]
Syntax Description
sc0 | Specifies the sc0 in-band interface.
sl0 | Specifies the SLIP interface.
sc1 | Specifies the sc1 in-band interface.
up | Brings the interface into operation.
down | Brings the interface out of operation.
slip_addr | IP address of the console port.
dest_addr | IP address of the host to which the console port will be connected.
vlan | (Optional) Number of the VLAN to be assigned to the interface; valid values are from 1 to 4094.
ip_addr | (Optional) IP address.
/netmask | (Optional) Subnet mask.
broadcast | (Optional) Broadcast address.
dhcp | Performs Dynamic Host Configuration Protocol (DHCP) operations on the sc0 interface.
renew | Renews the lease on a DHCP-learned IP address.
release | Releases a DHCP-learned IP address back to the DHCP IP address pool.
Defaults
The default configuration is the in-band interface (sc0) in VLAN 1 with the IP address, subnet mask, and broadcast address set to 0.0.0.0. The default configuration for the SLIP interface (sl0) is that the IP address and broadcast address are set to 0.0.0.0.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set interface sc0 dhcp command is valid only when the address is learned from the DHCP server, and it is available in privileged mode only.
Two configurable network interfaces are on a Catalyst 6500 series switch: in-band (sc0) and SLIP (sl0). Configuring the sc0 interface with an IP address and subnet mask allows you to access the switch CLI using Telnet from a remote host. You should assign the sc0 interface to an active VLAN configured on the switch (the default is VLAN 1). Make sure the IP address you assign is in the same subnet as other stations in that VLAN.
Configuring the sl0 interface with an IP address and destination address allows you to make a point-to-point connection to a host through the console port. Use the slip attach command to activate SLIP on the console port (you will not be able to access the CLI using a terminal connected to the console port until you use the slip detach command to deactivate SLIP on the console port).
When you specify the netmask value, this indicates the number of bits allocated to subnetting in the host ID section of the given Class A, B, or C address. For example, if you enter an IP address for the sc0 interface as 172.22.20.7, this Class B address has 16 host ID bits.
If you enter the netmask value as a length in bits, for example, 204.20.22.7/24, the valid range for the length is from 0 to 31 bits. If you do not enter the netmask value, the number of bits is assumed to be the natural netmask.
Examples
This example shows how to use set interface sc0 and set interface sl0 from the console port. It also shows how to bring down interface sc0 using a terminal connected to the console port:
Console> (enable) set interface sc0 192.20.11.44/255.255.255.0
Interface sc0 IP address and netmask set.
Console> (enable) set interface sl0 192.200.10.45 192.200.10.103
Interface sl0 SLIP and destination address set.
Console> (enable) set interface sc0 down
Interface sc0 administratively down.
This example shows how to set the IP address for sc0 through a Telnet session. Note that the default netmask for that IP address class is used (for example, a Class C address uses 255.255.255.0, and a Class B uses 255.255.0.0):
Console> (enable) set interface sc0 192.200.11.40
This command may disconnect active telnet sessions.
Do you want to continue (y/n) [n]? y
Interface sc0 IP address set.
This example shows how to take the interface out of operation through a Telnet session:
Console> (enable) set interface sc0 down
This command will inactivate telnet sessions.
Do you want to continue (y/n) [n]? y
Interface sc0 administratively down.
This example shows how to assign the sc0 interface to a particular VLAN:
Console> (enable) set interface sc0 5
This example shows what happens when you assign the sc0 interface to a nonactive VLAN:
Console> (enable) set interface sc0 200
Vlan is not active, user needs to set vlan 200 active
This example shows how to release a DHCP-learned IP address back to the DHCP IP address pool:
Console> (enable) set interface sc0 dhcp release
Releasing IP address...Done
This example shows how to renew a lease on a DHCP-learned IP address:
Console> (enable) set interface sc0 dhcp renew
Renewing IP address...Done
This example shows how to set the IP address for sc1 from the console port:
Console> (enable) set interface sc1 10.6.33.15 255.255.255.0
Interface sc1 IP address and netmask set.
Related Commands
show interface
slip
set ip alias
To add aliases of IP addresses, use the set ip alias command.
set ip alias name ip_addr
Syntax Description
name | Name of the alias being defined.
ip_addr | IP address of the alias being defined.
Defaults
The default configuration is one IP alias (0.0.0.0) configured as the default.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to define an IP alias of mercury for IP address 192.122.174.234:
Console> (enable) set ip alias mercury 192.122.174.234
Related Commands
clear ip alias
show ip alias
set ip device-tracking
To enable or disable IP device tracking, use the set ip device-tracking command. To set the IP device-tracking probe interval, use the set ip device-tracking probe interval command. To set the IP device-tracking probe count, use the set ip device-tracking probe count command.
set ip device-tracking {enable | disable}
set ip device-tracking probe interval interval
set ip device-tracking probe count count
Syntax Description
enable | Enables device tracking.
disable | Disables device tracking.
probe interval interval | Sets the interval between successive ARP packet transmissions.
probe count count | Sets the number of ARP probes sent when the idle timer expires.
Defaults
The default for device tracking is enabled. The default probe interval is 30 seconds.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable device tracking:
Console> (debug-eng) set ip device-tracking enable
Successfully enabled device tracking
This example shows how to disable device tracking:
Console> (debug-eng) set ip device-tracking disable
Successfully disabled device tracking
This example shows how to set the device tracking probe interval:
Console> (enable) set ip device-tracking probe interval 60
Device tracking probe interval set to 60 secs
This example shows how to set the device tracking probe count to 3:
Console> (enable) set ip device-tracking probe count 3
Device tracking probe count set to 3
Related Commands
show ip device-tracking
set ip dns
To enable or disable DNS, use the set ip dns command.
set ip dns {enable | disable}
Syntax Description
enable | Enables DNS.
disable | Disables DNS.
Defaults
By default, DNS is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable DNS:
Console> (enable) set ip dns enable
This example shows how to disable DNS:
Console> (enable) set ip dns disable
Related Commands
show ip dns
set ip dns domain
To set the default DNS domain name, use the set ip dns domain command.
set ip dns domain name
Syntax Description
name | Default DNS domain name.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you specify a domain name on the command line, the system attempts to resolve the host name as entered. If the system cannot resolve the host name as entered, it appends the default DNS domain name as defined with the set ip dns domain command. If you specify a domain name with a trailing dot, the program considers this to be an absolute domain name.
Examples
This example shows how to set the default DNS domain name:
Console> (enable) set ip dns domain yow.com
DNS domain name set to yow.com.
Related Commands
clear ip dns domain
show ip dns
set ip dns server
To set the IP address of a Domain Name System (DNS) server, use the set ip dns server command.
set ip dns server ip_addr [primary]
Syntax Description
ip_addr | IP address of the DNS server.
primary | (Optional) Configures a DNS server as the primary server.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure up to three DNS name servers as backup. You can also configure any DNS server as the primary server. The primary server is queried first. If the primary server fails, the backup servers are queried.
If DNS is disabled, you must use the IP address with all commands that require explicit IP addresses or manually define an alias for that address. The alias has priority over DNS.
Examples
These examples show how to set the IP address of a DNS server:
Console> (enable) set ip dns server 198.92.30.32
198.92.30.32 added to DNS server table as primary server.
Console> (enable) set ip dns server 171.69.2.132 primary
171.69.2.132 added to DNS server table as primary server.
Console> (enable) set ip dns server 171.69.2.143 primary
171.69.2.143 added to DNS server table as primary server.
This example shows what happens if you enter more than three DNS name servers as backup:
Console> (enable) set ip dns server 161.44.128.70
DNS server table is full. 161.44.128.70 not added to DNS server table.
Related Commands
clear ip dns server
show ip dns
set ip fragmentation
To enable or disable the fragmentation of IP packets bridged between FDDI and Ethernet networks, use the set ip fragmentation command.
set ip fragmentation {enable | disable}
Syntax Description
enable | Permits fragmentation for IP packets bridged between FDDI and Ethernet networks.
disable | Disables fragmentation for IP packets bridged between FDDI and Ethernet networks.
Defaults
By default, IP fragmentation is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If IP fragmentation is disabled, packets are dropped.
Note that FDDI and Ethernet networks have different maximum transmission units (MTUs).
Examples
This example shows how to disable IP fragmentation:
Console> (enable) set ip fragmentation disable
Bridge IP fragmentation disabled.
Related Commands
show ip route
set ip http port
To configure the TCP port number for the HyperText Transfer Protocol (HTTP) server, use the set ip http port command.
set ip http port {default | port-number}
Syntax Description
default | Specifies the default HTTP server port number (80).
port-number | Number of the TCP port for the HTTP server; valid values are from 1 to 65535.
Defaults
The default TCP port number is 80.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to set the IP HTTP port default:
Console> (enable) set ip http port default
HTTP TCP port number is set to 80.
This example shows how to set the IP HTTP port number:
Console> (enable) set ip http port 2398
HTTP TCP port number is set to 2398.
Related Commands
set ip http server
show ip http
set ip http server
To enable or disable the HTTP server, use the set ip http server command.
set ip http server {enable | disable}
Syntax Description
enable | Enables the HTTP server.
disable | Disables the HTTP server.
Defaults
By default, the HTTP server is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable the HTTP server:
Console> (enable) set ip http server enable
This example shows the system response when the HTTP server-enabled command is not supported:
Console> (enable) set ip http server enable
This example shows how to disable the HTTP server:
Console> (enable) set ip http server disable
Related Commands
set ip http port
show ip http
set ip permit
To enable or disable the IP permit list and to specify IP addresses to be added to the IP permit list, use the set ip permit command.
set ip permit {enable | disable}
set ip permit {enable | disable} [telnet | ssh | snmp]
set ip permit addr [mask] [telnet | ssh | snmp | all]
Syntax Description
enable | Enables the IP permit list.
disable | Disables the IP permit list.
telnet | (Optional) Specifies the Telnet IP permit list.
ssh | (Optional) Specifies the SSH IP permit list.
snmp | (Optional) Specifies the SNMP IP permit list.
addr | IP address to be added to the IP permit list. An IP alias or host name that can be resolved through DNS can also be used.
mask | (Optional) Subnet mask of the specified IP address.
all | (Optional) Specifies that the address is added to all IP permit lists (Telnet, SSH, and SNMP).
Defaults
By default, the IP permit list is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can achieve the same functionality of the IP permit list by using VLAN access control lists (VACLs). VACLs are handled by hardware (PFC), and the processing is considerably faster. For VACL configuration information, refer to the Catalyst 6500 Series Software Configuration Guide.
You can configure up to 100 entries in the permit list. If you enable the IP permit list, but the permit list has no entries configured, a caution displays on the screen.
Make sure you enter the entire disable keyword when entering the set ip permit disable command. If you abbreviate the keyword, the abbreviation is interpreted as a host name to add to the IP permit list.
If you do not specify the snmp, ssh, telnet, or all keyword, the IP address is added to both the SNMP and Telnet permit lists.
You enter the mask in dotted decimal format, for example, 255.255.0.0.
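The permit-list rules in these guidelines (separate Telnet, SSH and SNMP lists, no keyword meaning the SNMP and Telnet lists, the 100-entry limit, the caution for an empty list, and an abbreviated disable being stored as a host name), modelled in Python as an added example. This is not switch code: the class, method names and messages are my own constructions, and the switch's real output text differs.

```python
# Added example (not CatOS code): a model of the IP permit list semantics in the
# usage guidelines.  Class, method names and messages are constructed for this
# illustration; the switch's own output text differs.
import ipaddress

SERVICES = ("telnet", "ssh", "snmp")
MAX_ENTRIES = 100                                  # limit stated in the guidelines
DEFAULT_SCOPE = frozenset({"snmp", "telnet"})      # no keyword: SNMP and Telnet lists
HOST_MASK = 0xFFFFFFFF                             # no mask given: exact host match


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


class IpPermitList:
    def __init__(self):
        self.enabled = {s: False for s in SERVICES}  # default: permit list disabled
        self.entries = []   # (address or host name, mask as int, frozenset of services)

    def command(self, args: str) -> str:
        """Process the words after 'set ip permit' the way the guidelines describe."""
        words = args.split()
        head, rest = words[0], words[1:]
        # Only the complete keyword toggles the list; an abbreviation such as "dis"
        # falls through to add() and is stored as a host name, the pitfall the page warns about.
        if head in ("enable", "disable"):
            scope = frozenset(rest) if rest else frozenset(SERVICES)
            for service in scope:
                self.enabled[service] = head == "enable"
            message = f"{', '.join(sorted(scope))} permit list {head}d"
            if head == "enable" and not self.entries:
                message += " (caution: the permit list has no entries)"
            return message
        return self.add(head, rest)

    def add(self, addr: str, rest) -> str:
        """Add addr [mask] [telnet | ssh | snmp | all]; addr may be a host name or alias."""
        if len(self.entries) >= MAX_ENTRIES:
            return f"IP permit list is full. {addr} not added."
        mask, scope = HOST_MASK, DEFAULT_SCOPE
        for word in rest:
            if word == "all":
                scope = frozenset(SERVICES)
            elif word in SERVICES:
                scope = frozenset({word})
            else:
                mask = _to_int(word)               # dotted-decimal mask, e.g. 255.255.0.0
        self.entries.append((addr, mask, scope))
        return f"{addr} added to {'/'.join(sorted(scope))} permit list."

    def is_permitted(self, src_ip: str, service: str) -> bool:
        """Would a connection from src_ip to this service pass the permit list?"""
        if not self.enabled[service]:
            return True                            # list disabled: nothing is filtered
        src = _to_int(src_ip)
        for addr, mask, scope in self.entries:
            if service not in scope:
                continue
            try:
                net = _to_int(addr)
            except ipaddress.AddressValueError:
                continue                           # host-name entry: DNS lookup not modelled
            if src & mask == net & mask:
                return True
        return False

    def host_entries(self):
        """Entries that are names rather than addresses (shows what 'dis' turned into)."""
        names = []
        for addr, _, _ in self.entries:
            try:
                _to_int(addr)
            except ipaddress.AddressValueError:
                names.append(addr)
        return names
```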
Examples
This example shows how to add an IP address to the IP permit list:
Console> (enable) set ip permit 192.168.255.255
192.168.255.255 added to IP permit list.
This example shows how to add an IP address using an IP alias or host name to both the SNMP and Telnet permit lists:
Console> (enable) set ip permit batboy
batboy added to IP permit list.
This example shows how to add a subnet mask of the IP address to both the SNMP and Telnet permit lists:
Console> (enable) set ip permit 192.168.255.255 255.255.192.0
192.168.255.255 with mask 255.255.192.0 added to IP permit list.
This example shows how to add an IP address to the Telnet IP permit list:
Console> (enable) set ip permit 172.16.0.0 255.255.0.0 telnet
172.16.0.0 with mask 255.255.0.0 added to telnet permit list.
This example shows how to add an IP address to the SNMP IP permit list:
Console> (enable) set ip permit 172.20.52.32 255.255.255.224 snmp
172.20.52.32 with mask 255.255.255.224 added to snmp permit list.
This example shows how to add an IP address to all IP permit lists:
Console> (enable) set ip permit 172.20.52.3 all
172.20.52.3 added to IP permit list.
This example shows how to enable the IP permit list:
Console> (enable) set ip permit enable
Telnet, Snmp and Ssh permit list enabled
This example shows how to disable the IP permit list:
Console> (enable) set ip permit disable
Telnet, Snmp and Ssh permit list disabled.
This example shows how to enable a specific IP permit list type:
Console> (enable) set ip permit enable ssh
Related Commands
clear ip permit
show ip permit
set ip redirect
To enable or disable ICMP redirect messages on the Catalyst 6500 series switches, use the set ip redirect command.
set ip redirect {enable | disable}
Syntax Description
enable | Permits ICMP redirect messages to be returned to the source host.
disable | Prevents ICMP redirect messages from being returned to the source host.
Defaults
By default, ICMP redirect messages are enabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to deactivate ICMP redirect messages:
Console> (enable) set ip redirect disable
ICMP redirect messages disabled.
Related Commands
show ip route
show netstat
set ip route
To add IP addresses or aliases to the IP routing table, use the set ip route command.
set ip route {destination}[/netmask] {gateway} [metric] [primary]
Syntax Description
destination | IP address, IP alias of the network, or specific host to be added. Use default as the destination to set the new entry as the default route.
/netmask | (Optional) Number of bits in netmask or dot format (for example, 172.20.22.7/24 or 172.20.22.7/255.255.255.0).
gateway | IP address or IP alias of the router.
metric | (Optional) Value used to indicate the number of hops between the switch and the gateway.
primary | (Optional) Used with the multiple IP gateways feature to specify the default IP gateway with the highest priority.
Defaults
The default configuration routes the local network through the sc0 interface with metric 0 as soon as sc0 is configured.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can configure up to three default gateways. The primary is the highest priority. If you do not designate a primary gateway, priority is based on the order of input. If you enter two primary definitions, the second definition becomes the primary and the first definition becomes the secondary default IP gateway.
You can only specify the primary keyword for a default route.
When you enter the destination value or gateway value, enter it in dot notation, for example, a.b.c.d.
When you specify the netmask value, this indicates the number of bits allocated to subnetting in the host ID section of the given Class A, B, or C address. For example, if you enter an IP address for the sc0 interface as 172.22.20.7, the host ID bits for this Class B address is 16. Any number of bits in the host ID bits can be allocated to the netmask field. If you do not enter the netmask value, the number of bits is assumed to be the natural netmask.
When you enter the netmask, enter it as the number of bits or dot format, for example, destination/24 or destination/255.255.255.0. If you enter the netmask in dot format, you must have contiguous 1s.
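The netmask rules stated here and in the set interface sc0 usage guidelines (natural classful netmask when none is entered, a bit length of 0 to 31, a dotted mask that must have contiguous 1s, and the sc0 requirement that the address share a subnet with the other stations in the VLAN), carried out in Python as an added example that is not CatOS code; the function names are my own.

```python
# Added example (not CatOS code): the netmask rules given for set interface sc0
# and set ip route.  Function names are assumptions made for this illustration.
import ipaddress


def natural_netmask(ip: str) -> str:
    """Classful ("natural") netmask the switch assumes when no netmask is entered."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        bits = 8        # Class A: 24 host ID bits
    elif first_octet < 192:
        bits = 16       # Class B: 16 host ID bits (the page's 172.22.20.7 case)
    elif first_octet < 224:
        bits = 24       # Class C: 8 host ID bits
    else:
        raise ValueError(f"{ip}: class D/E address has no natural netmask")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)


def mask_is_contiguous(mask: str) -> bool:
    """A dotted netmask is valid only if its 1 bits are contiguous (no 0 before a 1)."""
    return "01" not in f"{int(ipaddress.IPv4Address(mask)):032b}"


def parse_prefix(spec: str):
    """Parse 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d/m.m.m.m' -> (ip, dotted mask, prefix length).

    Raises ValueError for a malformed address, a bit length outside 0 to 31, or a
    non-contiguous dotted mask.
    """
    ip, slash, mask = spec.partition("/")
    ipaddress.IPv4Address(ip)                     # validates the address part
    if not slash:
        mask = natural_netmask(ip)                # no netmask: natural netmask assumed
    elif mask.isdigit():
        length = int(mask)
        if not 0 <= length <= 31:
            raise ValueError(f"{spec}: netmask length must be 0 to 31 bits")
        mask = str(ipaddress.IPv4Network(f"0.0.0.0/{length}").netmask)
    else:
        ipaddress.IPv4Address(mask)               # validates the dotted mask
        if not mask_is_contiguous(mask):
            raise ValueError(f"{spec}: netmask must have contiguous 1s")
    prefix_len = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ip, mask, prefix_len


def is_valid_prefix(spec: str) -> bool:
    """True if the address/netmask spelling passes the rules above."""
    try:
        parse_prefix(spec)
        return True
    except ValueError:
        return False


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Check that two stations share a subnet, as the sc0 guidelines require."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(ip_a)) & m == int(ipaddress.IPv4Address(ip_b)) & m


if __name__ == "__main__":
    for spec in ("172.22.20.7", "204.20.22.7/24", "172.20.22.7/255.255.255.0", "1.2.3.4/32"):
        print(spec, "->", parse_prefix(spec) if is_valid_prefix(spec) else "rejected")
```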
Examples
These examples show how to add three default routes to the IP routing table, checking after each addition using the show ip route command:
Console> (enable) set ip route default 192.122.173.42 1 primary
Console> (enable) show ip route
Fragmentation Redirect Unreachable
------------- -------- -----------
Destination Gateway Flags Use Interface
--------------- --------------- ------ ---------- ---------
default 192.122.173.42 UG 59444 sc0
192.22.74.0 192.22.74.223 U 5 sc0
Console> (enable) set ip route default 192.122.173.43 1
Console> (enable) show ip route
Fragmentation Redirect Unreachable
------------- -------- -----------
Destination Gateway Flags Use Interface
--------------- --------------- ------ ---------- ---------
default 192.122.173.43 UG 59444 sc0
default 192.122.173.42 UG 59444 sc0
192.22.74.0 192.22.74.223 U 5 sc0
Console> (enable) set ip route default 192.122.173.44 1
Console> (enable) show ip route
Fragmentation Redirect Unreachable
------------- -------- -----------
Destination Gateway Flags Use Interface
--------------- --------------- ------ ---------- ---------
default 192.122.173.44 UG 59444 sc0
default 192.122.173.43 UG 59444 sc0
default 192.122.173.42 UG 59444 sc0
192.22.74.0 192.22.74.223 U 5 sc0
Related Commands
clear ip route
show ip route
set ip telnet server
To enable or disable the Telnet server, use the set ip telnet server command.
set ip telnet server {enable | disable}
Syntax Description
enable | Enables the Telnet server.
disable | Disables the Telnet server.
Defaults
The Telnet server is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to enable the Telnet server:
Console> (enable) set ip telnet server enable
2005 Aug 23 08:12:20 %SYS-5-TELNET_STARTED:Telnet Daemon Started
Related Commands
show ip telnet
set ip unreachable
To enable or disable ICMP unreachable messages on the Catalyst 6500 series switch, use the set ip unreachable command.
set ip unreachable {enable | disable}
Syntax Description
enable | Allows IP unreachable messages to be returned to the source host.
disable | Prevents IP unreachable messages from being returned to the source host.
Defaults
By default, ICMP unreachable messages are enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable ICMP unreachable messages, the switch returns an ICMP unreachable message to the source host whenever it receives an IP datagram that it cannot deliver. When you disable ICMP unreachable messages, the switch does not notify the source host when it receives an IP datagram that it cannot deliver.
For example, a switch has the ICMP unreachable message function enabled and IP fragmentation disabled. If an FDDI frame is received and needs to be transmitted to an Ethernet port, the switch cannot fragment the packet. The switch drops the packet and returns an IP unreachable message to the Internet source host.
Examples
This example shows how to disable ICMP unreachable messages:
Console> (enable) set ip unreachable disable
ICMP Unreachable message disabled.
Related Commands
show ip route
set kerberos clients mandatory
To make Kerberos authentication mandatory for authenticating to services on the network, use the set kerberos clients mandatory command.
set kerberos clients mandatory
Syntax Description
This command has no arguments or keywords.
Defaults
The default is Kerberos clients are not set to mandatory.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
As an added layer of security, you can optionally configure the switch so that after users authenticate to it, they can authenticate to other services on the network only with Kerberos clients. If Kerberos authentication is not mandatory and the Kerberos exchange fails, the application falls back to the default authentication method for that network service; Telnet, for example, prompts for a password, which is then sent without Kerberos protection. Making Kerberos mandatory removes that fallback.
Examples
This example shows how to make Kerberos authentication mandatory:
Console> (enable) set kerberos clients mandatory
Kerberos clients set to mandatory
Related Commands
clear kerberos clients mandatory
set kerberos credentials forward
show kerberos
set kerberos credentials forward
To configure clients to forward users' credentials as they connect to other hosts in the Kerberos realm, use the set kerberos credentials forward command.
set kerberos credentials forward
Syntax Description
This command has no arguments or keywords.
Defaults
Credentials forwarding is disabled by default.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
A user authenticated to a Kerberized switch has a ticket granting ticket (TGT) and can use it to authenticate to a host on the network. However, if forwarding is not enabled and a user tries to list credentials after authenticating to a host, the output will show no Kerberos credentials present.
You can optionally configure the switch to forward user TGTs as they authenticate from the switch to Kerberized remote hosts on the network by using Kerberized Telnet. A forwarded TGT lets the remote host obtain service tickets in the user's name, so enable forwarding only when the remote hosts in the realm are trusted to hold user credentials.
Examples
This example shows how to enable Kerberos credentials forwarding:
Console> (enable) set kerberos credentials forward
Kerberos credentials forwarding enabled
Related Commands
set kerberos clients mandatory
set kerberos local-realm
show kerberos
set kerberos local-realm
To configure a switch to authenticate users defined in the Kerberos database, use the set kerberos local-realm command.
set kerberos local-realm kerberos_realm
Syntax Description
kerberos_realm | IP address or name (in uppercase characters) of the Kerberos realm.
Defaults
The default value is a NULL string.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To authenticate a user defined in the Kerberos database, you must configure the switch to know the host name or IP address of the host running the KDC and the name of the Kerberos realm.
You must enter the Kerberos realm name in all uppercase characters.
Examples
This example shows how to set a default Kerberos local realm for the switch:
Console> (enable) set kerberos local-realm CISCO.COM
Kerberos local realm for this switch set to CISCO.COM.
Related Commands
clear kerberos realm
set kerberos realm
show kerberos
set kerberos realm
To map the name of a Kerberos realm to a DNS domain name or a host name, use the set kerberos realm command.
set kerberos realm {dns_domain | host} kerberos_realm
Syntax Description
dns_domain | DNS domain name to map to the Kerberos realm.
host | IP address or name of the host to map to the Kerberos realm.
kerberos_realm | IP address or name of the Kerberos realm.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can map the name of the Kerberos realm to a DNS domain name or a host name by entering the set kerberos realm command. The information entered with this command is stored in a table with one entry for each Kerberos realm. The maximum number of entries in the table is 100.
You must enter Kerberos realms in uppercase characters.
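The mapping table this command builds is easiest to understand as a lookup: given a host the user is connecting to, which realm holds its service principal? The following Python is an added example, not CatOS code and not from this manual. It models the table with the two properties the page states (one entry per realm keyed by DNS domain or host, upper-case realm names, a 100-entry limit). The lookup precedence it uses, exact host match first and then the longest matching parent DNS domain, is the standard krb5 domain_realm behaviour; the switch's own precedence is not stated on the page and is an assumption here. The `local_realm` fallback mirrors set kerberos local-realm.

```python
"""Host-to-realm lookup over a `set kerberos realm` style table (added example)."""

MAX_ENTRIES = 100  # table limit stated in the command reference


class RealmTable:
    def __init__(self):
        self.dns = {}   # dns_domain (lower-case, no leading dot) -> REALM
        self.host = {}  # host name or IP (lower-case) -> REALM

    def _check(self, key, table, realm):
        # Realm names must be upper-case, as the command reference requires.
        if realm != realm.upper():
            raise ValueError("Kerberos realm must be upper-case: %r" % realm)
        # Only a brand-new key consumes one of the 100 table slots.
        if key not in table and len(self.dns) + len(self.host) >= MAX_ENTRIES:
            raise ValueError("realm table full (%d entries)" % MAX_ENTRIES)

    def set_dns(self, dns_domain, realm):
        """set kerberos realm <dns_domain> <kerberos_realm>"""
        key = dns_domain.lower().lstrip(".")
        self._check(key, self.dns, realm)
        self.dns[key] = realm

    def set_host(self, host, realm):
        """set kerberos realm <host> <kerberos_realm>"""
        key = host.lower()
        self._check(key, self.host, realm)
        self.host[key] = realm

    def lookup(self, host, local_realm=None):
        """Realm for `host`: exact host entry, then longest parent domain,
        then the switch's local realm (assumed precedence, see lead-in)."""
        h = host.lower().rstrip(".")
        if h in self.host:
            return self.host[h]
        labels = h.split(".")
        # niners.cisco.com -> cisco.com -> com
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.dns:
                return self.dns[candidate]
        return local_realm


def demo_table():
    """Constructed sample table matching the manual's CISCO.COM example."""
    t = RealmTable()
    t.set_dns("cisco.com", "CISCO.COM")
    t.set_host("kdc.example.org", "EXAMPLE.ORG")   # hypothetical host entry
    return t


if __name__ == "__main__":
    t = demo_table()
    for h in ("niners.cisco.com", "kdc.example.org", "other.example.org"):
        print(h, "->", t.lookup(h, local_realm="CISCO.COM"))
```

A lower-case realm is rejected at entry time rather than silently stored, which is the failure mode the "uppercase characters" rule on this page is guarding against: a realm that does not match the KDC's exactly yields a principal the KDC has never heard of.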
Examples
This example shows how to map the Kerberos realm to a domain name:
Console> (enable) set kerberos realm CISCO CISCO.COM
Kerberos DnsDomain-Realm entry set to CISCO - CISCO.COM
Related Commands
clear kerberos realm
set kerberos local-realm
show kerberos
set kerberos server
To specify which Key Distribution Center (KDC) to use on the switch, use the set kerberos server command.
set kerberos server kerberos_realm {hostname | ip_address} [port]
Syntax Description
kerberos_realm | Name of the Kerberos realm.
hostname | Name of the host running the KDC.
ip_address | IP address of the host running the KDC.
port | (Optional) Port number on which the KDC listens.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can specify to the switch which KDC to use in a Kerberos realm. Optionally, you can also specify the port number on which the KDC listens. The Kerberos server information you enter is maintained in a table with one entry for each Kerberos realm. The maximum number of entries in the table is 100.
The KDC is a Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.
Examples
This example shows how to specify the Kerberos server:
Console> (enable) set kerberos server CISCO.COM 187.0.2.1 750
Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750
Related Commands
clear kerberos server
show kerberos
set kerberos srvtab entry
To enter the SRVTAB file directly into the switch from the command line, use the set kerberos srvtab entry command.
set kerberos srvtab entry kerberos_principal principal_type timestamp key_version_number key_type key_length encrypted_keytab
Syntax Description
kerberos_principal | Service on the switch.
principal_type | Version of the Kerberos SRVTAB.
timestamp | Number representing the date and time the SRVTAB entry was created.
key_version_number | Version of the encrypted key format.
key_type | Type of encryption used.
key_length | Length, in bytes, of the encryption key.
encrypted_keytab | Secret key the switch shares with the KDC.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To make it possible for remote users to authenticate to the switch using Kerberos credentials, the switch must share a secret key with the KDC. To do this, you must give the switch a copy of the file that is stored in the KDC, which contains the secret key. These files are called SRVTAB files.
When you enter the SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch. The entries are maintained in the SRVTAB table. The maximum table size is 20 entries.
The KDC is a Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.
If a private 3DES key has been defined with the set key config-key command, the secret key is encrypted with it when you copy the configuration to a file or enter the show config command; otherwise it appears in the configuration as entered.
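A SRVTAB file is a Kerberos keytab, and the seven arguments of this command correspond to the fields of one keytab entry. The Python below is an added example, not CatOS code and not from this manual: it parses a standard MIT keytab (file format version 2, which is what a KDC's kadmin ktadd produces) and prints each entry in the order set kerberos srvtab entry takes its arguments, so the values can be checked against what the KDC administrator exported. The sample keytab is constructed inline. The textual encoding the switch uses for encrypted_keytab is not documented on this page, so the key is rendered as hex here; that column is an assumption, the rest of the format is the published MIT layout.

```python
"""Parse an MIT keytab and list the fields `set kerberos srvtab entry` needs (added example)."""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab, file format version 2, big-endian fields


@dataclass
class KeytabEntry:
    principal: str     # e.g. host/niners.cisco.com@CISCO.COM
    name_type: int     # 1 = NT-PRINCIPAL
    timestamp: int     # seconds since the epoch when the entry was written
    kvno: int          # key version number
    enctype: int       # RFC 3961 enctype number; 1 = des-cbc-crc
    key: bytes

    def catos_fields(self):
        """Arguments in set kerberos srvtab entry order. Key shown as hex (assumption)."""
        return (self.principal, self.name_type, self.timestamp, self.kvno,
                self.enctype, len(self.key), self.key.hex())


def _counted(buf: bytes, pos: int):
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted-entry hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:            # newer keytabs append a full 32-bit kvno
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in the same layout; used here only to construct sample input."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype)
        body += struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: one des-cbc-crc key for the switch's host principal (not a real key).
SAMPLE_ENTRY = KeytabEntry("host/niners.cisco.com@CISCO.COM", 1, 932423923, 1, 1,
                           bytes.fromhex("0123456789abcdef"))
SAMPLE_KEYTAB = build_keytab([SAMPLE_ENTRY])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("set kerberos srvtab entry", *e.catos_fields())
```

The parser skips negative-size holes and reads the trailing 32-bit kvno when present, the two details that most often trip up hand-written keytab tools; a keytab whose kvno on the switch does not match the KDC's current key version is the usual cause of a "wrong key version" failure when a user tries to authenticate to the switch.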
Examples
This example shows how to enter a SRVTAB file directly into the switch:
Console> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0
Kerberos SRVTAB entry set to
Principal:host/niners.cisco.com@CISCO.COM
Encrypted key tab:03;;5>00>50;0=0=0
Related Commands
clear kerberos clients mandatory
show kerberos
set kerberos srvtab remote
To provide the switch with a copy of the SRVTAB file from the KDC that contains the secret key, use the set kerberos srvtab remote command.
set kerberos srvtab remote {hostname | ip_address} filename
Syntax Description
hostname | Name of the host running the KDC.
ip_address | IP address of the host running the KDC.
filename | Name of the SRVTAB file.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
To make it possible for remote users to authenticate to the switch using Kerberos credentials, the switch must share a secret key with the KDC. To do this, you must give the switch a copy of the file that is stored in the KDC, which contains the secret key. These files are called SRVTAB files.
The KDC is a Kerberos server and database program running on a network host that allocates the Kerberos credentials to different users or network services.
The most secure method of distributing SRVTAB files to the hosts in your Kerberos realm is to copy them onto physical media and go to each host in turn and manually copy the files onto the system. To copy SRVTAB files to the switch, which does not have a physical media drive, you must transfer them through the network using TFTP. TFTP provides no authentication or encryption, so the secret key crosses the network in clear text; perform the transfer over an isolated or otherwise trusted path, remove the file from the TFTP server afterward, and treat a key that may have been observed as compromised.
Examples
This example shows how to copy SRVTAB files to the switch remotely from the KDC:
Console> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab
Console> (enable)
Related Commands
clear kerberos creds
set kerberos srvtab entry
show kerberos
set key config-key
To define a private 3DES key, use the set key config-key command.
set key config-key string
Syntax Description
string | Private 3DES key; eight characters or fewer.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You can define a private 3DES key for the switch. The private 3DES key is used to encrypt the secret key that the switch shares with the KDC. If you set the 3DES key, the secret key is not displayed in clear text when you execute the show kerberos command. The key length should be eight characters or less. This protects the SRVTAB secret only in displayed and saved configuration output: anyone who learns the config key can recover the secret, and an eight-character string offers far less than the full 3DES key space, so it should be treated as obfuscation of the configuration rather than as a substitute for controlling access to it.
Examples
This example shows how to define a 3DES key:
Console> (enable) set key config-key abcd
Kerberos config key set to abcd
Related Commands
clear key config-key
set l2protocol-tunnel cos
To apply a CoS value to all ingress tunneling ports, use the set l2protocol-tunnel cos command.
set l2protocol-tunnel cos cos-value
Syntax Description
cos-value | CoS value; valid values are 0 to 7.
Defaults
The default value for CoS is 5.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Because the CoS value applies to all ingress tunneling ports, all encapsulated PDUs sent out by the switch have the same CoS value.
Examples
This example shows how to set the CoS value to 6:
Console> (enable) set l2protocol-tunnel cos 6
Related Commands
clear l2protocol-tunnel cos
clear l2protocol-tunnel statistics
set port l2protocol-tunnel
show l2protocol-tunnel statistics
show port l2protocol-tunnel
set l2protocol-tunnel trunk
To set Layer 2 protocol tunneling on trunks, use the set l2protocol-tunnel trunk command.
set l2protocol-tunnel trunk {enable | disable}
Syntax Description
enable | Enables Layer 2 protocol tunneling on trunks.
disable | Disables Layer 2 protocol tunneling on trunks.
Defaults
Layer 2 protocol tunneling on trunks is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Do not enable or disable Layer 2 protocol tunneling on trunks when active Layer 2 protocol tunnels are already configured. If you plan to configure Layer 2 protocol tunneling on trunks, do so before performing any other Layer 2 protocol tunneling tasks.
Examples
This example shows how to enable Layer 2 protocol tunneling on trunks:
Console> (enable) set l2protocol-tunnel trunk enable
Layer 2 Protocol Tunnel on trunks is allowed.
This example shows how to disable Layer 2 protocol tunneling on trunks:
Console> (enable) set l2protocol-tunnel trunk disable
Warning!! Clear any layer 2 protocol tunnel configuration on trunks